Contao unter nginx betreiben

Contao Konferenz 2014

Kirsten Roschanski / @k_roschanski

Systemvoraussetzungen

  • Debian Wheezy/Ubuntu 12.04 LTS
  • keinen installierten Webserver
  • keine installierte Datenbank
  • als ROOT am System angemeldet


So wie man einen Server von einem Hoster in der Regel bekommt.

Contao

Contao, was ist das eigentlich, wie ist Contao entstanden, .....

nginx

nginx ist ein Webserver, der heute schon von vielen Anwendungen/Diensten genutzt wird, die viel Leistung benötigen und der sich wachsender Beliebtheit erfreut.

MariaDB

"Aufgrund der hervorragenden Performance und im Sinne des Open Source-Gedankens verwenden wir MariaDB anstatt MySQL. Trotzdem funktioniert alles so, wie Sie es von MySQL her kennen." Leo Feyer



Informationen zu MariaDB und weiteren Paketdateien gibt es unter: https://downloads.mariadb.org

Quelle zum System hinzufügen


#: apt-get install python-software-properties
#: apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
#: add-apt-repository 'deb http://mirror.netcologne.de/mariadb/repo/5.5/debian wheezy main'
                        

Wer möchte kann auch die Quelle manuell hinzu fügen:
/etc/apt/sources.list.d/MariaDB.list oder direkt in /etc/apt/sources.list



# MariaDB 5.5 repository list - created 2014-05-14 14:08 UTC
# http://mariadb.org/mariadb/repositories/
deb http://mirror.netcologne.de/mariadb/repo/5.5/debian wheezy main
deb-src http://mirror.netcologne.de/mariadb/repo/5.5/debian wheezy main
                        

MariaDB installieren


#: apt-get update
#: apt-get install mariadb-server
                        


Den Anweisungen folgen und die MariaDB, analog MySQL, konfigurieren.
Man kann auch schon eine DB und einen Benutzer für Contao einrichten.
zum Kapitel Datenbank einrichten.



                            #: service mysqld start
                        

nginx installieren

In den aktuellen Distributionen ist nginx bereits in den Paktquellen enthalten, daher ist die Installation mit einem Aufruf bereits erledigt.



                            #: apt-get install nginx
                        

Nach dem Start des Webservers sollte dieser bereits laufen.



                            #: service nginx start
                        
Bildschirmfoto von Ausgabe im Browser.

Das standardmäßige Stammverzeichnis ist unter /usr/share/nginx/www,
und nginx läuft als Benutzer nginx in der Gruppe nginx.

PHP-FPM installieren und einrichten

PHP-FPM (FastCGI Process Manager) ist eine alternative PHP FastCGI Implementation, mit einem effizienten FastCGI-Prozessmanager.
Diese bietet sich bei großen Seiten besonders an, da man die PHP-Prozesse unter dem jeweiligen Benutzer laufen lassen kann.



                            #: apt-get install php5-fpm
                        

Wenn man noch weitere php-Module benötigt, können die jetzt mit installiert werden.
Meine Standard-Instlattion sieht wie folgt aus:



                            #: apt-get install php5 php5-cli php5-fpm php5-curl php5-geoip php5-mysql php5-xmlrpc php5-ldap php5-imagick php5-gd
                        

nginx für PHP-FPM konfigurieren

Die nginx-Konfiguration findet man unter:



                            #: nano /etc/nginx/nginx.conf
                        

Man sollte die keepalive_timeout und die worker_processes auf höhere Werte setzen.

Hinzu wechsle ich den Benutzer und die Gruppe auf www-data da man sich dann nicht umgewöhnen muss ;-)




                            #: adduser www-data
                        

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 2;
    types_hash_max_size 2048;
    server_tokens off;
    client_max_body_size 200M;
    fastcgi_buffers 16 20M;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    #gzip_vary on;
    #gzip_proxied any;
    #gzip_comp_level 6;
    #gzip_buffers 16 32k;
    #gzip_http_version 1.1;
    #gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js(if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://ajax.googleapis.com  https://ajax.googleapis.com https://maps.googleapis.com https://maps.gstatic.com https://maps.google.com https://www.google.com https://ajax.googleapis.com https://ssl.google-analytics.com http://www.google-analytics.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com http://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com http://themes.googleusercontent.com ; frame-src 'self' https://www.youtube-nocookie.com https://www.youtube.com; object-src 'self'";

    ## Include the upstream servers for PHP FastCGI handling config.
    ## This one uses the FCGI process listening on TCP sockets.
    #include upstream_phpcgi_tcp.conf;

    ## Include the upstream servers for PHP FastCGI handling
    ## configuration. This setup uses UNIX sockets for talking with the
    ## upstream.
    #include upstream_phpcgi_unix.conf;

    ## Include the map to block HTTP methods.
    # include map_block_http_methods.conf;
}
                        

Statt der php.ini bearbeitet man unter PHP-FPM die php-fpm.conf



                            #: nano /etc/php5/fpm/php-fpm.conf
                        


;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr). This prefix can be dynamicaly changed by using the
; '-p' argument from the command line.

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
;  - the global prefix if it's been set (-p arguement)
;  - /usr otherwise
;include=/etc/php5/fpm/*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
pid = /var/run/php5-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; in a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
error_log = /var/log/php5-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated.  This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; The maximum number of processes FPM will fork. This has been design to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
; process.max = 128

; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool process will inherit the master process priority
;         unless it specified otherwise
; Default Value: no set
; process.priority = -19

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
;daemonize = yes

; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Specify the event mechanism FPM will use. The following is available:
; - select     (any POSIX os)
; - poll       (any POSIX os)
; - epoll      (linux >= 2.5.44)
; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll  (Solaris >= 7)
; - port       (Solaris >= 10)
; Default Value: not set (auto detection)
; events.mechanism = epoll

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; Multiple pools of child processes may be started with different listening
; ports and different management options.  The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)

; To configure the pools it is recommended to have one .conf file per
; pool in the following directory:
include=/etc/php5/fpm/pool.d/*.conf
                        

nginx-vHost konfigurieren

Wie auch bei anderen Webservern muss der Server für die Domain konfiguriert werden.
Beim nginx findet man die Standard-Konfiguration unter:



#: nano /etc/nginx/sites-available/default
                        

Standard-vHost-Konfiguration



server {
    listen 80; ## listen for ipv4; this line is default and implied
    listen [::]:80 default ipv6only=on; ## listen for ipv6

    # Make site accessible from http://localhost/
    server_name _;

    root   /var/www;

    index index.php index.html index.htm;
    error_page 404 /404.html;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?$args;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    location ~*  \.(jpg|jpeg|png|gif|css|js|ico)$ {
        expires max;
        log_not_found off;
    }
    location ~ \.php$ {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
                        

Server neu Starten


#: service php5-fpm restart
#: service nginx restart
                        

So jetzt kann man Contao inkl. Live Update Service nutzen.

PHP-Info

Damit man schauen kann, ob alles richtig konfiguriert ist, legt man einfach eine PHP-Datei mit folgendem Inhalt an:



                            #: nano /var/www/info.php
                        



                        
Bildschirmfoto von Ausgabe PHPInfo

Contao installieren aus github

Damit der Server nun voll getestet werden kann, muss Contao installiert werden.
Dazu installieren wir erstmal noch curl und git



                            #: apt-get install curl git
                        

Datenbank einrichten

Da wir für Contao auf jedenfall eine Datenbank benötigen, fangen wir damit einfach an:



#: mysqladmin -u -p create contao
#: mysql -u root -p
                        

Die Rechte müssen auch noch gesetzt werden:



GRANT ALL PRIVILEGES ON contao.* TO 'contao'@'localhost' IDENTIFIED BY 'meingeheimespasswort';
FLUSH PRIVILEGES;
QUIT;
                        

Pakete aus github holen

Wir laden die aktuelle Entwicklerversion direkt aus github:



#: cd /var/www
#: git clone https://github.com/contao/core.git contao-git
#: cd contao-git
#: git checkout -b local develop
#: curl -sS https://getcomposer.org/installer | php
#: php composer.phar install --prefer-dist
                        

nginx für neuen vHost konfigurieren

ACHTUNG: Live-Update-Service funktioniert noch nicht.



#: nano /etc/nginx/sites-available/contao
                        

server {
    listen 80; ## listen for ipv4; this line is default and implied
    listen [::]:80 default ipv6only=on; ## listen for ipv6

    server_name myvhost.de;
    root /var/www/contao-git;

    index index.php index.html index.html;
    client_max_body_size 200M;
    sendfile on;
    error_page 404 /404.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~* \.(tpl|html5|xhtml)$ {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
    location ~* (/system/logs|/system/bin|/system/config) {
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;

        fastcgi_split_path_info ^(.+\.php)(/.+)$; # use cgi.fix_pathinfo=0 in php.ini
        fastcgi_pass unix:/var/run/php5-fpm-$name.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Logging
    access_log  /var/log/nginx/contao.access.log;
    error_log  /var/log/nginx/contao.error.log notice;
}
                        

Server neu Starten


#: service php5-fpm restart
#: service nginx restart
                        

So jetzt kann man Contao wie gewohnt installieren.
myvhost.de/contao

Live Update Service

Der Live Update Service ist ein kostepflichtiger Dienst des
Contao Entwicklers Leo Feyer.

phar-Datei auf Schreibrechte prüfen

Das Live Update benötigt schreibrechte über *.phar

Bildschirmfoto von Ausgabe PHPInfo Abschnitt PHAR

php.ini anpassen

Damit die *.phar auch Daten schreiben kann, muss man vorher dieses in der /etc/php5/fpm/php.ini erlauben.


#: nano /etc/php5/fpm/php.ini
                        

....
[Phar]
detect_unicode = Off

; http://php.net/phar.readonly
phar.readonly = Off

; http://php.net/phar.require-hash
phar.require_hash = Off

;phar.cache_list =
....
                        

nginx vHost-Konfiguration


#: nano /etc/nginx/sites-available/contao
                        


location ^~ /contao/update.phar.php {
    fastcgi_split_path_info ^((?U).+\.php)(/.+)?$;

    include /etc/nginx/fastcgi_params;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #fastcgi_param PATH_INFO $fastcgi_path_info;

    if (!-e $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
                        

Server neu Starten


#: service php5-fpm restart
#: service nginx restart
                        

So jetzt kann man Contao inkl. Live Update Service nutzen.

Links

THE END

Kirsten Roschanski

Realisiert mit reveal.js