
FAMP on pfsense using PHP-FPM

This article continues my previous publication, where installing packages that are not native to pfSense was considered using FAMP as the example. That approach has several flaws:
1. After installing the non-native PHP packages, native libraries and dependencies change. This causes PHP warnings (which can be disabled), and during the checksum verification phase glitches appear when installing a large native package; small pfSense packages, however, installed without problems.
2. The missing BSD start scripts had to be created by hand, since their absence caused warnings in the shell.
3. There is no integration with the pfSense web interface.

In this article I will try to correct the above disadvantages, bringing the project closer to a native pfSense package over subsequent publications.
The first drawback comes from the fact that all services in the system are tied to the php-fpm CLI, but the same property can be used to run PHP on the web server through FastCGI, thereby freeing Apache from php5_module and increasing the performance of the site.
There is one more pleasant point: there is no native Apache in its pure form, but there is an Apache-based ModSecurity package.
As stated in its description, ModSecurity is a web application firewall, designed to work either embedded or as a reverse proxy, and it is used to forward requests to web servers behind pfSense.
On closer examination it becomes clear that with certain manipulations this package can be turned into a full-fledged Apache.
So we have two components of FAMP, namely Apache and PHP, that are native to pfSense.
With MySQL it is more difficult: there is no native package for it. But the extended PHP does have the mysql.so extension. So we install MySQL and add the ability to start and stop the service from the pfSense web interface.

In the web interface
Free port 80 from the lighttpd-based web interface (move the webGUI to another port) and enable sshd.
First of all, install the Apache with mod_security_dev package.

MySQL. In the console:
 pkg update
 pkg install mysql56-server

Create a settings file /usr/local/etc/my.cnf
 [client]
 port = 3306
 socket = /var/tmp/mysql.sock
 default-character-set = utf8

 [mysqld]
 port = 3306
 socket = /var/tmp/mysql.sock
 init-connect='SET NAMES utf8'
 collation_server = utf8_unicode_ci
 character_set_server = utf8
 character_set_client = utf8
 character_set_filesystem = utf8


Initialize the system database:
 /usr/local/bin/mysql_install_db --basedir=/usr/local --defaults-extra-file=/usr/local/etc/my.cnf --datadir=/var/db/mysql --force


Create the start script /usr/local/etc/rc.d/mysql.sh:
 #!/bin/sh
 # /usr/local/etc/rc.d/mysql.sh: start/stop mysqld for the pfSense service list
 rc_start() {
     if [ ! -f /var/run/mysql/mysql.pid ]; then
         mkdir -p /var/run/mysql
         chown -R mysql:mysql /var/run/mysql
         # start in the background so the service start call returns
         /usr/local/libexec/mysqld --defaults-extra-file=/usr/local/etc/my.cnf --user=mysql --datadir=/var/db/mysql --pid-file=/var/run/mysql/mysql.pid &
     fi
 }
 rc_stop() {
     if [ -f /var/run/mysql/mysql.pid ]; then
         PID=`cat /var/run/mysql/mysql.pid`
         kill $PID
     else
         killall mysqld 2>/dev/null
     fi
 }
 case $1 in
     start)   rc_start ;;
     stop)    rc_stop ;;
     restart) rc_stop
              rc_start ;;
 esac

Set the execute bit and the ownership:
 chmod 755 /usr/local/etc/rc.d/mysql.sh
 chown -R mysql:mysql /var/db/mysql


Add the service to /cf/config.xml after the apache entry:

 <service>
   <name>mysql</name>
   <rcfile>mysql.sh</rcfile>
   <executable>mysqld</executable>
   <description><![CDATA[Mysql server]]></description>
 </service>


Delete the config cache
 rm /tmp/config.cache 


Go to the web interface, Status - Services,
and test starting and stopping the mysql service.

PHP. Add to the script /etc/rc.php_ini_setup,
before the line "; Extensions":
 mbstring.internal_encoding = UTF-8
 mbstring.func_overload = 2


after the line "; Extensions":
 extension = mysql.so
 extension = gd.so


Further down in the same file, change the settings responsible for php-fpm:
 listen = /var/run/php-fpm.socket
 listen.owner = www
 listen.group = www
 listen.mode = 0660


Apache setup
In the web interface, create a user for the virtual host:
System - User Manager - Groups - add a group www
Users tab - add the user bitrix in the www group
System - Packages - install FileManager
Using FileManager, create a directory for the web content: /home/bitrix/www
Services - Mod_Security - Virtual hosts - add a new one:
Enable
Protocol = Http
Server Names = bitrix.ru
www.bitrix.ru
Custom Options:

 <Directory "/home/bitrix/www">
   Options Indexes FollowSymLinks
   AllowOverride All
   Order allow,deny
   Allow from all
   Require all granted
 </Directory>
 DirectoryIndex index.php index.html
 LoadModule proxy_module libexec/apache24/mod_proxy.so
 LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
 ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm.socket|fcgi://127.0.0.1/home/bitrix/www


Reboot and open the test file /home/bitrix/www/test.php in a browser:
 <?php phpinfo(); ?> 


On the client machine, do not forget to edit /etc/hosts:
 192.168.100.1 bitrix.ru 
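The ownership and permission settings configured above (the 755 rc script, the mysql-owned data directory, the 0660 www:www php-fpm socket, the web root) and the ProxyPassMatch rule that hands *.php requests to php-fpm are easy to get subtly wrong, so here is a small audit script for them. It is an added example, not part of the original article or of pfSense: it assumes the article's paths (/usr/local/etc/rc.d/mysql.sh, /var/db/mysql, /var/run/php-fpm.socket, /home/bitrix/www) and the users www and mysql as defaults, all overridable through environment variables so the functions can be exercised against a test tree. The php_routed helper and its conclusion about names such as config.php.bak are this example's own reading of the article's regular expression, not something the article states.

```shell
#!/bin/sh
# Added post-install audit for the FAMP-on-pfSense layout above (not from the
# original article). Defaults are the article's paths and users; override them
# via environment variables. Uses `ls -ld`, so it runs on FreeBSD and Linux.

# Nine-character permission string of a path (e.g. "rwxr-xr-x"), with the
# file-type character and any ACL/attribute marker (+ @ .) stripped.
perm_of() {
    ls -ld "$1" 2>/dev/null | awk '{ sub(/[+@.]$/, "", $1); print substr($1, 2, 9) }'
}

# "user:group" of a path, empty if the path does not exist.
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }'
}

# check_perm PATH rwxr-xr-x  -> 0 when the permission bits match exactly
check_perm() {
    [ "$(perm_of "$1")" = "$2" ]
}

# check_owner PATH user:group -> 0 when owner and group match
check_owner() {
    [ "$(owner_of "$1")" = "$2" ]
}

# not_world_writable PATH -> 0 when the "other" write bit (position 8) is
# clear; a missing path is treated as a failure.
not_world_writable() {
    case "$(perm_of "$1")" in
        "")         return 1 ;;
        ???????w?)  return 1 ;;
        *)          return 0 ;;
    esac
}

# php_routed URI -> 0 when the article's ProxyPassMatch expression would hand
# the request to php-fpm. Anything else is served by Apache as a static file,
# so a leftover copy such as /config.php.bak would expose its source text.
PHP_ROUTE_RE='^/(.*\.php(/.*)?)$'
php_routed() {
    printf '%s\n' "$1" | grep -Eq "$PHP_ROUTE_RE"
}

# audit_famp -> number of failed checks (0 = clean). Details go to stderr.
audit_famp() {
    rc_script="${RC_SCRIPT:-/usr/local/etc/rc.d/mysql.sh}"
    datadir="${MYSQL_DATADIR:-/var/db/mysql}"
    sock="${FPM_SOCKET:-/var/run/php-fpm.socket}"
    webroot="${WEBROOT:-/home/bitrix/www}"
    fpm_owner="${FPM_OWNER:-www:www}"
    mysql_owner="${MYSQL_OWNER:-mysql:mysql}"
    failed=0
    fail() { echo "FAIL: $1" >&2; failed=$((failed + 1)); }

    # chmod 755 mysql.sh and chown -R mysql:mysql /var/db/mysql, as in the article
    check_perm "$rc_script" rwxr-xr-x     || fail "$rc_script should be mode 755"
    check_owner "$datadir" "$mysql_owner" || fail "$datadir should be owned by $mysql_owner"
    # listen.mode = 0660 with listen.owner/group = www: only Apache (running
    # as www) can talk to php-fpm; other local accounts cannot push FastCGI
    # requests into it
    check_perm "$sock" rw-rw----          || fail "$sock should be mode 0660"
    check_owner "$sock" "$fpm_owner"      || fail "$sock should be owned by $fpm_owner"
    # the CMS tree must not be writable by arbitrary local users
    not_world_writable "$webroot"         || fail "$webroot is world-writable or missing"
    # stray source copies in the web root are served verbatim (see php_routed)
    for f in "$webroot"/*.php.*; do
        [ -e "$f" ] && fail "$f would be served as static text"
    done
    return "$failed"
}

# Run the audit only when executed directly as famp_audit.sh, not when sourced.
case "$0" in *famp_audit.sh) audit_famp ;; esac
```

Save it as famp_audit.sh on the pfSense box and run it after the reboot; a non-zero exit code is the number of checks that failed, each explained on stderr. To try it elsewhere, source the file and call audit_famp with the RC_SCRIPT, MYSQL_DATADIR, FPM_SOCKET, WEBROOT, FPM_OWNER and MYSQL_OWNER variables pointed at a scratch directory.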


That's all, but most CMS require the php55-gd graphics package,
which, when installed, pulls in its dependencies, including php55 itself, which is not good.
Therefore we install only the dependencies:

 pkg install freetype2 jpeg libxml2 pcre png t1lib libXaw xproto printproto libXpm libXext xextproto libXau libX11 libxcb libXdmcp libpthread-stubs kbproto libXt libSM libICE libXp libXmu 


Then unpack the package itself into the root of the system:
 cd /
 fetch http://pkg.freebsd.org/freebsd:9:x86:64/latest/All/php55-gd-5.5.22.txz
 tar xpf php55-gd-5.5.22.txz
 rm php55-gd-5.5.22.txz


Reboot and install our CMS:
 fetch http://www.1c-bitrix.ru/download/business_encode_php5.tar.gz
 tar xpf business_encode_php5.tar.gz

In the case of Bitrix there will be one error:
Processing .htaccess - Disabled
It occurs because of php-fpm and the security settings. This is an oversight of Bitrix itself; ignore the error.

We have a working solution, with services integrated into pfSense and convenient control through the web interface.

Source: https://habr.com/ru/post/254965/

