mastercontainer - limit access to php-fpm to localhost #3317
Conversation
Signed-off-by: Simon L <szaimen@e.mail.de>
szaimen
added
3. to review
| grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ | ||
| sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ |
There was a problem hiding this comment.
| grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ | |
| sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ | |
| grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \ | |
| sed -i 's|listen =.*|listen = /var/run/php.sock|' /usr/local/etc/php-fpm.d/www.conf; \ |
And change the Apache PHP handler to: SetHandler "proxy:unix:/var/run/php.sock"
There was a problem hiding this comment.
all right, lets do it like this then
There was a problem hiding this comment.
| grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \ | |
| sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \ | |
| grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \ | |
| sed -i 's|listen =.*|;listen = /var/run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \ | |
| grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \ | |
| sed -i 's|listen =.*|listen = /var/run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \ |
And change the Apache PHP handler to: SetHandler "proxy:unix:/var/run/php.sock"
There was a problem hiding this comment.
healthcheck also needs to check if /var/run/php.sock exists
There was a problem hiding this comment.
or we just actually limit it to 127.0.0.1:::1? would that be fine for you? Sounds like the easier approach...
There was a problem hiding this comment.
I see but perfomance is not critical for the mastercontainer... So I would honestly prefer an easier setup which in this case is limiting to localhost... Wdyt?
There was a problem hiding this comment.
I don't see why it is simpler to limit ips, instead of using a socket
There was a problem hiding this comment.
2 lines of code vs 4? also we need to adjust the healthcheck but yeah if you really want we can also use a socket
There was a problem hiding this comment.
@Zoey2936 lets switch to the socket in a follow-up.
I would welcome a PR :)
|
also not needed, since php fpm is by default only exposed to 127.0.0.1 if I remember correctly |
/var/www/html # cat /usr/local/etc/php-fpm.d/www.conf | grep listen | grep -v ";"
listen = 127.0.0.1:9000 |
It is the same in the nextcloud container and there access from a different container is obiously possible so switching to a socket in the mastercontainer probably makes sense... |
|
This is now released with v7.2.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel |
Signed-off-by: Zoey <zoey@z0ey.de>
address part of #3172