## Setting up a secure PHP webserver with NetBSD

Since [pkgsrc-2012Q2](http://mail-index.netbsd.org/pkgsrc-users/2012/07/02/msg016644.html), [pkgsrc](http://www.netbsd.org/docs/software/packages.html) has two major enhancements regarding [PHP](http://www.php.net/) and Web services in general: [PHP-FPM](http://php-fpm.org/) and the [naxsi](http://code.google.com/p/naxsi/) [nginx](http://wiki.nginx.org/Main) module.

[PHP-FPM](http://php-fpm.org/) is _an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites._ As such, _PHP-FPM_ is often used as the _PHP_ backend for _nginx_ powered websites.

[naxsi](http://code.google.com/p/naxsi/) is a module for _nginx_ that provides basic-to-strong hardening to a dynamic website by protecting it _against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions._

Setting up a _3NMP_ server (_NetBSD-Nginx-Naxsi-MySQL-PHP_) is straightforward and will provide performance and security to your _PHP_ website within minutes.

### PHP-FPM

The simplest approach is to use [pkgin](http://www.pkgin.net) to install _php-fpm_'s binary package plus its dependencies:

```sh
# pkgin in php53-fpm
```

You may also want to build it from _pkgsrc_, in which case you first have to fetch the tree:

```sh
# cd /usr && cvs -d anoncvs.netbsd.org:/cvsroot co pkgsrc
```

And then build it:

```sh
# cd /usr/pkgsrc/www/php-fpm
# make install clean clean-depends
```

Note that this method can take a long time depending on your computer.

### Nginx + naxsi

Again, a "naxsi-ready" _nginx_ can be obtained either from a binary repository whose _nginx_ build has _naxsi_ enabled, or by building _nginx_ from _pkgsrc_. We, at [NetBSDfr](http://www.NetBSDfr.org), have set up a couple of repositories with "naxsi-enabled" _nginx_ [for 6.0/i386](http://amd64.packages.netbsdfr.org/stable/6.0/i386/packages/) or [5.1/amd64](http://amd64.packages.netbsdfr.org/stable/5.1/packages/).
More architectures are on the way. When using those repositories, just install _nginx_ with _pkgin_:

```sh
# pkgin in nginx
```

If you wish to use _pkgsrc_, add the following to */etc/mk.conf*:

```make
PKG_OPTIONS.nginx+= naxsi
```

And proceed with _nginx_'s build the usual way:

```sh
# cd /usr/pkgsrc/www/nginx
# make install clean clean-depends
```

### Nginx + PHP-FPM

_Nginx_ by itself is not capable of handling _PHP_: it must hand each request to an external FastCGI process over a local UNIX socket or a TCP stream. _Nginx_'s default configuration file (*${PREFIX}/etc/nginx/nginx.conf*) already has an example of how to achieve this, but here is the complete syntax:

```nginx
location ~ \.php$ {
    root html;
    # for a local UNIX socket
    # fastcgi_pass unix:/tmp/php-fpm.sock;
    # for a TCP stream
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    # /your/documentroot/www stands for the directory holding your PHP files
    fastcgi_param SCRIPT_FILENAME /your/documentroot/www$fastcgi_script_name;
    include /usr/pkg/etc/nginx/fastcgi_params;
}
```

By default, the _php-fpm_ package is configured to listen on a TCP stream and to run as the *www* user; we must change the latter to *nginx* in *${PREFIX}/etc/php-fpm.conf*:

```ini
user = nginx
group = nginx
```

Once done, we just have to enable those two services in */etc/rc.conf*:

```sh
php_fpm=YES
nginx=YES
```

And start them:

```sh
# /etc/rc.d/php_fpm start
# /etc/rc.d/nginx start
```

### Configuring Naxsi

Having a basic security ruleset is pretty simple. Now that _nginx_ is aware of _naxsi_'s features, we will add the following to the _http_ section:

```nginx
include /usr/pkg/etc/nginx/naxsi_core.rules;
```

And append the following to the location you want to secure:

```nginx
DeniedUrl "/moo.txt";
SecRulesEnabled;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
```

Each core rule that matches a request adds its weight to one of the named scores (_$SQL_, _$RFI_, ...); every request whose score reaches one of those thresholds is internally redirected to */moo.txt*. Pointing _DeniedUrl_ at a dedicated *location* block (one that simply returns an error status) rather than at a real file in the document root is also a wise choice.
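The two previous sections put together: an added, editor-written example of a complete _server_ block (not taken from the original post, nor from the _naxsi_ or _php-fpm_ projects) that wires _nginx_, _php-fpm_ and _naxsi_ together. The host name, the document root (`/var/www/example.org`), the socket path (`/var/run/php-fpm.sock`) and the */moo.txt* handler are assumptions. It departs from the snippets above in three ways that matter for security: it talks to _php-fpm_ over a UNIX socket rather than a TCP port that any local user can connect to, it uses `try_files $uri =404` so that paths which do not exist on disk are never handed to _php-fpm_ (a request such as `/uploads/x.jpg/a.php` would otherwise execute *x.jpg* as PHP when `cgi.fix_pathinfo` is left at its default of 1), and it answers _naxsi_'s denied requests from an internal-only location instead of serving a file from the document root.

```nginx
# Added example (editor's, not the original post's). Host name, paths and
# the socket name are assumptions; adjust them to your layout.
http {
    include /usr/pkg/etc/nginx/mime.types;
    # naxsi's core signatures are loaded once, at http level
    include /usr/pkg/etc/nginx/naxsi_core.rules;

    server {
        listen      80;
        server_name example.org;
        root        /var/www/example.org;
        index       index.php index.html;

        location / {
            # naxsi directives are per location: every location that
            # receives user-controlled input needs its own copy
            SecRulesEnabled;
            # LearningMode;   # log matches instead of blocking while tuning
            DeniedUrl "/moo.txt";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
            SecRulesEnabled;
            # LearningMode;
            DeniedUrl "/moo.txt";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # only pass scripts that really exist on disk to php-fpm;
            # with cgi.fix_pathinfo=1 a request for /uploads/x.jpg/a.php
            # would otherwise run x.jpg through the PHP interpreter
            try_files $uri =404;

            # UNIX socket: reachable only by users allowed on the socket
            # file (see listen.owner/listen.group/listen.mode in php-fpm.conf),
            # unlike 127.0.0.1:9000 which any local process can open
            fastcgi_pass  unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            # $document_root keeps SCRIPT_FILENAME in sync with "root" above
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include       /usr/pkg/etc/nginx/fastcgi_params;
        }

        # target of naxsi's internal redirect for blocked requests:
        # no file is served, just a 403; "internal" makes it unreachable
        # by direct request
        location /moo.txt {
            internal;
            return 403;
        }
    }
}
```

On the _php-fpm_ side the matching pool settings are `listen = /var/run/php-fpm.sock`, `listen.owner = nginx`, `listen.group = nginx` and `listen.mode = 0660`, so that only the _nginx_ user can open the socket; setting `cgi.fix_pathinfo = 0` in *php.ini* is the belt-and-braces counterpart of the `try_files` line. Check the configuration with `nginx -t` before reloading, then send a request that should trip the SQL score, for example `curl -i "http://localhost/index.php?id=1'%20or%201=1"`, and confirm that you get a 403 and a `NAXSI_FMT` line in _nginx_'s error log. On an existing site, uncomment `LearningMode;` first: in learning mode _naxsi_ logs what it would have blocked without blocking it, which is how you find false positives before enforcing the rules.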
Of course, you are encouraged to carefully read [naxsi's Wiki](http://code.google.com/p/naxsi/wiki/TableOfContents).

### There you go!

Enjoy your secure PHP webhosting.