Question

New User/Group for New Website on ubuntu

I did this… https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

It makes sense to me, much better than doing what I see advocated here (DO forums) a lot: make all the websites www-data/www-data. This is better than root, but all the websites can access each other's files. So I wanted a new group and user for each website. The websites are PHP CMS sites.

So the main issue I get is that the folders are not accessible when I set the owner and group to mysite1:mysite1.

I don't think the folder permissions are wrong at this point, because when I set it to www-data:www-data I have working sites.

Thanks. I am thinking there might be some step missing in the tutorial that gives mynewgroup the right access. It seems like I just create the group, but I feel I need to specify some rights for this group?

Thanks


In fact, looking at the permissions for the directory after doing ls -ld, it shows drwxr-xr-x 3 style-review style-review ... etc.

So:

Group is r-x
Other is r-x

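A check for what the follow-up above is looking at with ls -ld, as an added example that is not part of the thread: it walks one site's tree and reports every path that is not owned by the site user, that gives "other" any access (the r-x shown above), or that is group-writable. The sample tree, the reason names and the use of GNU find's -printf (Ubuntu) are my assumptions; the expected owner and the root directory are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: audit one site's tree for anything
# that would let a different site user in. With one user per site, the goal is
# that every file and directory is owned by that user and that "other" has no
# access at all; group write is flagged too, since the nginx user (or another
# pool) may share the group. Assumes GNU find (Ubuntu).
set -eu

# Print one line per offending path: "<reason> <octal mode> <owner> <path>".
# Reasons: wrong-owner, other-access, group-writable.
# $1 = expected owner, $2 = tree root
audit_tree() {
    find "$2" -printf '%m %u %p\n' | while read -r mode owner path; do
        if [ "$owner" != "$1" ]; then
            printf 'wrong-owner %s %s %s\n' "$mode" "$owner" "$path"
            continue
        fi
        other=${mode#"${mode%?}"}          # last octal digit ("other" bits)
        rest=${mode%?}
        group=${rest#"${rest%?}"}          # second-to-last octal digit ("group" bits)
        if [ "$other" != 0 ]; then
            printf 'other-access %s %s %s\n' "$mode" "$owner" "$path"
        elif [ "$(( group & 2 ))" -ne 0 ]; then
            printf 'group-writable %s %s %s\n' "$mode" "$owner" "$path"
        fi
    done
}

# Number of offending paths, for scripting (0 means the tree is clean).
audit_count() {
    echo $(( $(audit_tree "$1" "$2" | wc -l) ))
}

# Constructed sample tree (not from the thread): two of its five entries are wrong.
make_sample_tree() {
    local root
    root=$(mktemp -d)                                    # mktemp creates it 0700
    mkdir -m 750 "$root/public"
    : > "$root/public/index.php";  chmod 640 "$root/public/index.php"   # fine
    : > "$root/public/config.php"; chmod 644 "$root/public/config.php"  # other-readable
    : > "$root/public/cache.db";   chmod 660 "$root/public/cache.db"    # group-writable
    printf '%s\n' "$root"
}

# Run with "demo" to audit the sample tree as the current user.
if [ "${1:-}" = demo ]; then
    tree=$(make_sample_tree)
    audit_tree "$(id -un)" "$tree"
    rm -rf "$tree"
fi
```

Against a real site you would run `audit_tree site1 /home/site1` as root after the chown; a drwxr-xr-x directory like the one shown above comes back as other-access, which is exactly the bit that lets another site's PHP user read the tree.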

@landed

You may need to set permissions to reflect ownership by the www-data group since that’s the user that NGINX is running as on most default repositories.

For example, if /home/site1/htdocs is our home directory, you’d run:

chown -R site1:www-data /home/site1/*

You'd then set the previous configuration (from my last reply) back to normal, i.e.:

listen.owner = www-data
listen.group = www-data

This is one reason why I normally recommend using TCP instead of sockets. With TCP, there’s no need to allow NGINX direct access to the files and directories. Instead, PHP is granted that access.

NGINX may run as nginx or www-data, or any user you define, while PHP-FPM will run explicitly as the user and group defined by

user = www-data
group = www-data

You can use either, though I find that sockets can be a little more problematic since it's not always clear what you need to configure :).

@landed

By default, PHP-FPM runs as www-data, so if you're wanting to set up multiple sites, you'll need to copy over the default configuration file and modify it to suit your new user and group.

You can find the default PHP-FPM configuration file here:

/etc/php/VERS/fpm/pool.d/www.conf

Where VERS is your PHP version (i.e. 5.6, 7.0, or 7.1).

What I normally do is simply rename that file to the first site that I’m configuring, so for this example, I’ll use domain.com and PHP 7.0 as the version.

mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/domain.com.conf

Now I’ll open up the configuration file:

nano /etc/php/7.0/fpm/pool.d/domain.com.conf

On line 4 you’ll see [www] – I normally change that to the user that will be associated with my site, so if my user and group are user1, then that becomes [user1].

Now on lines 22 and 23, you’ll see:

user = www-data
group = www-data

We’ll change that to our user and group, so for user1, it’d look like:

user = user1
group = user1

Next, on line 35, you’ll see:

listen = /run/php/php7.0-fpm.sock

I prefer using TCP as it’s often easier to configure, so I change the socket path to a TCP connection, like so:

listen = 127.0.0.1:9000

For each new configuration file, you’d up the port by 1, so it’d become 9001 for the next site, 9002 for the next, and so on.

From there, that’s all the changes you need to make in this file, so we can save and close, then restart PHP-FPM using:

service php7.0-fpm restart

If you're using 5.6 or 7.1, simply modify the above command to suit.

When using TCP connections, you’ll need to modify one more thing in your NGINX server block and that would be fastcgi_pass. You’ll need to make sure the TCP address is used in place of the socket.

So what we’d end up using is:

fastcgi_pass 127.0.0.1:9000;

As with the PHP-FPM pool file, you’ll up that port to match each configuration file.

You would then restart NGINX for the changes to take effect.

Once you’ve done all that, then all you need to do is make sure permissions are correct on the files. So for this example, I’d make sure all files and directories in my home path are owned by user1.

If my home directory is:

/home/user1/htdocs/public

Then I’d use chown to recursively set ownership:

chown -R user1:user1 /home/user1/*
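The two replies above, put together as an added example that is neither the thread's nor the DigitalOcean tutorial's code: one script that generates the per-site PHP-FPM pool and the matching nginx fastcgi_pass for either approach (a TCP port per site as in the reply just above, or a Unix socket per site with listen.owner/listen.group set to the nginx user as in the earlier reply), and a root-only provisioning function that creates the site user and sets ownership and modes. The PHP 7.0 paths, the site index that maps to ports 9000, 9001, ..., the /home/<site>/htdocs/public docroot, nginx running as www-data, Ubuntu's snippets/fastcgi-php.conf, and the pm values are all assumptions, not settings from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the DigitalOcean tutorial.
# Generates the per-site PHP-FPM pool and the nginx PHP location for either
# approach discussed in the thread, and provisions the site user and tree.
# Assumptions: PHP 7.0 paths (/etc/php/7.0/fpm/pool.d, /run/php), nginx
# running as www-data, Ubuntu's snippets/fastcgi-php.conf, and a docroot of
# /home/<site>/htdocs/public. Site N (zero-based) gets TCP port 9000+N.
set -eu

PHP_VER=7.0
NGINX_USER=www-data

# TCP port for the Nth site: 9000, 9001, 9002, ...
tcp_port() {
    echo $((9000 + $1))
}

# Address the pool listens on and nginx connects to.
# $1 = site user, $2 = tcp|socket, $3 = site index
listen_addr() {
    if [ "$2" = tcp ]; then
        echo "127.0.0.1:$(tcp_port "$3")"
    else
        echo "/run/php/php${PHP_VER}-fpm-$1.sock"
    fi
}

# Pool file for /etc/php/$PHP_VER/fpm/pool.d/$1.conf. The workers run as the
# site's own user and group, so PHP in this pool can only read another site's
# files if those files are readable by "other".
pool_conf() {
    printf '[%s]\n' "$1"
    printf 'user = %s\ngroup = %s\n' "$1" "$1"
    printf 'listen = %s\n' "$(listen_addr "$1" "$2" "$3")"
    if [ "$2" = socket ]; then
        # Only the socket belongs to the nginx user; the pool still runs as $1.
        # 0660 keeps other site users from connecting to this pool.
        printf 'listen.owner = %s\nlisten.group = %s\nlisten.mode = 0660\n' "$NGINX_USER" "$NGINX_USER"
    fi
    printf 'pm = dynamic\npm.max_children = 5\npm.start_servers = 2\n'
    printf 'pm.min_spare_servers = 1\npm.max_spare_servers = 3\n'
}

# PHP location block for the site's nginx server block.
fastcgi_location() {
    local pass
    if [ "$2" = tcp ]; then
        pass=$(listen_addr "$1" "$2" "$3")
    else
        pass="unix:$(listen_addr "$1" "$2" "$3")"
    fi
    printf 'location ~ \\.php$ {\n'
    printf '    include snippets/fastcgi-php.conf;\n'
    printf '    fastcgi_pass %s;\n' "$pass"
    printf '}\n'
}

# Create the site user and lock down its tree. Run as root; not called by default.
# Ownership stays $1:$1. The nginx user is added to the site's group so it can
# serve static files (nginx reads those itself with either approach), and
# "other" gets nothing, which is what keeps site users out of each other's trees.
provision_site() {
    adduser --system --group --home "/home/$1" --shell /usr/sbin/nologin "$1"
    mkdir -p "/home/$1/htdocs/public"
    chown -R "$1:$1" "/home/$1"
    chmod 750 "/home/$1"
    find "/home/$1/htdocs" -type d -exec chmod 750 {} +
    find "/home/$1/htdocs" -type f -exec chmod 640 {} +
    usermod -aG "$1" "$NGINX_USER"
    pool_conf "$1" "$2" "$3" > "/etc/php/$PHP_VER/fpm/pool.d/$1.conf"
}

# Run with "demo" to print the generated files for two sites, one per approach.
if [ "${1:-}" = demo ]; then
    pool_conf site1 tcp 0; echo
    fastcgi_location site1 tcp 0; echo
    pool_conf site2 socket 1; echo
    fastcgi_location site2 socket 1
fi
```

After `provision_site site1 tcp 0` as root, paste the output of `fastcgi_location site1 tcp 0` into the site's server block and restart php7.0-fpm and nginx. One caveat on the TCP reply above: nginx still reads static files (CSS, JS, images) from the docroot itself, so the nginx user needs traverse and read on the tree whichever transport PHP uses; that is why the script adds www-data to the site's group rather than opening "other".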

Though the approach of using TCP over sockets is interesting, I got the setup from the mentioned DO tutorial running by giving "group" and "others" x-permissions:

chmod go-rw /home/site1/

and

chmod go+x /home/site1/

So www-data can execute all the scripts, while the ownership is still site1:site1.

@landed Is there anywhere more info on the TCP over socket approach? Thanks in advance!