Commit b91f0cbf authored by Till Brehm's avatar Till Brehm

Merge branch 'php-fpm-chroot' into 'master'

PHP-FPM chroot support for nginx

See merge request ispconfig/ispconfig3!721
parents e59dfdcb 89ba0d1b
......@@ -91,3 +91,4 @@ ALTER TABLE `dns_rr` CHANGE `type` `type` ENUM('A','AAAA','ALIAS','CAA','CNAME',
ALTER TABLE `web_domain` ADD COLUMN `ssl_letsencrypt_exclude` enum('n','y') NOT NULL DEFAULT 'n' AFTER `ssl_letsencrypt`;
ALTER TABLE `remote_user` ADD `remote_access` ENUM('y','n') NOT NULL DEFAULT 'y' AFTER `remote_password`;
ALTER TABLE `remote_user` ADD `remote_ips` TEXT AFTER `remote_access`;
ALTER TABLE `web_domain` ADD `php_fpm_chroot` enum('n','y') NOT NULL DEFAULT 'n' AFTER `php_fpm_use_socket`;
......@@ -2049,6 +2049,7 @@ CREATE TABLE `web_domain` (
`apache_directives` mediumtext,
`nginx_directives` mediumtext,
`php_fpm_use_socket` ENUM('n','y') NOT NULL DEFAULT 'y',
`php_fpm_chroot` ENUM('n','y') NOT NULL DEFAULT 'n',
`pm` enum('static','dynamic','ondemand') NOT NULL DEFAULT 'dynamic',
`pm_max_children` int(11) NOT NULL DEFAULT '10',
`pm_start_servers` int(11) NOT NULL DEFAULT '2',
......@@ -766,6 +766,12 @@ if($_SESSION["s"]["user"]["typ"] == 'admin'
'default' => 'n',
'value' => array(0 => 'n', 1 => 'y')
),
'php_fpm_chroot' => array (
'datatype' => 'VARCHAR',
'formtype' => 'CHECKBOX',
'default' => 'n',
'value' => array(0 => 'n', 1 => 'y')
),
'pm' => array (
'datatype' => 'VARCHAR',
'formtype' => 'SELECT',
......@@ -29,6 +29,7 @@ $wb['vhost_type_txt'] = 'VHost Type';
$wb['hd_quota_txt'] = 'Harddisk Quota';
$wb['traffic_quota_txt'] = 'Traffic Quota';
$wb['cgi_txt'] = 'CGI';
$wb['php_fpm_chroot_txt'] = 'PHP-FPM Chroot';
$wb['ssi_txt'] = 'SSI';
$wb['errordocs_txt'] = 'Own Error-Documents';
$wb['subdomain_txt'] = 'Auto-Subdomain';
......@@ -57,6 +57,12 @@
{tmpl_var name='php_fpm_use_socket'}
</div>
</div>
<div class="form-group nginx">
<label class="col-sm-3 control-label">{tmpl_var name='php_fpm_chroot_txt'}</label>
<div class="col-sm-9">
{tmpl_var name='php_fpm_chroot'}
</div>
</div>
<div class="form-group">
<label for="pm" class="col-sm-3 control-label">{tmpl_var name='pm_txt'}</label>
<div class="col-sm-9"><select name="pm" id="pm" class="form-control">
......@@ -182,7 +182,11 @@ server {
fastcgi_pass unix:<tmpl_var name='fpm_socket'>;
</tmpl_if>
fastcgi_index index.php;
<tmpl_if name='php_fpm_chroot'>
fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;
</tmpl_else>
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
</tmpl_if>
#fastcgi_param PATH_INFO $fastcgi_script_name;
fastcgi_intercept_errors on;
}
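Review bot: The chroot branch on L65 hardcodes `/web` as the in-jail script prefix while the non-chroot branch keeps nginx's `$document_root`; that is only right when the vhost's `root` is exactly `<document_root>/web`, and presumably breaks for vhost subdomains or aliases that serve from their own web folder — confirm against how `root` is built earlier in this template. If the pool always chroots to the site's document_root, derive the jail-relative path from the same value `root` is built from instead of a literal, and say so next to the directive: `# pool is chrooted to document_root, so SCRIPT_FILENAME is jail-relative here`. The enclosing `location` block starts outside the hunk.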
......@@ -26,20 +26,38 @@ pm.process_idle_timeout = <tmpl_var name='pm_process_idle_timeout'>s;
</tmpl_if>
pm.max_requests = <tmpl_var name='pm_max_requests'>
<tmpl_if name='php_fpm_chroot'>
prefix = <tmpl_var name='document_root'>
chroot = $prefix
</tmpl_if>
chdir = /
env[HOSTNAME] = $HOSTNAME
<tmpl_if name='php_fpm_chroot'>
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
</tmpl_else>
env[TMP] = <tmpl_var name='document_root'>/tmp
env[TMPDIR] = <tmpl_var name='document_root'>/tmp
env[TEMP] = <tmpl_var name='document_root'>/tmp
</tmpl_if>
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
<tmpl_if name='security_level' op='==' value='20'>
<tmpl_var name='enable_php_open_basedir'>php_admin_value[open_basedir] = <tmpl_var name='php_open_basedir'>
<tmpl_if name='custom_session_save_path' op='!=' value='y'>
<tmpl_if name='php_fpm_chroot'>
php_admin_value[session.save_path] = /tmp
</tmpl_else>
php_admin_value[session.save_path] = <tmpl_var name='document_root'>/tmp
</tmpl_if>
</tmpl_if>
<tmpl_if name='php_fpm_chroot'>
php_admin_value[upload_tmp_dir] = /tmp
</tmpl_else>
php_admin_value[upload_tmp_dir] = <tmpl_var name='document_root'>/tmp
</tmpl_if>
php_admin_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f webmaster@<tmpl_var name='domain'>"
</tmpl_if>
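Review bot: `php_admin_value[sendmail_path]` on the last line of the hunk still names the host binary `/usr/sbin/sendmail`, but once `chroot = $prefix` (document_root) from the top of the hunk is in effect the worker cannot reach it, so `mail()` from a chrooted pool will fail unless a sendmail shim is provided inside the jail; the host directories in `env[PATH]` are unreachable for the same reason. Either wrap the directive in `<tmpl_if name='php_fpm_chroot'>` with an in-jail path, or document the limitation beside the chroot block, e.g. `; chroot: tmp, sessions and uploads resolve under document_root; sendmail_path and PATH entries are host paths and are not reachable from the jail`. Per the PHP-FPM pool docs, `prefix` also changes how every relative path in the pool file (listen, slowlog, access.log) is resolved, so any relative path elsewhere in this template now lands under document_root — the rest of the pool file is outside the hunk.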
......@@ -1024,6 +1024,11 @@ class nginx_plugin {
$socket_dir = escapeshellcmd($web_config['php_fpm_socket_dir']);
if(substr($socket_dir, -1) != '/') $socket_dir .= '/';
if($data['new']['php_fpm_chroot'] == 'y'){
$php_fpm_chroot = 1;
} else {
$php_fpm_chroot = 0;
}
if($data['new']['php_fpm_use_socket'] == 'y'){
$use_tcp = 0;
$use_socket = 1;
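Review bot: The five-line `if`/`else` on L112-116 only maps `'y'` to 1 and everything else to 0, and the same block is repeated verbatim in the pool-generation path further down the file; a single expression reads better and keeps both call sites identical: `$php_fpm_chroot = ($data['new']['php_fpm_chroot'] == 'y') ? 1 : 0;`. The enclosing method begins outside the hunk.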
......@@ -1033,6 +1038,7 @@ class nginx_plugin {
}
$tpl->setVar('use_tcp', $use_tcp);
$tpl->setVar('use_socket', $use_socket);
$tpl->setVar('php_fpm_chroot', $php_fpm_chroot);
$fpm_socket = $socket_dir.$pool_name.'.sock';
$tpl->setVar('fpm_socket', $fpm_socket);
$tpl->setVar('rnd_php_dummy_file', '/'.md5(uniqid(microtime(), 1)).'.htm');
......@@ -2653,6 +2659,11 @@ class nginx_plugin {
$tpl = new tpl();
$tpl->newTemplate('php_fpm_pool.conf.master');
if($data['new']['php_fpm_chroot'] == 'y'){
$php_fpm_chroot = 1;
} else {
$php_fpm_chroot = 0;
}
if($data['new']['php_fpm_use_socket'] == 'y'){
$use_tcp = 0;
$use_socket = 1;
......@@ -2663,6 +2674,7 @@ class nginx_plugin {
}
$tpl->setVar('use_tcp', $use_tcp);
$tpl->setVar('use_socket', $use_socket);
$tpl->setVar('php_fpm_chroot', $php_fpm_chroot);
$fpm_socket = $socket_dir.$pool_name.'.sock';
$tpl->setVar('fpm_socket', $fpm_socket);
......@@ -2702,7 +2714,14 @@ class nginx_plugin {
$tpl->setVar('security_level', $web_config['security_level']);
$tpl->setVar('domain', $data['new']['domain']);
$php_open_basedir = ($data['new']['php_open_basedir'] == '')?escapeshellcmd($data['new']['document_root']):escapeshellcmd($data['new']['php_open_basedir']);
$tpl->setVar('php_open_basedir', $php_open_basedir);
if($php_fpm_chroot){
$document_root = $data['new']['document_root'];
$domain = $data['new']['domain'];
$php_open_basedir = str_replace(":/srv/www/$domain/web",'',$php_open_basedir);
$php_open_basedir = str_replace(":/var/www/$domain/web",'',$php_open_basedir);
$php_open_basedir = str_replace("$document_root",'',$php_open_basedir);
}
$tpl->setVar('php_open_basedir', $php_open_basedir);
if($php_open_basedir != ''){
$tpl->setVar('enable_php_open_basedir', '');
} else {
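Review bot: The third `str_replace` on L156 matches the document root as a bare substring, so an open_basedir entry for a sibling site whose path starts with the same string (`.../web1` vs `.../web10`) would be mangled, and in the default case where `$php_open_basedir` is just the document root (L149) the result is the empty string, which the check on L159 then turns into open_basedir being disabled inside the jail — probably intended, but it deserves a comment. A boundary-anchored replacement avoids the substring problem: `$php_open_basedir = preg_replace('#(^|:)' . preg_quote($document_root, '#') . '(?=/|:|$)#', '$1', $php_open_basedir);`. Note also that L149 passes the value through `escapeshellcmd()` before the raw `$document_root` is searched for, so a root containing shell metacharacters would silently not be stripped. The `else` branch on L161 continues outside the hunk.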