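I have the following stack:
I want to use unix_socket for MySQL authentication. I created a Linux user for each MySQL user so that they can access their databases. For example:
I have a WP blog foo.com, and I created a user foo_com, a db user foo_com and a database foo_com. If I su foo_com I can connect to the db (mysql foo_com), but if I try to connect as root with mysql -u foo_com foo_com, I cannot connect to the database. I guess that is because this is how unix_socket works.
When a user visits www.foo.com, apache will try to serve the WordPress blog. It will try to connect to mysql (using the credentials defined in wp-config.php), but since apache is run by the wwwrun user, we will see a database authentication error.
So, my question: how can I run apache in a WordPress setup and use unix_socket at the same time (assuming I run multiple instances of WP)?
I have solved this with php-fpm.
You need the following. In apache, you need to define a proxy for php files: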
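<FilesMatch "\.php$">
    # Only hand files that exist on disk to PHP-FPM
    <If "-f %{REQUEST_FILENAME}">
        # mod_proxy_fcgi needs "|fcgi://localhost/" after the socket path (same form as the NixOS config further down)
        SetHandler "proxy:unix:/run/phpfpm/foo_com.sock|fcgi://localhost/"
    </If>
</FilesMatch>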
The PHP-FPM configuration needs to define (for example, for the foo.com site):
[foo_com]
group = wwwrun
listen = /run/phpfpm/foo_com.sock
listen.group = wwwrun
listen.owner = wwwrun
pm = dynamic
pm.max_children = 32
pm.max_requests = 500
pm.max_spare_servers = 4
pm.min_spare_servers = 2
pm.start_servers = 2
user = wp-foo_com
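Then in mysql, you need the wp-foo_com user to have privileges on, for example, the foo_com database.
In wp-config.php, replace define( 'DB_HOST', '120.0.0.1' ); with define( 'DB_HOST', 'localhost:/run/mysqld/mysqld.sock' ); assuming /run/mysqld/mysqld.sock is the path to the mysql socket.
Why does this work? Because when a request for any php file comes in, it is passed to php-fpm (by apache), and php-fpm then executes that code as the user defined in the configuration above (in our example, the wp-foo_com user).
If anyone is on NixOS, you can use this configuration: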
{ config, pkgs, lib, ... }:
let
  domain = "foo.com";
  normalizedDomain = "foo_com";
  user = "wp-${normalizedDomain}";
  group = config.services.httpd.group;
in {
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.mysql.package = pkgs.mysql;
  services.mysql.enable = true;
  services.mysql.ensureDatabases = [ normalizedDomain ];
  services.mysql.ensureUsers = [{
    name = user;
    ensurePermissions = { "${normalizedDomain}.*" = "ALL PRIVILEGES"; };
  }];
  users.users.${user}.group = group;
  services.phpfpm.pools."${normalizedDomain}" = {
    inherit user group;
    phpPackage = pkgs.php;
    settings = {
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.max_spare_servers" = 4;
      "pm.min_spare_servers" = 2;
      "pm.start_servers" = 2;
      "listen.owner" = config.services.httpd.user;
      "listen.group" = config.services.httpd.group;
    };
  };
  services.httpd = {
    enable = true;
    enablePHP = true;
    extraModules = [ "proxy_fcgi" ];
    virtualHosts."${normalizedDomain}" = {
      adminAddr = "admin@localhost";
      serverAliases = [ domain "www.${domain}" ];
      documentRoot = "/var/www/${normalizedDomain}/public_html";
      extraConfig = ''
        <Directory "/var/www/${normalizedDomain}/public_html">
          <FilesMatch "\.php$">
            <If "-f %{REQUEST_FILENAME}">
              SetHandler "proxy:unix:/run/phpfpm/${normalizedDomain}.sock|fcgi://localhost/"
            </If>
          </FilesMatch>
          # standard wordpress .htaccess contents
          <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            RewriteRule ^index\.php$ - [L]
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule . /index.php [L]
          </IfModule>
          DirectoryIndex index.php
          Require all granted
          Options +FollowSymLinks
        </Directory>
        # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php
        <Files wp-config.php>
          Require all denied
        </Files>
      '';
    };
  };
  services.httpd.adminAddr = "[email protected]";
}
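
An added example, not part of the answer above: a small audit of php-fpm pool definitions for the isolation this setup depends on (one OS account per site, listen socket reachable by the web server but not by every local user). The function name audit_pools, the bar_com pool and the sample text are constructed for illustration, and the input is assumed to be pool sections only, with no other php-fpm directives mixed in.

```python
import configparser

# Constructed sample in php-fpm pool (INI) format. "foo_com" follows the
# answer's layout; "bar_com" is a hypothetical, deliberately weak pool.
SAMPLE_POOLS = """
[foo_com]
user = wp-foo_com
group = wwwrun
listen = /run/phpfpm/foo_com.sock
listen.owner = wwwrun
listen.group = wwwrun

[bar_com]
user = wwwrun
group = wwwrun
listen = /run/phpfpm/bar_com.sock
listen.owner = wwwrun
listen.group = wwwrun
listen.mode = 0666
"""

def audit_pools(text, web_user="wwwrun"):
    """Return sorted (pool, finding) pairs for settings that weaken isolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings, seen = [], {}
    for pool in cp.sections():
        s = cp[pool]
        user = s.get("user", "")
        # unix_socket maps the OS account to the DB account, so a shared
        # account means a shared database identity.
        if user in ("", "root", web_user):
            findings.append((pool, f"runs as shared account '{user or 'unset'}'"))
        elif user in seen:
            findings.append((pool, f"shares user '{user}' with pool '{seen[user]}'"))
        seen.setdefault(user, pool)
        # Apache must reach the socket; other local accounts must not, since
        # requests arriving on it execute as the pool user.
        if web_user not in (s.get("listen.owner"), s.get("listen.group")):
            findings.append((pool, "web server cannot reach the listen socket"))
        mode = int(s.get("listen.mode", "0660"), 8)  # php-fpm default is 0660
        if mode & 0o002:  # write bit for "other" is what permits connect()
            findings.append((pool, f"listen.mode {mode:04o} lets any local user connect"))
    return sorted(findings)

if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {finding}")
```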