-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path4.isolate_app
99 lines (70 loc) · 4.25 KB
/
4.isolate_app
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
//===============================
// Isolating Apps
//===============================
// So right now we have our Laravel application up and running on the VPS.
// Nginx runs as a web server and phpFPM works with it to maintain a pool of PHP processes that handle
// the requests coming from Nginx. The Laravel application is owned by an Ubuntu user called www-data,
// which is used by both Nginx and phpFPM to read and write files.
// we will consider our project name is `laracasts` and we will create user with name `laracasts`
// create user for each site allow this user to pull from the git repo and restrict its
// access to only the site it owns.
// we are going to create a new user for each site, allow this user to pull from the git repository
// and restrict its access to only the site it owns.
> sudo adduser laracasts
// Now let's move our application files from the default /var/www to the laracasts user's home directory
> sudo mv /var/www/laracasts /home/laracasts/www
// now if we check the home direcory we will find two users one for ubuntu user and one for
// laracasts user
// move from ubuntu user to laracasts user
> sudo su laracasts
// check the laracast direcory we will find www directory still owned by www-data user,
we need to change the ownership to the laracasts user and group,
and to do that we need to exist our laracasts session and go back to ubunutu
> exit or ctrl + d
> sudo shown -R laracasts:laracasts /home/laracasts/www
> ll
// after list, we see the permissions on each of the home directories here indicate that the owner can
// read, write and execute.
// members for the group can read and execute only.
// and all other users can not do anything inside these directories
// Since all the site files now belongs to the laracasts user group, www-data won't be able to access them,
// and to fix that we are going to add www-data user to the laracasts group,
// this will allow it to read files but won't write. and then we are going to change the user used by
// phpfpm to laracasts instead of www-data, so it can read and write files in this directory
> sudo usermod -a -G laracasts www-data
// now we need to update the Nginx and phpFPM configuration to use the new laracasts user
// instead of the www-data user
> sudo nano /etc/php/8.1/fpm/pool.d/www.conf
// UPDATE FILE: we will first change the name of the pool from www to laracasts,
// we will create separate pools for all sites on the server
www >> laracasts
// UPDATE FILE: then we will find an attribute called user and change it to laracasts.
www-data >> laracasts
// UPDATE FILE: then we find an attribute name owner, change it to laracasts. and same for the group as well
www-data >> laracasts
// the first user and group attribute decide which user php-fpm will use when reading and
// writing the application files, the listen owner and listen group attributes decide the owners of
// the socket file php-fpm creats as a communication channel between it and nginx
// Since the owner and group are set to laracasts, phpfpm will be able to read and write on this files.
// and since the www-data user used by nginx now belongs to the laracasts group it will also able to
// read and write on this file.
// the default permissions on that socket file is 660 which means that owners can read and write,
// the user and the group member as well
// So now let's go edit the nginx configuration file
> sudo nano /etc/nginx/sites-availabe/laracats
// UPDATE FILE: change root to /home/laracasts/www/public
> /var/www/laracasts/public -> /home/laracasts/www/public
// restart nginx and fpm & clear cache if required
> sudo service nginx reload
> sudo service php8.1-fpm restart
// to allow the laracasts user to pull from the github repo, and to do that we are going to
// move the keys we previously generated for the ubuntu user to the laracasts user.
// that way laracasts can access the github repo
> sudo mkdir /home/laracasts/.ssh
> sudo mv /home/ubuntu/.ssh/id_rsa.pub /home/laracasts/.ssh/id_rsa.pub
> sudo mv /home/ubuntu/.ssh/id_rsa /home/laracasts/.ssh/id_rsa
> sudo chown -R laracasts:laracasts /home/laracasts // this will enclude the permission keys we are moved
> sudo chmod 0700 /home/laracasts/.ssh
> sudo su laracasts
> cd www
> git pull origin main