为什么我的 PHP7.0-FPM 池没有 运行 使用它指定的系统用户?
Why is my PHP7.0-FPM pool not running using it's specified system user?
我经常做这个设置,但这次我肯定在监督一些事情。
目标
让 Apache 2.4 虚拟主机使用不同的 PHP-FPM 池,每个虚拟主机在 LXD 容器中使用它们自己的系统用户。
问题
一切正常,除了上传文件时,上传目录必须设置在 www-data 上,这在 PHP-FPM 中不需要。
系统
Ubuntu 16.04 LXD 容器
代码
/etc/apache2/conf-enabled/php7.0-fpm.conf
root@web1:~# cat /etc/apache2/conf-enabled/php7.0-fpm.conf
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
Require all denied
</FilesMatch>
</IfModule>
/etc/apache2/sites-enabled/hs2.nl.conf
root@web1:~# cat /etc/apache2/sites-enabled/hs2.nl.conf
<VirtualHost *:80>
ServerAdmin webmaster@hs2.nl
ServerName hs2.nl
ServerAlias www.hs2.nl
DocumentRoot /var/www/html/hs2.nl/web
ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
#LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
<Directory /var/www/html/hs2.nl/web>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi
Alias /php7-fcgi /usr/lib/cgi-bin/hs2.nl-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/hs2.nl-fcgi -socket /var/run/php/hs2.nl-fpm.sock -pass-header Authorization
</IfModule>
</VirtualHost>
/etc/php/7.0/fpm/pool.d/hs2.nl.conf
root@web1:~# cat /etc/php/7.0/fpm/pool.d/hs2.nl.conf
[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /var/run/php/hs2.nl-fpm.sock
listen.owner = hs2.nl
listen.group = hs2.nl
prefix = /var/www/html/hs2.nl
chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
目录权限
hs2.nl@web1:~/web/uploads$ ls -ald .
drwxr-xr-x 2 hs2.nl hs2.nl 2 Oct 26 15:15 .
hs2.nl@web1:~/web/uploads$ pwd
/var/www/html/hs2.nl/web/uploads
进程运行宁作为各自的用户
root@web1:~# ps aux | egrep "USER|php-fpm: master|pool hs2.nl"
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 16470 0.0 0.3 365880 20220 ? Ss 14:55 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
hs2.nl 16479 0.0 0.0 365688 4764 ? S 14:55 0:00 php-fpm: pool hs2.nl
hs2.nl 16480 0.0 0.0 365688 4764 ? S 14:55 0:00 php-fpm: pool hs2.nl
php信息
hs2.nl@web1:~/web$ cat phpinfo.php
<?php
$id = shell_exec(id);
$whoami = shell_exec(whoami);
echo "Id: " . $id . "<br />";
echo "Who am I?: " . $whoami . "<br />";
phpinfo();
?>
输出
Id: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Who am I?: www-data
进一步思考
我认为这可能与 LXD 有关,但似乎所有池 运行 都在他们自己的用户之下。
编辑:为了消除这个理论,我将完全相同的配置加载到普通的 KVM 虚拟机上,在那里我能够以完全相同的方式重现问题,所以我一定是在我的配置中做错了什么,跟LXD没关系。
在 Koen Reiniers 的博客中找到了答案:http://blog.koenreiniers.nl/guide-to-combining-apache-virtual-hosts-and-php7-fpm/
基本上我的错是为多个虚拟主机 PHP-FPM 套接字设置一个 'Handler'。
我将虚拟主机配置更改为:
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi-hs2.nl .php
Action php7-fcgi-hs2.nl /php7-fcgi-hs2.nl
Alias /php7-fcgi-hs2.nl /usr/lib/cgi-bin/php7-fcgi-hs2.nl
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-hs2.nl -socket /run/php/php7.0-fpm.hs2.nl.sock -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
Require all granted
</Directory>
</IfModule>
<VirtualHost *:80>
ServerAdmin webmaster@hs2.nl
ServerName hs2.nl
ServerAlias www.hs2.nl
DocumentRoot /var/www/html/hs2.nl/web
ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
#LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
<Directory /var/www/html/hs2.nl/web>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<IfModule mod_fastcgi.c>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi-hs2.nl
</FilesMatch>
</IfModule>
</VirtualHost>
并且在我的 PHP-FPM 池中我添加了 listen.mode = 0666:
[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /run/php/php7.0-fpm.hs2.nl.sock
listen.owner = hs2.nl
listen.group = hs2.nl
listen.mode = 0666
;prefix = /var/www/html/hs2.nl
;chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
我经常做这个设置,但这次我肯定在监督一些事情。
目标
让 Apache 2.4 虚拟主机使用不同的 PHP-FPM 池,每个虚拟主机在 LXD 容器中使用它们自己的系统用户。
问题
一切正常,除了上传文件时,上传目录必须设置在 www-data 上,这在 PHP-FPM 中不需要。
系统
Ubuntu 16.04 LXD 容器
代码
/etc/apache2/conf-enabled/php7.0-fpm.conf
root@web1:~# cat /etc/apache2/conf-enabled/php7.0-fpm.conf
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
Require all denied
</FilesMatch>
</IfModule>
/etc/apache2/sites-enabled/hs2.nl.conf
root@web1:~# cat /etc/apache2/sites-enabled/hs2.nl.conf
<VirtualHost *:80>
ServerAdmin webmaster@hs2.nl
ServerName hs2.nl
ServerAlias www.hs2.nl
DocumentRoot /var/www/html/hs2.nl/web
ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
#LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
<Directory /var/www/html/hs2.nl/web>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi
Alias /php7-fcgi /usr/lib/cgi-bin/hs2.nl-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/hs2.nl-fcgi -socket /var/run/php/hs2.nl-fpm.sock -pass-header Authorization
</IfModule>
</VirtualHost>
/etc/php/7.0/fpm/pool.d/hs2.nl.conf
root@web1:~# cat /etc/php/7.0/fpm/pool.d/hs2.nl.conf
[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /var/run/php/hs2.nl-fpm.sock
listen.owner = hs2.nl
listen.group = hs2.nl
prefix = /var/www/html/hs2.nl
chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
目录权限
hs2.nl@web1:~/web/uploads$ ls -ald .
drwxr-xr-x 2 hs2.nl hs2.nl 2 Oct 26 15:15 .
hs2.nl@web1:~/web/uploads$ pwd
/var/www/html/hs2.nl/web/uploads
进程运行宁作为各自的用户
root@web1:~# ps aux | egrep "USER|php-fpm: master|pool hs2.nl"
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 16470 0.0 0.3 365880 20220 ? Ss 14:55 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
hs2.nl 16479 0.0 0.0 365688 4764 ? S 14:55 0:00 php-fpm: pool hs2.nl
hs2.nl 16480 0.0 0.0 365688 4764 ? S 14:55 0:00 php-fpm: pool hs2.nl
php信息
hs2.nl@web1:~/web$ cat phpinfo.php
<?php
$id = shell_exec(id);
$whoami = shell_exec(whoami);
echo "Id: " . $id . "<br />";
echo "Who am I?: " . $whoami . "<br />";
phpinfo();
?>
输出
Id: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Who am I?: www-data
进一步思考
我认为这可能与 LXD 有关,但似乎所有池 运行 都在他们自己的用户之下。
编辑:为了消除这个理论,我将完全相同的配置加载到普通的 KVM 虚拟机上,在那里我能够以完全相同的方式重现问题,所以我一定是在我的配置中做错了什么,跟LXD没关系。
在 Koen Reiniers 的博客中找到了答案:http://blog.koenreiniers.nl/guide-to-combining-apache-virtual-hosts-and-php7-fpm/
基本上我的错是为多个虚拟主机 PHP-FPM 套接字设置一个 'Handler'。
我将虚拟主机配置更改为:
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi-hs2.nl .php
Action php7-fcgi-hs2.nl /php7-fcgi-hs2.nl
Alias /php7-fcgi-hs2.nl /usr/lib/cgi-bin/php7-fcgi-hs2.nl
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-hs2.nl -socket /run/php/php7.0-fpm.hs2.nl.sock -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
Require all granted
</Directory>
</IfModule>
<VirtualHost *:80>
ServerAdmin webmaster@hs2.nl
ServerName hs2.nl
ServerAlias www.hs2.nl
DocumentRoot /var/www/html/hs2.nl/web
ErrorLog ${APACHE_LOG_DIR}/hs2.nl-error.log
CustomLog ${APACHE_LOG_DIR}/hs2.nl-access.log combined
#LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common
<Directory /var/www/html/hs2.nl/web>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<IfModule mod_fastcgi.c>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi-hs2.nl
</FilesMatch>
</IfModule>
</VirtualHost>
并且在我的 PHP-FPM 池中我添加了 listen.mode = 0666:
[hs2.nl]
user = hs2.nl
group = hs2.nl
listen = /run/php/php7.0-fpm.hs2.nl.sock
listen.owner = hs2.nl
listen.group = hs2.nl
listen.mode = 0666
;prefix = /var/www/html/hs2.nl
;chroot = $prefix
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3