From e43ef0c7b9490ece68af38f8a658ad8a710e4e37 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 16 May 2020 00:52:10 +0200
Subject: Nextcloud: use dedicated user and PHP FPM pool.

There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
---
 roles/nextcloud/files/etc/nginx/sites-available/nextcloud | 1 +
 1 file changed, 1 insertion(+)

(limited to 'roles/nextcloud/files/etc/nginx/sites-available/nextcloud')

diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
index d748dc9..f1f4b66 100644
--- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
@@ -76,6 +76,7 @@ server {
                                  post_max_size=512M
                                  memory_limit=512M";
         fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev";
+        fastcgi_pass  unix:/run/php/php7.3-fpm@nextcloud.sock;
     }
 
     location ~ ^/(?:updater|ocs-provider)(?:$|/) {
-- 
cgit v1.2.3