Arno0x / TwoFactorAuth

Two Factor Authentication web portal written in PHP

How to configure Nginx 1.12.2 with PHP7 under Alpine 3.7? #10

Closed morpheus65535 closed 6 years ago

morpheus65535 commented 6 years ago

I'm trying to configure Nginx with the code in the readme but it doesn't work under my setup. BTW I'm trying to do it in a linuxserver/nginx docker image. I've added these packages: php7-gd, php7-sqlite3.

Thanks!

Arno0x commented 6 years ago

I've moved to PHP7 recently and here is the Nginx working configuration I'm using:

auth_request /twofactorauth/nginx/auth.php;

error_page 401 = @error401;

location @error401 {
    return 302 $scheme://$host/twofactorauth/login/login.php?from=$uri;
}

location = /twofactorauth/nginx/auth.php {
    include fastcgi.conf;
    fastcgi_param  CONTENT_LENGTH "";
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

location /twofactorauth/db/ {
    deny all;
}

location = /twofactorauth/login/login.php {
    allow all;
    auth_request off;

    include fastcgi.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

Of course, the exact path to twofactorauth application may be different on your system and also vary depending on how you chose to name the directory hosting the application. You'll need to adapt it.

I've also tested PHP7 within an Alpine docker container, and here is the working Dockerfile I've used (please note: there are a few more PHP extensions because I have other PHP apps needing them):

FROM php:7-fpm-alpine
MAINTAINER Arno0x0x - https://twitter.com/arno0x0x

# Base image is PHP7 FPM based on Alpine Linux
# We're adding some php extensions: mcrypt, intl and gd

# Installing all dependencies for the PHP extensions we're adding
RUN apk update \
        && apk upgrade  \

        #---- Some utilities
        && apk add shadow \

        #---- Libraries required to build extensions
        && apk add autoconf g++ make \

        #---- Libraries required for mcrypt
        && apk add libmcrypt libmcrypt-dev libltdl \

        #---- Libraries required for intl
        && apk add icu-dev \

        #---- Libraries required for gd
        && apk add freetype libpng libjpeg-turbo freetype-dev libpng-dev libjpeg-turbo-dev \

        #--- Clean up APK cache
        && rm -rf /var/cache/apk/*

# Change the www-data UID and GID because they do not match between my Debian and Alpine
# On Debian 8, www-data is UID 33 and GID 33, which on Alpine is already taken by the xfs user
RUN usermod -u 44 xfs && groupmod -g 44 xfs && usermod -u 33 www-data && groupmod -g 33 www-data

# Installing PHP extensions
RUN echo "\n" | pecl install mcrypt-1.0.1 \
        && docker-php-ext-enable mcrypt \
        && docker-php-ext-install intl \
        && docker-php-ext-configure gd --with-freetype-dir=/usr/include --with-png-dir=/usr/include --with-jpeg-dir=/usr/include \
        && docker-php-ext-install -j1 gd

EXPOSE 9000

ENTRYPOINT ["php-fpm"]

Hope this helps. Let me know.

morpheus65535 commented 6 years ago

Thanks for your help!

I got this error: auth request unexpected status: 502 while sending to client

When trying with this configuration:

auth_request /twofactorauth/nginx/auth.php;

error_page 401 = @error401;

location @error401 {
    return 302 $scheme://$host/twofactorauth/login/login.php?from=$uri;
}

location = /twofactorauth/nginx/auth.php {
    include /etc/nginx/fastcgi.conf;
    fastcgi_param  CONTENT_LENGTH "";
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

location /twofactorauth/db/ {
    deny all;
}

location = /twofactorauth/login/login.php {
    allow all;
    auth_request off;

    include /etc/nginx/fastcgi.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}

I had to manually create the php7.0-fpm.sock that did not exist. You got a hint for me?

Thanks a lot!

Arno0x commented 6 years ago

Well, if you had to manually create the unix socket file for PHP7, it sounds like either PHP7 is not properly installed, or you should rather be using the TCP socket for reaching the php-fpm worker process (defaults to localhost:9000).

morpheus65535 commented 6 years ago

Thanks! I made it work with this configuration:

auth_request /twofactorauth/nginx/auth.php;

error_page 401 = @error401;

location @error401 {
    return 302 $scheme://$host/twofactorauth/login/login.php?from=$uri;
}

location = /twofactorauth/nginx/auth.php {
    include /etc/nginx/fastcgi.conf;
    fastcgi_param  CONTENT_LENGTH "";
    fastcgi_pass 127.0.0.1:9000;
}

location /twofactorauth/db/ {
    deny all;
}

location = /twofactorauth/login/login.php {
    allow all;
    auth_request off;

    include /etc/nginx/fastcgi.conf;
    fastcgi_pass 127.0.0.1:9000;
}
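
The 502 on the auth subrequest in this thread came from `fastcgi_pass` pointing at a socket php-fpm was not listening on. The script below is an added example, not code from the thread or the project: it reads the `listen` directive from a php-fpm pool file and checks every `fastcgi_pass` in an nginx file against it. The function names and the sample file contents are constructed for illustration; pass your own pool and site file paths.

```shell
#!/bin/sh
# Added example (not from the thread): check that nginx's fastcgi_pass matches
# the address php-fpm actually listens on. File contents below are constructed.

# Print the last active "listen = ..." value of a php-fpm pool file.
fpm_listen() {
    sed -n '/^[[:space:]]*listen[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*;.*$//;s/[[:space:]]*$//;p;}' "$1" | tail -n 1
}

# Map a php-fpm listen value to the address nginx needs in fastcgi_pass.
fastcgi_target() {
    case "$1" in
        "")         return 1 ;;                                # nothing configured
        /*)         printf 'unix:%s\n' "$1" ;;                 # unix socket path
        0.0.0.0:*)  printf '127.0.0.1:%s\n' "${1#0.0.0.0:}" ;; # wildcard bind
        *:*)        printf '%s\n' "$1" ;;                      # explicit host:port
        *[!0-9]*)   return 1 ;;                                # unrecognised value
        *)          printf '127.0.0.1:%s\n' "$1" ;;            # bare port
    esac
}

# Return 0 only if every fastcgi_pass in the nginx file uses that address.
check_fastcgi_pass() {
    want=$(fastcgi_target "$(fpm_listen "$1")") || { echo "no usable listen in $1"; return 1; }
    bad=$(sed -n 's/^[[:space:]]*fastcgi_pass[[:space:]]*\([^;]*\);.*/\1/p' "$2" | grep -vxF "$want" || true)
    [ -z "$bad" ] && return 0
    echo "php-fpm listens on $want, nginx uses:" $bad
    return 1
}

# Constructed sample: pool listening on TCP, nginx still pointing at a socket.
demo() {
    dir=$(mktemp -d)
    printf ';listen = /run/php/old.sock\nlisten = 9000\nlisten.owner = www-data\n' > "$dir/www.conf"
    printf 'location = /auth.php {\n    fastcgi_pass unix:/run/php/php7.0-fpm.sock;\n}\n' > "$dir/site.conf"
    check_fastcgi_pass "$dir/www.conf" "$dir/site.conf" && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}
demo || true
```

A non-zero result means the two-factor gate cannot reach `auth.php`, so every protected request will fail with the 502-backed error instead of being redirected to the login page.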