After you have followed some great tutorial out there to install php-fpm and fast-cgi, it is now time to secure your webserver by running each hosted site under a dedicated user. Here are the steps to follow:

In this example we are assuming you are using php7.4. If not, adjust the commands to match your php version.
We will be adding a new user called: newuser. And our site is going to be called newsite. Replace these wherever you see them in the code below to your liking.
The new site will be hosted in /var/www/. The code in this directory shall be owned by a super user, or you could also use root. Only those files and folders which actually need to be written by php are owned by newuser.

First, let’s create a copy of this file /etc/php/7.4/fpm/pool.d/www.conf:

cd /etc/php/7.4/fpm/pool.d/
sudo cp www.conf newsite.conf

Now, let’s edit it with your favorite editor sudo nano newsite.conf.

Next we’ll replace [www] with [newsite] and we will also replace www-data for user and group with newuser, resulting in two lines like:

user = newuser
group = newuser

Now we will modify the listen parameter. Leave listen.owner and listen.group as www-data: that is what lets Apache, which runs as www-data, connect to the socket.

listen = /run/php/php7.4-newsite-fpm.sock

Before we save our changes, let’s add a new line at the bottom, to set our base directory. We use php_admin_value rather than php_value so that a script cannot override the setting with ini_set():

php_admin_value[open_basedir] = /var/www/newsite.tld/public_html

Hint: This is also where you could specify php related settings such as a temporary upload directory, which is often needed by CMSs such as WordPress. In this case you add something like this:

php_admin_value[upload_tmp_dir] = /var/www/newsite.tld/public_html/wp-content/temp

Or you can modify the maximum execution time in this spot as well:

php_admin_value[max_execution_time] = 600 ; sets the timeout to 10 minutes (600 seconds)

Save and exit.

Now we will add the new user that we have specified in our configuration file to our system:

sudo adduser --system --disabled-login --shell /bin/false --no-create-home --home /var/www/newsite.tld/public_html newuser

This will create a new user that cannot log in, so it just exists on the system itself. The home directory will be pointed to the location where the site is hosted.

Now, let’s create the group for this user, and we will also add the new group to the user itself:

sudo groupadd newuser
sudo usermod -a -G newuser newuser

After creating the new, limited user, let’s move to a new directory:

cd /etc/apache2/conf-available/

Here, we’ll take php7.4-fpm.conf as a starting point.

sudo cp php7.4-fpm.conf php7.4-newsite-fpm.conf

Wrap the entire configuration file with a Directory tag:

<Directory /var/www/newsite.tld/public_html>

# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
<IfModule proxy_fcgi_module>
...
</IfModule>
</IfModule>
</Directory>

Inside it, modify the SetHandler so it points at the new socket:

    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-newsite-fpm.sock|fcgi://localhost"
    </FilesMatch>

We are almost done. Let’s go to /etc/apache2/conf-enabled and create a symlink to this new configuration file:

cd /etc/apache2/conf-enabled
sudo ln -s ../conf-available/php7.4-newsite-fpm.conf

Now is a good time to set the permissions of your site. Again, we usually give a superuser the owner rights to /var/www/newsite.tld/public_html, but if there are some directories or files which need to be written by php, then you can use chown and chmod to update the ownership and permissions of those folders and files.

Now, we’ll restart apache and php-fpm and we should have php run under newuser:

sudo service apache2 restart
sudo service php7.4-fpm restart

You can verify this by creating a file info.php in /var/www/newsite.tld/public_html:

echo "<?php phpinfo(); ?>" > info.php

Navigate to newsite.tld/info.php and verify all looks good. If you did everything correctly, under the Environment section you’ll find a USER property. Its value should be newuser. Also verify that open_basedir is set to the correct path.
Don’t forget to remove the info.php file once you are done verifying its output. Let us know if you need any help securing your server!
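The same procedure as one POSIX shell script, added here as an example and not part of the original post. It renders the dedicated pool from a copy of www.conf, renders the matching Apache conf, and checks the result before anything is reloaded. The names newsite, newuser, php7.4 and /var/www/newsite.tld/public_html are the ones used above; the www.conf excerpt inside sample_www_conf is constructed for the stand-alone demo, and the apply step assumes a Debian/Ubuntu layout (/etc/php/7.4/fpm/pool.d, a2enconf, php-fpm7.4 -t, apache2ctl).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a per-site php-fpm pool
# plus its Apache conf from parameters and validates both before restarting.
set -eu

# Constructed excerpt of Debian's www.conf, only for the offline demo/test.
sample_www_conf() {
  cat <<'EOF'
[www]
user = www-data
group = www-data
listen = /run/php/php7.4-fpm.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
EOF
}

# Rewrite a www.conf (stdin) into a dedicated pool (stdout). Only the pool name,
# user, group, listen socket and open_basedir change; listen.owner/listen.group
# stay www-data so Apache can still connect to the socket.
render_pool_conf() {
  site=$1 user=$2 phpver=$3 basedir=$4
  sed -e "s/^\[www\]$/[$site]/" \
      -e "s/^user = www-data$/user = $user/" \
      -e "s/^group = www-data$/group = $user/" \
      -e "s|^listen = .*|listen = /run/php/php$phpver-$site-fpm.sock|"
  printf '\n; confine PHP to the site root (added by the setup script)\n'
  printf 'php_admin_value[open_basedir] = %s\n' "$basedir"
}

# Apache conf: route PHP files under the site root to this site's socket only.
render_apache_conf() {
  site=$1 phpver=$2 basedir=$3
  cat <<EOF
<Directory $basedir>
    <IfModule proxy_fcgi_module>
        <FilesMatch ".+\.ph(ar|p|tml)\$">
            SetHandler "proxy:unix:/run/php/php$phpver-$site-fpm.sock|fcgi://localhost"
        </FilesMatch>
    </IfModule>
</Directory>
EOF
}

# Sanity check a rendered pool (stdin): every line we rely on must be present
# and the pool must not still run as www-data. Returns 1 on any mismatch.
check_pool_conf() {
  site=$1 user=$2 phpver=$3 basedir=$4
  conf=$(cat)
  for want in "[$site]" "user = $user" "group = $user" \
      "listen = /run/php/php$phpver-$site-fpm.sock" \
      "listen.owner = www-data" \
      "php_admin_value[open_basedir] = $basedir"; do
    printf '%s\n' "$conf" | grep -qxF "$want" || return 1
  done
  printf '%s\n' "$conf" | grep -qx 'user = www-data' && return 1
  return 0
}

# Real run, as root on the target host (Debian/Ubuntu paths assumed).
apply() {
  site=$1 user=$2 phpver=$3 basedir=$4
  pool=/etc/php/$phpver/fpm/pool.d/$site.conf
  aconf=/etc/apache2/conf-available/php$phpver-$site-fpm.conf
  render_pool_conf "$site" "$user" "$phpver" "$basedir" \
    < "/etc/php/$phpver/fpm/pool.d/www.conf" > "$pool"
  check_pool_conf "$site" "$user" "$phpver" "$basedir" < "$pool"
  render_apache_conf "$site" "$phpver" "$basedir" > "$aconf"
  id "$user" >/dev/null 2>&1 || adduser --system --disabled-login \
    --shell /bin/false --no-create-home --home "$basedir" "$user"
  getent group "$user" >/dev/null || groupadd "$user"
  usermod -a -G "$user" "$user"
  "php-fpm$phpver" -t          # syntax-check every pool before reloading
  a2enconf "php$phpver-$site-fpm"
  apache2ctl configtest
  service "php$phpver-fpm" restart
  service apache2 restart
}

# Offline demo: show what would be written, using the constructed template.
sample_www_conf | render_pool_conf newsite newuser 7.4 /var/www/newsite.tld/public_html
render_apache_conf newsite 7.4 /var/www/newsite.tld/public_html
# On the server: sh setup-pool.sh apply newsite newuser 7.4 /var/www/newsite.tld/public_html
if [ "${1:-}" = apply ]; then apply "$2" "$3" "$4" "$5"; fi
```

Running the script without arguments only prints the two rendered files, so you can review them before running the apply step as root; apply refuses to restart anything if the rendered pool fails check_pool_conf or php-fpm's own syntax check.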

