openbsd_php [2014/06/13 12:48] (current)
====== OpenBSD PHP ======

  * [[OpenBSD]]
  * [[OpenBSD nginx]]

  * [[http://www.h-i-r.net/p/hirs-secure-openbsd-apache-mysql-and.html|HiR's Secure OpenBSD, Apache, MySQL and PHP Guide]]


==== Installation ====

Install PHP:

<code>
pkg_add php-curl php-gd php-gmp php-mcrypt php-mysql php-mysqli php-pdo_mysql php-zip
ln -sf /var/www/conf/modules.sample/php-5.4.conf /var/www/conf/modules/php.conf
ln -sf /etc/php-5.4.sample/bz2.ini /etc/php-5.4/bz2.ini
ln -sf /etc/php-5.4.sample/curl.ini /etc/php-5.4/curl.ini
ln -sf /etc/php-5.4.sample/gd.ini /etc/php-5.4/gd.ini
ln -sf /etc/php-5.4.sample/gmp.ini /etc/php-5.4/gmp.ini
ln -sf /etc/php-5.4.sample/mcrypt.ini /etc/php-5.4/mcrypt.ini
ln -sf /etc/php-5.4.sample/mysql.ini /etc/php-5.4/mysql.ini
ln -sf /etc/php-5.4.sample/mysqli.ini /etc/php-5.4/mysqli.ini
ln -sf /etc/php-5.4.sample/pdo_mysql.ini /etc/php-5.4/pdo_mysql.ini
ln -sf /etc/php-5.4.sample/zip.ini /etc/php-5.4/zip.ini
</code>

  * Add ''index.php'' to ''DirectoryIndex'' in ''/var/www/conf/httpd.conf''

==== General Notes: PHP Security, nginx, DokuWiki ====

Setting up PHP securely with nginx is a bit of an impossibility in some ways.

The OpenBSD default to parse all files ending with a .php extension works well, but a theoretical security hole is available: say ''/image.gif/server.php'' is a URL with no existing ''server.php'' file; then it would run ''image.gif'' as a PHP file. (I haven't been able to duplicate this.) However, that's limited to cases where users can upload files, which depends again on the software the site is running and what features are enabled.

Another security option is to disable CGI fix pathinfo for PHP. However, this can break some PHP software (WordPress, in theory) that relies on the SERVER variables, which can also be overridden with some nginx flags so that they are correctly sent.

Another issue is with HTTPS requests: since you are sending traffic to the PHP FPM server, again the server variables may not see it as a secure request. Same problem as before (and probably same fix): tweak nginx.

I haven't been able to get pretty URLs working with dokuwiki yet either. It's possible to set up nginx so that any location under / whose file is not found uses ''doku.php'' instead.
+ | |||
+ | Altogether, the combination of the three (nginx, PHP FPM and dokuwiki / pretty URLs) make it not worth the hassle. | ||
+ | |||
+ | Recommendation for now is to use a simple Apache 2.2 setup in it's place. | ||
+ | |||
==== PHP-FPM ====

Install PHP-FPM:

<code>
pkg_add php-fpm
</code>

Set up the configuration file at ''/etc/php-fpm.conf'' to accept connections from localhost only:

<code>
listen.allowed_clients = 127.0.0.1
</code>

Start the service:

<code>
/etc/rc.d/php-fpm start
</code>

==== PHP-FPM with nginx ====

To set up nginx to serve PHP using FPM, there are only two changes to make in ''/etc/nginx/nginx.conf''.

Add ''index.php'' to the index directive:

<code>
index index.html index.htm index.php
</code>

and uncomment the PHP FPM settings:

<code>
location ~ \.php$ {
    root /var/www/htdocs;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
</code>
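As an added example (not part of the original page), here is a hardened version of the PHP-FPM location above that also addresses the three problems from the notes section: the ''/image.gif/server.php'' path-info hole, the HTTPS server variable, and the DokuWiki ''doku.php'' fallback for pretty URLs. The hostname and certificate paths are assumed; the document root and FPM address are the ones used on this page.

```nginx
# Added example, not from the original page. Assumes /var/www/htdocs as the
# document root, PHP-FPM on 127.0.0.1:9000, and DokuWiki installed in the root.
server {
    listen 443 ssl;
    server_name wiki.example.org;                    # assumed hostname
    ssl_certificate     /etc/ssl/server.crt;         # assumed path
    ssl_certificate_key /etc/ssl/private/server.key; # assumed path
    root  /var/www/htdocs;
    index index.html index.htm index.php;

    # Pretty URLs: serve the file or directory if it exists, otherwise hand
    # the request to DokuWiki (set userewrite = 1 in DokuWiki's config).
    location / {
        try_files $uri $uri/ @dokuwiki;
    }
    location @dokuwiki {
        # Same mappings as DokuWiki's own .htaccess.dist rewrite rules
        rewrite ^/_media/(.*)           /lib/exe/fetch.php?media=$1  last;
        rewrite ^/_detail/(.*)          /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*)  /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*)                  /doku.php?id=$1              last;
    }

    location ~ \.php$ {
        # Close the /image.gif/server.php hole: the requested script must
        # exist on disk, otherwise nginx answers 404 instead of letting
        # PHP-FPM walk back the path and execute an uploaded file.
        try_files $uri =404;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Tell PHP this request arrived over TLS so $_SERVER['HTTPS'] is set
        fastcgi_param HTTPS on;
    }
}
```

Setting ''cgi.fix_pathinfo=0'' in php.ini, as the notes suggest, is the PHP-side companion to ''try_files $uri =404;'' and is worth keeping even with this block in place.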
+ | |||
+ | ==== Install Suhosin ==== | ||
+ | |||
+ | * [[PHP Suhosin]] | ||
+ | |||
+ | With OpenBSD 5.5, suhosin is not built-in by default, nor available as a package. It will have to be installed manually. | ||
+ | |||
+ | First, install a version of autoconf: | ||
+ | |||
+ | <code> | ||
+ | pkg_add autoconf | ||
+ | </code> | ||
+ | |||
+ | Select the version you want to install. | ||
+ | |||
+ | Next, download the source code of suhosin, unpack it, and configure and build it: | ||
+ | |||
+ | <code> | ||
+ | AUTOCONF_VERSION=2.69 phpize-5.4 | ||
+ | ./configure --with-php-config=/usr/local/bin/php-config-5.4 | ||
+ | make | ||
+ | make install | ||
+ | </code> | ||
+ | |||
+ | Finally, load the module by creating an extension file: | ||
+ | |||
+ | <code> | ||
+ | echo extension=suhosin.so > /etc/php-5.4/suhosin.ini | ||
+ | </code> | ||
+ | |||
+ | Restart PHP FPM to use the new module: | ||
+ | |||
+ | <code> | ||
+ | /etc/rc.d/php-fpm restart | ||
+ | </code> | ||
+ | |||
+ | And verify the module is installed: | ||
+ | |||
+ | <code> | ||
+ | php-5.4 -m | ||
+ | </code> | ||
+ | |||
+ | The module is located in the same directory as the other ones, at ''/usr/local/lib/php-5.4/modules/''. |