Annotation of wikisrc/tutorials/services/3nmp.mdwn, revision 1.1

## Setting up a secure PHP webserver with NetBSD

Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services in general: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.

[PHP-FPM](http://php-fpm.org/) is _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._
As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.
[naxsi](http://code.google.com/p/naxsi/) is a module for _nginx_ that provides basic-to-strong hardening for a dynamic website by protecting it _against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions._

Setting up a _3NMP_ server (_NetBSD-Nginx-Naxsi-MySQL-PHP_) is straightforward and will provide performance and security to your _PHP_ website within minutes.

### PHP-FPM

The simplest approach is to use [pkgin](http://www.pkgin.net) to install the _php-fpm_ binary package together with its dependencies:

    # pkgin in php53-fpm

You may also want to install it from _pkgsrc_, in which case you'll have to fetch the tree first:

    # cd /usr && cvs -d anoncvs.netbsd.org:/cvsroot co pkgsrc

And then build it:

    # cd /usr/pkgsrc/www/php-fpm
    # make install clean clean-depends

Note that this method can take a long time depending on your computer.

### Nginx + naxsi

Again, a "naxsi-ready" _nginx_ can be obtained either by using a repository that enables _naxsi_ in its _nginx_ build or by building _nginx_ from _pkgsrc_.
We, at [NetBSDfr](http://www.NetBSDfr.org), have set up a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/). More architectures are on the way.
When using those repositories, just install _nginx_ with _pkgin_:

    # pkgin in nginx

If you wish to use _pkgsrc_, add the following to */etc/mk.conf*:

    PKG_OPTIONS.nginx+=     naxsi

And proceed with the _nginx_ build the usual way:

    # cd /usr/pkgsrc/www/nginx
    # make install clean clean-depends

### Nginx + PHP-FPM

_Nginx_ by itself is not capable of handling _PHP_: it must communicate with an external process over a local UNIX socket or a TCP stream. _Nginx_'s default configuration file already has an example of how to achieve this, but here is the complete syntax:

    location ~ \.php$ {
        root           html;
        # for a local UNIX socket
        # fastcgi_pass unix:/tmp/php-fpm.sock;
        # for a TCP stream
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /home/imil/www$fastcgi_script_name;
        include        /usr/pkg/etc/nginx/fastcgi_params;
    }

By default, the _php-fpm_ package is configured to listen on a TCP stream and to run as the *www* user; we must change the latter to *nginx*:

    user = nginx
    group = nginx

Once done, we just have to enable those two services in */etc/rc.conf*:

    php_fpm=YES
    nginx=YES

And start them:

    # /etc/rc.d/php_fpm start
    # /etc/rc.d/nginx start

### Configuring Naxsi

Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we add the following to the _http_ section:

    include /usr/pkg/etc/nginx/naxsi_core.rules;

And append the following to the location you want to secure:

    DeniedUrl "/moo.txt";
    SecRulesEnabled;

    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

Every query reaching those scores will be redirected to the *moo.txt* file. Using another *location* may also be a wise choice.

Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).
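
As an added example (not part of the original page), here is a complete _nginx_ `server` block that ties the two previous sections together: _PHP-FPM_ reached over the UNIX socket, the _naxsi_ rules from above applied in every location that can reach PHP, and a dedicated denied location instead of a plain text file. The hostname `www.example.org`, the `/RequestDenied` path and the use of `internal` for it are assumptions of this example.

```nginx
# /usr/pkg/etc/nginx/nginx.conf, relevant part only (added example)
http {
    # naxsi's core signatures are loaded once, at http level
    include /usr/pkg/etc/nginx/naxsi_core.rules;

    server {
        listen      80;
        server_name www.example.org;   # assumed hostname
        root        /home/imil/www;
        index       index.php index.html;

        # naxsi is configured per location, so the rules are repeated in
        # every location that can end up in PHP-FPM
        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            # hand only existing files to PHP-FPM; anything else is a plain 404
            try_files $uri =404;
            # UNIX socket instead of TCP: the php-fpm pool must listen on this
            # path with a socket owner and group that the nginx user can open
            fastcgi_pass   unix:/tmp/php-fpm.sock;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        /usr/pkg/etc/nginx/fastcgi_params;
        }

        # target of naxsi's internal redirect; "internal" keeps it unreachable
        # from outside and a 403 is returned instead of serving a file
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Check the result with `nginx -t` before restarting, and watch _nginx_'s error log for the `NAXSI_FMT` lines that explain which rule and score caused a block while you tune the thresholds.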

### There you go!

Enjoy your secure PHP webhosting.
