Separate php-fpm pools for great victory
The Blog of Nathan D. Smith

Each application should have its own database with its own unique username and password. I think most people know this, but stating it here for good measure.

Each web application should have its own local unprivileged user account. If that account never needs a shell environment, it is best to not give it a login shell either. GNU Social requires a shell to run its queue daemon scripts, so here is how I did it:

useradd -m -s /bin/bash social

Assuming you have "PermitEmptyPasswords no" in your sshd\_config, you don't have to set a password. Otherwise set a very strong one. It'll never be used under normal operations.

A note specific to GNU Social: the queue daemons should run as this user as well. We're in a systemd world now on Linux, so see an example of a unit file for queue daemons. You'll want to set the user to set:

User=social
Group=social

Take note of the group your webserver (nginx in my example) runs as. In Centos it is "nginx", in Debian derivatives it appears to be "www-data".

You've extracted your web application's files into var/www/social.example.com . You'll want to lock this down so that only the application pool user and the webserver can have access:

chown -R social:nginx /var/www/social.example.com/
chmod -R o-rwx /var/www/social.example.com/
# Also follow GNU Social's install instructions for setting
# write permissions on avatar/ file/, and the base directory so
# config.php can be written by the installer

This way the web server can read the application's root contents (e.g. php scripts and static files), and the php-fpm pool for your application will have write access (for writing the configuration at install time and uploading files). Other users should have no access to this location (go ahead, test it).

When you create a separate php-fpm pool below, you'll need to provide a session and cache path which are writable by the social user:

mkdir -p /var/lib/social/{cache,session}
chown root:social /var/lib/social/{cache,session}
chmod 770 /var/lib/social/{cache,session}

Pools for php-fpm.d are typically found in etc/php-fpm.d. Your mileage may vary based on distribution, etc. Take a look at the default pool to see how it is configured.

Depending on the resources of your system, you may want to reduce the value of pm.max_children (and relate settings) to make room for your new pool. This can be tuned depending on the relative resource demands of your pools.

Now copy the default pool to a new file in the same directory called social.conf and edit it. Below are the required edits:

1. Give the pool a unique socket, either a different path for a POSIX socket, or a different port number for a TCP sockets. Assuming everything is on a single server, I recommend the POSIX socket, e.g. "listen = /var/run/php-fpm-social.sock"
2. Set "user = social"
3. Set "group = social"
4. Set "php\_value[session.save\_path] = /var/lib/social/session"
5. Set "php\_value[wsdl\_cache\_dir] = /var/lib/social/cache"

Configure your nginx configuration file for the site to use the unique socket listed above:

fastcgi_pass unix:/var/run/php-fpm-social.sock;

Now you are ready to restart php-fpm and nginx and your queue daemons. If you run the following, you should see some php-fpm workers running as social:

ps aux | grep php-fpm

If there is trouble, there are a few places you'll want to look:

• nginx error log
• nginx access log
• php-fpm error.log
• php-fpm www-error.log

Assuming that worked, you've got a separate, more-secure install of GNU Social. I did the foolish thing and changed the configuration after installing the site. I don't recommend it, unless you want an exercise in rapid troubleshooting. ;-)