Your best isolation is to not allow any write access to nginx other then its logfiles.
With PHP it is more or less the same except you need to allow some write access for php code that needs this such as session folders, explicitly allow access there but no where else.
2) set open_basedir in php.ini (and don't allow write access) and do not set its value by passing it on.
With PHP it is more or less the same except you need to allow some write access for php code that needs this such as session folders, explicitly allow access there but no where else.
2) set open_basedir in php.ini (and don't allow write access) and do not set its value by passing it on.