

openbsd_php [2014/06/13 18:48] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== OpenBSD PHP ======
  
 +  * [[OpenBSD]]
 +  * [[OpenBSD nginx]]
 +
 +  * [[http://www.h-i-r.net/p/hirs-secure-openbsd-apache-mysql-and.html|HiR's Secure OpenBSD, Apache, MySQL and PHP Guide]]
 +
 +
 +==== Installation ====
 +
 +
 +Install PHP:
 +
 +<code>
 +pkg_add php-curl php-gd php-gmp php-mcrypt php-mysql php-mysqli php-pdo_mysql php-zip
 +ln -sf /var/www/conf/modules.sample/php-5.4.conf /var/www/conf/modules/php.conf
 +ln -sf /etc/php-5.4.sample/bz2.ini /etc/php-5.4/bz2.ini
 +ln -sf /etc/php-5.4.sample/curl.ini /etc/php-5.4/curl.ini
 +ln -sf /etc/php-5.4.sample/gd.ini /etc/php-5.4/gd.ini
 +ln -sf /etc/php-5.4.sample/gmp.ini /etc/php-5.4/gmp.ini
 +ln -sf /etc/php-5.4.sample/mcrypt.ini /etc/php-5.4/mcrypt.ini
 +ln -sf /etc/php-5.4.sample/mysql.ini /etc/php-5.4/mysql.ini
 +ln -sf /etc/php-5.4.sample/mysqli.ini /etc/php-5.4/mysqli.ini
 +ln -sf /etc/php-5.4.sample/pdo_mysql.ini /etc/php-5.4/pdo_mysql.ini
 +ln -sf /etc/php-5.4.sample/zip.ini /etc/php-5.4/zip.ini
 +</code>
 +
 +  * Add ''index.php'' to ''DirectoryIndex'' in ''/var/www/conf/httpd.conf''
 +
 +==== General Notes: PHP Security, nginx, DokuWiki ====
 +
 +Setting up PHP securely with nginx is a bit of an impossibility in some ways. 
 +
 +The OpenBSD default to parse all files ending with a .php extension works well, but a theoretical security hole is available: say if ''/image.gif/server.php'' is a URL with no existing ''server.php'' file, then it would run ''image.gif'' as a PHP file.  (I haven't been able to dupicliate this).  However, that's limited to if users can upload files -- which depends again on the software the site is running, and what features are enabled.
 +
 +Another security option is to disable CGI fix pathinfo for PHP.  However, this can break some PHP software (WordPress, in theory) that relies on the SERVER variables -- which can also be overriden with some nginx flags so that they are correctly sent.
 +
 +Another issue is with HTTPS requests, since you are sending traffic to the PHP FPM server, again the server variables may not see it as a secure request.  Same problem as before (and probably same fix), to tweak nginx.
 +
 +I haven't been able to get pretty URLs working with dokuwiki yet either.  It's possible to have nginx set up that any location at / if the file itself is not found to use ''doku.php'' instead.
 +
 +Altogether, the combination of the three (nginx, PHP FPM and dokuwiki / pretty URLs) make it not worth the hassle.
 +
 +Recommendation for now is to use a simple Apache 2.2 setup in it's place.
 +
 +==== PHP-FPM ====
 +
 +Install PHP-FPM:
 +
 +<code>
 +pkg_install php-fpm
 +</code>
 +
 +Setup configuration file at ''/etc/php-fpm.conf'' to listen to localhost connections only:
 +
 +<code>
 +listen.allowed_clients = 127.0.0.1
 +</code>
 +
 +Start the service:
 +
 +<code>
 +/etc/rc.d/php-fpm start
 +</code>
 +
 +==== PHP-FPM with nginx ====
 +
 +To setup nginx to serve PHP using FPM, there are only two changes to make in ''/etc/nginx/nginx.conf''.
 +
 +Add ''index.php'' to the index directive:
 +
 +<code>
 +index         index.html index.htm index.php
 +</code>
 +
 +and uncomment the PHP FPM settings:
 +
 +<code>
 +        location ~ \.php$ {
 +            root           /var/www/htdocs;
 +            fastcgi_pass   127.0.0.1:9000;
 +            fastcgi_index  index.php;
 +            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
 +            include        fastcgi_params;
 +        }
 +</code>
 +
 +==== Install Suhosin ====
 +
 +  * [[PHP Suhosin]]
 +
 +With OpenBSD 5.5, suhosin is not built-in by default, nor available as a package.  It will have to be installed manually.
 +
 +First, install a version of autoconf:
 +
 +<code>
 +pkg_add autoconf
 +</code>
 +
 +Select the version you want to install.
 +
 +Next, download the source code of suhosin, unpack it, and configure and build it:
 +
 +<code>
 +AUTOCONF_VERSION=2.69 phpize-5.4
 +./configure --with-php-config=/usr/local/bin/php-config-5.4
 +make
 +make install
 +</code>
 +
 +Finally, load the module by creating an extension file:
 +
 +<code>
 +echo extension=suhosin.so > /etc/php-5.4/suhosin.ini
 +</code>
 +
 +Restart PHP FPM to use the new module:
 +
 +<code>
 +/etc/rc.d/php-fpm restart
 +</code>
 +
 +And verify the module is installed:
 +
 +<code>
 +php-5.4 -m
 +</code>
 +
 +The module is located in the same directory as the other ones, at ''/usr/local/lib/php-5.4/modules/''.
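
Review bot: the `location ~ \.php$` block in the "PHP-FPM with nginx" section hands every URI ending in `.php` to `fastcgi_pass` without first checking that the script exists on disk, which leaves open the `/image.gif/server.php` case that the General Notes section describes. Consider adding `try_files $uri =404;` inside that block, together with the CGI fix pathinfo change the notes already mention. Two smaller points in the same revision: the PHP-FPM section uses `pkg_install php-fpm` while every other install step uses `pkg_add`, and `listen.allowed_clients = 127.0.0.1` only filters client addresses, so the `listen` address should also be shown to match the "localhost connections only" wording and the `fastcgi_pass 127.0.0.1:9000` line. The Suhosin section says to download the source but gives no step for verifying the download before `make install`; a checksum or signature check would fit there.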
