PHP/MySQL with nginx on OpenBSD

Introduction

As of OpenBSD 5.7, nginx is no longer included in the base distribution. This new guide will be kept up-to-date going forward, replacing the old walk-through that covered nginx from OpenBSD 5.2-5.6

It's pretty easy to get most PHP/MySQL applications working with nginx, but this requires a FastCGI implementation of PHP, and I've chosen PHP-FPM for this walk-through. As of April 23, 2017, this guide has been updated for OpenBSD 6.1. It was tested on the amd64 architecture, but will likely work on i386 and perhaps others.

Preparation

First, install OpenBSD. Be sure to create a user-level account for yourself during the installation process, and I'd recommend disabling remote root logins while you're at it. This user account will be added to the wheel group. On BSD systems, wheel group is comparable to an administrator group, granting access to use the su command, etc. You can add other trusted users to this group later on.

OpenBSD no longer includes sudo in the base install as of 5.8 Release. It's still in ports if you must use it, but we'll be making use of the replacement doas(1) tool, which is similar to sudo in several ways. Create a file called /etc/doas.conf. The man pages for doas and doas.conf are quite helpful, but as a quick and dirty way to get up and running with doas, there's a minimal doas.conf file below. You can also add "nopass" after "permit" if you don't want to be prompted for a password. I don't recommend doing that to a production environment.

permit :wheel

If you have a hard time with typing "sudo" instead of "doas", you might want to add an alias to your shell profile.

New in OpenBSD 6.1 is the /etc/installurl file, replacing /etc/pkg.conf. If you installed sets from an official OpenBSD mirror, the installurl file likely already exists with the mirror you installed from. Otherwise, create this file and add a mirror to it.  My /etc/installurl looks like this:

https://ftp5.usa.openbsd.org/pub/OpenBSD

Install Packages

OpenBSD includes the Suhosin Hardened PHP patches in their default PHP package, which is nice. Nginx will require the use of PHP with FastCGI. We'll be using php-fpm for this, which was merged into the main PHP packages recently. Since OpenBSD's package manager automatically installs dependencies, you can get away with this command, which should install PHP, mariadb client tools, and everything else we need to get our PHP web application server up and running:

doas pkg_add nginx php-mysqli mariadb-server

You will be prompted for which version of PHP you want to install. Unless you have a good reason not to, it's best to go with the newest (highest version number) available. In OpenBSD 6.1, that's PHP 7.0.16. Enable php-mysqli by symlinking the sample mysqli.ini to the /etc/php-7.0 directory.

doas ln -sf /etc/php-7.0.sample/mysqli.ini /etc/php-7.0/mysql.ini 

Configure MariaDB, PHP-FPM and nginx

Setup and secure MariaDB with the below commands:

doas /usr/local/bin/mysql_install_db
doas rcctl start mysqld
doas /usr/local/bin/mysql_secure_installation

Follow the prompts and choose a good password for the root user while you're at it.

Next, edit /etc/nginx/nginx.conf and add "index.php" to the line that has the other index files. The config block should look like this, but you can alter the order if you wish.

location / {
   root /htdocs;
   index index.html index.htm index.php;
}


Uncomment the following block of configuration to enable nginx to forward PHP requests to php-fpm.

location ~ \.php$ {
   try_files $uri $uri/ =404;
   fastcgi_pass unix:run/php-fpm.sock;
   fastcgi_index index.php;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   include fastcgi_params;
}


Nginx makes it relatively easy to set up multiple virtual hosts, but that's beyond the scope of this article. We'll install everything to /var/www/htdocs as the default web root.

In /etc/php-fpm.conf, I would suggest increasing the value of pm.max_children to something higher than the default of 5, as even in my testing environment, this was insufficient. I went with 25. It seems to be working well in my production web server environments.

That's almost all there is to it. Just tell OpenBSD to start the nginx, php-fpm and mysqld services with rcctl enable:
doas rcctl enable nginx
doas rcctl enable php70_fpm
doas rcctl enable mysqld

You can manually start all these services (mysqld is already running because we started it earlier), or just reboot to make sure everything works.

doas rcctl start nginx
doas rcctl start php70_fpm

Set up LAMP style web-apps

Since the web environment is in a chroot restricted to /var/www and the MySQL socket is not inside /var/www, the easiest way to get database access is to create your MySQL users for a host of "127.0.0.1" instead of localhost. This forces MySQL connections over TCP. There are some complicated ways of getting the socket into /var/www, such as forcing MySQL to write it inside /var/www or creating hard links to the socket. Those are beyond the scope of this article. My first test, as usual, was a simple PHPInfo file saved as index.php.



I've managed to install various pre-packaged content management systems on OpenBSD's with nginx without any problems. Some apps (like OwnCloud) seem to require some extra work.