mastercontainer - limit access to php-fpm to localhost #3317
Conversation
Signed-off-by: Simon L <szaimen@e.mail.de>
grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|listen =.*|listen = /var/run/php.sock|' /usr/local/etc/php-fpm.d/www.conf; \
And change the Apache PHP handler to: SetHandler "proxy:unix:/var/run/php.sock"
all right, let's do it like this then
grep -q ';listen.allowed_clients' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|;listen.allowed_clients.*|listen.allowed_clients = 127.0.0.1,::1|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q 'listen =' /usr/local/etc/php-fpm.d/www.conf; \
sed -i 's|listen =.*|;listen = /var/run/php.sock # handled in zz-docker.conf|' /usr/local/etc/php-fpm.d/www.conf; \
grep -q 'listen =' /usr/local/etc/php-fpm.d/zz-docker.conf; \
sed -i 's|listen =.*|listen = /var/run/php.sock|' /usr/local/etc/php-fpm.d/zz-docker.conf; \
And change the Apache PHP handler to: SetHandler "proxy:unix:/var/run/php.sock"
healthcheck also needs to check if /var/run/php.sock exists
or we just actually limit it to 127.0.0.1:::1? would that be fine for you? Sounds like the easier approach...
I see, but performance is not critical for the mastercontainer... So I would honestly prefer an easier setup, which in this case is limiting to localhost... Wdyt?
I don't see why it is simpler to limit IPs instead of using a socket
2 lines of code vs 4? Also we need to adjust the healthcheck, but yeah, if you really want we can also use a socket
I would use the socket
@Zoey2936 let's switch to the socket in a follow-up.
I would welcome a PR :)
also not needed, since php-fpm is by default only exposed to 127.0.0.1 if I remember correctly
/var/www/html # cat /usr/local/etc/php-fpm.d/www.conf | grep listen | grep -v ";"
listen = 127.0.0.1:9000
It is the same in the nextcloud container, and there access from a different container is obviously possible, so switching to a socket in the mastercontainer probably makes sense...
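As an added example (not code from this PR or the project), a POSIX shell check that reports how a php-fpm pool can be reached, resolving the pool files in php-fpm's include order so that the zz-docker.conf override behind the "listen = 127.0.0.1:9000" observation above is accounted for. The function names and the constructed sample configs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR: classify how a php-fpm pool can be reached by
# reading its pool files in the order php-fpm includes them (the alphabetical glob
# /usr/local/etc/php-fpm.d/*.conf, so zz-docker.conf overrides www.conf).
# Prints one of: socket | localhost | localhost-acl | exposed

# last_value <key-regex> <files...>: effective value of a directive, i.e. the last
# uncommented assignment across the files in include order (empty if none).
last_value() {
  key=$1; shift
  cat "$@" 2>/dev/null \
    | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' \
    | tail -n 1
}

php_fpm_exposure() {
  set -- "$1"/*.conf                     # shell glob expands sorted, like php-fpm's include
  listen=$(last_value 'listen' "$@")
  clients=$(last_value 'listen\.allowed_clients' "$@")
  case $listen in
    /*) echo socket; return 0 ;;                           # unix socket: no TCP listener
    127.0.0.1:*|\[::1\]:*|localhost:*) echo localhost; return 0 ;;
  esac
  # A bare port, 0.0.0.0 or [::] binds every interface; only the ACL can restrict it,
  # and only if every allowed client is a loopback address.
  case ",$clients," in
    ,,) echo exposed ;;
    *) if printf '%s\n' "$clients" | tr ',' '\n' | grep -qvE '^(127\.0\.0\.1|::1)$'
       then echo exposed; else echo localhost-acl; fi ;;
  esac
}

# Constructed configs mirroring the situation in the thread: www.conf shows
# "listen = 127.0.0.1:9000", but the image's zz-docker.conf overrides it with "listen = 9000".
demo_dir() {
  d=$(mktemp -d)
  printf '[www]\nlisten = 127.0.0.1:9000\n;listen.allowed_clients = 127.0.0.1\n' > "$d/www.conf"
  printf '[global]\ndaemonize = no\n\n[www]\nlisten = 9000\n' > "$d/zz-docker.conf"
  echo "$d"
}

php_fpm_exposure "$(demo_dir)"   # prints: exposed
```

Running it against a real /usr/local/etc/php-fpm.d shows whether the www.conf edits alone change anything, or whether the zz-docker.conf override (the file the second suggestion in this thread targets) still wins.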
This is now released with v7.2.0 Beta. Testing and feedback is welcome! See https://github.com/nextcloud/all-in-one#how-to-switch-the-channel
Signed-off-by: Zoey <zoey@z0ey.de>
address part of #3172