Nginx, php-fpm, virtual hosts and premissions


Pooja Bhardwaj

User

( 7 months ago )

 

I have an apache-mpm-itk + php_module setup and users' folders/files belong to them. But I want to migrate several accounts to nginx + php-fpm.

What should the right permissions on folders/files be if I want to use nginx/php-fpm with virtual hosts which belong to different users?

For example, user's home:

/var/www/user/data/www/domain.com

and permissions are user:user

Here is code from host's nginx conf:

server {
    listen 8080;
    server_name domain.com;
    root /var/www/user/data/www/domain.com/;

    index index.php index.html index.htm;

    location / {
            # First attempt to serve request as file
            try_files $uri $uri/index.php;
    }


    location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php5-fpm/domain.com.socket;
            fastcgi_index index.php;
            include fastcgi_params;
    }
}

And here is pool config from php-fpm:

[domain.com]

listen = /var/run/php5-fpm/domain.com.socket
listen.backlog = -1
listen.owner = user
listen.group = user
listen.mode=0660

; Unix user/group of processes
user = user
group = user

; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500

; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /var/www/user/data/tmp
env[TMPDIR] = /var/www/user/data/tmp
env[TEMP] = /var/www/user/data/tmp

; host-specific php ini settings here
; php_admin_value[open_basedir] = /var/www/user/data:/tmp
php_admin_value[error_log] = /var/user/data/logs/fpm-php.log
php_admin_value[realpath_cache_size] = 4096K  

Shalini Jaiswal

User

( 7 months ago )

 

nginx workers are spawned with the value from the user directive. The default value is nobody, but nginx official packages include a default configuration containing user nginx; in nginx.conf, in the main context.

When only a user is specified, the group with the same name is applied to nginx workers.

Default user:group for PHP-FPM is www-data:www-data.

What you could do is make files owned by nginx:www-data, which would work out of the box. The problem would then be updating files, since any user creating files would need write access.

By default, directories are writeable by their owner (user) but not by this user's group, which forces you to either:

  1. use the nginx user to update Web content
  2. add the write access to the www-data group and add the user managing content to this group

To me, both previous solutions are less-than-ideal.

What I would do is make that directory tree owned by the user managing content, use user nginx www-data; to make the nginx worker user belong to the www-data group, and allow the user to read/write, the group to read and others nothing (thus a 0640 bitmask for files and a 0750 bitmask for directories, allowing traversal for user and group).

To go even further, I would add the setgid bit on directories, to ensure the right group is automatically applied to any directory/file created in the tree. I would thus use the 2640 bitmask on files and 2750 on directories.

You can change the default bitmask for a specific partition at the OS level... or you can stick with the defaults which are a bit less restrictive, but work flawlessly, simply changing ownership and adding the setgid flag.
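The scheme described in the answer above (tree owned by the content user, group set to the nginx worker group, 2750 on directories, 0640 on files), as an added POSIX shell example that is not part of the original thread. It builds a constructed sample document root under a temporary directory, applies the modes, verifies them with find, and then shows the setgid inheritance the answer relies on by creating a new directory under umask 027. The user and group names are whatever the caller passes in; the chown step is only attempted when running as root, so the demo also runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the answer's permission
# scheme to a document root: owner = content user, group = nginx worker group,
# 2750 on directories (setgid so new entries inherit the group), 0640 on files.

# apply_web_perms DOCROOT OWNER GROUP
apply_web_perms() {
    docroot="$1"; owner="$2"; grp="$3"
    # chown needs root; when run unprivileged the tree keeps the caller's owner/group
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$grp" "$docroot"
    fi
    find "$docroot" -type d -exec chmod 2750 {} +
    find "$docroot" -type f -exec chmod 0640 {} +
}

# check_web_perms DOCROOT: succeeds only if every directory is exactly 2750
# and every file exactly 0640 (others get nothing, group read-only).
check_web_perms() {
    docroot="$1"
    stray=$( { find "$docroot" -type d ! -perm 2750; find "$docroot" -type f ! -perm 0640; } )
    [ -z "$stray" ]
}

# group_of PATH: group name owning a path (field 4 of ls -ld on GNU and BSD)
group_of() { ls -ld "$1" | awk '{print $4}'; }

# perm_of PATH: symbolic mode string, e.g. drwxr-s--- for a 2750 directory
perm_of() { ls -ld "$1" | cut -c1-10; }

# build_demo_tree: constructed sample docroot in a temp dir; prints its path
build_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/docroot/uploads"
    printf '<?php echo "hi";\n' > "$tmp/docroot/index.php"
    printf 'jpegdata' > "$tmp/docroot/uploads/photo.jpg"
    apply_web_perms "$tmp/docroot" "$(id -un)" "$(id -gn)"
    printf '%s\n' "$tmp/docroot"
}

# new_upload_dir DOCROOT: the content user creates a directory with umask 027;
# the parent's setgid bit propagates the group and the result is again 2750.
# Prints the new directory's path.
new_upload_dir() {
    newdir="$1/uploads/2024"
    (umask 027 && mkdir "$newdir")
    printf '%s\n' "$newdir"
}

# Usage:
docroot=$(build_demo_tree)
check_web_perms "$docroot" && echo "permissions ok: $docroot"
```

With the answer's `user nginx www-data;` in nginx.conf, note that the pool in the question sets listen.owner/listen.group to the content user with mode 0660; the nginx worker would then need to be in that user's group to connect to the socket, or listen.group would have to be www-data instead. On a real host, prefer an explicit umask of 027 for the tools the content user runs (SFTP, deploy scripts), so new files come out as 0640 and new directories as 2750 without a chmod afterwards.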
