
Where has this gone?



Posted

I would prefer that it was returned so I can download it - for future reference to my own IPB server setup.

I mean, every single other thread about servers and setups is available................except Kirito's posts - which does put us who refer to them, at a disadvantage (hint hint IPS).

Posted

nooo

I was planning to use this thread to set up my VPS when I move out soon. I don't think the thread broke any rules, please bring it back, lock it if you have to, but there was tons of useful information there.

Posted

The author requested its removal, along with their resources. As it was in effect a support topic the decision was made to remove the topic, normally topics stay however.

Posted

I'm sorry for having the topic removed without any prior notice. I didn't think anyone would really notice it was gone.

For a number of reasons, I no longer plan on participating in the IPS community and cannot continue to offer support to anyone.

I'm mostly just sick of all the drama I've been involved with and have personally put myself in here. Management in general and most of the active developers/contributors have long wanted me gone anyways, and for a number of reasons they probably have a justifiable reason to feel that way. But really, at the same time, I feel like all of the effort I've put into contributing to the community and contributing to IPS as a whole over the years has been completely shunned and disregarded by the administration in response to a few personal disputes, and that really has made me lose any of the remaining motivation I had for staying.

But as for why I requested to have the topic removed, there are a number of reasons. The topic in question was in need of a rewrite. It was messy and disorganized with some out of date information. When I first created the topic, I didn't even realize at the time that topics in this forum were restricted to members with an active client account only. My initial hopes for the thread were that it would be information freely available to everyone, whether or not they had a currently active/renewed subscription.

Rather than completely abandon the thread and leave, my intention was to rewrite it and publish it publicly elsewhere, where it can be freely edited/updated as needed and where the guide can be freely used and referenced by anyone.

I'm going to try and write something to submit to Nginx's Wiki and re-publish an updated version of the guide somewhere else at a later date, but if you need the reference, here's a copy of the old thread:


Setting up a secure IP.Board installation with NGiNX

This is a guide for those interested in setting up an IP.Board installation using NGiNX as their primary web server. This guide will mostly just cover the basics. In the future, I plan to write extensions to this guide for more advanced configuration techniques, such as global SSL/HTTPS support, Google SPDY and converting to MariaDB + XtraDB.

What will be covered in this guide:

  • Installing the latest stable release of NGiNX on Debian or CentOS
  • Basic NGiNX configuration
  • Setting up rewrite rules for IP.Board through NGiNX
  • Installing and configuring PHP-FPM
  • Setting up proper, secure permissions for your IP.Board powered website

Why should I use NGiNX over Apache?

If you have to ask this, you might not need or want to. Apache is the easier, more popular route people tend to take. NGiNX is a small but very powerful and highly efficient web server. Apache with mod_php can be inefficient and needlessly waste system resources. NGiNX can offer a potential gain in performance with the added benefit of not hogging your server's memory pool. NGiNX is also simply a personal preference of mine, even though I'm not resource constrained on my box.

NGiNX Installation instructions

Debian

Add the following repository to your /etc/apt/sources.list file,

# NGiNX Official Debian Repository
deb http://nginx.org/packages/debian/ squeeze nginx
deb-src http://nginx.org/packages/debian/ squeeze nginx

Now import the PGP key,

wget http://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
rm nginx_signing.key

Update and install,

apt-get update
apt-get install nginx

NGiNX should automatically start after installation. If you have Apache installed and running however, this will fail. So please ensure you stop (and optionally uninstall) Apache before proceeding further. If you don't uninstall Apache, just know the two will be fighting for ports and IPs to bind every time you restart the server.

You can confirm NGiNX is running by using /etc/init.d/nginx status.

CentOS

Add the following repository to /etc/yum.repos.d/nginx.repo,

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1

Now import the PGP key,

wget http://nginx.org/keys/nginx_signing.key
rpm --import nginx_signing.key
rm nginx_signing.key

Install and start,

yum install nginx
/etc/init.d/nginx start

If you have Apache installed and running, NGiNX will fail to start, so please ensure you stop Apache before proceeding further.

You can confirm NGiNX is running by using /etc/init.d/nginx status.

You can also have NGiNX start automatically on boot by running chkconfig --level 345 nginx on.

PHP-FPM Installation Instructions

Debian

Add the following repository to your /etc/apt/sources.list file,

# DotDeb Debian Repository
deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all

Now import the GPG key,

wget http://www.dotdeb.org/dotdeb.gpg
apt-key add dotdeb.gpg
rm dotdeb.gpg

Update and install,

apt-get update
apt-get install php5 php5-apc php5-cli php5-common php5-curl php5-fpm php5-gd php5-imagick php5-imap php5-mysql

CentOS

Nothing complicated here. Just install,

yum install php-cli php-curl php-fpm php-gd php-imap php-mysql php-xml php-pecl-apc

You can also have PHP-FPM start automatically on boot by running chkconfig --level 345 php-fpm on.

NGiNX Configuration

Now that you have both NGiNX and PHP-FPM up and running, we can move on to configuring the web server. First, let's make some small adjustments to /etc/nginx/nginx.conf,

user  nginx;
worker_processes  4;

error_log  /var/log/nginx/error.log error;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  30;

    #gzip  on;

    include conf.d/*.conf;
}

There's not much to say here. Increase worker_processes from the default of 1 to however many processor cores your server has. For example, if your server has a single quad core processor, set this value to 4. I've also changed the error_log directive to only log errors.

Now let's move on to configuring your IP.Board website. Use this as your base template for /etc/nginx/conf.d/ipboard.conf,

server {
    listen       80;
    server_name  yourdomain.com www.yourdomain.com;
    root         /srv/http/yourdomain.com/root;

    # Basic web server configuration.
    index        index.php;
    #access_log   off;
    client_max_body_size  1G;

    # GZIP static content not processed by IPB.
    gzip  on;
    gzip_static on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Set up rewrite rules.
    location / {
        try_files  $uri $uri/ /index.php;
    }
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }

    # Stub Status module
    location /server_status {
        stub_status on;
        #allow 127.0.0.1;
        #deny all;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny  all;
    }

    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny     all;
    }

    # Secure real admin directory
    location ~^(/nimda/).*(\.php) {
        #allow         127.0.0.1;
        #deny          all;
        #auth_basic    "Restricted Area";
        #auth_basic_user_file $document_root/nimda/.htpasswd;
        fastcgi_pass   unix:/var/run/php-fpm/ipboard.sock;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        /etc/nginx/fastcgi_params;
    }

    # IP.Board PHP/CGI Protection
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
    location ~^(/hooks/).*(\.php)$ {
        deny     all;
    }
    location ~^(/cache/).*(\.php)$ {
        deny     all;
    }
    location ~^(/screenshots/).*(\.php)$ {
        deny     all;
    }
    location ~^(/downloads/).*(\.php)$ {
        deny     all;
    }
    location ~^(/blog/).*(\.php)$ {
        deny     all;
    }
    location ~^(/public/style_).*(\.php)$ {
        deny     all;
    }

    # Caching directives for static files.
    location ~^(/uploads/profile/).*\.(jpg|jpeg|gif|png)$ {
        access_log off;
        expires    1d;
    }
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$ {
        access_log off;
        expires    1w;
    }

    # Pass PHP scripts to php-fpm
    location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php-fpm/ipboard.sock;
        fastcgi_index  index.php;
        fastcgi_buffers 16 8k;
        fastcgi_buffer_size 16k;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        /etc/nginx/fastcgi_params;
    }
}

There are a lot of things to cover here. First things first, replace yourdomain.com www.yourdomain.com in the server_name directive with your forum's domain name. Include both the www and non-www version of the domain as above, regardless of which you actually use. You'll also need to replace yourdomain.com in the root and error_log directives.

Next, let's cover where we're going to be installing the forum to. You'll notice I'm not using a /home/someuser hierarchy as you're likely used to. There are two main reasons for this. Neatness and security. If you have your own server, you should keep your personal user account separated from the actual web server. This is simply good practice in general.

/srv on the Linux filesystem is for site-specific data which is served by the system. On all of my servers, I use a /srv/http/{host}/{subhost} hierarchy. "root" references the domain's root. If you ever host another service on your forum (such as a wiki at wiki.yourdomain.com), you could store it in /srv/http/yourdomain.com/wiki

Let's go ahead and set this up for your IP.Board website now. Remember to replace yourdomain.com!

mkdir -p /srv/http/yourdomain.com/root
useradd --system ipboard
groupadd --system http
gpasswd -a nginx http
chown -R ipboard:http /srv/http/yourdomain.com

If you want to disable access logging on your site to reduce disk load, just uncomment the access_log directive under the basic web server configuration section. Either way, we'll be setting NGiNX up to not waste log entries for static resources further down.

Now adjust client_max_body_size to the maximum allowed file size users can upload to your site. So if your highest allowed upload size for any of your members anywhere on your site is 750 MegaBytes, set this to 750M.

Next, we get into configuring rewrite rules. There's nothing you really need to do here. All we have to do with NGiNX is pass a try_files directive, which is better than relying on the rewrite method required with Apache.

The Stub Status module allows you to see how many active connections your server has by visiting yourdomain.com/server_status. If you have a static IP address, you can set it up to ensure that only you will have access to this page, though leaving it public isn't really a vulnerability.

Next, we want a secure installation, right? So that means we're not going to be using /admin anymore. Come up with something creative that you can easily remember to replace /admin. The example above uses "nimda" (which is just "admin" backwards), so replace that with whatever you come up with.

Going a step further, there are two primary ways you can further secure your ACP. The most secure way would be to only allow connections from your IP. Though this will obviously not be feasible if you or another one of your administrators have an IP that constantly changes. If you do have a static IP that you can use, however, uncomment the "allow" and "deny" lines while adding an allow directive for your IP address below allow 127.0.0.1. The second option is to use .htpasswd authentication. IP.Board has a built in function to set this up for you in the security center. You can configure this after installing your forum. After creating the .htpasswd file in your ACP, all you will need to do is uncomment the auth_basic directives and restart NGiNX.

The caching directives are split for user avatars and everything else not processed by IP.Board. I have avatars set to expire after one day. For everything else it's one week. Feel free to adjust this to your own personal preference.

PHP-FPM Configuration

On to PHP-FPM! First, let's go ahead and get rid of the default/example configuration we don't need. This is /etc/php5/fpm/pool.d/www.conf on Debian and /etc/php-fpm.d/www.conf on CentOS. Now, create a new file replacing www.conf with ipboard.conf and using this as the base template:

[ipboard]

; Set the prefix directory and the user/group to run under
prefix = /var/run/php-fpm
user = php-fpm
group = http

; Configure listen(2) directives
listen = ipboard.sock
listen.backlog = 4096
listen.owner = php-fpm
listen.group = http
listen.mode = 0660

; Set up the process manager
pm = static
pm.max_children = 10
pm.max_requests = 250
pm.status_path = /fpm.php

; The timeout for serving a single request. Prevents runaway scripts.
request_terminate_timeout = 5m

; Only execute .php scripts.
chdir = /srv/http/yourdomain.com/root
security.limit_extensions = .php

; Environment variables.
;env[HOSTNAME] = $HOSTNAME
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
env[DOCUMENT_ROOT] = /srv/http/yourdomain.com/root

; PHP flags and security directives for just this site
php_flag[display_errors] = off
php_admin_value[open_basedir] = /srv/http/yourdomain.com/root:/tmp:/usr/bin
php_admin_value[disable_functions] = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,show_source,shell_exec,symlink
php_admin_value[upload_max_filesize] = 1G
php_admin_value[post_max_size] = 1G

First, replace all instances of "yourdomain.com" accordingly again. Next, let's go ahead and set up everything we need for PHP-FPM to run properly,

mkdir /var/run/php-fpm
useradd --system php-fpm
chown php-fpm:root /var/run/php-fpm

You can skip creating the directory on CentOS, as it will have already been created, but you will still need to apply the new permissions.

Finding the optimal setting for pm.max_children is a bit of trial and error. I have it set to 10 as a default. You may need to increase or lower this setting depending on how constrained your server is and how much traffic your site receives. IP.Board tends to use an average of about ~52MB per process for me. So if you have 2GB of memory to spare on your server after accounting for MySQL and any other services you run, you could probably safely support up to 35 static processes, though you may not need nearly this many. Setting this too high may result in your server running out of memory, so be careful.

At this point, let's go ahead and test to make sure everything works. (Use /etc/init.d/php5-fpm restart for Debian)

/etc/init.d/nginx restart
/etc/init.d/php-fpm restart

No problems? Good! Problems? Double check your work and check your error logs.

Let's create /srv/http/yourdomain.com/root/test.php as a test file with a simple phpinfo() call,

<?php
phpinfo();
?>

Now visit yourdomain.com/test.php. You should see a PHPINFO page containing the open_basedir and other directives we set. If you don't, you did something wrong. Go back and review. If all is well, delete the test.php file. (Really, delete it. Security audit tools scan for files like this, and you don't want to needlessly expose your server information to malicious parties.)

Setting Up IP.Board

If you're setting up a new IP.Board website, you'll need to install mysql-server, set up a new database and so on. There are plenty of resources available for learning how to do this if you don't know how already. After you copy your entire forum directory into /srv/http/yourdomain.com/root, we just need to set up proper permissions,

chown -R ipboard:http /srv/http/yourdomain.com
httproot=/srv/http/yourdomain.com/root
# Default: directories 0750, files 0640 (owner ipboard, group http)
find $httproot -type d -exec chmod 0750 {} \;
find $httproot -type f -exec chmod 0640 {} \;
# Directories IP.Board writes to: group-writable (0770 / 0660)
find $httproot/{uploads,cache,downloads,hooks,screenshots,blog,public/style_*} -type d -exec chmod 0770 {} \;
find $httproot/{uploads,cache,downloads,hooks,screenshots,blog,public/style_*} -type f -exec chmod 0660 {} \;

If you haven't already, rename your /admin directory to whatever you chose earlier. Afterwards, create the following constants.php file in your forum's root, replacing "nimda" appropriately,

<?php

    define( 'CP_DIRECTORY', 'nimda' );

?>

Update the permissions,

chmod 0640 constants.php
chown ipboard:http constants.php

And that's it! IP.Board should be up and running. If you're having trouble, review all of the above steps and check your error log (/var/log/nginx/error.log).


I probably could have just requested to have the thread locked instead of removed, I guess. But anyways, there you go. You're still welcome to send me a message if you have questions/need help, but I can't guarantee a quick response (or a response at all).
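
Added example, not part of the original post: a simplified Python model of how nginx picks a location for the ipboard.conf rules (first matching regex in file order, otherwise the longest matching prefix), useful for checking which requests reach PHP-FPM and which are denied. The action labels, the sample URIs and the escaped-dot spelling of the patterns are assumptions of this example.

```python
import re

# Locations from ipboard.conf, in file order: (kind, pattern, action label).
# Assumption of this example: literal dots in the regexes are escaped as "\.".
LOCATIONS = [
    ("prefix", "/", "try_files"),
    ("regex", r"^(/page/).*(\.php)$", "try_files"),
    ("prefix", "/server_status", "stub_status"),
    ("regex", r"/\.", "deny"),
    ("regex", r"^/admin/(.*)$", "deny"),
    ("regex", r"^(/nimda/).*(\.php)", "php-fpm (admin)"),
    ("regex", r"^(/uploads/).*(\.php)$", "deny"),
    ("regex", r"^(/hooks/).*(\.php)$", "deny"),
    ("regex", r"^(/cache/).*(\.php)$", "deny"),
    ("regex", r"^(/screenshots/).*(\.php)$", "deny"),
    ("regex", r"^(/downloads/).*(\.php)$", "deny"),
    ("regex", r"^(/blog/).*(\.php)$", "deny"),
    ("regex", r"^(/public/style_).*(\.php)$", "deny"),
    ("regex", r"^(/uploads/profile/).*\.(jpg|jpeg|gif|png)$", "static 1d"),
    ("iregex", r"^.+\.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$", "static 1w"),
    ("regex", r"\.php$", "php-fpm"),
]

# The hidden-file rule with its backslash lost: "." then matches any character.
UNESCAPED = [(k, "/." if p == r"/\." else p, a) for k, p, a in LOCATIONS]


def route(uri, locations=LOCATIONS):
    """Return the action label of the location nginx would select for uri.

    Simplified model: regex locations are tried in file order and the first
    match wins; if none matches, the longest matching prefix location is used.
    """
    for kind, pattern, action in locations:
        if kind == "regex" and re.search(pattern, uri):
            return action
        if kind == "iregex" and re.search(pattern, uri, re.IGNORECASE):
            return action
    prefixes = [(len(p), a) for k, p, a in locations
                if k == "prefix" and uri.startswith(p)]
    return max(prefixes)[1] if prefixes else None


# Constructed sample URIs (not taken from any real site or log).
SAMPLES = [
    "/index.php",
    "/topic/123-hello/",
    "/nimda/index.php",
    "/nimda/.htpasswd",
    "/admin/index.php",
    "/uploads/monthly_01/x.php",
    "/uploads/a.jpg/x.php",
    "/uploads/profile/photo-1.jpg",
    "/public/style_images/master/logo.png",
    "/server_status",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:40} -> {route(uri)}")
    # With the dot unescaped, the hidden-file rule swallows ordinary requests.
    print("unescaped rule, /index.php ->", route("/index.php", UNESCAPED))
```

Running it prints one line per sample URI; the last line shows that a hidden-file rule written as `location ~ /.` would deny ordinary requests such as /index.php.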
Posted


Thank you very much for reposting this information.

I was very upset with myself (like Dmacleo) because when I went to save as a pdf - It was gone :hyper: It was just one of those things I had put off for so long.........lesson learnt.

If I could ask, could you PM me when you do update the Nginx wiki (or provide links) please - I would love to see the entry and bookmark it.

Again thanks very much, you have no idea how helpful this information is to us ;) (well I guess you do now :grin: )

EDIT: I do hope that whatever is happening - it settles down to everyone's satisfaction!

Posted

another developer gone :sad:

Yeah - that concerns me a fair bit. As there has to be a reason why this continues to happen.

I do hope that whatever is causing these problems is nipped in the bud ASAP before we lose more devs.

Just thought that I would add that Kirito's posts are always informative and are (shudders - or was) a huge help to this community :thumbsup:

Archived

This topic is now archived and is closed to further replies.
