Organize and summarize the permission division of nginx, php-fpm, mysql, etc.
This article will talk about the basic knowledge of PHP and give you an in-depth understanding of the user permissions of nginx, php-fpm and mysql. I hope it will be helpful to you!
Normally, the servers we run web applications on use Linux distributions such as CentOS, Ubuntu, Debian, etc. Permission control for the applications that make up the service architecture, such as Nginx, PHP and MySQL, then becomes very important. Each service has different permission requirements for the code directory. Lacking certain permissions leaves a service unable to read or write, or causes runtime errors, while relaxing the permission requirements creates the risk of intrusion and modification. Here we summarize the permission division of services such as nginx, php-fpm and mysql.
PHP is usually run together with Nginx to form the LNMP architecture, or with Apache to form the LAMP architecture. Here, Nginx is used as the example to describe the permissions needed to run the Nginx service.
We know that Nginx itself cannot parse PHP syntax, so Nginx directly handles static files (such as HTML) and returns the result, but it passes PHP files to the PHP interpreter php-fpm for processing, and then returns the response to the client browser after processing.
Therefore, we need to unify the permissions required by the Nginx and PHP services on our code directory.
① If the root user is used uniformly, general guest accounts will not be able to access the application. If nginx is configured to run as root, there will be great security risks: once it is attacked, the attacker obtains the root identity and can perform all operations on the system.
② If all code directory permissions are set to rwxrwxrwx, there is a hidden danger that users can modify the code directory directly through the browser.
So the best way is to unify them under a new user group and assign the permissions needed to run Nginx and PHP to that user group, to achieve permission management for the web application directory. Under normal circumstances, many teams name this user group www, and the www user uniformly manages the code directory permissions.
We can see this in the Nginx configuration file nginx.conf.
The running user configured in it is www, so the Nginx child processes are also executed by the www user, which can be viewed with
ps aux | grep nginx
You can see that the main process of nginx runs as root, and the other child processes all run as the www user.
nginx.conf configuration:
Similarly, PHP is also started by a main process running as root, and the child process pool (pool) is configured to be executed by the www user. The specific configuration is in etc/php-fpm.conf under the php root directory. Just add two lines:
user = www
group = www
You can also use ps aux | grep php to view the user identity used by the process.
With ps aux | grep mysql, you can see that the MySQL service runs under the mysql user. This service only requires the PHP code to supply the mysql username and password when it connects to mysql. It does not need to be unified as www, because the data layer needs to be isolated from the business logic layer to ensure the security of the underlying data. MySQL authorization is mainly a matter of adding new users and dividing permissions within the mysql service, so that different PHP businesses connect with identities that have different permission ranges, to ensure data security.
nginx configuration:
user www www;
php-fpm:
user = www
group = www
Directory:
drwxr-xr-x, that is, 755
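A check for the layout summarized above, as an added example that is not from the original article: it flags nginx worker or php-fpm pool processes running as root, world-writable paths in the code directory (the rwxrwxrwx case), and paths not owned by the expected user. The function names are hypothetical, and the ps lines and temporary directory are constructed sample data.

```bash
#!/bin/sh
# Added example: audit helpers for the nginx / php-fpm layout in the article.

# Constructed `ps aux` sample: masters run as root, children should be www.
SAMPLE_PS='root 1201 0.0 0.1 46000 1100 ? Ss 10:00 0:00 nginx: master process /usr/sbin/nginx
www 1202 0.0 0.2 46400 2100 ? S 10:00 0:00 nginx: worker process
root 1310 0.0 0.3 98000 5100 ? Ss 10:00 0:00 php-fpm: master process (/path/to/php-fpm.conf)
www 1311 0.0 0.4 98200 6100 ? S 10:00 0:00 php-fpm: pool www
root 1312 0.0 0.4 98200 6100 ? S 10:00 0:00 php-fpm: pool www'

# Read `ps aux` text on stdin; print PIDs of nginx workers or php-fpm pool
# processes that run as root (only the master processes should).
root_workers() {
    awk '$1 == "root" && /nginx: worker process|php-fpm: pool / { print $2 }'
}

# Print paths under the code directory that any user may write to
# (the rwxrwxrwx case); symlinks are skipped because their mode is not used.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print paths under the code directory not owned by the expected user
# (www in the article; a numeric uid also works).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Demo on a constructed temporary tree; on a server, pipe real `ps aux`
# output into root_workers and pass the real code directory instead.
demo() {
    d=$(mktemp -d)
    mkdir "$d/app" "$d/uploads"
    touch "$d/app/index.php"
    chmod 755 "$d/app"; chmod 644 "$d/app/index.php"; chmod 777 "$d/uploads"
    echo "children running as root (PIDs):"
    printf '%s\n' "$SAMPLE_PS" | root_workers
    echo "world-writable paths:"
    world_writable "$d"
    echo "paths not owned by uid $(id -u):"
    wrong_owner "$d" "$(id -u)"
    rm -rf "$d"
}
demo
```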
The above is the detailed content of Organize and summarize the permission division of nginx, php-fpm, mysql, etc.. For more information, please follow other related articles on the PHP Chinese website!