How to secure nginx +php using fastcgi in shared enviorment

Kraiser10 · 08-29-2014, 09:07 AM

Hello I would like to know if I have many domains on one server how to secure the files so if someone will try to read/write to other domain he won't be able to.

For example user1 have domain1 in /var/www/domain1 and user2 have domain2 /var/www/domain2 now I dont want those 2 users to read/write files which are not theirs. How do I do that with nginx + php fastcgi?

sundialsvcs · 08-29-2014, 12:56 PM

There's copious material out there on that. Each domain-definition should occupy its own set of "<location>s" and have its own set of directives ... and the PHP software which runs the site (which will probably run as "nobody") must be configured so that it will not attempt to read any outside locations, even though it can. The software must also be configured so that "rogue" URLs, including ".."s and such, are not honored. Spend 10 minutes surfing Google and you will have days' worth of material to ponder.

Kraiser10 · 08-31-2014, 03:49 AM

Quote:

Originally Posted by sundialsvcs

There's copious material out there on that. Each domain-definition should occupy its own set of "<location>s" and have its own set of directives ... and the PHP software which runs the site (which will probably run as "nobody") must be configured so that it will not attempt to read any outside locations, even though it can. The software must also be configured so that "rogue" URLs, including ".."s and such, are not honored. Spend 10 minutes surfing Google and you will have days' worth of material to ponder.

Yeah well maybe im doing it wrong but I haven't found anything related to my question could you tell what you wrote in google search?

I have managed to make /var/www kinda chroot by using open_basedir but it still doesn't fixes my issue with permissions with diffrent domain if user1 manages to exploit web1 he will have READ access to web2 too .
structure of my server
/var/www/web1 phpcgi user/group
/var/www/web2 phpcgi2 user/group

when somebody will be able to exploit web1 he will have READ access to web2 too. I don't want to do that.

Kraiser10 · 08-31-2014, 06:41 AM

Ok here is what I did created 2 seperate php-cgi processes one under php-cgi port 9000 the other under php-cgi2 port 9001 user and passed to those in conf.d
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}

fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
include fastcgi_params;
}
other domain have same but 9000.

of nginx made chmod 640 on .php files and it seems like it works Im not sure if it is proper concept of making this right , Can this be exploited somehow ? I tried using c99 and there is no READ access to files except for .css not sure why I had to set 644 to css and image files to make my site work properly.