psecio
Support for php-fpm.conf
Quite a few settings are defined per pool when using PHP-FPM, so only scanning php.ini doesn't give the full picture.
Is there a way to detect when the FPM is in use automatically? It's be nice if it tried to detect that too (and maybe required a path to the conf file).
Well, in my case, I simply gave the path to the php-fpm.conf file, but the report was the same as for php.ini, so the scanner has ignored the settings found there.
One problem is that those files contain several pools and each one can have different PHP settings, so it can be quite complex to report back. Each cell giving advice should have a note about the setting for each pool.
Per example, php.ini has no open_basedir setting, but each pool as a path so that users can't access files outside of their home directory
FAIL | WARNING | | open_basedir | [apps] Path is set, [special] Path is set, [php.ini] Warning...
Here is a template to give you an idea of what it looks like
[DOMAINNAME]
listen = /var/run/php5-fpm/DOMAINNAME.socket
listen.backlog = -1
listen.owner = nginx
listen.group = www-data
listen.mode=0660
; Unix user/group of processes
user = (THE USERNAME OF THE USER THAT OWNS THE SITE FILES)
group = www-data
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; host-specific php ini settings here
; php_admin_value[open_basedir] = /var/www/DOMAINNAME/htdocs:/tmp
The bit at the end is where all the custom PHP values will be added