/all the commands used in the article.sh
Last active Nov 1, 2015
| # All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote | |
| # Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first | |
| # First example, chroot bash | |
| mkdir chroot_bash | |
| mkdir -p chroot_bash/usr/bin | |
| cp /usr/bin/bash chroot_bash/usr/bin | |
| chroot chroot_bash/ bash | |
| chroot: failed to run command ‘bash’: No such file or directory | |
| ldd /usr/bin/bash | |
| linux-vdso.so.1 => (0x00007fff22d80000) | |
| libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000) | |
| libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000) | |
| libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000) | |
| /lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000) | |
| mkdir chroot_bash/lib64 | |
| cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/ | |
| chroot chroot_bash/ bash | |
| bash-4.2# pwd | |
| / | |
| bash-4.2# ls | |
| bash: ls: command not found | |
| # Chroot php-fpm | |
| useradd -md /home/tuto tuto | |
| mkdir /home/tuto/www | |
| wget http://fr.wordpress.org/latest-fr_FR.zip | |
| unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www | |
| rm -rf wordpress/ latest-fr_FR.zip | |
| chwon -R tuto: ~tuto | |
| mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev} | |
| cp -r /usr/share/zoneinfo /home/tuto/usr/share/ | |
| cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/ | |
| mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock | |
| chown -R tuto: ~tuto | |
| mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock | |
| mknod /home/tuto/dev/null c 1 3 -m 666 | |
| # Problems with SSL and the DNS resolution | |
| cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so . | |
| cd /home/tuto/lib64 | |
| ln -s libdns-export.so.100.1.1 libdns-export.so.100 | |
| ln -s libdns.so.100.1.1 libdns.so.100 | |
| ln -s libnss_dns.so libnss_dns.so.2 | |
| ln -s libnss_dns-2.17.so libnss_dns.so | |
| # An quick example on how to use strace | |
| ps -ef |grep php-fpm | |
| strace -p PID_PROCESSUS 2> logs_ | |
| # Let's continue with the dns problem | |
| cp -vaR /etc/pki /home/tuto/etc/ | |
| cp -vaR /lib64/nss /home/tuto/lib64 | |
| # Another strace example to show the ssl problem | |
| strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3 | |
| # SSL solution | |
| cp /lib64/libsoftokn3.so /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64 | |
| cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/ |
| #!/bin/bash | |
| # Be careful, do not use in production | |
| # Just a quick script for messing around with chroot and ldd | |
| usage(){ | |
| echo "Usage : $0 cmd_name homedir" | |
| echo "Example : $0 cp /home/alex" | |
| exit 1 | |
| } | |
| error(){ | |
| test "$1" == "" && (echo "An unknow error occurded" ; exit 1) | |
| echo "$1" ; exit 1 | |
| } | |
| # $1 : cmd | |
| findCmdPath(){ | |
| oldIFS=$IFS | |
| IFS=$':' | |
| for dir in $PATH ; do | |
| fullPath=$(find $dir -name $1 2> /dev/null) | |
| test "$fullPath" != "" && (echo $fullPath ; return) | |
| done | |
| } | |
| # $1 : fullPath of cmd | |
| # I tried others commands to find the full/real path for a symlink | |
| # for example "readlink" but it was not working properly for my usage | |
| # I just wanted the "first degree" of symlink so ls -l worked fine for this | |
| findLibs(){ | |
| ldd $1 |tr -d '\t'| tr -d ' ' |cut -d '>' -f 2|cut -d '(' -f 1|grep -E '^/' 2> /dev/null || error "LDD error" | |
| } | |
| # $1 : lib path (or symlink) | |
| # $2 : homedir without the trailing / | |
| copyLib(){ | |
| if test -L $1 ; then | |
| # symlink | |
| currentPath=$(dirname $1) | |
| # copy the symlink | |
| mkdir -p $2$currentPath 2> /dev/null | |
| cp -va $1 $2$currentPath | |
| # find the real file | |
| realFile=$(ls -lh $1 | tr -d ' ' | cut -d '>' -f 2) | |
| realFile=$currentPath'/'$realFile | |
| mkdir -p $2$currentPath 2> /dev/null | |
| cp -va $realFile $2$currentPath | |
| else | |
| # file | |
| currentPath=$(dirname $1) | |
| mkdir -p $2$currentPath 2> /dev/null | |
| cp -va $1 $2$currentPath | |
| fi | |
| } | |
| # Tests | |
| test "$#" != 2 && usage | |
| cmdPath=$(findCmdPath $1) | |
| test "$cmdPath" == "" && error "$1 was not found in the PATH" | |
| homeDir=$(echo $2 | sed 's:/*$::') # remove the trailing / | |
| test ! -d "$homeDir" && error "$homeDir is not a directory" | |
| # main | |
| for lib in $(findLibs $cmdPath) ; do | |
| copyLib $lib $homeDir | |
| done |
| [tuto] | |
| listen = /var/run/tuto.sock | |
| listen.allowed_clients = 127.0.0.1 | |
| listen.owner = nginx | |
| listen.group = nginx | |
| user = tuto | |
| group = tuto | |
| pm = dynamic | |
| pm.max_children = 50 | |
| pm.start_servers = 5 | |
| pm.min_spare_servers = 5 | |
| pm.max_spare_servers = 20 | |
| pm.max_requests = 500 | |
| slowlog = /var/log/php-fpm/tuto-slow.log | |
| chroot = /home/tuto | |
| chdir = /www | |
| env[HOSTNAME] = $HOSTNAME | |
| env[TMP] = /tmp | |
| env[TMPDIR] = /tmp | |
| env[TEMP] = /tmp | |
| php_flag[display_errors] = on | |
| php_admin_value[error_log] = /var/log/php-fpm/www-error.log | |
| php_admin_flag[log_errors] = on | |
| php_value[session.save_handler] = files | |
| php_value[session.save_path] = /var/lib/php/session |
| server { | |
| listen 80; | |
| server_name tuto.madrzejewski.com; | |
| root /home/tuto/www; | |
| access_log /var/log/nginx/tuto.madrzejewski.com-access.log; | |
| error_log /var/log/nginx/tuto.madrzejewski.com-error.log; | |
| location = /favicon.ico { | |
| log_not_found off; | |
| access_log off; | |
| } | |
| location = /robots.txt { | |
| allow all; | |
| log_not_found off; | |
| access_log off; | |
| } | |
| # auth for admin directory | |
| location /wp-admin/ { | |
| auth_basic "Access restreint"; | |
| auth_basic_user_file /etc/nginx/htpasswd/passwd; | |
| } | |
| # no PHP in upload directory | |
| location ~* /(?:uploads|files)/.*\.php$ { | |
| deny all; | |
| } | |
| # hide sensitive files | |
| #location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ | |
| #{ | |
| # return 444; | |
| #} | |
| # no cgi | |
| location ~* \.(pl|cgi|py|sh|lua)\$ { | |
| return 444; | |
| } | |
| # no access to specific files | |
| location ~ /(\.|wp-config.php|readme.html|license.txt) { | |
| deny all; | |
| } | |
| location / { | |
| # This is cool because no php is touched for static content. | |
| # include the "?$args" part so non-default permalinks doesn't break when using query string | |
| try_files $uri $uri/ /index.php?$args; | |
| } | |
| # no weird request | |
| if ($request_method !~ ^(GET|HEAD|POST)$ ) | |
| { | |
| return 444; | |
| } | |
| location ~ [^/]\.php(/|$) { | |
| include /etc/nginx/fastcgi.conf; | |
| fastcgi_split_path_info ^(.+?\.php)(/.*)$; | |
| if (!-f $document_root$fastcgi_script_name) { | |
| return 404; | |
| } | |
| #fastcgi_pass 127.0.0.1:9000; | |
| # debug test chroot phpfpm | |
| fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name; | |
| fastcgi_pass unix:/var/run/tuto.sock; | |
| fastcgi_index index.php; | |
| } | |
| location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { | |
| expires max; | |
| log_not_found off; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment