How to run php-fpm as root
See:
# php-fpm --help
...
-R, --allow-to-run-as-root
Allow pool to run as root (disabled by default)
Set root for PHP in nginx
Since you are running php-fpm, you can set chroot in the config and restrict it to a certain directory. See the below thread for more details:
https://serverfault.com/questions/344538/php-fpms-chroot-and-chdir-directory
chroot string
Chroot to this directory at the start. This value must be defined as an absolute path. When this value is not set, chroot is not used.
chdir string
Chdir to this directory at the start. This value must be an absolute path. Default value: current directory or / when chroot.
https://secure.php.net/manual/en/install.fpm.configuration.php
So you will add the below to your php-fpm config:
chroot=/var/www/mydomain.com
chdir=/
nginx and php-fpm socket owner
Config files FPM will read
/etc/php-fpm.conf is the config file FPM will read (on CentOS). If you want FPM to read other config files as well, you need to tell it that.
You can do this by placing the line include=/etc/php-fpm.d/*.conf at the bottom of /etc/php-fpm.conf. It will then read everything in the directory /etc/php-fpm.d (that ends with .conf).
Then place the global directives and the include line in /etc/php-fpm.conf. This could look something like this:
[global]
pid = /var/run/php-fpm/php-fpm.pid
error_log = /var/log/php5-fpm.log
include=/etc/php-fpm.d/*.conf
And have a separate file in /etc/php-fpm.d for each pool.
Example /etc/php-fpm.d/global.conf:
[global-pool]
user = www-data
group = www-data
listen = /var/run/php-fcgi.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.start_servers = 1
pm.max_children = 5
pm.min_spare_servers = 1
pm.max_spare_servers = 5
Example /etc/php-fpm.d/vhostname-0.conf:
[vhostname-php-fcgi-0]
user = www-data
group = www-data
listen = /var/run/php-fcgi-vhostname-php-fcgi-0.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 5
Directives to pay attention to
Every pool should use a different socket. If you have multiple pools using the same socket you'll get issues.
The directives user and group control the user/group which the FPM process for that pool will run as. These do not specify the user/group of the socket.
The directives listen.owner and listen.group control the user/group the socket uses for that pool.
The pool directives (like listen.*) will only work for pools. So you can't use them in the global section, you have to specify them for each pool.
Socket permissions
The permissions 0660 are perfectly fine when listen.owner and listen.group are the same as the webserver. You could even use 0600, but one might argue that any user that can operate under the same group as the webserver can also use the socket, so I would use 0660.
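As an added example (not part of the original answers), a small Python audit of the pitfalls listed above: pools sharing one socket, listen.* directives placed in [global], a pool configured to run as root, and a socket mode that grants access to users outside the owner and group. The file contents in SAMPLE are constructed, and the function names parse and audit are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input ({path: file text}); not taken from a real host.
SAMPLE = {
    "/etc/php-fpm.conf":
        "[global]\npid = /var/run/php-fpm/php-fpm.pid\nlisten.mode = 0660\n",
    "/etc/php-fpm.d/a.conf":
        "[site-a]\nuser = www-data\nlisten = /var/run/php-fcgi.sock\n"
        "listen.owner = www-data\nlisten.mode = 0660\n",
    "/etc/php-fpm.d/b.conf":
        "[site-b]\nuser = root\nlisten = /var/run/php-fcgi.sock\n"
        "listen.mode = 0666\n",
}

def parse(text):
    """Return {section: {key: value}} for php-fpm's INI-style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(files):
    """Return sorted findings for the pool pitfalls described above."""
    findings, sockets = [], defaultdict(list)
    for path, text in files.items():
        for name, opts in parse(text).items():
            if name == "global":
                findings += [f"{path}: pool directive {k} set in [global]"
                             for k in opts if k.startswith("listen")]
                continue
            if opts.get("user") == "root":
                findings.append(f"{path}: pool {name} runs as root")
            if "listen" in opts:
                sockets[opts["listen"]].append(name)
            mode = opts.get("listen.mode")
            if mode and int(mode, 8) & 0o007:
                findings.append(f"{path}: pool {name} socket mode {mode} "
                                "grants access to other users")
    for sock, pools in sockets.items():
        if len(pools) > 1:
            findings.append(f"socket {sock} shared by pools: {', '.join(pools)}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To run it against a real host, build the dictionary from the files matched by the include line, for example everything under /etc/php-fpm.d that ends with .conf.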
Nginx/PHP-FPM use more than one webroot
This configuration works :)
server {
    listen 80;
    server_name _;
    index index.php;
    rewrite_log on;
    root /var/www/html;
    location / {
        try_files $uri /public/index.php$is_args$args;
    }
    location ^~ /api {
        try_files $uri /api/index.php$is_args$args;
        location ~ \.php {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        }
    }
    location ~ \.php {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
    }
}