$ cd /usr $ sudo cvs -d anoncvs@anoncvs.fr.NetBSD.org:/cvsroot co -rpkgsrc-2012Q4 pkgsrc /usr/pkg/etc/pkgin/repositories.conf http://packages.netbsdfr.org/latest/6.0/amd64/packages/All # pkgin up vi /etc/mk.conf PKG_OPTIONS.nginx+= naxsi realip # pkgin in nginx $ cd /usr/pkgsrc/www/nginx $ sudo make install clean # cp /usr/pkg/share/examples/rc.d/nginx /etc/rc.d/ # echo "nginx=YES" >> /etc/rc.conf # /etc/rc.d/nginx start # pkgin in php54-fpm $ grep PHP /etc/mk.conf PHP_VERSION_DEFAULT= 54 # cd /usr/pkgsrc/www/php-fpm # make install clean # cp /usr/pkg/share/examples/rc.d/php_fpm /etc/rc.d # echo "php_fpm=YES" >> /etc/rc.conf /usr/pkg/etc/php-fpm.conf /usr/pkg/etc/php.ini # pkgin in mysql-server-5.1 $ cd /usr/pkgsrc/databases/mysql55-server $ sudo make install clean |
nginx.conf location ~ \.php$ { fastcgi_pass unix:/tmp/fcgi-php.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_buffers 256 4k; include /usr/pkg/etc/nginx/fastcgi_params; } php-fpm.conf listen = /tmp/fcgi-php.sock listen = 192.168.0.1:9000 listen = 127.0.0.1:9000 fastcgi_pass fastcgi_pass 127.0.0.1:9000; # /etc/rc.d/php-fpm start # nginx -t nginx: the configuration file /usr/pkg/etc/nginx/nginx.conf syntax is ok nginx: configuration file /usr/pkg/etc/nginx/nginx.conf test is successful # nginx -s reload $ cat > test.php <?php phpinfo(); ?> ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## <?php $content = file($_GET['path']); foreach($content as $line) { echo $line; } ?> # NAXSI - /usr/pkg/share/examples/nginx/conf/naxsi_core.rules # cp /usr/pkg/share/examples/nginx/conf/naxsi_core.rules \ /usr/pkg/etc/nginx/ nginx.conf include /usr/pkg/etc/nginx/naxsi_core.rules; naxsi.rules SecRulesEnabled; DeniedUrl "/denied"; ## check rules CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK; location /denied { rewrite ^ http://foobar.net/503.gif break; } naxsi.rules include /usr/pkg/etc/nginx/naxsi.rules; $ curl -I -o- http://coruscant/own.php?path=/etc/passwd HTTP/1.1 302 Moved Temporarily Server: nginx/1.2.6 Date: Sun, 17 Feb 2013 13:43:32 GMT Content-Type: text/html Content-Length: 160 Connection: keep-alive Location: http://foobar.net/503.gif?ip=192.168.0.1&server=coruscant&uri=/own.php&learning=0&total_processed=4&total_blocked=4&zone0=ARGS&id0=1202&var_name0=path error_log /var/log/nginx/error.log; set_real_ip_from 192.168.0.254; real_ip_header X-Forwarded-For; nginx.conf include /usr/pkg/etc/nginx/sites/*; user www www; worker_processes 1; error_log /var/log/nginx/error.log; events { worker_connections 1024; } http { include /usr/pkg/etc/nginx/mime.types; default_type text/plain; sendfile on; keepalive_timeout 65; 
set_real_ip_from 192.168.100.254; real_ip_header X-Forwarded-For; include /usr/pkg/etc/nginx/naxsi_core.rules; include /usr/pkg/etc/nginx/sites/*; } sites/ ls sites/ dynamic static server { server_name gcu.info www.gcu.info gcu-squad.org www.gcu-squad.org; root /chemin/vers/gcu/www; include /usr/pkg/etc/nginx/php.conf; } client_max_body_size 20M; include /usr/pkg/etc/nginx/logs.conf; include /usr/pkg/etc/nginx/denied; include /usr/pkg/etc/nginx/global.conf; location / { index index.php index.html; try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { include /usr/pkg/etc/nginx/naxsi.rules; include /usr/pkg/etc/nginx/fastcgi_params; } Nous avons parlé de la location ~ \.php$ plus haut dans cet article, aussi voyons le contenu des 3 inclusions : $ cat /usr/pkg/etc/nginx/logs.conf if ($host ~ gcu) { set $log_fqdn $host; } access_log /var/log/nginx/$log_fqdn.access_log; Le fichier global.conf regroupe des paramètres que nous souhaitons inclure dans chacun des vhosts : listen 80; location = /favicon.ico { log_not_found off; access_log off; } location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ /\.ht.* { deny all; } # -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- port 80, 404 robots.txt. htaccess / htpasswd. 
# -- -- -- -- -- -- -- -- -- ------------------------------------------ - [1] https://github.com/nbs-system/naxsi-rules - [2] http://php.net/manual/en/install.unix.apache2.php - [3] http://code.google.com/p/naxsi/ - [4] http://php-fpm.org/ - [5] http://news.netcraft.com/archives/2013/02/01/february-2013-web-server-survey.html - [6] http://www.nbs-system.com/ - [7] http://www.netbsdfr.org/ - [8] http://wiki.nginx.org/HttpRealipModule - [9] http://fr.wikipedia.org/wiki/Proxy_inverse - [10] http://fr.wikipedia.org/wiki/R%C3%A9entrance - [11] http://www.gcu-squad.org/ - [12] https://www.varnish-cache.org/ - [13] http://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-138/Varnish-un-proxy-qui-vous-veut-du-bien - [14] http://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-140/Plus-loin-avec-Varnish |