This ticket is mostly a tracker for a proposal: "support for PHP WebApp with Nginx (out-of-the-box)". Open for discussion, feedback.

For now most webapps provide a httpd configuration and work "out-of-the-box" with http + mod_php.

Goal: change packaging of nginx + php + webapp to allow the same thing.

Issue:
- most important thing is to be able to drop a working configuration with php-fpm, and with every webapp, including a "global" alias.
- include conf.d/*conf is at http level, so can contain "server" definitions, but cannot contain "location"

Change proposal

1/ create a minimal subpackage "nginx-filesystem" (as httpd-filesystem) to have ownership on configuration/content directories, without having to require nginx (so a webapp can drop a file in both httpd and nginx configuration dir)

    Requires: httpd-filesystem, nginx-filesystem, webserver

2/ move the default server configuration in /etc/nginx/conf.d/default.conf

this is not mandatory, but can make things simpler.

3/ move index directive out of location

this allows override (in global includes)

4/ global includes

Before default location, for global definition at "server" level

    include global.d/*.conf;

5/ php-fpm => /etc/nginx/fpm.conf

Configuration for the default FastCGI server

    # PHP-FPM FastCGI server
    fastcgi_pass 127.0.0.1:9000;

And Requires: nginx-filesystem

6/ php-fpm /etc/nginx/global.d/99-php.conf

Need a numerical prefix to ensure load order (after the webapp)

    # pass the PHP scripts to FastCGI server
    #
    # See fpm.conf for address/port
    #
    index index.php;

    location ~ \.php$ {
        root html;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        include fastcgi_params;
        include fpm.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

===> with this change, when nginx + php-fpm are installed, php scripts will work out-of-the-box (for scripts in documentroot)

7/ phpMyAdmin (well known webapp, for example, PoC)

- add the /etc/nginx/global.d/phpMyAdmin.conf

    location /phpMyAdmin/ {
        alias /usr/share/phpMyAdmin/;
    }

    location ~ ^/phpMyAdmin/(.+\.php)$ {
        fastcgi_intercept_errors on;
        include fastcgi_params;
        include fpm.conf;
        fastcgi_param SCRIPT_FILENAME /usr/share$fastcgi_script_name;
    }

Notice: if a web app uses php_* directives in http config file, those must be conditional, so the webapp could work with
- apache + mod_php
- apache + php-fpm
- nginx + php-fpm

===> phpMyAdmin should also work "out-of-the-box"

Notice, I'm not a nginx expert, so perhaps we can do it simpler. But, this is only a quick and dirty PoC, and from my test, it works
Adding Robert (phpMyAdmin) and Adam (OwnCloud) to have more people onboard.
I think this sounds like a fantastic idea, and I'd be willing to help out with testing its implementation.
Perhaps better

5/ php-fpm => /etc/nginx/conf.d/php-fpm.conf

Configuration for the default FastCGI server

    # PHP-FPM FastCGI server
    upstream php-fpm {
        server 127.0.0.1:9000;
    }

And for 6 and 7, - include fpm.conf; + fastcgi_pass php-fpm;
SGTM. I know little about nginx either. ownCloud ships an nginx config but I don't know if it works at all, let alone OOTB. Testing it was on my list of Stuff To Do When I Get Time, and would help me learn nginx.
I am happy to add additional default configurations, however stuff still needs to work for the IMHO most common case (mod_php + httpd). How does it work practically regarding owned directories being writable to Apache? Is Nginx using the same group? I am sorry, I am not a nginx user thus I would need help and input here.
(In reply to Robert Scheck from comment #5)
> How does it work practically regarding owned directories being writable to
> Apache? Is Nginx using the same group?

nginx redirects php scripts to php-fpm, and the default provided pool runs under the "apache" account (and also inherits selinux from httpd). So for directory ownership, "apache" is fine.
People interested can look at http://pkgs.fedoraproject.org/cgit/nginx.git?h=private-remi-1142298
Created attachment 938527 php-fpm.conf /etc/nginx/conf.d/php-fpm.conf => PHP-FPM FastCGI server
Created attachment 938528 90-php.conf /etc/nginx/global.d/90-php.conf
Created attachment 938529 50-phpMyAdmin.conf /etc/nginx/global.d/50-phpMyAdmin.conf
Created attachment 938530 50-glpi.conf /etc/nginx/global.d/50-glpi.conf
Created attachment 938857 50-phpMyAdmin.conf /etc/nginx/global.d/50-phpMyAdmin.conf
Did you verify that your config isn't vulnerable to the common nginx + php misconfigurations that can lead to vulnerabilities? Much documentation in the past few years tells people how to do it wrong. =(
@Warren, thanks for the notice. Of course we should provide a secured configuration. Please remind that this is only a PoC. I'm absolutely not a nginx expert, just trying to improve things, as I think that the current configuration is a terrible mess. But perhaps people think it is better to provide everything disabled and let sysadmins manage their own configuration (and fall in the common configuration and security mistakes). Perhaps it will be a good idea to ask some upstream guy to review this proposal. Some people ask me to propose this as a feature for F22, but I don't want to own such a feature. This is a nginx one, I can help (on the PHP and webapp side), but obviously cannot do all the work. Now, if nginx owners are not interested, feel free to close this tracker as "wontfix".
Hi! nginx package owner here. Looks like a great proposal. Thanks for the work! I'll take a look at the changes. Comments to follow. (NB: Busy $DAYJOB schedule this week and next. Input may be sporadic/slow.)
Just pushed two changes to rawhide: split into nginx-filesystem subpackage, and create /etc/nginx/default.d directory.

(1) I chose "default.d" over "global.d" because it applies configuration to the default server block. Additional server blocks can be specified by dropping files in "conf.d". However, none of these blocks are affected by any configuration in "global.d" (unless the admin Includes it themselves), which makes the term "global" seem inappropriate to me. However, I'm willing to be convinced otherwise.

(2) I also decided not to split the default server block into a separate default.conf. In many cases, admins will delete default.conf if they do not need it. If the next update of nginx changes default.conf, it will create "conf.d/default.conf" again and may cause problems/conflicts for their configuration (since all files in conf.d/*.conf are included). If we keep the default server block in nginx.conf, we don't have this problem. Again, I'm willing to be convinced otherwise.
Created attachment 940080 Configuration for OwnCloud. Adapted from the configuration supplied by OwnCloud upstream. Gets to login page, not tested further.
Not familiar with glpi, but a configuration below may be better.

(1) http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
Add try_files.

(2) http://forum.nginx.org/read.php?2,174517,174534#msg-174534
Nested locations (which gives some performance boost if we are dumping loads of locations with regexps into files in "default.d").

(3) http://nginx.org/en/docs/http/ngx_http_core_module.html#alias
"root" better than "alias" when location matches last part of directive's value.

(4) http://wiki.nginx.org/Pitfalls#FastCGI_Path_in_Script_Filename
Better to have $document_root than absolute path.

(5) Added "allow 127.0.0.1;" so that I could access the default page, but not familiar enough with glpi to know whether this is a bad idea.

    location /glpi/ {
        root /usr/share;
        index index.php;

        location ~ ^/glpi/config/(.+)$ {
            deny all;
        }

        location ~ ^/glpi/scripts/(.+)$ {
            deny all;
        }

        location /glpi/install/mysql {
            deny all;
        }

        location ~ ^/glpi/install/(.+\.php)$ {
            allow 127.0.0.1;
            deny all;
            try_files $uri =404;
            fastcgi_intercept_errors on;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php-fpm;
        }

        location ~ ^/glpi/(.+\.php)$ {
            try_files $uri =404;
            fastcgi_intercept_errors on;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php-fpm;
        }
    }
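A minimal check for two of the points listed above (missing try_files, hard-coded SCRIPT_FILENAME), as an added example that is not part of the ticket or of the nginx/PHP packages. The sample blocks are constructed; the parser assumes fastcgi_pass is written in the block itself, does not follow include, and does not handle quoted braces.

```python
import re
# Constructed samples shaped like the first phpMyAdmin PoC and the reviewed GLPI config.
WEAK = r"""
location ~ ^/phpMyAdmin/(.+\.php)$ {
    fastcgi_param SCRIPT_FILENAME /usr/share$fastcgi_script_name;
    fastcgi_pass php-fpm;
}
"""
HARDENED = r"""
location /glpi/ {
    root /usr/share;
    location ~ ^/glpi/config/(.+)$ { deny all; }
    location ~ ^/glpi/(.+\.php)$ {
        try_files $uri =404;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
    }
}
"""

def check(header, directives):
    """Findings for one block, judged on the directives written directly in it."""
    names = {d[0] for d in directives}
    if "fastcgi_pass" not in names:
        return []
    out = []
    if "try_files" not in names:
        out.append((header, "no try_files: URIs with no matching file still reach PHP-FPM"))
    for d in directives:
        if d[:2] == ["fastcgi_param", "SCRIPT_FILENAME"] and len(d) > 2:
            if not d[2].startswith(("$document_root", "$request_filename")):
                out.append((header, "SCRIPT_FILENAME uses a hard-coded path: " + d[2]))
    return out

def audit(conf):
    """Walk the brace structure and check every block, nested ones included."""
    findings, stack, buf = [], [], ""
    for ch in re.sub(r"#[^\n]*", "", conf):  # drop comments first
        if ch == "{":
            stack.append((" ".join(buf.split()), []))
        elif ch == ";" and stack and buf.split():
            stack[-1][1].append(buf.split())
        elif ch == "}" and stack:
            findings += check(*stack.pop())
        buf = "" if ch in "{};" else buf + ch
    return findings

if __name__ == "__main__":
    print(*audit(WEAK), *audit(HARDENED), sep="\n")
```

Pointing `audit()` at the text of each file dropped into default.d gives a quick pre-packaging review; an empty list means neither pattern was found, not that the configuration is otherwise safe.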
Thanks for the

(In reply to Jamie Nguyen from comment #16)
> Just pushed two changes to rawhide: split into nginx-filesystem subpackage,
> and create /etc/nginx/default.d directory.

Thanks, looks good (will run more tests tomorrow).

(In reply to Jamie Nguyen from comment #18)
> Not familiar with glpi, but a configuration below may be better.

Thanks, yes previous config was not perfect... I haven't found a good/working solution to protect "install" from remote usage

As I already said, I'm not a nginx expert ;)
I've also now pushed commits to create nginx-filesystem subpackage on f20/f19/epel7/el6.
For EPEL we need to find a way to provide the php configuration files, as these very probably won't be provided by php-fpm.
Notice, for GLPI (and perhaps other applications which rely on server_name), I have to have (closer to apache behavior)

-fastcgi_param SERVER_NAME $server_name; +fastcgi_param SERVER_NAME $host;

Probably I can keep this in glpi specific config file.

For the default host... having $_SERVER['SERVER_NAME'] set to "localhost" doesn't seem to be a very good value...
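Review bot: on the `+fastcgi_param SERVER_NAME $host;` line, `$host` is derived from the request (its Host header when one is sent), so `$_SERVER['SERVER_NAME']` becomes a client-supplied value, whereas `$server_name` comes from the server block. Keeping the override in the GLPI-specific file, as proposed, confines it to one application; setting an explicit `server_name` for the hosts GLPI should answer on would keep unexpected Host values from reaching it.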
@Jamie, can you please review the conf.d/fpm.conf and default.d/90-php.conf so I can add them on next PHP build ? Notice according to doc (location definition shouldn't matter) I shouldn't have to add this numeric prefix... so I need to run more tests.
conf.d/php-fpm.conf is fine. I'd go with this for php.conf.

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_intercept_errors on;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
    }

AFAIK, assuming we have a distinct subdirectory for every web-app, it shouldn't be necessary to have a numeric prefix for every file.
Created attachment 940411 php.conf
Created attachment 940412 glpi.conf
Created attachment 940414 phpMyAdmin.conf
Testing nginx-1.6.2-2 with the above additional file, everything seems ok:
- PHP from default docroot (/usr/share/nginx/html)
- phpMyAdmin
- GLPI
Changes applied in PHP / rawhide: http://pkgs.fedoraproject.org/cgit/php.git/commit/?id=48afca509a51449e7bcfc8361304839b95ea8a93 @Jamie: I noticed nginx-1.6.2-2.fc21 is built with the needed changes, but I can't find any F21 update in Bodhi ?
(In reply to Remi Collet from comment #29)
> Changes applied in PHP / rawhide:
> http://pkgs.fedoraproject.org/cgit/php.git/commit/?id=48afca509a51449e7bcfc8361304839b95ea8a93
>
> @Jamie: I noticed nginx-1.6.2-2.fc21 is built with the needed changes, but I
> can't find any F21 update in Bodhi ?

Oops. Update submitted. I forgot that f21 needs updates to be requested now.
nginx-1.6.2-4.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/nginx-1.6.2-4.fc21
nginx-1.4.7-5.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/nginx-1.4.7-5.fc20
nginx-1.4.7-5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/nginx-1.4.7-5.fc19
nginx-1.6.2-4.el7 has been submitted as an update for Fedora EPEL 7. https://admin.fedoraproject.org/updates/nginx-1.6.2-4.el7
nginx-1.0.15-10.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/nginx-1.0.15-10.el6
Package nginx-1.0.15-10.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing nginx-1.0.15-10.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-3561/nginx-1.0.15-10.el6
then log in and leave karma (feedback).
nginx-1.6.2-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.4.7-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.4.7-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.0.15-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.6.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.