Slime: Nginx, php-fpm, MySQL user Rights resolution

Source: Internet
Author: User
Tags: fpm, file permissions, wordpress, blog

This article was originally published on the Slime Row World blog.

A few days ago I studied how to build a WordPress blog under Nginx. In the article "Slime: Using Nginx to build a WordPress blog", we mentioned in particular the user under which each program runs.

In this article, we will explain in detail how to configure Nginx, PHP-FPM and MySQL to run under their own users.

First, a note: Nginx itself cannot handle PHP; it is just a web server. When it receives a client request, if the request is for PHP it is forwarded to the PHP interpreter for processing and the result is returned to the client. If it is a static page, Nginx handles it itself and returns the result to the client.

The PHP interpreter most commonly used with Nginx is FastCGI. In general, the PHP request is forwarded to the FastCGI management process, which selects a CGI child process to handle it and then returns the result to Nginx.

Two users are involved in this process: the user Nginx runs as and the user php-fpm runs as. If a static file is being accessed, only the user running Nginx needs read or write access to the file.

If a PHP file is being accessed, the Nginx user first needs read permission on the file; once it reads the file and finds that it is a PHP file, it forwards the request to PHP-FPM, and at that point the PHP-FPM user needs read, or read and write, permission on the file.

First, let's see which user Nginx runs as. Use the ps command:

ps aux | grep nginx

[screenshot: clip_image001]

We can clearly see that the Nginx master process runs as root while the worker process runs as nobody, and that there is only one worker process. This matches our Nginx configuration file:

more /usr/local/nginx/conf/nginx.conf

[screenshot: clip_image002]

Note: if no user is configured, Nginx runs as the nobody user by default. Running Nginx as nobody is relatively secure.

That is the user Nginx runs as.

Now let's look at the user PHP-FPM runs as, again using the ps command:

ps aux | grep php-fpm

[screenshot: clip_image003]

From this we can see that the php-fpm master process runs as root and the child processes all run as the apache user.

Let's look at which user the MySQL database runs as, again using ps:

ps aux | grep mysql

[screenshot: clip_image004]

As we can see, MySQL runs as the mysql user, and its PID is exactly the one saved in /var/run/mysqld/mysqld.pid.

Those are the users that Nginx, PHP-FPM and MySQL run as.

Now let's test this against the configuration in our actual production environment. In the article "Slime: Using Nginx to build a WordPress blog with virtual hosts" we configured the virtual host a.ilanni.com, as follows:

[screenshot: clip_image005]

Let's look at the user and group of the a.ilanni.com virtual host's root directory:

[screenshot: clip_image006]

In an actual production environment, our usual configuration is that Nginx and PHP-FPM both run as the nobody user, the site root directory also belongs to the nobody user, and the nobody user has full permissions on that root directory.

This configuration is the most secure because the nobody user is the safest: even if attackers compromise the site, they cannot log in to the system.

Now, without changing any configuration, let's publish an article under the respective default users and see what actually happens.

I generally publish WordPress articles through the Windows Live Writer blog client.

We will use this client to publish an article containing only text and no pictures:

[screenshot: clip_image007]

[screenshot: clip_image008]

We can clearly see that this test text article was published successfully.

Next we will test an article with pictures:

[screenshot: clip_image009]

[screenshot: clip_image010]

We can see that the article with the picture could not be published; Windows Live Writer reported an error.

Why can't an article with a picture be published?

The problem is actually very simple: the picture in the article has to be uploaded to the web site's root directory before it can be accessed. PHP-FPM currently runs as the apache user, and the apache user has no access to the root directory of the virtual host a.ilanni.com, and in particular no write permission.

As a result, Windows Live Writer cannot publish an article with pictures.

So how do we solve this problem?

It is actually very simple, and we already explained it above. Nginx involves two users: the user Nginx runs as and the user php-fpm runs as. If a static file is accessed, only the user running Nginx needs read access to the file.

If a PHP file is accessed, the nginx user first needs read permission on the file; once it reads the file and finds that it is a PHP file, it forwards the request to PHP-FPM, and at that point the php-fpm user needs read permission on the file.

What we need to do now is make both Nginx and PHP-FPM run as the nobody user, and then give the nobody user and the nobody group full permissions on the site root directory of the Nginx virtual host a.ilanni.com.

Nginx already runs as nobody, so we leave it alone. Let's adjust the php-fpm user. We installed php-fpm through yum, and it uses the default configuration file, /etc/php-fpm.d/www.conf.

Now edit the file and change the user and group it runs as:

vi /etc/php-fpm.d/www.conf

[screenshot: clip_image011]

After editing, restart PHP-FPM and check the process list again:

/etc/init.d/php-fpm restart

ps aux | grep php-fpm

[screenshot: clip_image012]

We can see that PHP-FPM is now running as the nobody user.

Now that the PHP-FPM user has been modified, we modify the user and group of the virtual host's root directory:

chown -R nobody:nobody a.ilanni.com/

[screenshot: clip_image013]

After modifying the user and group of the a.ilanni.com root directory, you should also remember to adjust nobody's permissions on the a.ilanni.com root directory.

As we can see, the nobody user now has control over the root directory of the virtual host a.ilanni.com.

Once the above permissions have been modified, we can publish the article through Windows Live Writer again:

[screenshot: clip_image014]

We can see that this article has now been published successfully in WordPress. Let's look at where the image is stored in WordPress:

ll /ilanni/a.ilanni.com/wp-content/uploads/2014/09

[screenshot: clip_image015]

The above is the user configuration for Nginx, PHP-FPM and MySQL in actual use. Strictly speaking, the article should end here.

But to fit our actual production environment better, we have to extend it. Suppose this WordPress site is a project under development, and the developers have not been given accounts on the Linux system, only an FTP account.

How, then, do the developers upload the code and modify it?

This has to be set up together with vsftpd virtual users. For details, refer to my previous article, "Slime: vsftpd virtual users and anonymous users".

First, install vsftpd using yum. Once the installation is complete, configure vsftpd.

Configure the following file:

vi /etc/vsftpd/vsftpd.conf

local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/xferlog
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=http.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
listen_port=2121
pasv_min_port=6000
pasv_max_port=6150
userlist_enable=YES
tcp_wrappers=YES
guest_enable=YES
guest_username=nobody
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd/vu_conf
virtual_use_local_privs=YES

Here guest_enable=YES means that vsftpd virtual users are enabled, that is, every user who logs in to FTP is a virtual user rather than a system account.

guest_username=nobody indicates that the virtual users are mapped to the system user nobody.

virtual_use_local_privs=YES means that vsftpd virtual users have the same permissions as local users.

pam_service_name=vsftpd enables PAM authentication for vsftpd.

Then configure the directory for the vsftpd virtual user:

vi vu_conf/ilanni

local_root=/ilanni/a.ilanni.com

With the above configuration, the vsftpd virtual user ilanni has full control over the root directory of the Nginx virtual host a.ilanni.com.

This achieves the goal of controlling the project through vsftpd.

This article is from the "Slime Row World" blog; please keep this source: http://ilanni.blog.51cto.com/526870/1561097
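The checks this article walks through by hand (which user the nginx workers and the php-fpm pool run as, which system user vsftpd maps its virtual users to, and whether that user owns the web root) can be scripted. The following POSIX shell script is an added example and is not code from the original article or from the nginx, php-fpm or vsftpd projects: it parses the three configuration files with sed and compares the users it finds against the owner of the web root, which is the condition the article's fix establishes for both the WordPress upload problem and the FTP write access. The sample configuration files it builds in a temporary directory are constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare the users that nginx, php-fpm and vsftpd run as
# against the owner of the web root, so that WordPress uploads and FTP
# writes land on a directory the right user owns. Function names are this
# example's own; the config paths in the demo are the article's.

# Worker user from nginx.conf ("user nobody;" or "user nobody nobody;").
# nginx falls back to nobody when the directive is absent or commented out.
nginx_worker_user() {
  u=$(sed -n 's/^[[:space:]]*user[[:space:]][[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1)
  printf '%s\n' "${u:-nobody}"
}

# Pool user from a php-fpm pool file such as /etc/php-fpm.d/www.conf
# ("user = nobody"); comment lines begin with ';' and therefore do not match.
fpm_pool_user() {
  sed -n 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | head -n 1
}

# System user that vsftpd maps virtual users to: guest_username, but only
# when guest_enable=YES; otherwise virtual users are not in effect.
vsftpd_guest_user() {
  enabled=$(sed -n 's/^[[:space:]]*guest_enable=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1 | tr 'a-z' 'A-Z')
  if [ "$enabled" = YES ]; then
    sed -n 's/^[[:space:]]*guest_username=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
  fi
}

# Owner of a path, portable across GNU and BSD userlands (no stat flags).
dir_owner() {
  ls -ld "$1" | awk '{print $3}'
}

# Report each writer (php-fpm, vsftpd) whose user differs from the web root
# owner. nginx only needs to read the tree, so it is reported, not enforced.
# Returns 0 when php-fpm and vsftpd both match the owner, 1 otherwise.
check_webroot_users() {
  nginx_conf=$1; pool_conf=$2; vsftpd_conf=$3; webroot=$4
  owner=$(dir_owner "$webroot")
  nginx_user=$(nginx_worker_user "$nginx_conf")
  fpm_user=$(fpm_pool_user "$pool_conf")
  ftp_user=$(vsftpd_guest_user "$vsftpd_conf")
  rc=0
  for pair in "php-fpm:$fpm_user" "vsftpd:$ftp_user"; do
    name=${pair%%:*}; user=${pair#*:}
    if [ -z "$user" ]; then
      echo "$name: no user configured"; rc=1
    elif [ "$user" != "$owner" ]; then
      echo "$name runs as $user but $webroot is owned by $owner"; rc=1
    fi
  done
  echo "nginx=$nginx_user php-fpm=$fpm_user vsftpd=$ftp_user owner=$owner"
  return $rc
}

# Demo on constructed sample files in a temporary directory: the pool still
# runs as apache, which is the mismatch the article hit when uploading a picture.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/a.ilanni.com"
printf 'user nobody;\nworker_processes 1;\n' > "$demo_dir/nginx.conf"
printf '; constructed sample pool\n[www]\nuser = apache\ngroup = apache\n' > "$demo_dir/www.conf"
printf 'guest_enable=YES\nguest_username=%s\n' "$(id -un)" > "$demo_dir/vsftpd.conf"
if check_webroot_users "$demo_dir/nginx.conf" "$demo_dir/www.conf" "$demo_dir/vsftpd.conf" "$demo_dir/a.ilanni.com"; then
  echo "uploads and FTP writes will succeed"
else
  echo "fix: set user/group in the pool file, then chown -R the web root to that user"
fi
rm -rf "$demo_dir"
```

On a real host the call is check_webroot_users /usr/local/nginx/conf/nginx.conf /etc/php-fpm.d/www.conf /etc/vsftpd/vsftpd.conf /ilanni/a.ilanni.com. The script enforces only what the article's fix requires: the two processes that write (php-fpm for uploads, vsftpd for the developers) must run as the owner of the tree, while nginx is merely reported because it only needs to read. The flip side of making the whole tree writable by the php-fpm user is that any PHP code running in that pool can also write anywhere in it, so where the site allows it, keep the writable area to wp-content/uploads and leave the rest of the tree read-only for that user.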
