Nginx+PHP-FPM secure server installation guide

[Jason Sorenti]

well, I think I was resolved by myself :smile:

Thank you for your support

P/S: you reply so fast. Can't believe it o.0

[Makoto]

Glad to hear it!

No problem, and I get that all the time, I guess I just don't really have a life :P

[Aussie Cable]

So I have this bizarre issue.......

After rebooting, my /var/run/php-fpm folder is missing and I have to recreate it again, then restart php-fpm.

Running Debian Wheezy, this has me lost, and is prolly very simple, any idea's?

[Makoto]

Debian Wheezy now mounts /var/run as a tmpfs by default. (/var/run is actually just symlinked to /run now, which is a tmpfs)

To prevent the php-fpm directory from being lost after reboot, you'll need to modify the php-fpm init script.

(Make sure you've followed the directions here first: http://community.invisionpower.com/index.php?app=forums&module=forums&section=findpost&pid=2404669)

Open /etc/init.d/php-fpm in your favorite text editor and add this to it,

# Replace php-fpm directory that may be lost on reboot
test -e /var/run/php-fpm || install -m 755 -o php-fpm -g root -d /var/run/php-fpm

The final output should look like this:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          php-fpm php5-fpm
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6 
# Short-Description: starts php5-fpm
# Description:       Starts PHP5 FastCGI Process Manager Daemon
### END INIT INFO
 
# Author: Ondrej Sury <ondrej@debian.org>
 
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Process Manager"
NAME=php5-fpm
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
PIDFILE=/var/run/php5-fpm.pid
TIMEOUT=30
SCRIPTNAME=/etc/init.d/$NAME
 
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
 
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
 
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
 
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
 
# Replace php-fpm directory that may be removed on reboot
test -e /var/run/php-fpm || install -m 755 -o php-fpm -g root -d /var/run/php-fpm
 
#
# Function to check the correctness of the config file
#
do_check()
{
    [ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "[ERROR]"
    FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "[ERROR]")
 
    if [ -n "${FPM_ERROR}" ]; then
echo "Please fix your configuration file..."
$DAEMON $DAEMON_ARGS -t 2>&1 | grep "[ERROR]"
return 1
    fi
    return 0
}
 
#
# Function that starts the daemon/service
#
do_start()
{
# Return
#   0 if daemon has been started
#   1 if daemon was already running
#   2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null 
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- 
$DAEMON_ARGS 2>/dev/null 
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one.  As a last resort, sleep for some time.
}
 
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
#   0 if daemon has been stopped
#   1 if daemon was already stopped
#   2 if daemon could not be stopped
#   other if a failure occurred
start-stop-daemon --stop --quiet --retry=QUIT/$TIMEOUT/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently.  A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/TERM/5/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
 
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
 
case "$1" in
    start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_check $VERBOSE
case "$?" in
   0)
do_start
case "$?" in
   0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
   2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
   1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
    stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    check)
        do_check yes
;;
    reload|force-reload)
log_daemon_msg "Reloading $DESC" "$NAME"
do_reload
log_end_msg $?
;;
    reopen-logs)
log_daemon_msg "Reopening $DESC logs" $NAME
if start-stop-daemon --stop --signal USR1 --oknodo --quiet 
   --pidfile $PIDFILE --exec $DAEMON
then
   log_end_msg 0
else
   log_end_msg 1
fi
;;
    restart)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
 0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
 *)
  # Failed to stop
log_end_msg 1
;;
esac
;;
    *)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
exit 1
    ;;
esac
 
:

[Enkidu]

good job Kirito. I wonder if you have used Centmin mod.

http://centminmod.com/

[Makoto]

Nope, never heard of it. Looks interesting though. I've considered writing my own management scripts for handling NSD zones and basic Nginx configurations, but I haven't gotten around to playing with the idea yet. Right now I just manage most everything by hand.

[Enkidu]

me too. First time I hear about it was on xF website but I'm waiting for someone to give it a try :)

[Makoto]

Recently I've been preoccupied playing with CodeIgniter for some pet projects of mine.

It's a really beautiful and fun PHP framework, a friend recently suggested it to me and I've been addicted since. I've never actually used any PHP framework before, so it's a fun first experience.

I feel like this and {wrap}bootstrap has spoiled me. It takes almost all of the painful tediousness out of programming, heh :tongue:

[Aussie Cable]

Debian Wheezy now mounts /var/run as a tmpfs by default. (/var/run is actually just symlinked to /run now, which is a tmpfs)

To prevent the php-fpm directory from being lost after reboot, you'll need to modify the php-fpm init script.

(Make sure you've followed the directions here first: http://community.invisionpower.com/index.php?app=forums&module=forums&section=findpost&pid=2404669)

Open /etc/init.d/php-fpm in your favorite text editor and add this to it,

# Replace php-fpm directory that may be lost on reboot
test -e /var/run/php-fpm || install -m 755 -o php-fpm -g root -d /var/run/php-fpm

The final output should look like this:

<SNIP> STUPID EDITOR BUG AGAIN!

Perfect :smile:

I figured that it had something to do with it being tmpfs, but could not figure out what was going on, maybe next time I will sleep on it first.

Once again thanks Kirito :thumbsup:

[p4guru]

good job Kirito. I wonder if you have used Centmin mod.

http://centminmod.com/

IPB works fine on Centmin Mod see examples at http://centminmod.com/nginx_configure.html including IPB setup example :)

[Enkidu]

IPB works fine on Centmin Mod see examples at http://centminmod.com/nginx_configure.html including IPB setup example :smile:

cool! Now all I need is a tutorial on adding ModSecurity to it

[Jason Sorenti]

Hello Kirito !

I have a new question. I hope you can help :D

I'm using nginx as reverse proxy for apache. But number of online user (in 15 minutes) show on my board stat decrease to very low. I usualy have 100-150 user online (show on board stat), but when switch to nginx my board stat just show about 10-20, so strange

Here is my nginx config

server {
	listen 80;
	server_name www.domain.com domain.com;
	
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                proxy_pass              http://IP_SERVER:8080;
				client_max_body_size       16m;
				client_body_buffer_size    128k;
				proxy_buffering     on;  

				proxy_connect_timeout      90;
				proxy_send_timeout         90;
				proxy_read_timeout         120;
				proxy_buffer_size          8k;
				proxy_buffers              32 32k;
				proxy_busy_buffers_size    64k;
				proxy_temp_file_write_size 64k;
				error_page              502 503 /usr/share/nginx/html/50x.html;
				
        }
        #static files
        location ~* ^.+.(nrg|htm|html|jpg|jpeg|gif|png|ico|css|zip|7z|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|avi|mp3|mp4|mpg|iso|djvu|dmg|flac|r70|mdf|chm|sisx|sis|flv|thm|bin)$ {

           root /path/to/public_html;
        }

I don't know why. Please help me

[Saiga]

Just a note to everyone browsing this thread and that needs support, the OP says that he's leaving this community and can no longer make any posts. I guess he was banned. No alternate forms of contact were provided.

[Ae9803]

The OP?

[Saiga]

The topic creator.

[Dmacleo]

damn that sucks

due to getting hit with ton of bills jad to dump the 48gb dual xeon and move to a 2gb vps so am setting this up now.

heck of a way to force me into cmd line running LOL

was about to ask how people used phpmyadmin in this setup, if used as a sub or not (on cent os 6.4) since there is no sites-enabled directory most instructions mention.

[Luis Manson]

not sure what you are asking about Dmacleo, but once i made the wrong setup which made phpmyadmin only work if you specify index.php, if you dont it will give a forbbiden error, which i like :)

[yacenty]

how to set up nginx config f we have forum on /forum/ folder and would like have ip.content on main folder?

just now it's like that:

 location / {
        index  index.php index.html index.htm;


        if (!-e $request_filename) {
            rewrite . /forum/index.php last;
        }
    }

[Dmacleo]

not sure what you are asking about Dmacleo, but once i made the wrong setup which made phpmyadmin only work if you specify index.php, if you dont it will give a forbbiden error, which i like :smile:

I just ran it as a subdomain and it seems to work.

trying to learn how to add email address/webmail to setup like this.

SO used to using an interface and having ability to add email accounts to the domain in question, huge learning curve for me.

getting there though, site seems to be ok and apc running around 99.2% hit rate.

seems I first have to manually add a user then manually add email acct. just reading up how to make sure they use correct domain.tld

learning curve.

as far as getting site up, followed this tutorial and was running in 20 minutes, is a good tutorial.

[Dmacleo]

learning as I go :)

have multiple sites (3) running following this guide (just change socket name in fpmm config) and no issues with Phpmyadmin/squirrelmail/roundcube.

since running a few I am considering using the /home/ directory method but thats just a simple path change in config.

this tutorial allowed me to have stuff running in 20 minutes, should be a sticky post.

very useful info.

I did enable remi repo and mariadb to use that and I manually compiled nginx 1.5.1 but that was simple to do also.

[Enkidu]

Just a note to everyone browsing this thread and that needs support, the OP says that he's leaving this community and can no longer make any posts. I guess he was banned. No alternate forms of contact were provided.

why what happened?

[Saiga]

why what happened?

Drama I guess.