PHP/MySQL with nginx on OpenBSD

Introduction

As of OpenBSD 5.7, nginx is no longer included in the base distribution. This new guide will be kept up-to-date going forward, replacing the old walk-through that covered nginx from OpenBSD 5.2-5.6, though I basically copied/pasted that guide to start with.

It's pretty easy to get most PHP/MySQL applications working with nginx, but this requires a FastCGI implementation of PHP, and I've chosen PHP-FPM for this walk-through. As of October 29, 2016, this guide has been updated for OpenBSD 6.0. It was tested on the amd64 and i386 architectures.

Preparation

First, install OpenBSD. Be sure to create a user-level account for yourself during the installation process, and I'd recommend disabling remote root logins while you're at it. This user account will be added to the wheel group. On BSD systems, wheel group is comparable to an administrator group, granting access to use the su command, etc. You can add other trusted users to this group later on.

OpenBSD no longer includes sudo in the base install as of 5.8 Release. It's still in ports if you must use it, but we'll be making use of the new doas(1) tool, which is similar to sudo in several ways. Create a file called /etc/doas.conf. The man pages for doas and doas.conf are quite helpful, but as a quick and dirty way to get up and running with doas, here's
a minimal doas.conf file. You can also add "nopass" after "permit" if you don't want to be prompted for a password. I don't recommend doing that to a production environment.

permit :wheel
If you have a hard time with typing "sudo" instead of "doas", you might want to add an alias to your shell profile.

Now, set up the package manager by adding an installpath line in /etc/pkg.conf. For best results, you should pick an OpenBSD mirror that is near you both physically and network-wise. Try pinging and tracerouting different mirrors in your country and seeing which ones have the best response times or the fewest hops. pkg.conf syntax has been simplified recently. You can simply include any http mirror that's accessible with "/pub/OpenBSD..." to the installpath variable. My pkg.conf looks like this:

installpath = mirrors.sonic.net

If you bought the OpenBSD media and have packages on CD you'd like to use, you can add them to the installpath instead of the FTP mirror, or in addition to it.
 

Install Packages

OpenBSD includes the Suhosin Hardened PHP patches in their default PHP package, which is nice. Httpd will require the use of PHP with FastCGI. We'll be using php-fpm for this, which was merged into the main PHP packages recently. Since OpenBSD's package manager automatically installs dependencies, you can get away with this command, which should install PHP, mariadb client tools, and everything else we need to get our PHP web application server up and running:

doas pkg_add nginx php-mysql mariadb-server

You will be prompted for which version of certain packages you want to install. Unless you have a good reason not to, it’s best to go with the newest (highest version number) available. At the time of writing, that’s PHP 5.6.23p0. I opted for the vanilla installation of nginx, but you may wish to explore the nasxi variant, which includes web application firewall functionality.

A few post-installation instructions will show up when you install the above packages. Some of those can be ignored (such as the php5 modules link which is only needed if you’re running Apache and mod_php), but you will want to set up the php-mysql link:

doas ln -sf /etc/php-5.6.sample/mysql.ini /etc/php-5.6/mysql.ini

Configure MariaDB, PHP-FPM and nginx

Setup and secure MariaDB with the below commands:

doas /usr/local/bin/mysql_install_db

doas rcctl start mysqld

doas /usr/local/bin/mysql_secure_installation

Follow the prompts and choose a good password for the root user while you’re at it. 

Next, edit /etc/nginx/nginx.conf and add "index.php" to the line that has the other index files. The config block should look like this, but you can alter the order if you wish.

location / {
   root /htdocs;
   index index.html index.htm index.php;
}


Uncomment the following block of configuration to enable nginx to forward PHP requests to php-fpm.

location ~ \.php$ {
   try_files $uri $uri/ =404;
   fastcgi_pass unix:run/php-fpm.sock;
   fastcgi_index index.php;
   fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   include fastcgi_params;
}

Nginx makes it relatively easy to set up multiple virtual hosts, but that's beyond the scope of this article. We'll install everything to /var/www/htdocs as the default web root.

That’s almost all there is to it. Just tell OpenBSD to start the php-fpm, mysqld and nginx services with rcctl enable:


doas rcctl enable mysqld
doas rcctl enable nginx
doas rcctl enable php56_fpm
You can manually start all these services (mysqld is already running because we started it earlier), or just reboot to make sure everything works.





doas rcctl start nginx
doas rcctl start php56_fpm

Set up LAMP style web-apps

Since the web environment is in a chroot restricted to /var/www and the MySQL socket is not inside /var/www, your best bet is to create your MySQL users for a host of “127.0.0.1” instead of localhost. This forces MySQL connections over TCP. There are some hacky ways of getting the socket into /var/www, such as forcing MySQL to write it inside /var/www or creating hard links to the socket. Those are beyond the scope of this article.

My first test was a simple PHPInfo file saved as index.php.

Most pre-packaged PHP web applications run just as well under this configuration as they do under a more traditional LAMP stack, if not better.

blog comments powered by Disqus