
php-fpm and hiawatha in separate jails on FreeBSD 10

ickeeisbaer
11 June 2014, 17:39
As described here (https://www.hiawatha-webserver.org/forum/topic/1617), I was trying to set up a secure webserver using Hiawatha and PHP-FPM separated into jails.
Still, no PHP output is possible. I get Error 500. The log says:

/usr/local/www/php/info.php|no output

My config has not changed much since the last topic:
# Hiawatha Configuration File
ConnectionsTotal = 250
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

# BINDING SETTINGS
Binding {
Port = 80
Interface = 10.0.0.2
MaxKeepAlive = 30
TimeForRequest = 3,20
}

Binding {
Port = 443
Interface = 10.0.0.2
MaxKeepAlive = 30
TimeForRequest = 3,20
SSLcertFile = /usr/local/etc/hiawatha/serverkey.pem
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

# DEFAULT WEBSITE
Hostname = 10.0.0.2
WebsiteRoot = /usr/local/www/hiawatha
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

FastCGIserver {
FastCGIid = php-fpm
ConnectTo = 10.0.0.6:9000
Extension = php, php5
SessionTimeout = 10
}

# VIRTUAL HOSTS
VirtualHost {
Hostname = php.MYDOMAIN.de
WebsiteRoot = /usr/local/www/php
StartFile = info.php
UseFastCGI = php-fpm
TriggerOnCGIstatus = yes
}

My php-fpm.conf (PHP in a separate jail) is the standard one, with

chdir = /
listen = 10.0.0.6:9000
listen.allowed_clients = any

My Jails are stored in

/jails/php and /jails/www .

Both use a shared directory, mounted via nullfs at the same relative path (/usr/local/www), which contains the website.

My pf.conf looks like:
ext_if="bge0"
jail_if="lo1"

tcp_pass = "{80, 110, 143, 443, 2031}"
udp_pass = "{80, 2031}"
icmp_types = "echoreq"


IP_PUB="192.168.1.5"
NET_JAIL="10.0.0.0/24"

WWW="10.0.0.2"
PHP="10.0.0.6"

PORT_PHP="{9000}"

table <intranet> { 192.168.1.0/24 }
table <bruteforce> persist
table <sshguard> persist

set block-policy drop
set skip on lo1
# set skip on bge0
set loginterface bge0
set optimization normal
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

scrub out all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub in all min-ttl 15 fragment reassemble random-id

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# PHP
rdr pass on $jail_if proto tcp from any to $PHP port $PORT_PHP -> $PHP
# WWW
rdr pass on $ext_if inet proto tcp to port http -> $WWW port http
rdr pass on $ext_if inet proto tcp to port https -> $WWW port https

# RULES
antispoof for $ext_if inet

# Block IPV6-Connections
block out quick inet6 all
block in quick inet6 all

block log all
block return
block in all

block in quick on $ext_if proto tcp from <sshguard> to any port {22, 2031} label "ssh bruteforce"

block in quick from { urpf-failed no-route } to any
block quick from <bruteforce>
pass in quick from <intranet> to any keep state
pass in on $ext_if proto tcp from any to any port $tcp_pass flags S/SA keep state (max-src-conn 250, max-src-conn-rate 20/2, overload <bruteforce> flush global)
pass in on $ext_if proto udp from any to any port $udp_pass keep state

pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

pass quick on $jail_if proto tcp from $WWW to $PHP
pass quick on $jail_if proto tcp from $PHP to $WWW

pass out quick on $ext_if inet keep state

# PING #
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE #
pass in on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

I guess there is still no connection between Hiawatha and php-fpm, but how do I fix it?

FreeBSD_Machine
|----/jails (192.168.1.5)
|---php (10.0.0.6)
|---www (10.0.0.2)
|----/usr
|---local
|--www
|-php
|-info.php
|...

Hiawatha version: 9.5
Operating System: FreeBSD 10 (64 Bit)
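The post above describes a setup where Hiawatha (in the www jail, 10.0.0.2) hands requests to php-fpm (in the php jail, 10.0.0.6:9000) and gets "no output" back. One way to narrow that down is to leave Hiawatha out of the picture and speak FastCGI to php-fpm directly from the www jail: a connection failure points at the network path (pf, jail interface), while a response from php-fpm points at what php-fpm sees (the SCRIPT_FILENAME path as visible inside its own jail). The following client is an added example, not code from the original post or from Hiawatha or PHP; the host, port and script path are taken from the post, and the interpretation of the results in the comments is the editor's assumption.

```python
#!/usr/bin/env python3
"""Minimal FastCGI responder client for probing a php-fpm TCP listener directly.

Example (run inside the www jail, values taken from the post):
    python3 fcgi_probe.py 10.0.0.6 9000 /usr/local/www/php/info.php /usr/local/www/php
"""
import socket
import struct
import sys

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST = 1, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 4, 5, 6, 7
FCGI_RESPONDER = 1
# Record header: version, type, requestId, contentLength, paddingLength, reserved
HEADER = struct.Struct("!BBHHBx")


def encode_record(rec_type: int, content: bytes, request_id: int = 1) -> bytes:
    """Frame one FastCGI record, padding the body to an 8-byte boundary."""
    padding = (-len(content)) % 8
    head = HEADER.pack(FCGI_VERSION, rec_type, request_id, len(content), padding)
    return head + content + b"\0" * padding


def encode_length(n: int) -> bytes:
    """Name/value length: one byte below 128, else four bytes with the top bit set."""
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)


def encode_params(params: dict) -> bytes:
    """Serialise CGI variables as FastCGI name-value pairs."""
    out = b""
    for name, value in params.items():
        name_b, value_b = name.encode(), value.encode()
        out += encode_length(len(name_b)) + encode_length(len(value_b)) + name_b + value_b
    return out


def build_request(params: dict, request_id: int = 1) -> bytes:
    """BEGIN_REQUEST + PARAMS + empty PARAMS + empty STDIN: a complete GET to a responder."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)  # role, flags=0 (close after request)
    return (encode_record(FCGI_BEGIN_REQUEST, begin, request_id)
            + encode_record(FCGI_PARAMS, encode_params(params), request_id)
            + encode_record(FCGI_PARAMS, b"", request_id)
            + encode_record(FCGI_STDIN, b"", request_id))


def parse_records(data: bytes):
    """Yield (type, request_id, content) for every complete record in data."""
    offset = 0
    while offset + HEADER.size <= len(data):
        _ver, rec_type, request_id, length, padding = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        body = data[offset:offset + length]
        if len(body) < length:
            break  # truncated record; stop rather than misparse
        yield rec_type, request_id, body
        offset += length + padding


def decode_response(data: bytes) -> dict:
    """Collect STDOUT, STDERR and the END_REQUEST status codes from a raw response."""
    result = {"stdout": b"", "stderr": b"", "app_status": None, "protocol_status": None}
    for rec_type, _rid, body in parse_records(data):
        if rec_type == FCGI_STDOUT:
            result["stdout"] += body
        elif rec_type == FCGI_STDERR:
            result["stderr"] += body
        elif rec_type == FCGI_END_REQUEST:
            result["app_status"], result["protocol_status"] = struct.unpack("!IB3x", body)
    return result


def php_fpm_probe(host: str, port: int, script: str, docroot: str, timeout: float = 5.0) -> dict:
    """Send one GET for `script` to php-fpm and return the decoded response."""
    params = {
        "GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": "GET", "SERVER_PROTOCOL": "HTTP/1.1",
        "SCRIPT_FILENAME": script, "DOCUMENT_ROOT": docroot,
        "SCRIPT_NAME": "/" + script.rsplit("/", 1)[-1], "REQUEST_URI": "/" + script.rsplit("/", 1)[-1],
        "QUERY_STRING": "", "CONTENT_LENGTH": "0", "CONTENT_TYPE": "",
        "SERVER_NAME": host, "SERVER_PORT": str(port), "REMOTE_ADDR": "127.0.0.1",
    }
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(params))
        while True:  # php-fpm closes the connection after END_REQUEST when flags=0
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return decode_response(b"".join(chunks))


if __name__ == "__main__":
    host, port, script, docroot = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    try:
        resp = php_fpm_probe(host, port, script, docroot)
    except OSError as exc:
        # Assumption: a refused/timed-out TCP connect means the www->php path itself is broken.
        sys.exit("no FastCGI connection to %s:%d: %s" % (host, port, exc))
    # php-fpm typically answers a path it cannot see with "Primary script unknown" on STDERR.
    print("protocol_status=%s app_status=%s" % (resp["protocol_status"], resp["app_status"]))
    print("STDERR:", resp["stderr"].decode(errors="replace"))
    print("STDOUT:", resp["stdout"].decode(errors="replace")[:1000])
```

Run it from inside the www jail so it uses the same source address and pf path as Hiawatha does; an empty STDOUT with an END_REQUEST record is the same condition Hiawatha reports as "no output", and whatever arrives on STDERR is php-fpm's own explanation, which Hiawatha does not log in this message.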
Hugo Leisink
11 June 2014, 23:28
I'm not really familiar with FreeBSD and definitely not with jails. So, I'm afraid I can't help you with this.
René
13 June 2014, 11:05
Why don't you ask this in the FreeBSD Forums [forums.freebsd.org]? They can tell you whether your scenario works or not.
ickeeisbaer
13 June 2014, 22:48
Thank you for your replies. I've already written a post in the FreeBSD Forums, though I am still waiting for a productive reply.
This topic has been closed.