On May 17, 2018, 5:50:16 GMT+03:00, justina colmena <just...@colmena.biz> wrote:
>I just recently installed OpenBSD 6.3, and I was looking for an example
>httpd.conf, but I did not find one. The manual page does document
>more or less how to create one, but there still appears to be some lack
>of ease and safety putting up a basic web page with dynamic content (I
>am most used to PHP and PostgreSQL for that purpose, but of course
>there are many options that more or less replace the ubiquitous "LAMP"
>or "Linux/Apache/MySQL/PHP" stack).
>Now there is nothing in OpenBSD's httpd really like Apache's "UserDir"
>directive. Of course the real user directory has to dwell somewhere in
>the "/var/www" chroot on OpenBSD. The alternative to "UserDirs" of
>course, is wildcard subdomains, but those do not really cooperate all
>that well with https, dnssec, or caa records, or with certain other
>general goals of security.
>The other thing I am curious about is something like "su-php" which
>appears to be deprecated and outdated. So, assuming some sort of
>scenario, (probably more sophisticated than my very basic one I
>have hacked together below,) does php-fpm have a way to prevent one
>user's malicious php script from reading another user's database
>access credentials?
># /etc/httpd.conf for amarillo.colmena.biz
>server "default" {
>        listen on * port 80
>        listen on :: port 80
>        listen on * tls port 443
>        listen on :: tls port 443
>        tls certificate "/etc/ssl/fullchain.pem"
>        directory index index.php
>        location "/.well-known/acme-challenge/*" {
>                root "/acme"
>                root strip 2
>        }
>        location match "/~justina/.*%.php" {
>                root "/justina"
>                root strip 1
>                fastcgi socket "/run/php-fpm.sock"
>        }
>        location "*.php" {
>                fastcgi socket "/run/php-fpm.sock"
>        }
>        location "/~justina/*" {
>                root "/justina"
>                root strip 1
>                directory auto index
>        }
>        location "/~justina" {
>                block return 301 "/~justina/"
>        }
>}
>types {
>        include "/usr/share/misc/mime.types"
>}

Did you ever look in /etc/examples?

OpenBSD HTTPd is a web server, but not every web server is a fully-featured
Apache HTTP Server replacement. So, yes, no UserDir. If you need this
functionality, then just install apache-httpd from packages.

Regarding su-php, I'd go with a per-user php-fpm process, actually; that's much
safer, and rarely used ones can easily wait in swap (I feel that you're trying
to pack in as many users as possible). You can even use symlinks to create, e.g.,
/etc/rc.d/phpXY_fpm_USER1, /etc/rc.d/phpXY_fpm_USER2 and so on, and then set up
different flags like "-u USER1" for those in rc.conf.

    Vadim Zhukov
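
An added example, not part of the thread or of OpenBSD's own tooling: a small audit for the per-user php-fpm layout suggested above. It checks that no two sites share a worker user or a FastCGI socket, and that the socket is not open to "other". The pool names, socket paths, and the use of php-fpm's `user`, `listen` and `listen.mode` pool directives are assumptions for illustration; both config texts are constructed samples.

```python
import configparser

# Constructed sample: one pool per site user, each with its own socket.
HARDENED = """
[justina]
user = justina
listen = /var/www/run/php-fpm-justina.sock
listen.owner = www
listen.mode = 0660

[alice]
user = alice
listen = /var/www/run/php-fpm-alice.sock
listen.owner = www
listen.mode = 0660
"""

# Constructed counter-example: both sites share one worker identity and socket.
SHARED = """
[justina]
user = www
listen = /var/www/run/php-fpm.sock
listen.mode = 0666

[alice]
user = www
listen = /var/www/run/php-fpm.sock
listen.mode = 0666
"""

def audit_pools(text):
    """Return isolation findings for the php-fpm pool sections in `text`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings, users, sockets = [], {}, {}
    for pool in (s for s in cp.sections() if s != "global"):
        sec = cp[pool]
        user, sock = sec.get("user", ""), sec.get("listen", "")
        mode = int(sec.get("listen.mode", "0660"), 8)  # 0660 assumed when unset
        if user in users:  # same uid means PHP scripts can read each other's files
            findings.append(f"{pool}: worker user '{user}' shared with {users[user]}")
        if sock in sockets:
            findings.append(f"{pool}: socket shared with {sockets[sock]}")
        if mode & 0o007:
            findings.append(f"{pool}: socket mode {mode:04o} grants access to 'other'")
        users.setdefault(user, pool)
        sockets.setdefault(sock, pool)
    return findings
```

With distinct worker users, each site's credentials file can be restricted to its own user (for example mode 0600), so another site's scripts cannot read it.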
