Running sites on a LEMP stack is a good way to get solid performance. Earlier we described in detail how to host multiple websites on a LEMP stack. You can create as many vhosts as you like to host multiple sites.
Although the above procedure works fine, there is room for improvement from a security point of view. If any one of the sites is compromised, the attacker can also read sensitive data from the other sites, because PHP for every site runs under the same nginx user, "www-data".
This risk can be mitigated in php-fpm by creating a separate pool, running as a different user, for each nginx server block (site or virtual host).
Suppose you want to host two websites: a) example1.com and b) example2.com
Follow Step 1 to 15 of this tutorial: how to host multiple websites in LEMP stack.
Create required directories first.
sudo mkdir /var/www/html/example1
sudo mkdir /var/www/html/example2
Now create a different user for each nginx vhost.
sudo groupadd exm1
sudo useradd -g exm1 exm1
sudo groupadd exm2
sudo useradd -g exm2 exm2
Now create a separate php-fpm pool configuration for each user.
sudo nano /etc/php5/fpm/pool.d/exm1.conf
Paste the following code.
[exm1]
user = exm1
group = exm1
listen = /var/run/php5-fpm-exm1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
Similarly,
sudo nano /etc/php5/fpm/pool.d/exm2.conf
Paste the following code.
[exm2]
user = exm2
group = exm2
listen = /var/run/php5-fpm-exm2.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
Restart the php-fpm service.
sudo service php5-fpm restart
Now create the nginx vhost for example1.com
sudo nano /etc/nginx/sites-available/example1
Paste the following code.
server {
    listen 80;
    listen [::]:80;
    root /var/www/html/example1;
    index index.php index.html index.htm;
    server_name example1.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm-exm1.sock;
    }
}
Create the nginx vhost for example2.com
sudo nano /etc/nginx/sites-available/example2
Paste the following code.
server {
    listen 80;
    listen [::]:80;
    root /var/www/html/example2;
    index index.php index.html index.htm;
    server_name example2.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm-exm2.sock;
    }
}
Activate the nginx vhosts. The symlink must point at the file names created above (example1 and example2, not example1.com and example2.com).
sudo ln -s /etc/nginx/sites-available/example1 /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/example2 /etc/nginx/sites-enabled/
Now for better performance, disable opcache
sudo nano /etc/php5/fpm/conf.d/05-opcache.ini
Add the following at the end of the above file.
opcache.enable=0
Restart nginx.
sudo service nginx restart
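The steps above are written out twice by hand, once per site, which is how the pool socket name, the pool user and the vhost file name drift apart (the mismatched ln -s target is exactly that kind of slip). The script below is an added example, not part of the original tutorial, that renders one pool and one server block per site from a single template, checks that the socket the vhost passes to is the socket the pool listens on, and locks down each docroot so the other pool user cannot read it. That last step is not in the tutorial but is required for the isolation to hold: directories created by root are world-readable by default, so exm2 could still read /var/www/html/example1 with the pool separation alone. Assumptions: PREFIX is a dry-run prefix of my own so the files can be rendered into a scratch directory without touching /etc; the pool users get /usr/sbin/nologin as their shell (Debian/Ubuntu path); docroots are owned by the pool user with group www-data at mode 750/640 so nginx can still serve static files.

```shell
#!/bin/sh
# Added example: per-site php-fpm pool + nginx vhost generator with a consistency check.
# Not the tutorial's own code. Run with --apply as root on the real box;
# without --apply it only defines functions (PREFIX=/some/dir renders a dry run).
set -eu

PREFIX="${PREFIX:-}"   # assumption: "" = real system, otherwise a scratch root

# Render the php-fpm pool for one site. $1 = pool/user name (e.g. exm1).
pool_conf() {
    name="$1"
    cat <<EOF
[$name]
user = $name
group = $name
listen = /var/run/php5-fpm-$name.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /
EOF
}

# Render the nginx server block. $1 = pool name, $2 = domain, $3 = docroot.
vhost_conf() {
    name="$1"; domain="$2"; docroot="$3"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    root $docroot;
    index index.php index.html index.htm;
    server_name $domain;
    location / {
        try_files \$uri \$uri/ /index.php?\$args;
    }
    location ~ \\.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php5-fpm-$name.sock;
    }
}
EOF
}

# Write pool and vhost under $PREFIX. $1 = pool name, $2 = domain, $3 = site dir.
# Prints the sites-available path so the caller enables exactly that file.
write_site_configs() {
    name="$1"; domain="$2"; site="$3"
    mkdir -p "$PREFIX/etc/php5/fpm/pool.d" "$PREFIX/etc/nginx/sites-available"
    pool_conf "$name" > "$PREFIX/etc/php5/fpm/pool.d/$name.conf"
    vhost_conf "$name" "$domain" "/var/www/html/$site" \
        > "$PREFIX/etc/nginx/sites-available/$site"
    echo "$PREFIX/etc/nginx/sites-available/$site"
}

# Consistency check: the vhost must pass requests to the socket its pool listens on.
# $1 = pool file, $2 = vhost file. Returns non-zero on mismatch.
check_socket_match() {
    pool_sock=$(sed -n 's/^listen = //p' "$1")
    vhost_sock=$(sed -n 's/.*fastcgi_pass unix:\([^;]*\);.*/\1/p' "$2")
    [ -n "$pool_sock" ] && [ "$pool_sock" = "$vhost_sock" ]
}

# Make the docroot readable only by its pool user and nginx (assumed scheme:
# owner = pool user, group = www-data, dirs 750, files 640).
lock_docroot() {
    chown -R "$1:www-data" "$2"
    find "$2" -type d -exec chmod 750 {} +
    find "$2" -type f -exec chmod 640 {} +
}

if [ "${1:-}" = "--apply" ]; then
    for site in "exm1 example1.com example1" "exm2 example2.com example2"; do
        set -- $site                 # $1 = pool user, $2 = domain, $3 = site dir
        docroot="/var/www/html/$3"
        groupadd -f "$1"
        id "$1" >/dev/null 2>&1 || useradd -g "$1" -s /usr/sbin/nologin "$1"
        mkdir -p "$docroot"
        vhost=$(write_site_configs "$1" "$2" "$3")
        lock_docroot "$1" "$docroot"
        ln -sf "$vhost" /etc/nginx/sites-enabled/
        check_socket_match "/etc/php5/fpm/pool.d/$1.conf" "$vhost"   # aborts on drift
    done
    service php5-fpm restart
    service nginx restart
fi
```

Under set -e a socket mismatch aborts the apply run before nginx is restarted, so a vhost can never go live pointing at another site's pool. Both services are restarted at the end because the pool files and the opcache setting belong to php-fpm, not nginx.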
Well done. You have now hardened your virtual private server by isolating each vhost from the others.
To understand how this method works in more depth, you can read this tutorial at DigitalOcean.