2
0
mirror of https://github.com/opnsense/docs synced 2024-11-09 01:10:33 +00:00
opensense-docs/source/manual/how-tos/nginx_hosting.rst

145 lines
5.6 KiB
ReStructuredText
Raw Normal View History

2018-09-01 08:22:58 +00:00
============================
nginx: Local Website Hosting
============================
.. Warning::
Even if you can host websites directly from OPNsense, it is not recommended for security reasons - especially when
sending requests to a local PHP interpreter. Do NOT consider using the feature to serve PHP content locally in
enterprise networks. It is intended for home users who want to save money by saving power and know what they are
doing. If you do not know how to handle a web server properly, do not enable this feature.
Prepare
=======
First of all, a directory has to be created. For example `/srv/web_application1`. Please note that this directory must be
accessable by nginx and PHP (both running as `www`).
For example, you can chmod it (+rx for directories, +r for files for this user) or `chown` it.
.. code-block:: sh
# create a directory
mkdir -p /srv/web_application1
cd /srv
stat web_application1
# Example Result:
# 86 18009 drwxr-xr-x 2 root wheel 14050 512 "Aug 31 18:28:19 2018"
# "Aug 31 18:28:19 2018" "Aug 31 18:28:19 2018" "Aug 31 18:28:19 2018"
# 32768 8 0 web_application1
#
# as you can see, everyone can read (r) and switch into the directory (x))
#
# do this if the directory is not readable or excutable:
chmod +rx web_application1
.. Warning::
Never use chmod 777 and be careful with write permissions. the most secure way is to
change the owner to www (`chown www filename`) and give write permission only to the
web server user (`chmod o+w filename`). The same is valid for directories. It would be
a good idea not to execute anything in those directories (for example via a special
location block in nginx).
If you write your own applications, it is recommended to store such data outside of
your web root.
When the directory exists, you can create a file in this directory. Let's say, it should be called test.php and should show
some information about PHP:
.. code-block:: sh
cat > /srv/web_application1/test.php
<?php phpinfo();
Press control + d to end the input.
.. Note::
you can also use vim if you install vim-lite via pkg.
.. code-block:: sh
# If needed, change the permission to make it readable:
chmod +r test.php
.. Note::
In a real world scenario, you would probably copy an archive (.tar.gz, .tar.xz, .tar.bz or .zip) via SFTP or SCP on the
firewall and execute a command to extract it. Read the man pages for tar, the compression tool or unzip for more detailed
instructions.
Configure Locations
===================
.. image:: images/nginx_edit_location_dialog.png
For a location, the following directives are important:
=============================== ======================================================================
Directive Description
=============================== ======================================================================
Match Type and URL Pattern How to match the location and the pattern
2018-11-09 12:52:31 +00:00
File System Root Directory of web applicaton
2018-09-01 08:22:58 +00:00
Upstream Servers Send it to a remote interpreter instead of using the local one
2018-11-09 12:52:31 +00:00
Pass Request To PHP Interpreter Check if you want to enable PHP (runs locally as user www) or remotely
2018-09-01 08:22:58 +00:00
Router Script Sends all request to a specific script (entry point of application)
=============================== ======================================================================
=============================== ============================
Directive Value
=============================== ============================
Match Type and URL Pattern ~* .*.php or simmilar
File System Root /srv/web_application1
Upstream Servers empty
Pass Request To PHP Interpreter checked
Router Script empty
=============================== ============================
Configure HTTP Server
=====================
.. image:: images/nginx_edit_http_server_dialog.png
Configuring the HTTP server is simple. You need a hostname (for example website.test), a port (8080/TCP is the
HTTP alternative port, so it is good for testing. For production sites you should stick with the defaults).
Please select the prevously created location to serve web content. Please also configure a root here,
because all requests, which do not match, will be handled by the server default. The default server will
just serve the static file.
Testing
=======
To test if you web server is running, you can paste call it by its IP and port.
.. Note::
Please note that IPv6 addresses must be enclosed within square brackets like http://[::1]/ or http://[::1]:8080/.
.. code-block:: sh
curl "http://192.168.0.1:8080/test.php"
Security Considerations
=======================
* This is nginx and not httpd. It will not care about your .htaccess files.
Do not put secret data in unprotected directories. You can protect those directories by yourself,
but make sure you don't forget them. Some application depend on this file.
* Do not overlap nor use OPNsense directories as root
* Do not upload badly maintained software. If your firewall gets compromised,
it will become easy to compromise your hosts too.
* All your applications run under the same user (www)
* Watch out for advisories_
* Install updates ASAP
* Check your logs regularly.
* Consider hardening your directory and file access permission (like making directories and files read only
for nginx and PHP)
.. _advisories: https://nginx.org/en/security_advisories.html