Notes:
Site 1: bbs.osyunwei.com, application directory /data/osyunwei/bbs
Site 2: sns.osyunwei.com, application directory /data/osyunwei/sns
System Operations www.osyunwei.com friendly reminder: original content by qihang01, © all rights reserved; when reposting, please credit the source and link to the original article.
Related configuration files and directories:
nginx main configuration file: /usr/local/nginx/conf/nginx.conf
php installation directory: /usr/local/php5/
Site 1 virtual host configuration file: /usr/local/nginx/conf/vhost/bbs.conf
Site 2 virtual host configuration file: /usr/local/nginx/conf/vhost/sns.conf
Goals:
1. php-fpm can be started and stopped separately for site 1 and site 2.
2. The PHP execution permissions of site 1 and site 2 are isolated from each other and neither can browse the other's directories, i.e. a PHP trojan inside site 1 cannot access content in site 2,
and likewise a PHP trojan inside site 2 cannot access content in site 1.
Method:
I. Create a php-fpm.pid file for each site
cd /usr/local/php5/var/run
touch php-fpm-bbs.pid
touch php-fpm-sns.pid
II. Create a php-fpm.conf file for each site
cd /usr/local/php5/etc/
cp php-fpm.conf php-fpm-bbs.conf
cp php-fpm.conf php-fpm-sns.conf
III. Create a php-cgi.sock file for each site
touch /tmp/php-cgi-bbs.sock #create the php-cgi.sock file
chown www.www /tmp/php-cgi-bbs.sock #make www the file owner (must match the nginx user)
touch /tmp/php-cgi-sns.sock
chown www.www /tmp/php-cgi-sns.sock
IV. Edit the related files
vi /usr/local/php5/etc/php-fpm-bbs.conf
pid = run/php-fpm-bbs.pid
listen = /tmp/php-cgi-bbs.sock
vi /usr/local/php5/etc/php-fpm-sns.conf
pid = run/php-fpm-sns.pid
listen = /tmp/php-cgi-sns.sock
vi /etc/rc.d/init.d/php-fpm
vhost=$2  # second argument: the site name (bbs or sns), e.g. "php-fpm start bbs"
php_fpm_CONF=${prefix}/etc/php-fpm-$vhost.conf
php_fpm_PID=${prefix}/var/run/php-fpm-$vhost.pid
# open_basedir confines this pool's PHP to its own site directory plus /tmp (which both pools share)
php_opts="-d open_basedir=/data/osyunwei/$vhost/:/tmp/ --fpm-config $php_fpm_CONF"
vi /usr/local/nginx/conf/vhost/bbs.conf
fastcgi_pass unix:/tmp/php-cgi-bbs.sock;
vi /usr/local/nginx/conf/vhost/sns.conf
fastcgi_pass unix:/tmp/php-cgi-sns.sock;
cd /home
vi start.sh #edit the boot-time start script
#!/bin/bash
# Pass the action (start|stop|restart) on to both php-fpm instances
auto=$1
/bin/bash /etc/rc.d/init.d/php-fpm $auto bbs
/bin/bash /etc/rc.d/init.d/php-fpm $auto sns
chmod +x start.sh #make the script executable
vi /etc/rc.local #edit the boot-time startup file
sh /home/start.sh start #add to startup
service nginx start
/etc/rc.d/init.d/php-fpm start bbs #start site bbs.osyunwei.com on its own
/etc/rc.d/init.d/php-fpm start sns
/etc/rc.d/init.d/php-fpm stop bbs #stop site bbs.osyunwei.com on its own
/etc/rc.d/init.d/php-fpm stop sns
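Steps I to IV above, parameterised by site name, as an added shell example that is not part of the original post: it creates the per-site pid file, copies the master php-fpm.conf to php-fpm-<vhost>.conf with the pid and listen lines rewritten, creates the socket placeholder, and prints the php_opts value the init script needs. The PHP prefix and socket directory are arguments (defaulting to /usr/local/php5 and /tmp, as on the page); the master php-fpm.conf is assumed to contain pid = and listen = lines (a commented-out ;pid line is uncommented), and the chown to www is only attempted when running as root and that user exists.

```shell
#!/bin/bash
# Added example (not from the original post): perform steps I-IV for one site.
# Usage: ./make_site_pool.sh <vhost> [php_prefix] [sock_dir]
#   e.g. ./make_site_pool.sh bbs /usr/local/php5 /tmp

make_site_pool() {
    vhost="$1"
    prefix="${2:-/usr/local/php5}"   # PHP install directory, as on the page
    sockdir="${3:-/tmp}"             # directory holding php-cgi-<vhost>.sock
    tmpl="$prefix/etc/php-fpm.conf"  # master conf; assumed to have pid= and listen= lines
    conf="$prefix/etc/php-fpm-$vhost.conf"
    pidfile="$prefix/var/run/php-fpm-$vhost.pid"
    sock="$sockdir/php-cgi-$vhost.sock"

    # Refuse names that would escape the site directory or corrupt the open_basedir path
    case "$vhost" in
        ''|*/*|*..*|*[!A-Za-z0-9_-]*) echo "bad vhost name: $vhost" >&2; return 1 ;;
    esac
    [ -f "$tmpl" ] || { echo "missing template $tmpl" >&2; return 1; }

    mkdir -p "$prefix/var/run" "$sockdir"

    # Step I: per-site pid file
    : > "$pidfile"

    # Steps II and IV: copy the master conf, pointing pid and listen at the per-site paths.
    # Only the bare "pid =" and "listen =" keys are touched (listen.owner etc. are left alone).
    sed -e "s#^;*[[:space:]]*pid[[:space:]]*=.*#pid = run/php-fpm-$vhost.pid#" \
        -e "s#^;*[[:space:]]*listen[[:space:]]*=.*#listen = $sock#" \
        "$tmpl" > "$conf"

    # Step III: socket path owned by the nginx user (only when root and the www user exists)
    : > "$sock"
    if [ "$(id -u)" -eq 0 ] && id www >/dev/null 2>&1; then
        chown www:www "$sock"
    fi

    # The php_opts value the page puts in the init script: this pool is confined to
    # its own site directory plus /tmp, and started from its own configuration file
    echo "-d open_basedir=/data/osyunwei/$vhost/:/tmp/ --fpm-config $conf"
}

# Run only when invoked with arguments, so the file can also be sourced
if [ $# -ge 1 ]; then
    make_site_pool "$@"
fi
```

Run it once per site (bbs, sns) and paste the printed string into php_opts in the init script, or keep the init script's $vhost-based version from step IV, which produces the same value. Because both pools list /tmp in open_basedir, files one site writes there are reachable by the other; a per-site temporary directory would close that gap if it matters for your sites.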
V. Contents of the related configuration files
/usr/local/nginx/conf/nginx.conf
user www www;
worker_processes 2;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    use epoll;
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 300m;
    sendfile on;
    tcp_nopush on;
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    #keepalive_timeout 0;
    keepalive_timeout 60;
    tcp_nodelay on;
    server_tokens off;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
    # catch-all: requests whose Host matches no vhost get a 404
    server {
        listen 80 default;
        server_name _;
        location / {
            root html;
            return 404;
        }
        # deny access to .htaccess / .htpasswd (the dot must be escaped in the regex)
        location ~ /\.ht {
            deny all;
        }
    }
    server {
        listen 80;
        #server_name localhost;
        index index.php default.php index.html index.htm default.html default.htm;
        location /status {
            stub_status on;
            access_log off;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }
        location ~ .*\.(js|css)$ {
            expires 12h;
        }
        access_log off;
    }
    include vhost/*.conf;
}
vi /usr/local/nginx/conf/vhost/bbs.conf
server {
    listen 80;
    server_name bbs.osyunwei.com;
    index index.php index.html index.htm default.html default.htm default.php;
    root /data/osyunwei/bbs;
    # PHP for this site goes only to the bbs php-fpm instance
    location ~ .*\.(php|php5)$ {
        fastcgi_pass unix:/tmp/php-cgi-bbs.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    location /status {
        stub_status on;
        access_log off;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
    }
    access_log off;
}
vi /usr/local/nginx/conf/vhost/sns.conf
server {
    listen 80;
    server_name sns.osyunwei.com;
    index index.php index.html index.htm default.html default.htm default.php;
    root /data/osyunwei/sns;
    # PHP for this site goes only to the sns php-fpm instance
    location ~ .*\.(php|php5)$ {
        fastcgi_pass unix:/tmp/php-cgi-sns.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    location /status {
        stub_status on;
        access_log off;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {
        expires 12h;
    }
    access_log off;
}
vi /usr/local/nginx/conf/fcgi.conf
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
Blogger, may I ask a question? I want to become a sysadmin; if I have to get a certification, which one should I take?
The Red Hat certification, or something else?
Cisco
Huawei
The national Soft Exam network engineer certification
Or the Redhat certification
Use the exams to drive your studying
Blogger, I have read many of your articles and greatly admire your knowledge. A question: after configuring things as above, can a webshell still work? Or rather, can it still access directories such as /var? Thank you
Also, could you write an article on how to prevent webshells under Apache? Many thanks; site security is a very important issue
After this is set up, PHP execution permissions are restricted to the current site; it cannot access the content of other sites, and of course it cannot access other files on the server either!
Preventing PHP trojans from crossing sites under Apache on CentOS Linux | System Operations
http://www.osyunwei.com/archives/795.html
Thank you for the reply, blogger. As for the Apache method you wrote about, I tested it before. Because the CMS I use has a backend admin function, after setting php_admin_value open_basedir "/usr/local/apache/htdocs/www/:/tmp/" the backend stopped working. I also disabled PHP functions so that the webshell no longer works, but then the backend functions stopped working too. Looking for an answer, thanks.