Setting up a secure PHP webserver with NetBSD

Since pkgsrc-2012Q2, pkgsrc has two major enhancements regarding PHP and Web services in general: PHP-FPM and the naxsi nginx module.

PHP-FPM is a an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. As such, PHP-FPM is often used as the PHP backend for nginx powered websites. naxsi is a module for nginx that provides basic-to-strong hardening to a dynamic website by protecting them against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.

Setting up a 3NMP server (NetBSD-Nginx-Naxsi-MySQL-PHP) is straightforward and will provide performance and security to your PHP website within minutes.

PHP-FPM

The simpler approach here would be using pkgin in order to install php-fpm's binary package plus its dependencies.

# pkgin in php53-fpm

You may also want to install it via pkgsrc, in which case you'll have to fetch it:

# cd /usr && cvs -d anoncvs.netbsd.org:/cvsroot co pkgsrc

And then build it:

# cd /usr/pkgsrc/www/php-fpm
# make install clean clean-depends

Note that this method can take a long time depending on your computer.

Nginx + naxsi

Again, having nginx "naxsi-ready" can be achieved by using a repository that enables naxsi in nginx's build or by installing nginx from pkgsrc. We, at NetBSDfr, have setup a couple of repositories with "naxsi-enabled" nginx for 6.0/i386 or 5.1/amd64. More architectures are in the way. When using those repositories, just install nginx with pkgin:

# pkgin in nginx

If you wish to use pkgsrc, please add the following to /etc/mk.conf:

PKG_OPTIONS.nginx+=     naxsi

And proceed with nginx build the usual way:

# cd /usr/pkgsrc/www/nginx
# make install clean clean-depends

Nginx + PHP-FPM

Nginx by itself is not capable of handling PHP, it must communicate with an external process using a local UNIX socket or a TCP stream. Nginx's default configuration file (${PREFIX}/etc/nginx/nginx.conf) already has an example of how to achieve this, but here is the complete syntax:

location ~ \.php$ {
    root           html;
    # for a local UNIX socket
    # fastcgi_pass unix:/tmp/php-fpm.sock;
    # for a TCP stream
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  /your/documentroot/www$fastcgi_script_name;
    include        /usr/pkg/etc/nginx/fastcgi_params;
}

By default, the php-fpm package is configured to listen on a TCP stream and to run withe the www user, we must change the latter to nginx in ${PREFIX}/etc/php-fpm.conf:

user = nginx
group = nginx

Once done, we just have to enable those two services in /etc/rc.conf:

php_fpm=YES
nginx=YES

And start them:

# /etc/rc.d/php_fpm start
# /etc/rc.d/nginx start

Configuring Naxsi

Having a basic security ruleset is pretty simple. Now that nginx is aware of naxsi's features, we will add the following in the http section:

include /usr/pkg/etc/nginx/naxsi_core.rules;

And append the following to the location you want to secure:

DeniedUrl "/moo.txt";
SecRulesEnabled;

CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Every query matching those scores will be redirected to the moo.txt file. Using another location may be also a wise choice.

Of course, you are encouraged to carefully read naxsi's Wiki.

There you go !

Enjoy your secure PHP webhosting.