File:  [NetBSD Developer Wiki] / wikisrc / tutorials / services / 3nmp.mdwn
Revision 1.7: download - view: text, annotated - select for diffs
Wed Aug 8 08:02:38 2012 UTC (8 years, 6 months ago) by imil
Branches: MAIN
CVS tags: HEAD
add nginx.conf path

## Setting up a secure PHP webserver with NetBSD

Since [pkgsrc-2012Q2](, [pkgsrc]( has two major enhancements regarding [PHP]( and Web services in general: [PHP-FPM]( and the [naxsi]( [nginx]( module.

[PHP-FPM]( is a _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._
As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.
[naxsi]( is a module for _nginx_ that provides basic-to-strong hardening to a dynamic website by protecting them _against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions._

Setting up a _3NMP_ server (_NetBSD-Nginx-Naxsi-MySQL-PHP_) is straightforward and will provide performance and security to your _PHP_ website within minutes.


The simpler approach here would be using [pkgin]( in order to install _php-fpm_'s binary package plus its dependencies.

	# pkgin in php53-fpm

You may also want to install it via _pkgsrc_, in which case you'll have to fetch it:

	# cd /usr && cvs -d co pkgsrc

And then build it:

	# cd /usr/pkgsrc/www/php-fpm
	# make install clean clean-depends

Note that this method can take a long time depending on your computer.

### Nginx + naxsi

Again, having _nginx_ "naxsi-ready" can be achieved by using a repository that enables _naxsi_ in _nginx_'s build or by installing _nginx_  from _pkgsrc_.
We, at [NetBSDfr](, have setup a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386]( or [5.1/amd64]( More architectures are in the way.
When using those repositories, just install _nginx_ with _pkgin_:

	# pkgin in nginx

If you wish to use _pkgsrc_, please add the following to */etc/mk.conf*:

	PKG_OPTIONS.nginx+=     naxsi

And proceed with _nginx_ build the usual way:

	# cd /usr/pkgsrc/www/nginx
	# make install clean clean-depends

### Nginx + PHP-FPM

_Nginx_ by itself is not capable of handling _PHP_, it must communicate with an external process using a local UNIX socket or a TCP stream. _Nginx_'s default configuration file (*${PREFIX}/etc/nginx/nginx.conf*) already has an example of how to achieve this, but here is the complete syntax:

	location ~ \.php$ {
	    root           html;
	    # for a local UNIX socket
	    # fastcgi_pass unix:/tmp/php-fpm.sock;
	    # for a TCP stream
	    fastcgi_index  index.php;
	    fastcgi_param  SCRIPT_FILENAME  /your/documentroot/www$fastcgi_script_name;
	    include        /usr/pkg/etc/nginx/fastcgi_params;

By default, the _php-fpm_ package is configured to listen on a TCP stream and to run withe the *www* user, we must change the latter to *nginx* in *${PREFIX}/etc/php-fpm.conf*:

	user = nginx
	group = nginx

Once done, we just have to enable those two services in */etc/rc.conf*:


And start them:

	# /etc/rc.d/php_fpm start
	# /etc/rc.d/nginx start

### Configuring Naxsi

Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we will add the following in the _http_ section:

	include	/usr/pkg/etc/nginx/naxsi_core.rules;

And append the following to the location you want to secure:

	DeniedUrl "/moo.txt";

	CheckRule "$SQL >= 8" BLOCK;
	CheckRule "$RFI >= 8" BLOCK;
	CheckRule "$TRAVERSAL >= 4" BLOCK;
	CheckRule "$EVADE >= 4" BLOCK;
	CheckRule "$XSS >= 8" BLOCK;

Every query matching those scores will be redirected to the *moo.txt* file. Using another *location* may be also a wise choice.

Of course, you are encouraged to carefully read [naxsi's Wiki](

### There you go !

Enjoy your secure PHP webhosting.

CVSweb for NetBSD wikisrc <> software: FreeBSD-CVSweb