Viktor Joras

Reputation: 783

Nginx websites isolation

I have followed a lot of nginx guides but none satisfies me.

My goal is to create two websites with different file permissions so I'm sure they are isolated for good.

Ex. /var/www/site1 with owner:site1 and group:site1 and /var/www/site2 with owner:site2 and group:site2, both directories with 770 permissions.

My nginx.conf:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

http {

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;


    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;


    include /etc/nginx/sites-enabled/*;

}

My /etc/nginx/sites-available/site1:

server {
    listen 80;

    root /var/www/site1;
    index index.php index.html index.htm;

    server_name www.site1.org site1.org;

    access_log /var/log/nginx/access2.log;
    error_log /var/log/nginx/error2.log;

    location / {
        try_files $uri $uri/ /index.php?$args;
        #try_files $uri $uri/ =404;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/site1;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm-site1.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

... the same for site2.

and finally my /etc/php5/fpm/pool.d/site1.conf:

[site1]
user = site1
group = site1
listen = /var/run/php5-fpm-site1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

... the same for site2.

Everything works as expected as long as the www-data user has file permissions on /var/www/site1 and /var/www/site2. The problem occurs when I set site1:site1 as owner:group with 770; then I get "13: Permission denied" in the log.

The idea was that only php-fpm has to own the website files since nginx is just communicating with php-fpm through the socket and php-fpm is the process that manipulates the files. Why should even Nginx own them?

Upvotes: 1

Views: 1049
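The "13: Permission denied" above is the kernel's ordinary mode check, not an nginx quirk: the worker process (www-data) needs search (x) on every directory down to the document root and read (r) on the file, because try_files $uri, index and static-file serving all stat and open files directly; only the execution of .php files is handed to php-fpm over the socket. The following Python model, an added example that is not part of the question or answer, replays that check for the layout in the question (770, site1:site1, www-data outside the group) and for one common alternative (750 directories with www-data added as a supplementary member of each site group). The uids/gids, the path chain and the access_matrix helper are constructed for illustration; they are not taken from the page.

```python
"""Model the POSIX permission check behind nginx's '13: Permission denied'
and compare two ownership layouts for /var/www/site1 and /var/www/site2."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Principal:
    """A Unix identity: the nginx worker user or one php-fpm pool user."""
    name: str
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()  # supplementary group ids


@dataclass(frozen=True)
class Entry:
    """Owner, group and permission bits of one directory or file (as `stat` shows)."""
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o770


def effective_bits(entry: Entry, who: Principal) -> int:
    """POSIX selects exactly one rwx triplet: owner, else group, else other."""
    if who.uid == entry.uid:
        return (entry.mode >> 6) & 0o7
    if who.gid == entry.gid or entry.gid in who.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def allowed(entry: Entry, who: Principal, want: str) -> bool:
    """`want` is a subset of 'rwx'; every requested bit must be granted."""
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return effective_bits(entry, who) & need == need


def can_open(chain: List[Entry], who: Principal, want: str) -> bool:
    """`chain` lists the directories from / down to the target, target last.
    Each directory needs search (x); the final entry needs `want`."""
    *dirs, target = chain
    return all(allowed(d, who, "x") for d in dirs) and allowed(target, who, want)


# Constructed identities; the numeric ids are illustrative only.
SITE1 = Principal("site1", 1001, 1001)
SITE2 = Principal("site2", 1002, 1002)


def access_matrix(dir_mode: int, nginx_in_site_groups: bool) -> Dict[str, bool]:
    """Who can read or write each site tree under a given layout.

    dir_mode            mode of /var/www/siteN (files get dir_mode & 0o666)
    nginx_in_site_groups  whether www-data is a supplementary member of
                          the site1 and site2 groups
    """
    extra = frozenset({SITE1.gid, SITE2.gid}) if nginx_in_site_groups else frozenset()
    nginx = Principal("www-data", 33, 33, extra)
    root = Entry("/", 0, 0, 0o755)
    var_www = Entry("/var/www", 0, 0, 0o755)

    results: Dict[str, bool] = {}
    for site in (SITE1, SITE2):
        site_dir = Entry(f"/var/www/{site.name}", site.uid, site.gid, dir_mode)
        index = Entry(f"{site_dir.path}/index.php", site.uid, site.gid, dir_mode & 0o666)
        chain = [root, var_www, site_dir, index]
        results[f"nginx reads {site.name}"] = can_open(chain, nginx, "r")
        results[f"nginx writes {site.name}"] = can_open(chain, nginx, "w")
        for pool in (SITE1, SITE2):
            results[f"php-fpm[{pool.name}] writes {site.name}"] = can_open(chain, pool, "w")
    return results


if __name__ == "__main__":
    for label, mode, in_groups in (("question: 770, www-data outside groups", 0o770, False),
                                   ("alternative: 750, www-data in site groups", 0o750, True)):
        print(label)
        for key, ok in access_matrix(mode, in_groups).items():
            print(f"  {key:32s} {'allowed' if ok else 'denied'}")
```

In the question's layout nginx is denied at the site directory itself (the "other" triplet of 770 is empty), which is exactly the error in the log. In the alternative layout nginx can traverse and read but never write, and each php-fpm pool can only write its own tree, so a bug in site1's PHP code cannot touch site2's files. The caveat the accepted answer makes still stands: the one www-data worker can read both document roots, so the two sites are isolated from each other at the PHP level but not from nginx.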

Answers (1)

peixotorms

Reputation: 1283

Nginx can run with any (trusted) user you want, including the owner of those files... however you cannot perfectly isolate 2 sites as long as the nginx user has permissions on both.

If you must run nginx for both, you must have virtualization (vps) in order to perfectly isolate them (although the word perfectly is relative).

If you can have another server for another site, on top of having php running for each user as that user, you can put 2 different webservers in different ports such as litespeed or lighttpd.

So you will have nginx + fpm for user one (and running with user one), and lighttpd + fpm for user two (running with user two). Files should be in each user's home directory with proper permissions to block any access from the other user.

You could then put nginx + lighttpd behind haproxy and route requests to either nginx or lighttpd depending on the hostname, which in turn will launch fpm for each user, serving only files from that user.

https://seanmcgary.com/posts/haproxy---route-by-domain-name

But either way, I think the best route would be virtualization.

Upvotes: 0
