
Add a configuration variable 'nginx_fpm_openbasedir_enforced' to enforce Nginx/PHP-FPM openbase_dir restrictions

Emmanuel Bouthenot 4 years ago
parent
commit
2af9839ac2

+ 1 - 0
roles/webserver/defaults/main.yml

@@ -12,6 +12,7 @@ nginx_http_config: Null
 nginx_security_xframeoptions: True
 nginx_security_xxssprotection: True
 nginx_security_xcontenttypeoptions: True
+nginx_fpm_openbasedir_enforced: False
 
 with_modphp5: False
 with_modphp: False
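Review bot: The new `nginx_fpm_openbasedir_enforced` default carries no comment, so an operator reading defaults/main.yml cannot tell what switching it on changes or why it ships disabled. The neighbouring security toggles at least name their header; this one silently injects a `PHP_ADMIN_VALUE` with `open_basedir` and `upload_tmp_dir` into every FastCGI pass, which can break sites that read files outside their document root. I would add above the line: `# When True, every PHP location passes PHP_ADMIN_VALUE with open_basedir limited to $document_root, /tmp and /usr/share (plus phpMyAdmin dirs for its vhost); default off because it breaks apps that include files elsewhere.`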

+ 3 - 0
roles/webserver/templates/fpm/nginx/fastcgi_pass_fpm.j2

@@ -32,6 +32,9 @@ fastcgi_param   SERVER_PORT         $server_port;
 fastcgi_param   SERVER_NAME         $server_name;
 
 fastcgi_param   REDIRECT_STATUS     200;
+{% if nginx_fpm_openbasedir_enforced %}
+fastcgi_param   PHP_ADMIN_VALUE     "upload_tmp_dir=/tmp\nopen_basedir=$document_root:/tmp:/usr/share:/tmp:/dev/random:/dev/urandom";
+{% endif %}
 
 fastcgi_pass    fpm-backend;
 fastcgi_index   index.php;
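Review bot: The `open_basedir` list on the added `PHP_ADMIN_VALUE` line shares `/tmp` (listed twice) across every vhost, so with `upload_tmp_dir=/tmp` a compromised site can still read other sites' in-flight uploads and anything else they drop there, which undercuts the isolation the option is meant to add. Consider a per-site temporary directory instead, e.g. `upload_tmp_dir=$document_root/../tmp` (created by the role) with that path in the list in place of the shared `/tmp`. The list also does not include the PHP-FPM session save path; if the pool's `session.save_path` is outside these directories (as on distributions that default to `/var/lib/php/sessions`), `session_start()` will presumably be refused under open_basedir, so either add that path or set `session.save_path` in the same PHP_ADMIN_VALUE — worth confirming on a target host. Finally, because vhost templates that include this file and then set their own `PHP_ADMIN_VALUE` appear to replace this one (the pma template below repeats the whole list for that reason), a comment here such as `# NOTE: a later PHP_ADMIN_VALUE in the vhost overrides this one; repeat open_basedir there` would stop future vhosts from silently losing the restriction.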

+ 10 - 0
roles/webserver/templates/nginx/pma_vhost.j2

@@ -36,7 +36,12 @@ server {
 
     location ~ \.php(/|$) {
         include fastcgi_pass_fpm;
+        fastcgi_read_timeout 300s;
+{% if nginx_fpm_openbasedir_enforced %}
+        fastcgi_param PHP_ADMIN_VALUE "upload_tmp_dir=/tmp\nopen_basedir=$document_root:/etc/phpmyadmin:/var/lib/phpmyadmin:/tmp:/usr/share:/tmp:/dev/random:/dev/urandom\nmax_execution_time=300\nupload_max_filesize=128M\npost_max_size=128M";
+{% else %}
         fastcgi_param PHP_ADMIN_VALUE "max_execution_time=240\nupload_max_filesize=128M\npost_max_size=128M";
+{% endif %}
     }
 {% endif %}
 }
@@ -65,7 +70,12 @@ server {
 
     location ~ \.php(/|$) {
         include fastcgi_pass_fpm;
+        fastcgi_read_timeout 300s;
+{% if nginx_fpm_openbasedir_enforced %}
+        fastcgi_param PHP_ADMIN_VALUE "upload_tmp_dir=/tmp\nopen_basedir=$document_root:/etc/phpmyadmin:/var/lib/phpmyadmin:/tmp:/usr/share:/tmp:/dev/random:/dev/urandom\nmax_execution_time=300\nupload_max_filesize=128M\npost_max_size=128M";
+{% else %}
         fastcgi_param PHP_ADMIN_VALUE "max_execution_time=240\nupload_max_filesize=128M\npost_max_size=128M";
+{% endif %}
     }
 }
 {% endif %}
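Review bot: Both hunks hand-copy the full `open_basedir` list from fastcgi_pass_fpm into the pma-specific `PHP_ADMIN_VALUE`, so the same path list now lives in three places and any later hardening of the shared include will not reach phpMyAdmin unless someone remembers to edit these lines too. Defining the base list once (for example a `nginx_fpm_openbasedir_paths` variable in defaults, with the include and this template both rendering it and this template appending `/etc/phpmyadmin:/var/lib/phpmyadmin`) would keep the two in step; the duplicated `/tmp` entry would disappear with it. The two branches also drift on limits: the enforced branch sets `max_execution_time=300` to match the new `fastcgi_read_timeout 300s`, while the `{% else %}` branch keeps `max_execution_time=240`, which looks unintentional. The enclosing `server` blocks start outside both hunks.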