Secure Nginx + PHP‑FPM: Prevent Cross‑Site & Directory Access with open_basedir

Overall restriction via php-fpm.conf

In php-fpm.conf you can set environment variables and php_admin_value directives to limit script access. Example:

env[TMP]=/tmp/
env[TMPDIR]=/tmp/
env[TEMP]=/tmp/
php_admin_value[sendmail_path]=/usr/sbin/sendmail -t -i -f [email protected]
php_admin_value[open_basedir]=/home/wwwroot/www:/tmp/:/var/tmp/:/proc/
php_admin_value[session.save_path]=/tmp/
php_admin_value[upload_tmp_dir]=/tmp/
slowlog=/usr/local/php/var/log/$pool.log
request_slowlog_timeout=3s

These settings confine PHP scripts to the specified directories.

Method 1 – Add fastcgi_param in Nginx

Insert the following line into the server block or the included fastcgi.conf:

fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";

$document_root is the root directory defined by Nginx. The /tmp and /proc directories must be accessible; /proc allows PHP to read system load information. This method works for each virtual host.

Method 2 – Configure in php.ini

Append to php.ini:

[HOST=www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/
[PATH=/home/wwwroot/www.iamle.com]
open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/

This approach may not suit wildcard domains (e.g., *.iamle.com).

Method 3 – Use a .user.ini file in the site root

Enable user‑defined ini files by setting in php.ini:

user_ini.filename=".user.ini"
user_ini.cache_ttl=300

Create a .user.ini file in the document root containing: open_basedir=/home/wwwroot/www.iamle.com:/tmp/:/proc/ No need to restart Nginx or php‑fpm, but the file should be read‑only for security.

For more details see the official PHP manual.