OpenBSD Blog #12: Multiple OpenBSD httpd instances with multiple chroots
Draft! |
This page is a draft and may be incomplete, incorrect, or just a
stub or outline. I've decided to allow myself to put draft pages on
my website as an experiment. I'm hoping they will:
|
OpenBSD’s httpd web server calls chroot when it runs so that it
cannot access files outside of the specified directory. This is
awesome for security, but annoying for my weirdo internal home
setup where I might want to, say, serve media from a large
capacity drive mounted outside of /var/www/.
I tried to get around this, but chroot is quite effective
and I stopped short of allowing httpd to access anything under /
because I like the idea of security, even if this computer
isn’t publicly accessible.
Instead, I set up a second instance of httpd to
run on port 8080.
I made a copy of /etc/httpd.conf called
/etc/httpd-media.conf and invoked it with:
$ httpd -f /etc/httpd-media.conf
Here’s httpd-media.conf:
# web server cannot access anything outside this directory
chroot "/big-drive/media"
server "phobos2" {
listen on * port 8080
# web server will look here for files (default is '/htdocs')
root "/"
directory index "index.php"
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
}
I manually created the following directories as well:
-
/big-drive/media/logs/ -
/big-drive/media/run/
php-fpm
You’ll notice I’m also running PHP on this instance. The reason is that PHP-FPM also restricts the directory it will operate in.
So I also made a copy of /etc/php-fpm.conf called
/etc/php-fpm-media.conf and invoked it with:
$ php-fpm -y /etc/php-fpm-media.conf
The relevant portions of php-fpm-media.conf:
...
listen = /big-drive/media/run/php-fpm.sock
...
chroot = /big-drive/media
You will also likely have noticed that the socket
used to connect from httpd to PHP_FPM must be under
the chroot and is traditionally at run/php-fpm.sock.