Rotten mud: nginx, php-fpm, mysql user permission parsing, nginxphp-fpm

Source: Internet
Author: User
Tags: php error, php error log, wordpress blog


This article was first published in the dark world.

A few days ago I learned how to set up a WordPress blog under nginx. In the article "dirty mud: Using nginx to build a WordPress blog using a virtual host", we made a point of noting which user runs each program.

In this article, we explain how nginx, php-fpm, and mysql are configured to run under their respective users.

First a note: nginx itself cannot execute PHP; it is only a web server. After receiving a client request, if it is a PHP request, nginx forwards it to the PHP interpreter for processing and returns the result to the client. If the page is static, nginx handles it itself and returns the result to the client.

FastCGI is the most common way for nginx to hand PHP off. In general, nginx forwards the PHP request to the FastCGI management process (php-fpm); the management process selects a CGI child process to handle it, and the result is returned to nginx.

Two users are involved in this process: the user running nginx and the user running php-fpm. If a static file is accessed, only the user running nginx needs read or write permission on the file.

If a PHP file is accessed, the user running nginx needs read permission on the file. After reading it, nginx finds that it is a PHP file and forwards it to php-fpm; in that case the php-fpm user must have read or write permission on the file.
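The two-user model above can be checked directly against a web root. The following POSIX shell script is an added example, not code from the original article: it decides, from the classic owner/group/other mode bits only (no ACLs, no SELinux), whether the nginx worker user can enter and read a directory and whether the php-fpm user can also write to the uploads directory. It assumes GNU coreutils stat(1); the user names and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit a web root against the
# two-user model (nginx worker user reads, php-fpm user reads and writes).
# Assumes GNU coreutils stat(1); judges only the classic owner/group/other
# mode bits (no ACLs, no SELinux). The user names and paths are placeholders.

# user_can PATH UID "GID LIST" r|w|x
# Succeeds if a process with that uid and group list has the requested
# permission bit on PATH.
user_can() {
    path=$1; uid=$2; gids=$3; want=$4
    info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 2
    set -- $info                         # owner uid, group gid, octal mode
    owner=$1; group=$2; mode=$3
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$uid" -eq 0 ]; then
        [ "$want" = x ] || return 0      # root reads and writes regardless of mode
        [ $(( 0$mode & 0111 )) -ne 0 ] && return 0   # but needs some x bit to traverse
        return 1
    fi
    if [ "$uid" -eq "$owner" ]; then
        digit=$(( (0$mode >> 6) & 7 ))
    elif echo " $gids " | grep -q " $group "; then
        digit=$(( (0$mode >> 3) & 7 ))
    else
        digit=$(( 0$mode & 7 ))
    fi
    [ $(( digit & bit )) -ne 0 ] && return 0
    return 1
}

# dir_reachable DIR UID "GID LIST": the user needs the x (search) bit on DIR
# and on every directory above it to get at anything inside.
dir_reachable() {
    p=$1
    while :; do
        user_can "$p" "$2" "$3" x || return 1
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# check "description" command args...: print PASS/FAIL, record failures in $rc
check() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
}

# audit_webroot DOCROOT NGINX_USER FPM_USER [UPLOAD_DIR]
# Returns 1 if any check fails, 2 if a user name does not resolve.
audit_webroot() {
    root=$1; nuser=$2; fuser=$3; uploads=${4:-$1/wp-content/uploads}
    nuid=$(id -u "$nuser" 2>/dev/null) || return 2; ngids=$(id -G "$nuser")
    fuid=$(id -u "$fuser" 2>/dev/null) || return 2; fgids=$(id -G "$fuser")
    rc=0
    check "$nuser (nginx) can enter $root"     dir_reachable "$root" "$nuid" "$ngids"
    check "$nuser (nginx) can read $root"      user_can "$root" "$nuid" "$ngids" r
    check "$fuser (php-fpm) can enter $root"   dir_reachable "$root" "$fuid" "$fgids"
    check "$fuser (php-fpm) can read $root"    user_can "$root" "$fuid" "$fgids" r
    if [ -d "$uploads" ]; then
        check "$fuser (php-fpm) can write $uploads" user_can "$uploads" "$fuid" "$fgids" w
    else
        echo "SKIP: $uploads does not exist yet"
    fi
    return $rc
}

# Usage: sh audit.sh /ilanni/a.ilanni.com nobody nobody
[ $# -ge 3 ] && audit_webroot "$@"
```

Run it with the document root and the two service users; a FAIL on the php-fpm write check is exactly the condition that breaks image uploads, while a FAIL on an "enter" check points at a parent directory rather than the root itself.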

First, let's check which user nginx runs as. Run the following ps command:

ps aux | grep nginx

We can clearly see that the nginx master process runs as root while the worker process runs as nobody, and that there is only one worker process. This matches the nginx configuration file:

more /usr/local/nginx/conf/nginx.conf

NOTE: if no user is configured in nginx.conf, nginx runs its workers as nobody by default. Running nginx as nobody is a safe choice.

That covers the users nginx runs as.

Now let's check which user php-fpm runs as, again with ps:

ps aux | grep php-fpm

We can see that the php-fpm master process runs as root, and all child processes run as the apache user.

Let's look at which user the mysql database runs as, again with ps:

ps aux | grep mysql

We can see that mysql runs as the mysql user, and its PID matches the one recorded in /var/run/mysqld.pid.

The preceding figures show which users nginx, php-fpm, and mysql run under.

Let's test this configuration in a real production setup. In the article "mud: Using nginx to build a WordPress blog using a virtual host", we already configured the virtual host a.ilanni.com, as follows:

Let's look at the user and group of the a.ilanni.com virtual host root directory, as shown below:

In a production environment, we generally configure nginx and php-fpm to run as nobody, and the website root directory must belong to nobody, with the nobody user holding full permissions on it.

This configuration is the safest, because the nobody account is the safest: even if attackers compromise the website, they cannot log on to the system with it.

For now we will not change any configuration; we will post an article with the default users and see what actually happens.

For WordPress posts, I usually publish through the blog client Windows Live Writer.

We again use this client to post an article containing only text and no images, as shown below:

We can see that this text-only test article was published successfully.

Next, let's test an article with images, as shown below:

We can see that the article with images cannot be published; Windows Live Writer reports an error.

Why can't articles with images be published?

The cause is simple. Images in an article must be uploaded into the website's root directory before they can be served. Currently php-fpm runs as the apache user, and the apache user has neither access to nor write permission on the root directory of the virtual host a.ilanni.com.

That is why the error above occurs and Windows Live Writer cannot publish articles with images.

How can this problem be solved?

The fix is also simple and follows from what we said above. nginx involves two users: the nginx user and the php-fpm user. If a static file is accessed, only the nginx user needs read permission on the file.

If a PHP file is accessed, the nginx user first needs read permission on the file. After reading it, nginx sees that it is a PHP file and forwards it to php-fpm, so the php-fpm user must also have read permission on the file.

What we need to do now is make both nginx and php-fpm run as nobody, and then give the nobody user and nobody group full permissions on the root directory of the nginx virtual host a.ilanni.com.

nginx already runs as nobody, so it needs no change. Let's adjust the php-fpm user. We installed php-fpm with yum and use the default configuration; the configuration file is /etc/php-fpm.d/www.conf.

Now edit the file and change its user and group settings, as follows:

vi /etc/php-fpm.d/www.conf

After editing, restart php-fpm, as follows:

/etc/init.d/php-fpm restart

ps aux | grep php-fpm

We can see that php-fpm now runs as the nobody user.

With the php-fpm user changed, let's change the user and group of the virtual host root directory, as follows:

chown -R nobody:nobody a.ilanni.com/

After changing the user and group of the a.ilanni.com root directory, we must also adjust the permissions nobody has on it.

We can see that the nobody user now has full control over the root directory of the virtual host a.ilanni.com.
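The steps above (change the pool user, restart, chown the root, fix permissions, verify) as one repeatable script. This is an added example, not the article's own commands: it assumes a yum-style php-fpm whose pool file carries plain "user = ..." / "group = ..." lines, and the 755/644 modes for directories and files are this example's choice for "full control for the owner while nginx can still read". Paths are placeholders taken from the article.

```shell
#!/bin/sh
# Added example, not from the original article: make php-fpm run as the same
# user as nginx's workers and hand the virtual host root to that user.
# Assumes a yum-style php-fpm pool file with "user = ..." / "group = ..." lines.

# set_pool_identity POOL_CONF USER GROUP: rewrite the user/group lines in place
set_pool_identity() {
    conf=$1; user=$2; group=$3
    grep -q '^user *=' "$conf" || return 2      # refuse to guess if the line is absent
    sed -i -e "s/^user *=.*/user = $user/" -e "s/^group *=.*/group = $group/" "$conf"
}

# pool_identity POOL_CONF: print "user group" as currently configured
pool_identity() {
    u=$(sed -n 's/^user *= *//p' "$1"); g=$(sed -n 's/^group *= *//p' "$1")
    echo "$u $g"
}

# fix_docroot DOCROOT USER GROUP: chown -R as the article does, then
# directories 755 and files 644 (example's choice) so the owner has full
# control and the nginx worker can still read what php-fpm writes.
fix_docroot() {
    root=$1; user=$2; group=$3
    chown -R "$user:$group" "$root" || return 1
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} +
}

# owner_of PATH: "user group" of a path (GNU stat)
owner_of() { stat -c '%U %G' "$1"; }

# apply_all [POOL_CONF] [DOCROOT] [USER]: the full procedure with a config
# syntax check before the restart and a process listing afterwards.
apply_all() {
    conf=${1:-/etc/php-fpm.d/www.conf}; root=${2:-/ilanni/a.ilanni.com}; who=${3:-nobody}
    set_pool_identity "$conf" "$who" "$who" || return 1
    php-fpm -t || return 1                 # do not restart on a broken config
    /etc/init.d/php-fpm restart || return 1
    fix_docroot "$root" "$who" "$who" || return 1
    ps -o user= -C php-fpm | sort -u       # expect: root (master) and $who (children)
}
```

Only the helpers are exercised stand-alone; apply_all is the production entry point. If the pool listens on a unix socket rather than TCP, the pool's listen.owner and listen.group settings decide whether the nginx worker may connect to it, and they should match the nginx worker user as well.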

After the permissions are changed, we can publish the article with Windows Live Writer again, as follows:

We can see that the image has been published to WordPress successfully. Let's look at where WordPress stores the images:

ll /ilanni/a.ilanni.com/wp-content/uploads/2014/09

These are the nginx, php-fpm, and mysql user configurations as used in practice, and the article could end here.

But to match our real production environment better, we can extend it. Suppose WordPress is a project still under development, and the developers have not been given Linux accounts on the system, only an FTP account.

What should I do if a developer needs to upload and modify the code?

This calls for vsftpd virtual users. For details, see my earlier article "muddy mud: Using vsftpd virtual users with anonymous users".

Install vsftpd with yum first. After the installation completes, configure vsftpd.

The configured file looks like this:

vi /etc/vsftpd.conf

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=http.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_port=2121
pasv_min_port=6000
pasv_max_port=6150
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=nobody
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vu_conf
virtual_use_local_privs=yes

guest_enable=YES enables vsftpd virtual users, that is, every user logging on to FTP is a virtual user rather than a system account.

guest_username=nobody sets the system user that virtual users are mapped to, here the nobody user.

virtual_use_local_privs=yes gives virtual users the same privileges as local users.

pam_service_name=vsftpd selects the PAM service vsftpd uses for authentication.

Then configure the per-user directory of the vsftpd virtual user, as follows:

vi vu_conf/ilanni

local_root=/ilanni/a.ilanni.com

With this configuration, the vsftpd virtual user ilanni has full control over the root directory of the nginx virtual host a.ilanni.com.

In this way, the project is managed through vsftpd.
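Because the virtual user is mapped to a system user (guest_username) and everything it uploads lands on disk as that user, the local_root of each virtual user has to be owned and writable by that same user, which is why the article uses nobody for nginx, php-fpm and vsftpd alike. The following script is an added example, not part of the original article: it reads the settings from a vsftpd.conf and a per-user file in user_config_dir and reports the first inconsistency it finds. It assumes vsftpd's "key=value" line format and GNU stat(1); file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: cross-check a vsftpd virtual
# user against the web root it is meant to manage. Assumes vsftpd's
# "key=value" lines and GNU stat(1); paths are placeholders.

# conf_get FILE KEY: value of KEY in a vsftpd-style file; the last setting wins
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# conf_bool FILE KEY: 0 if KEY is YES/TRUE/1 (compared case-insensitively)
conf_bool() {
    case $(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]') in YES|TRUE|1) return 0 ;; esac
    return 1
}

# vu_check VSFTPD_CONF VIRTUAL_USER: 0 if consistent, 1 with a reason otherwise
vu_check() {
    conf=$1; vuser=$2
    conf_bool "$conf" guest_enable || { echo "guest_enable is not YES"; return 1; }
    guest=$(conf_get "$conf" guest_username)
    [ -n "$guest" ] || { echo "guest_username is not set"; return 1; }
    dir=$(conf_get "$conf" user_config_dir)
    [ -f "$dir/$vuser" ] || { echo "no per-user file $dir/$vuser"; return 1; }
    root=$(conf_get "$dir/$vuser" local_root)
    [ -d "$root" ] || { echo "local_root '$root' is not a directory"; return 1; }
    owner=$(stat -c %U "$root")
    [ "$owner" = "$guest" ] || { echo "$root is owned by $owner, not by $guest"; return 1; }
    # uploads arrive as $guest, so the owner needs write and search on local_root
    mode=$(stat -c %a "$root")
    [ $(( (0$mode >> 6) & 3 )) -eq 3 ] || { echo "$root mode $mode denies the owner write/search"; return 1; }
    # with virtual_use_local_privs, virtual users may write only if write_enable=YES
    if conf_bool "$conf" virtual_use_local_privs; then
        conf_bool "$conf" write_enable || { echo "write_enable is not YES"; return 1; }
    fi
    echo "OK: $vuser -> $guest -> $root"
}

# Usage: sh vu_check.sh /etc/vsftpd.conf ilanni
[ $# -ge 2 ] && vu_check "$@"
```

The same check applied to the article's values (guest_username=nobody, local_root=/ilanni/a.ilanni.com) passes only after the chown -R nobody:nobody step earlier in the article, which ties the FTP side to the same ownership decision as php-fpm.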


When installing nginx + php + mysql on Linux, it is stuck on the required php-fpm. My colleagues say that php-fpm is included in php5410, but it is not found.

Was the enable-fpm parameter added during installation? PHP comes with it, so you don't need to look for a third-party one.

How do I make nginx + php-fpm display error logs?

To make php-fpm write an error log, configure php-fpm first.
Set the path of the PHP error log file in the php-fpm configuration file (usually etc/php-fpm.conf under the PHP installation directory):

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; in a local file.
; Note: the default prefix is /home/wangwei/php/var
; Default Value: log/php-fpm.log
;error_log = log/php-fpm.log

The above is where the error log is configured in my php-fpm.conf. Remove the ; before error_log = log/php-fpm.log and change it to:

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; in a local file.
; Note: the default prefix is /home/wangwei/php/var
; Default Value: log/php-fpm.log
error_log = /home/work/log/php-fpm.log.wf

After the modification, save the configuration and restart php-fpm.
Note that if a relative path is used, it is resolved relative to the var directory of the PHP installation directory.

Wang Wei [authoritative expert]
