Tag Archives: nginx

Using Regular Expressions to Reduce Exposure


The Internet is filled with bots (zombie machines working at their master’s bidding), spiders and so on. Recently I saw a large number of attempts to gain access to my WordPress login page (and only wp-login.php, so obviously attempts from some scripts). I believe I have good password and username hygiene, which did deter the bots, but then why not stop addresses outside my private network from reaching the page at all?

Such a configuration can, I believe, be done easily with .htaccess in Apache, but I’m using nginx and it’s slightly different, so here’s my method. nginx lets the user put rules into its config, so look into your nginx configuration.

One way to do this is a regular expression match against the remote IP address ($remote_addr) or, if you are like me and put the web server behind HAProxy, against the forwarded-for address ($http_x_forwarded_for). You can generate the regular expression for your IP range using Google IP Address Range Rules (IP regular expression generator). Here is my additional configuration, to be inserted below the basic web root config.

location ~ /wp-login\.php {
 if ($remote_addr !~ "^(192\.168\.([0-7])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$") {
  # Only allow my private addresses (192.168.0.0 - 192.168.7.255) to have access
  return 403;
 }

 if ($http_x_forwarded_for != "") {
  # Any proxied access will be denied too
  return 403;
 }

 root html;
 fastcgi_pass unix:/tmp/php-fpm.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /var/www/html/wordpress$fastcgi_script_name;
 include fastcgi_params;
}
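To check the allow-list pattern before deploying it, here is an added Python example (not part of the original post) that tests the pattern against the CIDR range it is meant to express, assumed here to be 192.168.0.0/21, and shows why the dots should be escaped.

```python
import ipaddress
import re

# The allow-list pattern from the nginx config above, with the dots escaped so
# that "." matches a literal dot rather than any single character.
WP_LOGIN_ALLOW_RE = re.compile(
    r"^(192\.168\.([0-7])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$"
)
# The pattern exactly as generated, with unescaped dots, kept for comparison.
WP_LOGIN_ALLOW_RE_UNESCAPED = re.compile(
    r"^(192.168.([0-7]).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$"
)
# Assumption: the "private addresses" the pattern is meant to admit are
# 192.168.0.0 - 192.168.7.255, i.e. this /21.
INTENDED_NET = ipaddress.ip_network("192.168.0.0/21")

# Constructed boundary samples: just outside the /21, other RFC 1918 space, public.
OUTSIDE_SAMPLES = ["192.168.8.0", "192.167.255.255", "192.168.255.1",
                   "10.0.0.1", "172.16.0.1", "8.8.8.8"]


def allowed(remote_addr, pattern=WP_LOGIN_ALLOW_RE):
    """Mirror the nginx 'if': the request passes only when $remote_addr matches."""
    return pattern.match(remote_addr) is not None


def regex_matches_cidr(pattern=WP_LOGIN_ALLOW_RE):
    """True when every address inside INTENDED_NET matches and none of the
    OUTSIDE_SAMPLES do, i.e. the pattern expresses the CIDR for real IPs."""
    inside_ok = all(allowed(str(ip), pattern) for ip in INTENDED_NET)
    outside_ok = not any(allowed(ip, pattern) for ip in OUTSIDE_SAMPLES)
    return inside_ok and outside_ok


def unescaped_dot_pitfall(sample="192x168x0x1"):
    """True when the unescaped pattern accepts a string the escaped one rejects.
    $remote_addr is always a well-formed IP, but a client-supplied header such as
    X-Forwarded-For is not, which is where an unescaped dot starts to matter."""
    return allowed(sample, WP_LOGIN_ALLOW_RE_UNESCAPED) and not allowed(sample)


if __name__ == "__main__":
    print("escaped pattern == 192.168.0.0/21:", regex_matches_cidr())
    print("unescaped pattern == 192.168.0.0/21:", regex_matches_cidr(WP_LOGIN_ALLOW_RE_UNESCAPED))
    print("unescaped dots accept '192x168x0x1':", unescaped_dot_pitfall())
```

Because $http_x_forwarded_for is a request header the client can set, matching on it is only meaningful when your own proxy overwrites it on the way in.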

Setting up a FreeBSD 9.1 Server


It’s been a while since I last posted something here.

Recently I got interested in the “beastie”, aka BSD, one flavor of UNIX. That’s not to say I’m no longer loving the penguin, but it’s good to know more of the systems out there, and FreeBSD is one of the most well-known systems for stability, with uptimes of like 5 years without restarting. So here is how to get it up with Nginx, PHP and MySQL, running inside a VMware environment.


The first thing to do is to have portsnap fetch and update the ports tree.

portsnap fetch extract update

Most of the popular applications are in the ports tree, so most of these installations can be automated without much trouble.

Installing VMware Tools

Installing Perl 5.16

cd /usr/ports/lang/perl5.16/
make config-recursive
make install clean

Installing compat6x

cd /usr/ports/misc/compat6x/
make config-recursive
make install clean

Manual installation of 2 VMware modules

“Insert” the VMware Tools disc, and mount it using type cd9660 as such

mount -t cd9660 /dev/cd0 /mnt

then access the mounted disc and copy the tools file somewhere local for extraction.

<DIR>vmware-tools-distrib/lib/modules/source/

Untar the following, then make and make install them before installing the main Perl script

vmmemctl.tar
vmblock.tar

Installing Bash-completion

First will be the installation of “bash-completion”, as I find “csh” not that friendly, plus tabbing is the way to go… 🙂

cd /usr/ports/shells/bash-completion
make config-recursive

No additional selections are necessary (the defaults are alright)

make install clean

Then you have to change the default shell of the user by using

chpass

and change the Shell to

/usr/local/bin/bash

Installing VIM

And how can we go about a Unix/Linux system without VIM? vi is quite painful to use. And since I’m using this machine as a server, I don’t need gvim, so vim-lite suffices.

cd /usr/ports/editors/vim-lite
make config-recursive
make install clean

Do remember to configure your own ~/.vimrc

syntax on
set background=dark
set shiftwidth=2
set tabstop=2
set nocompatible
set expandtab
set autoindent
set ruler
if has("autocmd")
 filetype plugin indent on
endif
set showcmd " Show (partial) command in status line.
set showmatch " Show matching brackets.
set ignorecase " Do case insensitive matching
set smartcase " Do smart case matching
set incsearch " Incremental search
set hidden " Hide buffers when they are abandoned
set backspace=indent,eol,start
set mouse=

Installing wget

cd /usr/ports/ftp/wget
make config-recursive
make install clean

Installing PHP

cd /usr/ports/lang/php5
make config-recursive
make install clean

You will also have to install the PHP extensions for things like session, mbstring, mcrypt, mysql, mysqli and so on.

cd /usr/ports/lang/php5-extensions
make config-recursive
make install clean

Configuring PHP-FPM

vim /usr/local/etc/php-fpm.conf
events.mechanism = kqueue
listen = /var/run/php-fpm.sock

listen.owner = www
listen.group = www
listen.mode = 0666

You will also have to configure php.ini for your needs; I need to set my local timezone

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
vim /usr/local/etc/php.ini
date.timezone = Asia/Singapore

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
php_fpm_enable="YES"

Installing nginx

cd /usr/ports/www/nginx
make config-recursive
make install clean

Configuring nginx

vim /usr/local/etc/nginx/nginx.conf

Some things that need to be included are the use of kqueue, which is the event mechanism used on BSD.

events {
 worker_connections 1024;
 use kqueue;
}
location ~ \.php$ {
 #root html;
 #fastcgi_pass 127.0.0.1:9000;
 fastcgi_pass unix:/var/run/php-fpm.sock;
 #fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /usr/local/www$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_script_name;
 include fastcgi_params;
}

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
nginx_enable="YES"

Installing MySQL

Depending on requirements, the choice of MySQL configuration will differ; pick the most suitable one and copy it.

cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf

Manually start the MySQL server to install and configure it.

/usr/local/etc/rc.d/mysql-server start

Follow the guide from the secure installation script.

mysql_secure_installation

You will have to add the following line into the rc.conf.

vim /etc/rc.conf
mysql_enable="YES"

Installing Web-apps

After completing the above installation, it should be a breeze to install the rest of the web apps like phpMyAdmin and WordPress; just place them at the correct place, /usr/local/www 🙂

Installing CentOS 6 – LNMP


I’ve decided to start blogging again! That is, after 1 year of silence…

Well, I guess it’s time to start a tech blog on what I do as a techie and to document what’s necessary, as a reference for myself and for others if they run into the same problem. Let me start by getting LNMP to work on CentOS 6. LNMP is otherwise known as Linux, Nginx, MySQL and PHP.

Installing CentOS 6 is pretty straightforward. Pop the disc/USB in, follow the instructions and voilà, you have a working machine. There are some variations too, like installing using the network method, but I won’t cover that here.

Nginx. Nginx is an awesome piece of web server software. It’s lightweight and fast, much lighter than the world-famous Apache. Installing it in today’s context is rather easy, with the package already compiled for you.

First, you have to add the Nginx repo to your repo list. CentOS uses yum, so you have to create an “nginx.repo” file in “/etc/yum.repos.d/” with the following content

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1
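Two settings in these posts switch verification off: the FreeBSD php-fpm.conf above sets listen.mode = 0666, a world-writable socket, and this repo file sets gpgcheck=0, so yum installs the nginx package without checking its signature. As an added example (not from either post), here is a small Python audit that flags both in configuration text; the samples are constructed from the posts' own snippets, and the gpgkey URL is the signing key location nginx.org publishes.

```python
import configparser

# Constructed sample, modelled on the nginx.repo file above, plus a second section
# showing the hardened form (signature checking on, key fetched from nginx.org).
YUM_REPO_SAMPLE = """
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=0
enabled=1

[nginx-signed]
name=nginx repo with signature checking
baseurl=http://nginx.org/packages/centos/6/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1
"""

# Constructed sample, modelled on the FreeBSD php-fpm.conf settings in the post.
PHP_FPM_SAMPLE = """
[global]
events.mechanism = kqueue

[www]
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0666
"""


def _parse(text):
    # Both files are ini-style; php-fpm comments start with ';', yum's with '#'.
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def unsigned_repos(text):
    """Enabled yum repo sections that skip signature checks (gpgcheck != 1 or no gpgkey)."""
    cp = _parse(text)
    return [name for name in cp.sections()
            if cp[name].get("enabled", "1") == "1"
            and (cp[name].get("gpgcheck", "0") != "1" or not cp[name].get("gpgkey"))]


def world_writable_pools(text):
    """php-fpm pools whose Unix socket mode grants write access to 'other'."""
    cp = _parse(text)
    return [name for name in cp.sections()
            if cp[name].get("listen.mode") and int(cp[name]["listen.mode"], 8) & 0o002]
```

With nginx running as the www user, listen.mode = 0660 is enough for the socket, which the second check then no longer reports.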

After that, just run

yum install nginx

And nginx will be installed. Next, CentOS usually has iptables enabled; iptables is a firewall, so you’ll have to add rules allowing 80 (http) and 443 (https) into the Allow rules.

vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service nginx start

Then restart iptables and http(s) should work.

Then, for nginx to load every time the machine boots

chkconfig --level 345 nginx on

MySQL, the lovely database magic box. Installing an up-to-date copy is not as straightforward as it seems. I have to add additional repos, in this case “remi”’s repo, a set of repos maintained by this French guy. But you also have to get the “epel” repo. So here are the commands:

rpm -Uvh http://mirror.nus.edu.sg/fedora/epel/6/i386/epel-release-6-5.noarch.rpm
rpm -Uvh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Then you install MySQL as such

yum --enablerepo=remi install mysql mysql-server

After installing the binaries, you have to initialise the database

mysql_install_db --user=mysql

After which, start MySQL

mysqld_safe &

Change the default password using

mysql_secure_installation

Verify that the change was correct by properly shutting down MySQL

mysqladmin shutdown -p

Similarly, to load on reboot

chkconfig --levels 235 mysqld on

Note: remember to add an additional firewall rule if you want your MySQL to be remotely accessible, though not unless necessary. There are also some configuration changes to be made to make that work, which I will not cover here.


Now PHP. PHP: Hypertext Preprocessor, and my favourite language. We will still be using the “remi” repo. So,

yum --enablerepo=remi install php php-fpm
yum --enablerepo=remi install php-gd php-mysql php-mbstring php-xml php-mcrypt php-pecl-apc php-pecl-memcache php-xmlrpc

After installation

service php-fpm start

To check whether PHP is working, you have to configure a few things.

First, edit the nginx config file.

vim /etc/nginx/conf.d/default.conf
location / {
 root /usr/share/nginx/html;
 index index.html index.htm index.php;
}

Uncomment the php-fpm lines and enter the root of the web file directory.

location ~ \.php$ {
 root html;
 fastcgi_pass 127.0.0.1:9000;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
 include fastcgi_params;
}

Reload nginx

service nginx reload

And create a test file at the document root

vim /usr/share/nginx/html/info.php

Append the following

<?php phpinfo(); ?>

Go to the website

http://serverNameOrIPAddressHere/info.php

And you should see information related to PHP.

My recommendation would be to move PHP-FPM from the TCP socket to a Unix socket, which can be done in the following manner.

First, edit

vim /etc/php-fpm.d/www.conf

comment out or delete the old lines and change them to the following

;listen = 127.0.0.1:9000
listen = /tmp/php-fpm.sock
;listen.allowed_clients = 127.0.0.1

Change your user and group to

user = nginx
group = nginx

You can verify the changes using

netstat -l -n

Now if you reload your info.php it will not work; you have to go and adjust the nginx server configuration file. Comment out the old TCP socket and replace it with the Unix socket.

vim /etc/nginx/conf.d/default.conf
location ~ \.php$ {
 root html;
 #fastcgi_pass 127.0.0.1:9000;
 fastcgi_pass unix:/tmp/php-fpm.sock;
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME /usr/share/nginx/html$fastcgi_script_name;
 include fastcgi_params;
}

Restart nginx

service nginx restart

And reload your info.php test page to make sure that it’s running.

To make sure php-fpm runs every time the machine boots

chkconfig --levels 235 php-fpm on

And there you have it, a Linux Nginx MySQL PHP machine ready for you to use, be it for WordPress, OwnCloud, phpMyAdmin or other PHP-based software.

Hope you had fun configuring it. 🙂