
Run multiple WordPress websites as different users on Nginx

There are a lot of articles that explain how to install and set up Nginx + PHP-FPM + MySQL, but few talk about how to secure a WordPress website on that infrastructure. If you are a Windows person, you are probably familiar with ACLs; it is similar in the Linux world. A user or group has three essential permissions: read, write, or execute. Read this article to understand how permissions work on Linux.



Consider this scenario. Two website owners share one virtual machine; they don't know each other and don't want to share their website files with anyone else. If you just follow an installation guide from the internet, you will run into trouble, because both websites' folders and files run under the user www-data. That means both websites are visible to the user www-data. What if one user uploads a webshell?

My understanding is that Nginx passes a website request to the corresponding .sock file in /var/run/ according to the site's config file in /etc/nginx/sites-enabled/. PHP-FPM listens on the same .sock file, executes the PHP script immediately and passes the result back to Nginx. All the configuration files used here must be set to run under the same user. So we basically need to change three things: the Nginx site config file, the PHP-FPM config file, and a separate sock file.

Here is a nice article, Run php-fpm with separate user/uid and group on linux, that shows how to set it up.

Chinese version

There are many articles online about how to install and configure Nginx + PHP-FPM + MySQL, but few of them mention how to secure WordPress on this architecture. If you use Windows, you are probably familiar with its permission control mechanism; Linux is similar. A user or group has three basic permissions: read, write, and execute. You can read this article to learn about permissions on Linux.

Imagine you have two website owners sharing one virtual machine; they don't know each other and don't want to share their website code. If you set up this architecture by following an online tutorial, you will find that all website files run under the user www-data, which means the www-data user can see the contents of both websites. What happens if someone uploads a trojan?

For this architecture, my understanding is that Nginx, according to the site's configuration file, passes PHP page requests to the corresponding ***.sock file (under /var/run/); PHP-FPM listens on the same sock file, executes the requested PHP script and returns the result to Nginx. All the files and configuration used here must run under the same user. So basically we need to modify three places: the site's Nginx configuration file, the PHP-FPM configuration file, and a new sock file.

For the detailed configuration, refer to this article: Run php-fpm with separate user/uid and group on linux
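As an added example (not code from the original post or from the linked article), here is the per-site setup described above, in both the English text and the Chinese version, as a shell script: it writes one PHP-FPM pool and one Nginx server block per site so each site's PHP runs as its own Unix user and talks to Nginx over its own socket, prints the ownership commands for that site's document root, and audits a pool directory for pools that still run as www-data or share a socket. The path conventions (/var/run/php-fpm-<site>.sock, /var/www/<site>, the www-data group), the output directory layout, and the open_basedir restriction are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a separate PHP-FPM pool
# and Nginx server block per WordPress site so each site runs under its own user.
# Assumed conventions: socket /var/run/php-fpm-<site>.sock, files in /var/www/<site>,
# Nginx workers run as www-data (Debian/Ubuntu style).
# Usage: gen_site_config <site_name> <unix_user> [<out_dir>]
#   Writes <out_dir>/php-fpm.d/<site>.conf and <out_dir>/nginx/sites-available/<site>;
#   copy them into the PHP-FPM pool.d directory and /etc/nginx/sites-available/ on the host.

gen_site_config() {
    site="$1"
    user="$2"
    out="${3:-./site-configs}"
    sock="/var/run/php-fpm-${site}.sock"   # one socket per site
    root="/var/www/${site}"                # document root, owned by $user
    mkdir -p "$out/php-fpm.d" "$out/nginx/sites-available"

    # PHP-FPM pool: PHP processes run as the site user, not www-data. The socket is
    # owned by that user, group www-data, mode 0660, so only the Nginx worker can connect.
    # open_basedir is an extra restriction beyond the post (assumption): PHP for this
    # site cannot read files outside its own document root and /tmp.
    cat > "$out/php-fpm.d/${site}.conf" <<EOF
[${site}]
user = ${user}
group = ${user}
listen = ${sock}
listen.owner = ${user}
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s
php_admin_value[open_basedir] = ${root}:/tmp
EOF

    # Nginx server block: Nginx itself keeps running as www-data; the only per-site
    # difference on this side is the socket in fastcgi_pass.
    cat > "$out/nginx/sites-available/${site}" <<EOF
server {
    listen 80;
    server_name ${site};
    root ${root};
    index index.php;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \\.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:${sock};
    }
}
EOF
}

# Print (do not run) the ownership commands for a site's document root: the site
# user owns and may write the files, group www-data may only read them (so Nginx can
# serve static files), and other users (the other site's user) get no access at all.
site_ownership_cmds() {
    site="$1"
    user="$2"
    root="/var/www/${site}"
    printf 'chown -R %s:www-data %s\n' "$user" "$root"
    printf 'find %s -type d -exec chmod 750 {} +\n' "$root"
    printf 'find %s -type f -exec chmod 640 {} +\n' "$root"
}

# Audit a directory of pool files. Returns non-zero if any pool still runs PHP as
# www-data (the shared-user problem the post describes) or two pools share a socket.
check_pools() {
    dir="$1"
    status=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^user[[:space:]]*=[[:space:]]*www-data[[:space:]]*$' "$f"; then
            echo "WARN: $f runs PHP as www-data (shared user)" >&2
            status=1
        fi
    done
    dups=$(grep -h '^listen[[:space:]]*=' "$dir"/*.conf 2>/dev/null | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "WARN: socket shared between pools: $dups" >&2
        status=1
    fi
    return $status
}
```

Typical use is `gen_site_config blog.example alice ./out` once per site, then copying the two files into place, running the printed ownership commands, and reloading PHP-FPM and Nginx. After the reload, `ls -l /var/run/php-fpm-*.sock` should show each socket owned by its site user with group www-data, and `check_pools` run against the live pool directory should return 0.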
