php-fpm pool with hiawatha

Fred
14 June 2017, 11:19
Hi Hugo,

I have set up a new webserver to host about 8 websites.
So far everything is working well, but I have a problem around security...
As far as PHP is concerned, I use one php-fpm pool per website:
php-fpm-fred.conf
[fred]
user = fred
group = www

listen = /var/run/fred.sock

listen.owner = fred
listen.group = www
listen.mode = 0660

pm = ondemand
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.process_idle_timeout = 60s
pm.max_requests = 200
pm.status_path = /status
request_terminate_timeout = 0

env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/fred/tmp
env[TMPDIR] = /home/fred/tmp
env[TEMP] = /home/fred/tmp

php_admin_value[open_basedir] = /home/fred/public_html:/home/fred/tmp:/usr/local/share/pear:/usr/local/lib/php
php_admin_value[disable_functions] = "exec,passthru,shell_exec,system,proc_open,popen,show_source"
php_admin_value[date.timezone] = Europe/London

php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = 30711
php_admin_value[error_log] = /var/log/php-fpm/fred.error.log
php_admin_value[memory_limit] = 32M
php_admin_value[upload_tmp_dir] = /home/fred/tmp
php_admin_value[session.save_path] = /home/fred/tmp

php-fpm-alice.conf
[alice]
user = alice
group = www

listen = /var/run/alice.sock

listen.owner = alice
listen.group = www
listen.mode = 0660

pm = ondemand
pm.max_children = 20
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.process_idle_timeout = 60s
pm.max_requests = 200
pm.status_path = /status
request_terminate_timeout = 0

env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/alice/tmp
env[TMPDIR] = /home/alice/tmp
env[TEMP] = /home/alice/tmp

php_admin_value[open_basedir] = /home/alice/public_html:/home/alice/tmp:/usr/local/share/pear:/usr/local/lib/php
php_admin_value[disable_functions] = "exec,passthru,shell_exec,system,proc_open,popen,show_source"
php_admin_value[date.timezone] = Europe/London

php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = 30711
php_admin_value[error_log] = /var/log/php-fpm/alice.error.log
php_admin_value[memory_limit] = 32M
php_admin_value[upload_tmp_dir] = /home/alice/tmp
php_admin_value[session.save_path] = /home/alice/tmp


In my hiawatha.conf file, I have
FastCGIserver {
FastCGIid = PHP71-FPM-FRED
ConnectTo = /var/run/fred.sock
Extension = php
}

FastCGIserver {
FastCGIid = PHP71-FPM-ALICE
ConnectTo = /var/run/alice.sock
Extension = php
}

I then call php with
...
VirtualHost {
UseFastCGI = PHP71-FPM-FRED
}
...
VirtualHost {
UseFastCGI = PHP71-FPM-ALICE
}


Now the problem is with my hiawatha.conf file... at the moment I have
ServerId = www:www
which is why I kept group = www in all the pools, but this means that user www can read any website's files, which I don't want.
I would like to run each site with its own uid/gid
user = fred
group = fred

user = alice
group = alice

So how do I deal with the hiawatha.conf ServerId?

Hope I explained my problem well enough.
Thank you
Joe Schmoe
14 June 2017, 19:23
I don't think that's possible. Also your PHP implementation is probably not as secure as you think either. You will want to do a search on "php-fpm chroot" (which also requires using the ServerRoot directive in your FastCGIserver config).

Are your users accessing the file system directly by FTP or SSH? Are they jailed so they can't access the file system outside their home directory?

That's a pretty slippery slope to go down unless you REALLY require that level of security. Expect to spend a LOT of time and research to do it right.

I tried and gave up at a certain point so I can't be helpful beyond the tips I've given above. Good luck!
Joe Schmoe
14 June 2017, 19:31
FYI, in your php pool configs, you should be able to replace each instance of the pool name with the variable $pool, which makes it easier to replicate configs since you only have to change the pool name.

Example:

[alice]
user = $pool
group = www

listen = /var/run/$pool.sock

listen.owner = $pool
listen.group = www
listen.mode = 0660
...
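An added audit script (not from the thread, php-fpm or Hiawatha) that reads pool files laid out like the ones in the first post, expands $pool as described in the reply above, and flags any setting other than the group that is not tied to the pool's own user. The sample pool texts are constructed; alice's copy deliberately keeps fred's paths so the copy-paste slip gets caught.

```python
import re

# Constructed samples in the layout of the thread's php-fpm-*.conf; alice's copy keeps fred's paths.
POOL_FRED = """[fred]
user = fred
listen.owner = $pool
listen.group = www
listen.mode = 0660
php_admin_value[open_basedir] = /home/fred/public_html:/home/fred/tmp:/usr/local/share/pear:/usr/local/lib/php
php_admin_value[disable_functions] = "exec,passthru,shell_exec,system,proc_open,popen,show_source"
php_admin_value[session.save_path] = /home/fred/tmp
"""
POOL_ALICE = POOL_FRED.replace("[fred]", "[alice]").replace("user = fred", "user = alice")

LINE = re.compile(r"^\s*([\w.]+)(?:\[([\w.]+)\])?\s*=\s*(.*)$")
SHARED_PATHS = {"/usr/local/share/pear", "/usr/local/lib/php"}  # library dirs every pool may read

def parse_pool(text):
    """Return (pool name, {key: value}); ';' starts a comment and $pool expands to the pool name."""
    name, cfg = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            continue
        m = LINE.match(line)
        if m:
            key = m.group(2) or m.group(1)  # php_admin_value[x] and plain x both map to x
            cfg[key] = m.group(3).strip().strip('"').replace("$pool", name or "")
    return name, cfg

def audit_pool(text, web_group="www"):
    """List isolation violations: only the group may be shared with the webserver user."""
    name, cfg = parse_pool(text)
    user, home, findings = cfg.get("user"), f"/home/{cfg.get('user')}/", []
    if user != name:
        findings.append(f"user {user!r} does not match pool name {name!r}")
    if cfg.get("listen.owner") != user:
        findings.append(f"listen.owner {cfg.get('listen.owner')!r} is not the pool user")
    if cfg.get("listen.group") != web_group or cfg.get("listen.mode") != "0660":
        findings.append(f"socket must be {web_group}-group-owned with mode 0660")
    for key in ("open_basedir", "upload_tmp_dir", "session.save_path"):
        for p in cfg.get(key, "").split(":"):
            if p and not p.startswith(home) and p not in SHARED_PATHS:
                findings.append(f"{key} reaches outside {home}: {p}")
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",")}
    missing = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"} - disabled
    if missing:
        findings.append("disable_functions is missing " + ", ".join(sorted(missing)))
    return findings
```

Run it over every php-fpm-*.conf after cloning a pool; an empty list means the pool touches nothing outside its own home apart from the shared library paths.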

Fred
14 June 2017, 20:50
Joe Schmoe, thank you for the good advice :)
The users are not allowed SSH; they can only SFTP to their own accounts.
I'll look at "php-fpm chroot" thank you.

Hugo,
can you please confirm that what I am trying to do is possible or not?
Hugo Leisink
14 June 2017, 22:04
Yes, user 'www' (which is used to run Hiawatha) can read every website. The webserver should be able to read every website. How can it otherwise serve them? Don't focus on what the server can do, focus on the CGI scripts. But as Joe already said, that requires a lot of testing and 'knowing what you are doing'.
This topic has been closed.