Differences

This shows you the differences between two versions of the page.

Link to this comparison view

openbsd_php [2014/06/13 12:48] (current)
Line 1: Line 1:
 +====== OpenBSD PHP ======
  
 +  * [[OpenBSD]]
 +  * [[OpenBSD nginx]]
 +
 +  * [[http://​www.h-i-r.net/​p/​hirs-secure-openbsd-apache-mysql-and.html|HiR'​s Secure OpenBSD, Apache, MySQL and PHP Guide]]
 +
 +
 +==== Installation ====
 +
 +
 +Install PHP:
 +
 +<​code>​
 +pkg_add php-curl php-gd php-gmp php-mcrypt php-mysql php-mysqli php-pdo_mysql php-zip
 +ln -sf /​var/​www/​conf/​modules.sample/​php-5.4.conf /​var/​www/​conf/​modules/​php.conf
 +ln -sf /​etc/​php-5.4.sample/​bz2.ini /​etc/​php-5.4/​bz2.ini
 +ln -sf /​etc/​php-5.4.sample/​curl.ini /​etc/​php-5.4/​curl.ini
 +ln -sf /​etc/​php-5.4.sample/​gd.ini /​etc/​php-5.4/​gd.ini
 +ln -sf /​etc/​php-5.4.sample/​gmp.ini /​etc/​php-5.4/​gmp.ini
 +ln -sf /​etc/​php-5.4.sample/​mcrypt.ini /​etc/​php-5.4/​mcrypt.ini
 +ln -sf /​etc/​php-5.4.sample/​mysql.ini /​etc/​php-5.4/​mysql.ini
 +ln -sf /​etc/​php-5.4.sample/​mysqli.ini /​etc/​php-5.4/​mysqli.ini
 +ln -sf /​etc/​php-5.4.sample/​pdo_mysql.ini /​etc/​php-5.4/​pdo_mysql.ini
 +ln -sf /​etc/​php-5.4.sample/​zip.ini /​etc/​php-5.4/​zip.ini
 +</​code>​
 +
 +  * Add ''​index.php''​ to ''​DirectoryIndex''​ in ''/​var/​www/​conf/​httpd.conf''​
 +
 +==== General Notes: PHP Security, nginx, DokuWiki ====
 +
 +Setting up PHP securely with nginx is a bit of an impossibility in some ways. 
 +
 +The OpenBSD default to parse all files ending with a .php extension works well, but a theoretical security hole is available: say if ''/​image.gif/​server.php''​ is a URL with no existing ''​server.php''​ file, then it would run ''​image.gif''​ as a PHP file.  (I haven'​t been able to dupicliate this). ​ However, that's limited to if users can upload files -- which depends again on the software the site is running, and what features are enabled.
 +
 +Another security option is to disable CGI fix pathinfo for PHP.  However, this can break some PHP software (WordPress, in theory) that relies on the SERVER variables -- which can also be overriden with some nginx flags so that they are correctly sent.
 +
 +Another issue is with HTTPS requests, since you are sending traffic to the PHP FPM server, again the server variables may not see it as a secure request. ​ Same problem as before (and probably same fix), to tweak nginx.
 +
 +I haven'​t been able to get pretty URLs working with dokuwiki yet either. ​ It's possible to have nginx set up that any location at / if the file itself is not found to use ''​doku.php''​ instead.
 +
 +Altogether, the combination of the three (nginx, PHP FPM and dokuwiki / pretty URLs) make it not worth the hassle.
 +
 +Recommendation for now is to use a simple Apache 2.2 setup in it's place.
 +
 +==== PHP-FPM ====
 +
 +Install PHP-FPM:
 +
 +<​code>​
 +pkg_install php-fpm
 +</​code>​
 +
 +Setup configuration file at ''/​etc/​php-fpm.conf''​ to listen to localhost connections only:
 +
 +<​code>​
 +listen.allowed_clients = 127.0.0.1
 +</​code>​
 +
 +Start the service:
 +
 +<​code>​
 +/​etc/​rc.d/​php-fpm start
 +</​code>​
 +
 +==== PHP-FPM with nginx ====
 +
 +To setup nginx to serve PHP using FPM, there are only two changes to make in ''/​etc/​nginx/​nginx.conf''​.
 +
 +Add ''​index.php''​ to the index directive:
 +
 +<​code>​
 +index         ​index.html index.htm index.php
 +</​code>​
 +
 +and uncomment the PHP FPM settings:
 +
 +<​code>​
 +        location ~ \.php$ {
 +            root           /​var/​www/​htdocs;​
 +            fastcgi_pass ​  ​127.0.0.1:​9000;​
 +            fastcgi_index ​ index.php;
 +            fastcgi_param ​ SCRIPT_FILENAME ​ $document_root$fastcgi_script_name;​
 +            include ​       fastcgi_params;​
 +        }
 +</​code>​
 +
 +==== Install Suhosin ====
 +
 +  * [[PHP Suhosin]]
 +
 +With OpenBSD 5.5, suhosin is not built-in by default, nor available as a package. ​ It will have to be installed manually.
 +
 +First, install a version of autoconf:
 +
 +<​code>​
 +pkg_add autoconf
 +</​code>​
 +
 +Select the version you want to install.
 +
 +Next, download the source code of suhosin, unpack it, and configure and build it:
 +
 +<​code>​
 +AUTOCONF_VERSION=2.69 phpize-5.4
 +./configure --with-php-config=/​usr/​local/​bin/​php-config-5.4
 +make
 +make install
 +</​code>​
 +
 +Finally, load the module by creating an extension file:
 +
 +<​code>​
 +echo extension=suhosin.so > /​etc/​php-5.4/​suhosin.ini
 +</​code>​
 +
 +Restart PHP FPM to use the new module:
 +
 +<​code>​
 +/​etc/​rc.d/​php-fpm restart
 +</​code>​
 +
 +And verify the module is installed:
 +
 +<​code>​
 +php-5.4 -m
 +</​code>​
 +
 +The module is located in the same directory as the other ones, at ''/​usr/​local/​lib/​php-5.4/​modules/''​.