authorRomain Porte <microjoe@microjoe.org>2017-11-03 22:51:44 +0100
committerRomain Porte <microjoe@microjoe.org>2017-11-03 22:51:44 +0100
commitf7b1945008ae46b647da093d6f7c25f0849a75e5 (patch)
tree4154d805e48c7f20a2ea5264ba0389d4cfd23d27
parente8d772a8e10b7e046ec3ab5da2326ab2ba38e6e2 (diff)
downloadMicroJoe.ttrss-f7b1945008ae46b647da093d6f7c25f0849a75e5.tar.gz
MicroJoe.ttrss-f7b1945008ae46b647da093d6f7c25f0849a75e5.zip
Use dedicated php-fpm for security
-rw-r--r--tasks/main.yml16
-rw-r--r--templates/nginx.j22
-rw-r--r--templates/php-fpm.conf20
3 files changed, 37 insertions, 1 deletions
diff --git a/tasks/main.yml b/tasks/main.yml
index 66c7848..d197923 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -82,6 +82,22 @@
group: root
notify: restart nginx
+- name: Verify nginx configuration
+ command: nginx -t
+ changed_when: false
+
+# php-fpm
+
+- name: Install php-fpm pool configuration file
+ template:
+ src: templates/php-fpm.conf
+ dest: /etc/php/7.0/fpm/pool.d/ttrss.conf
+ notify: restart php-fpm
+
+- name: Verify php-fpm configuration
+ command: php-fpm7.0 --test
+ changed_when: false
+
# Install update feed systemd service
- name: Install systemd update service
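Review bot: The `template:` task at lines 32-34 sets no `owner`, `group` or `mode` on the pool file, while the task just above the hunk (the `group: root` / `notify: restart nginx` context on lines 23-24 appears to be the nginx template task) does pin ownership; add `owner: root`, `group: root` and `mode: 0644` so the file under pool.d is not left with umask-dependent permissions and the two tasks match. The `notify: restart php-fpm` on line 35 requires a handler of exactly that name, and the diffstat lists no handlers file, so unless it already exists the play fails at notification time — worth confirming. The PHP version is hard-coded in both the dest path on line 34 and the `php-fpm7.0 --test` command on line 38; a single role variable (e.g. `ttrss_php_version`) would keep them in step. The surrounding task list continues past the hunk.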
diff --git a/templates/nginx.j2 b/templates/nginx.j2
index 2046c35..8a9732d 100644
--- a/templates/nginx.j2
+++ b/templates/nginx.j2
@@ -60,7 +60,7 @@ server {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# filter and proxy PHP requests to PHP-FPM
- fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+ fastcgi_pass unix:/var/run/php/php7.0-fpm-ttrss.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
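Review bot: The socket path on line 51 is a literal that must match `listen` in templates/php-fpm.conf (line 65 of this commit) byte for byte; keeping two copies of `/var/run/php/php7.0-fpm-ttrss.sock` means a later edit to one silently breaks the other, surfacing only as 502s from nginx. Define it once as a role variable (e.g. `ttrss_php_fpm_socket`) and render `fastcgi_pass unix:{{ ttrss_php_fpm_socket }};` here and `listen = {{ ttrss_php_fpm_socket }}` in the pool file. The enclosing `server {` block starts before the hunk.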
diff --git a/templates/php-fpm.conf b/templates/php-fpm.conf
new file mode 100644
index 0000000..a17ef22
--- /dev/null
+++ b/templates/php-fpm.conf
@@ -0,0 +1,20 @@
+[ttrss]
+user = {{ ttrss_user }}
+group = {{ ttrss_group }}
+
+listen = /var/run/php/php7.0-fpm-ttrss.sock
+listen.owner = www-data
+listen.group = www-data
+
+; Disable possible remote exploit commands
+php_admin_value[disable_functions] = exec,passthru,shell_exec,system
+php_admin_flag[allow_url_fopen] = off
+
+; Pool configuration
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+
+chdir = /
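Review bot: The `disable_functions` value on line 70 leaves `proc_open` and `popen` enabled, which give the same command-execution capability as the four functions listed, so the comment on line 69 promises more than the setting delivers; extend it to `php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen` unless something on tt-rss's web path turns out to need them (not determinable from this commit). Since the pool now runs as `{{ ttrss_user }}`, an `open_basedir` restriction would complete the isolation: `php_admin_value[open_basedir] = <ttrss install dir>:<ttrss cache dir>` with the real paths taken from the role's variables. `listen.mode` is not set, so the socket relies on php-fpm's default 0660 together with the www-data owner/group on lines 66-67 for nginx to connect; setting it explicitly documents that dependency. The `pm.*` sizes on lines 75-78 are literals inside a template and could be exposed as role variables with these values as defaults.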