Generally Sysadmin

Php-cgi and suexec like configuration using NginX and php-fpm (LEMP Setup)

If we want to secure our own LAMP server or provide web space for friends or customers we would usually use php-cgi and suexec to let the scripts execute with different users. With NginX the setup somewhat differs but with php-fpm pools we can achieve the same sort of additional security.

The following example is based on Ubuntu 14.04 LTS. It also works for other distributions with slight modifications.


apt-get install php5-fpm nginx



Our php-fpm processes are launched by the pool manager. And each NginX domains is configured to access a different php-fpm pool. After installation we already have a www pool we can use for a general website to be shown for our server domain ( e.g. for example.

We’ll be configuring a php-fpm pool for each customer. It is also possible to do this for each domain.

First we’ll create a file web1000.conf in folder /etc/php5/fpm/pool.d.

user = web1000                            # System Username
group = web1000                           # System Groupname 
listen = /var/run/php5-fpm-web1000.sock   # Uniqe Socket per Pool

listen.owner = www-data = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

We also have to create the new user.

adduser –disabled-password web1000

And restart our php-fpm pool manager afterwards.

service php5-fpm restart

We should find our new socket in the /var/run/ folder.


Next we have to tell NginX to use the new pool. In this example we’ll use /home/www/kunde/projekt as the document root. You might as well use something below /var .

For that we got to /etc/nginx/sites-available and create a new file web1000.conf .

server {
        listen   80;

        root /home/www/web1000/testdomain/docs;
        index index.php index.html index.htm;

        error_log /home/www/web1000/testdomain/logs/error.log;
        access_log /home/www/web1000/testdomain/logs/access.log;

        location / {
                try_files $uri $uri/ /index.html =404;

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/www;

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm-web1000.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

The configuration for other customers is similar but with different sockets and user and group names.

Additional konfiguration

This usually would be accompanied by a chroot sftp server and PHP basedir restrictions.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.