Setup NGINX/PHP

install PHP and PHP-FPM from the pseudo-official repository

ver=8.2

ls -lF /etc/apt/trusted.gpg.d/php.gpg # should not exist yet
wget https://packages.sury.org/php/apt.gpg -O /etc/apt/trusted.gpg.d/php.gpg

lsb_release -sc
ls -lF /etc/apt/sources.list.d/sury.list # should not exist yet
echo "deb https://packages.sury.org/php/ `lsb_release -sc` main" > /etc/apt/sources.list.d/sury.list

apt update
apt search '^php[[:digit:]]\.[[:digit:]]-redis'
apt search '^php[[:digit:]]\.[[:digit:]]-mongodb'
apt install php$ver php$ver-{fpm,redis,mongodb}

systemctl stop apache2
systemctl disable apache2
systemctl status php$ver-fpm # up & enabled

in case you want to tune PHP later on (NOT REQUIRED)

mv -i /etc/php/$ver/fpm/php.ini /etc/php/$ver/fpm/php.ini.dist
grep -vE '^;|^$' /etc/php/$ver/fpm/php.ini.dist > /etc/php/$ver/fpm/php.ini.clean
grep -vE '^;|^$' /etc/php/$ver/fpm/php.ini.dist > /etc/php/$ver/fpm/php.ini
vi /etc/php/$ver/fpm/php.ini

; already the default
short_open_tag = On

; in case you want it old school (derive PATH_INFO from SCRIPT_FILENAME)
cgi.fix_pathinfo=0

harden FastCGI

mv -i /etc/php/$ver/fpm/pool.d/www.conf /etc/php/$ver/fpm/pool.d/www.conf.dist
grep -vE '^;|^$' /etc/php/$ver/fpm/pool.d/www.conf.dist > /etc/php/$ver/fpm/pool.d/www.conf.clean
grep -vE '^;|^$' /etc/php/$ver/fpm/pool.d/www.conf.dist > /etc/php/$ver/fpm/pool.d/www.conf

users and groups are fine on debian (www-data)

vi /etc/php/$ver/fpm/pool.d/www.conf

user = www-data
group = www-data

listen.owner = www-data
listen.group = www-data

; default already
security.limit_extensions = .php

systemctl restart php$ver-fpm
ls -lF /run/php/php*.sock
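
A check for the pool settings above, as an added example that is not part of the original guide: it reads a pool file and reports values that differ from the hardening described here. The helper names pool_value and audit_pool are hypothetical, the sample pool is constructed, and the listen.mode check is an addition to the settings the guide lists.

```bash
#!/bin/bash
# Added example: pool_value and audit_pool are hypothetical helper names.

# Print the last value assigned to key $2 in pool file $1 (empty if unset).
pool_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                       # skip ; comment lines
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k != key || index($0, "=") == 0) next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# Print one finding per line; return 0 if clean, 1 if anything was flagged.
audit_pool() {
    local f="$1" findings=0 k v
    for k in user group listen.owner listen.group; do
        v=$(pool_value "$f" "$k")
        case "$v" in
            "")   echo "MISSING $k"; findings=1 ;;
            root) echo "ROOT $k"; findings=1 ;;
        esac
    done
    # The guide sets this to .php; unset, empty or longer lists are reported.
    v=$(pool_value "$f" security.limit_extensions)
    if [ "$v" != ".php" ]; then
        echo "EXTENSIONS $v"; findings=1
    fi
    # listen.mode ending in 2, 3, 6 or 7 lets any local user write to the socket.
    v=$(pool_value "$f" listen.mode)
    case "$v" in
        *[2367]) echo "WORLD_WRITABLE listen.mode=$v"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample pool: root worker, extra extension, world-writable socket.
sample=$(mktemp)
printf '%s\n' '[www]' 'user = root' 'group = www-data' \
    'listen.owner = www-data' '; listen.group = www-data' \
    'listen.mode = 0666' 'security.limit_extensions = .php .jpg' > "$sample"
audit_pool "$sample" || true
rm -f "$sample"
```

Run `audit_pool /etc/php/$ver/fpm/pool.d/www.conf` after editing the pool; no output and exit status 0 mean every checked setting matches.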

Ready to go

cat /etc/nginx/fastcgi_params
vi /etc/nginx/conf.d/catch-all.conf

server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/catch-all.access.log;
    error_log /var/log/nginx/catch-all.error.log;
    location ~* \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

cd /var/www/html/
vi index.php

<p><?php
    echo gethostname();
    echo " says PHP hello for ";
    echo $_SERVER['SERVER_NAME'];
    echo "\n";
?></p>

TODO

run every vhost with a different user and FastCGI socket

Resources

setup

Connecting NGINX to PHP FPM https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/

Is the PHP option ‘cgi.fix_pathinfo’ really dangerous with Nginx + PHP-FPM? https://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm

hardening

How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04

Copyright © 2024 Pierre-Philipp Braun