Tell apache virtual hosts to connect to php-fpm sockets using different user/group each

Tags: apache-2.4, php-fpm

I've been reading the php-fpm documentation and found out that I can give each socket its own user, group and mode, but how can I tell apache (per vhost I mean) to use x user and y group to connect to the sockets?

What I want to achieve is to prevent pools from reading each other's files, so that in case of a breach only the files for that domain would be leaked and nothing else. I know how I can do this for the fpm pools using the user and group settings and then giving the file structure the proper permissions. But what about the same http user being able to access all fpm sockets? Should I be concerned about that or not?

pool1.conf (php-fpm)

[pool1]
user = domain1
group = domain1
listen = /run/php-fpm/www.domain1.sock
listen.owner = http
listen.group = http
listen.mode = 0660

domain1.conf (apache virtual host)

<VirtualHost *:443>
    ServerAdmin webmaster@domain1.com
    ServerName www.domain1.com

    DocumentRoot "/srv/http/domain1.com/www"
    <Directory "/srv/http/domain1.com/www">
        <IfModule dir_module>
            DirectoryIndex index.php
        </IfModule>

        <Files "index.php">
            SetHandler "proxy:unix:/run/php-fpm/www.domain1.sock|fcgi://localhost/"
        </Files>

        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteRule ^index\.php$ - [L]
            RewriteRule . index.php [L]
        </IfModule>
    </Directory>

    SSLEngine On
    SSLCertificateFile "/etc/letsencrypt/live/domain1.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain1.com/privkey.pem"
    Protocols h2 h2c
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    ErrorLog "/srv/protected/sites/domain1.com/logs/www-error_log"
    CustomLog "/srv/protected/sites/domain1.com/logs/www-access_log" common
</VirtualHost>

I'm also trying to figure out why the default value for listen.mode is 0660. Why does the http group need read+write permissions?

Best Answer

I'm not an expert but here's how I understand it to work. Each process runs as a system (service) user. Apache is a process and runs as its user (http in your example). I think that in order to achieve what you want you would need to spawn a separate apache process with its own user.

To do this, though, you'd also need to put each user/site on its own port and then have a reverse proxy on the same machine that listens on port 80/443 and accesses the corresponding sites accordingly.

This is actually not a bad setup as it also gives you the opportunity to add mod_security on the proxy server and cover all sites at once.

So, in short, PHP-FPM is not the solution you are looking for (if I've understood your question correctly). The listen.user directive must be the same as the user that apache is running as.
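As an added example (not part of the question or the answer above), here is a small auditor for the pool-isolation properties the question is after. It parses php-fpm pool sections and flags the settings that would let one pool reach another: a pool whose workers run as the web server user, a pool user that is a member of the web server's group (and can therefore open every other pool's 0660 socket), listen.owner/listen.group that are not the web server's user and group, a listen.mode with world bits, and two pools sharing a worker user. It assumes the web server runs as http:http and that http is the only member of the http group; both values are constructed here and would be looked up from the live system in practice. [pool1] is the pool from the question; [pool2] is a deliberately weak pool written for this example.

```python
import configparser

# Assumptions for this example: the web server runs as user/group "http"
# (as in the question) and "http" is the only member of the "http" group.
# A real audit would read these from the system (pwd/grp modules).
WEB_USER = "http"
WEB_GROUP = "http"
WEB_GROUP_MEMBERS = {"http"}

# Constructed sample: [pool1] is the question's pool; [pool2] is a
# deliberately weak pool written here to show what the checks flag.
SAMPLE_POOLS = """
[pool1]
user = domain1
group = domain1
listen = /run/php-fpm/www.domain1.sock
listen.owner = http
listen.group = http
listen.mode = 0660

[pool2]
user = http
group = http
listen = /run/php-fpm/www.domain2.sock
listen.owner = http
listen.group = http
listen.mode = 0666
"""


def parse_pools(text):
    """Parse php-fpm pool sections into {pool_name: {key: value}}.

    Interpolation is disabled because pool files use $pool-style variables
    that configparser would otherwise try to expand.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def audit_pool(name, opts):
    """Return a list of findings for one pool; an empty list means it is isolated."""
    findings = []
    user = opts.get("user")
    if user == WEB_USER:
        findings.append(f"{name}: workers run as the web server user {WEB_USER!r}, "
                        "so a compromised worker has the access of the whole server")
    elif user in WEB_GROUP_MEMBERS:
        findings.append(f"{name}: worker user {user!r} is in group {WEB_GROUP!r} "
                        "and can open every other pool's 0660 socket")
    if opts.get("listen.owner") != WEB_USER or opts.get("listen.group") != WEB_GROUP:
        findings.append(f"{name}: listen.owner/listen.group are not "
                        f"{WEB_USER}:{WEB_GROUP}; the web server cannot connect, "
                        "or an unrelated account can")
    # php-fpm's documented default for listen.mode is 0660.
    mode = int(opts.get("listen.mode", "0660"), 8)
    if mode & 0o007:
        findings.append(f"{name}: listen.mode {mode:04o} lets every local user connect")
    return findings


def audit_pools(text):
    """Audit every pool in the text and also flag pools that share a worker user."""
    pools = parse_pools(text)
    findings = []
    for name, opts in pools.items():
        findings.extend(audit_pool(name, opts))
    first_pool_for_user = {}
    for name, opts in pools.items():
        user = opts.get("user")
        if user in first_pool_for_user:
            findings.append(f"{name}: shares worker user {user!r} with "
                            f"{first_pool_for_user[user]}; their files are mutually readable")
        first_pool_for_user.setdefault(user, name)
    return findings


if __name__ == "__main__":
    for finding in audit_pools(SAMPLE_POOLS) or ["no findings"]:
        print(finding)
```

Two points the checks encode: connecting to a Unix socket requires write permission on the socket file, which is why listen.mode grants rw to the owner and group and why the web server user must be that owner (or in that group). The web server itself holding write access to every pool socket is not what exposes one domain's files to another, because PHP code never runs as the httpd user; it runs inside the FPM worker as the pool user. The exposure to watch for is a pool user that can open a second pool's socket, which is what the group-membership and world-bits checks flag.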
