I asked a question on Server Fault recently, and it hasn't gotten a lot of traction. So I thought I would try here.
I'm in the process of moving each of my websites that are on a single server from a single PHP instance (whereby all of the files in all websites were owned by apache, and just the default php library was installed without php-fpm) ... and I'm installing a php-fpm pool for each individual website.
Better security and separation of the websites is my goal, the biggest goal being that the PHP scripts in 1 website won't be able to access PHP scripts from another website.
I'm struggling with the final step in implementing a chroot on php-fpm with Apache 2.4 running on CentOS 7.
I've successfully setup and tested the php-fpm connection without the chroot. But as soon as I add the chroot directive into my conf file in /etc/php-fpm.d/file.conf, I get a "File Not Found" as many other people have experienced.
Here's my php-fpm conf file:
```ini
[site1.com]
user = user1
group = user1
listen = /var/run/php-fpm/site1.com.sock
listen.owner = user1
listen.group = user1
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = on
php_admin_value[short_open_tag] = On
php_admin_value[doc_root] = /
php_admin_value[error_log] = /logs/php-errors
php_admin_flag[log_errors] = on
pm = ondemand
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /home/www/site1.com
chdir = /www
catch_workers_output = yes
```
As you can see, after I set the chroot, I changed the `chdir` directive so that it is relative to the PHP root. (The system path would be `/home/www/site1.com/www`, and that's what `chdir` was set to before enabling the `chroot` directive.)
Here's my relevant http.d/site1.conf file:
So I made the following changes to the http.d/site1.conf file:
- Commented out the `<FilesMatch>` section
- Added the following into the `<Directory>` section:

```apache
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} ^/((.*\.php)(/.*)?)$
RewriteCond %2 -f
RewriteRule ^/home/www/site1.com/(.*) fcgi:///var/run/php-fpm/site1.com.sock/home/www/site1.com/www/$1 [L,P]
RewriteOptions Inherit
```
That makes the website work again (with the chroot defined in the php-fpm conf file), but the scripts are not actually chrooted, because I can confirm I'm able to see another website's files with this script:

```php
<?php
// Read a file that belongs to a different site: inside a working chroot this
// path does not exist and file_get_contents() should fail.
$test = file_get_contents('/home/www/site2.com/www/wp-config.php');
echo $test;
echo "<br /><br />";
// List the parent of all site directories: also invisible from inside the chroot.
$files = scandir('/home/www');
print_r($files);
?>
```
So I'm stuck. What am I doing wrong, and how do I fix it?
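An added example, not part of the question above, with a few shell helpers for checking a chrooted php-fpm pool. The paths are the ones from the pool config in the question (`chroot = /home/www/site1.com`, `chdir = /www`, `error_log = /logs/php-errors`); the function names are mine. The first helper does the translation a chroot forces on the web server: once the worker has called chroot(2), the only script path it can open is the one relative to the chroot, so `/home/www/site1.com/www/index.php` has to reach the pool as `/www/index.php`, and any path outside the chroot must be refused.

```sh
# Added example (not from the original question or from php-fpm/Apache itself).
# Assumed layout: chroot /home/www/site1.com, document root /www inside it,
# error_log /logs/php-errors inside it, pool user user1.

# Translate a host filesystem path into the path a worker chrooted at $1 sees.
# A path outside the chroot fails, which is the behaviour a real chroot gives
# the test script in the question. The pattern requires a "/" directly after
# the chroot prefix, so /home/www/site1.com.bak/x is rejected as well.
chroot_relative() {
    case "$2" in
        "$1")    printf '/\n' ;;
        "$1"/*)  printf '%s\n' "${2#"$1"}" ;;
        *)       printf 'outside chroot %s: %s\n' "$1" "$2" >&2; return 1 ;;
    esac
}

# Check that every chroot-relative path the pool relies on (chdir, the
# directory of error_log, ...) exists below the chroot on the host. A pool
# whose chdir is missing under the chroot cannot change into it, and a
# missing log directory means php-fpm has nowhere to write its errors.
pool_paths_exist() {
    root="$1"; shift
    rc=0
    for p in "$@"; do
        if [ -e "$root$p" ]; then
            printf 'ok       %s (host: %s)\n' "$p" "$root$p"
        else
            printf 'MISSING  %s (host: %s)\n' "$p" "$root$p" >&2
            rc=1
        fi
    done
    return $rc
}

# Ask the kernel where a running worker's root really is. "/" means no chroot
# is in effect for that process. Reading /proc/<pid>/root needs root or the
# pool's own user.
worker_root() {
    readlink "/proc/$1/root" || return 1
}
```

Usage, as root on the server: `pool_paths_exist /home/www/site1.com /www /logs` to confirm the chroot has the directories the pool config refers to, and `for pid in $(pgrep -u user1 php-fpm); do echo "$pid $(worker_root "$pid")"; done` to see whether the site1 workers report `/home/www/site1.com` or `/`. If the processes that serve the request are not chrooted, or the request is being handled by something other than the site1 pool, the PHP test script in the question will read site2's `wp-config.php` exactly as described, and no `chroot =` line will change that until the request actually lands in the chrooted pool with a chroot-relative `SCRIPT_FILENAME`.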