Posted to users@httpd.apache.org by Matthias Leopold <ma...@leopold.priv.at> on 2016/12/29 18:35:20 UTC
[users@httpd] php-fpm user other than webserver user?
Hi,
I hope this is an appropriate place for my question (also sent it to
CentOS list):
I'd like to know how others handle the setup of Apache httpd and PHP-FPM
when the PHP-FPM user is different from the webserver user. This is the
case in the default configuration of IUS PHP-FPM packages (not in stock
CentOS/RHEL). So I have httpd running as 'apache' and PHP running as
'php-fpm'. I'm aware of special use cases where a configurable PHP user
is a nice feature, but how do I handle filesystem setup for this default
configuration in a pretty and secure way? Do people use it like that or
do they change PHP-FPM user back to 'apache' (like in RH packages)? All
of the setups I tried (e.g. using ACLs) don't really look "pretty" and
"robust", something I'd like to have when using "default"
configurations. I hope I'm not thinking too complicated...
Thanks for feedback
matthias
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] php-fpm user other than webserver user?
Posted by Jason Brooks <ja...@eroi.com>.
Of course, if you are using tcp sockets, you will need to bind to a different port for each socket, and unix-domain sockets will need a different path/filename.
—jason
Jason Brooks Systems Administrator
eROI Performance is Art.
m: 505 nw couch #300 w: eroi.com <http://eroi.com/>
t: 503.290.3105 f: 503.228.4249
fb: fb.com/eROI <http://www.facebook.com/eROI>
> On Dec 29, 2016, at 11:40 AM, Jason Brooks <ja...@eroi.com> wrote:
>
> Hello Matthias,
>
> I just dealt with this question moments ago. I am running Ubuntu 16.04 LTS.
>
> I had to modify the pool file: /etc/php/7.0/fpm/pool.d/www.conf
>
> The lines in question are:
> user =
> group =
> listen.owner =
> listen.group =
>
> The last two lines are for unix domain sockets.
>
> This is the easiest if you are only serving one domain.
>
> I still have to do some research into multiple virtual domains each with their own user, but I expect in that case to have one listening php-fpm port per user. I would probably then reserve the www.conf file for the main apache configurations assuming I was running phpmyadmin or something, and create new pool files of <username>.conf each.
>
> —jason
>
> Jason Brooks Systems Administrator
> eROI Performance is Art.
>
> m: 505 nw couch #300 w: eroi.com <http://eroi.com/>
> t: 503.290.3105 f: 503.228.4249
>
>
> fb: fb.com/eROI <http://www.facebook.com/eROI>
>
>> On Dec 29, 2016, at 10:35 AM, Matthias Leopold <matthias@leopold.priv.at <ma...@leopold.priv.at>> wrote:
>>
>> Hi,
>>
>> I hope this is an appropriate place for my question (also sent it to CentOS list):
>>
>> I'd like to know how others handle the setup of Apache httpd and PHP-FPM when the PHP-FPM user is different from the webserver user. This is the case in the default configuration of IUS PHP-FPM packages (not in stock CentOS/RHEL). So I have httpd running as 'apache' and PHP running as 'php-fpm'. I'm aware of special use cases where a configurable PHP user is a nice feature, but how do I handle filesystem setup for this default configuration in a pretty and secure way? Do people use it like that or do they change PHP-FPM user back to 'apache' (like in RH packages)? All of the setups I tried (e.g. using ACLs) don't really look "pretty" and "robust", something I'd like to have when using "default" configurations. I hope I'm not thinking too complicated...
>>
>> Thanks for feedback
>> matthias
>>
>
Re: [users@httpd] php-fpm user other than webserver user?
Posted by Jason Brooks <ja...@eroi.com>.
Hello Matthias,
I just dealt with this question moments ago. I am running Ubuntu 16.04 LTS.
I had to modify the pool file: /etc/php/7.0/fpm/pool.d/www.conf
The lines in question are:
user =
group =
listen.owner =
listen.group =
The last two lines are for unix domain sockets.
This is the easiest if you are only serving one domain.
I still have to do some research into multiple virtual domains each with their own user, but I expect in that case to have one listening php-fpm port per user. I would probably then reserve the www.conf file for the main apache configurations assuming I was running phpmyadmin or something, and create new pool files of <username>.conf each.
—jason
Jason Brooks Systems Administrator
eROI Performance is Art.
m: 505 nw couch #300 w: eroi.com <http://eroi.com/>
t: 503.290.3105 f: 503.228.4249
fb: fb.com/eROI <http://www.facebook.com/eROI>
> On Dec 29, 2016, at 10:35 AM, Matthias Leopold <ma...@leopold.priv.at> wrote:
>
> Hi,
>
> I hope this is an appropriate place for my question (also sent it to CentOS list):
>
> I'd like to know how others handle the setup of Apache httpd and PHP-FPM when the PHP-FPM user is different from the webserver user. This is the case in the default configuration of IUS PHP-FPM packages (not in stock CentOS/RHEL). So I have httpd running as 'apache' and PHP running as 'php-fpm'. I'm aware of special use cases where a configurable PHP user is a nice feature, but how do I handle filesystem setup for this default configuration in a pretty and secure way? Do people use it like that or do they change PHP-FPM user back to 'apache' (like in RH packages)? All of the setups I tried (e.g. using ACLs) don't really look "pretty" and "robust", something I'd like to have when using "default" configurations. I hope I'm not thinking too complicated...
>
> Thanks for feedback
> matthias
>
>
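
Added example (not part of any message in this thread, and not code from PHP-FPM or Apache): a shell audit of pool files for the two points raised above, that each pool needs its own listen port or socket path, and that a unix socket's listen.owner/listen.group must let the web server connect when the pool runs as a different user. The function names, the sample pool files and the 'apache' account name used for both user and group are assumptions; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit PHP-FPM pool files (hypothetical helper names).

# pool_value FILE KEY: print the value of "KEY = value" (last one wins),
# skipping ';' comment lines.
pool_value() {
    awk -F= -v k="$2" '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# audit_pools DIR WEBACCOUNT: print one finding per line.
# Assumption: the web server's user and group share the name WEBACCOUNT.
audit_pools() {
    dir=$1 web=$2 seen=""
    for f in "$dir"/*.conf; do
        name=$(basename "$f")
        listen=$(pool_value "$f" listen)
        owner=$(pool_value "$f" listen.owner)
        group=$(pool_value "$f" listen.group)
        # Two pools cannot share a TCP port or a socket path.
        case " $seen " in
            *" $listen "*) echo "DUPLICATE_LISTEN $name $listen" ;;
        esac
        seen="$seen $listen"
        # Unix socket: the web server must be its owner or in its group.
        case $listen in
            /*) [ "$owner" = "$web" ] || [ "$group" = "$web" ] ||
                echo "SOCKET_ACCESS $name owner=${owner:-unset} group=${group:-unset} want=$web" ;;
        esac
    done
}

# Constructed sample: www is correct, alice lacks socket ownership,
# bob reuses alice's socket path.
make_sample_pools() {
    d=$(mktemp -d)
    printf '[www]\nuser = php-fpm\ngroup = php-fpm\nlisten = /run/php-fpm/www.sock\nlisten.owner = apache\nlisten.group = apache\n' > "$d/www.conf"
    printf '[alice]\nuser = alice\ngroup = alice\nlisten = /run/php-fpm/alice.sock\n' > "$d/alice.conf"
    printf '[bob]\nuser = bob\ngroup = bob\nlisten = /run/php-fpm/alice.sock\nlisten.group = apache\n' > "$d/bob.conf"
    echo "$d"
}

demo=$(make_sample_pools); audit_pools "$demo" apache; rm -rf "$demo"
```

Run against a real pool directory, for example audit_pools /etc/php/7.0/fpm/pool.d www-data, it only reads the files; include directives and environment-variable expansion in pool files are not followed.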