Hello guys, I have the following configs. I need your help in doing chroot for each php-fpm config (for each user). Practically I want to embed each user in his own environment and isolate him from the host Linux env as much as possible.

P.S. Can I do this from nginx instead of php-fpm? I'm thinking of extending hosting for other languages, not only for PHP.

/etc/nginx/nginx.conf
Code:
    user www-data;

    # As a thumb rule: One per CPU. If you are serving a large amount
    # of static files, which requires blocking disk reads, you may want
    # to increase this from the number of cpu_cores available on your
    # system.
    #
    # The maximum number of connections for Nginx is calculated by:
    # max_clients = worker_processes * worker_connections
    worker_processes 8;

    # Maximum file descriptors that can be opened per process
    # This should be > worker_connections
    worker_rlimit_nofile 8192;

    events {
        # When you need > 8000 * cpu_cores connections, you start optimizing
        # your OS, and this is probably the point at where you hire people
        # who are smarter than you, this is *a lot* of requests.
        worker_connections 8000;
    }

    error_log /var/log/nginx/error.log;
    pid       /var/run/nginx.pid;

    http {
        charset utf-8;

        # Set the mime-types via the mime.types external file
        include mime.types;
        # And the fallback mime-type
        default_type application/octet-stream;

        # Click tracking!
        access_log /var/log/nginx/access.log;

        # Hide nginx version
        server_tokens off;

        # ~2 seconds is often enough for HTML/CSS, but connections in
        # Nginx are cheap, so generally it's safe to increase it
        keepalive_timeout 20;

        # You usually want to serve static files with Nginx
        sendfile on;
        tcp_nopush on;  # off may be better for Comet/long-poll stuff
        tcp_nodelay on; # on may be better for Comet/long-poll stuff

        server_name_in_redirect off;
        types_hash_max_size 2048;

        gzip on;
        gzip_http_version 1.0;
        gzip_comp_level 5;
        gzip_min_length 512;
        gzip_buffers 4 8k;
        gzip_proxied any;
        gzip_types
            # text/html is always compressed by HttpGzipModule
            text/css
            text/plain
            text/x-component
            application/javascript
            application/json
            application/xml
            application/xhtml+xml
            application/x-font-ttf
            application/x-font-opentype
            application/vnd.ms-fontobject
            image/svg+xml
            image/x-icon;

        # This should be turned on if you are going to have pre-compressed copies (.gz) of
        # static files available. If not it should be left off as it will cause extra I/O
        # for the check. It would be better to enable this in a location {} block for
        # a specific directory:
        # gzip_static on;

        gzip_disable "msie6";
        gzip_vary on;

        # other config files
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    }

This is a config each user will have particularized for himself.

/home/$USER/etc/nginx/php
Code:
    # pass the PHP scripts to FPM socket
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        #fastcgi_pass 127.0.0.1:22000;
        # Must be the same path as "listen" in the user's php-fpm pool below
        fastcgi_pass unix:/home/$USER/var/run/php-$USER-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/www$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /usr/share/nginx/www;
        fastcgi_intercept_errors on;
        include fastcgi_params;
    }

This is particularized for each user.

/etc/php5/fpm/pool.d/$USER.conf
Code:
    ; the pool name is the username; $pool below expands to it
    [$USER]
    user = $pool
    group = $pool

    listen = /home/$pool/var/run/php-$pool-fpm.sock
    listen.owner = $pool
    listen.group = www-data
    listen.mode = 660

    pm = ondemand
    pm.max_children = 20
    pm.process_idle_timeout = 60
    pm.max_requests = 500
    request_terminate_timeout = 35

    php_admin_value[max_execution_time] = 60
    php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f $pool@sendmail-$pool
    ;php_admin_value[open_basedir] = /home/$pool
    ;php_admin_value[realpath_cache_basedir] = /home/$pool
    php_admin_value[mail.log] = /home/$pool/log/php-mail.log
    security.limit_extensions = .php .php52 .php53 .php54 .php55 .php60 .php0
    php_admin_value[safe_mode] = off
    php_admin_value[realpath_cache_size] = 128M
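php-fpm supports the jail at the pool level through its `chroot` directive, so the per-user pool file is where it goes. The following is an added example, not the poster's config: it reuses the `$pool`/`/home/$pool` layout from the post and assumes the site lives in `/home/$pool/public_html` with `tmp/` and `log/` directories beside it.

```ini
; Added example, not part of the original post. Assumes the user's site is in
; /home/$pool/public_html and that /home/$pool/tmp and /home/$pool/log exist.
[$USER]
user = $pool
group = $pool

; The master process binds the socket before the workers chroot, so this
; stays a host path and nginx keeps using it unchanged.
listen = /home/$pool/var/run/php-$pool-fpm.sock
listen.owner = $pool
listen.group = www-data
listen.mode = 0660

pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 60s
pm.max_requests = 500
request_terminate_timeout = 35s

; Workers chroot(2) into the home directory and chdir to its root.
; Every path below, and the SCRIPT_FILENAME nginx sends, is now relative to it.
chroot = /home/$pool
chdir = /

; Second fence inside the jail: PHP may only open files under these paths.
php_admin_value[open_basedir] = /public_html:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp

; There is no /usr/sbin/sendmail inside the jail. Either disable mail()
; as here, or copy a sendmail binary plus its shared libraries into the chroot.
php_admin_value[sendmail_path] = /bin/false
php_admin_value[mail.log] = /log/php-mail.log

; Functions that spawn processes need binaries the jail does not contain;
; switching them off also removes the usual way of poking around the host.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

; The jail has no /etc/localtime or /etc/resolv.conf unless provisioning
; copies them in; set the timezone explicitly so date() does not warn.
php_admin_value[date.timezone] = UTC
```

With `chroot` set, the nginx location must pass paths as seen from inside the jail, for example `fastcgi_param SCRIPT_FILENAME /public_html$fastcgi_script_name;` and `fastcgi_param DOCUMENT_ROOT /public_html;`, while the server's `root` for static files stays `/home/$USER/public_html`. Anything the scripts need at runtime (CA bundle for TLS, `/dev/null`, `/dev/urandom`, a DNS resolver config) has to be created under `/home/$pool` as part of provisioning each user.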