In The Middle Of Nowhere

Life, universe and everything...

chroot PHP for use with nginx

Posted 10-31-2010 at 10:40 AM by Web31337

I had never had to deal with a chrooted environment before, and there isn't a lot of info out there on the net. The best result I've found so far is
Actually, it covers almost the entire topic, but I'm going to explain how to bind it with nginx in a Gentoo Linux environment.
Say you have a site with some app you don't really trust in the /app directory. Your own site scripts are executed by a non-chrooted PHP, while you want a chrooted PHP to serve the /app/ path.
So let's describe this step-by-step.
First, use that manual to set up your chrooted environment.

Your nginx.conf should not include the fastcgi_params file globally; instead, include it inside the 'server' block, per location, so that the chrooted and the regular PHP get different parameters. The block for your site may look like the following:
	server {
		listen 80;
		# the log file name is missing in the original; put your own here
		access_log	logs/ACCESS_LOG_NAME main;
		charset		utf-8;

		# the untrusted app: handed to the chrooted PHP-FPM on port 8000
		location /app/ {
			# host-side path, so nginx can serve the app's static files itself
			root /opt/chroot/srv;
			# the same directory as PHP sees it from inside /opt/chroot
			fastcgi_param	DOCUMENT_ROOT	/srv;
			include	fcgi-unpriv.conf;
			index index.html index.php;
			location ~ \.php$ { fastcgi_pass 127.0.0.1:8000; }
		}

		# the rest of the site: regular, non-chrooted PHP-FPM on port 9000
		location / {
			root /srv/;
			index	index.html index.php;
			include fcgi.conf;
			location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
		}
	}
and fcgi-unpriv.conf is:
# fcgi-unpriv.conf: FastCGI parameters for the chrooted PHP-FPM instance
fastcgi_param	GATEWAY_INTERFACE	CGI/1.1;
fastcgi_param	SERVER_SOFTWARE	nginx;
fastcgi_param	QUERY_STRING	$query_string;
fastcgi_param	REQUEST_METHOD	$request_method;
fastcgi_param	CONTENT_TYPE	$content_type;
fastcgi_param	CONTENT_LENGTH	$content_length;
# nginx's $document_root is the host-side 'root' (/opt/chroot/srv), but the
# PHP workers run inside /opt/chroot and cannot open that path; build the
# script path from the chroot-side directory instead
fastcgi_param	SCRIPT_FILENAME	/srv$fastcgi_script_name;
fastcgi_param	SCRIPT_NAME		$fastcgi_script_name;
fastcgi_param	REQUEST_URI		$request_uri;
fastcgi_param	DOCUMENT_URI	$document_uri;
fastcgi_param	SERVER_PROTOCOL	$server_protocol;
fastcgi_param	REMOTE_ADDR		$remote_addr;
fastcgi_param	REMOTE_PORT		$remote_port;
fastcgi_param	SERVER_ADDR		$server_addr;
fastcgi_param	SERVER_PORT		$server_port;
fastcgi_param	SERVER_NAME		$server_name;
fastcgi_param	HTTPS			off;
As you can see, our actual site files are in /srv/ and are passed over FastCGI to localhost:9000, where the standard PHP configuration is running.
The /app/ directory has a separate config that passes scripts to localhost:8000, where the chrooted PHP runs.
Our chroot directory is /opt/chroot/, and the files for /app/ reside in /opt/chroot/srv/app/ on the host. We set root to /opt/chroot/srv and pass the chroot-side path as a custom DOCUMENT_ROOT, so that nginx tells the PHP server paths that are valid inside the chroot. The host path /opt/chroot/srv does not exist inside the chroot, so passing it will not work unless you link it inside. Some of you may find that a nice hack; if so, you are free to choose it, since linking requires less configuration. In fact, giving the real host path as 'root' is only needed when the app also contains static content (CSS, JS, images, etc.) that nginx should serve directly. If /app/ is PHP-only, you can set root to /srv instead.

From here we are almost ready.
Prepare your custom php.ini for the unprivileged server.
Assuming you built PHP with FPM support, modify your /etc/init.d/php-fpm and save it as /etc/init.d/php-fpm.unpriv:


#!/sbin/runscript
# /etc/init.d/php-fpm.unpriv: a second PHP-FPM instance for the chroot.
# PHP_FPM_CONF and PHP_INI come from /etc/conf.d/php-fpm.unpriv; the
# defaults below are assumed file names, adjust them to your layout.
: ${PHP_FPM_CONF:=/etc/php/fpm-php5/php-fpm-unpriv.conf}
: ${PHP_INI:=/etc/php/fpm-php5/php-unpriv.ini}
# the pid file name is missing in the original (assumed here); it must
# match the 'pid' setting in php-fpm-unpriv.conf
PIDFILE=/var/run/php/php-fpm-unpriv.pid

opts="depend start stop reload"

depend() {
	need net
	use apache2 lighttpd nginx
}

start() {
	ebegin "Starting PHP-FPM [unpriv] server"
	# -y selects the FPM config, -c the custom php.ini for this instance
	start-stop-daemon --start --exec /usr/bin/php-fpm \
		-- -y "${PHP_FPM_CONF}" -c "${PHP_INI}"
	eend $?
}

stop() {
	ebegin "Stopping PHP-FPM [unpriv] server"
	start-stop-daemon --stop --pidfile "${PIDFILE}" --exec /usr/bin/php-fpm
	eend $?
}

# listed in opts but missing from the original; USR2 is php-fpm's graceful reload
reload() {
	ebegin "Reloading PHP-FPM [unpriv] server"
	start-stop-daemon --stop --signal USR2 --pidfile "${PIDFILE}" --exec /usr/bin/php-fpm
	eend $?
}
Create a separate user and group, then modify /etc/php/fpm-php5/php-fpm.conf and save it as php-fpm-unpriv.conf so that it includes the correct user:group, chroot path and port configuration.
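The post leaves the contents of php-fpm-unpriv.conf to the reader. Here is an added example of that file (not the author's own), in the pool syntax of the PHP 5.3 FPM SAPI, matching the nginx block above: it listens on the port the /app/ location passes to, accepts only loopback clients, drops to a dedicated account, chroots to /opt/chroot, and confines PHP to chroot-side paths. The user name php-unpriv, the pool name, the pid and log file names and the pm settings are assumptions.

```ini
; php-fpm-unpriv.conf (added example) - config for the chrooted instance
[global]
; must match the pid file the init script stops (name assumed)
pid = /var/run/php/php-fpm-unpriv.pid
; the master process is not chrooted, so this is a host path (assumed)
error_log = /var/log/php-fpm-unpriv.log

[unpriv]
; the port the nginx /app/ location passes to; keep it on loopback only
listen = 127.0.0.1:8000
listen.allowed_clients = 127.0.0.1
; dedicated account created for this instance (name assumed)
user = php-unpriv
group = php-unpriv
; everything under /opt/chroot becomes "/" for the workers: the app files
; are /opt/chroot/srv/app on the host, i.e. /srv/app inside the chroot,
; which is what nginx sends as DOCUMENT_ROOT and SCRIPT_FILENAME
chroot = /opt/chroot
chdir = /srv
pm = static
pm.max_children = 4
; chroot-relative paths: PHP cannot see /opt/chroot/srv from inside;
; /opt/chroot/tmp must exist on the host and be writable by php-unpriv
php_admin_value[open_basedir] = /srv:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
; an untrusted app has no business spawning processes from the pool
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
```

The pool's listen address and chroot path are the two values the nginx /app/ location and fcgi-unpriv.conf depend on; change one, change the other.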
That's it! Start it and enjoy!
Hope this helps someone...

Posted in opensource, security