# Problem: Hiawatha and PHP-FPM in separate jails



## gertoe (Jun 11, 2014)

I need help setting up or configuring my server using jails for each service:

I was trying to set up a secure webserver using Hiawatha and PHP-FPM separated in jails.
But processing PHP code is not possible. I always get error 500. The log said:


```
/usr/local/www/php/info.php|no output
```

My Hiawatha configuration:


```
# Hiawatha Configuration File
ConnectionsTotal = 250
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log

# BINDING SETTINGS
Binding {
    Port = 80
    Interface = 10.0.0.2
    MaxKeepAlive = 30
    TimeForRequest = 3,20
}

Binding {
    Port = 443
    Interface = 10.0.0.2
    MaxKeepAlive = 30
    TimeForRequest = 3,20
    SSLcertFile = /usr/local/etc/hiawatha/serverkey.pem
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
KickOnBan = yes
RebanDuringBan = yes

# DEFAULT WEBSITE
Hostname = 10.0.0.2
WebsiteRoot = /usr/local/www/hiawatha
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log

FastCGIserver {
    FastCGIid = php-fpm
    ConnectTo = 10.0.0.6:9000
    Extension = php, php5
    SessionTimeout = 10
}

# VIRTUAL HOSTS
VirtualHost {
    Hostname = php.MYDOMAIN.de
    WebsiteRoot = /usr/local/www/php
    StartFile = info.php
    UseFastCGI = php-fpm
    TriggerOnCGIstatus = yes
}
```

My php-fpm.conf (PHP in a separate jail) is the standard one with these options set:

```
chdir = /
listen = 10.0.0.6:9000
listen.allowed_clients = any
```

My jails are stored in /jails/php and /jails/www. Both share the directory containing the website (/usr/local/www), mounted into each jail at the same relative path via nullfs.

My pf.conf looks like this:

```
ext_if="bge0"
jail_if="lo1"

tcp_pass = "{80, 110, 143, 443, 2031}"
udp_pass = "{80, 2031}"
icmp_types = "echoreq"

IP_PUB="192.168.1.5"
NET_JAIL="10.0.0.0/24"

WWW="10.0.0.2"
PHP="10.0.0.6"

PORT_PHP="{9000}"

table <intranet> { 192.168.1.0/24 }
table <bruteforce> persist
table <sshguard> persist

set block-policy drop
set skip on lo1
# set skip on bge0
set loginterface bge0
set optimization normal
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

scrub out all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub in all min-ttl 15 fragment reassemble random-id

# nat all jail traffic
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB

# PHP
rdr pass on $jail_if proto tcp from any to $PHP port $PORT_PHP -> $PHP
# WWW
rdr pass on $ext_if inet proto tcp to port http -> $WWW port http
rdr pass on $ext_if inet proto tcp to port https -> $WWW port https

# RULES
antispoof for $ext_if inet

# Block IPV6-Connections
block out quick inet6 all
block in quick inet6 all

block log all
block return
block in all

block in quick on $ext_if proto tcp from <sshguard> to any port {22, 2031} label "ssh bruteforce"

block in quick from { urpf-failed no-route } to any
block quick from <bruteforce>
pass in quick from <intranet> to any keep state
pass in on $ext_if proto tcp from any to any port $tcp_pass flags S/SA keep state (max-src-conn 250, max-src-conn-rate 20/2, overload <bruteforce> flush global)
pass in on $ext_if proto udp from any to any port $udp_pass keep state

pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

pass quick on $jail_if proto tcp from $WWW to $PHP
pass quick on $jail_if proto tcp from $PHP to $WWW

pass out quick on $ext_if inet keep state

# PING #
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE #
pass in on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
```

There is still no connection between Hiawatha and php-fpm I guess, but how do I fix it?
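One way to narrow this down, as an added diagnostic that is not part of the original thread: a minimal FastCGI client that sends the same kind of responder request Hiawatha would send to php-fpm at 10.0.0.6:9000 and reports one of three outcomes: nothing answered (a pf or listen-address problem), php-fpm refused the request, or the request completed with no output (the path Hiawatha passes in SCRIPT_FILENAME is not valid inside the PHP jail, or php-fpm's own error log has the reason). Run from inside the www jail, it separates a network fault from a path or permission fault. The functions `build_request`, `parse_response`, `diagnose` and `probe` are my own names, and the response bytes in the test are constructed, not captured from a real server.

```python
#!/usr/bin/env python3
"""Minimal FastCGI responder-role client for checking a php-fpm TCP listener.

Added example, not code from the thread. Assumes php-fpm listens on TCP and
that the script path exists inside the PHP jail (the nullfs mount must expose
/usr/local/www at the same path in both jails).
"""
import socket
import struct
import sys

FCGI_VERSION = 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST = 1, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 4, 5, 6, 7
FCGI_RESPONDER = 1


def record(rtype, content, request_id=1):
    """Wrap content in the 8-byte FastCGI header; body is padded to 8 bytes."""
    pad = (8 - len(content) % 8) % 8
    header = struct.pack(">BBHHBx", FCGI_VERSION, rtype, request_id, len(content), pad)
    return header + content + b"\0" * pad


def encode_pair(name, value):
    """Encode one FCGI_PARAMS name/value pair (1-byte or 4-byte length fields)."""
    def length(n):
        return struct.pack(">B", n) if n < 128 else struct.pack(">I", n | 0x80000000)
    n, v = name.encode(), value.encode()
    return length(len(n)) + length(len(v)) + n + v


def build_request(params, body=b""):
    """BEGIN_REQUEST, PARAMS (closed by an empty PARAMS), STDIN (closed by an empty STDIN)."""
    msg = record(FCGI_BEGIN_REQUEST, struct.pack(">HB5x", FCGI_RESPONDER, 0))
    msg += record(FCGI_PARAMS, b"".join(encode_pair(k, v) for k, v in params.items()))
    msg += record(FCGI_PARAMS, b"")
    if body:
        msg += record(FCGI_STDIN, body)
    msg += record(FCGI_STDIN, b"")
    return msg


def parse_response(data):
    """Split raw response bytes into (stdout, stderr, (appStatus, protocolStatus) or None)."""
    stdout, stderr, status = b"", b"", None
    off = 0
    while off + 8 <= len(data):
        _, rtype, _, clen, pad = struct.unpack(">BBHHBx", data[off:off + 8])
        content = data[off + 8:off + 8 + clen]
        off += 8 + clen + pad
        if rtype == FCGI_STDOUT:
            stdout += content
        elif rtype == FCGI_STDERR:
            stderr += content
        elif rtype == FCGI_END_REQUEST:
            status = struct.unpack(">IB3x", content[:8])
            break
    return stdout, stderr, status


def diagnose(stdout, stderr, status):
    """Map the outcomes an administrator cares about to a short verdict."""
    if status is None:
        return "no FCGI_END_REQUEST: connection closed early or nothing listening"
    if status[1] != 0:
        return "php-fpm refused the request (protocolStatus=%d)" % status[1]
    if not stdout:
        return ("request completed but produced no output: check SCRIPT_FILENAME "
                "inside the PHP jail and php-fpm's error log")
    return "ok"


def probe(host, port, script_filename, timeout=5.0):
    """Send one GET for script_filename to php-fpm; return (verdict, stdout, stderr)."""
    name = "/" + script_filename.rsplit("/", 1)[-1]
    params = {
        "GATEWAY_INTERFACE": "FastCGI/1.0",
        "REQUEST_METHOD": "GET",
        "SCRIPT_FILENAME": script_filename,   # path as seen inside the PHP jail
        "SCRIPT_NAME": name,
        "REQUEST_URI": name,
        "SERVER_PROTOCOL": "HTTP/1.1",
        "SERVER_SOFTWARE": "fcgi-probe",
        "REMOTE_ADDR": "127.0.0.1",
    }
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(params))
        while True:  # flags=0 in BEGIN_REQUEST, so php-fpm closes after END_REQUEST
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    stdout, stderr, status = parse_response(b"".join(chunks))
    return diagnose(stdout, stderr, status), stdout, stderr


if __name__ == "__main__":
    # e.g. python3 fcgi-probe.py 10.0.0.6 9000 /usr/local/www/php/info.php
    verdict, out, err = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(verdict)
    if err:
        print("stderr from php-fpm:", err.decode(errors="replace"))
```

If the probe succeeds from the www jail but Hiawatha still logs "no output", the remaining difference is the SCRIPT_FILENAME value Hiawatha composes from WebsiteRoot, which must resolve to the same file under the nullfs mount in the PHP jail.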


----------



## SirDice (Jun 12, 2014)

There's no need for NAT or redirection for the communication between the www and PHP jails. Both are on the same subnet and can communicate directly with each other.


----------



## gertoe (Jun 13, 2014)

NAT is now disabled between the WWW and PHP jails, but I still do not see why Hiawatha does not get any response from the PHP jail.


----------



## fred974 (Jan 4, 2017)

I know this topic is a few years old now ... but did you manage to get your setup working?
I have the exact same issue as you have.

Thank you


----------

