From ef01b730be5863ff9d2c912aa62a0507590a9bbd Mon Sep 17 00:00:00 2001
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Wed, 18 Sep 2024 16:48:08 +0100
Subject: [PATCH 1/3] Change user for nginx and php processes

---
 etc/supervisor/conf.d/logging.conf.tmpl | 1 +
 etc/supervisor/conf.d/web.conf.tmpl | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/etc/supervisor/conf.d/logging.conf.tmpl b/etc/supervisor/conf.d/logging.conf.tmpl
index 05c6b57..0961326 100644
--- a/etc/supervisor/conf.d/logging.conf.tmpl
+++ b/etc/supervisor/conf.d/logging.conf.tmpl
@@ -19,6 +19,7 @@ environment=VECTOR_MARKER="{{ getenv "VECTOR_MARKER" "" }}",VECTOR_COLOR=never
 
 [eventlistener:rotate_logs]
 command=/etc/supervisor/rotate-logs
+user=vector
 events=TICK_60
 autorestart=true
 buffer_size=1
diff --git a/etc/supervisor/conf.d/web.conf.tmpl b/etc/supervisor/conf.d/web.conf.tmpl
index fa33554..e4dec49 100644
--- a/etc/supervisor/conf.d/web.conf.tmpl
+++ b/etc/supervisor/conf.d/web.conf.tmpl
@@ -3,6 +3,8 @@ command=/usr/sbin/nginx -g "daemon off;"
 autostart={{ getenv "SVC_NGINX_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
+user=dp_app
+group=dp_app
 startsecs=1
 startretries=3
 redirect_stderr=true
@@ -22,6 +24,8 @@ command=/usr/sbin/php-fpm8.3 -F
 autostart={{ getenv "SVC_PHP_FPM_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
+user=dp_app
+group=dp_app
 startsecs=1
 startretries=3
 redirect_stderr=true

From 8c7a906a39a9f1697795a0169276cdc798b25069 Mon Sep 17 00:00:00 2001
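Review bot: With `user=dp_app` on the php-fpm program in the `@@ -22,6 +24,8 @@` hunk, the FPM master no longer starts as root, so the per-pool `user = dp_app` / `group = dp_app` directives in etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl are ignored (php-fpm logs a warning to that effect at start-up) and pools can no longer be separated by uid. That is fine if every pool is meant to share dp_app, but it should be recorded in the pool template, e.g. `; FPM master runs unprivileged (supervisor user=dp_app): pool user/group are informational only`, or the two pool directives dropped to silence the warning. The nginx hunk at `@@ -3,6 +3,8 @@` is superseded by PATCH 3/3, and the `user=vector` line in logging.conf.tmpl is reverted in PATCH 2/3, so neither needs review here.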
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Thu, 19 Sep 2024 11:04:30 +0100
Subject: [PATCH 2/3] explicitly set nginx and php to use unprivileged locations

---
 etc/nginx/conf.d/01-deskpro_setup.conf.tmpl | 4 ++--
 etc/nginx/conf.d/03-status.conf.tmpl | 2 +-
 etc/nginx/conf.d/deskpro_server_params.tmpl | 12 ++++++------
 etc/nginx/nginx.conf.tmpl | 8 +++++++-
 etc/php/8.3/fpm/php-fpm.conf | 2 +-
 etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl | 4 ++--
 etc/supervisor/conf.d/logging.conf.tmpl | 1 -
 test/serverspec/spec/default_web/default_php_spec.rb | 8 ++++----
 usr/local/bin/phpinfo | 2 +-
 usr/local/sbin/entrypoint.d/05-opc.sh | 2 +-
 usr/local/sbin/entrypoint.d/41-deskpro-config.sh | 2 +-
 11 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl b/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
index 2f4b827..0635ba9 100644
--- a/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
+++ b/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
@@ -1,9 +1,9 @@
 upstream dpv5_api {
- server unix:/run/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
+ server unix:/tmp/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
 }
 
 upstream dpv5_api_internal {
- server unix:/run/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
+ server unix:/tmp/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
 }
 
 # dpv5_api_backend: Use separate fpm-pool for internal requests
diff --git a/etc/nginx/conf.d/03-status.conf.tmpl b/etc/nginx/conf.d/03-status.conf.tmpl
index e6db55e..d38ca1c 100644
--- a/etc/nginx/conf.d/03-status.conf.tmpl
+++ b/etc/nginx/conf.d/03-status.conf.tmpl
@@ -30,6 +30,6 @@ server {
 fastcgi_param SCRIPT_NAME '/fpm/status';
 fastcgi_param SCRIPT_FILENAME '/fpm/status';
 
- fastcgi_pass unix:/run/php_fpm_$fpm_pool.status.sock;
+ fastcgi_pass unix:/tmp/php_fpm_$fpm_pool.status.sock;
 }
 }
diff --git a/etc/nginx/conf.d/deskpro_server_params.tmpl b/etc/nginx/conf.d/deskpro_server_params.tmpl
index 930c324..3a3612a 100644
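Review bot: Pointing the upstreams at top-level `/tmp` socket paths (here, and likewise in 03-status.conf.tmpl, deskpro_server_params.tmpl, pool.d/01-deskpro.conf.tmpl, usr/local/bin/phpinfo and 05-opc.sh) moves the FastCGI endpoints into a shared, world-writable directory, and the pool template still carries `listen.mode = 0666`, so every uid in the container can connect to every pool; if /tmp has the sticky bit, a stale file or socket left under that name by another uid also cannot be removed by dp_app and php-fpm will fail to bind. A directory created in the image and owned by dp_app keeps the unprivileged-user goal without that exposure: in pool.d, `listen = /<dp_app-owned-dir>/php_fpm_{{.}}.sock`, `listen.group = <nginx-group>`, `listen.mode = 0660`, with these nginx `server unix:` lines updated to match. 05-opc.sh still runs `mkdir -p /run/php-fpm` at entrypoint, which suggests such a /run subdirectory is already available to be chowned. Whichever location is kept, the template should state why it was chosen in a comment so the 0666 mode is not copied into new pools.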
--- a/etc/nginx/conf.d/deskpro_server_params.tmpl
+++ b/etc/nginx/conf.d/deskpro_server_params.tmpl
@@ -26,17 +26,17 @@ location / {
 }
 
 location ^~ /sys/services/broadcaster/ {
- fastcgi_pass unix:/run/php_fpm_dp_broadcaster.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_broadcaster.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(admin\-api|agent\-api)/ {
- fastcgi_pass unix:/run/php_fpm_dp_gql.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_gql.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(ticket\-channels|sys/services)/ {
- fastcgi_pass unix:/run/php_fpm_dp_internal.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_internal.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
@@ -103,19 +103,19 @@ location ~ ^/deskpro-messenger/assets/ {
 }
 
 location ^~ /firebase-messaging-sw.js {
- fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/deskpro-messenger/ {
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Content-Type-Options "nosniff";
- fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ \.php$ {
- fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+ fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
 include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
diff --git a/etc/nginx/nginx.conf.tmpl b/etc/nginx/nginx.conf.tmpl
index 36a24dc..30db0ea 100644
--- a/etc/nginx/nginx.conf.tmpl
+++ b/etc/nginx/nginx.conf.tmpl
@@ -5,7 +5,7 @@ worker_processes 1;
 worker_processes {{ getenv "NGINX_WORKER_PROCESSES" "auto" }};
 {{end}}
 pcre_jit on;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 events {
 worker_connections {{ getenv "NGINX_WORKER_CONNECTIONS" "10000" }};
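Review bot: `pid /tmp/nginx.pid;` (and `pid = /tmp/php-fpm.pid` in php-fpm.conf, plus the five `*_temp_path` entries in the `@@ -26,6 +26,12 @@` hunk) puts files the servers create at start-up into a shared, world-writable directory where any other uid in the container can pre-create the name; for the temp paths that means a directory it owns receiving request bodies and upstream responses. A directory created for the nginx user in the image (not shown in this series) and referenced as `client_body_temp_path /<nginx-owned-dir>/client_temp;` and so on avoids that, and the template should carry a comment naming that directory's owner so the coupling to PATCH 3/3's `user=nginx` is visible. The naming is also inconsistent in the http hunk: `proxy_temp_path /tmp/proxy_temp_path;` versus `/tmp/fastcgi_temp`, `/tmp/uwsgi_temp`; suggest `proxy_temp_path /tmp/proxy_temp;`. The `events` block continues outside this hunk.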
@@ -26,6 +26,12 @@ http {
 ssl_session_timeout 1h;
 ssl_session_tickets off;
 
+client_body_temp_path /tmp/client_temp;
+proxy_temp_path /tmp/proxy_temp_path;
+fastcgi_temp_path /tmp/fastcgi_temp;
+uwsgi_temp_path /tmp/uwsgi_temp;
+scgi_temp_path /tmp/scgi_temp;
+
 log_format logjson escape=json '{'
 '"ts":"$time_iso8601", '
diff --git a/etc/php/8.3/fpm/php-fpm.conf b/etc/php/8.3/fpm/php-fpm.conf
index 66a6c59..78a82ad 100644
--- a/etc/php/8.3/fpm/php-fpm.conf
+++ b/etc/php/8.3/fpm/php-fpm.conf
@@ -1,5 +1,5 @@
 [global]
-pid = /run/php-fpm.pid
+pid = /tmp/php-fpm.pid
 error_log = /var/log/php/fpm_error.log
 log_level = notice
 log_limit = 8192
diff --git a/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl b/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
index b66f1b9..e9189f8 100644
--- a/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
+++ b/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
@@ -2,11 +2,11 @@ user = dp_app
 group = dp_app
 chdir = /srv/deskpro
 
-listen = /run/php_fpm_{{.}}.sock
+listen = /tmp/php_fpm_{{.}}.sock
 listen.backlog = {{ getenv "PHP_FPM_LISTEN_BACKLOG" "1000" }}
 listen.mode = 0666
 
-pm.status_listen = /run/php_fpm_{{.}}.status.sock
+pm.status_listen = /tmp/php_fpm_{{.}}.status.sock
 pm.status_path = /fpm/status
 
 catch_workers_output = yes
diff --git a/etc/supervisor/conf.d/logging.conf.tmpl b/etc/supervisor/conf.d/logging.conf.tmpl
index 0961326..05c6b57 100644
--- a/etc/supervisor/conf.d/logging.conf.tmpl
+++ b/etc/supervisor/conf.d/logging.conf.tmpl
@@ -19,7 +19,6 @@ environment=VECTOR_MARKER="{{ getenv "VECTOR_MARKER" "" }}",VECTOR_COLOR=never
 
 [eventlistener:rotate_logs]
 command=/etc/supervisor/rotate-logs
-user=vector
 events=TICK_60
 autorestart=true
 buffer_size=1
diff --git a/test/serverspec/spec/default_web/default_php_spec.rb b/test/serverspec/spec/default_web/default_php_spec.rb
index a3bf680..3b98dd6 100644
--- a/test/serverspec/spec/default_web/default_php_spec.rb
+++ b/test/serverspec/spec/default_web/default_php_spec.rb
@@ -71,7 +71,7 @@ end
 
 describe command('phpfpminfo --pool dp_default') do
- its(:stdout) { should contain "listen = /run/php_fpm_dp_default.sock" }
+ its(:stdout) { should contain "listen = /tmp/php_fpm_dp_default.sock" }
 its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
 its(:stdout) { should contain "pm = ondemand" }
 its(:stdout) { should contain "pm.max_children = 20" }
@@ -81,7 +81,7 @@ end
 
 describe command('phpfpminfo --pool dp_internal') do
- its(:stdout) { should contain "listen = /run/php_fpm_dp_internal.sock" }
+ its(:stdout) { should contain "listen = /tmp/php_fpm_dp_internal.sock" }
 its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
 its(:stdout) { should contain "pm = ondemand" }
 its(:stdout) { should contain "pm.max_children = 1000" }
@@ -91,7 +91,7 @@ end
 
 describe command('phpfpminfo --pool dp_gql') do
- its(:stdout) { should contain "listen = /run/php_fpm_dp_gql.sock" }
+ its(:stdout) { should contain "listen = /tmp/php_fpm_dp_gql.sock" }
 its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
 its(:stdout) { should contain "pm = ondemand" }
 its(:stdout) { should contain "pm.max_children = 20" }
@@ -101,7 +101,7 @@ end
 
 describe command('phpfpminfo --pool dp_broadcaster') do
- its(:stdout) { should contain "listen = /run/php_fpm_dp_broadcaster.sock" }
+ its(:stdout) { should contain "listen = /tmp/php_fpm_dp_broadcaster.sock" }
 its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
 its(:stdout) { should contain "pm = ondemand" }
 its(:stdout) { should contain "pm.max_children = 1000" }
diff --git a/usr/local/bin/phpinfo b/usr/local/bin/phpinfo
index b601d85..56c563b 100755
--- a/usr/local/bin/phpinfo
+++ b/usr/local/bin/phpinfo
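Review bot: The spec only follows the path rename in the expected `listen =` strings (this hunk and the three that follow it), so nothing in the series checks the property the commits are actually changing: which user nginx and php-fpm run as. Serverspec's process resource can pin that next to the existing pool checks, e.g. `describe process('nginx') do its(:user) { should eq 'nginx' } end`, and a `file('/tmp/php_fpm_dp_default.sock')` check on owner, group and mode would make the `listen.mode = 0666`-in-/tmp decision explicit and catch a regression once it is tightened. The enclosing `describe` blocks begin and end outside each hunk.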
@@ -39,7 +39,7 @@ if [[ $use_php_fpm -eq 1 ]]; then
 SCRIPT_NAME=/usr/local/share/deskpro/phpinfo.php \
 SCRIPT_FILENAME=/usr/local/share/deskpro/phpinfo.php \
 REQUEST_METHOD=GET \
- cgi-fcgi -bind -connect /run/php_fpm_dp_default.sock
+ cgi-fcgi -bind -connect /tmp/php_fpm_dp_default.sock
 else
 php /usr/local/share/deskpro/phpinfo.php
 fi
diff --git a/usr/local/sbin/entrypoint.d/05-opc.sh b/usr/local/sbin/entrypoint.d/05-opc.sh
index 9cb3b70..a8ae3f0 100755
--- a/usr/local/sbin/entrypoint.d/05-opc.sh
+++ b/usr/local/sbin/entrypoint.d/05-opc.sh
@@ -35,7 +35,7 @@ opc_main() {
 boot_log_message DEBUG "[bc_opc_2_8] Linking /run/php-fpm/dp_default.sock -> /run/php_fpm_dp_default.sock"
 mkdir -p /run/php-fpm
- ln -sf /run/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
+ ln -sf /tmp/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
 
 for pool in "dp_broadcaster" "dp_default" "dp_gql" "dp_internal"; do
 if [ -e "/deskpro/config/${pool}.conf" ]; then
diff --git a/usr/local/sbin/entrypoint.d/41-deskpro-config.sh b/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
index 23add82..fd74960 100755
--- a/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
+++ b/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
@@ -25,7 +25,7 @@ function deskpro_config_main() {
 done
 } > /srv/deskpro/INSTANCE_DATA/config.php
 
- chown root:root "/srv/deskpro/INSTANCE_DATA/config.php"
+ chown dp_app:dp_app "/srv/deskpro/INSTANCE_DATA/config.php"
 chmod 0644 "/srv/deskpro/INSTANCE_DATA/config.php"
 }

From 808b66a25e093b663913ecfda33c1173d4e2dccc Mon Sep 17 00:00:00 2001
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Thu, 19 Sep 2024 13:41:05 +0100
Subject: [PATCH 3/3] run nginx as nginx user

---
 etc/supervisor/conf.d/web.conf.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/supervisor/conf.d/web.conf.tmpl b/etc/supervisor/conf.d/web.conf.tmpl
index e4dec49..13627dc 100644
--- a/etc/supervisor/conf.d/web.conf.tmpl
+++ b/etc/supervisor/conf.d/web.conf.tmpl
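Review bot: The `boot_log_message DEBUG "[bc_opc_2_8] Linking /run/php-fpm/dp_default.sock -> /run/php_fpm_dp_default.sock"` line two lines above the changed `ln -sf` now names the wrong target, so the boot log will disagree with what is actually linked; it should read `Linking /run/php-fpm/dp_default.sock -> /tmp/php_fpm_dp_default.sock`. The compatibility symlink at /run/php-fpm/dp_default.sock also means the old path still resolves to the new socket, which is worth a short comment above the `ln` so the /tmp move is not later "fixed" back. Since `mkdir -p /run/php-fpm` still runs here at entrypoint, a /run subdirectory is evidently writable at that point; chowning it to dp_app would let the sockets stay out of /tmp altogether. opc_main continues outside the hunk.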
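Review bot: Changing the owner to `dp_app:dp_app` while keeping `chmod 0644` makes config.php writable by the PHP workers themselves, which the previous root:root ownership prevented, so a compromised worker can now rewrite its own configuration. If the aim is only that php-fpm can read the file now that it runs unprivileged, the file was already world-readable, so the chown is not needed for that; `chown root:dp_app` with `chmod 0640` would keep it read-only for dp_app and additionally stop the other uids in the container (nginx, vector) from reading it. Whatever ownership is intended, a one-line comment above the `chown` explaining why would stop the next reader from reverting it. deskpro_config_main starts outside the hunk.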
@@ -3,8 +3,8 @@ command=/usr/sbin/nginx -g "daemon off;"
 autostart={{ getenv "SVC_NGINX_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
-user=dp_app
-group=dp_app
+user=nginx
+group=nginx
 startsecs=1
 startretries=3
 redirect_stderr=true
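Review bot: Running nginx as `nginx`/`nginx` assumes that account exists in the image, can write the error log and the `/tmp` temp paths from PATCH 2/3, and that every configured `listen` port is above 1024 or the binary carries `cap_net_bind_service`; none of that is visible in the series, so the template should say so, e.g. `; nginx runs unprivileged: listen ports must be >1024 and log/temp paths writable by user nginx`. Because nginx no longer shares dp_app's uid with php-fpm, it can reach the pools only through the `listen.mode = 0666` sockets; `listen.group = nginx` with `listen.mode = 0660` in pool.d/01-deskpro.conf.tmpl would scope that access to the web server. If nginx.conf.tmpl contains a `user` directive, nginx will now warn that it is ignored because the master is not root.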