It seems to work fine here without placing the pid inside the jail, just the socket and the chroot definition. Since php-fpm is being launched on the host, I am not sure I would place the pid inside the jail.
The nginx pid is placed inside the jail, as per the wiki, which makes sense, since it needs to access the pid file.
php-fpm being outside doesn't, thus I don't think you should place it within the jail.
But I am a total noob with these things, so everything I say might be wrong.
Many thanks for your great answer.
In my case nginx is built according to the Arch Linux wiki (link).
Apart from that I have used the php-fpm >>chroot<< option mentioned by jonalvarezz. The only difference is that I decided to go for unix sockets rather than tcp sockets (a lot of comments on the internet suggest unix sockets are faster).
So in the end I have both nginx and php-fpm chrooted into the same directory. There is just the matter of the php-fpm configuration, where I configured it to drop its socket into /run of that chroot. For that I had to provide an absolute path. So in fact the configuration looks like this:
(...)
chroot = /path_to_nginx_jail
(...)
pid = /path_to_nginx_jail/run/php-fpm/php-fpm.pid
(...)
listen = /path_to_nginx_jail/run/php-fpm/php-fpm.sock
(...)
Thanks again,
Greg
I'm not sure how it will affect the whole security concept though.
PHP is the security problem because PHP can do harm. It is highly unlikely that nginx would do anything to your system.
PHP on the other hand has the ability to read and write files on the system, so it has to be chrooted (at least), so that
people are not able to do lots of harm by reading out other files or overwriting configurations.
Nowadays, especially on these virtualized servers, I find the chrooting of nginx an overkill, because there are bigger security issues.
Then putting nginx into a jail makes limited sense too. Likewise, having a jail only for running a PHP process may be a good idea
but is overkill too, as long as you can simply chroot it and so prevent it from writing or reading parts of the system you do not
want it to access (a jail does the same).
PS: As far as I can see from your code examples, you were trying to access the jail from outside the jail; that makes no sense either,
because then you are breaking the whole point of running software in a jail. When you make it possible to access the jail or even the
whole system from other software, what do you then need the jail for? Someone who wants to cause you harm would surely go for
the entire thing instead of playing around with one jail.
I have built a similar stack on my devel box and found out there is another alternative to your config.
Instead of using a tcp socket, one might want to ask php-fpm to create its socket in the /run/php-fpm directory of nginx's chrooted jail.
(...)
pid = /path_to_nginx_jail/run/php-fpm/php-fpm.pid
(...)
listen = /path_to_nginx_jail/run/php-fpm/php-fpm.sock
(...)
I'm not sure how it will affect the whole security concept though.
php-fpm must be configured to use a chroot directory.
Make sure to set the chroot variable.
chroot = /srv/http
In order to connect to the php-fpm socket, FastCGI must listen on the TCP socket.
listen = 127.0.0.1:9000
Using a Unix socket doesn't connect; if somebody succeeds with it, please tell me, since a Unix socket is faster.
This is my php block in nginx.conf:
location ~ \.php$ {
    try_files $uri =404;            # "=404" must be one token, no space
    root /usr/share/nginx/html;
    fastcgi_pass 127.0.0.1:9000;    # php-fpm listening on TCP
    fastcgi_index index.php;
    include fastcgi.conf;
}
# systemctl restart php-fpm
# systemctl restart nginx
Enjoy.
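As an added example (not code from this thread), a small checker for the two wirings the thread describes: Greg's unix-socket layout, where php-fpm's listen path is host-absolute while nginx inside its jail sees the same socket at the jail-relative path, and jonalvarezz's TCP layout. The config strings are constructed samples, and the nginx jail path is assumed to be what /proc/PID/root shows for the nginx workers.

```python
import re

# Constructed sample fragments modelled on the thread's two configurations.
PHP_FPM_UNIX = """
chroot = /path_to_nginx_jail
pid = /path_to_nginx_jail/run/php-fpm/php-fpm.pid
listen = /path_to_nginx_jail/run/php-fpm/php-fpm.sock
"""
PHP_FPM_TCP = """
chroot = /srv/http
listen = 127.0.0.1:9000
"""
NGINX_UNIX = "fastcgi_pass unix:/run/php-fpm/php-fpm.sock;"
NGINX_TCP = "fastcgi_pass 127.0.0.1:9000;"


def parse_pool(text):
    """Parse 'key = value' lines of a php-fpm pool config into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def fastcgi_pass(location):
    """Extract the fastcgi_pass target from an nginx location block."""
    m = re.search(r"fastcgi_pass\s+(\S+?);", location)
    return m.group(1) if m else None


def check(pool_text, location_text, nginx_jail):
    """Return a list of mismatches; an empty list means both sides agree.

    nginx_jail is the directory nginx is chrooted to (host path). For a unix
    socket, php-fpm's master creates the socket before any chroot applies, so
    the pool's listen path is host-absolute and must equal
    nginx_jail + the path nginx sees from inside its jail.
    """
    pool = parse_pool(pool_text)
    listen = pool.get("listen", "")
    target = fastcgi_pass(location_text)
    if target is None:
        return ["nginx location has no fastcgi_pass"]
    if target.startswith("unix:"):
        expected = nginx_jail.rstrip("/") + target[len("unix:"):]
        if listen != expected:
            return [f"php-fpm listens on {listen!r} but nginx expects {expected!r}"]
        return []
    # TCP: nginx resolves "localhost"; compare against the literal php-fpm binds
    if target.replace("localhost:", "127.0.0.1:") != listen:
        return [f"php-fpm listens on {listen!r} but nginx passes to {target!r}"]
    return []
```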
I have a fresh installation of chrooted nginx following the nginx - Arch Linux wiki.
nginx's welcome page is served with no problems, however I'm getting issues with .php files.
If I don't put a root path in the php block of the nginx configuration file:
location ~ \.php$ {
    try_files $uri =404;            # "=404" must be one token, no space
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}
I get a 404 Error message. (Nginx Log)
Instead, if I define the root path:
location ~ \.php$ {
    try_files $uri =404;            # "=404" must be one token, no space
    root /usr/share/nginx/html;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}
I get the error message: "An error occurred. Sorry, the page you are looking for is currently unavailable. Please try again later." (Nginx Log)
I've tried different php block configurations like:
Using fastcgi_pass 127.0.0.1:9000;
Using fastcgi_pass localhost:9000;
Using fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
With no luck.
open_basedir in /etc/php/php.ini already includes /usr/share/nginx/html:
open_basedir = /usr/share/webapps/:/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/nginx/html
Here are my conf files:
Some outputs:
ps -C nginx | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done
lrwxrwxrwx 1 root root 0 Aug 7 00:22 /proc/451/root -> /srv/http
lrwxrwxrwx 1 http http 0 Aug 7 00:22 /proc/452/root -> /srv/http
ps -ef|grep php-fpm
root 363 1 0 Aug06 ? 00:00:03 php-fpm: master process (/etc/php/php-fpm.conf)
http 364 363 0 Aug06 ? 00:00:00 php-fpm: pool www
http 365 363 0 Aug06 ? 00:00:00 php-fpm: pool www
root 459 438 0 00:22 pts/0 00:00:00 grep php-fpm
Wondering if the PHP files, or the php-fpm socket, must be copied to the respective jail path.
Any ideas?
Thank you so much.