Categories
Life in lockdown Weather

Houston Blizzard + Back Online

So much has happened in the last few weeks. Texas was hit with the worst snowstorm I think in recorded history. The snow in Houston didn’t look that bad via photographs but trust me. It was icy, heavy sleet and snow — not that fluffy stuff you ski on. Of course it cause havoc on our electrical grid and our water pipes. Thankfully all in my neighborhood are well and the weather is now in the 70’s! I’ll post a few more pictures when I have some time.

I lost power along with most Texans for large parts of early last week. Power has been stable since last Thursday. The last snow and ice melted last Saturday (so it was on the ground for a good 5 days). The worst days for me were Tuesday and Wednesday when we have the rolling power outages.

Ella enjoying a boogie board style toboggan at the nearby park.

Lastly, I needed to update my SSL cert for this website which I’ve now done. Silly me for taking so long to do that; I had a bit on my plate.

Categories
Software

FreeNAS 11.3 Jail + WordPress & Nginx

I’ve recently upgraded my FreeNAS server to version 11.3 and I setup my personal WordPress site in a FreeNAS Iocage Jail using PHP-FPM and Nginx web server. There are precious few write ups of this process so I decided to write one (and document my challenges). I hope you enjoy. Before you get started this is of moderate difficulty and there are much easier hosted solutions at WordPress.com. This is mostly an exercise of “is this possible” and the answer is yes!

BTW, many thanks to https://www.mjaleel.com/2019/02/28/20/how-to-setup-wordpress-on-freenas-iocage-jail/ which is the post which I originally used to get myself configured. I’ve added to it and changed a few things. Please note my Iocage Jail section is much different and I’ve added the WordPress configuration steps.

Step 1) Create the Iocage Jail

There are numerous tutorials for doing this. I will be brief here. In the FreeNAS 11.3 web GUI interface, navigate to Jails and select Add. I named mine WordPress, you can choose whichever name suits your fancy; www is another good option. I selected default Jail type and release 11.3-Release (more about this later).

I selected DHCP auto configure for IPv4 which means FreeNAS will request an IP address from your router via DHCP (Dyn Host Config Protocol). Only select NAT if you want to put it on the same IP as your FreeNAS server but that takes some work since FreeNAS also sits on port 80, so save yourself the trouble and select DHCP. I unchecked autoconfigure of IPv6. In general I keep IPv6 off for security reasons. Hit next and then create.

Start your Jail using the FreeNAS web GUI. Note down the IP address of your jail for later. SSH (Secure Shell) into your Freenas (there are many tutorials on how to do that, I’ll leave to the reader) and type jls to view the Jails that have been configured and are running (note the JID or jail identifier). You can see in the screenshot below that my WordPress jail is running on jid 9. Execute the command “sudo exec 9 /bin/tcsh” to ssh into WordPress jail. BTW, there are like a half dozen ways to ssh into a jail, this is just the way I’m most comfortable with.

Step 2) Install packages

Now that you are ssh’ed into your FreeNAS 11.3 jail, we will install a number of software packages. This may or may not get out of date. I will attempt to keep it more or less current. Please note that we’ll install mysql 5.7 packages as the mysql 8.0 package fails when WordPress attempts to connect. Your mileage may vary and of course other RDBMS (Relational Database Management Systems) will also work. I’m a former Sybase DBA and I absolutely love Sybase for what it’s good at… I digress.. Ok, on to the packages…

First, run “pkg update” to fetch the latest package list for your Jail. Next, run “pkg upgrade” to upgrade any deployed package and the Jail software itself (Note, this may take a while if you run on an old Jail). There is another command needed to upgrade to another release (i.e. 11.2 to 11.3 release of FreeNAS) which I’ll leave to the reader.

Execute the following command to download the packages

pkg install nginx php73 mysql57-server mysql57-client php73-xml php73-dom php73-curl php73-ctype php73-json php73-ftp php73-hash php73-session php73-pecl-imagick php73-pecl-memcached php73-tokenizer php73-mbstring php73-fileinfo php73-exif php73-openssl php73-filter php73-zip php73-zlib php73-mysqli php73-iconv php73-gd

It’ll pull in many other dependencies; it became 98 packages on my test machine, 669 MiB. Select “Y” to download and install. PHP packaging is *very* modular in general. If you forget a required package like let’s say php73-ctype and then continue, you’ll eventually get Jetpack connection errors that will have you pulling your hair out for a day until you realize (this happened to me!).

3) Create and Mount Your Datasets

Personally, I like to put software in the Jails and keep data on datasets outside of the Jails. This way I can create or upgrade software components away from the data for no-tears upgrades. I created 2 datasets on my FreeNAS pool named ssl and var. SSL like the description says is all things SSL certs and intermediate certs and CSR’s etc. I keep it separate from the Jails and separate from other datasets as I’ll want to use this with other services (Minecraft minos for instance). Var is for all things Variable that includes logs, WWW root and database backups.

Back at the command line to my WordPress Jail, I changed directory back to the /mnt directory and added two directories for the ssl dataset and the var dataset

Stop the WordPress Jail in the FreeNAS web GUI (in the Jails section). When it is stopped, select Mountpoints to add the mount points you just created.

Next, add the two mount points to the Jail you named WordPress. You will need to do this one at a time and select the source at the top to be the dataset you just created and the destination in the bottom pane which is the directory you created in your Jail. You can use different directory names; just remember what you used.

After you add the 2 mounts, you can go back to the Jails interface in FreeNAS and restart your WordPress jail.

4) Configure your Services to Autostart

Use that jls and jexec process (from end of Step 1) to ssh back into your WordPress Jail. You should notice that the JID number has incremented by 1 (this is expected). Check to make sure the /mnt/ssl and /mnt/var filesystems are mounted and writeable. You can touch a file in each directory and see if it’s written to the appropriate place.

Then type “grep rcvar /usr/local/etc/rc.d/*” to see what the enable configs are for all your services. In this example they are php_fpm_enable, nginx_enable and mysql_enable. Then vi the /etc/rc.conf file to add those configurations and enable them.

You of course can use whichever editor you like. I’m a vi person, emacs looks cool but vi works everywhere. Add those 3 entries at the bottom and save the file. Don’t start any services yet.

5) Configure php-fpm (Note: I have no idea what fpm means, I will speculate freebsd package mgmt)

Back in the ssh command line for your WordPress instance. Run the following command to copy the distributed php.ini (config) file to your instance.

root@wordpress:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Next, edit the php-fpm.conf file

root@wordpress:~ # vi /usr/local/etc/php-fpm.conf
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr/local). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Note: the default prefix is /var
; Default Value: none
pid = run/php-fpm.pid

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
;error_log = log/php-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated.  This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; The maximum number of processes FPM will fork. This has been designed to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
; process.max = 128

; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool process will inherit the master process priority
;         unless specified otherwise
; Default Value: no set
; process.priority = -19

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
;daemonize = yes

; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Specify the event mechanism FPM will use. The following is available:
; - select     (any POSIX os)
; - poll       (any POSIX os)
; - epoll      (linux >= 2.5.44)
; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll  (Solaris >= 7)
; - port       (Solaris >= 10)
; Default Value: not set (auto detection)
events.mechanism = kqueue

; When FPM is built with systemd integration, specify the interval,
; in seconds, between health report notification to systemd.
; Set to 0 to disable.
; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; Multiple pools of child processes may be started with different listening
; ports and different management options.  The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
;  - the global prefix if it's been set (-p argument)
;  - /usr/local otherwise
include=/usr/local/etc/php-fpm.d/*.conf

Edit the file /usr/local/etc/php-fpm.d/www.conf

root@www:~ # vi /usr/local/etc/php-fpm.d/www.conf
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000

; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
listen.backlog = -1

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
;listen.owner = www
;listen.group = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =

; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = 127.0.0.1

; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool processes will inherit the master process priority
;         unless it specified otherwise
; Default Value: no set
; process.priority = -19

; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives. With this process management, there will be
;             always at least 1 children.
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
;  ondemand - no children are created at startup. Children will be forked when
;             new requests will connect. The following parameter are used:
;             pm.max_children           - the maximum number of children that
;                                         can be alive at the same time.
;             pm.process_idle_timeout   - The number of seconds after which
;                                         an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3

; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500

; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
;   pool                 - the name of the pool;
;   process manager      - static, dynamic or ondemand;
;   start time           - the date and time FPM has started;
;   start since          - number of seconds since FPM has started;
;   accepted conn        - the number of request accepted by the pool;
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;                          of pending connections since FPM has started;
;   listen queue len     - the size of the socket queue of pending connections;
;   idle processes       - the number of idle processes;
;   active processes     - the number of active processes;
;   total processes      - the number of idle + active processes;
;   max active processes - the maximum number of active processes since FPM
;                          has started;
;   max children reached - number of times, the process limit has been reached,
;                          when pm tries to start more children (works only for
;                          pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
;   pool:                 www
;   process manager:      static
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          62636
;   accepted conn:        190460
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42
;   idle processes:       4
;   active processes:     11
;   total processes:      15
;   max active processes: 12
;   max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
;   http://www.foo.bar/status
;   http://www.foo.bar/status?json
;   http://www.foo.bar/status?html
;   http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
;   http://www.foo.bar/status?full
;   http://www.foo.bar/status?json&full
;   http://www.foo.bar/status?html&full
;   http://www.foo.bar/status?xml&full
; The Full status returns for each process:
;   pid                  - the PID of the process;
;   state                - the state of the process (Idle, Running, ...);
;   start time           - the date and time the process has started;
;   start since          - the number of seconds since the process has started;
;   requests             - the number of requests the process has served;
;   request duration     - the duration in µs of the requests;
;   request method       - the request method (GET, POST, ...);
;   request URI          - the request URI with the query string;
;   content length       - the content length of the request (only with POST);
;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
;   script               - the main script called (or '-' if not set);
;   last request cpu     - the %cpu the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because CPU calculation is done when the request
;                          processing has terminated;
;   last request memory  - the max amount of memory the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because memory calculation is done when the request
;                          processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
;   ************************
;   pid:                  31330
;   state:                Running
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          63087
;   requests:             12808
;   request duration:     1250261
;   request method:       GET
;   request URI:          /test_mem.php?N=10000
;   content length:       0
;   user:                 -
;   script:               /home/fat/web/docs/php/test_mem.php
;   last request cpu:     0.00
;   last request memory:  0
;
; Note: There is a real-time FPM status monitoring sample web page available
;       It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status

; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping

; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong

; The access log file
; Default: not set
;access.log = log/$pool.access.log

; The access log format.
; The following syntax is allowed
;  %%: the '%' character
;  %C: %CPU used by the request
;      it can accept the following format:
;      - %{user}C for user CPU only
;      - %{system}C for system CPU only
;      - %{total}C  for user + system CPU (default)
;  %d: time taken to serve the request
;      it can accept the following format:
;      - %{seconds}d (default)
;      - %{miliseconds}d
;      - %{mili}d
;      - %{microseconds}d
;      - %{micro}d
;  %e: an environment variable (same as $_ENV or $_SERVER)
;      it must be associated with embraces to specify the name of the env
;      variable. Some exemples:
;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
;  %f: script filename
;  %l: content-length of the request (for POST request only)
;  %m: request method
;  %M: peak of memory allocated by PHP
;      it can accept the following format:
;      - %{bytes}M (default)
;      - %{kilobytes}M
;      - %{kilo}M
;      - %{megabytes}M
;      - %{mega}M
;  %n: pool name
;  %o: output header
;      it must be associated with embraces to specify the name of the header:
;      - %{Content-Type}o
;      - %{X-Powered-By}o
;      - %{Transfert-Encoding}o
;      - ....
;  %p: PID of the child that serviced the request
;  %P: PID of the parent of the child that serviced the request
;  %q: the query string
;  %Q: the '?' character if query string exists
;  %r: the request URI (without the query string, see %q and %Q)
;  %R: remote IP address
;  %s: status (response code)
;  %t: server time the request was received
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %T: time the log has been written (the request has finished)
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow

; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0

; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20

; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0

; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
;       possible. However, all PHP paths will be relative to the chroot
;       (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =

; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes

; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
;   php_value/php_flag             - you can set classic ini defines which can
;                                    be overwritten from PHP call 'ini_set'.
;   php_admin_value/php_admin_flag - these directives won't be overwritten by
;                                     PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.

; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)

; Default Value: nothing is defined by default except the values in php.ini and
;                specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

php_admin_value[memory_limit] = 512M
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[post_max_size] = 13M
php_admin_value[upload_max_filesize] = 13M
php_admin_value[date.timezone] = "America/Chicago"

6) Configure Nginx Web Server

We are getting close; please hang in there! For this section we will create a series of config files for Nginx web server. We will default it to use SSL encryption (you will need to supply your own SSL certs). I can give you the steps to create a self signed SSL cert to test, but you’ll want to get a proper SSL cert (which costs $$$) from your domain registrar or another location.

Create and edit the following configuration files:

  • /usr/local/etc/nginx/php_handlers.conf: This config file directs where all the php scripts will be handled.
  • /usr/local/etc/nginx/conf.d/redirect.conf: This config file that redirects all the HTTP requests to HTTPS. 
  • /usr/local/etc/nginx/ssl.conf: This config file has all the settings defined to enable SSL on the web sever.
  • /usr/local/etc/nginx/conf.d/www.conf: This is the default wordpress server config file 
  • /usr/local/etc/nginx/nginx.conf: This is the main config file for the nginx webserver.

Create the server hosts configuration directory /usr/local/etc/nginx/conf.d

root@wordpress:~ # mkdir -p /usr/local/etc/nginx/conf.d

Create the /usr/local/etc/nginx/php_handlers.conf configuration file.

root@wordpress:~ # vi /usr/local/etc/nginx/php_handlers.conf
# PHP Handlers

# WordPress
upstream php_wp {
        # This should match value of the "listen" directive in php-fpm pool for www
        # localhost and port 9000
        server 127.0.0.1:9000;
}

Create and edit the /usr/local/etc/nginx/conf.d/redirect.conf file

root@wordpress:~ # vi /usr/local/etc/nginx/conf.d/redirect.conf
server {
    listen 80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

Create and edit the /usr/local/etc/nginx/conf.d/www.conf

root@wordpress:~ # vi /usr/local/etc/nginx/conf.d/www.conf
# www - public server
server {
   listen       443 ssl http2;
   server_name  www.example.com example.com;

   root    /mnt/var/www/wordpress;
   index  index.php;

   # php max upload limit cannot be larger than this size
   client_max_body_size 13m;

   # SSL Configuration
   include /usr/local/etc/nginx/ssl.conf;

   location / {
       try_files $uri $uri/ /index.php?$args;
   }

   location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $request_filename;
        fastcgi_pass   php_wp;  # php handler for www
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
   }

   location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        access_log off;
        log_not_found off;
   }

} # End of www server block

Edit the file /usr/local/etc/nginx/nginx.conf

root@wordpress:~ # ee /usr/local/etc/nginx/nginx.conf
# Load Modules
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

user www;
worker_processes auto;

error_log  /var/run/error.log;
#
# service start script is looking here for the pid. don't move it.
pid        /var/run/nginx.pid;

events {
  worker_connections 1024;
}

http {

  # Basic settings
  # ----------

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 65;
  #server_tokens off;

  # Common limits
  # ----------

  include mime.types;
  default_type application/octet-stream;

  # Logs format
  # ----------

  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"'
                  'rt=$request_time ut=$upstream_response_time '
                  'cs=$upstream_cache_status';

  log_format cache '$remote_addr - $host [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_referer" '
                   'rt=$request_time ut=$upstream_response_time '
                   'cs=$upstream_cache_status';

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;

  # GZip config
  # ----------

  gzip on;

  # Cache config
  # ----------

  # PHP Handlers
  # ----------
  include /usr/local/etc/nginx/php_handlers.conf;


  # Virtual host config
  # ----------
  # Only virtual host with the *.conf will be included.
  include /usr/local/etc/nginx/conf.d/*.conf; 

}  # End of http block

7) Configure SSL for Nginx

Create a self-signed SSL certificate using openssl.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /mnt/ssl/private/selfsigned.key -out /mnt/ssl/certs/selfsigned.crt

This will only be useful for your testing purposes. All guests to your web server will be prompted with a fun little message that this site cannot be trusted. It’s fine for this tutorial though, you will need to procure your own SSL certificate from your domain registrar or another reputable source. Note that I saved that keyfile and the cert into our mount point for the SSL dataset we created in a previous step.

Create and edit the /usr/local/etc/nginx/ssl.conf file

# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate

ssl_certificate           /mnt/ssl/certs/selfsigned.crt; # self signed cert
ssl_certificate_key       /mnt/ssl/private/selfsigned.key; # self signed Key

#ssl_verify_client on;

# more secure ssl settings
ssl_protocols             TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers  on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRS
A+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";


## verify chain of trust (if needed)
#ssl_trusted_certificate    /mnt/ssl/certs/cacert.pem;


8) Configure mysql database

WordPress leverages a database for much of the dynamic content (posts, users, pages, comments, etc). You’ll need to do a very small amount of configuration prior to first usage of WordPress. First and foremost you’ll need to start up the mysql server.

service mysql-server start

If you receive no errors then your mysql server should be running. you can check by running “netstat -an | grep 3306” and you should see a row starting with tcp4 and ending with LISTEN. If nothing is returned from the above command your mysql server is not running and you’ll need to troubleshoot that.

Next, you will need to run a script to secure the mysql installation. The first step is to login to mysql as root. The root password is either blank (i.e. nothing) or a special file called .mysql_secret in the root home directory that contains the password

mysql_secure_installation

Set the new root password, disable anonymous logins and root logins from external and remove the temp database. You can set password requirements, but if you do then it’ll only allow high strength passwords in WordPress. When the script is done login as root and create the WordPress database.

mysql –u root –p
create database wordpress;
grant all privileges on wordpress.* to 'wpuser'@'localhost' identified by 'wppassword';
flush privileges;
exit

If you made it this far you really deserve a break; maybe a nice cup of camomile tea? Literally this took me like 2 nights to get this far…

9) Download WordPress Installation

WordPress is essentially a bunch of php files, some css and some other files. You can download the latest tarball (i.e a tar.gz archive) from http://www.wordpress.org (don’t mistakenly go to the .com version!). Hit the “Get WordPress” bottom and click the download .tar.gz link. You should scp the tar.gz file from your pc to the FreeNAS server. You should save it in your /var dataset which you mounted in a previous step. Mine is located in /mnt/PavPool/var, so the command from my pc would be:

rich@somecomputer# scp rich@kidney:/mnt/PavPool/var ~/Downloads/Wordpress-5.3.2.tar .

Create a directory called www and extract the WordPress archive there. Make sure the directory structure matches the path you set in www.conf in Step 6. If your jail is expecting /mnt/var/wordpress then the workpress software must be extracted into a folder called wordpress. Make sure the files are directory structure are readable and writeable by your nginx server process.

10) Now Restart everything and Try to Connect

You need to reload and restart all your components to load the configurations files. You will get an error if the configuration files are

root@wordpress:/ # service php-fpm reload

Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:06:35] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Make sure your php-fpm.conf file passes the validation check. Now restart PHP

root@wordpress:/ # service php-fpm restart

Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:10:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Stopping php_fpm.
Waiting for PIDS: 57658.
Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:10:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Now reload nginx webe server and restart it. Again, make sure the reload validation step passes (it doesn’t mean that it will functionally work but at least you don’t have typos in your config files.).

root@wordpress:/ # service nginx reload

Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

root@wordpress:/ # service nginx restart

Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 7244.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.

Remember the IP address for your wordpress jail that you wrote down from step 1? Well, type that IP address into a web browser. If you are greeted by a webpage by WordPress to initialize your site for the first time then Success.

root@wordpress:/ # netstat -an | grep -i "LISTEN"
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0 127.0.0.1.3306         *.*                    LISTEN
root@wordpress:/ # 

Run a quick netstat check to see if you are listening on the ports you configured in the previous steps: 80 is http traffic (unencrypted) which will foward to 443 which is SSL encrypted by nginx, 9000 is php-fpm, and 3306 is mysql.

11) Configure port forwarding on your wifi router

You are in the home stretch now. Connect to wifi router and login as an admin account. Typically in the WAN section there is a series of options for port fowarding. If any external requests come into your External IP address for port 80 or port 443 you shoudl configure that to redirect or port forward those to the IP address for your wordpress Jail. Make sure your wifi router is configured with your dynamic DNS provider of choice; for example DynDNS. Ultimately traffic to yourdomain.com will be redirected by your dynamic DNS service provider to your externally visiable IP address that is issued to your wifi router (usually thru DHCP) which will then port forward anything on port 80 or 443 to your jail internal NAT-ed (Network Address Translation) IP for WordPress which is where nginx is running. When you initialize your site USE YOUR external domain name in the wordpress config and not the internal IP address. If you mess this up and use your internal IP address then WordPress will look fine for you inside your network where your FreeNAS box is but the formatting will be missing or corrupted for everyone else outside your network that views your site. You can very easily drop your Mysql WordPress database if you chose any of the wrong options and re-create it to reinitilize your site. I hope this was useful to you; it’s a long read but utltimately I’m very happy with the setup!