
Installation and configuration: Nginx + php5-fpm

This article shows how to install the Nginx + php5-fpm (PHP 5.3) stack on Debian Lenny and set up a secure configuration.

Installation and Setup

Important: run all commands as root.

Add the repositories and import the signing key:
 echo "deb http://backports.debian.org/debian-backports lenny-backports main" >> /etc/apt/sources.list
 echo "deb http://php53.dotdeb.org stable all" >> /etc/apt/sources.list
 gpg --keyserver keys.gnupg.net --recv-key 89DF5277 && gpg -a --export 89DF5277 | apt-key add -
Update:
 aptitude update
Install nginx and php5-fpm:
 aptitude install -t lenny-backports "nginx"
 apt-get install php5-cli php5-common php5-suhosin
 apt-get install php5-fpm php5-cgi
Bring the config /etc/nginx/nginx.conf to the following form:
 user www-data;
 worker_processes 1;  # Set to the number of CPU cores

 timer_resolution 100ms;
 worker_rlimit_nofile 8192;
 worker_priority -5;  # Increase priority

 error_log /var/log/nginx/error.log;
 pid /var/run/nginx.pid;
 events {
     worker_connections 1024;
 }
 http {
     include /etc/nginx/mime.types;
     access_log /var/log/nginx/access.log;

     sendfile on;
     keepalive_timeout 65;
     tcp_nodelay on;

     gzip on;
     gzip_min_length 1100;
     #gzip_disable "msie6";  # Faster, but works only on new versions of nginx
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";
     gzip_proxied any;
     gzip_comp_level 4;
     gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
     gzip_vary on;

     include /etc/nginx/conf.d/*.conf;
     include /etc/nginx/sites-enabled/*;
 }

Delete /etc/nginx/sites-available/default

Config example

Config for use with the WordPress CMS, taking the chroot into account, in /etc/nginx/sites-enabled/example.ru:
 server {
	 listen 80;
	 server_name www.example.ru;
	 rewrite ^ http://example.ru$request_uri? permanent;  # 301 redirect
 }
 server {
     listen 80;
	 server_name example.ru; 
	 root /var/www/example.ru;
	 index index.php;

	 location / {
		 try_files $uri $uri/ /index.php?q=$uri&$args;
	 }
	 location ~* ^.+\.(js|css|png|jpg|jpeg|gif|ico)$ {
		 access_log off;
		 expires max;
	 }
	 location ~ \.php$ {
		 # fastcgi_split_path_info ^(.+\.php)(.*)$;
		 fastcgi_pass 127.0.0.1:9000;
		 fastcgi_index index.php;

		 # Paths are relative to the php-fpm chroot (/var/www)
		 fastcgi_param DOCUMENT_ROOT /example.ru;
		 fastcgi_param SCRIPT_FILENAME /example.ru$fastcgi_script_name;
		 fastcgi_param PATH_TRANSLATED /example.ru$fastcgi_script_name;

		 include fastcgi_params;
		 fastcgi_param QUERY_STRING $query_string;
		 fastcgi_param REQUEST_METHOD $request_method;
		 fastcgi_param CONTENT_TYPE $content_type;
		 fastcgi_param CONTENT_LENGTH $content_length;
		 fastcgi_intercept_errors on;
		 fastcgi_ignore_client_abort off;
		 fastcgi_connect_timeout 60;
		 fastcgi_send_timeout 180;
		 fastcgi_read_timeout 180;
		 fastcgi_buffer_size 128k;
		 fastcgi_buffers 4 256k;
		 fastcgi_busy_buffers_size 256k;
		 fastcgi_temp_file_write_size 256k;
	 }
	
	 location = /favicon.ico {
		 log_not_found off;
		 access_log off;
	 }
	 location = /robots.txt {
		 allow all;
		 log_not_found off;
		 access_log off;
	 }
	 ## Disable viewing .htaccess & .htpasswd
	 location ~ /\.ht {
		 deny all;
	 }
 }
Install mysql:
  apt-get install mysql-server mysql-client php5-mysql
 mkdir -p /var/www/var/run/mysqld
 mount --bind /var/run/mysqld/ /var/www/var/run/mysqld/
Create a directory and the file index.php:
 mkdir -p /var/www/example.ru
 echo "<?php phpinfo(); ?>" > /var/www/example.ru/index.php
Restart nginx and php5-fpm:
  /etc/init.d/nginx restart
 /etc/init.d/php5-fpm restart 

Security

Set the correct ownership and permissions on the directories:
  chown -R www-data /var/www/example.ru && chmod -R 750 /var/www/example.ru 
Fix the vulnerability associated with
 location ~ \.php$ {
by setting the following in /etc/php5/fpm/php.ini:
 cgi.fix_pathinfo = 0
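A quick audit for this setting, as an added example that is not part of the original article: PHP treats cgi.fix_pathinfo as 1 when the directive is missing or present only as a ';' comment, so the script reports the effective value instead of grepping for the string. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): report the effective cgi.fix_pathinfo
# value of a php.ini. Lines starting with ';' are comments, the last
# uncommented assignment wins, and an absent directive means PHP's default, 1.
effective_fix_pathinfo() {
    ini=$1
    [ -r "$ini" ] || { echo "unreadable"; return 2; }
    val=$(sed -n 's/^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*"\{0,1\}\([^";[:space:]]*\).*$/\1/p' "$ini" | tail -n 1)
    [ -n "$val" ] || val=1   # absent or empty: treat as the default of 1
    echo "$val"
}

# Returns 0 only when the directive is explicitly switched off.
check_fix_pathinfo() {
    v=$(effective_fix_pathinfo "$1") || return 2
    case "$(echo "$v" | tr 'A-Z' 'a-z')" in
        0|off|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a commented-out stock line followed by the fix.
sample=$(mktemp)
printf '%s\n' '[PHP]' ';cgi.fix_pathinfo=1' 'cgi.fix_pathinfo = 0' > "$sample"
echo "effective cgi.fix_pathinfo: $(effective_fix_pathinfo "$sample")"
rm -f "$sample"
```

On the server, run `check_fix_pathinfo /etc/php5/fpm/php.ini` after editing the file and before restarting php5-fpm.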
Enable chroot to limit PHP's access to the system. To do this, edit the file /etc/php5/fpm/php5-fpm.conf and set:
 chroot = /var/www
 chdir = /
Next we run into a problem: PHP can no longer resolve host names. Fix it:
 mkdir -p /var/www/{etc,lib,lib64}
 cp /etc/hosts /var/www/etc/hosts
 cp /etc/resolv.conf /var/www/etc/resolv.conf
 cp /lib/libnss_dns.so.2 /var/www/lib/libnss_dns.so.2      # if your system is 32-bit
 cp /lib64/libnss_dns.so.2 /var/www/lib64/libnss_dns.so.2  # if your system is 64-bit
Restart php5-fpm:
  /etc/init.d/php5-fpm restart 
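
The files copied into the chroot are snapshots of the host's files, so they can go missing or stale after later changes on the host. The following check is an added example, not from the original article; the function name and its second (host root) parameter are assumptions made so that it can be run against a constructed tree.

```sh
#!/bin/sh
# Added example (not from the article). Audits a php-fpm chroot for the files
# the resolver fix copies in. Copies are snapshots: a later change to the
# host's /etc/resolv.conf is invisible to PHP until it is copied again.
# $1 = chroot directory; $2 = host root (hypothetical parameter so the check
# can be exercised against a constructed tree; empty means the real /).
audit_chroot_resolver() {
    jail=$1
    host=${2:-}
    rc=0
    for f in etc/hosts etc/resolv.conf; do
        if [ ! -f "$jail/$f" ]; then
            echo "MISSING $f"; rc=1
        elif ! cmp -s "$host/$f" "$jail/$f"; then
            echo "STALE $f"; rc=1
        fi
    done
    # The NSS DNS module sits in lib/ or lib64/ depending on the architecture.
    if [ ! -e "$jail/lib/libnss_dns.so.2" ] && [ ! -e "$jail/lib64/libnss_dns.so.2" ]; then
        echo "MISSING libnss_dns.so.2"; rc=1
    fi
    # World-writable resolver files would let code inside the jail redirect lookups.
    loose=$(find "$jail/etc" "$jail/lib" "$jail/lib64" ! -type l -perm -002 2>/dev/null || true)
    if [ -n "$loose" ]; then
        echo "WORLD-WRITABLE $loose"; rc=1
    fi
    return $rc
}

# Constructed demo tree standing in for / and /var/www.
demo=$(mktemp -d)
mkdir -p "$demo/host/etc" "$demo/jail/etc" "$demo/jail/lib64"
echo "nameserver 192.0.2.53" > "$demo/host/etc/resolv.conf"
echo "127.0.0.1 localhost" > "$demo/host/etc/hosts"
cp "$demo/host/etc/hosts" "$demo/host/etc/resolv.conf" "$demo/jail/etc/"
: > "$demo/jail/lib64/libnss_dns.so.2"
echo "nameserver 192.0.2.54" > "$demo/host/etc/resolv.conf"   # host changes later
audit_chroot_resolver "$demo/jail" "$demo/host" || echo "chroot needs attention"
rm -rf "$demo"
```

On the server from this article the call is `audit_chroot_resolver /var/www`.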

Go to the site example.ru and admire its phpinfo() output.
P.S. inkvizitor68sl, the author of the Debian.pro blog, helped me figure out the settings.
NEW:

Installing Nginx 0.8.54

 apt-get update
 apt-get install libxml2-dev libbz2-dev libcurl4-openssl-dev libmcrypt-dev libmhash2 libmhash-dev libpcre3 libpcre3-dev make

 wget http://sysoev.ru/nginx/nginx-0.8.54.tar.gz
 tar zxf nginx-0.8.54.tar.gz
 cd nginx-0.8.54
 
 ./configure \
 --conf-path=/etc/nginx/nginx.conf \
 --error-log-path=/var/log/nginx/error.log \
 --http-client-body-temp-path=/var/lib/nginx/body \
 --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
 --http-log-path=/var/log/nginx/access.log \
 --http-proxy-temp-path=/var/lib/nginx/proxy \
 --lock-path=/var/lock/nginx.lock \
 --pid-path=/var/run/nginx.pid \
 --with-debug --with-http_dav_module \
 --with-http_gzip_static_module \
 --with-http_realip_module \
 --with-http_stub_status_module \
 --with-http_sub_module

 make && make install 

Debian "Squeeze"

To install the php-fpm package you will need:
 echo "deb http://packages.dotdeb.org squeeze all" >> /etc/apt/sources.list
 wget http://www.dotdeb.org/dotdeb.gpg && cat dotdeb.gpg | apt-key add - && aptitude update
UPD: Added a couple of lines to the MySQL installation; specifying localhost in the settings now works. Thanks to inkvizitor68sl.


Source: https://habr.com/ru/post/113101/

