OpenBSD PHP

Installation

Install PHP:

pkg_add php-curl php-gd php-gmp php-mcrypt php-mysql php-mysqli php-pdo_mysql php-zip
ln -sf /var/www/conf/modules.sample/php-5.4.conf /var/www/conf/modules/php.conf
ln -sf /etc/php-5.4.sample/bz2.ini /etc/php-5.4/bz2.ini
ln -sf /etc/php-5.4.sample/curl.ini /etc/php-5.4/curl.ini
ln -sf /etc/php-5.4.sample/gd.ini /etc/php-5.4/gd.ini
ln -sf /etc/php-5.4.sample/gmp.ini /etc/php-5.4/gmp.ini
ln -sf /etc/php-5.4.sample/mcrypt.ini /etc/php-5.4/mcrypt.ini
ln -sf /etc/php-5.4.sample/mysql.ini /etc/php-5.4/mysql.ini
ln -sf /etc/php-5.4.sample/mysqli.ini /etc/php-5.4/mysqli.ini
ln -sf /etc/php-5.4.sample/pdo_mysql.ini /etc/php-5.4/pdo_mysql.ini
ln -sf /etc/php-5.4.sample/zip.ini /etc/php-5.4/zip.ini
  • Add index.php to DirectoryIndex in /var/www/conf/httpd.conf

General Notes: PHP Security, nginx, DokuWiki

Setting up PHP securely with nginx is a bit of an impossibility in some ways.

The OpenBSD default of passing every file ending in .php to PHP works well, but it leaves a theoretical security hole: if /image.gif/server.php is requested and no server.php file exists, image.gif would be executed as a PHP file. (I haven't been able to duplicate this.) However, this only matters if users can upload files – which in turn depends on the software the site is running and which features are enabled.

Another security option is to disable CGI fix pathinfo (cgi.fix_pathinfo) for PHP. However, this can break some PHP software (WordPress, in theory) that relies on the SERVER variables – which can in turn be overridden with some nginx flags so that they are sent correctly.

Another issue concerns HTTPS requests: since the traffic is forwarded to the PHP-FPM server, the server variables may again not mark it as a secure request. This is the same problem as before (and probably has the same fix): tweak nginx.

I haven't been able to get pretty URLs working with DokuWiki yet either. It's possible to set nginx up so that any location under / falls back to doku.php when the requested file itself is not found.

Altogether, the combination of the three (nginx, PHP-FPM and DokuWiki / pretty URLs) makes it not worth the hassle.

Recommendation for now is to use a simple Apache 2.2 setup in its place.

PHP-FPM

Install PHP-FPM:

pkg_add php-fpm

Set up the configuration file at /etc/php-fpm.conf so that it accepts connections from localhost only:

listen.allowed_clients = 127.0.0.1

Start the service:

/etc/rc.d/php-fpm start

PHP-FPM with nginx

To set up nginx to serve PHP using FPM, there are only two changes to make in /etc/nginx/nginx.conf.

Add index.php to the index directive:

index         index.html index.htm index.php

and uncomment the PHP FPM settings:

        location ~ \.php$ {
            root           /var/www/htdocs;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
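As an added example (not from the original page), here is a hardened form of the location block above that closes the /image.gif/server.php hole described in the general notes and also covers the PATH_INFO and HTTPS server-variable problems mentioned there. The document root, the 127.0.0.1:9000 PHP-FPM address and the /etc/php-5.4 path come from this page; the regex location, the existence check and the extra fastcgi_param lines are an assumed typical nginx setup, and cgi.fix_pathinfo=0 is assumed to be set in /etc/php-5.4/php.ini as well.

```nginx
# Added example, not from the original page: hardened replacement for the
# "location ~ \.php$" block above. Root and PHP-FPM address match the page;
# cgi.fix_pathinfo=0 in /etc/php-5.4/php.ini is assumed to be set too.

location ~ [^/]\.php(/|$) {
    root  /var/www/htdocs;

    # Split "/app.php/extra/path" into the script name and its PATH_INFO.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Refuse the request unless the .php script really exists on disk.
    # This is what keeps /image.gif/server.php (no server.php present)
    # from ever reaching PHP-FPM, so PHP never gets the chance to fall
    # back to image.gif as the script.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

    # Send PATH_INFO ourselves so software that depends on it keeps
    # working after cgi.fix_pathinfo is turned off in php.ini.
    fastcgi_param  PATH_INFO  $fastcgi_path_info;

    # Mark TLS requests so PHP sees $_SERVER['HTTPS'] = "on" (newer
    # fastcgi_params files already do this; setting it again is harmless).
    fastcgi_param  HTTPS  $https if_not_empty;
}
```

The existence check in nginx and cgi.fix_pathinfo=0 in php.ini defend the same hole from both sides, so either one alone is a mitigation and both together are defence in depth. Separately, listen.allowed_clients in /etc/php-fpm.conf only filters by source address; make sure the listen directive in that file also binds to 127.0.0.1:9000 rather than a wildcard address, otherwise the FastCGI port is still reachable from the network.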

Install Suhosin

With OpenBSD 5.5, suhosin is not built-in by default, nor available as a package. It will have to be installed manually.

First, install a version of autoconf:

pkg_add autoconf

Select the version you want to install.

Next, download the source code of suhosin, unpack it, and configure and build it:

AUTOCONF_VERSION=2.69 phpize-5.4
./configure --with-php-config=/usr/local/bin/php-config-5.4
make
make install

Finally, load the module by creating an extension file:

echo extension=suhosin.so > /etc/php-5.4/suhosin.ini

Restart PHP FPM to use the new module:

/etc/rc.d/php-fpm restart

And verify the module is installed:

php-5.4 -m

The module is located in the same directory as the other ones, at /usr/local/lib/php-5.4/modules/.