nginx.conf
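location ~ \.php$ {
    # Only hand scripts that actually exist on disk to PHP-FPM. Without this
    # a request such as /uploads/pic.jpg/x.php still matches this location,
    # and PHP with cgi.fix_pathinfo enabled (check php.ini) falls back to
    # executing /uploads/pic.jpg -- the classic nginx + PHP "upload an image,
    # get code execution" problem.
    try_files $uri =404;
    # NOTE(review): /tmp is world-writable, so the socket can be raced or
    # replaced by any local user; a path under /var/run with
    # listen.owner/listen.group/listen.mode set in php-fpm.conf is safer.
    # Whatever the path, it must match the "listen =" line in php-fpm.conf.
    fastcgi_pass unix:/tmp/fcgi-php.sock;
    fastcgi_index index.php;
    # Absolute path of the script PHP-FPM will run.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_buffers 256 4k;
    include /usr/pkg/etc/nginx/fastcgi_params;
}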
php-fpm.conf
; Where PHP-FPM accepts FastCGI connections. The three lines below are
; alternatives: keep exactly one, and make nginx's fastcgi_pass match it.
;
; Unix socket: local only, access governed by filesystem permissions.
; NOTE(review): /tmp is world-writable -- prefer a path under /var/run and
; set listen.owner / listen.group / listen.mode so that only the nginx
; worker user can connect.
listen = /tmp/fcgi-php.sock
; TCP on a LAN interface: anyone able to reach this port can send a FastCGI
; request with an arbitrary SCRIPT_FILENAME, i.e. run PHP on this host.
; Firewall it and restrict peers with listen.allowed_clients.
listen = 192.168.0.1:9000
; TCP on loopback: reachable by every local user, not from the network.
listen = 127.0.0.1:9000
fastcgi_pass
# nginx side of the loopback TCP variant above; must agree with "listen =".
fastcgi_pass 127.0.0.1:9000;
# /etc/rc.d/php-fpm start
# nginx -t
nginx: the configuration file /usr/pkg/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/pkg/etc/nginx/nginx.conf test is successful
# nginx -s reload
# Smoke test only: phpinfo() publishes the PHP version, paths, loaded
# modules and environment. Delete test.php once the FastCGI path is
# confirmed to work.
$ cat > test.php
<?php phpinfo(); ?>
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
<?php
// Deliberately vulnerable target used to exercise NAXSI further down: the
// file to dump is taken verbatim from the query string (?path=...), so any
// file the PHP-FPM user can read -- /etc/passwd, nginx.conf, site sources --
// is echoed back. Never deploy this outside a throwaway test vhost; its
// only purpose is to watch the WAF block "?path=/etc/passwd".
$lines = file($_GET['path']);
foreach ($lines as $ln) {
    echo $ln;
}
?>
# NAXSI -
/usr/pkg/share/examples/nginx/conf/naxsi_core.rules
# cp /usr/pkg/share/examples/nginx/conf/naxsi_core.rules \
/usr/pkg/etc/nginx/
nginx.conf
include /usr/pkg/etc/nginx/naxsi_core.rules;
naxsi.rules
# Enable NAXSI in this location. There is no LearningMode line, so every
# CheckRule below really blocks; on a real site run a learning phase and
# add whitelists (BasicRule wl:...) first, or expect false positives on
# legitimate form data.
SecRulesEnabled;
# Location NAXSI internally redirects a blocked request to. NAXSI appends
# the match details (client ip, server, uri, zone, rule id, variable name)
# as query arguments -- visible in the Location header of the curl
# transcript further down.
DeniedUrl "/denied";
## check rules
# Thresholds on the per-request scores accumulated by the signatures in
# naxsi_core.rules; the request is blocked as soon as one threshold is
# reached. In the transcript below a single rule (id 1202, zone ARGS,
# variable "path") is enough to trigger the block.
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
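location /denied {
    # Reachable only through NAXSI's internal redirect; a direct
    # GET /denied gets a 404 instead of a probe-able endpoint.
    internal;
    # Answer the blocked request locally. The original
    # "rewrite ^ http://foobar.net/503.gif break;" turned every block into
    # a 302 to a third-party host (see the curl transcript below), which
    # forwarded NAXSI's diagnostic query string -- client ip, uri, zone,
    # rule id, variable name -- to that host and told the attacker exactly
    # which rule fired.
    return 403;
}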
naxsi.rules
include /usr/pkg/etc/nginx/naxsi.rules;
$ curl -I -o- http://coruscant/own.php?path=/etc/passwd
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.2.6
Date: Sun, 17 Feb 2013 13:43:32 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: http://foobar.net/503.gif?ip=192.168.0.1&server=coruscant&uri=/own.php&learning=0&total_processed=4&total_blocked=4&zone0=ARGS&id0=1202&var_name0=path
error_log /var/log/nginx/error.log;
# Trust X-Forwarded-For only on connections coming from the reverse proxy
# at 192.168.0.254; $remote_addr (and presumably the ip= value NAXSI
# reports) is then taken from that header. Any other peer keeps its TCP
# address, so clients reaching nginx directly cannot spoof their IP.
# NOTE(review): the full nginx.conf below uses 192.168.100.254 for the
# same directive -- one of the two is a typo; it must be the proxy's
# actual address.
set_real_ip_from 192.168.0.254;
real_ip_header X-Forwarded-For;
nginx.conf
include /usr/pkg/etc/nginx/sites/*;
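user www www;
worker_processes 1;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
}
http {
    include /usr/pkg/etc/nginx/mime.types;
    default_type text/plain;
    sendfile on;
    keepalive_timeout 65;
    # Stop advertising the exact nginx version in the Server header and on
    # error pages (the curl transcript above shows "Server: nginx/1.2.6").
    server_tokens off;
    # Trust X-Forwarded-For only from the reverse proxy in front of nginx;
    # every other peer keeps its TCP address, so the header cannot be
    # spoofed by direct clients. Must be the proxy's real address (an
    # earlier excerpt on this page uses 192.168.0.254 -- verify which).
    set_real_ip_from 192.168.100.254;
    real_ip_header X-Forwarded-For;
    # NAXSI signature set, loaded once at http level; the per-location
    # policy (SecRulesEnabled, CheckRule...) lives in naxsi.rules and is
    # included by the vhosts.
    include /usr/pkg/etc/nginx/naxsi_core.rules;
    include /usr/pkg/etc/nginx/sites/*;
}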
sites/
ls sites/
dynamic static
server {
    server_name gcu.info www.gcu.info gcu-squad.org www.gcu-squad.org;
    # Document root ("/chemin/vers" is a "/path/to" placeholder).
    root /chemin/vers/gcu/www;
    # Shared PHP vhost boilerplate: listen, logging, NAXSI denied
    # location, global settings and the FastCGI location.
    include /usr/pkg/etc/nginx/php.conf;
}
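client_max_body_size 20M;
include /usr/pkg/etc/nginx/logs.conf;
include /usr/pkg/etc/nginx/denied;
include /usr/pkg/etc/nginx/global.conf;
location / {
    index index.php index.html;
    # Front-controller fallback: paths that are neither a file nor a
    # directory go to /index.php with the original query string.
    try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
    # Only hand scripts that really exist to PHP-FPM. Without this,
    # /uploads/pic.jpg/x.php matches here and PHP with cgi.fix_pathinfo
    # enabled executes pic.jpg.
    try_files $uri =404;
    # NAXSI is enabled for PHP requests only; static files are not inspected.
    include /usr/pkg/etc/nginx/naxsi.rules;
    include /usr/pkg/etc/nginx/fastcgi_params;
    # fastcgi_pass / SCRIPT_FILENAME are those of the location ~ \.php$
    # excerpt earlier in the article (omitted here).
}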
Nous avons parlé de la location ~ \.php$ plus haut dans cet article, aussi voyons le contenu des 3 inclusions :
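$ cat /usr/pkg/etc/nginx/logs.conf
# Per-vhost access log named after the requested host.
# Default for hosts that do not match the pattern below: without it
# $log_fqdn is empty and those requests end up in
# "/var/log/nginx/.access_log".
set $log_fqdn default;
# $host comes from the client's Host header. The unanchored regex accepts
# anything containing "gcu"; the vhost's server_name list is what really
# limits which hosts reach this block -- unless this vhost is also the
# default server, in which case arbitrary Host values get here.
if ($host ~ gcu) {
    set $log_fqdn $host;
}
# NOTE(review): a log path containing a variable is re-opened per request
# unless open_log_file_cache is set, and the file must be writable by the
# worker user (www).
access_log /var/log/nginx/$log_fqdn.access_log;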
Le fichier global.conf regroupe des paramètres que nous souhaitons inclure dans chacun des vhosts :
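# Plain HTTP only; nothing on this page configures TLS.
listen 80;
# Keep browser noise (missing favicon / robots.txt) out of the logs.
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# Hidden files and directories. The original pattern (/\.ht.*) only
# covered .htaccess/.htpasswd; .git/, .svn/ and similar leak sources and
# credentials just as badly. The lookahead keeps /.well-known/ (RFC 5785)
# reachable.
location ~ /\.(?!well-known/) {
    deny all;
}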
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Écoute sur le port 80 ; ne journalise pas les 404 sur favicon.ico et robots.txt ; interdit l'accès aux fichiers .htaccess / .htpasswd.
# -- -- -- -- -- -- -- -- -- ------------------------------------------
- [1] https://github.com/nbs-system/naxsi-rules
- [2] http://php.net/manual/en/install.unix.apache2.php
- [3] http://code.google.com/p/naxsi/
- [4] http://php-fpm.org/
- [5] http://news.netcraft.com/archives/2013/02/01/february-2013-web-server-survey.html
- [6] http://www.nbs-system.com/
- [7] http://www.netbsdfr.org/
- [8] http://wiki.nginx.org/HttpRealipModule
- [9] http://fr.wikipedia.org/wiki/Proxy_inverse
- [10] http://fr.wikipedia.org/wiki/R%C3%A9entrance
- [11] http://www.gcu-squad.org/
- [12] https://www.varnish-cache.org/
- [13] http://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-138/Varnish-un-proxy-qui-vous-veut-du-bien
- [14] http://connect.ed-diamond.com/GNU-Linux-Magazine/GLMF-140/Plus-loin-avec-Varnish