PHP-FPM pools configuration for multiple websites in CentOS 7.

February 3, 2016

After following this tutorial for installing LEMP on CentOS 7, I decided to host multiple sites on the same droplet. Using Nginx I created a server block for each site, and everything worked fine. Now I decided to add a bit of security; what concerns me is that if you got access to PHP you could access the whole server. So this tutorial looked exactly like what I needed.

Now I have some questions about this tutorial, and some issues I encountered at the beginning (php-fpm pools configuration).

  1. In the first tutorial (Installing LEMP), in the php-fpm configuration we configured the file "www.conf", and the pool name was www (that was written at the head of the file like this: [www]). Does this configuration only apply to sites that listen to the sock I specified there? Or is this configuration the default for other pools?

  2. In the first tutorial we uncomment "listen.owner" and "", so they are set to "nobody". But in the second tutorial we set it to "www-data"; is that only for Ubuntu, or should I do it too? And how does this contribute to security?

  3. In the first tutorial we set the "user" and "group" to a user and a group I created for this specific website. So if I don't plan on giving anyone access to the server, does that contribute to security? I mean, creating a different pool for each site won't be enough? I don't really understand how that works.

  4. Can I set a default configuration for all the sites, and only write the changes specifically for each site in its own pool?

Those are all my questions; I hope you could help me with this.
I tried searching the web for some answers, but I still don't get it.
Thanks ahead!
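As an added example (not part of the original question or of either tutorial), here is what one per-site pool file looks like on CentOS 7, where php-fpm reads every `/etc/php-fpm.d/*.conf` file as a separate pool. The site name `site1`, its system account, and the paths are assumed for illustration. Each `[pool]` section is self-contained: php-fpm does not inherit `user`, `group` or `listen` settings from `[www]`, so every site gets its own copy of these lines.

```ini
; /etc/php-fpm.d/site1.conf  (assumed path; CentOS 7 includes /etc/php-fpm.d/*.conf)
[site1]

; PHP worker processes for this site run as a dedicated, unprivileged account.
; A compromised script in this pool can only read or write what "site1" owns,
; not the files of the other sites, which run under their own accounts.
user = site1
group = site1

; One Unix socket per pool. Nginx's server block for this site points at it with
; fastcgi_pass unix:/run/php-fpm/site1.sock; and nothing else needs to reach it.
listen = /run/php-fpm/site1.sock

; listen.owner/listen.group/listen.mode control who may connect to the socket.
; On CentOS 7 the web server account is "nginx" ("www-data" is Ubuntu's name).
; 0660 lets only the owner and group connect; "nobody" would leave it open.
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; Process manager: spawn workers on demand, cap them per site.
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s

; Keep PHP inside this site's own directories and give it a private session store
; (assumed paths; both directories must exist and be writable by "site1").
php_admin_value[open_basedir] = /var/www/site1:/tmp
php_admin_value[session.save_path] = /var/lib/php/session/site1
```

The security gain comes from the `user`/`group` lines together with file ownership: with every site's pool running as the same account (for example `nobody` or `apache`), a vulnerable script on one site can read the configuration and database credentials of every other site, and separate pools alone do not prevent that. After `systemctl restart php-fpm`, `ps -o user,group,cmd -C php-fpm` shows each pool's workers under their own account, and `ls -l /run/php-fpm/` shows the sockets owned by `nginx` with mode `srw-rw----`.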

1 Answer

I think the confusion you're encountering here is that the first tutorial is for CentOS while the second one is for Ubuntu. The default users used for these distros for web services are different. There is no www-data user on CentOS by default.
