Last active
April 23, 2020 14:31
-
-
Save madrzejewski/cafc6f7a8fcc6f1c6adb to your computer and use it in GitHub Desktop.
php-fpm, nginx configuration and all the commands for http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote | |
# Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first | |
# First example, chroot bash | |
mkdir chroot_bash | |
mkdir -p chroot_bash/usr/bin | |
cp /usr/bin/bash chroot_bash/usr/bin | |
chroot chroot_bash/ bash | |
chroot: failed to run command ‘bash’: No such file or directory | |
ldd /usr/bin/bash | |
linux-vdso.so.1 => (0x00007fff22d80000) | |
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000) | |
libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000) | |
libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000) | |
/lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000) | |
mkdir chroot_bash/lib64 | |
cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/ | |
chroot chroot_bash/ bash | |
bash-4.2# pwd | |
/ | |
bash-4.2# ls | |
bash: ls: command not found | |
# Chroot php-fpm | |
useradd -md /home/tuto tuto | |
mkdir /home/tuto/www | |
wget http://fr.wordpress.org/latest-fr_FR.zip | |
unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www | |
rm -rf wordpress/ latest-fr_FR.zip | |
chwon -R tuto: ~tuto | |
mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev} | |
cp -r /usr/share/zoneinfo /home/tuto/usr/share/ | |
cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/ | |
mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock | |
chown -R tuto: ~tuto | |
mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock | |
mknod /home/tuto/dev/null c 1 3 -m 666 | |
# Problems with SSL and the DNS resolution | |
cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so . | |
cd /home/tuto/lib64 | |
ln -s libdns-export.so.100.1.1 libdns-export.so.100 | |
ln -s libdns.so.100.1.1 libdns.so.100 | |
ln -s libnss_dns.so libnss_dns.so.2 | |
ln -s libnss_dns-2.17.so libnss_dns.so | |
# An quick example on how to use strace | |
ps -ef |grep php-fpm | |
strace -p PID_PROCESSUS 2> logs_ | |
# Let's continue with the dns problem | |
cp -vaR /etc/pki /home/tuto/etc/ | |
cp -vaR /lib64/nss /home/tuto/lib64 | |
# Another strace example to show the ssl problem | |
strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3 | |
# SSL solution | |
cp /lib64/libsoftokn3.so /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64 | |
cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Be careful, do not use in production | |
# Just a quick script for messing around with chroot and ldd | |
usage(){ | |
echo "Usage : $0 cmd_name homedir" | |
echo "Example : $0 cp /home/alex" | |
exit 1 | |
} | |
error(){ | |
test "$1" == "" && (echo "An unknow error occurded" ; exit 1) | |
echo "$1" ; exit 1 | |
} | |
# $1 : cmd | |
findCmdPath(){ | |
oldIFS=$IFS | |
IFS=$':' | |
for dir in $PATH ; do | |
fullPath=$(find $dir -name $1 2> /dev/null) | |
test "$fullPath" != "" && (echo $fullPath ; return) | |
done | |
} | |
# $1 : fullPath of cmd | |
# I tried others commands to find the full/real path for a symlink | |
# for example "readlink" but it was not working properly for my usage | |
# I just wanted the "first degree" of symlink so ls -l worked fine for this | |
findLibs(){ | |
ldd $1 |tr -d '\t'| tr -d ' ' |cut -d '>' -f 2|cut -d '(' -f 1|grep -E '^/' 2> /dev/null || error "LDD error" | |
} | |
# $1 : lib path (or symlink) | |
# $2 : homedir without the trailing / | |
copyLib(){ | |
if test -L $1 ; then | |
# symlink | |
currentPath=$(dirname $1) | |
# copy the symlink | |
mkdir -p $2$currentPath 2> /dev/null | |
cp -va $1 $2$currentPath | |
# find the real file | |
realFile=$(ls -lh $1 | tr -d ' ' | cut -d '>' -f 2) | |
realFile=$currentPath'/'$realFile | |
mkdir -p $2$currentPath 2> /dev/null | |
cp -va $realFile $2$currentPath | |
else | |
# file | |
currentPath=$(dirname $1) | |
mkdir -p $2$currentPath 2> /dev/null | |
cp -va $1 $2$currentPath | |
fi | |
} | |
# Tests | |
test "$#" != 2 && usage | |
cmdPath=$(findCmdPath $1) | |
test "$cmdPath" == "" && error "$1 was not found in the PATH" | |
homeDir=$(echo $2 | sed 's:/*$::') # remove the trailing / | |
test ! -d "$homeDir" && error "$homeDir is not a directory" | |
# main | |
for lib in $(findLibs $cmdPath) ; do | |
copyLib $lib $homeDir | |
done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[tuto] | |
listen = /var/run/tuto.sock | |
listen.allowed_clients = 127.0.0.1 | |
listen.owner = nginx | |
listen.group = nginx | |
user = tuto | |
group = tuto | |
pm = dynamic | |
pm.max_children = 50 | |
pm.start_servers = 5 | |
pm.min_spare_servers = 5 | |
pm.max_spare_servers = 20 | |
pm.max_requests = 500 | |
slowlog = /var/log/php-fpm/tuto-slow.log | |
chroot = /home/tuto | |
chdir = /www | |
env[HOSTNAME] = $HOSTNAME | |
env[TMP] = /tmp | |
env[TMPDIR] = /tmp | |
env[TEMP] = /tmp | |
php_flag[display_errors] = on | |
php_admin_value[error_log] = /var/log/php-fpm/www-error.log | |
php_admin_flag[log_errors] = on | |
php_value[session.save_handler] = files | |
php_value[session.save_path] = /var/lib/php/session |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 80; | |
server_name tuto.madrzejewski.com; | |
root /home/tuto/www; | |
access_log /var/log/nginx/tuto.madrzejewski.com-access.log; | |
error_log /var/log/nginx/tuto.madrzejewski.com-error.log; | |
location = /favicon.ico { | |
log_not_found off; | |
access_log off; | |
} | |
location = /robots.txt { | |
allow all; | |
log_not_found off; | |
access_log off; | |
} | |
# auth for admin directory | |
location /wp-admin/ { | |
auth_basic "Access restreint"; | |
auth_basic_user_file /etc/nginx/htpasswd/passwd; | |
} | |
# no PHP in upload directory | |
location ~* /(?:uploads|files)/.*\.php$ { | |
deny all; | |
} | |
# hide sensitive files | |
#location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ | |
#{ | |
# return 444; | |
#} | |
# no cgi | |
location ~* \.(pl|cgi|py|sh|lua)\$ { | |
return 444; | |
} | |
# no access to specific files | |
location ~ /(\.|wp-config.php|readme.html|license.txt) { | |
deny all; | |
} | |
location / { | |
# This is cool because no php is touched for static content. | |
# include the "?$args" part so non-default permalinks doesn't break when using query string | |
try_files $uri $uri/ /index.php?$args; | |
} | |
# no weird request | |
if ($request_method !~ ^(GET|HEAD|POST)$ ) | |
{ | |
return 444; | |
} | |
location ~ [^/]\.php(/|$) { | |
include /etc/nginx/fastcgi.conf; | |
fastcgi_split_path_info ^(.+?\.php)(/.*)$; | |
if (!-f $document_root$fastcgi_script_name) { | |
return 404; | |
} | |
#fastcgi_pass 127.0.0.1:9000; | |
# debug test chroot phpfpm | |
fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name; | |
fastcgi_pass unix:/var/run/tuto.sock; | |
fastcgi_index index.php; | |
} | |
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { | |
expires max; | |
log_not_found off; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment