PHP-FPM’s chroot and chdir directory

  • Chroot sets the ‘root’ directory – you cannot navigate above the root directory.
  • Chdir simply changes the starting directory – it is still possible to navigate to other directories (including those above this).
    • If you don’t specify a chroot path, then the ‘real’ root applies – and you specify an absolute chdir.
    • If you do specify a chroot path, then you specify a path relative to the chroot’d path (which redefines the root directory).

The settings you have proposed seem quite fine.

  • The starting path would be the chroot path + the chdir path
  • The app will be able to access all files under the chroot path (unless there are other restrictions in place – e.g. php_openbasedir, permissions, etc.).

As a side note – your php-application will also have access to your nginx.conf and php-fpm.conf based on the document structure you have shown – which seems like something you may want to change (at least making the files read-only to that user).
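
The resolution rules in the answer above, as an added example that is not part of the original post: it parses a pool file, works out the real starting directory with and without `chroot`, and lists which files stay nameable from inside the root. The pool names, directory layout and file paths are constructed assumptions.

```python
import configparser
import posixpath

# Constructed sample pool file; every path here is an assumption.
POOL_CONF = """
[jailed]
chroot = /var/www/example
chdir = /public

[unjailed]
chdir = /var/www/example/public
"""

# Constructed list: two config files kept inside the site tree, one outside it.
SENSITIVE = ["/var/www/example/nginx.conf",
             "/var/www/example/php-fpm.conf",
             "/etc/passwd"]

def effective_paths(pool):
    """Return (root, start_dir) as real filesystem paths for one pool."""
    chroot = (pool.get("chroot", "") or "").strip()
    chdir = (pool.get("chdir", "/") or "/").strip()
    if not chroot:
        # No chroot: the real root applies and chdir is an absolute path.
        return "/", posixpath.normpath(chdir)
    root = posixpath.normpath(chroot)
    # With chroot: chdir is resolved inside the new root, and ".." cannot
    # climb above it, so normalise against "/" before joining.
    inner = posixpath.normpath("/" + chdir.lstrip("/"))
    return root, posixpath.normpath(root + inner)

def reachable(root, real_path):
    """True if real_path can be named from inside root (permissions aside)."""
    root = posixpath.normpath(root)
    real_path = posixpath.normpath(real_path)
    return root == "/" or real_path == root or real_path.startswith(root + "/")

def audit(conf_text, sensitive):
    """Map each pool to its root, starting directory and exposed files."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        root, start = effective_paths(parser[name])
        exposed = [p for p in sensitive if reachable(root, p)]
        report[name] = {"root": root, "start": start, "exposed": exposed}
    return report

if __name__ == "__main__":
    for pool, info in audit(POOL_CONF, SENSITIVE).items():
        print(pool, info)
```

A file listed as exposed is only inside the pool's view of the filesystem; whether the pool user can read or write it still depends on ownership and mode bits.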
