Setting up php7.0-fpm + Apache and multi-user pools: Only 1 site works

apache-2.4 php-fpm ubuntu-16.04 php-fastcgi
5,665

The first line of both of your pool.d configurations is the same [username]. That's why they are treated as a single configuration and you only see /run/php/php7.0-fpm.username1.sock. Edit the first line to contain the actual username as the pool name.

Share:
5,665

Related videos on Youtube

peppy
Author by

peppy

Updated on September 18, 2022

Comments

  • peppy
    peppy over 1 year

    I am using Ubuntu 16.04, Apache 2.4.29 and php7.0-fpm. I am trying to create separate pools for multiple users and websites, so that they run under a separate user and each site is protected in case one is hacked. I followed the instructions of a similar post regarding this subject, but it does not quite work.

    Here are two example pool.d conf files I have in /etc/php/7.0/fpm/pool.d

    username1.conf

    [username]
user = username1
group = username1
listen = /run/php/php7.0-fpm.username1.sock
listen.owner = www-data      #(I've already tried username1 here too)
listen.group = www-data      #(I've already tried username1 here too)
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

    -

    username2.conf

    [username]
user = username2
group = username2
listen = /run/php/php7.0-fpm.username2.sock
listen.owner = www-data      #(I've already tried username2 here too)
listen.group = www-data      #(I've already tried username2 here too)
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

    Note that I have reloaded php7.0-fpm and apache2 after each conf file saved. In addition, here are my two Apache VirtualHost files:

    website1.com.conf (with username1)

    <VirtualHost *:80>
  ServerAdmin [email protected]
  ServerName www.website1.com
  ServerAlias website1.com
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =website1.com [OR]
  RewriteCond %{SERVER_NAME} =www.website1.com
  RewriteRule ^ https://www.website1.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  <IfModule mod_fastcgi.c>
    AddHandler php7-fcgi-username1 .php
    Action php7-fcgi-username1 /php7-fcgi-username1
    Alias /php7-fcgi-username1 /usr/lib/cgi-bin/php7-fcgi-username1
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-username1 -socket /run/php/php7.0-fpm.username1.sock -pass-header Authorization
    <Directory "/usr/lib/cgi-bin">
      Require all granted
    </Directory>
  </IfModule>
  ServerAdmin [email protected]
  ServerName www.website1.com
  ServerAlias website1.com
  DocumentRoot /home/username1/website1.com
  DirectoryIndex index.html index.php
  <Directory /home/username1/website1.com>
    Options +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^website1.com
    RewriteRule (.*) https://www.website1.com/$1 [R=301,L]
    <IfModule mod_fastcgi.c>
      <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        SetHandler php7-fcgi-username1
      </FilesMatch>
    </IfModule>
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  SSLEngine on

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.website1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.website1.com/privkey.pem

    website2.com.conf (with username2)

    <VirtualHost *:80>
  ServerAdmin [email protected]
  ServerName www.website2.com
  ServerAlias website2.com
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =website2.com [OR]
  RewriteCond %{SERVER_NAME} =www.website2.com
  RewriteRule ^ https://www.website2.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
  <IfModule mod_fastcgi.c>
    AddHandler php7-fcgi-username2 .php
    Action php7-fcgi-username2 /php7-fcgi-username2
    Alias /php7-fcgi-username2 /usr/lib/cgi-bin/php7-fcgi-username2
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-username2 -socket /run/php/php7.0-fpm.username2.sock -pass-header Authorization
    <Directory "/usr/lib/cgi-bin">
      Require all granted
    </Directory>
  </IfModule>
  ServerAdmin [email protected]
  ServerName www.website2.com
  ServerAlias website2.com
  DocumentRoot /home/username2/website2.com
  DirectoryIndex index.html index.php
  <Directory /home/username2/website2.com>
    Options +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^website2.com
    RewriteRule (.*) https://www.website2.com/$1 [R=301,L]
    <IfModule mod_fastcgi.c>
      <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        SetHandler php7-fcgi-username2
      </FilesMatch>
    </IfModule>
  </Directory>

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  SSLEngine on

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.website2.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.website2.com/privkey.pem
</VirtualHost>

    Here is a list of all Apache mods that I have enabled:

    Apache Mods Enabled

    authn_core.load@                  --> /etc/apache2/mods-available/authn_core.load
authn_file.load@                  --> /etc/apache2/mods-available/authn_file.load
authz_core.load@                  --> /etc/apache2/mods-available/authz_core.load
authz_host.load@                  --> /etc/apache2/mods-available/authz_host.load
authz_user.load@                  --> /etc/apache2/mods-available/authz_user.load
autoindex.conf@                   --> /etc/apache2/mods-available/autoindex.conf
autoindex.load@                   --> /etc/apache2/mods-available/autoindex.load
deflate.conf@                     --> /etc/apache2/mods-available/deflate.conf
deflate.load@                     --> /etc/apache2/mods-available/deflate.load
dir.conf@                         --> /etc/apache2/mods-available/dir.conf
dir.load@                         --> /etc/apache2/mods-available/dir.load
env.load@                         --> /etc/apache2/mods-available/env.load
fastcgi.conf@                     --> /etc/apache2/mods-available/fastcgi.conf
fastcgi.load@                     --> /etc/apache2/mods-available/fastcgi.load
filter.load@                      --> /etc/apache2/mods-available/filter.load
headers.load@                     --> /etc/apache2/mods-available/headers.load
http2.load@                       --> /etc/apache2/mods-available/http2.load
mime.conf@                        --> /etc/apache2/mods-available/mime.conf
mime.load@                        --> /etc/apache2/mods-available/mime.load
mpm_event.conf@                   --> /etc/apache2/mods-available/mpm_event.conf
mpm_event.load@                   --> /etc/apache2/mods-available/mpm_event.load
negotiation.conf@                 --> /etc/apache2/mods-available/negotiation.conf
negotiation.load@                 --> /etc/apache2/mods-available/negotiation.load
proxy.conf@                       --> /etc/apache2/mods-available/proxy.conf
proxy.load@                       --> /etc/apache2/mods-available/proxy.load
proxy_fcgi.load@                  --> /etc/apache2/mods-available/proxy_fcgi.load
reqtimeout.conf@                  --> /etc/apache2/mods-available/reqtimeout.conf
reqtimeout.load@                  --> /etc/apache2/mods-available/reqtimeout.load
rewrite.load@                     --> /etc/apache2/mods-available/rewrite.load
security2.conf@                   --> /etc/apache2/mods-available/security2.conf
security2.load@                   --> /etc/apache2/mods-available/security2.load
setenvif.conf@                    --> /etc/apache2/mods-available/setenvif.conf
setenvif.load@                    --> /etc/apache2/mods-available/setenvif.load
socache_shmcb.load@               --> /etc/apache2/mods-available/socache_shmcb.load
ssl.conf@                         --> /etc/apache2/mods- available/ssl.conf
ssl.load@                         --> /etc/apache2/mods-available/ssl.load
status.conf@                      --> /etc/apache2/mods-available/status.conf
status.load@                      --> /etc/apache2/mods-available/status.load
unique_id.load@                   --> /etc/apache2/mods-available/unique_id.load
userdir.conf@                     --> /etc/apache2/mods-available/userdir.conf
userdir.load@                     --> /etc/apache2/mods-available/userdir.load

    The problem: It seems that only one site works properly this way. A second site gets a 500 error in the browser. I'll get errors like this:

    [Fri Mar 09 00:01:36.965019 2018] [fastcgi:error] [pid 31964:tid 134959322724992] (2)No such file or directory: [client ***.***.***.***:47348] FastCGI: failed to connect to server "/usr/lib/cgi-bin/php7-fcgi-username2": connect() failed
[Fri Mar 09 00:01:36.966129 2018] [fastcgi:error] [pid 31964:tid 139355612722992] [client ***.***.***.***:47348] FastCGI: incomplete headers (0 bytes) received from server "/usr/lib/cgi-bin/php7-fcgi-username2"

    In addition, when I view the /var/run/php directory, I see:

    php7.0-fpm.sock
php7.0-fpm.username1.sock
php7.0-fpm.pid

# (without php7.0-fpm.username2.sock)

    In my "/home" directory, "www-data" is the group owner for all users and their websites:

    drwx--x--- 11 username1       www-data  4096 Mar 3 07:25 username1
drwx--x--- 11 username2       www-data  4096 Mar 3 07:25 username1

    Let me know where I should go from here. I'm going to have about 30 users running about 60 sites. I need Apache to run the websites as the user (instead of www-data). It needs to be done in such a way so that if a hacker breaks into a Wordpress site, they cannot use www-data to access and infect the rest of the users and their websites. If a hacker breaks in, the damage needs to be isolated to just one user.

  • peppy
    peppy about 6 years
    This is the solution, nevermind the second part of my comment above. I had all of my users (except the first 2) added to the www-data unix group. After removing the users from that group and reloading php7.0-fpm, those users could no longer access each other's files. Hopefully this bit also helps someone else having the same problem. In my user directories, the folders and files still have 775 and 664 permissions and are within the www-data group. Anyone who is more knowledgeable in site security, let me know if that looks correct or not.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

php7.0-fpm not working with apache2.4 on Ubuntu-16.04
switch apache from prefork to event in Ubuntu 16, get php 7 working
Apache proxy / redirect https to https with one ip
Unable to enable PHP-FPM on my server
Client denied by server configuration on Apache 2.4
PHP Error 500: Timezone database is corrupt - this should *never* happen
Installing php-fpm apache 2.4.6 on Centos 7
403 Forbidden error with fcgid and PHP
FastCGI: "comm with server aborted: read failed" only for one specific file
Apache 2.4 + PHP-FPM + ProxyPassMatch using Unix socket