diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 00:52:10 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-05-16 01:30:44 +0200 |
commit | e43ef0c7b9490ece68af38f8a658ad8a710e4e37 (patch) | |
tree | f9dedcfa6dee7cfe280aedf10695e73f9ce69962 /roles/nextcloud/files/etc | |
parent | 38c697083d50764d833adc039b10b203d36c8f56 (diff) |
Nextcloud: use dedicated user and PHP FPM pool.
There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
Diffstat (limited to 'roles/nextcloud/files/etc')
-rw-r--r-- | roles/nextcloud/files/etc/cron.d/nextcloud | 2 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/nginx/sites-available/nextcloud | 1 | ||||
-rw-r--r-- | roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf | 17 |
3 files changed, 19 insertions, 1 deletions
diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud index 681cd43..3c4aac0 100644 --- a/roles/nextcloud/files/etc/cron.d/nextcloud +++ b/roles/nextcloud/files/etc/cron.d/nextcloud @@ -1,2 +1,2 @@ MAILTO=root -*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php +*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud index d748dc9..f1f4b66 100644 --- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud +++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud @@ -76,6 +76,7 @@ server { post_max_size=512M memory_limit=512M"; fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev"; + fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock; } location ~ ^/(?:updater|ocs-provider)(?:$|/) { diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf new file mode 100644 index 0000000..dfbb8bf --- /dev/null +++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf @@ -0,0 +1,17 @@ +[nextcloud] +user = _nextcloud +group = nogroup +listen = /run/php/php7.3-fpm@nextcloud.sock +listen.owner = www-data +listen.group = www-data +listen.mode = 0600 +pm = dynamic +pm.max_children = 5 +pm.start_servers = 2 +pm.min_spare_servers = 1 +pm.max_spare_servers = 3 +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/bin:/bin +env[TMP] = /tmp +env[TMPDIR] = /tmp +env[TEMP] = /tmp |