A blog on Computer Science, Security, Programming, and more...


Written From Scratch

Written by Matt

The backend

This system runs OpenBSD. The web server is a chrooted, statically compiled nginx installation that uses FastCGI for PHP, which is also chrooted and compiled with -fstack-protector. The two communicate through a TCP socket; neither has access to any files, and they can't even see the underlying system. The database is PostgreSQL, which also communicates with FastCGI PHP through a TCP socket, using the pgsql.so module loaded from within the chroot. PostgreSQL might as well be running on another system, as it is also chrooted, but outside of FastCGI and nginx's chroot. Packet Filter disallows any connections that don't go directly into the web server port, and the kernel is in Security Level 2 on boot, which means any change in the PF rules requires physical access and a reboot: you'd have to access the system before SSH is started, through the VNC, which only listens locally on the host address.

Setting this up was something else. There was absolutely nothing online that described how to link together FastCGI PHP and PostgreSQL. OpenBSD is incredibly obscure search-wise when looking for problems. The stuff I did find seemed to have been written by morons as half the directions were completely off, or they'd skip over huge steps. I've got it all running now, in a VM nonetheless. I've made a copy of it for future use, just need to change the credentials for different uses.

The blog system

Beyond that, the entire blog system was written from scratch using PHP 5.3 with Suhosin (hardened PHP) and PostgreSQL. I don't really like WordPress, nor do I trust the security of it. Every packaged blog system either feels cheap or has too many flaws. I also wrote my own BBCode parser, which is what I use to generate the markup for these posts. Much better than just submitting raw HTML, as this validates the tag pairs before they are submitted. The output validates under XHTML 1.1 strict. Keeps me from making mistakes, and it's neat in general.

Since I'll probably be posting code on here a lot I also imported Google's JS library prettify, which along with the BBCode parser makes it easy to include properly formatted and syntax highlighted code:

/* Comment Sample */
#include <stdio.h>

int main(int argc, char **argv){
  fprintf(stdout, "Hello, world!\n");
  return 0;
}

It's a very nice library. The only thing that's left to implement in the parser is tables, which will require some nested tag checks, but I just have to generalize it a bit more; it's already pretty flexible anyway.
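
The tag-pair validation described above, together with the parent/child nesting check that tables would need, as an added example that is not the blog's own parser. The tag set, the nesting map and the function name bbcode_to_xhtml are assumptions; it also goes beyond the post by HTML-escaping all text between tags, so nothing typed into a post reaches the page as raw markup.

```php
<?php
// Added example: the tag names and parent rules are assumptions, not the blog's tag set.
// BBCode tag => array(XHTML element, required parent BBCode tag or null for "anywhere")
$BB_TAGS = array(
    'b'     => array('strong', null),
    'i'     => array('em', null),
    'table' => array('table', null),
    'tr'    => array('tr', 'table'),
    'td'    => array('td', 'tr'),
);

// Returns XHTML, or false if a tag is unclosed, closed out of order, or nested
// under the wrong parent. Written to run on PHP 5.3 as well as current PHP.
function bbcode_to_xhtml($input, $tags)
{
    $stack = array();   // currently open BBCode tags, innermost last
    $out = '';
    // Split into text and [tag] / [/tag] tokens, keeping the delimiters.
    $tokens = preg_split('/(\[\/?[a-z]+\])/', $input, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($tokens as $tok) {
        if (!preg_match('/^\[(\/?)([a-z]+)\]$/', $tok, $m) || !isset($tags[$m[2]])) {
            // Plain text or an unrecognised bracket sequence: always escaped.
            $out .= htmlspecialchars($tok, ENT_QUOTES, 'UTF-8');
            continue;
        }
        list($element, $parent) = $tags[$m[2]];
        if ($m[1] === '') {                        // opening tag
            if ($parent !== null && end($stack) !== $parent) {
                return false;                      // e.g. [td] directly under [table]
            }
            $stack[] = $m[2];
            $out .= "<$element>";
        } else {                                   // closing tag
            if (array_pop($stack) !== $m[2]) {
                return false;                      // mismatched or stray close
            }
            $out .= "</$element>";
        }
    }
    return count($stack) === 0 ? $out : false;     // reject unclosed tags
}

// Constructed sample inputs: one valid post, one crossed pair, one bad table nesting.
var_dump(bbcode_to_xhtml('[b]bold <script>[/b]', $BB_TAGS));
var_dump(bbcode_to_xhtml('[b][i]x[/b][/i]', $BB_TAGS));
var_dump(bbcode_to_xhtml('[table][td]x[/td][/table]', $BB_TAGS));
```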

Topic: General tags: sysadmin, php, nginx, OpenBSD, meta
No.1 - Anonymous ## Administrator ##   2014-06-08 12:48
A comment.