Install PHP:

pkg_add php-curl php-gd php-gmp php-mcrypt php-mysql php-mysqli php-pdo_mysql php-zip
ln -sf /var/www/conf/modules.sample/php-5.4.conf /var/www/conf/modules/php.conf
ln -sf /etc/php-5.4.sample/bz2.ini /etc/php-5.4/bz2.ini
ln -sf /etc/php-5.4.sample/curl.ini /etc/php-5.4/curl.ini
ln -sf /etc/php-5.4.sample/gd.ini /etc/php-5.4/gd.ini
ln -sf /etc/php-5.4.sample/gmp.ini /etc/php-5.4/gmp.ini
ln -sf /etc/php-5.4.sample/mcrypt.ini /etc/php-5.4/mcrypt.ini
ln -sf /etc/php-5.4.sample/mysql.ini /etc/php-5.4/mysql.ini
ln -sf /etc/php-5.4.sample/mysqli.ini /etc/php-5.4/mysqli.ini
ln -sf /etc/php-5.4.sample/pdo_mysql.ini /etc/php-5.4/pdo_mysql.ini
ln -sf /etc/php-5.4.sample/zip.ini /etc/php-5.4/zip.ini
  • Add index.php to DirectoryIndex in /var/www/conf/httpd.conf

General Notes: PHP Security, nginx, DokuWiki

Setting up PHP securely with nginx is a bit of an impossibility in some ways.

The OpenBSD default to parse all files ending with a .php extension works well, but a theoretical security hole is available: say if /image.gif/server.php is a URL with no existing server.php file, then it would run image.gif as a PHP file. (I haven't been able to dupicliate this). However, that's limited to if users can upload files – which depends again on the software the site is running, and what features are enabled.

Another security option is to disable CGI fix pathinfo for PHP. However, this can break some PHP software (WordPress, in theory) that relies on the SERVER variables – which can also be overriden with some nginx flags so that they are correctly sent.

Another issue is with HTTPS requests, since you are sending traffic to the PHP FPM server, again the server variables may not see it as a secure request. Same problem as before (and probably same fix), to tweak nginx.

I haven't been able to get pretty URLs working with dokuwiki yet either. It's possible to have nginx set up that any location at / if the file itself is not found to use doku.php instead.

Altogether, the combination of the three (nginx, PHP FPM and dokuwiki / pretty URLs) make it not worth the hassle.

Recommendation for now is to use a simple Apache 2.2 setup in it's place.


Install PHP-FPM:

pkg_install php-fpm

Setup configuration file at /etc/php-fpm.conf to listen to localhost connections only:

listen.allowed_clients =

Start the service:

/etc/rc.d/php-fpm start

PHP-FPM with nginx

To setup nginx to serve PHP using FPM, there are only two changes to make in /etc/nginx/nginx.conf.

Add index.php to the index directive:

index         index.html index.htm index.php

and uncomment the PHP FPM settings:

        location ~ \.php$ {
            root           /var/www/htdocs;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;

Install Suhosin

With OpenBSD 5.5, suhosin is not built-in by default, nor available as a package. It will have to be installed manually.

First, install a version of autoconf:

pkg_add autoconf

Select the version you want to install.

Next, download the source code of suhosin, unpack it, and configure and build it:

AUTOCONF_VERSION=2.69 phpize-5.4
./configure --with-php-config=/usr/local/bin/php-config-5.4
make install

Finally, load the module by creating an extension file:

echo > /etc/php-5.4/suhosin.ini

Restart PHP FPM to use the new module:

/etc/rc.d/php-fpm restart

And verify the module is installed:

php-5.4 -m

The module is located in the same directory as the other ones, at /usr/local/lib/php-5.4/modules/.