Sunday, September 25, 2011

PHP-FPM/Nginx Security In Shared Hosting Environments (Debian/Ubuntu)

If you want to use nginx and PHP-FPM in a shared hosting environment, you should think carefully about security. In Apache/PHP environments, you can use suExec and/or suPHP to make PHP execute under individual user accounts instead of a system user like www-data. There's no such thing for PHP-FPM, but fortunately PHP-FPM allows us to set up a "pool" for each web site, and PHP scripts served by a pool execute as the user/group defined in that pool. This gives you all the benefits of suPHP, and in addition you don't have any FTP or SCP transfer problems, because PHP scripts don't need to be owned by a specific user/group to be executed as the user/group defined in the pool.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I use a vhost called www.example.com/example.com here with the document root /var/www/www.example.com/web.

You should have a working LEMP installation, as shown in these tutorials:

Installing Nginx With PHP5 And MySQL Support On Debian Squeeze

Installing Nginx With PHP5 (And PHP-FPM) And MySQL Support On Ubuntu 11.04

A note for Ubuntu users:

Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

 

2 What We Have So Far

On Debian/Ubuntu, PHP-FPM's pool directory is /etc/php5/fpm/pool.d/ - this is where new pools will be created. The php.ini used by PHP-FPM is /etc/php5/fpm/php.ini. There's one pool already, www.conf - let's take a look at it:

vi /etc/php5/fpm/pool.d/www.conf

; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
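For contrast with the default www pool above, here is what a per-site pool of the kind described in the introduction can look like. This is an added example, not taken from the original article; the system user web1, the group client1, the socket path and the per-site tmp directory are assumptions, while the document root is the one from section 1.

```ini
; Added example (not from the original article).
; Assumed names: user web1, group client1, the socket path, the tmp directory.

; --- Shared default: /etc/php5/fpm/pool.d/www.conf ---
; Every site served by this pool runs PHP as the same system user, so a
; script in one site can read or modify any other site's files.
; [www]
; user = www-data
; group = www-data

; --- Per-site pool: /etc/php5/fpm/pool.d/www.example.com.conf ---
[www.example.com]
; PHP workers for this site run as the site's own account.
user = web1
group = client1

; One socket per pool. Only nginx (www-data on Debian/Ubuntu) may connect,
; so other local users cannot send requests to this site's workers.
listen = /var/run/php5-fpm-www.example.com.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Process manager limits, so one busy site cannot exhaust the host.
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

chdir = /

; Defence in depth: restrict PHP file access to this site's own tree.
; php_admin_value cannot be overridden from scripts via ini_set().
php_admin_value[open_basedir] = /var/www/www.example.com/web:/var/www/www.example.com/tmp
php_admin_value[upload_tmp_dir] = /var/www/www.example.com/tmp

; The separation only holds if file permissions match: the site's files
; should be owned by web1:client1 and not be readable by other site users.
```

The vhost's fastcgi_pass directive in nginx has to point at this pool's socket, and PHP-FPM must be reloaded before the new pool starts.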
