madrzejewski · April 23, 2020 14:31 · Nov 1, 2015 · Nov 1, 2015 · Nov 1, 2015 · Nov 1, 2015
diff --git a/all the commands used in the article → all the commands used in the article.sh b/all the commands used in the article → all the commands used in the article.sh
diff --git a/all the commands used in the article b/all the commands used in the article
@@ -0,0 +1,65 @@
+# All the command used here : http://blog.madrzejewski.com/faire-fonctionner-curl-en-https-dans-un-environnement-php-fpm-chroote
+# Centos 7.1, the libs named may changed in the future, so don't just copy/paste and check on your system first
+
+# First example, chroot bash
+mkdir chroot_bash
+mkdir -p chroot_bash/usr/bin
+cp /usr/bin/bash chroot_bash/usr/bin
+chroot chroot_bash/ bash
+chroot: failed to run command ‘bash’: No such file or directory
+
+ldd /usr/bin/bash
+linux-vdso.so.1 =>  (0x00007fff22d80000)
+libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f15009d9000)
+libdl.so.2 => /lib64/libdl.so.2 (0x00007f15007d5000)
+libc.so.6 => /lib64/libc.so.6 (0x00007f1500413000)
+/lib64/ld-linux-x86-64.so.2 (0x00007f1500c0d000)
+
+mkdir chroot_bash/lib64
+cp /lib64/libtinfo.so.5 /lib64/libdl.so.2 /lib64/libc.so.6 /lib64/ld-linux-x86-64.so.2 chroot_bash/lib64/
+
+chroot chroot_bash/ bash
+bash-4.2# pwd
+/
+bash-4.2# ls
+bash: ls: command not found
+
+# Chroot php-fpm
+useradd -md /home/tuto tuto
+mkdir /home/tuto/www
+wget http://fr.wordpress.org/latest-fr_FR.zip
+unzip latest-fr_FR.zip && mv wordpress/* /home/tuto/www
+rm -rf wordpress/ latest-fr_FR.zip
+chwon -R tuto: ~tuto
+
+mkdir -p /home/tuto/{etc,usr/share,var/lib/php/session,var/log/php-fpm,tmp,lib64,lib,bin,dev}
+cp -r /usr/share/zoneinfo /home/tuto/usr/share/
+cp -r /etc/ld.so.cache /etc/resolv.conf /etc/ld.so.conf /etc/nsswitch.conf /etc/hosts /etc/localtime /home/tuto/etc/
+mkdir -p /home/tuto/var/lib/mysql && touch /home/tuto/var/lib/mysql/mysql.sock
+chown -R tuto: ~tuto
+mount --bind /var/lib/mysql/mysql.sock /home/tuto/var/lib/mysql/mysql.sock
+mknod /home/tuto/dev/null c 1 3 -m 666
+
+# Problems with SSL and the DNS resolution
+
+cp -vaR /lib64/libdns-export.so.100.1.1 /lib64/libdns.so.100.1.1 /lib64/libnss_dns-2.17.so .
+cd /home/tuto/lib64
+ln -s libdns-export.so.100.1.1 libdns-export.so.100
+ln -s libdns.so.100.1.1 libdns.so.100
+ln -s libnss_dns.so libnss_dns.so.2
+ln -s libnss_dns-2.17.so libnss_dns.so
+
+# An quick example on how to use strace 
+ps -ef |grep php-fpm
+strace -p PID_PROCESSUS 2> logs_
+
+# Let's continue with the dns problem
+cp -vaR /etc/pki /home/tuto/etc/
+cp -vaR /lib64/nss /home/tuto/lib64
+
+# Another strace example to show the ssl problem
+strace chroot /home/tuto /bin/curl -v https://google.com 2> logs_3
+
+# SSL solution 
+cp /lib64/libsoftokn3.so  /lib64/libnss3.so /etc/alternatives/libnssckbi.so.x86_64 /lib64/libnss_compat-2.17.so /lib64/libnss_compat.so.2 /lib64/libnss_db-2.17.so /lib64/libnss_db.so.2 libnss_db-2.17.so /lib64/libfreeblpriv3.so /lib64/libnss_dns-2.17.so /lib64/libnss_files-2.17.so /lib64/libnss_hesiod-2.17.so /lib64/libnss_myhostname.so.2 /lib64/libnss_nis-2.17.so /lib64/libnss_nisplus-2.17.so /lib64/libnsspem.so /lib64/libnss_sss.so.2 /lib64/libnsssysinit.so /lib64/libnssutil3.so /home/tuto/lib64
+cp /lib64/libsqlite3.so.0 /lib64/libsqlite3.so.0.8.6 tuto/lib64/
diff --git a/lddCopy.sh b/lddCopy.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Be careful, do not use in production
+# Just a quick script for messing around with chroot and ldd
+
+usage(){
+	echo "Usage   : $0 cmd_name homedir"
+	echo "Example : $0 cp /home/alex"
+	exit 1
+}
+
+error(){
+	test "$1" == "" && (echo "An unknow error occurded" ; exit 1)
+	echo "$1" ; exit 1
+}
+
+# $1 : cmd
+findCmdPath(){
+	oldIFS=$IFS
+	IFS=$':'
+	for dir in $PATH ; do
+		fullPath=$(find $dir -name $1 2> /dev/null)
+		test "$fullPath" != "" && (echo $fullPath ; return)
+	done
+}
+
+# $1 : fullPath of cmd
+# I tried others commands to find the full/real path for a symlink
+# for example "readlink" but it was not working properly for my usage
+# I just wanted the "first degree" of symlink so ls -l worked fine for this
+findLibs(){
+	ldd $1 |tr -d '\t'| tr -d ' ' |cut -d '>' -f 2|cut -d '(' -f 1|grep -E '^/' 2> /dev/null || error "LDD error"
+}
+
+# $1 : lib path (or symlink)
+# $2 : homedir without the trailing /
+copyLib(){
+	if test -L $1 ; then
+		# symlink
+		currentPath=$(dirname $1)
+		# copy the symlink
+		mkdir -p $2$currentPath 2> /dev/null
+		cp -va $1 $2$currentPath	
+		# find the real file
+		realFile=$(ls -lh $1 | tr -d ' ' | cut -d '>' -f 2)
+		realFile=$currentPath'/'$realFile
+		mkdir -p $2$currentPath 2> /dev/null
+		cp -va $realFile $2$currentPath
+	else
+		# file
+		currentPath=$(dirname $1)
+		mkdir -p $2$currentPath 2> /dev/null
+		cp -va $1 $2$currentPath
+	fi
+}
+
+# Tests
+test "$#" != 2 && usage
+cmdPath=$(findCmdPath $1)
+test "$cmdPath" == "" && error "$1 was not found in the PATH"
+homeDir=$(echo $2 | sed 's:/*$::') # remove the trailing /
+test ! -d "$homeDir" && error "$homeDir is not a directory"
+
+# main
+for lib in $(findLibs $cmdPath) ; do
+	copyLib $lib $homeDir
+done
diff --git a/vhost.conf b/vhost.conf
@@ -0,0 +1,78 @@
+server {
+    listen 80;
+	server_name tuto.madrzejewski.com;
+    root /home/tuto/www;
+
+	access_log  /var/log/nginx/tuto.madrzejewski.com-access.log;
+	error_log /var/log/nginx/tuto.madrzejewski.com-error.log;
+
+	location = /favicon.ico {
+		log_not_found off;
+		access_log off;
+	}
+
+	location = /robots.txt {
+		allow all;
+		log_not_found off;
+		access_log off;
+	}
+
+	# auth for admin directory	
+	location /wp-admin/ {
+		auth_basic "Access restreint";
+		auth_basic_user_file /etc/nginx/htpasswd/passwd;
+	}
+
+	# no PHP in upload directory
+	location ~* /(?:uploads|files)/.*\.php$ {
+    		deny all;
+	}
+
+	# hide sensitive files
+	#location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
+	#{
+    #	return 444;
+	#}
+
+	# no cgi
+	location ~* \.(pl|cgi|py|sh|lua)\$ {
+        	return 444;
+	}	
+
+	# no access to specific files
+	location ~ /(\.|wp-config.php|readme.html|license.txt) {
+    		deny all;
+	}
+
+	location / {
+		# This is cool because no php is touched for static content.
+		# include the "?$args" part so non-default permalinks doesn't break when using query string
+		try_files $uri $uri/ /index.php?$args;
+	}
+
+	# no weird request
+	if ($request_method !~ ^(GET|HEAD|POST)$ )
+	{
+		return 444;
+	}
+
+	location ~ [^/]\.php(/|$) {
+		include /etc/nginx/fastcgi.conf;
+		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+		if (!-f $document_root$fastcgi_script_name) {
+			return 404;
+		}
+
+		#fastcgi_pass 127.0.0.1:9000;
+
+		# debug test chroot phpfpm
+		fastcgi_param   SCRIPT_FILENAME /www/$fastcgi_script_name;
+		fastcgi_pass unix:/var/run/tuto.sock;
+		fastcgi_index index.php;
+	}
+
+	location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+		expires max;
+		log_not_found off;
+	}
+}
diff --git a/tuto.conf b/tuto.conf
@@ -0,0 +1,25 @@
+[tuto]
+listen = /var/run/tuto.sock
+listen.allowed_clients = 127.0.0.1
+listen.owner = nginx
+listen.group = nginx
+user = tuto
+group = tuto
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 20
+pm.max_requests = 500
+slowlog = /var/log/php-fpm/tuto-slow.log
+chroot = /home/tuto 
+chdir = /www
+env[HOSTNAME] = $HOSTNAME
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
+php_flag[display_errors] = on
+php_admin_value[error_log] = /var/log/php-fpm/www-error.log
+php_admin_flag[log_errors] = on
+php_value[session.save_handler] = files
+php_value[session.save_path] = /var/lib/php/session
No results found