Custom PHP pool and user/group per site #41

Closed
andremacola opened this issue Mar 25, 2019 · 16 comments
Labels
enhancement New feature or request planned This request will be implemented Stale

Comments

@andremacola

Like: wo site create mysite.com --wp --umyuserr:gmygroup

The script creates and assigns the user and group for the folder, fixes the permissions and creates the PHP pool.
RunCloud does exactly that.

I'm doing this manually every time.

Example PHP pool:

[mysite]
listen = 127.0.0.1:9087
listen.owner = www-data
listen.group = www-data
listen.backlog = 65536
pm.status_path = /status
ping.path = /ping
ping.response = pong
user = mysite
group = mysite
pm = ondemand
php_admin_value[open_basedir] = /var/www/mysite:/var/lib/php/session:/tmp

@VirtuBox VirtuBox added the enhancement New feature or request label Mar 25, 2019
@ankitsnlq

Hi VirtuBox,

I have noticed that if you have a custom PHP pool configured manually, the pools get deleted during wordops update. So please, can you make wordops update not remove custom pools configured manually?

@VirtuBox
Member

Hello @ankitsnlq,
Yes, I will only force deletion of the www.conf & www-two.conf files instead of removing everything in the pool.d directory.

@VirtuBox
Member

The issue has been fixed with PR #43.

@ankitsnlq

Thank you @VirtuBox. Tested it and it is good now. Are you planning a per-site PHP pool module in WordOps v4.0?

@VirtuBox
Member

Hello @ankitsnlq,

This is not planned yet, because there are several other features already planned (wildcard SSL certs, monitoring, backup), but also because it will probably be the biggest change to the WO structure and configuration. It will require running a lot of tests to see if there is an impact on performance, especially with open_basedir and opcache.

@andremacola
Author

What I do is something like this in the nginx config:

    set $phpfpm_port 9099;
    set $index_https "-https";

    # wpsc-php7 replace
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:$phpfpm_port;
        # Following line is needed by WP Super Cache plugin
        fastcgi_param SERVER_NAME $http_host;
    }

    # FOR WP-SUPERCACHE
    try_files /wp-content/cache/supercache/$http_host/$cache_uri/index$index_https.html $uri $uri/ /index.php?$args;

Fix the permissions on the /var/www/domain.ltd folder:

    chown -R user:group /var/www/domain.ltd
    chmod a-w /var/www/domain.ltd
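
A shell version of the provisioning this thread describes, added here as an example (it is not WordOps or RunCloud code): it renders a pool like the one in the opening post, creates the per-site account, and applies the chown/chmod from the comment above. The php7.3 paths, the `pm.max_children` value, the `nologin` shell and the site-name validation rule are assumptions.

```shell
#!/bin/sh
# Added example, not WordOps code: one PHP-FPM pool per site, running as its own
# Unix user, with open_basedir confined to that site's webroot.
# Assumed layout: /var/www/<site> as webroot, /etc/php/7.3/fpm/pool.d for pools.
set -eu

# The site name ends up in file paths, the pool name and a Unix user name, so
# anything other than a plain hostname-like label (no "../", spaces, leading
# "-" or ".") must be rejected before it touches the filesystem.
validate_site_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the pool file: the socket stays owned by www-data (nginx), the PHP
# workers run as the site user, and open_basedir fences them into the webroot.
render_pool_conf() {
    site=$1; user=$2; group=$3; port=$4
    validate_site_name "$site" || return 1
    cat <<EOF
[$site]
listen = 127.0.0.1:$port
listen.owner = www-data
listen.group = www-data
listen.backlog = 65536
pm.status_path = /status
ping.path = /ping
ping.response = pong
user = $user
group = $group
pm = ondemand
pm.max_children = 10
php_admin_value[open_basedir] = /var/www/$site:/var/lib/php/session:/tmp
EOF
}

# Create the account, write the pool and lock down the webroot. Needs root.
provision_site() {
    site=$1; user=$2; group=$3; port=$4
    validate_site_name "$site" || { echo "bad site name: $site" >&2; return 1; }
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || useradd -r -g "$group" -d "/var/www/$site" -s /usr/sbin/nologin "$user"
    render_pool_conf "$site" "$user" "$group" "$port" > "/etc/php/7.3/fpm/pool.d/$site.conf"
    mkdir -p "/var/www/$site"
    chown -R "$user:$group" "/var/www/$site"
    chmod a-w "/var/www/$site"   # top-level directory read-only, as in the thread
    systemctl reload php7.3-fpm
}
```

Call `provision_site mysite mysite mysite 9087` as root to apply it; `render_pool_conf` alone only prints the pool file and is safe to run anywhere.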

@VirtuBox VirtuBox added this to Backlog in WordOps v4.0 Mar 31, 2019
@michacassola

michacassola commented Jul 24, 2019

@andremacola
What are the main benefits? More security?

Will applying cgroups to those users or groups limit the whole site: PHP, NGINX and the Database?

Also found an interesting article: https://ma.ttias.be/a-better-way-to-run-php-fpm/

@andremacola
Author

@michacassola with the correct approach yes. The Database itself is already running with a separate user.

Running each website with its own user prevents a bunch of security problems.

@VirtuBox VirtuBox moved this from Backlog to In progress in WordOps v4.0 Aug 19, 2019
@VirtuBox VirtuBox added the planned This request will be implemented label Sep 1, 2019
@VirtuBox VirtuBox removed this from In progress in WordOps v4.0 Sep 16, 2019
@kassemz

kassemz commented Oct 22, 2019

Yes, this would be good to implement and should be the default IMO: each site's PHP running under its own user.

@andremacola
Author

I had to remove open_basedir from the default pool because of performance on a bunch of heavy-traffic sites.

@dingman

dingman commented Feb 24, 2020

Any updates on this?

Or does anyone have a config implementation of this?

Would really like to see this for increased system security.

@dingman

dingman commented May 11, 2020

@VirtuBox any updates here? This seems like it would help a lot for security.

@dingman

dingman commented Oct 14, 2020

@VirtuBox this seems like the highest security risk in this setup right now. Any update on when we can expect to have this feature?

@michacassola

In addition to separation for security, I also need to distribute/limit resources (that's what I am selling, after all, together with managing services), which is why I have started using LXD (Linux Containers) on top of my servers for near-complete separation. It also gives me the ability to quickly move a complete container to another host server and to do backups that way through LXD itself.


github-actions bot commented Jan 2, 2024

This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Jan 2, 2024

github-actions bot commented Jan 7, 2024

This issue was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions bot closed this as not planned Jan 7, 2024