php-fpm, nginx configuration and all the commands for http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote

## all the commands used in the article.sh
# All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote
# Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first

# First example, chroot bash
mkdir chroot_bash
mkdir -p chroot_bash/usr/bin
cp /usr/bin/bash chroot_bash/usr/bin
chroot chroot_bash/ bash
chroot: failed to run command ‘bash’: No such file or directory

ldd /usr/bin/bash
linux-vdso.so.1 =>  (0x00007fff22d80000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000)
libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000)

mkdir chroot_bash/lib64
cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/

chroot chroot_bash/ bash
bash-4.2# pwd
/
bash-4.2# ls
bash: ls: command not found

# Chroot php-fpm
useradd -md /home/tuto tuto
mkdir /home/tuto/www
wget http://fr.wordpress.org/latest-fr_FR.zip
unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www
rm -rf wordpress/ latest-fr_FR.zip
chwon -R tuto: ~tuto

mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev}
cp -r /usr/share/zoneinfo /home/tuto/usr/share/
cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/
mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock
chown -R tuto: ~tuto
mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock
mknod /home/tuto/dev/null c 1 3 -m 666

# Problems with SSL and the DNS resolution

cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so .
cd /home/tuto/lib64
ln -s libdns-export.so.100.1.1 libdns-export.so.100
ln -s libdns.so.100.1.1 libdns.so.100
ln -s libnss_dns.so libnss_dns.so.2
ln -s libnss_dns-2.17.so libnss_dns.so

# An quick example on how to use strace
ps -ef |grep php-fpm
strace -p PID_PROCESSUS 2> logs_

# Let's continue with the dns problem
cp -vaR /etc/pki /home/tuto/etc/
cp -vaR /lib64/nss /home/tuto/lib64

# Another strace example to show the ssl problem
strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3

# SSL solution
cp /lib64/libsoftokn3.so  /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64
cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/

## lddCopy.sh
#!/bin/bash

# Be careful, do not use in production
# Just a quick script for messing around with chroot and ldd

usage(){
	echo "Usage   : $0 cmd_name homedir"
	echo "Example : $0 cp /home/alex"
	exit 1
}

error(){
	test "$1" == "" && (echo "An unknow error occurded" ; exit 1)
	echo "$1" ; exit 1
}

# $1 : cmd
findCmdPath(){
	oldIFS=$IFS
	IFS=$':'
	for dir in $PATH ; do
		fullPath=$(find $dir -name $1 2> /dev/null)
		test "$fullPath" != "" && (echo $fullPath ; return)
	done
}

# $1 : fullPath of cmd
# I tried others commands to find the full/real path for a symlink
# for example "readlink" but it was not working properly for my usage
# I just wanted the "first degree" of symlink so ls -l worked fine for this
findLibs(){
	ldd $1 |tr -d '\t'| tr -d ' ' |cut -d '>' -f 2|cut -d '(' -f 1|grep -E '^/' 2> /dev/null || error "LDD error"
}

# $1 : lib path (or symlink)
# $2 : homedir without the trailing /
copyLib(){
	if test -L $1 ; then
		# symlink
		currentPath=$(dirname $1)
		# copy the symlink
		mkdir -p $2$currentPath 2> /dev/null
		cp -va $1 $2$currentPath
		# find the real file
		realFile=$(ls -lh $1 | tr -d ' ' | cut -d '>' -f 2)
		realFile=$currentPath'/'$realFile
		mkdir -p $2$currentPath 2> /dev/null
		cp -va $realFile $2$currentPath
	else
		# file
		currentPath=$(dirname $1)
		mkdir -p $2$currentPath 2> /dev/null
		cp -va $1 $2$currentPath
	fi
}

# Tests
test "$#" != 2 && usage
cmdPath=$(findCmdPath $1)
test "$cmdPath" == "" && error "$1 was not found in the PATH"
homeDir=$(echo $2 | sed 's:/*$::') # remove the trailing /
test ! -d "$homeDir" && error "$homeDir is not a directory"

# main
for lib in $(findLibs $cmdPath) ; do
	copyLib $lib $homeDir
done

## tuto.conf
[tuto]
listen = /var/run/tuto.sock
listen.allowed_clients = 127.0.0.1
listen.owner = nginx
listen.group = nginx
user = tuto
group = tuto
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
slowlog = /var/log/php-fpm/tuto-slow.log
chroot = /home/tuto
chdir = /www
env[HOSTNAME] = $HOSTNAME
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session

## vhost.conf
server {
    listen 80;
	server_name tuto.madrzejewski.com;
    root /home/tuto/www;

	access_log  /var/log/nginx/tuto.madrzejewski.com-access.log;
	error_log /var/log/nginx/tuto.madrzejewski.com-error.log;

	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	# auth for admin directory
	location /wp-admin/ {
		auth_basic "Access restreint";
		auth_basic_user_file /etc/nginx/htpasswd/passwd;
	}

	# no PHP in upload directory
	location ~* /(?:uploads|files)/.*\.php$ {
    		deny all;
	}

	# hide sensitive files
	#location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
	#{
    #	return 444;
	#}

	# no cgi
	location ~* \.(pl|cgi|py|sh|lua)\$ {
        	return 444;
	}

	# no access to specific files
	location ~ /(\.|wp-config.php|readme.html|license.txt) {
    		deny all;
	}

	location / {
		# This is cool because no php is touched for static content.
		# include the "?$args" part so non-default permalinks doesn't break when using query string
		try_files $uri $uri/ /index.php?$args;
	}

	# no weird request
	if ($request_method !~ ^(GET|HEAD|POST)$ )
	{
		return 444;
	}

	location ~ [^/]\.php(/|$) {
		include /etc/nginx/fastcgi.conf;
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		if (!-f $document_root$fastcgi_script_name) {
			return 404;
		}

		#fastcgi_pass 127.0.0.1:9000;

		# debug test chroot phpfpm
		fastcgi_param   SCRIPT_FILENAME /www/$fastcgi_script_name;
		fastcgi_pass unix:/var/run/tuto.sock;
		fastcgi_index index.php;
	}

	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
		expires max;
		log_not_found off;
	}
}
	# All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote
	# Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first

	# First example, chroot bash
	mkdir chroot_bash
	mkdir -p chroot_bash/usr/bin
	cp /usr/bin/bash chroot_bash/usr/bin
	chroot chroot_bash/ bash
	chroot: failed to run command ‘bash’: No such file or directory

	ldd /usr/bin/bash
	linux-vdso.so.1 => (0x00007fff22d80000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000)

	mkdir chroot_bash/lib64
	cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/

	chroot chroot_bash/ bash
	bash-4.2# pwd
	/
	bash-4.2# ls
	bash: ls: command not found

	# Chroot php-fpm
	useradd -md /home/tuto tuto
	mkdir /home/tuto/www
	wget http://fr.wordpress.org/latest-fr_FR.zip
	unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www
	rm -rf wordpress/ latest-fr_FR.zip
	chwon -R tuto: ~tuto

	mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev}
	cp -r /usr/share/zoneinfo /home/tuto/usr/share/
	cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/
	mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock
	chown -R tuto: ~tuto
	mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock
	mknod /home/tuto/dev/null c 1 3 -m 666

	# Problems with SSL and the DNS resolution

	cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so .
	cd /home/tuto/lib64
	ln -s libdns-export.so.100.1.1 libdns-export.so.100
	ln -s libdns.so.100.1.1 libdns.so.100
	ln -s libnss_dns.so libnss_dns.so.2
	ln -s libnss_dns-2.17.so libnss_dns.so

	# An quick example on how to use strace
	ps -ef \|grep php-fpm
	strace -p PID_PROCESSUS 2> logs_

	# Let's continue with the dns problem
	cp -vaR /etc/pki /home/tuto/etc/
	cp -vaR /lib64/nss /home/tuto/lib64

	# Another strace example to show the ssl problem
	strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3

	# SSL solution
	cp /lib64/libsoftokn3.so /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64
	cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/
	#!/bin/bash

	# Be careful, do not use in production
	# Just a quick script for messing around with chroot and ldd

	usage(){
	echo "Usage : $0 cmd_name homedir"
	echo "Example : $0 cp /home/alex"
	exit 1
	}

	error(){
	test "$1" == "" && (echo "An unknow error occurded" ; exit 1)
	echo "$1" ; exit 1
	}

	# $1 : cmd
	findCmdPath(){
	oldIFS=$IFS
	IFS=$':'
	for dir in $PATH ; do
	fullPath=$(find $dir -name $1 2> /dev/null)
	test "$fullPath" != "" && (echo $fullPath ; return)
	done
	}

	# $1 : fullPath of cmd
	# I tried others commands to find the full/real path for a symlink
	# for example "readlink" but it was not working properly for my usage
	# I just wanted the "first degree" of symlink so ls -l worked fine for this
	findLibs(){
	ldd $1 \|tr -d '\t'\| tr -d ' ' \|cut -d '>' -f 2\|cut -d '(' -f 1\|grep -E '^/' 2> /dev/null \|\| error "LDD error"
	}

	# $1 : lib path (or symlink)
	# $2 : homedir without the trailing /
	copyLib(){
	if test -L $1 ; then
	# symlink
	currentPath=$(dirname $1)
	# copy the symlink
	mkdir -p $2$currentPath 2> /dev/null
	cp -va $1 $2$currentPath
	# find the real file
	realFile=$(ls -lh $1 \| tr -d ' ' \| cut -d '>' -f 2)
	realFile=$currentPath'/'$realFile
	mkdir -p $2$currentPath 2> /dev/null
	cp -va $realFile $2$currentPath
	else
	# file
	currentPath=$(dirname $1)
	mkdir -p $2$currentPath 2> /dev/null
	cp -va $1 $2$currentPath
	fi
	}

	# Tests
	test "$#" != 2 && usage
	cmdPath=$(findCmdPath $1)
	test "$cmdPath" == "" && error "$1 was not found in the PATH"
	homeDir=$(echo $2 \| sed 's:/*$::') # remove the trailing /
	test ! -d "$homeDir" && error "$homeDir is not a directory"

	# main
	for lib in $(findLibs $cmdPath) ; do
	copyLib $lib $homeDir
	done
	[tuto]
	listen = /var/run/tuto.sock
	listen.allowed_clients = 127.0.0.1
	listen.owner = nginx
	listen.group = nginx
	user = tuto
	group = tuto
	pm = dynamic
	pm.max_children = 50
	pm.start_servers = 5
	pm.min_spare_servers = 5
	pm.max_spare_servers = 20
	pm.max_requests = 500
	slowlog = /var/log/php-fpm/tuto-slow.log
	chroot = /home/tuto
	chdir = /www
	env[HOSTNAME] = $HOSTNAME
	env[TMP] = /tmp
	env[TMPDIR] = /tmp
	env[TEMP] = /tmp
	php_flag[display_errors] = on
	php_admin_value[error_log] = /var/log/php-fpm/www-error.log
	php_admin_flag[log_errors] = on
	php_value[session.save_handler] = files
	php_value[session.save_path] = /var/lib/php/session
	server {
	listen 80;
	server_name tuto.madrzejewski.com;
	root /home/tuto/www;

	access_log /var/log/nginx/tuto.madrzejewski.com-access.log;
	error_log /var/log/nginx/tuto.madrzejewski.com-error.log;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# auth for admin directory
	location /wp-admin/ {
	auth_basic "Access restreint";
	auth_basic_user_file /etc/nginx/htpasswd/passwd;
	}

	# no PHP in upload directory
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}

	# hide sensitive files
	#location ~* \.(engine\|inc\|info\|install\|make\|module\|profile\|test\|po\|sh\|.sql\|theme\|tpl(\.php)?\|xtmpl)$\|^(\..\|Entries.*\|Repository\|Root\|Tag\|Template)$\|\.php_
	#{
	# return 444;
	#}

	# no cgi
	location ~* \.(pl\|cgi\|py\|sh\|lua)\$ {
	return 444;
	}

	# no access to specific files
	location ~ /(\.\|wp-config.php\|readme.html\|license.txt) {
	deny all;
	}

	location / {
	# This is cool because no php is touched for static content.
	# include the "?$args" part so non-default permalinks doesn't break when using query string
	try_files $uri $uri/ /index.php?$args;
	}

	# no weird request
	if ($request_method !~ ^(GET\|HEAD\|POST)$ )
	{
	return 444;
	}

	location ~ [^/]\.php(/\|$) {
	include /etc/nginx/fastcgi.conf;
	fastcgi_split_path_info ^(.+?\.php)(/.*)$;
	if (!-f $document_root$fastcgi_script_name) {
	return 404;
	}

	#fastcgi_pass 127.0.0.1:9000;

	# debug test chroot phpfpm
	fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
	fastcgi_pass unix:/var/run/tuto.sock;
	fastcgi_index index.php;
	}

	location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico)$ {
	expires max;
	log_not_found off;
	}
	}