Apache-2.4
Setting up php7.0-fpm + Apache with per-user pools: only 1 site works
I'm using Ubuntu 16.04, Apache 2.4.29 and php7.0-fpm. I'm trying to create separate pools for multiple users and websites so that they run under separate users and each site is protected in case one of them gets hacked. I followed the instructions in similar articles on this topic, but it isn't working well.
Here are my two example pool.d conf files in /etc/php/7.0/fpm/pool.d:

username1.conf

```ini
[username]
user = username1
group = username1
listen = /run/php/php7.0-fpm.username1.sock
; (I've already tried username1 for listen.owner and listen.group too)
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```

username2.conf

```ini
[username]
user = username2
group = username2
listen = /run/php/php7.0-fpm.username2.sock
; (I've already tried username2 for listen.owner and listen.group too)
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```
Note that I reloaded php7.0-fpm and apache2 after saving each conf file. Also, here are my two Apache VirtualHost files:

website1.com.conf (using username1)

```apacheconf
<VirtualHost *:80>
    ServerAdmin admin@website1.com
    ServerName www.website1.com
    ServerAlias website1.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =website1.com [OR]
    RewriteCond %{SERVER_NAME} =www.website1.com
    RewriteRule ^ https://www.website1.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    <IfModule mod_fastcgi.c>
        AddHandler php7-fcgi-username1 .php
        Action php7-fcgi-username1 /php7-fcgi-username1
        Alias /php7-fcgi-username1 /usr/lib/cgi-bin/php7-fcgi-username1
        FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-username1 -socket /run/php/php7.0-fpm.username1.sock -pass-header Authorization
        <Directory "/usr/lib/cgi-bin">
            Require all granted
        </Directory>
    </IfModule>
    ServerAdmin admin@website1.com
    ServerName www.website1.com
    ServerAlias website1.com
    DocumentRoot /home/username1/website1.com
    DirectoryIndex index.html index.php
    <Directory /home/username1/website1.com>
        Options +SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^website1.com
        RewriteRule (.*) https://www.website1.com/$1 [R=301,L]
        <IfModule mod_fastcgi.c>
            <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
                SetHandler php7-fcgi-username1
            </FilesMatch>
        </IfModule>
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.website1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.website1.com/privkey.pem
</VirtualHost>
```

website2.com.conf (using username2)

```apacheconf
<VirtualHost *:80>
    ServerAdmin admin@website2.com
    ServerName www.website2.com
    ServerAlias website2.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =website2.com [OR]
    RewriteCond %{SERVER_NAME} =www.website2.com
    RewriteRule ^ https://www.website2.com%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    <IfModule mod_fastcgi.c>
        AddHandler php7-fcgi-username2 .php
        Action php7-fcgi-username2 /php7-fcgi-username2
        Alias /php7-fcgi-username2 /usr/lib/cgi-bin/php7-fcgi-username2
        FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-username2 -socket /run/php/php7.0-fpm.username2.sock -pass-header Authorization
        <Directory "/usr/lib/cgi-bin">
            Require all granted
        </Directory>
    </IfModule>
    ServerAdmin admin@website2.com
    ServerName www.website2.com
    ServerAlias website2.com
    DocumentRoot /home/username2/website2.com
    DirectoryIndex index.html index.php
    <Directory /home/username2/website2.com>
        Options +SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^website2.com
        RewriteRule (.*) https://www.website2.com/$1 [R=301,L]
        <IfModule mod_fastcgi.c>
            <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
                SetHandler php7-fcgi-username2
            </FilesMatch>
        </IfModule>
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.website2.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.website2.com/privkey.pem
</VirtualHost>
```
Here is the list of all the Apache modules I have enabled:

Enabled Apache modules

```text
authn_core.load@ --> /etc/apache2/mods-available/authn_core.load
authn_file.load@ --> /etc/apache2/mods-available/authn_file.load
authz_core.load@ --> /etc/apache2/mods-available/authz_core.load
authz_host.load@ --> /etc/apache2/mods-available/authz_host.load
authz_user.load@ --> /etc/apache2/mods-available/authz_user.load
autoindex.conf@ --> /etc/apache2/mods-available/autoindex.conf
autoindex.load@ --> /etc/apache2/mods-available/autoindex.load
deflate.conf@ --> /etc/apache2/mods-available/deflate.conf
deflate.load@ --> /etc/apache2/mods-available/deflate.load
dir.conf@ --> /etc/apache2/mods-available/dir.conf
dir.load@ --> /etc/apache2/mods-available/dir.load
env.load@ --> /etc/apache2/mods-available/env.load
fastcgi.conf@ --> /etc/apache2/mods-available/fastcgi.conf
fastcgi.load@ --> /etc/apache2/mods-available/fastcgi.load
filter.load@ --> /etc/apache2/mods-available/filter.load
headers.load@ --> /etc/apache2/mods-available/headers.load
http2.load@ --> /etc/apache2/mods-available/http2.load
mime.conf@ --> /etc/apache2/mods-available/mime.conf
mime.load@ --> /etc/apache2/mods-available/mime.load
mpm_event.conf@ --> /etc/apache2/mods-available/mpm_event.conf
mpm_event.load@ --> /etc/apache2/mods-available/mpm_event.load
negotiation.conf@ --> /etc/apache2/mods-available/negotiation.conf
negotiation.load@ --> /etc/apache2/mods-available/negotiation.load
proxy.conf@ --> /etc/apache2/mods-available/proxy.conf
proxy.load@ --> /etc/apache2/mods-available/proxy.load
proxy_fcgi.load@ --> /etc/apache2/mods-available/proxy_fcgi.load
reqtimeout.conf@ --> /etc/apache2/mods-available/reqtimeout.conf
reqtimeout.load@ --> /etc/apache2/mods-available/reqtimeout.load
rewrite.load@ --> /etc/apache2/mods-available/rewrite.load
security2.conf@ --> /etc/apache2/mods-available/security2.conf
security2.load@ --> /etc/apache2/mods-available/security2.load
setenvif.conf@ --> /etc/apache2/mods-available/setenvif.conf
setenvif.load@ --> /etc/apache2/mods-available/setenvif.load
socache_shmcb.load@ --> /etc/apache2/mods-available/socache_shmcb.load
ssl.conf@ --> /etc/apache2/mods-available/ssl.conf
ssl.load@ --> /etc/apache2/mods-available/ssl.load
status.conf@ --> /etc/apache2/mods-available/status.conf
status.load@ --> /etc/apache2/mods-available/status.load
unique_id.load@ --> /etc/apache2/mods-available/unique_id.load
userdir.conf@ --> /etc/apache2/mods-available/userdir.conf
userdir.load@ --> /etc/apache2/mods-available/userdir.load
```
Problem: only one site seems to work properly this way. The second site gets a 500 error in the browser, and I see errors like this:

```text
[Fri Mar 09 00:01:36.965019 2018] [fastcgi:error] [pid 31964:tid 134959322724992] (2)No such file or directory: [client ***.***.***.***:47348] FastCGI: failed to connect to server "/usr/lib/cgi-bin/php7-fcgi-username2": connect() failed
[Fri Mar 09 00:01:36.966129 2018] [fastcgi:error] [pid 31964:tid 139355612722992] [client ***.***.***.***:47348] FastCGI: incomplete headers (0 bytes) received from server "/usr/lib/cgi-bin/php7-fcgi-username2"
```

Also, when I look in the /var/run/php directory, I see:

```text
php7.0-fpm.sock
php7.0-fpm.username1.sock
php7.0-fpm.pid
# (without php7.0-fpm.username2.sock)
```

In my /home directory, www-data is the group owner of all the users and their websites:

```text
drwx--x--- 11 username1 www-data 4096 Mar 3 07:25 username1
drwx--x--- 11 username2 www-data 4096 Mar 3 07:25 username1
```

Let me know where I should go from here. I will have about 30 users running about 60 sites. I need Apache to run the websites as the user (not as www-data). It needs to be done in such a way that if a hacker breaks into a WordPress site, they cannot use www-data to access and infect the rest of the users and their sites. If a hacker breaks in, the damage should be isolated to that one user.
The first line of both of your pool.d configs is the same: `[username]`. That is why they are treated as a single config and you only see `/run/php/php7.0-fpm.username1.sock`. Edit the first line so that it contains the actual username as the pool name.
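The following is an added example, not code from the question or the answer. It applies the fix above in a way that cannot regress: a helper writes one pool file per user whose `[section]` name, `user`, `group` and socket path all derive from the same username, a second helper scans a pool.d directory for section names that appear more than once (the condition behind the missing `php7.0-fpm.username2.sock`), and a third lists which per-user sockets are absent after a restart. The directory layout and socket naming follow the question; the function names and the sample files are my own.

```bash
#!/bin/sh
# Added example: per-user php-fpm pool files with collision-free names, plus
# the checks that would have caught the duplicate [username] section.

# Print every pool section name that occurs more than once across the *.conf
# files in DIR. As the answer notes, php-fpm treats a repeated [name] as one
# pool, so any output here means fewer sockets than pool files.
dup_pool_names() {
    dir="$1"
    grep -h '^[[:space:]]*\[' "$dir"/*.conf \
        | sed 's/^[[:space:]]*\[\([^]]*\)].*/\1/' \
        | sort | uniq -d
}

# Write DIR/USER.conf for one user. The section name, user, group and socket
# path are all derived from USER, so two users can never share a pool name.
# listen.owner/listen.group stay www-data so Apache can connect to the socket
# while the PHP workers themselves run as USER (the isolation the question asks for).
write_pool() {
    dir="$1"; u="$2"
    cat > "$dir/$u.conf" <<EOF
[$u]
user = $u
group = $u
listen = /run/php/php7.0-fpm.$u.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Print each USER whose socket does not exist under RUNDIR (normally /run/php).
# Run this after restarting php7.0-fpm; an empty result means every pool came up.
missing_sockets() {
    rundir="$1"; shift
    for u in "$@"; do
        [ -S "$rundir/php7.0-fpm.$u.sock" ] || echo "$u"
    done
}

# Typical use on the host from the question (assumed paths):
#   for u in username1 username2; do write_pool /etc/php/7.0/fpm/pool.d "$u"; done
#   dup_pool_names /etc/php/7.0/fpm/pool.d      # must print nothing
#   systemctl restart php7.0-fpm
#   missing_sockets /run/php username1 username2 # must print nothing
```

Before restarting, `php-fpm7.0 -tt` validates the configuration and dumps the pools it actually parsed, which is the quickest way to see how many distinct pools php-fpm believes it has. Running the helpers against a scratch directory, as in the usage comment, is safe; writing into the real pool.d requires root and a restart of php7.0-fpm.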