Allow the apache user to connect to mysql via the auth socket

Question (votes: 1, answers: 1)

I have the following stack:

  • apache
  • php-fpm
  • mysql
  • several WordPress instances

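I want to use unix_socket for mysql authentication. I created a linux user for each mysql user so that they can access their databases. For example:

I have a WP blog foo.com, and I created a user foo_com, a db user foo_com and a database foo_com. If I su foo_com I can connect to the db (mysql foo_com), but if I try to connect as root with mysql -u foo_com foo_com, I cannot connect to that database. I guess this is because that is how unix_socket works.

When a user visits www.foo.com, apache will try to serve the WordPress blog. It will try to connect to mysql (using the credentials defined in wp-config.php), but because apache is run by the wwwrun user, we will see a database authentication error.

So, my question: how can I run apache in a WordPress setup and use unix_socket at the same time (assuming I run multiple instances of WP)?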

php mysql wordpress apache
1 answer

1 vote

I have solved this with php-fpm.

You need the following. In apache, you need to define a proxy for php files:

  <FilesMatch "\.php$">
    <If "-f %{REQUEST_FILENAME}">
      SetHandler "proxy:unix:/run/phpfpm/foo_com.sock|fcgi://localhost/"
    </If>
  </FilesMatch>

In the php-fpm configuration you need to define (for example, for the foo.com site):

[foo_com]
group = wwwrun
listen = /run/phpfpm/foo_com.sock
listen.group = wwwrun
listen.owner = wwwrun
pm = dynamic
pm.max_children = 32
pm.max_requests = 500
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 2
user = wp-foo_com

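Then in mysql you need the wp-foo_com user to have permissions on, for example, the foo_com database.

In wp-config.php, replace define( 'DB_HOST', '120.0.0.1' ); with define( 'DB_HOST', 'localhost:/run/mysqld/mysqld.sock' ); assuming /run/mysqld/mysqld.sock is the path to the mysql socket.

Why does this work? Because when a request for any php file comes in, it is passed to php-fpm (by apache), and php-fpm then executes that code as the user defined in the configuration above (in our example, the wp-foo_com user).

If anyone is on NixOS, you can use this configuration: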

{ config, pkgs, lib, ... }:
let
  domain = "foo.com";
  normalizedDomain = "foo_com";

  user = "wp-${normalizedDomain}";
  group = config.services.httpd.group;
in {

  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.mysql.package = pkgs.mysql;
  services.mysql.enable = true;
  services.mysql.ensureDatabases = [ normalizedDomain ];
  services.mysql.ensureUsers = [{
    name = user;
    ensurePermissions = { "${normalizedDomain}.*" = "ALL PRIVILEGES"; };
  }];

  users.users.${user}.group = group;
  services.phpfpm.pools."${normalizedDomain}" = {
    inherit user group;
    phpPackage = pkgs.php;
    settings = {
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.max_spare_servers" = 4;
      "pm.min_spare_servers" = 2;
      "pm.start_servers" = 2;
      "listen.owner" = config.services.httpd.user;
      "listen.group" = config.services.httpd.group;
    };
  };

  services.httpd = {
    enable = true;
    enablePHP = true;
    extraModules = [ "proxy_fcgi" ];

    virtualHosts."${normalizedDomain}" = {
      adminAddr = "admin@localhost";
      serverAliases = [ domain "www.${domain}" ];
      documentRoot = "/var/www/${normalizedDomain}/public_html";
      extraConfig = ''
        <Directory "/var/www/${normalizedDomain}/public_html">
          <FilesMatch "\.php$">
            <If "-f %{REQUEST_FILENAME}">
              SetHandler "proxy:unix:/run/phpfpm/${normalizedDomain}.sock|fcgi://localhost/"
            </If>
          </FilesMatch>

          # standard wordpress .htaccess contents
          <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
          </IfModule>

          DirectoryIndex index.php
          Require all granted
          Options +FollowSymLinks
        </Directory>

        # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php
        <Files wp-config.php>
          Require all denied
        </Files>
      '';
    };

  };

  services.httpd.adminAddr = "[email protected]";
}
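
An added check, not part of the original answer: with socket authentication, MySQL selects the account from the OS user of the connecting php-fpm worker, so each pool needs its own user and a socket that is not open to every local user. The Python below audits pool definitions for that; the function name audit_pools and the sample pools bar_com and baz_com are constructed for illustration, and wwwrun is assumed to be the web server user as in the post.

```python
import configparser
from collections import defaultdict

# Constructed sample (not from the post): foo_com follows the answer's layout,
# bar_com and baz_com show the mistakes this audit looks for.
SAMPLE_POOLS = """
[foo_com]
user = wp-foo_com
listen = /run/phpfpm/foo_com.sock
listen.owner = wwwrun
listen.group = wwwrun

[bar_com]
user = wwwrun
listen = /run/phpfpm/bar_com.sock
listen.owner = wwwrun
listen.group = wwwrun

[baz_com]
user = wp-foo_com
listen = /run/phpfpm/baz_com.sock
listen.owner = wwwrun
listen.group = wwwrun
listen.mode = 0666
"""

def audit_pools(text, web_user="wwwrun"):
    """Return (pool, problem) tuples for pools that weaken per-site socket auth."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings, by_user = [], defaultdict(list)
    for pool in cfg.sections():
        if pool == "global":          # php-fpm's [global] section is not a pool
            continue
        opts = cfg[pool]
        user = opts.get("user", "")
        by_user[user].append(pool)
        # A pool running as the web server user has no site-specific identity.
        if user in ("", web_user):
            findings.append((pool, "runs as web server user"))
        # php-fpm's default listen.mode is 0660; any "other" bit lets every
        # local account send requests that execute as the pool user.
        if int(opts.get("listen.mode", "0660"), 8) & 0o007:
            findings.append((pool, "socket open to all local users"))
    for user, pools in by_user.items():
        if user and len(pools) > 1:   # two sites would share one MySQL account
            findings += [(p, "shares user " + user) for p in pools]
    return findings

if __name__ == "__main__":
    print(*audit_pools(SAMPLE_POOLS), sep="\n")
```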
