chroot PHP for use with nginx
Posted 10-31-2010 at 10:40 AM by Web31337
I never had to deal with a chrooted environment before, and there isn't a lot of info out there on the net. The best result I've found so far is http://www.cyberciti.biz/tips/howto-...oted-jail.html
It covers almost the whole topic; what follows is how to tie that chrooted PHP into nginx on Gentoo Linux.
Say you have a site, example.org, with an app you don't really trust in the /app/ directory. Your own site scripts run in the normal, non-chrooted PHP, and you want a separate, chrooted PHP to serve only the /app/ path, so that a compromise of the app stays inside the chroot and cannot touch the rest of the site.
Step by step:
First, use that manual to set up the chroot itself. This post assumes the chroot lives in /opt/chroot.
Do not include the fastcgi_params file globally in nginx.conf; include it inside the server block, per location, because the chrooted backend and the normal one need different parameters (in particular a different script path). The server block for the site may look like this:
Code:
server {
    listen      80;
    server_name example.org;
    access_log  logs/example.org main;
    charset     utf-8;

    # The untrusted app: handed to the chrooted PHP-FPM on port 8000.
    # 'root' is the real host path, so nginx can serve the app's static
    # files itself and can check that a requested script really exists
    # before passing the request on.
    location /app/ {
        root  /opt/chroot/srv;
        index index.html index.php;
        include fcgi-unpriv.conf;

        location ~ \.php$ {
            try_files $uri =404;      # refuse /app/x.jpg/y.php style requests
            fastcgi_pass 127.0.0.1:8000;
        }
    }

    # Your own site: handed to the normal, non-chrooted PHP-FPM on port 9000.
    location / {
        root  /srv/example.org/;
        index index.html index.php;
        include fcgi.conf;

        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
        }
    }
}
and fcgi-unpriv.conf is:
Code:
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE   nginx;
fastcgi_param QUERY_STRING      $query_string;
fastcgi_param REQUEST_METHOD    $request_method;
fastcgi_param CONTENT_TYPE      $content_type;
fastcgi_param CONTENT_LENGTH    $content_length;
# Paths as the chrooted PHP sees them: /opt/chroot is its "/", so the app
# lives in /srv/app. $document_root would expand to nginx's 'root'
# (/opt/chroot/srv), a path that does not exist inside the chroot, so the
# chroot-relative prefix is written out explicitly instead.
fastcgi_param SCRIPT_FILENAME   /srv$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT     /srv;
fastcgi_param SCRIPT_NAME       $fastcgi_script_name;
fastcgi_param REQUEST_URI       $request_uri;
fastcgi_param DOCUMENT_URI      $document_uri;
fastcgi_param SERVER_PROTOCOL   $server_protocol;
fastcgi_param REMOTE_ADDR       $remote_addr;
fastcgi_param REMOTE_PORT       $remote_port;
fastcgi_param SERVER_ADDR       $server_addr;
fastcgi_param SERVER_PORT       $server_port;
fastcgi_param SERVER_NAME       $server_name;
fastcgi_param HTTPS             off;
As you can see, the actual site files live in /srv/example.org/ and are passed over FastCGI to localhost:9000, where the standard PHP configuration runs.
The /app/ directory has its own configuration and goes to localhost:8000, where the chrooted PHP listens.
The chroot directory is /opt/chroot/ and the files for /app/ live in /opt/chroot/srv/app/. nginx's 'root' for that location is the real host path, /opt/chroot/srv, so nginx can serve static content (css, js, images) directly and can verify with try_files that a script exists before handing it over. The chrooted PHP, however, sees /opt/chroot as its /, so the script path it receives must be chroot-relative: /srv/app/index.php, not /opt/chroot/srv/app/index.php. That is why fcgi-unpriv.conf builds SCRIPT_FILENAME from the fixed prefix /srv rather than from $document_root: $document_root expands to the root directive (the host path), and overriding the DOCUMENT_ROOT FastCGI parameter does not change it, because PHP locates the script by SCRIPT_FILENAME alone and only exports DOCUMENT_ROOT to the script as $_SERVER['DOCUMENT_ROOT']. The alternative is to link the host path into the chroot (so that /opt/chroot/opt/chroot/srv resolves to /srv inside it) and keep the stock $document_root$fastcgi_script_name; some may find that a nice hack, and it needs less nginx configuration, so you are free to choose. If /app/ contains only PHP files and no static content that nginx must read itself, you can also simply set root to /srv and keep the stock SCRIPT_FILENAME, but then try_files cannot check anything, since /srv/app does not exist on the host.
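To see concretely why the SCRIPT_FILENAME prefix matters and what try_files and cgi.fix_pathinfo=0 guard against, here is a small shell simulation. It is an added example and not part of the original post: it builds a throw-away copy of the /opt/chroot/srv/app layout under a temporary directory (the index.php and logo.jpg in it are constructed here) and emulates, in shell, how nginx builds SCRIPT_FILENAME with and without the chroot-relative prefix, whether a chrooted worker could open the result, what try_files $uri =404 decides, and the path walk-back PHP performs when cgi.fix_pathinfo=1 and the script does not exist.

```shell
#!/bin/sh
# Added example, not from the original post. Simulates the nginx -> chrooted
# PHP-FPM path mapping for location /app/ inside a temporary directory;
# nothing here touches /opt/chroot or a real nginx/php-fpm.
set -u

CHROOT=$(mktemp -d)            # stands in for /opt/chroot
trap 'rm -rf "$CHROOT"' EXIT
HOST_ROOT="$CHROOT/srv"        # nginx 'root' for location /app/ (real host path)
CHROOT_ROOT="/srv"             # the same directory as the chrooted PHP sees it

# Constructed sample layout: /opt/chroot/srv/app/{index.php,logo.jpg}
setup_layout() {
    mkdir -p "$HOST_ROOT/app"
    printf '<?php echo "app";\n' > "$HOST_ROOT/app/index.php"
    printf 'not really a jpeg\n'  > "$HOST_ROOT/app/logo.jpg"
}

# SCRIPT_FILENAME as the stock fcgi.conf builds it: $document_root$fastcgi_script_name,
# where $document_root is nginx's 'root' directive, i.e. the host path.
script_filename_host() {       # $1 = request path, e.g. /app/index.php
    printf '%s%s\n' "$HOST_ROOT" "$1"
}

# SCRIPT_FILENAME as fcgi-unpriv.conf builds it: /srv$fastcgi_script_name
script_filename_chroot() {     # $1 = request path
    printf '%s%s\n' "$CHROOT_ROOT" "$1"
}

# A chrooted worker opens SCRIPT_FILENAME relative to its own "/", so the
# file it really touches on the host is $CHROOT + SCRIPT_FILENAME.
# Exit status 0 only if that file exists.
opens_in_chroot() {            # $1 = SCRIPT_FILENAME
    [ -f "$CHROOT$1" ]
}

# 'try_files $uri =404' in location ~ \.php$: nginx stats the request path
# under its own root before handing the request to FastCGI.
try_files_decision() {         # $1 = request path; prints "pass" or "404"
    if [ -f "$HOST_ROOT$1" ]; then echo pass; else echo 404; fi
}

# What PHP does with cgi.fix_pathinfo=1 when SCRIPT_FILENAME does not exist:
# it strips trailing path components until it finds a file and executes that
# one, with the remainder as PATH_INFO. Prints the file it would run.
fix_pathinfo_resolve() {       # $1 = SCRIPT_FILENAME (as the worker sees it)
    p="$1"
    while [ -n "$p" ]; do
        if [ -f "$CHROOT$p" ]; then printf '%s\n' "$p"; return 0; fi
        p="${p%/*}"
    done
    return 1                   # "No input file specified"
}

setup_layout
for uri in /app/index.php /app/logo.jpg/x.php; do
    echo "request $uri  (try_files: $(try_files_decision "$uri"))"
    for sf in "$(script_filename_host "$uri")" "$(script_filename_chroot "$uri")"; do
        echo "  SCRIPT_FILENAME=$sf"
        echo "    opens inside chroot:  $(opens_in_chroot "$sf" && echo yes || echo no)"
        echo "    fix_pathinfo=1 runs:  $(fix_pathinfo_resolve "$sf" || echo 'nothing (No input file specified)')"
    done
done
```

The second request shows the two layers: nginx's try_files answers 404 because /opt/chroot/srv/app/logo.jpg/x.php is not a file, and if it were passed on anyway, a PHP with cgi.fix_pathinfo=1 would fall back to executing logo.jpg as PHP, which is why the custom php.ini sets it to 0 as well.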
From here we are almost ready.
Prepare a custom php.ini for the unprivileged server (/etc/php/fpm-php5/php.unpriv.ini in the init script below). Two things matter for the chroot: set cgi.fix_pathinfo = 0, so that PHP does not walk back from a non-existent /app/x.jpg/y.php and execute /app/x.jpg (the try_files line in the nginx config is the other half of that defence), and make every path PHP itself opens chroot-relative, e.g. session.save_path and upload_tmp_dir as /tmp, not /opt/chroot/tmp.
Assuming you built PHP with FPM support, copy /etc/init.d/php-fpm to /etc/init.d/php-fpm.unpriv and point it at the separate configuration, php.ini and pid file:
Code:
#!/sbin/runscript
# Second PHP-FPM instance for the chrooted pool: a copy of the stock
# /etc/init.d/php-fpm pointed at its own config, php.ini and pid file.

PHP_FPM_CONF="/etc/php/fpm-php5/php-fpm-unpriv.conf"
PHP_INI="/etc/php/fpm-php5/php.unpriv.ini"
PIDFILE="/var/run/php/fpm.unpriv.pid"   # must match 'pid' in PHP_FPM_CONF

opts="depend start stop reload"

depend() {
    need net
    use apache2 lighttpd nginx
}

start() {
    ebegin "Starting PHP-FPM [unpriv] server"
    start-stop-daemon --start --exec /usr/bin/php-fpm -- \
        -y "${PHP_FPM_CONF}" -c "${PHP_INI}"
    eend $?
}

stop() {
    ebegin "Stopping PHP-FPM [unpriv] server"
    start-stop-daemon --stop --pidfile "${PIDFILE}" --exec /usr/bin/php-fpm
    eend $?
}

# php-fpm re-reads its configuration on SIGUSR2.
reload() {
    ebegin "Reloading PHP-FPM [unpriv] server"
    kill -USR2 "$(cat "${PIDFILE}")"
    eend $?
}
Create a separate user and group for the chrooted pool (do not reuse the user of the main pool, or the chroot gains nothing against a local attacker), then copy /etc/php/fpm-php5/php-fpm.conf to php-fpm-unpriv.conf and set the user:group, the chroot path (/opt/chroot), the listen port (8000) and the pid file (/var/run/php/fpm.unpriv.pid, the one the init script stops and reloads by).
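As a concrete form of that last step, here is what php-fpm-unpriv.conf can look like in the ini-style format PHP-FPM 5.3 uses. This is an added example, not the original post's file: the pool name, the user and group name php-unpriv and the error_log path are assumptions; the port, chroot path and pid file are the ones used above.

```ini
; php-fpm-unpriv.conf (added example, not from the original post)
[global]
pid = /var/run/php/fpm.unpriv.pid         ; must match --pidfile in the init script
error_log = /var/log/php-fpm-unpriv.log   ; assumed path; host path, the master process is not chrooted

[app]                                     ; pool name is an assumption
listen = 127.0.0.1:8000                   ; what nginx's location /app/ passes to
listen.allowed_clients = 127.0.0.1
user  = php-unpriv                        ; assumed name: a dedicated uid/gid, never the main pool's
group = php-unpriv
chroot = /opt/chroot                      ; workers see this directory as "/"
chdir  = /srv/app                         ; inside the chroot, like every path the workers open
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
```

chroot is a per-pool setting applied to the workers only, so the master still runs outside the chroot with the privileges needed to bind the port and write the pid and log files; everything the workers touch (sessions, uploads, the scripts themselves) must already exist under /opt/chroot.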
That's it! Start it with /etc/init.d/php-fpm.unpriv start (and rc-update add php-fpm.unpriv default to have it come up at boot), then request something under /app/ and check that it is answered by the pool on port 8000.
Hope this helps someone...
Keywords for google: php chroot nginx, chroot php, gentoo php chroot, nginx + chrooted php