Running websites under different users by configuring PHP-FPM Pools on per-site basis

By default, the web server and php-fpm run as the user www-data. It is often necessary to run php-fpm as a different user for each website. Running each site with its own uid/gid is more secure and easier to manage. If all sites run as the same user, PHP on one site can read and write the files of the others, which is a security concern. Separate users also bring benefits such as separate crontabs and the ability to identify each user's processes.

We can achieve this by creating separate PHP-FPM pools for each site or group of sites.

Create PHP-FPM Pools

I am going to create 2 websites and run each with its own PHP-FPM pool. First, we need to create 2 users.

sudo adduser site1user
sudo adduser site2user

You will be prompted for user details and a password. Complete them and remember the passwords.

It is then a good idea to add them to the www-data group and/or an admin group that you use for your server administration (not sudo).

sudo usermod -a -G www-data,administrator site1user
sudo usermod -a -G www-data,administrator site2user

Now duplicate the www.conf file and change a few values to create each new pool. You can either download and duplicate it via FTP or use the commands below over SSH.

sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/fpm-site1.conf
sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/fpm-site2.conf

Open the files and edit the values as shown below. Replace [www] with [site1user] and change user, group and listen (use the site2user equivalents in fpm-site2.conf).

[site1user]
user = site1user
group = site1user
listen = /run/php/php7.4-fpm-site1user.sock

After your changes, the file should look like the below. Remember to upload the files if you are editing them locally via FTP/SFTP.

Restart the PHP-FPM service.

sudo service php7.4-fpm restart

Now change the socket path in your nginx server block (located at /etc/nginx/sites-available) as below. The path must be the same as the listen value of the pool.

fastcgi_pass unix:/run/php/php7.4-fpm-site1user.sock;

Now your nginx site config file should look like below.

Restart Nginx.

sudo service nginx restart

Now place a phpinfo.php file containing <?php phpinfo(); in the site and verify that the site is running with the new pool you created. The pool user appears in many places in the phpinfo output, but it is most obvious under the Environment section. This confirms that we are running with the new php-fpm pool. Delete phpinfo.php once you have checked, since its output exposes the server configuration.
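
Because each pool file starts as a copy of www.conf, it is easy to leave a user or listen value unedited, which puts two sites back under one uid. The script below is an added example, not part of the original post: it audits a pool.d directory and reports pools that share a user or socket or still run as www-data. The function names and the sample files it writes are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit a PHP-FPM pool.d directory: each pool should run as its own user
# and listen on its own socket. Prints FAIL lines or OK; returns 1 on failure.
audit_pools() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*;/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        /^[ \t]*\[/ {                                # [poolname] section header
            pool = $0; sub(/^[ \t]*\[/, "", pool); sub(/\].*$/, "", pool)
            order[++n] = pool; next
        }
        {
            eq = index($0, "=")
            if (eq == 0 || pool == "") next
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
            if (key == "user")   user[pool] = val
            if (key == "listen") sock[pool] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]; u = user[p]; s = sock[p]
                if (u == "" || u == "www-data") { print "FAIL " p ": no dedicated user (user = " u ")"; bad++ }
                else if (u in by_user) { print "FAIL " p ": user " u " is also used by pool " by_user[u]; bad++ }
                else by_user[u] = p
                if (s in by_sock) { print "FAIL " p ": socket " s " is also used by pool " by_sock[s]; bad++ }
                else by_sock[s] = p
            }
            if (!bad) print "OK"
            exit (bad > 0)
        }
    ' "$1"/*.conf
}

# Constructed sample: the user line in fpm-site2.conf points at site1user by mistake.
write_sample_pools() {
    printf '[site1user]\nuser = site1user\ngroup = site1user\nlisten = /run/php/php7.4-fpm-site1user.sock\n' > "$1/fpm-site1.conf"
    printf '[site2user]\nuser = site1user\ngroup = site2user\nlisten = /run/php/php7.4-fpm-site2user.sock\n' > "$1/fpm-site2.conf"
}

demo_dir=$(mktemp -d)
write_sample_pools "$demo_dir"
audit_pools "$demo_dir" || true    # on the server: audit_pools /etc/php/7.4/fpm/pool.d
rm -rf "$demo_dir"
```

Run against the real pool.d directory, the audit also flags the stock www pool while it is still present, because that pool runs as www-data.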