
PHP-FPM open_basedir

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Tythus, Aug 13, 2014.

  1. Tythus

    Tythus Member

    My IPB is asking me to set open_basedir, and I was wondering what I should set it to and if there is a way of having separate open_basedirs per domain hosted on that box?

     
  2. eva2000

    eva2000 Administrator Staff Member

    Are you doing shared hosting, or do only you have access and control over the sites on your server, i.e. control over what is uploaded? If you're the only one with access and the sites are your own, I wouldn't even bother with setting open_basedir.

    Centmin Mod isn't for shared hosting, see FAQ 2 at Centmin Mod FAQ - Menu based Nginx installer

    But if you create separate PHP-FPM pools, you can set an individual site open_basedir in each PHP-FPM pool's conf file, and then edit each vhost's include php.conf into a separate one for each vhost, i.e. php-domain1.conf etc., that points to the separate pool with the open_basedir, in the separate php-domain1.conf include file, i.e.

    Code:
    php_admin_value[open_basedir] = /home/nginx/domains/domain.com/public
    However, Centmin Mod is provided as is, so all this you'd need to do yourself, as I can't be supporting it all for free, as you understand. Some hints I did point out on how to create second PHP-FPM pools at PHP-FPM - Switch from TCP to UNIX domain sockets | Centmin Mod Community

    Also playing with the idea of a multi PHP-FPM Pool auto generator at PHP-FPM - Multiple PHP-FPM Pools Generator Script testing | Centmin Mod Community, but it's only for internal testing and not public release as yet, as I'm not sure how it fits in with my eventual plans for other items on my to-do list: Centmin Mod To Do List | Centmin Mod Community
     
  3. Tythus

    Tythus Member

    Oh, just me being super paranoid about WordPress, so I was wanting to know if there was a way of me separating them out for my sanity. I am the only user on the server, but I want to host multiple sites off it.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah, right now Centmin Mod isn't set up for shared hosting or that type of isolation for security. The planned jailed chroot user features will help with that - see this thread PHP-FPM - php hacking shell jailed? | Centmin Mod Community and Previews - Jailed / chrooted SFTP & SSH user Nginx vhost menu | Centmin Mod Community

    Right now, if you're really paranoid, just set up separate VPS servers for each site :) And always keep software such as forums and WordPress up to date. For WordPress you can enable auto core, plugin and theme updating: Wordpress - Wordpress 3.9.2 security fix release out | Centmin Mod Community
     
  5. Tythus

    Tythus Member

    Is it possible to define custom php.ini settings per domain?
     
  6. rdan

    rdan Well-Known Member

    For now, it's not possible.
     
  7. eva2000

    eva2000 Administrator Staff Member

    @Tythus thanks for becoming one of the first Premium users on the forums :D

    Currently it isn't possible to have per-domain php.ini settings. Which settings specifically in php.ini were you looking at setting? disable_functions?

    Really need to wait for the jailed chrooted user feature for proper isolation, as each domain will have its own PHP-FPM pool, for which you could set specific php.ini related settings via that PHP-FPM pool's config file, as already mentioned above and below :)

    Benefits as Premium User

    As you're a Premium user, however, you will get access to the private Premium forums, which will have earlier access to some alpha/beta code I play with, and one of them is the PHP-FPM multiple pool generator, which could be used for such purposes as separate php.ini settings for separate Nginx vhost domains. Also jailed and chrooted users, whenever it's ready, will allow Premium Users first access too in future ;)

    You could use different PHP-FPM pool config files for different domains and Nginx vhosts, so if you created 2 additional PHP-FPM pools via the multiple pool generator, you would have 2 additional PHP-FPM config files at /usr/local/nginx/conf/phpfpmd/multiphp_pool0.conf listening on port 9100 and /usr/local/nginx/conf/phpfpmd/multiphp_pool1.conf listening on port 9101.

    Then you just manually create a new copy of /usr/local/nginx/conf/php.conf, i.e. /usr/local/nginx/conf/php_pool0.conf and /usr/local/nginx/conf/php_pool1.conf, place them in each domain's Nginx vhost replacing the include line for /usr/local/nginx/conf/php.conf, and edit them accordingly, changing the fastcgi_pass 127.0.0.1:9000; line to point to 9100 and 9101 respectively.

    Sample contents from /usr/local/nginx/conf/phpfpmd/multiphp_pool0.conf:

    Notice the last 2 lines in the config file; they are how you set corresponding php.ini values for that specific PHP-FPM pool, which would be assigned to a specific domain Nginx vhost.

    Code:
    php_admin_value[error_log] = /var/log/php-fpm/multiphp.error0.log
    php_admin_value[disable_functions] = shell_exec
    Full /usr/local/nginx/conf/phpfpmd/multiphp_pool0.conf:

    Code:
    [php_pool0]
    user = nginx
    group = nginx
    
    listen = 127.0.0.1:9100
    ;listen.allowed_clients = 127.0.0.1
    ;listen.backlog = -1
    listen.backlog = 131072
    
    ;listen = /tmp/multi_php-fpm0.sock
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0666
    
    pm = static
    pm.max_children = 4
    ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
    pm.start_servers = 1
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    pm.max_requests = 2000
    
    rlimit_files = 131072
    rlimit_core = 0
    
    ; The timeout for serving a single request after which the worker process will
    ; be killed. This option should be used when the 'max_execution_time' ini option
    ; does not stop script execution for some reason. A value of '0' means 'off'.
    ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
    ; Default Value: 0
    ;request_terminate_timeout = 0
    ; Default Value: 0
    ;request_slowlog_timeout = 0
    slowlog = /var/log/php-fpm/multiphp-slow0.log
    
    pm.status_path = /phpstatus_pool0
    ping.path = /phpping_pool0
    ping.response = pong
    
    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; execute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    security.limit_extensions = .php .php3 .php4 .php5
    
    ; catch_workers_output = yes
    php_admin_value[error_log] = /var/log/php-fpm/multiphp.error0.log
    php_admin_value[disable_functions] = shell_exec
    
    Tythus, we can discuss this more in the private Premium User forums
     
    Last edited: Sep 4, 2014
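    The per-domain pool layout eva2000 describes (one pool config per site under phpfpmd/ listening on 9100+N, a copy of php.conf with fastcgi_pass retargeted at that pool, and open_basedir set via php_admin_value in the pool), as an added shell example that is not Centmin Mod's own code or generator. OUT_DIR, gen_pool and check_pool are assumed names; the one-line php.conf stand-in is constructed so the script runs off-box without touching a live server.

```shell
#!/bin/sh
# Added example, not Centmin Mod code: write one PHP-FPM pool per domain
# with its own open_basedir, plus an Nginx php include pointing at that pool.
# OUT_DIR (assumed) defaults to a temp dir so nothing on a live server changes.
set -eu
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# gen_pool DOMAIN INDEX -> prints "<pool conf> <nginx include>"
# Pool INDEX listens on 127.0.0.1:(9100+INDEX), matching the thread's layout.
gen_pool() {
    domain="$1"; idx="$2"; port=$((9100 + idx))
    webroot="/home/nginx/domains/${domain}/public"
    pool="${OUT_DIR}/phpfpmd/multiphp_pool${idx}.conf"
    inc="${OUT_DIR}/php_pool${idx}.conf"
    mkdir -p "${OUT_DIR}/phpfpmd"
    cat > "$pool" <<EOF
[php_pool${idx}]
user = nginx
group = nginx
listen = 127.0.0.1:${port}
pm = static
pm.max_children = 4
security.limit_extensions = .php
php_admin_value[error_log] = /var/log/php-fpm/multiphp.error${idx}.log
php_admin_value[disable_functions] = shell_exec
; confine this pool to its own docroot (plus /tmp for uploads and sessions)
php_admin_value[open_basedir] = ${webroot}:/tmp
EOF
    # Copy php.conf and retarget fastcgi_pass from the default pool (9000).
    # Off-box (e.g. here) a constructed one-line stand-in for php.conf is used.
    src="/usr/local/nginx/conf/php.conf"
    if [ ! -r "$src" ]; then
        src="${OUT_DIR}/php.conf.stand-in"
        printf 'location ~ \\.php$ {\n    fastcgi_pass 127.0.0.1:9000;\n}\n' > "$src"
    fi
    sed "s|fastcgi_pass 127.0.0.1:9000;|fastcgi_pass 127.0.0.1:${port};|" "$src" > "$inc"
    echo "$pool $inc"
}

# check_pool INDEX DOMAIN -> 0 only if the pool confines itself to DOMAIN's
# docroot and listens on the expected port; run it before reloading php-fpm.
check_pool() {
    f="${OUT_DIR}/phpfpmd/multiphp_pool$1.conf"
    grep -q "^php_admin_value\[open_basedir\] = /home/nginx/domains/$2/public:" "$f" &&
    grep -q "^listen = 127.0.0.1:$((9100 + $1))\$" "$f"
}
```

    Generated files land under OUT_DIR; on a real box you would copy them into /usr/local/nginx/conf/phpfpmd/ and the vhost include, then validate with php-fpm -t and nginx -t before reloading.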
  8. Tythus

    Tythus Member

    @eva2000
    Sorry for not responding for ages; I've made a thread in the premium member zone.