Setup NGINX/PHP


install PHP and PHP-FPM from official repository

ver=8.1

ls -lF /etc/apt/trusted.gpg.d/php.gpg # should not exist yet
wget https://packages.sury.org/php/apt.gpg -O /etc/apt/trusted.gpg.d/php.gpg

lsb_release -sc
ls -lF /etc/apt/sources.list.d/php.list # should not exist yet
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list

apt update
# quote the patterns so the shell leaves the backslash and brackets alone
apt search '^php[[:digit:]]\.[[:digit:]]-redis'
apt search '^php[[:digit:]]\.[[:digit:]]-mongodb'
apt install php$ver php$ver-{fpm,redis,mongodb}

systemctl stop apache2
systemctl disable apache2
systemctl status php$ver-fpm # enabled

tune PHP

cp -pi /etc/php/$ver/fpm/php.ini /etc/php/$ver/fpm/php.ini.dist
vi /etc/php/$ver/fpm/php.ini

short_open_tag = On
cgi.fix_pathinfo=0

harden FastCGI

cp -pi /etc/php/$ver/fpm/pool.d/www.conf /etc/php/$ver/fpm/pool.d/www.conf.dist
vi /etc/php/$ver/fpm/pool.d/www.conf

user = ...
group = ...

listen.owner = ...
listen.group = ...

# already the default
security.limit_extensions = .php

systemctl restart php$ver-fpm
ls -lF /run/php/php*.sock
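
A check of the php.ini and pool settings edited above, as an added example that is not part of the original page. The script name and the function names ini_get and audit_fpm are hypothetical, and the audit insists on the explicit lines shown above rather than relying on defaults.

```shell
#!/bin/bash
# Added example (not from the original page): audit the settings edited above.
# Usage: bash audit-fpm.sh /etc/php/8.1/fpm/php.ini /etc/php/8.1/fpm/pool.d/www.conf

# ini_get FILE KEY: print the last uncommented value of KEY (';' starts a comment).
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }                     # commented-out directive
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != key || index($0, "=") == 0) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)            # strip trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim whitespace
            val = v; found = 1                  # a later assignment overrides
        }
        END { if (found) print val }
    ' "$1"
}

# audit_fpm PHP_INI POOL_CONF: print one line per finding, return 1 if any.
audit_fpm() {
    local ini="$1" pool="$2" rc=0 v key

    # Unset means the PHP default (1), so the line must be present and off.
    v=$(ini_get "$ini" cgi.fix_pathinfo | tr '[:upper:]' '[:lower:]')
    case "$v" in
        0|off|false|no) ;;
        *) echo "FAIL $ini: cgi.fix_pathinfo='${v:-unset}', want 0"; rc=1 ;;
    esac

    # Anything beyond .php widens what FPM will execute.
    v=$(ini_get "$pool" security.limit_extensions)
    if [ "$v" != ".php" ]; then
        echo "FAIL $pool: security.limit_extensions='${v:-unset}', want .php"; rc=1
    fi

    # Pool identity and socket ownership must be set explicitly.
    for key in user group listen.owner listen.group; do
        v=$(ini_get "$pool" "$key")
        [ -n "$v" ] || { echo "FAIL $pool: $key is not set"; rc=1; }
    done
    # Workers must not run as root.
    [ "$(ini_get "$pool" user)" != root ] || { echo "FAIL $pool: user is root"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 2 ]; then audit_fpm "$1" "$2"; fi
```

No output and exit status 0 mean every check passed; each FAIL line names the file and the directive to fix.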

Ready to go

cat /etc/nginx/fastcgi_params
vi /etc/nginx/conf.d/catch-all.conf

server {
    listen 80 default_server;
    server_name _;
    root /var/www/html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/catch-all.access.log;
    error_log /var/log/nginx/catch-all.error.log;
    location ~* \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        #fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

cd /var/www/html/
vi index.php

<p><?php
    echo gethostname();
    echo " says PHP hello for ";
    echo $_SERVER['SERVER_NAME'];
    echo "\n";
?></p>

TODO

run every vhost with a different user and FastCGI socket

Resources

setup

Connecting NGINX to PHP FPM https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/

Is the PHP option ‘cgi.fix_pathinfo’ really dangerous with Nginx + PHP-FPM? https://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm

hardening

How To Host Multiple Websites Securely With Nginx And Php-fpm On Ubuntu 14.04 https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04


Copyright © 2023 Pierre-Philipp Braun