Many people asked me to write about setting up Lighttpd under CentOS or RHEL 5 Linux using chroot() call. The instructions are almost same but you need to make little modification as compare to Debian / Ubuntu Linux instructions.
For example purpose we will build jail at /webroot location.
=> Default document root : /home/lighttpd/default/
=> Port : 80
=> IP: Your Public IP address
=> Virtual domain1: /home/lighttpd/vdomain1.com/
=> Virtual domain1 access log file: /var/log/lighttpd/vomain1.com/
=> Default access log file:/var/log/lighttpd/access.log
=> Default error log file:/var/log/lighttpd/error.log
=> Default php error log file: /var/log/lighttpd/php.log
Assumptions
These installation instructions assume you have:
- Linux distribution
- Required RPMs (see below for installation instructions)
- php, php-pear, php-common, php-pdo, php-ldap, php-gd, php-cli, php-mysql
- mysql, mysql-server etc
- lighttpd, lighttpd-fastcgi (rpm available here)
- Installations were tested on Red Hat Enterprise Linux v4/5 or CentOS v4/5 or Fedora Linux 7
Step # 1: Install required packages
Install php and related packages:
# yum install php php-pear php-common php-pdo php-ldap php-gd php-cli php-mysql
Install mysql and related packages:
# yum install mysql mysql-server
Install lighttpd and mod_fastcgi for lighttpd:
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-1.4.18-1.el5.rf.i386.rpm
# rpm -ivh http://dag.wieers.com/rpm/packages/lighttpd/lighttpd-fastcgi-1.4.18-1.el5.rf.i386.rpm
Step # 2: Create /webroot and related directories
# mkdir /webroot
# cd /webroot
# mkdir etc
# mkdir tmp
# chmod 1777 tmp/
# mkdir -p usr/bin
# mkdir -p home/lighttpd/default
# mkdir -p var/run/lighttpd
# mkdir -p var/log/lighttpd
# chown lighttpd:lighttpd var/run/lighttpd/
# chown lighttpd:lighttpd var/log/lighttpd/
# chown -R lighttpd:lighttpd home/
Step # 3: Install chroot script
You need to download and install my script that will help you to build lighttpd in jail:
# cd /sbin/
# wget http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# mv l2chroot.txt l2chroot
# chmod +x l2chroot
Step # 4: Install php in jail
Now copy php-cgi binary and related shared libraries using l2chroot script:
# cd /webroot/usr/bin
# cp /usr/bin/php-cgi .
# l2chroot php-cgi
Step # 5: Copy required files to /etc
Now you must copy php.ini and related all files to /etc/
# cd /webroot/etc
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/nsswitch.conf .
# cp /etc/resolv.conf .
# cp /etc/php.ini .
# cp -avr /etc/php.d/ .
# cp -avr /etc/ld* .
Update (Oct-1-2008, 1:52pm) : You need to copy entire /etc/ and /usr/share/zoneinfo files to work with latest php version:
# cd /webroot/etc
# /bin/cp -avr /etc/* .
Copy all files from /usr/share/zoneinfo/:
# mkdir -p /webroot/usr/share/
# cd /webroot/usr/share/
# cp -avr /usr/share/zoneinfo/ .
Open group and passwd file and only keep entries for root and lighttpd user:
# vi /webroot/etc/group
Make sure file look as follows:
root:x:0:root
lighttpd:x:101:
Also open passwd file inside jail:
# vi /webroot/etc/passwd
Make sure file look as follows:
root:x:0:0:root:/root:/bin/bash
lighttpd:x:100:101:lighttpd web server:/srv/www/lighttpd:/sbin/nologin
Step # 5: Copy php modules
Now copy php mysql support, php gd and other all modules:
# cd /webroot/usr/lib/
# cp -avr /usr/lib/php/ .
# cd php/modules
# for l in *.so; do l2chroot $l; done
Step # 6: Configure lighttpd chroot call
Open /etc/lighttpd/lighttpd.conf file:
# vi /etc/lighttpd/lighttpd.conf
Setup default document root and chroot directory:
server.document-root = "/home/lighttpd/default/"
server.chroot="/webroot"
Save and close the file.
Step # 7: Restart lighttpd
Type the following command:
# /etc/init.d/lighttpd restart
Jail size
# du -ch /webroot/
Output:
12K /webroot/var/log/lighttpd 16K /webroot/var/log 4.0K /webroot/var/run/lighttpd 8.0K /webroot/var/run 28K /webroot/var 8.0K /webroot/etc/ld.so.conf.d 36K /webroot/etc/php.d 160K /webroot/etc 8.0K /webroot/home/lighttpd/default 12K /webroot/home/lighttpd 16K /webroot/home 5.3M /webroot/lib 4.0K /webroot/tmp 872K /webroot/usr/lib/sse2 1.4M /webroot/usr/lib/mysql 676K /webroot/usr/lib/php/modules 4.0K /webroot/usr/lib/php/pear 684K /webroot/usr/lib/php 9.9M /webroot/usr/lib 2.9M /webroot/usr/bin 13M /webroot/usr 19M /webroot/ 19M total
Troubleshooting
Always go thought /var/log/messages and server log files:
# tail -f /var/log/messages
Download mysql testing script
Copy and test php mysql connectivity with this script.
- RSS feed or Weekly email newsletter
- Share to Twitter • Facebook • 10 comments... add one ↓
Linux 25 PHP Security Best Practices For Sys Admins
40 Linux Server Hardening Security Tips [2019 edition]
Lighttpd FasCGI PHP, MySQL chroot jail installation under Debian Linux
30 Best Sources For Linux / *BSD / Unix Documentation On the Web
Install chrooted lighttpd under Ubuntu Linux 64 bit version- Red Hat / CentOS Apache 2 FastCGI PHP Configuration
Top 25 Nginx Web Server Best Security Practices
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Hmm do I have to copy my website files from the old /var/www/docroot to the new /chroot/var/www/docroot
? If I let my files to the /var/www/docroot i get 404, if I move them to /chroot/var/www/docroot, lighttpd displays “No input files specified” and if I place them to both location in same time looks like working :/ crazy problem.
And I have another behaviour, can’t stop services as explained here: http://www.cyberciti.biz/tips/howto-setup-lighttpd-php-mysql-chrooted-jail.html#comment-142040
error message Starting lighttpd: 2008-07-21 08:51:44: (configfile.c.1136) base-docroot doesn’t exist: /home/lighttpd/default/
fix:
vi /etc/lighttpd/lighttpd.conf
server.document-root = “/home/lighttpd/default/”
needs to be;
server.document-root = “home/lighttpd/default/”
I needed to copy the /lib/libnss_dns.so.2 to my chroot “/lib” directory becouse the php-cgi wasn’t able to resolve names in fsockopen/fopen/etc.
(php_network_getaddresses: getaddrinfo failed)
Thanks!
[]s, MM
Hey, you’ve missed the “how to setup mysql” instructions, and mysql wont work…
@ alex
No, I don’t. yum command is used to install mysql-server. However, customization setting up mysql root password, database, accounts is not covered as those are site specific config options.
If you are using lua and mod_magnet you have to follow this step:
# cd /webroot/usr/bin
# cp /usr/bin/lua .
# l2chroot lua
Starting lighttpd: 2010-02-21 01:36:28: (configfile.c.1178) base-docroot doesn’t exist: /webroot/home/lighttpd/default/
2010-02-21 01:36:28: (server.c.584) setting default values failed
[FAILED]
Followed the tutorial to the T, and I don’t see where this directory is created. I tried to create this directory myself:
mkdir /webroot/home/lighttpd/default
mkdir: cannot create directory `/webroot/home/lighttpd/default’: File exists
So does this directory exist or what? If it exists, than what’s the problem with lighttpd?
Same problem as Steve, I’ll keep you posted if I find a fix.
Step # 4: Install php in jail
I’m getting an error “cannot stat `/lib64/libsepol.so.1)’: No such file or directory”
and file is there.
Hi,
thanks. the jail works perfectly. php pages communicates successfully with mysql server. But just phpmyadmin loads a white page.
My issue is phpmyadmin that doesn’t work in the jail.
I don’t know why?. I debug it with strace and copied all of the required libraries to the jail.
please give me a clue?
My test environment is as follows:
CentOs -latest version
httpd- latest version
mysql- latest version
php- latest version
phpmyadmin- latest version
regards,
Ali Aghabagheri