mirror of
https://github.com/opnsense/docs
synced 2024-11-09 01:10:33 +00:00
145 lines
5.6 KiB
ReStructuredText
145 lines
5.6 KiB
ReStructuredText
============================
|
|
nginx: Local Website Hosting
|
|
============================
|
|
|
|
.. Warning::
|
|
|
|
Even if you can host websites directly from OPNsense, it is not recommended for security reasons - especially when
|
|
sending requests to a local PHP interpreter. Do NOT consider using the feature to serve PHP content locally in
|
|
enterprise networks. It is intended for home users who want to save money by saving power and know what they are
|
|
doing. If you do not know how to handle a web server properly, do not enable this feature.
|
|
|
|
Prepare
|
|
=======
|
|
|
|
First of all, a directory has to be created. For example `/srv/web_application1`. Please note that this directory must be
|
|
accessable by nginx and PHP (both running as `www`).
|
|
|
|
For example, you can chmod it (+rx for directories, +r for files for this user) or `chown` it.
|
|
|
|
.. code-block:: sh
|
|
|
|
# create a directory
|
|
mkdir -p /srv/web_application1
|
|
cd /srv
|
|
stat web_application1
|
|
# Example Result:
|
|
# 86 18009 drwxr-xr-x 2 root wheel 14050 512 "Aug 31 18:28:19 2018"
|
|
# "Aug 31 18:28:19 2018" "Aug 31 18:28:19 2018" "Aug 31 18:28:19 2018"
|
|
# 32768 8 0 web_application1
|
|
#
|
|
# as you can see, everyone can read (r) and switch into the directory (x))
|
|
#
|
|
# do this if the directory is not readable or excutable:
|
|
chmod +rx web_application1
|
|
|
|
.. Warning::
|
|
|
|
Never use chmod 777 and be careful with write permissions. the most secure way is to
|
|
change the owner to www (`chown www filename`) and give write permission only to the
|
|
web server user (`chmod o+w filename`). The same is valid for directories. It would be
|
|
a good idea not to execute anything in those directories (for example via a special
|
|
location block in nginx).
|
|
If you write your own applications, it is recommended to store such data outside of
|
|
your web root.
|
|
|
|
When the directory exists, you can create a file in this directory. Let's say, it should be called test.php and should show
|
|
some information about PHP:
|
|
|
|
|
|
.. code-block:: sh
|
|
|
|
cat > /srv/web_application1/test.php
|
|
<?php phpinfo();
|
|
|
|
Press control + d to end the input.
|
|
|
|
.. Note::
|
|
|
|
you can also use vim if you install vim-lite via pkg.
|
|
|
|
.. code-block:: sh
|
|
|
|
# If needed, change the permission to make it readable:
|
|
chmod +r test.php
|
|
|
|
.. Note::
|
|
|
|
In a real world scenario, you would probably copy an archive (.tar.gz, .tar.xz, .tar.bz or .zip) via SFTP or SCP on the
|
|
firewall and execute a command to extract it. Read the man pages for tar, the compression tool or unzip for more detailed
|
|
instructions.
|
|
|
|
Configure Locations
|
|
===================
|
|
|
|
.. image:: images/nginx_edit_location_dialog.png
|
|
|
|
For a location, the following directives are important:
|
|
|
|
=============================== ======================================================================
|
|
Directive Description
|
|
=============================== ======================================================================
|
|
Match Type and URL Pattern How to match the location and the pattern
|
|
File System Root Directory of web applicaton
|
|
Upstream Servers Send it to a remote interpreter instead of using the local one
|
|
Pass Request To PHP Interpreter Check if you want to enable PHP (runs locally as user www) or remotely
|
|
Router Script Sends all request to a specific script (entry point of application)
|
|
=============================== ======================================================================
|
|
|
|
|
|
=============================== ============================
|
|
Directive Value
|
|
=============================== ============================
|
|
Match Type and URL Pattern ~* .*.php or simmilar
|
|
File System Root /srv/web_application1
|
|
Upstream Servers empty
|
|
Pass Request To PHP Interpreter checked
|
|
Router Script empty
|
|
=============================== ============================
|
|
|
|
|
|
Configure HTTP Server
|
|
=====================
|
|
|
|
.. image:: images/nginx_edit_http_server_dialog.png
|
|
|
|
Configuring the HTTP server is simple. You need a hostname (for example website.test), a port (8080/TCP is the
|
|
HTTP alternative port, so it is good for testing. For production sites you should stick with the defaults).
|
|
Please select the prevously created location to serve web content. Please also configure a root here,
|
|
because all requests, which do not match, will be handled by the server default. The default server will
|
|
just serve the static file.
|
|
|
|
|
|
Testing
|
|
=======
|
|
|
|
To test if you web server is running, you can paste call it by its IP and port.
|
|
|
|
.. Note::
|
|
|
|
Please note that IPv6 addresses must be enclosed within square brackets like http://[::1]/ or http://[::1]:8080/.
|
|
|
|
.. code-block:: sh
|
|
|
|
curl "http://192.168.0.1:8080/test.php"
|
|
|
|
|
|
Security Considerations
|
|
=======================
|
|
|
|
* This is nginx and not httpd. It will not care about your .htaccess files.
|
|
Do not put secret data in unprotected directories. You can protect those directories by yourself,
|
|
but make sure you don't forget them. Some application depend on this file.
|
|
* Do not overlap nor use OPNsense directories as root
|
|
* Do not upload badly maintained software. If your firewall gets compromised,
|
|
it will become easy to compromise your hosts too.
|
|
* All your applications run under the same user (www)
|
|
* Watch out for advisories_
|
|
* Install updates ASAP
|
|
* Check your logs regularly.
|
|
* Consider hardening your directory and file access permission (like making directories and files read only
|
|
for nginx and PHP)
|
|
|
|
.. _advisories: https://nginx.org/en/security_advisories.html
|
|
|