Hosting Multiple Websites in a Secure Way on LEMP


Running sites in a LEMP environment is the best solution for performance. Earlier we described in detail how to host multiple websites on a LEMP stack; you can create as many vhosts as you like to host multiple sites.

Although the above procedure works fine, there is room for improvement from a security point of view. If any one of the sites is compromised, the attacker can also read sensitive data from the other websites, because all sites run under the common nginx user "www-data".

This risk can be addressed in php-fpm by creating a separate pool, running under a different user, for each nginx server block (site or virtual host).

Suppose you want to host two websites: a) example1.com and b) example2.com.
Follow steps 1 to 15 of this tutorial: how to host multiple websites in a LEMP stack.

Create the required directories first.

sudo mkdir /var/www/html/example1
sudo mkdir /var/www/html/example2

Now create a different user for each nginx vhost.

sudo groupadd exm1
sudo useradd -g exm1 exm1
sudo groupadd exm2
sudo useradd -g exm2 exm2

Now create a different php-fpm pool configuration for each user.

sudo nano /etc/php5/fpm/pool.d/exm1.conf

Paste the following code.

[exm1]
user = exm1
group = exm1
listen = /var/run/php5-fpm-exm1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

Similarly,

sudo nano /etc/php5/fpm/pool.d/exm2.conf

Paste the following code.

[exm2]
user = exm2
group = exm2
listen = /var/run/php5-fpm-exm2.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

Restart the php-fpm service

sudo service php5-fpm restart

Now create the nginx vhost for example1.com

sudo nano /etc/nginx/sites-available/example1

Paste the following code.

server {
	listen 80;
	listen [::]:80;
	root /var/www/html/example1;
	index index.php index.html index.htm;
	server_name example1.com;
	location / {
		try_files $uri $uri/ /index.php?$args;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php5-fpm-exm1.sock;
	}
}

Create the nginx vhost for example2.com

sudo nano /etc/nginx/sites-available/example2

Paste the following code.

server {
	listen 80;
	listen [::]:80;
	root /var/www/html/example2;
	index index.php index.html index.htm;
	server_name example2.com;
	location / {
		try_files $uri $uri/ /index.php?$args;
	}
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/var/run/php5-fpm-exm2.sock;
	}
}

Activate the nginx vhosts (the symlinks must point at the file names created above, example1 and example2, not example1.com and example2.com)

sudo ln -s /etc/nginx/sites-available/example1 /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/example2 /etc/nginx/sites-enabled/

Now for better performance, disable opcache

sudo nano /etc/php5/fpm/conf.d/05-opcache.ini

Add the following at the end of that file.

opcache.enable=0

Restart Nginx

sudo service nginx restart
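The pool and vhost files above differ only in the site name, user and socket, so the whole procedure can be generated and checked from a script. The following is an added helper, not part of the original tutorial: it prints a pool config and a server block for any site, and checks that a docroot denies read access to "other" users, which the per-pool users only protect against when the directories are not left world-readable. It assumes the site's docroot is owned by the pool user with mode 750 and that www-data has been added to that group (usermod -a -G exm1 www-data) so nginx can still serve static files.

```bash
# Added helper (not part of the tutorial): prints the per-site php-fpm pool and
# nginx server block shown above for any site, and checks that a docroot is not
# world-readable, so a compromised pool user cannot read the other site's files.

# Pool config for pool user NAME ($1), the same settings as exm1/exm2 above.
gen_pool_conf() {
  cat <<EOF
[$1]
user = $1
group = $1
listen = /var/run/php5-fpm-$1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
EOF
}

# nginx server block for DOMAIN ($1), docroot /var/www/html/DIR ($2), pool NAME ($3).
gen_vhost() {
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    root /var/www/html/$2;
    index index.php index.html index.htm;
    server_name $1;
    location / { try_files \$uri \$uri/ /index.php?\$args; }
    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm-$3.sock;
    }
}
EOF
}

# Exit 0 when DIR ($1) has no read bit for "other"; 1 when it is world-readable.
# mkdir leaves 755, so per site (assumed fix): chown -R exm1:exm1 DIR; chmod 750 DIR
docroot_is_private() {
  [ -z "$(find "$1" -prune -perm -o+r -print)" ]
}
```

As root, `gen_pool_conf exm1 > /etc/php5/fpm/pool.d/exm1.conf` and `gen_vhost example1.com example1 exm1 > /etc/nginx/sites-available/example1` reproduce the files above, and `docroot_is_private /var/www/html/example1` reports whether the other pool's user could still read that site.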

Well done. You have now secured your virtual private server by isolating each vhost from the others.

To understand how this method works, you may read this tutorial at DigitalOcean.
