Why is my PHP7.0-FPM pool not running as the system user specified for it?

Time: 2016-10-26 15:30:31

Tags: php php-7 lxd fpm

I do this setup often, but this time I must be overlooking something.

Goal

Have Apache 2.4 vhosts in an LXD container use a different PHP-FPM pool per vhost, each running as its own system user.

Problem

Everything works, but when uploading files, the upload directory has to be set to www-data, which should not be necessary with PHP-FPM.

System

Ubuntu 16.04 LXD container

Code

/etc/apache2/conf-enabled/php7.0-fpm.conf



root@web1:~# cat /etc/apache2/conf-enabled/php7.0-fpm.conf 
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
    </FilesMatch>
    <FilesMatch ".+\.phps$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
</IfModule>

/etc/apache2/sites-enabled/hs2.nl.conf

root@web1:~# cat /etc/apache2/sites-enabled/hs2.nl.conf 
<VirtualHost *:80>
  ServerAdmin webmaster@hs2.nl
  ServerName hs2.nl
  ServerAlias www.hs2.nl
  DocumentRoot /var/www/html/hs2.nl/web
  ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
  CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
  #LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
  <Directory /var/www/html/hs2.nl/web>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
  <Directory /usr/lib/cgi-bin>
    Require all granted
  </Directory>
  <IfModule mod_fastcgi.c>
    AddHandler php7-fcgi .php
    Action php7-fcgi /php7-fcgi
    Alias /php7-fcgi /usr/lib/cgi-bin/hs2.nl-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/hs2.nl-fcgi -socket /var/run/php/hs2.nl-fpm.sock -pass-header Authorization
  </IfModule>
</VirtualHost>

/etc/php/7.0/fpm/pool.d/hs2.nl.conf

root@web1:~# cat /etc/php/7.0/fpm/pool.d/hs2.nl.conf 
[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /var/run/php/hs2.nl-fpm.sock
listen.owner = hs2.nl
listen.group = hs2.nl
prefix = /var/www/html/hs2.nl
chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Directory permissions

hs2.nl@web1:~/web/uploads$ ls -ald .
drwxr-xr-x 2 hs2.nl hs2.nl 2 Oct 26 15:15 .
hs2.nl@web1:~/web/uploads$ pwd
/var/www/html/hs2.nl/web/uploads

Processes running as their respective users

root@web1:~# ps aux | egrep "USER|php-fpm: master|pool hs2.nl"
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     16470  0.0  0.3 365880 20220 ?        Ss   14:55   0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
hs2.nl   16479  0.0  0.0 365688  4764 ?        S    14:55   0:00 php-fpm: pool hs2.nl
hs2.nl   16480  0.0  0.0 365688  4764 ?        S    14:55   0:00 php-fpm: pool hs2.nl

phpinfo

hs2.nl@web1:~/web$ cat phpinfo.php 
<?php
// Run id and whoami through the FPM worker to see which account PHP executes as
$id = shell_exec('id');
$whoami = shell_exec('whoami');
echo "Id: " . $id . "<br />";
echo "Who am I?: " . $whoami . "<br />";
phpinfo();
?>

Output

Id: uid=33(www-data) gid=33(www-data) groups=33(www-data) 
Who am I?: www-data 

Further thoughts

I thought this might be LXD-related, but all pools appear to run under their own users.

Edit: to rule out that theory I loaded the same configuration onto a plain KVM virtual machine, where I was able to reproduce the problem in exactly the same way, so I must have made a mistake in my configuration; it is unrelated to LXD.

1 answer:

Answer 0 (score: 0)

Found the answer on Koen Reiniers' blog: http://blog.koenreiniers.nl/guide-to-combining-apache-virtual-hosts-and-php7-fpm/

Basically my mistake was having one "handler" for the PHP-FPM sockets of multiple virtual hosts.

I changed my vhost config to:

<IfModule mod_fastcgi.c>
  AddHandler php7-fcgi-hs2.nl .php
  Action php7-fcgi-hs2.nl /php7-fcgi-hs2.nl
  Alias /php7-fcgi-hs2.nl /usr/lib/cgi-bin/php7-fcgi-hs2.nl
  FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-hs2.nl -socket /run/php/php7.0-fpm.hs2.nl.sock -pass-header Authorization
  <Directory "/usr/lib/cgi-bin">
  Require all granted
  </Directory>
</IfModule>
<VirtualHost *:80>
  ServerAdmin webmaster@hs2.nl
  ServerName hs2.nl
  ServerAlias www.hs2.nl
  DocumentRoot /var/www/html/hs2.nl/web
  ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
  CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
  #LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
  <Directory /var/www/html/hs2.nl/web>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
  <IfModule mod_fastcgi.c>
      <FilesMatch ".+\.ph(p[345]?|t|tml)$">
          SetHandler php7-fcgi-hs2.nl
      </FilesMatch>
  </IfModule>
</VirtualHost>

In my PHP-FPM pool I added listen.mode = 0666:

[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /run/php/php7.0-fpm.hs2.nl.sock
listen.owner = hs2.nl
listen.group = hs2.nl
listen.mode = 0666
;prefix = /var/www/html/hs2.nl
;chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
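As an added check that is not part of the original post or the linked blog: a small POSIX shell script that applies Apache's section merge order (a <FilesMatch> SetHandler inside <VirtualHost> overrides the same section in the global php7.0-fpm.conf, which in turn overrides a bare AddHandler in the vhost) to report which handler, and so which FPM socket, actually serves .php for a vhost, and that flags a world-writable pool socket. The config snippets it reads are constructed inline to mirror the before and after vhost above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports the handler Apache
# will use for *.php in a vhost, using the merge rule that a <FilesMatch>
# SetHandler inside <VirtualHost> beats the same section in the global conf,
# which beats a bare AddHandler in the vhost. Also flags a pool socket whose
# listen.mode lets every local user connect. File names below are constructed.

# Print the SetHandler target of the first <FilesMatch ...ph...> block, if any.
filesmatch_sethandler() {  # $1 = conf file
  awk '/<FilesMatch/ && /ph/ {f=1} f && /SetHandler/ {gsub(/"/, "", $2); print $2; exit} /<\/FilesMatch>/ {f=0}' "$1"
}

# Print the effective handler for *.php requests in a vhost ("default" if none).
effective_php_handler() {  # $1 = vhost conf, $2 = global conf (conf-enabled)
  h=$(filesmatch_sethandler "$1")
  [ -n "$h" ] || h=$(filesmatch_sethandler "$2")
  [ -n "$h" ] || h=$(awk '/^[[:space:]]*AddHandler/ {print $2; exit}' "$1")
  printf '%s\n' "${h:-default}"
}

# Return 0 unless the pool's listen.mode gives "other" write access (2,3,6,7):
# connecting to the socket needs write, so such a mode lets any local account
# run PHP as the pool user. php-fpm's default is 0660.
pool_socket_mode_ok() {  # $1 = pool conf
  mode=$(sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*0*\([0-7]*\).*/\1/p' "$1" | head -n 1)
  case "${mode:-660}" in *[2367]) return 1 ;; *) return 0 ;; esac
}

# Constructed sample inputs mirroring the post's global conf and both vhost versions.
d=$(mktemp -d)
cat > "$d/global.conf" <<'EOF'
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
    SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
</FilesMatch>
EOF
cat > "$d/vhost_before.conf" <<'EOF'
AddHandler php7-fcgi .php
EOF
cat > "$d/vhost_after.conf" <<'EOF'
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler php7-fcgi-hs2.nl
</FilesMatch>
EOF
printf 'listen.mode = 0666\n' > "$d/pool.conf"
echo "before: $(effective_php_handler "$d/vhost_before.conf" "$d/global.conf")"
echo "after:  $(effective_php_handler "$d/vhost_after.conf" "$d/global.conf")"
pool_socket_mode_ok "$d/pool.conf" || echo "pool.conf: listen.mode is world-writable"
```

The "before" line resolves to the global proxy socket, i.e. the www-data pool, which is why id reported www-data. For the socket itself, listen.group = www-data with listen.mode = 0660 gives Apache access without opening the pool to every other local account.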