PHP-FPM pool user same as FTP user?
Hey there,
1. It seems it is good practice to use a different user than Apache as the owner of a website's files.
2. I use a dedicated user (or 'FTP user') for each of my websites.
3. In the context of PHP-FPM pools, you can choose the user who owns the PHP processes.
So do I have to set the same user in 3. as in 2.? Doesn't that break condition 1.?
Thanks
5 Replies
If you want separation by website, you could set up a PHP pool for each website and run the pool under the website's account, using the same user as the FTP user for that website.
I believe this is how panels like cPanel work.
The main thing is that 1) Apache has permission to talk to the PHP-FPM socket and 2) the PHP-FPM user has access to the website’s files.
For 1, you could use a group: each website user gets added to the Apache group, for example, so the socket is "owned" by the website user and the Apache group, and the permissions allow either the owner or the group to read/write the socket.
Running the pool under the website’s user account would sort 2.
@andysh writes:
The main thing is that 1) Apache has permission to talk to the PHP-FPM socket and 2) the PHP-FPM user has access to the website’s files.
This falls under #2, but you need to make sure that any required cache directories are writable by the php-fpm user as well. Not doing this is a very common source of failures, especially among beginning WordPress users.
-- sw
This falls under #2, but you need to make sure that any required cache directories are writable by the php-fpm user as well. Not doing this is a very common source of failures, especially among beginning WordPress users.
Very good point, and one I routinely forget when building a new server!
The actual folder path will be dependent on the distribution and how PHP was installed (package vs. compiled, for example) and whether the location has been customised in php.ini. On Fedora (so will likely apply to CentOS/RHEL too), this is the folders under /var/lib/php - opcache, peclxml, session, wsdlcache.
To @andysh and @stevewi: thanks for your replies!
I'm going to test this, and come back here if I have more details on how to set this up.
For Debian and Apache 2.4.10 and higher:
/etc/php/7.4/fpm/pool.d/site1.conf:
[site1]
; the pool's worker processes run as the site owner, so they can read and write the site's files
user = user1
group = group1
listen = /run/php/php7.4-fpm_site1.sock
; the socket itself belongs to Apache's user/group; listen.mode defaults to 0660,
; so only www-data (as owner or group) can connect to it
listen.owner = www-data
listen.group = www-data
(user1 has read/write access to the site1 files as their owner, so there is no need to use groups)
/etc/php/7.4/fpm/pool.d/site2.conf:
[site2]
user = user2
group = group2
listen = /run/php/php7.4-fpm_site2.sock
listen.owner = www-data
listen.group = www-data
/etc/apache2/sites-available/site1.conf:
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php7.4-fpm_site1.sock|fcgi://localhost"
</FilesMatch>
(to be added inside the site's <VirtualHost> block)
/etc/apache2/sites-available/site2.conf:
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php7.4-fpm_site2.sock|fcgi://localhost"
</FilesMatch>
Hope this helps.
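An added example, not code from the thread: a small Python script that audits a set of pool.d files against the two conditions andysh listed (Apache can reach the socket; the pool runs as the site's own user) and against the cross-pool mistakes that undo the separation (two sites sharing a user, or two pools claiming one socket). The sample pool texts are constructed: site1 mirrors the config above, site4 uses the "site user owns the socket, Apache group can use it" variant from andysh's reply, and site3 is deliberately wrong. WEB_USER = www-data is Debian's Apache account and is an assumption of the example.

```python
"""Added example: audit PHP-FPM pool.d files for per-site separation."""
import configparser
from collections import defaultdict

WEB_USER = "www-data"  # Debian's Apache user and group (an assumption of this example)

# Constructed sample files. site1 mirrors the config in the thread; site4 has the site
# user own the socket with Apache's group allowed in; site3 is deliberately wrong
# (runs as www-data, world-accessible mode, reuses site1's socket path).
SAMPLE_POOLS = {
    "site1.conf": """
[site1]
user = user1
group = group1
listen = /run/php/php7.4-fpm_site1.sock
listen.owner = www-data
listen.group = www-data
""",
    "site3.conf": """
[site3]
user = www-data
group = www-data
listen = /run/php/php7.4-fpm_site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666
""",
    "site4.conf": """
[site4]
user = user4
group = user4
listen = /run/php/php7.4-fpm_site4.sock
listen.owner = user4
listen.group = www-data
""",
}


def parse_pool_file(text):
    """Return {pool_name: {key: value}} for one pool.d file (INI syntax, ';' comments)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, inline_comment_prefixes=(";",))
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def audit_pool(name, pool):
    """Per-pool checks; returns a list of human-readable findings (empty when the pool is fine)."""
    findings = []
    user = pool.get("user")
    if not user:
        findings.append(f"{name}: no 'user' set")
    elif user in ("root", WEB_USER):
        findings.append(f"{name}: runs as {user}, which defeats separation between PHP and Apache")

    listen = pool.get("listen", "")
    if not listen.startswith("/"):
        findings.append(f"{name}: listen={listen!r} is not a unix socket; listen.owner/group/mode have no effect")
        return findings

    owner = pool.get("listen.owner")
    group = pool.get("listen.group")
    mode = int(pool.get("listen.mode", "0660"), 8)  # php-fpm's default socket mode is 0660
    if mode & 0o007:
        findings.append(f"{name}: listen.mode {mode:04o} grants access to 'other' (any local user could send requests)")
    # Apache needs read+write on the socket, either as its owner or through the group.
    apache_can_connect = (owner == WEB_USER and mode & 0o600 == 0o600) or \
                         (group == WEB_USER and mode & 0o060 == 0o060)
    if not apache_can_connect:
        findings.append(f"{name}: {WEB_USER} cannot connect to {listen} "
                        f"(owner={owner}, group={group}, mode={mode:04o})")
    return findings


def audit_pools(files):
    """files: {path: text}. Returns sorted findings across all pools, including cross-pool ones."""
    findings = []
    users, sockets = defaultdict(list), defaultdict(list)
    for text in files.values():
        for name, pool in parse_pool_file(text).items():
            findings.extend(audit_pool(name, pool))
            if pool.get("user"):
                users[pool["user"]].append(name)
            if pool.get("listen", "").startswith("/"):
                sockets[pool["listen"]].append(name)
    for user, names in users.items():
        if len(names) > 1:
            findings.append(f"user {user} is shared by pools {', '.join(sorted(names))}; "
                            "one compromised site can read/write the others' files")
    for sock, names in sockets.items():
        if len(names) > 1:
            findings.append(f"socket {sock} is claimed by pools {', '.join(sorted(names))}; only one can bind it")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_pools(SAMPLE_POOLS):
        print(finding)
```

To run it over a real server, feed it the files, e.g. audit_pools({p: open(p).read() for p in glob.glob("/etc/php/*/fpm/pool.d/*.conf")}). It only reads configuration, so stevewi's cache-directory point still has to be checked on the filesystem, for instance with sudo -u user1 test -w on each cache directory the site needs.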