Nginx: Run fastcgi process under individual owners, like suexec on Apache

nginxSecurityusersvirtualhost

I've had issues with Apache 2 on my server of which I had an Apache2-worker/php-fpm setup and am migrating to Nginx.

I've followed various guides to set up the wrapper script for fastcgi spawning for PHP-cgi and Nginx, however I can find no guide on running the actual cgi script under specific users.

i.e. this Linode guide (and others) hardcoding the wrapper in an init.d script:
http://library.linode.com/web-servers/nginx/php-fastcgi/debian-6-squeeze

Right now I have made a script to add a user/group for each individual vhost directories, and chowning the public_html directories – however this seems useless as the PHP process will still be ran under the www-data user.

Any guides for doing this? Am I just searching the wrong things this late?

Best Answer

Fastcgi does not have user switching, so you have to spawn a process(or multiple) for each of your users. PHP-FPM makes this very easy via pools, and you should be using that over vanilla php-cgi any way.

Related Solutions

Nginx – Installing ikiwiki on nginx – fastcgi/fcgi wrapper

you should install fcgiwrap via apitude. worked out of the box.

most of the nginx tutorials suck, because they are either not debian-specific, try to reinvent the wheel or use old software or configuration. so be careful and read a bit more than usual.

fyi, my cgi location block:

location ~ \.cgi {
        root    /usr/lib;
        fastcgi_pass  unix:/var/run/fcgiwrap.socket;
          # Fastcgi parameters, include the standard ones
        include /etc/nginx/fastcgi_params;
        # Adjust non standard parameters (SCRIPT_FILENAME)
        fastcgi_param SCRIPT_FILENAME  /usr/lib$fastcgi_script_name;
        fastcgi_param  AUTH_USER          $remote_user;
        fastcgi_param  REMOTE_USER    $remote_user;

}

the /etc/nginx/fastcgi_params

fastcgi_param   QUERY_STRING        $query_string;
fastcgi_param   REQUEST_METHOD      $request_method;
fastcgi_param   CONTENT_TYPE        $content_type;
fastcgi_param   CONTENT_LENGTH      $content_length;

fastcgi_param   SCRIPT_FILENAME     $request_filename;
fastcgi_param   SCRIPT_NAME     $fastcgi_script_name;
fastcgi_param   REQUEST_URI     $request_uri;
fastcgi_param   DOCUMENT_URI        $document_uri;
fastcgi_param   DOCUMENT_ROOT       $document_root;
fastcgi_param   SERVER_PROTOCOL     $server_protocol;

fastcgi_param   GATEWAY_INTERFACE   CGI/1.1;
fastcgi_param   SERVER_SOFTWARE     nginx/$nginx_version;

fastcgi_param   REMOTE_ADDR     $remote_addr;
fastcgi_param   REMOTE_PORT     $remote_port;
fastcgi_param   SERVER_ADDR     $server_addr;
fastcgi_param   SERVER_PORT     $server_port;
fastcgi_param   SERVER_NAME     $server_name;

the ikiwiki stuff goes in /usr/lib/cgi-bin, you can reach it via http://server/cgi-bin/

Nginx + PHP-FPM = “Random” 502 Bad Gateway

I think your max_children is too low

<value name="max_children">3</value>

Also you can try switching from TCP port to unix socket for php-fpm:

php-fpm.conf

<value name="listen_address">/tmp/php.sock</value>

nginx.conf

fastcgi_pass unix:/tmp/php.sock;

Elaborated:

Unix sockets are ~20% faster
You don't use time-wait sockets for each connect

Best Answer

Related Solutions

Nginx – Installing ikiwiki on nginx – fastcgi/fcgi wrapper

Nginx + PHP-FPM = “Random” 502 Bad Gateway

Related Topic