chrooting php-fpm with nginx

Question

I'm setting up a new server with PHP 5.3.9 and nginx, so I compiled PHP with the php-fpm SAPI options. By itself it works great using the following server entry in nginx:

server {
    listen 80;
    server_name domain.com www.domain.com;

    root /var/www/clients/domain.com/www/public;
    index index.php;

    log_format gzip '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
    access_log /var/www/clients/domain.com/logs/www-access.log;
    error_log /var/www/clients/domain.com/logs/www-error.log error;

    location ~\.php$ {
            fastcgi_pass 127.0.0.1:9001;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /var/www/clients/domain.com/www/public$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
    }
}

It servers my PHP files just fine. For added security I wanted to chroot my FPM instance, so I added the following lines to my conf file for this FPM instance:

# FPM config
chroot = /var/www/clients/domain.com

and changed the nginx config:

#nginx config for chroot
location ~\.php$ {
            fastcgi_pass 127.0.0.1:9001;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME www/public$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
    }

With those changes, nginx gives me a File not found message for any PHP scripts. Looking in the error log I can see that it's prepending the root path to my DOCUMENT_ROOT variable that's passed to fastcgi, so I tried to override it in the location block like this:

fastcgi_param DOCUMENT_ROOT /www/public/;
fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;

but I still get the same error, and the debug log shows the full, unchrooted path being sent to PHP-FPM.

What am I missing to get this to work?

Change to this... fastcgi_param SCRIPT_FILENAME /www/public$fastcgi_script_name; — EminezArtus, Feb 15 '16 at 09:13

score 4 · Answer 1 · answered May 23 '12 at 07:54

I have the same situation and this is my solition:

fpm config:

prefix = /var/www/example.com
chroot = $prefix
chdir = /
listen = tmp/php5-fpm.sock
slowlog = log/$pool.log.slow

nginx config:

 location ~ \.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/www/example.com/tmp/php5-fpm.sock;
    fastcgi_param SCRIPT_FILENAME /htdocs$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT /htdocs;
 }

folder structure of /var/www/example.com

drwxr-x---  6 www-data www-data 4096 May 22 10:57 .
drwxr-xr-x 10 root     root     4096 May 22 08:52 ..
drwxr-x---  2 www-data www-data 4096 May 22 10:57 htdocs
drwxr-x---  2 www-data www-data 4096 May 22 10:34 log
drwxr-x---  2 www-data www-data 4096 May 22 10:56 tmp

was struggling with this for a while, until I found this answer, worked a treat. — Kingsley, Dec 14 '21 at 18:12

score 4 · Answer 2 · answered Aug 04 '12 at 20:07

4

It looks like you forgot a /.

fastcgi_param SCRIPT_FILENAME www/public$fastcgi_script_name;

Should read:

fastcgi_param SCRIPT_FILENAME /www/public$fastcgi_script_name;

answered Aug 04 '12 at 20:07

Michael Hampton

244,070
43
506
972

score 0 · Answer 3 · answered Feb 02 '12 at 17:00

0

Nginx doesn't know if you have setup chroot on your PHP-FPM. So, you'd still need to provide the fullpath in fastcgi_param. Basically, your initially configuration is what you needed.

answered Feb 02 '12 at 17:00

Pothi Kalimuthu

6,117
2
26
38

Just tried that, and I get the same result. Most of the tutorials I've seen said that the fastcgi_param settings needed to be relative to the chroot, as chrooting causes it to not see the full path. When I've used chroot before with Apache and mod_php that's also how it worked. – dragonmantank Feb 02 '12 at 20:14

chrooting php-fpm with nginx

3 Answers3