Diff for /wikisrc/tutorials/services/3nmp.mdwn between versions 1.1 and 1.2

version 1.1, 2012/08/08 07:41:36 version 1.2, 2012/08/08 07:47:07
Line 1 Line 1
 ## Setting up a secure PHP webserver with NetBSD  ## Setting up a secure PHP webserver with NetBSD
   
 Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services and genreal: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.  Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services in genreal: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.
   
 [PHP-FPM](http://php-fpm.org/) is a _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._  [PHP-FPM](http://php-fpm.org/) is a _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._
 As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.  As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.
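Review bot: the rewritten first paragraph still reads "Web services in genreal"; since this line is being touched anyway, correct it to "in general". The following paragraph, unchanged in this revision, has a doubled article in "is a _an alternative PHP FastCGI implementation" and should read "is _an alternative ...".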
Line 27  Note that this method can take a long ti Line 27  Note that this method can take a long ti
   
 ### Nginx + naxsi  ### Nginx + naxsi
   
 Again, having _nginx_ "naxsi-ready" can be achieved by using a repository that enabled _naxsi_ in _nginx_'s build or by installing _nginx_  from _pkgsrc_.  Again, having _nginx_ "naxsi-ready" can be achieved by using a repository that enables _naxsi_ in _nginx_'s build or by installing _nginx_  from _pkgsrc_.
 We, at [NetBSDfr](http://www.NetBSDfr.org), have setup a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/). More architectures are in the way.  We, at [NetBSDfr](http://www.NetBSDfr.org), have setup a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/). More architectures are in the way.
 When using those repositories, just install _nginx_ with _pkgin_:  When using those repositories, just install _nginx_ with _pkgin_:
   
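Review bot: the NetBSDfr sentence under "Nginx + naxsi" sends readers to third-party binary repositories over plain http:// links and says nothing about checking what pkgin installs from them. For a page titled as a secure setup, add a sentence on how to verify those packages, or present the pkgsrc build as the default route. The link labelled "for 6.0/i386" points at the host amd64.packages.netbsdfr.org, which is worth confirming. In the same sentence, "have setup" should be "have set up" and "More architectures are in the way" should be "on the way".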
Line 53  _Nginx_ by itself is not capable of hand Line 53  _Nginx_ by itself is not capable of hand
             # for a TCP stream              # for a TCP stream
             fastcgi_pass   127.0.0.1:9000;              fastcgi_pass   127.0.0.1:9000;
             fastcgi_index  index.php;              fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME  /home/imil/www$fastcgi_script_name;              fastcgi_param  SCRIPT_FILENAME  /your/documentroot/www$fastcgi_script_name;
             include        /usr/pkg/etc/nginx/fastcgi_params;              include        /usr/pkg/etc/nginx/fastcgi_params;
         }          }
   
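Review bot: the new SCRIPT_FILENAME line swaps one hard-coded path for a placeholder, /your/documentroot/www, that readers must remember to edit and keep in sync with the server's root. Writing it as fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; removes that step. Nothing in the lines shown checks that the requested script exists before the request reaches fastcgi_pass 127.0.0.1:9000; if the rest of the location block does not do so either, a try_files $uri =404; line belongs there.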
Line 74  And start them: Line 74  And start them:
   
 ### Configuring Naxsi  ### Configuring Naxsi
   
 Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we will add the following on the _http_ section:  Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we will add the following in the _http_ section:
   
         include /usr/pkg/etc/nginx/naxsi_core.rules;          include /usr/pkg/etc/nginx/naxsi_core.rules;
   
Line 89  And append the following to the location Line 89  And append the following to the location
         CheckRule "$EVADE >= 4" BLOCK;          CheckRule "$EVADE >= 4" BLOCK;
         CheckRule "$XSS >= 8" BLOCK;          CheckRule "$XSS >= 8" BLOCK;
   
 Every query matching those scores will redirected to the *moo.txt* file. Using another *location* may be also a wise choice.  Every query matching those scores will be redirected to the *moo.txt* file. Using another *location* may be also a wise choice.
   
 Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).  Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).
   
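Review bot: in the corrected sentence after the CheckRule lines, "may be also a wise choice" should read "may also be a wise choice". The sentence tells readers that matching queries are redirected to moo.txt but not why a different location would be the wiser choice; one clause of explanation would make the advice actionable.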
