NGINX - Prevent directory traversal attack

To create absolutely isolated environments, you should

a) use Apache backend + suexec + mod_php, because php-fpm does not supports "suexec" as fully as Apache does

b) create not only individual users but also individual groups per your domains

c) configure a couple of name-base virtual hosts, one per domain serviced (hope, you've done already), and set the individual username as suexec parameter

In this case you cat setup 0700 rights to your domain DocumentRoots, and filesystem permissions will definitely separate your domainsusers each from other.

