
PHP-FPM + Apache2 security

MrL

I have configured my server (an Ubuntu 22.04 machine) so that it is managed by Apache (v2.4.55) and php7.4-fpm. The current configuration allows every vhost to be assigned to its own php-fpm pool, with each pool running as a different user.

Everything works fine, but security based only on user permissions (or on open_basedir) cannot stop shell_exec (which I need) from accessing, for example, configuration files inside /etc, or from doing an ls -l /var/.

What I would like, therefore, is a way to prevent a user from being able to go around and view Linux's standard folders.

I don't want to get to the point of making calls like:

setfacl -Rm u:user_site1:--- /;
setfacl -Rm d:u:user_site1:--- /;

and then authorizing each fundamental folder one by one. It seems too messy.

I had therefore thought of using chroot inside each pool, but I was not able to, because there was always a path-related problem (AH01071: Got error 'Primary script unknown'). All the online solutions say to modify the ProxyPassMatch call based on port 9000, but I use SetHandler with sockets and I don't want to change this setting.

What are the possible techniques? Do I really have to install SELinux?

Below I am adding my configurations to help understand the situation.

/etc/apache2/sites-enabled/www.site.com.conf

<VirtualHost *:80>
    Protocols h2 h2c http/1.1
    H2Direct on
    ServerAdmin [email protected]
    ServerName www.site.com
    DocumentRoot /var/www/vhosts/www.site.com/httpdocs
    ErrorLog /var/www/vhosts/www.site.com/log/error.log
    CustomLog /var/www/vhosts/www.site.com/log/access.log combined
    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>
<VirtualHost *:443>
    Protocols h2 h2c http/1.1
    H2Direct on
    ServerAdmin [email protected]
    ServerName www.site.com
    DocumentRoot /var/www/vhosts/www.site.com/httpdocs
    ErrorLog /var/www/vhosts/www.site.com/log/error_ssl.log
    CustomLog /var/www/vhosts/www.site.com/log/access_ssl.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.site.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.site.com.key
    <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>

/etc/php/7.4/fpm/php-fpm.conf

[global]
pid = /run/php/php7.4-fpm.pid
error_log = "syslog"
syslog.ident = php-fpm
include=/etc/php/7.4/fpm/pool.d/*.conf

/etc/php/7.4/fpm/pool.d/www_site_com.conf

[www.site.com]
user = user_site1
group = user_site1
listen = /run/php/php7.4-fpm-www_site_com.sock
listen.owner = user_site1
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
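An added example, not from the original post, of how the chroot attempt can be kept together with the socket-based SetHandler: the 'Primary script unknown' error arises because Apache sends the host-side SCRIPT_FILENAME (/var/www/vhosts/www.site.com/httpdocs/index.php) to a worker that, once chrooted, only sees /httpdocs/index.php. It assumes the vhost directory is the jail root, an Apache 2.4.26 or later mod_proxy_fcgi (for ProxyFCGISetEnvIf), and that a shell plus the programs the site's shell_exec calls are copied into the jail.

```apache
; /etc/php/7.4/fpm/pool.d/www_site_com.conf  (php-fpm pool, ini syntax)
[www.site.com]
user = user_site1
group = user_site1
listen = /run/php/php7.4-fpm-www_site_com.sock
listen.owner = user_site1
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Jail the workers to the vhost tree (assumption: this directory is the jail root).
; The master process creates the socket before the workers chroot, so the listen
; path above stays a host-side path.
chroot = /var/www/vhosts/www.site.com
; Every path PHP resolves after chroot is relative to the jail, so the document root
; is now /httpdocs and the temp directory is /var/www/vhosts/www.site.com/tmp on the
; host (create it, writable by user_site1).
php_admin_value[open_basedir] = /httpdocs:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[sys_temp_dir] = /tmp
; shell_exec() runs /bin/sh -c inside the jail: copy sh and only the tools the site
; needs, with their shared libraries, into the jail's /bin and /lib. Nothing under the
; host's /etc or /var is reachable from inside.

# /etc/apache2/sites-enabled/www.site.com.conf  (Apache, inside each <VirtualHost>)
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm-www_site_com.sock|fcgi://localhost"
</FilesMatch>
# Apache computes SCRIPT_FILENAME on the host filesystem; strip the jail prefix so the
# chrooted worker receives /httpdocs/index.php instead of a path it cannot open.
# ProxyFCGISetEnvIf is evaluated after the default CGI variables are computed
# (assumption: mod_proxy_fcgi 2.4.26+).
ProxyFCGISetEnvIf "reqenv('SCRIPT_FILENAME') =~ m#/var/www/vhosts/www\.site\.com(/.*)$#" SCRIPT_FILENAME "$1"
# Keep $_SERVER['DOCUMENT_ROOT'] consistent with what the worker actually sees.
ProxyFCGISetEnvIf "true" DOCUMENT_ROOT "/httpdocs"
```

After reloading both services, a request should reach the jailed worker without the AH01071 error, and a script calling shell_exec('ls -l /') will list only the jail's own top-level directories.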