FPM Linux/Ansible Doc

AxyFr 2022-07-18 17:20:58 +02:00
parent 4d61e96e47
commit eca010231c

@ -1822,53 +1822,178 @@ The following settings can be used :
We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine. We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine.
You have to install php-fpm
```shell
apt install php-fpm
```
Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file : Configuration of BunkerWeb is done by editing the `/opt/bunkerweb/variables.env` file :
```conf Depanding of your system, you may need to change ```LOCAL_PHP_PATH```.
SERVER_NAME=www.example.com
HTTP_PORT=80 === "Ubuntu"
HTTPS_PORT=443 ```conf
DNS_RESOLVERS=8.8.8.8 8.8.4.4 SERVER_NAME=www.example.com
USE_REVERSE_PROXY=yes HTTP_PORT=80
REVERSE_PROXY_URL=/ HTTPS_PORT=443
REVERSE_PROXY_HOST=http://127.0.0.1:8000 DNS_RESOLVERS=8.8.8.8 8.8.4.4
``` DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
=== "Debian"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
=== "CentOs"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php-fpm/www.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
=== "Fedora"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php-fpm/www.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
Let's check the status of BunkerWeb : Let's check the status of BunkerWeb :
```shell ```shell
systemctl status bunkerweb systemctl status bunkerweb
``` ```
If it's already running we can just reload it : If it's already running we can just reload it :
```shell ```shell
systemctl reload bunkerweb systemctl reload bunkerweb
``` ```
Otherwise, we will need to start it : Then you will have to install php-fpm
```shell ```shell
systemctl start bunkerweb apt install php-fpm
``` ```
Depending on your system, the configuration of the php-fpm service may change:
=== "Ubuntu"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Debian"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "CentOs"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Fedora"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
Reload the php-fpm service :
```shell
systemctl reload php-fpm
```
=== "Ansible" === "Ansible"
When the variable `custom_configs` is set to "true" , you could use the You will need to add the settings to your `variables.env` file accordingly to your system :
`custom_configs_path[]` variable to write the configs to the /opt/bunkerweb/configs folder.
Here is an example for server-http/hello-world.conf : === "Ubuntu"
```conf ```conf
location /hello { SERVER_NAME=www.example.com
default_type 'text/plain'; HTTP_PORT=80
content_by_lua_block { HTTPS_PORT=443
ngx.say('world') DNS_RESOLVERS=8.8.8.8 8.8.4.4
} DISABLE_DEFAULT_SERVER=no
} USE_CLIENT_CACHE=yes
``` USE_GZIP=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb : === "Debian"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php/php-fpm.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
=== "CentOs"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php-fpm/www.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
=== "Fedora"
```conf
SERVER_NAME=www.example.com
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
LOCAL_PHP=/run/php-fpm/www.sock
LOCAL_PHP_PATH=/opt/bunkerweb/www/
```
In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb and `custom_site` to add your own site configuration :
```yaml ```yaml
all: all:
children: children:
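Review bot: `apt install php-fpm` is the only install command in the new Linux section, but the tabs around it cover CentOs and Fedora, where apt is not the package manager; give the command per tab or say which systems it applies to. The new intro sentence says you may need to change `LOCAL_PHP_PATH` ("Depanding of" should be "Depending on", and the inline code should use single backticks), yet the value that differs between the tabs is `LOCAL_PHP` (`/run/php/php-fpm.sock` versus `/run/php-fpm/www.sock`), while `LOCAL_PHP_PATH` is identical in all four. The `systemctl start bunkerweb` step for a service that is not yet running is replaced by the php-fpm install, so that case is no longer documented.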
@ -1876,14 +2001,8 @@ The following settings can be used :
hosts: hosts:
"Your_IP_Address": "Your_IP_Address":
vars: vars:
custom_configs: true variables_env: ../variables.env,
custom_configs_path: { custom_site=../site
server-http: ../hello-world.conf,
#http: ../http.conf,
#default-server-http: ../default-server-http.conf,
#modsec-crs: ../modsec-crs,
#modsec: ../modsec
}
``` ```
Or in INI format : Or in INI format :
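Review bot: the two new entries under `vars:` are not valid YAML as written. `variables_env: ../variables.env,` ends with a comma that YAML treats as part of the value, and `custom_site=../site` uses `=` so it is not a `key: value` mapping entry. Suggest `variables_env: ../variables.env` and `custom_site: ../site`, each on its own line at the same indentation.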
@ -1892,8 +2011,8 @@ The following settings can be used :
host host
[all:vars] [all:vars]
custom_configs=true variables_env = ../variables.env
custom_configs_path={'server-http': '../hello-world.conf', 'http': '../http.conf', 'default-server-http': '../default-server-http.conf', 'modsec-crs': '../modsec-crs', 'modsec': '../modsec'} custom_site = ../site
``` ```
Run the playbook : Run the playbook :
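Review bot: `custom_site = ../site` is introduced here with no description of what the `../site` directory must contain or where it ends up on the managed host, and both paths are relative without saying relative to what. A sentence tying `custom_site` to the `LOCAL_PHP_PATH=/opt/bunkerweb/www/` value used in the variables.env examples would make the inventory usable on its own.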
@ -1901,6 +2020,57 @@ The following settings can be used :
ansible-playbook -i inventory.yml playbook.yml ansible-playbook -i inventory.yml playbook.yml
``` ```
Then you will have to install php-fpm
```shell
apt install php-fpm
```
Depending on your system, the configuration of the php-fpm service may change:
=== "Ubuntu"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Debian"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "CentOs"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Fedora"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
Reload the php-fpm service :
```shell
systemctl reload php-fpm
```
### Multiple applications ### Multiple applications
=== "Docker" === "Docker"
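Review bot: every tab of the added php-fpm block sets `user = nginx` and `group = nginx` for the `[www]` pool, directly after stating that the default is "www-data" or "apache", and gives no reason for the change. With these lines the PHP application code runs under the same account the socket is opened to, so nothing separates the web server from the application it fronts. If the aim is only to let the web server reach the socket, `listen.owner = nginx` and `listen.group = nginx` are the settings that control that and the pool could keep its default user; please either explain why the pool user must change or reduce the snippet to the two `listen.*` lines.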
@ -2124,42 +2294,207 @@ The following settings can be used :
=== "Linux" === "Linux"
When using the [Linux integration](/1.4/integrations/#linux), custom configurations must be written to the /opt/bunkerweb/configs folder. We will assume that you already have the [Linux integration](/1.4/integrations/#linux) stack running on your machine.
Here is an example for server-http/hello-world.conf : If you have multiple services to protect, the easiest way to do it is by enabling the “multisite” mode. When using multisite, bunkerized-nginx will create one server block per server defined in the SERVER_NAME environment variable. You can configure each servers independently by adding the server name as a prefix.
```conf
location /hello {
default_type 'text/plain';
content_by_lua_block {
ngx.say('world')
}
}
```
Because BunkerWeb runs as an unprivileged user (nginx:nginx), you will need to edit the permissions : === "Ubuntu"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
=== "Debian"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
=== "CentOs"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app2.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
=== "Fedora"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app2.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
When using the multisite mode, some special folders must have a specific structure with subfolders named the same as the servers defined in the `SERVER_NAME` environment variable. Lets take the app2.example.com as an example : if some static files need to be served by nginx, you need to place them under www/app2.example.com.
Let's check the status of BunkerWeb :
```shell ```shell
chown -R root:nginx /opt/bunkerweb/configs && \ systemctl status bunkerweb
chmod -R 770 /opt/bunkerweb/configs ```
If it's already running we can just reload it :
```shell
systemctl reload bunkerweb
``` ```
Don't forget to reload the bunkerweb service once it's done. Then you will have to install php-fpm
```shell
apt install php-fpm
```
Depending on your system, the configuration of the php-fpm service may change:
=== "Ubuntu"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Debian"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "CentOs"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Fedora"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
Reload the php-fpm service :
```shell
systemctl reload php-fpm
```
=== "Ansible" === "Ansible"
When the variable `custom_configs` is set to "true" , you could use the You will need to add the settings to your `variables.env` file accordingly to your system :
`custom_configs_path[]` variable to write the configs to the /opt/bunkerweb/configs folder.
Here is an example for server-http/hello-world.conf : === "Ubuntu"
```conf ```conf
location /hello { SERVER_NAME=app1.example.com app2.example.com
default_type 'text/plain'; MULTISITE=yes
content_by_lua_block { HTTP_PORT=80
ngx.say('world') HTTPS_PORT=443
} DNS_RESOLVERS=8.8.8.8 8.8.4.4
} DISABLE_DEFAULT_SERVER=no
``` USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb : === "Debian"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app2.example.com_LOCAL_PHP=/run/php/php-fpm.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
=== "CentOs"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app2.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
=== "Fedora"
```conf
SERVER_NAME=app1.example.com app2.example.com
MULTISITE=yes
HTTP_PORT=80
HTTPS_PORT=443
DNS_RESOLVERS=8.8.8.8 8.8.4.4
DISABLE_DEFAULT_SERVER=no
USE_CLIENT_CACHE=yes
USE_GZIP=yes
app1.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app2.example.com_LOCAL_PHP=/run/php-fpm/www.sock
app1.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app1.example.com
app2.example.com_LOCAL_PHP_PATH=/opt/bunkerweb/www/app2.example.com
```
When using the multisite mode, some special folders must have a specific structure with subfolders named the same as the servers defined in the `SERVER_NAME` environment variable. Lets take the app2.example.com as an example : if some static files need to be served by nginx, you need to place them under www/app2.example.com.
In your Ansible inventory, you can use the `variables_env` variable to configure BunkerWeb and `custom_site` to add your own site configuration :
```yaml ```yaml
all: all:
children: children:
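Review bot: in all the multisite tabs `app1.example.com_LOCAL_PHP` and `app2.example.com_LOCAL_PHP` point at the same socket, so both sites are executed by one php-fpm pool under one user and only `LOCAL_PHP_PATH` tells them apart. If per-site isolation is intended, show one pool and one socket per site; if sharing is intended, say so next to the example. Minor wording in the added paragraphs: "bunkerized-nginx" where the rest of the page says BunkerWeb, "each servers" should be "each server", and "Lets take" should be "Let's take". The removed `chown`/`chmod` step on /opt/bunkerweb/configs has no counterpart for /opt/bunkerweb/www, so the ownership the site folders need is not stated.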
@ -2167,14 +2502,8 @@ The following settings can be used :
hosts: hosts:
"Your_IP_Address": "Your_IP_Address":
vars: vars:
custom_configs: true variables_env: ../variables.env,
custom_configs_path: { custom_site=../site
server-http: ../hello-world.conf,
#http: ../http.conf,
#default-server-http: ../default-server-http.conf,
#modsec-crs: ../modsec-crs,
#modsec: ../modsec
}
``` ```
Or in INI format : Or in INI format :
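Review bot: the multisite inventory's `vars:` block has a trailing comma on `variables_env: ../variables.env,` and writes `custom_site=../site` with `=`, neither of which parses as intended in YAML. Use `variables_env: ../variables.env` and `custom_site: ../site` on separate lines.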
@ -2183,11 +2512,62 @@ The following settings can be used :
host host
[all:vars] [all:vars]
custom_configs=true variables_env = ../variables.env
custom_configs_path={'server-http': '../hello-world.conf', 'http': '../http.conf', 'default-server-http': '../default-server-http.conf', 'modsec-crs': '../modsec-crs', 'modsec': '../modsec'} custom_site = ../site
``` ```
Run the playbook : Run the playbook :
```shell ```shell
ansible-playbook -i inventory.yml playbook.yml ansible-playbook -i inventory.yml playbook.yml
```
Then you will have to install php-fpm
```shell
apt install php-fpm
```
Depending on your system, the configuration of the php-fpm service may change:
=== "Ubuntu"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Debian"
By default, the user and the group of the php-fpm service is "www-data".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "CentOs"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
=== "Fedora"
By default, the user and the group of the php-fpm service is "apache".
```conf
[www]
user = nginx
group = nginx
listen.owner = nginx
listen.group = nginx
```
Reload the php-fpm service :
```shell
systemctl reload php-fpm
``` ```
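Review bot: the added php-fpm block shows a `[www]` pool section but never names the file to edit, and that location is not the same on the Debian-family and CentOs/Fedora systems the tabs cover; add the path in each tab. The block also repeats `apt install php-fpm` for all four systems, and the four tabs carry an identical snippet that differs only in the sentence about the default user, so a single snippet with one note on the defaults would be easier to keep correct than four copies.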