Custom PHP pool and user/group per site about wordops HOT 16 CLOSED

Hello @ankitsnlq,
yes, I will only force www.conf & www-two.conf file deletion instead of removing everything in the pool.d directory

from wordops.

@michacassola with the correct approach yes. The Database itself is already running with a separate user.

Running each website with own user prevents a bunch of security problems.

from wordops.

Additional to separation due to security I also need to distribute/limit resources (that's what I am selling after all together with managing services), that is why I have started using LXD (Linux Containers) on top of my servers for near complete separation. It also gives me the ability to quickly move a complete container to another host server and also do backups in that way through LXD itself.

from wordops.

Hi VirtuBox,

I have noticed that if you have custom php pool configured manually during wordops update Pools get deleted. So please can make wordops update to not remove custom pools configured manually?

from wordops.

Issue has been fixed with PR #43

from wordops.

Thanks you @VirtuBox Tested it and it is good now. Are you planning per-site PHP pool module in wordops v4.0?

from wordops.

Hello @ankitsnlq,

this is not planned yet, because there are several other features already planned (wildcard SSL certs, monitoring, backup) but also because it will probably be the biggest change on WO structure and configuration. It will require to run a lot of tests, to see if there is an impact on performances, especially with open_basedir and opcache.

from wordops.

What I do is something like this on the nginx

    set $phpfpm_port 9099;
    set $index_https "-https";

# wpsc-php7 replace
location ~ \.php$ {
	try_files $uri =404;
	include fastcgi_params;
	fastcgi_pass 127.0.0.1:$phpfpm_port;
	# Following line is needed by WP Super Cache plugin
	fastcgi_param SERVER_NAME $http_host;
}

# FOR WP-SUPERCACHE
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index$index_https.html $uri $uri/ /index.php?$args;

Fix the permissions on /var/www/domain.ltd folder
chown -R user:group /var/www/domain.ltd
chmod a-w /var/www/domain.ltd

from wordops.

@andremacola
What are the main benefits? More security?

Will applying cgroups to those users or groups limit the whole site: PHP, NGINX and the Database?

Also found an interesting article: https://ma.ttias.be/a-better-way-to-run-php-fpm/

from wordops.

Yes this would be good to implement and should be the default imo. Each site PHP running under its own user.

from wordops.

I had to remove open_basedir from default pool because of performance on a bunch of heavy sites traffic.

from wordops.

Any updates on this?

Or does anyone have a config implementation of this?

Would really like to see this for increased system security

from wordops.

@VirtuBox any updates here? This seems like it would help a lot for security.

from wordops.

@VirtuBox this seems like the highest security risk right now to this setup. Any updates to when we can expect to have this feature?

from wordops.

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

from wordops.

This issue was closed because it has been stalled for 5 days with no activity.

from wordops.