Organize and summarize the permission division of nginx, php-fpm, mysql, etc.

青灯夜游
2022-06-14 12:17:55

This article will talk about the basic knowledge of PHP and give you an in-depth understanding of the user permissions of nginx, php-fpm and mysql. I hope it will be helpful to you!

Normally, the servers we run web applications on are Linux distributions such as CentOS, Ubuntu and Debian. Permission control for the applications that make up the service architecture, such as Nginx, PHP and MySQL, therefore becomes very important. Each service has different permission requirements for the code directory. Too few permissions leave the service unable to read or write, or cause runtime errors; permissions that are too loose create the risk of intrusion and tampering. Here we summarize the permission division of services such as nginx, php-fpm and mysql.

1. Web server Nginx permissions

PHP frameworks usually run with Nginx to form the LNMP architecture, or with Apache to form the LAMP architecture. Here, Nginx is used as an example to describe the permissions needed to run the Nginx service.
Nginx itself cannot parse PHP syntax, so it serves static files (such as HTML) directly, but hands PHP files to the PHP interpreter php-fpm for processing, and then returns the response to the client browser.

Therefore, we need to unify the permissions required for Nginx and php services in our code directory.

① If the root user is used for everything, ordinary guest accounts will not be able to access the application. If nginx is configured to run as root, there is a serious security risk: once it is attacked, the attacker obtains the root identity and can perform any operation on the system.

② If all code directory permissions are set to rwxrwxrwx, there is a hidden danger that users can modify the code directory directly through the browser.

So the best way is to unify them under a new user group and grant that group the permissions needed to run Nginx and PHP, which gives you permission management for the web application directory. Under normal circumstances, many teams name this user group www, and the www user then manages the code directory permissions uniformly.

In the Nginx configuration file nginx.conf, the run-as user is set to www, so the Nginx child processes are also executed by the www user. You can check this with ps aux | grep nginx.

You can see that the nginx master process runs as root, and the other child processes all run as the www user.

The nginx.conf configuration for this is the user directive listed in the summary below.

2. PHP permission configuration

Similarly, the PHP-FPM master process also runs as root, and the child process pool (pool) is configured to execute as the www user. The configuration lives in etc/php-fpm.conf under the PHP root directory. Just add two lines:

user = www
group = www

You can also use ps aux | grep php to view the user identity the processes run as.

3. Permission configuration of MySQL service

With ps aux | grep mysql, you can see that the MySQL service runs under the mysql user. For this service, the PHP code only needs to supply a MySQL username and password when it connects. It does not need to be unified under www, because the data layer must be isolated from the business logic layer to keep the underlying data secure. Authorization in MySQL is mainly a matter of adding users and dividing permissions inside the MySQL service, so that different PHP applications connect with identities that have different permission scopes.

4. Summary

nginx configuration:

user www www;

php-fpm:

user = www
group = www

Directory:

drwxr-xr-x, that is, 755
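
The checks this summary implies, as an added example that is not part of the original article: the script flags nginx worker or php-fpm pool processes that do not run as www, and lists world-writable entries in a code directory. The ps lines and the temporary directory are constructed sample input, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the article. EXPECTED_USER follows the article's
# "www" convention; the ps lines and the temporary docroot are constructed.
EXPECTED_USER=www

# Read `ps aux` lines on stdin and print "USER COMMAND" for every nginx worker
# or php-fpm pool process that is not running as $EXPECTED_USER.
# Master processes are skipped because they are expected to run as root.
bad_workers() {
    awk -v want="$EXPECTED_USER" '
        /nginx: worker process|php-fpm: pool / && $1 != want {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            print $1, cmd
        }'
}

# Print every non-symlink entry under directory $1 that is world-writable,
# i.e. has the "other write" bit that rwxrwxrwx (777) sets and 755 does not.
world_writable() {
    find "$1" ! -type l -perm -0002 | sort
}

# Constructed sample: nginx.conf was set to run workers as root (case 1 above).
SAMPLE_PS='root  1021 0.0 0.1  46340 1164 ? Ss 10:01 0:00 nginx: master process /usr/sbin/nginx
root  1022 0.0 0.3  46748 3512 ? S  10:01 0:00 nginx: worker process
root  1101 0.0 0.5 214000 5900 ? Ss 10:01 0:00 php-fpm: master process (/etc/php-fpm.conf)
www   1102 0.0 0.6 214000 6100 ? S  10:01 0:00 php-fpm: pool www'

# Build a throwaway docroot: 755 directories, a 644 file, one 777 directory.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir "$d/public" "$d/uploads"
    : > "$d/public/index.php"
    chmod 755 "$d" "$d/public"
    chmod 644 "$d/public/index.php"
    chmod 777 "$d/uploads"
    echo "$d"
}

echo "Workers not running as $EXPECTED_USER:"
printf '%s\n' "$SAMPLE_PS" | bad_workers
docroot=$(make_sample_docroot)
echo "World-writable entries under $docroot:"
world_writable "$docroot"
rm -rf "$docroot"
```

On a real host, pipe ps aux into bad_workers and pass the code directory to world_writable; empty output from both means the layout matches the summary.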

Statement:
This article is reproduced from csdn.net. If there is any infringement, please contact admin@php.cn to have it deleted.