Run multiple WordPress websites as different users on Nginx

There are lots of articles that tell you how to install and set up Nginx + PHP-FPM + MySQL, but few talk about how to secure a WordPress website on that infrastructure. If you come from Windows, you are probably familiar with ACLs; the Linux world is similar, only simpler by default. For every file, the owner, the owning group and everyone else each get up to three essential permissions: read, write and execute. Read this article to understand how permissions work on Linux.

Think about this scenario. Two website owners share one virtual machine; they don't know each other and don't want to share their website files with each other. If you simply follow an installation guide from the internet, you will run into trouble, because both sites' folders and files end up owned by, and executed as, the user www-data. That means both websites are visible (and writable) to the user www-data. What if one of the owners uploads a webshell? It runs as www-data, so it can read and modify the other site's files just as easily as its own.

My understanding is that Nginx passes a PHP request to the corresponding .sock file in /var/run/ according to the site's config file in /etc/nginx/sites-enabled/. A PHP-FPM pool listens on that same .sock file, executes the PHP script immediately and passes the result back to Nginx. Everything on the PHP side of that socket must be tied to one site's user: the PHP-FPM pool runs as that user, the site directory is owned by that user, and the socket is reachable only by the Nginx worker. So we basically need to change three things: the Nginx site config file (fastcgi_pass pointing at the new socket), a PHP-FPM pool config file with its own user and group, and a separate .sock file for each site. A webshell then runs as that one site's user and can touch nothing outside its own tree.

Here is a nice article, Run php-fpm with separate user/uid and group on linux, that shows how to set it up.
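As an added example (it is not from this article or the linked one), the shell script below carries out those three changes for one site, plus the file-ownership step the text implies and an isolation check you can run afterwards. It assumes a Debian/Ubuntu layout with PHP 8.2 packages, sites under /var/www/<site>, and Nginx workers running as www-data; the site names, users and domain are placeholders. The config-writing functions take a ROOT prefix so they can be exercised without root; provision_site itself must run as root.

```shell
#!/bin/sh
# Added example: one isolated PHP-FPM pool + Nginx server block per site,
# so each WordPress install runs as its own Unix user.
# Assumptions (not from the original article): Debian/Ubuntu paths,
# PHP 8.2, sites under /var/www/<site>, Nginx worker user www-data.
set -eu

PHP_VER="${PHP_VER:-8.2}"              # assumed PHP version
NGINX_USER="${NGINX_USER:-www-data}"   # user the Nginx workers run as
ROOT="${ROOT:-}"                       # path prefix for dry runs (empty = real /)

# 1. PHP-FPM pool running as the site's own user. Only the socket is shared
#    with Nginx: owner/group are the Nginx worker user, mode 0660, so
#    www-data can connect to it but gains no access to the site's files.
write_pool_conf() {
    site="$1"; user="$2"
    conf="$ROOT/etc/php/$PHP_VER/fpm/pool.d/$site.conf"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
[$site]
user = $user
group = $user
listen = /run/php/php$PHP_VER-fpm-$site.sock
listen.owner = $NGINX_USER
listen.group = $NGINX_USER
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; second line of defence: keep PHP inside this site's tree
php_admin_value[open_basedir] = /var/www/$site/:/tmp/
EOF
    echo "$conf"
}

# 2. Nginx server block whose fastcgi_pass points at this site's socket only.
write_nginx_site() {
    site="$1"; domain="$2"
    conf="$ROOT/etc/nginx/sites-available/$site"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
server {
    listen 80;
    server_name $domain;
    root /var/www/$site/public;
    index index.php;

    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }

    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php$PHP_VER-fpm-$site.sock;
    }
}
EOF
    echo "$conf"
}

# 3. Create the site user, set ownership and wire everything up (run as root).
#    Files: owner = site user (PHP writes uploads/updates as this user),
#    group = www-data read-only (Nginx serves static files), others = nothing,
#    so another site's PHP user cannot even traverse this directory.
provision_site() {
    site="$1"; user="$2"; domain="$3"
    useradd --system --shell /usr/sbin/nologin --home-dir "/var/www/$site" "$user"
    mkdir -p "/var/www/$site/public"
    chown -R "$user:$NGINX_USER" "/var/www/$site"
    find "/var/www/$site" -type d -exec chmod 750 {} +
    find "/var/www/$site" -type f -exec chmod 640 {} +
    write_pool_conf "$site" "$user" >/dev/null
    write_nginx_site "$site" "$domain" >/dev/null
    ln -sf "/etc/nginx/sites-available/$site" "/etc/nginx/sites-enabled/$site"
    nginx -t
    systemctl reload nginx
    systemctl reload "php$PHP_VER-fpm"
}

# The check a practitioner wants: the other site's PHP user must be refused.
# Run as root after provisioning both sites, e.g. check_isolation bob_site alice
check_isolation() {
    other_user="$1"; site="$2"
    if su -s /bin/sh "$other_user" -c "cat /var/www/$site/public/wp-config.php" >/dev/null 2>&1; then
        echo "FAIL: $other_user can read $site's wp-config.php"; return 1
    fi
    echo "OK: $other_user cannot read $site's files"
}

# Usage: sudo ./isolate.sh provision <site> <unix-user> <domain>
if [ "${1:-}" = "provision" ]; then
    provision_site "$2" "$3" "$4"
fi
```

Provision each site with its own user (for example alice with alice_site and bob with bob_site), then run check_isolation in both directions. Note that the Nginx worker (www-data) can still read every site's static files through the group permission; what changes is that PHP, and therefore any uploaded webshell, no longer runs as www-data.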

Chinese version (translated)

There are many articles online about how to install and configure Nginx + PHP-FPM + MySQL, but very few mention how to secure WordPress on this architecture. If you use Windows, you are probably familiar with its permission-control mechanism; Linux is similar. A user or group has three basic permissions: read, write and execute. You can read this article to learn about permissions on Linux.

Imagine you have two website owners sharing one virtual machine; they do not know each other and do not want to share their site code. If you install this stack following the tutorials online, you will find that all the website files run as the user www-data, which means the www-data user can see the content of both sites. What happens if someone uploads a trojan (webshell)?

On this architecture, my understanding is that Nginx passes a PHP page request, according to that site's config file, to the corresponding ***.sock file (under /var/run/); PHP-FPM listens on the same sock file, executes the PHP script and returns the result to Nginx. All the files and configuration involved here must run as the same user. So basically we need to change three places: that site's Nginx config file, the PHP-FPM config file and a new sock file.

For the specific configuration, see this article: Run php-fpm with separate user/uid and group on linux