File:  [NetBSD Developer Wiki] / wikisrc / tutorials / services / 3nmp.mdwn
Wed Aug 8 08:02:38 2012 UTC (8 years, 2 months ago) by imil
Branches: MAIN
CVS tags: HEAD
add nginx.conf path

## Setting up a secure PHP webserver with NetBSD

Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services in general: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.

[PHP-FPM](http://php-fpm.org/) is _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._
As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.
[naxsi](http://code.google.com/p/naxsi/) is a module for _nginx_ that provides basic-to-strong hardening to dynamic websites by protecting them _against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions._

Setting up a _3NMP_ server (_NetBSD-Nginx-Naxsi-MySQL-PHP_) is straightforward and will provide performance and security to your _PHP_ website within minutes.

### PHP-FPM

The simplest approach here is to use [pkgin](http://www.pkgin.net) to install _php-fpm_'s binary package plus its dependencies:

	# pkgin in php53-fpm

You may also want to install it via _pkgsrc_, in which case you'll have to fetch it:

	# cd /usr && cvs -d anoncvs.netbsd.org:/cvsroot co pkgsrc

And then build it:

	# cd /usr/pkgsrc/www/php-fpm
	# make install clean clean-depends

Note that this method can take a long time depending on your computer.

### Nginx + naxsi

Again, having _nginx_ "naxsi-ready" can be achieved either by using a repository that enables _naxsi_ in _nginx_'s build or by installing _nginx_ from _pkgsrc_.
We, at [NetBSDfr](http://www.NetBSDfr.org), have set up a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/). More architectures are on the way.
When using those repositories, just install _nginx_ with _pkgin_:

	# pkgin in nginx

If you wish to use _pkgsrc_, please add the following to */etc/mk.conf*:

	PKG_OPTIONS.nginx+=     naxsi

And proceed with the _nginx_ build the usual way:

	# cd /usr/pkgsrc/www/nginx
	# make install clean clean-depends

### Nginx + PHP-FPM

_Nginx_ by itself is not capable of handling _PHP_; it must hand requests to an external process over a local UNIX socket or a TCP stream. _Nginx_'s default configuration file (*${PREFIX}/etc/nginx/nginx.conf*) already has an example of how to achieve this, but here is the complete syntax:

	location ~ \.php$ {
	    root           html;
	    # for a local UNIX socket
	    # fastcgi_pass unix:/tmp/php-fpm.sock;
	    # for a TCP stream
	    fastcgi_pass   127.0.0.1:9000;
	    fastcgi_index  index.php;
	    fastcgi_param  SCRIPT_FILENAME  /your/documentroot/www$fastcgi_script_name;
	    include        /usr/pkg/etc/nginx/fastcgi_params;
	}

By default, the _php-fpm_ package is configured to listen on a TCP stream and to run as the *www* user; we must change the latter to *nginx* in *${PREFIX}/etc/php-fpm.conf*:

	user = nginx
	group = nginx

Once done, we just have to enable those two services in */etc/rc.conf*:

	php_fpm=YES
	nginx=YES

And start them:

	# /etc/rc.d/php_fpm start
	# /etc/rc.d/nginx start

### Configuring Naxsi

Setting up a basic security ruleset is pretty simple. Now that _nginx_ is built with _naxsi_, add the following to the _http_ section:

	include	/usr/pkg/etc/nginx/naxsi_core.rules;

And append the following to the location you want to secure:

	DeniedUrl "/moo.txt";
	SecRulesEnabled;

	CheckRule "$SQL >= 8" BLOCK;
	CheckRule "$RFI >= 8" BLOCK;
	CheckRule "$TRAVERSAL >= 4" BLOCK;
	CheckRule "$EVADE >= 4" BLOCK;
	CheckRule "$XSS >= 8" BLOCK;

Every request whose scores reach those thresholds will be redirected to the *moo.txt* file. Using another *location* as the denied URL may also be a wise choice.

Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).
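The pieces of the two previous sections assembled into one *nginx.conf*, as an added example; this is not the file shipped with the _pkgsrc_ package. The server name, the document root, the *RequestDenied* location and the argument name in the commented-out whitelist are assumptions made for the example. Two points worth noting: _naxsi_ directives are per-location, so they are placed in the _PHP_ location, the one whose requests reach _php-fpm_; and `try_files $uri =404` in that location makes _nginx_ answer a request for a script that does not exist on disk itself, instead of forwarding it to _php-fpm_.

```nginx
# Added example, not the nginx.conf shipped with the pkgsrc package.
# Assumed: server name www.example.org, document root /var/www/example,
# DeniedUrl target /RequestDenied, php-fpm on its default TCP port.
events {
    worker_connections 1024;
}

http {
    include  /usr/pkg/etc/nginx/mime.types;
    # naxsi's core ruleset belongs in the http section
    include  /usr/pkg/etc/nginx/naxsi_core.rules;

    server {
        listen       80;
        server_name  www.example.org;
        root         /var/www/example;
        index        index.php index.html;

        # static files: nothing served from here is executed
        location / {
            try_files $uri $uri/ =404;
        }

        # dynamic content: the location worth securing, so naxsi lives here.
        # naxsi directives are per-location; a location without
        # SecRulesEnabled is not inspected at all.
        location ~ \.php$ {
            SecRulesEnabled;
            # LearningMode;     # log matches without blocking while tuning
            DeniedUrl "/RequestDenied";

            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # whitelist example (commented out): 1013 is the id of the
            # single quote rule in naxsi_core.rules, check it in your copy;
            # "name" is an assumed argument that legitimately carries quotes
            # BasicRule wl:1013 "mz:$ARGS_VAR:name";

            # answer 404 ourselves rather than handing php-fpm a script
            # that does not exist on disk
            try_files $uri =404;

            # php-fpm listens on TCP by default (see php-fpm.conf);
            # for a local socket use: fastcgi_pass unix:/tmp/php-fpm.sock;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        /usr/pkg/etc/nginx/fastcgi_params;
        }

        # target of DeniedUrl: reached only through naxsi's internal
        # redirect, never serves a file, just answers 403
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

Check the file with `nginx -t` before restarting. While tuning, keep `LearningMode` on so that rule matches are written to the error log without blocking anything; the whitelists (`BasicRule wl:...`) are then written from what shows up there, and `LearningMode` is removed once the site's legitimate traffic no longer trips the thresholds.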

### There you go!

Enjoy your secure PHP webhosting.
