Running websites under different users by configuring PHP-FPM Pools on per-site basis
By default the web server and php-fpm runs with the user called www-data. It is often required that we need to run php-fpm on different users for different websites. Running each site with its own uid/gid is more secure and easier to deal with. If all sites ran with same user, then php on one site could read/write the files of other users. This is a security concern. Moreover having separate users gives benefits like separate crontabs, ability to identify processes from each user etc.
We can achieve this by creating separate PHP-FPM pools for each sites or group of sites.
Create PHP-FPM Pools
I am going to create 2 websites and run them with separate PHP-Pools for each. So, as first we need to create 2 users.
sudo adduser site1user
sudo adduser site2user
You will be prompted for user details and Password. Complete them and remember the passwords.
Then it is good to add them under www-data and/or an admin group that you use for your server administration (not sudo).
sudo usermod -a -G www-data,administrator site1user
sudo usermod -a -G www-data,administrator site2user
Now you need to duplicate the www.config file and change few values for new pool creation. You can either download and duplicate via FTP or use below command to do it on SSH.
sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/fpm-site1.conf
sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/fpm-site2.conf
Open the files and edit below values as shown below. Replace [www] to [site1user] and change user, group and listen as shown below.
[site1user] user = site1user group = site1user listen = /run/php/php7.4-fpm-site1user.sock
After your changes the file should look like below. Remember to upload if you are doing edits locally via FTP/SFTP.
Restart PHP-FPM service
sudo service php7.4-fpm restart
Now change the socket description in your nginx server block as below (located at /etc/nginx/sites-available).
Now your nginx site config file should look like below.
Make an Nginx restart.
sudo service nginx restart
Now place a phpinfo.php file with echo phpinfo(); script and verify the site is running with the new pool you created. In phpinfo output you can see it on many places but under environment it will look obvious like the screen below. So that we can make sure that we are running with the new php-fpm pool.