/ 中存储网

使用chroot设置Nginx防跨站保护LNMP环境安全

2014-03-18 16:07:01 来源:itjs.cn
lnmp发展到今日,已经相当稳定,大部分程序也都可以平滑从apache移到nginx环境下。网上流行的lnmp一键包使很多Linux初学者可以非常方便地搭建自己的网站服务器。但随着建立的网站越来越多,安全性越来越成为威胁,由于没有将用户空间进行隔离,可以很轻松的进行跨站攻击。

在php5.4之前可以启用安全模式和目录权限防范跨站的问题,另外也可以通过配置PHP.ini进行防范,参考:LNMP下防跨站、跨目录安全设置,仅支持PHP 5.3.3以上版本

php5.4之后没有了安全模式,这里提供一个解决方案,动手能力较好的朋友可以动手试试。提供了比较完善的安全环境,设置了shell chroot、隔离php执行身份、目录权限等。默认为每个用户设置了open_basedir,因为做了chroot,所以没有禁用php的函数。

特点:

1、高效的http请求处理能力,系统负载低

2、安全的SSH环境,php执行权限分离,各用户间互不影响

架构的简单说明

1、由Nginx处理http请求,nginx运行属主身份为www:www,执行php代理到后端php-fpm,php-fpm负责管理各用户间的php进程,用户运行php的组权限为nobody

2、默认为每个用户提供了SSH,方便用户直接进行管理。限定各SSH用户只能访问家目录的文件,访问系统级命令和访问其他非属主身份的路径显示为无权限。

3、关于用户目录权限的说明,建立的用户属主身份为user:nobody,家目录自身权限:drwxr-x--x,其创建的目录权限设置为drwx---r-x,文件权限设定为-rw----r--。(user为当前用户)

4、通过设定系统umask及ftp服务umask,确保用户家目录下创建的文件权限为-rw----r--,目录权限为drwx---r-x

基本信息:

用户家目录为/home/chroot/home/$user,软链接至/home/$user

nginx 路径:/usr/local/nginx

php 路径:/usr/local/php5.4

php-fpm全局配置:/usr/local/php5.4/etc/php-fpm.conf

php-fpm pools配置:/usr/local/php5.4/etc/fpm.d/php-fpm-$user.conf

mysql 路径:/usr/local/mysql

mysql Data路径:/usr/local/mysql/data

pureftpd 路径:/usr/local/pureftpd

Modify路径:/usr/local/sbin/Modify #创建用户、域名、数据库直接运行脚本Modify

以Centos 6.3 64bit为例,按照下述过程编译

如果是安装在小内存的VPS上,建议增加swap空间,以免后面编译php时出现内存不足的问题

dd if=/dev/zero of=/var/swapfile bs=1024 count=512000

/sbin/mkswap /var/swapfile

/sbin/swapon /var/swapfile

echo "/var/swapfile    swap           swap    defaults        0 0" >> /etc/fstab

先安装必备的开发库,这里我一股脑把后面所需的软件包都安装了,最后再进行无依赖包的清理工作。

yum -y install gcc gcc-c++ file bison patch unzip mlocate flex wget diffutils automake autoconf kernel-devel lsof gd cpp readline-devel openssl openssl-devel vim-minimal nano sendmail libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel libtidy libtidy-devel zlib zlib-devel glibc glibc-devel libc-client libc-client-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel libidn libidn-devel openldap openldap-devel openldap-clients openldap-servers net-snmp net-snmp-devel nss_ldap gettext gettext-devel expat-devel libcap libcap-devel libtool libtool-ltdl-devel pam-devel pcre-devel ncurses-devel subversion bind-utils rsync libxslt groff pkgconfig

一、编译autoconf、libiconv、libmcrypt、mhash、mcrypt等

cd /usr/local/src

wget -c http://ftp.gnu.org/gnu/autoconf/autoconf-2.69.tar.gz

wget -c http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz

wget -c http://dl.icodex.org/lnamp-1.0/src/libmcrypt-2.5.8.tar.bz2/mirror

wget -c http://dl.icodex.org/lnamp-1.0/src/mhash-0.9.9.9.tar.bz2/mirror

wget -c http://dl.icodex.org/lnamp-1.0/src/mcrypt-2.6.8.tar.gz/mirror

cd /usr/local/src

tar -zxvf autoconf-2.69.tar.gz

cd autoconf-2.69/

./configure

make && make install

cd /usr/local/src

tar -zxvf libiconv-1.14.tar.gz

cd libiconv-1.14/

./configure

make && make install

cd /usr/local/src

tar -jxvf libmcrypt-2.5.8.tar.bz2

cd libmcrypt-2.5.8/

./configure

make && make install

/sbin/ldconfig

cd libltdl/

./configure --enable-ltdl-install

make && make install

cd /usr/local/src

tar -jxvf mhash-0.9.9.9.tar.bz2

cd mhash-0.9.9.9/

./configure

make && make install

ln -s /usr/local/lib/libmcrypt.la /usr/lib/libmcrypt.la

ln -s /usr/local/lib/libmcrypt.so /usr/lib/libmcrypt.so

ln -s /usr/local/lib/libmcrypt.so.4 /usr/lib/libmcrypt.so.4

ln -s /usr/local/lib/libmcrypt.so.4.4.8 /usr/lib/libmcrypt.so.4.4.8

ln -s /usr/local/lib/libmhash.a /usr/lib/libmhash.a

ln -s /usr/local/lib/libmhash.la /usr/lib/libmhash.la

ln -s /usr/local/lib/libmhash.so /usr/lib/libmhash.so

ln -s /usr/local/lib/libmhash.so.2 /usr/lib/libmhash.so.2

ln -s /usr/local/lib/libmhash.so.2.0.1 /usr/lib/libmhash.so.2.0.1

cd /usr/local/src

tar -zxvf mcrypt-2.6.8.tar.gz

cd mcrypt-2.6.8/

/sbin/ldconfig

./configure

make && make install

if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then

ln -s /usr/local/lib/libiconv.so.2.5.0 /lib64/libiconv.so.2

fi

二、安装数据库。这里启用了Google 开发的“google-perftools”中的TCMalloc,以增加数据库在高并发下的性能,降低系统负载。同时TCMalloc也同样适用于nginx,因此我们先安装TCMalloc库。以下是安装步骤

1、64位操作系统请先安装libunwind库,32位操作系统不要安装。libunwind库为基于64位CPU和操作系统的程序提供了基本的堆栈辗转开解功能,其中包括用于输出堆栈跟踪的API、用于以编程方式辗转开解堆栈的API以及支持C++异常处理机制的API。

cd /usr/local/src/

wget http://mirror.yongbok.net/nongnu/libunwind/libunwind-1.0.1.tar.gz

cd /usr/local/src/

tar -zxvf libunwind-1.0.1.tar.gz

cd libunwind-1.0.1/

CFLAGS=-fPIC ./configure

make CFLAGS=-fPIC

make CFLAGS=-fPIC install

2、安装google-perftools:

cd /usr/local/src/

wget http://gperftools.googlecode.com/files/gperftools-2.0.tar.gz

tar -zxvf gperftools-2.0.tar.gz

cd gperftools-2.0

./configure --enable-frame-pointers

make && make install

3、修改增加动态链接库

echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf

/sbin/ldconfig

4、修改MariaDB启动脚本(这个步骤我们在后面编译好MariaDB之后再增加)

然后安装最新版开源MariaDB。从MySQL/MariaDB 5.5开始,源码编译构建工具从GUN Autotools换成跨平台的cmake。

1、首先编译安装cmake,当前最新版本为2.8.9

rpm -e cmake

cd /usr/local/src/

wget http://www.cmake.org/files/v2.8/cmake-2.8.9.tar.gz

tar -zxvf cmake-2.8.9.tar.gz

cd cmake-2.8.9;

./bootstrap

make

make install

cd /usr/local/src/

wget http://ftp.gnu.org/gnu/bison/bison-2.7.1.tar.gz

tar -zxvf bison-2.7.1.tar.gz

cd bison-2.7.1

./configure

make

make install

2、编译MariaDB,当前版本号为5.5.31

首先新建MariaDB运行用户(组)

/usr/sbin/groupadd -g 27 -o -r mysql

/usr/sbin/useradd -M -g mysql -o -r -d /usr/local/mysql/data -s /bin/false -c "MariaDB Server" -u 27 mysql

cd /usr/local/src/

wget -O mariadb-5.5.31.tar.gz http://mirror.yongbok.net/mariadb/mariadb-5.5.31/kvm-tarbake-jaunty-x86/mariadb-5.5.31.tar.gz

tar -zxf mariadb-5.5.31.tar.gz

cd mariadb-5.5.31.tar.gz

CFLAGS="-O3" CXX=gcc

CXXFLAGS="-O3 -felide-constructors -fno-exceptions -fno-rtti"

cmake -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DMYSQL_DATADIR=/usr/local/mysql/data -DMYSQL_TCP_PORT=3306 -DMYSQL_UNIX_ADDR=/tmp/mysql.sock -DWITH_EMBEDDED_SERVER=0 -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITH_BLACKHOLE_STORAGE_ENGINE=1 -DWITH_PERFSCHEMA_STORAGE_ENGINE=1 -DWITH_PARTITION_STORAGE_ENGINE=1 -DWITH_FEDERATEDX_STORAGE_ENGINE=1 -DWITH_ARIA_STORAGE_ENGINE=1 -DWITH_XTRADB_STORAGE_ENGINE=1 -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci -DENABLED_LOCAL_INFILE=1 -DWITH_EXTRA_CHARSETS=all -DWITH_READLINE=1 -DWITH_LIBWRAP=1 -DWITH_SSL=system -DWITH_ZLIB=system

make && make install

这里我把大部分数据库引擎都添加了,并设置默认字符集为utf8_general_ci,更多cmake选项,可以执行cmake . -LH|more进行查看。对于多核处理器,可以在make时增加-j选项,如8个核心:make -j 8

3、创建一些目录

mkdir -p /usr/local/mysql/InnoDB/redoLogs; mkdir -p /usr/local/mysql/InnoDB/undoLogs

chown -R mysql /usr/local/mysql/data

chgrp -R mysql /usr/local/mysql

mkdir /usr/local/mysql/logs /usr/local/mysql/tmp

chown mysql.mysql /usr/local/mysql/tmp

chown mysql.mysql /usr/local/mysql/logs

这里数据库data目录为/usr/local/mysql/data,为了方便习惯,也可以做个软连接到/var/lib/mysql

ln -s /usr/local/mysql/data /var/lib/mysql

chown -R mysql /var/lib/mysql

4、初始化第一个数据库mysql,这里存储了mysql用户表、权限表等

cd /usr/local/mysql

./scripts/mysql_install_db --user=mysql --datadir=/usr/local/mysql/data

5、设置修改配置文件my.cnf和init开机启动脚本

/usr/bin/install -m 755 /usr/local/mysql/support-files/my-innodb-heavy-4G.cnf /etc/my.cnf

/usr/bin/install -m 755 /usr/local/mysql/support-files/mysql.server /etc/rc.d/init.d/mysqld

chkconfig --add mysqld

sed -i '69 s/max_connections = 100/max_connections = 1000/' /etc/my.cnf

sed -i '181 s/default-storage-engine = MYISAM/default-storage-engine = innodb/' /etc/my.cnf

sed -i '/myisam_recover/askip-name-resolvenskip-external-lockingnskip-host-cache' /etc/my.cnf

小内存机器建议修改innodb缓冲池大小,否则启动mysql后innodb将显示无法使用或无法启动服务

sed -i '368 s/innodb_buffer_pool_size = 2G/innodb_buffer_pool_size = 256M/' /etc/my.cnf

6、修改开机启动脚本,在/etc/rc.d/init.d/mysqld第46行、47行指定路径,直接用sed修改

sed -i '46 s#basedir=#basedir=/usr/local/mysql#'  /etc/rc.d/init.d/mysqld

sed -i '47 s#datadir=#datadir=/usr/local/mysql/data#'  /etc/rc.d/init.d/mysqld

7、修改MySQL启动脚本mysqld_safe,以支援TCMalloc,编辑文件/usr/local/mysql/bin/mysqld_safe,在# executing mysqld_safe的下一行,增加:#export LD_PRELOAD=/usr/local/lib/libtcmalloc.so 这里直接用sed修改了

sed -i '/# executing mysqld_safe/aexport LD_PRELOAD=/usr/local/lib/libtcmalloc.so' /usr/local/mysql/bin/mysqld_safe

8、收尾工作

echo 'PATH=$PATH:$HOME/bin:/usr/local/bin:/usr/local/mysql/bin' >> ~/.bashrc

source ~/.bash_profile

echo "/usr/local/mysql/lib" > /etc/ld.so.conf.d/mysql.conf

ldconfig

if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then

cd /usr/local/mysql

ln -s lib lib64

chown -R root.mysql lib64

fi

修改mysql root密码,这里使用生成的16位随机数,并将密码保存到/root/.my.cnf,这样管理员通过终端可直接跳过输入密码管理mysql服务(生产环境请不要这样做)。

service mysqld start

mysqlroot_passwd=`cat /dev/urandom | head -1 | md5sum | head -c 16`

echo $mysqlroot_passwd

/usr/local/mysql/bin/mysql -uroot -p

mysql<<EOF

use mysql;

update `mysql`.`user` set `password`=PASSWORD('$mysqlroot_passwd') where `User`='root';

flush privileges;

EOF

cat > /root/.my.cnf<<EOF

[client]

user=root

password=$mysqlroot_passwd

EOF

service mysqld stop

chmod 750 /usr/local/mysql /usr/local/mysql/data

chmod 640 /etc/my.cnf

chmod 600 /root/.my.cnf

三、安装Jailkit,Jailkit可以限制普通用户执行SSH时的家目录,旧版本会有一些问题,但最近这两年相当稳定,因此我在很多服务器都将其作为chroot必备的组件。后面php-fpm进行chroot设置时,也可以直接套用在这个基础上,因此这里先安装Jailkit。

1、安装最新版Jailkit,当前版本为2.16

cd /usr/local/src

wget -c http://olivier.sessink.nl/jailkit/jailkit-2.16.tar.gz

tar -zxf jailkit-2.16.tar.gz

cd jailkit-2.16

./configure

#sed -i '41 s#IBS =#IBS = -pthread#' src/Makefile

make && make install

设置开机启动

/usr/bin/install -m 755 extra/jailkit /etc/init.d/jailkit

chkconfig jailkit on

service jailkit start

2、创建chroot工作目录并设置权限,这里设置为/home/chroot

mkdir /home/chroot

chown root:root /home/chroot

chmod 751 /home/chroot

jk_init -v -j /home/chroot sftp scp jk_lsh extshellplusnet

jk_cp -v /home/chroot /usr/bin/id

jk_cp -v /home/chroot /usr/bin/unzip

jk_cp -v /home/chroot /usr/bin/zip

jk_cp -v /home/chroot /usr/bin/curl

jk_cp -v /home/chroot /etc/pki

jk_cp -v /home/chroot /usr/lib/libssh2.so.1

jk_cp -v /home/chroot /usr/lib/libcurl.so

jk_cp -v /home/chroot /usr/lib/libsoftokn3.so

jk_cp -v /home/chroot /usr/lib/libnssdbm3.so

jk_cp -v /home/chroot /usr/lib/libnss3.so

jk_cp -v /home/chroot /usr/lib/libnssckbi.so

jk_cp -v /home/chroot /usr/lib/libnsspem.so

jk_cp -v /home/chroot /usr/lib/libsmime3.so

jk_cp -v /home/chroot /usr/lib/libssl3.so

jk_cp -v /home/chroot /usr/lib64/libssh2.so.1

jk_cp -v /home/chroot /usr/lib64/libcurl.so

jk_cp -v /home/chroot /usr/lib64/libsoftokn3.so

jk_cp -v /home/chroot /usr/lib64/libnssdbm3.so

jk_cp -v /home/chroot /usr/lib64/libnss3.so

jk_cp -v /home/chroot /usr/lib64/libnssckbi.so

jk_cp -v /home/chroot /usr/lib64/libnsspem.so

jk_cp -v /home/chroot /usr/lib64/libsmime3.so

jk_cp -v /home/chroot /usr/lib64/libssl3.so

jk_cp -v /home/chroot /usr/bin/certutil

jk_cp -v /home/chroot /usr/bin/cmsutil

jk_cp -v /home/chroot /usr/bin/crlutil

jk_cp -v /home/chroot /usr/bin/modutil

jk_cp -v /home/chroot /usr/bin/pk12util

jk_cp -v /home/chroot /usr/bin/signtool

jk_cp -v /home/chroot /usr/bin/signver

jk_cp -v /home/chroot /usr/bin/ssltap

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/atob

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/btoa

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/derdump

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/ocspclnt

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/pp

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/selfserv

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/strsclnt

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/symkeyutil

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/tstclnt

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/vfychain

jk_cp -v /home/chroot /usr/lib/nss/unsupported-tools/vfyserv

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/atob

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/btoa

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/derdump

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/ocspclnt

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/pp

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/selfserv

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/strsclnt

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/symkeyutil

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/tstclnt

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/vfychain

jk_cp -v /home/chroot /usr/lib64/nss/unsupported-tools/vfyserv

mkdir -p {/home/chroot/opt,/home/chroot/tmp,/home/chroot/var/www}

chmod -R 755 /home/chroot/opt /home/chroot/var/www

chmod 1777 /home/chroot/tmp

echo "nobody:x:99:" >> /home/chroot/etc/group

echo "www:x:999:" >> /home/chroot/etc/group

echo "www:x:999:999::/home/www:/bin/nologin" >> /home/chroot/etc/passwd

chmod 644 /home/chroot/etc/group

chmod 644 /home/chroot/etc/passwd

3、修改监听chroot下的日志输出,方便debug

CentOS 5.x

service syslog stop

syslogd -a /home/chroot/dev/log

service syslog restart

CentOS 6.x

service rsyslog stop

rsyslogd -a /home/chroot/dev/log

service rsyslog restart

4、安装mini_sendmail,chroot环境下使用

#must install glibc-static under RHEL 6

yum install -y glibc-static

cd /usr/local/src

wget -c http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz

tar -zxf mini_sendmail-1.3.6.tar.gz

cd mini_sendmail-1.3.6

wget -c http://dl.icodex.org/mini_sendmail_1.3.6.patch.tar.gz

tar -zxf mini_sendmail_1.3.6.patch.tar.gz

patch -p0 < mini_sendmail_1.3.6.patch

make

/usr/bin/install -m 755 mini_sendmail /home/chroot/usr/sbin/sendmail

四、编译PHP,这里选择了最新版本5.4.15。

1、首先创建用户

/usr/sbin/groupadd -g 999 -o -r www

/usr/sbin/useradd -M -g www -o -r -d /var/www/html -s /bin/false -c "Web Server" -u 999 www

2、开始编译

yum -y install libc-client-devel net-snmp net-snmp-devel libtidy-devel

cd /usr/local/src

wget http://www.php.net/get/php-5.4.15.tar.bz2/from/hk2.php.net/mirror

tar -jxf php-5.4.15.tar.bz2

cd php-5.4.15/

if [ `getconf WORD_BIT` = '32' ] && [ `getconf LONG_BIT` = '64' ] ; then withlib="--with-libdir=lib64" ; else withlib="--with-libdir=lib" ; fi

./configure --prefix=/usr/local/php5.4 --with-config-file-path=/usr/local/php5.4/etc --with-iconv-dir --with-freetype-dir --with-jpeg-dir --with-png-dir --with-libxml-dir --with-pcre-regex --enable-xml --disable-phar --disable-rpath --enable-calendar --enable-bcmath --enable-calendar --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl --with-curlwrappers --enable-mbregex --with-ldap --with-ldap-sasl --enable-exif --enable-soap --enable-fpm --with-fpm-user=www --with-fpm-group=www --enable-soap --with-snmp --enable-wddx --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --enable-gd-jis-conv --with-openssl --with-mhash --with-mysql=/usr/local/mysql --with-mysql-sock=/tmp/mysql.sock --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mysqlnd --with-pdo-mysql=/usr/local/mysql --enable-pdo --with-sqlite3 --with-pdo-sqlite --enable-pcntl --enable-sockets --with-xmlrpc --with-imap --with-imap-ssl --with-kerberos --with-tidy --with-bz2 --enable-zip --with-zlib --with-zlib-dir --without-pear --with-gettext --disable-ipv6 --disable-debug $withlib

make ZEND_EXTRA_LIBS='-liconv'

make install

3、设置开机启动脚本

/usr/bin/install -m 755 sapi/fpm/init.d.php-fpm /etc/rc.d/init.d/php-fpm

sed -i '/### END INIT INFO/aumask 072' /etc/rc.d/init.d/php-fpm # 该项是为了使chroot环境下php进程创建的文件(包括临时文件、上传的文件等)符合基本安全权限进行的设置

/sbin/chkconfig --add php-fpm

/sbin/chkconfig php-fpm on

4、安装pear,新版本编译安装时都没pear了

cd /usr/local/src

wget http://pear.php.net/go-pear.phar

/usr/local/php5.4/bin/php go-pear.phar

5、设置php.ini和常用的两个软链接

/bin/cp php.ini-production  /usr/local/php5.4/etc/php.ini

ln -s /usr/local/php5.4/bin/php /usr/bin/php

ln -s /usr/local/php5.4/bin/phpize /usr/bin/phpize

6、创建php-fpm配置文件

mkdir /usr/local/php5.4/etc/fpm.d

cat >/usr/local/php5.4/etc/php-fpm.conf <<EOF

include=etc/fpm.d/*.conf

[global]

pid = run/php-fpm.pid

error_log = log/php-fpm.log

log_level = warning

emergency_restart_threshold = 10

emergency_restart_interval = 1m

process_control_timeout = 5s

process.max = 500

daemonize = yes

rlimit_files = 51200

rlimit_core = 0

events.mechanism = epoll

EOF

设置第一个php-fpm pool,文件名default.conf,没有开启chroot。

cat >/usr/local/php5.4/etc/fpm.d/default.conf <<EOF

[www]

listen = 127.0.0.1:9001

;listen = /usr/local/php5.4/var/run/php-fpm-www.sock

listen.allowed_clients = 127.0.0.1

listen.mode = 0666

listen.owner = www

listen.group = nobody

user = www

group = nobody

;chroot = /home/chroot

; Choose how the process manager will control the number of child processes.

pm = dynamic

pm.max_children = 5

pm.start_servers = 1

pm.min_spare_servers = 1

pm.max_spare_servers = 5

pm.max_requests = 1000

request_terminate_timeout = 30s

; Pass environment variables

env[HOSTNAME] = $HOSTNAME

env[PATH] = /usr/local/bin:/bin

env[TMP] = /var/www/tmp

env[TMPDIR] = /var/www/tmp

env[TEMP] = /var/www/tmp

; Specific php ini settings here

php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f [email protected]"

php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"

php_value[include_path] = ".:/var/www:/var/www/include"

php_value[axis2.log_path] = "/var/www/tmp"

php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"

php_value[soap.wsdl_cache_dir] = "/var/www/tmp"

php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"

php_value[xdebug.output_dir] = "/var/www/tmp"

php_value[xdebug.profiler_output_dir] = "/var/www/tmp"

php_value[xdebug.trace_output_dir] = "/var/www/tmp"

php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popepassthru,pfsockopen,set_time_limit"

; UPLOAD

php_admin_flag[file_uploads] = On

php_admin_value[upload_tmp_dir] = "/var/www/tmp"

;Maximum allowed size for uploaded files.

php_admin_value[upload_max_filesize] = "50M"

php_admin_value[max_input_time] = "120"

php_admin_value[post_max_size] = "50M"

; LOGS

php_admin_value[error_log] = "/var/www/logs/error.log"

php_admin_value[log_errors] = On

php_admin_value[display_errors] = Off

php_admin_value[html_errors] = Off

php_admin_value[display_startup_errors] = Off

php_admin_value[define_syslog_variables] = "1"

php_value[error_reporting] = "6143"

; Maximum execution time of each script, in seconds (30)

php_value[max_input_time] = "120"

; Maximum amount of time each script may spend parsing request data

php_value[max_execution_time] = "300"

; Maximum amount of memory a script may consume (8MB)

php_value[memory_limit] = "128M"

; Sessions: IMPORTANT reactivate garbage collector on Debian!!!

php_value[session.gc_maxlifetime] = "3600"

php_admin_value[session.gc_probability] = "1"

php_admin_value[session.gc_divisor] = "100"

; SECURITY

php_admin_value[session.auto_start] = Off

php_admin_value[mbstring.http_input] = pass

php_admin_value[mbstring.http_output] = pass

php_admin_value[mbstring.encoding_translation] = Off

php_admin_value[expose_php] = Off

php_admin_value[allow_url_fopen] = On

php_admin_value[variables_order] = PGCSE

; enforce filling PATH_INFO & PATH_TRANSLATED

; and not only SCRIPT_FILENAME

php_admin_value[cgi.fix_pathinfo] = "1"

; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME

php_admin_value[cgi.discard_path] = "0"

EOF

mkdir -p {/var/www/tmp,/var/www/html,/var/www/logs}

chown -R www.www /var/www

chmod 751 /var/www /var/www/html /var/www/logs

设置fpm.d目录权限,防止被其他用户访问到

chmod 750 /usr/local/php5.4/etc/fpm.d

7、杂项,安装php扩展库和设置php.ini

cd /usr/local/src

wget http://pecl.php.net/get/memcache-3.0.6.tgz

tar -zxf memcache-3.0.6.tgz

cd memcache-3.0.6

/usr/local/php5.4/bin/phpize

./configure --with-php-config=/usr/local/php5.4/bin/php-config

make && make install

cat >>/usr/local/php5.4/etc/php.ini ; Memcache Setting

extension="memcache.so"

memcache.allow_failover="1"

memcache.max_failover_attempts="20"

memcache.chunk_size="32768"

memcache.default_port="11211"

memcache.hash_strategy="standard"

memcache.hash_function="crc32"

EOF

cd /usr/local/src

wget http://pecl.php.net/get/APC-3.1.13.tgz

#wget http://dl.icodex.org/files/APC-3.1.13.tgz

tar -zxf APC-3.1.13.tgz

cd APC-3.1.13

/usr/local/php5.4/bin/phpize

./configure --enable-apc --enable-apc-mmap --enable-apc-spinlocks --disable-apc-pthreadmutex --enable-apc-memprotect --with-php-config=/usr/local/php5.4/bin/php-config --with-libdir=/usr/local/php5.4/lib/php

make && make install

cat >>/usr/local/php5.4/etc/php.ini ; APC Setting

extension="apc.so"

;apc.enabled="1"

;apc.shm_segments="1"

;apc.shm_size="32M"

;apc.num_files_hint="4096"

;apc.ttl="7200"

;apc.user_ttl="7200"

;apc.gc_ttl="0"

;apc.cache_by_default="1"

;apc.filters=""

;apc.mmap_file_mask="/tmp/apc.XXXXXX"

;apc.slam_defense="0"

;apc.file_update_protection="2"

;apc.enable_cli="0"

;apc.max_file_size="10M"

;apc.stat="1"

;apc.write_lock="1"

;apc.report_autofilter="0"

;apc.include_once_override="0"

;;apc.rfc1867="0"

;;apc.rfc1867_prefix="upload_"

;;apc.rfc1867_name="APC_UPLOAD_PROGRESS"

;;apc.rfc1867_freq="0"

;;apc.rfc1867_ttl="7200"

;apc.localcache="0"

;apc.localcache.size="512"

;apc.coredump_unmap="0"

;apc.stat_ctime="0"

;apc.preload_path=""

;apc.file_md5="0"

;apc.canonicalize="0"

;apc.lazy_functions="1"

;apc.lazy_classes="0"

EOF

cd /usr/local/src/

wget -c http://dl.icodex.org/files/ZendGuardLoader-70429-PHP-5.4-linux-glibc23-x86_64.tar.gz

tar -zxf ZendGuardLoader-70429-PHP-5.4-linux-glibc23-x86_64.tar.gz

cp ZendGuardLoader-70429-PHP-5.4-linux-glibc23-x86_64/php-5.4.x/ZendGuardLoader.so /usr/local/php5.4/include/php/Zend/

cat >>/usr/local/php5.4/etc/php.ini [ZendGuardLoader]

zend_extension="/usr/local/php5.4/include/php/Zend/ZendGuardLoader.so"

zend_loader.enable=1

zend_loader.disable_licensing=0

zend_loader.obfuscation_level_support=3

zend_loader.license_path=

EOF

sed -i 's#; extension_dir = "./"#extension_dir = "/usr/local/php5.4/lib/php/extensions/no-debug-non-zts-20100525/"#' /usr/local/php5.4/etc/php.ini

sed -i 's#;include_path = ".:/php/includes"#include_path = ".:/usr/local/php5.4/lib/php/:/usr/local/php5.4/share/pear"#g' /usr/local/php5.4/etc/php.ini

sed -i 's/post_max_size = 8M/post_max_size = 50M/g' /usr/local/php5.4/etc/php.ini

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 50M/g' /usr/local/php5.4/etc/php.ini

sed -i 's#;upload_tmp_dir =#upload_tmp_dir = /tmp/#g' /usr/local/php5.4/etc/php.ini

#sed -i 's/disable_functions =/disable_functions = exec,system,passthru,shell_exec,escapeshellcmd,ini_alter,dl,proc_open,proc_exec,proc_close,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popepassthru,pfsockopen,set_time_limit/g' /usr/local/php5.4/etc/php.ini

sed -i 's/;date.timezone =/date.timezone = PRC/g' /usr/local/php5.4/etc/php.ini

sed -i 's/short_open_tag = Off/short_open_tag = On/g' /usr/local/php5.4/etc/php.ini

sed -i 's/max_execution_time = 30/max_execution_time = 300/g' /usr/local/php5.4/etc/php.ini

五、编译nginx,引入两个模块,因基本缓存需要而增加了ngx_cache_purge,因rewrite的需要而增加pcre库。

1、编译最新版nginx,加入SPDY模块和ngx_pagespeed模块

rpm -Uvh http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-11.ius.el6.noarch.rpm

yum install git gcc-c++ make pcre-devel openssl-devel libxslt-devel gd-devel zlib-devel geoip-devel yum-plugin-replace

yum replace openssl --replace-with=openssl10 --enablerepo=ius-testing

cd /usr/local/src

wget -c http://nginx.org/download/nginx-1.4.1.tar.gz

wget -c http://labs.frickle.com/files/ngx_cache_purge-2.1.tar.gz

wget -c http://sourceforge.net/projects/pcre/files/pcre/8.32/pcre-8.32.tar.gz/download

wget -c http://wiki.nginx.org/images/5/51/Nginx-accesskey-2.0.3.tar.gz

svn checkout http://substitutions4nginx.googlecode.com/svn/trunk/ substitutions4nginx-read-only

tar -zxf Nginx-accesskey-2.0.3.tar.gz

tar -zxf pcre-8.32.tar.gz

tar -zxf ngx_cache_purge-2.1.tar.gz

tar -zxf nginx-1.4.1.tar.gz

git clone git://github.com/pagespeed/ngx_pagespeed.git

cd ngx_pagespeed/

wget -c https://dl.google.com/dl/page-speed/psol/1.5.27.3.tar.gz

tar -zxvf 1.5.27.3.tar.gz

#git pull git://github.com/pagespeed/ngx_pagespeed.git master #FOR UPDATE

cd /usr/local/src/nginx-1.4.1

./configure --user=www --group=www --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_sub_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_addition_module --with-google_perftools_module --add-module=/usr/local/src/substitutions4nginx-read-only --add-module=/usr/local/src/nginx-accesskey-2.0.3 --add-module=/usr/local/src/ngx_cache_purge-2.1 --add-module=/usr/local/src/ngx_pagespeed --with-pcre=/usr/local/src/pcre-8.32 --with-debug

make && make install

mkdir /usr/local/nginx/conf/vhosts

2、创建开机启动init脚本

cat >/etc/rc.d/init.d/nginx <<EOF

#! /bin/sh

ulimit -SHn 51200

if [ ! -d '/var/cache/nginx' ]; then

mkdir -p {/var/cache/nginx/cached,/var/cache/nginx/ngx_pagespeed_cache}

chown -R www.www /var/cache/nginx

chmod -R 700 /var/cache/nginx

fi

# Description: Startup script for nginx

# chkconfig: 2345 55 25

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DESC="nginx daemon"

NAME=nginx

DAEMON=/usr/sbin/$NAME

CONFIGFILE=/usr/local/nginx/conf/nginx.conf

PIDFILE=/var/log/nginx/$NAME.pid

SCRIPTNAME=/etc/init.d/$NAME

set -e

[ -x "$DAEMON" ] || exit 0

do_start() {

$DAEMON -c $CONFIGFILE || echo -n "nginx already running"

}

do_stop() {

kill -INT `cat $PIDFILE` || echo -n "nginx not running"

}

waitforexit() {

count=${2:-30}

while [ 0$count -gt 0 ]

do

PIDS=`ps -C$NAME --no-heading e | grep $DAEMON` || break

PIDS=`echo "$PIDS" | awk '{print $1}' | tr 'n' ' '`

echo Remaining processes: $PIDS

do_stop

sleep 2

count=`expr $count - 1`

done

if [ 0$count -eq 0 ];

then

echo Remaining processes: $PIDS

return 1

fi

return 0

}

do_reload() {

kill -HUP `cat $PIDFILE` || echo -n "nginx can't reload"

}

case "$1" in

start)

echo -n "Starting $DESC: $NAME"

do_start

echo "."

;;

stop)

echo -n "Stopping $DESC: $NAME"

do_stop

echo "."

;;

reload|graceful)

echo -n "Reloading $DESC configuration..."

do_reload

echo "."

;;

restart)

echo -n "Restarting $DESC: $NAME"

waitforexit "nginx" 20

do_start

echo "."

;;

*)

echo "Usage: $SCRIPTNAME {start|stop|reload|restart}" >&2

exit 3

;;

esac

exit 0

EOF

chmod +x /etc/rc.d/init.d/nginx

chkconfig --add nginx

chkconfig nginx on

service nginx start

3、设置nginx配置文件和几个在运行中可能引入的配置

cat >/usr/local/nginx/conf/fcgi.inc <<EOF

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;

fastcgi_param  SERVER_SOFTWARE    "nginx";

fastcgi_param  QUERY_STRING       $query_string;

fastcgi_param  REQUEST_METHOD     $request_method;

fastcgi_param  CONTENT_TYPE       $content_type;

fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;

fastcgi_param  REQUEST_URI        $request_uri;

fastcgi_param  DOCUMENT_URI       $document_uri;

fastcgi_param  DOCUMENT_ROOT      $document_root;

fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;

fastcgi_param  REMOTE_PORT        $remote_port;

fastcgi_param  SERVER_ADDR        $server_addr;

fastcgi_param  SERVER_PORT        $server_port;

fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect

fastcgi_param  REDIRECT_STATUS    200;

try_files $fastcgi_script_name =404;

EOF

cat >/usr/local/nginx/conf/cache.inc <<EOF

proxy_cache       global;

proxy_cache_key   $host$uri$is_args$args;

proxy_cache_min_uses 1;

proxy_cache_valid 200 302 5m;

proxy_cache_valid 301 1h;

proxy_cache_valid any 1m;

proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

proxy_temp_file_write_size 64k;

proxy_max_temp_file_size   100m;

proxy_cache_bypass $cookie_nocache  $arg_nocache$arg_comment;

proxy_cache_bypass $http_pragma     $http_authorization;

#proxy_cache_bypass $http_authorization;

proxy_cache_bypass $http_nocache;

EOF

cat >/usr/local/nginx/conf/proxy.inc <<EOF

proxy_connect_timeout 600s;

proxy_send_timeout   600s;

proxy_read_timeout   600s;

proxy_buffer_size    64k;

proxy_buffers     32 32k;

proxy_busy_buffers_size 128k;

#proxy_pass http://127.0.0.1:81;

proxy_redirect     off;

proxy_hide_header  Vary;

proxy_set_header   Accept-Encoding '';

proxy_ignore_headers Cache-Control Expires;

proxy_set_header   Host   $host;

proxy_set_header   Referer $http_referer;

proxy_set_header   Cookie $http_cookie;

proxy_set_header   X-Real-IP  $remote_addr;

proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_pass_header   Set-Cookie;

proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;

client_max_body_size 100m;

client_body_buffer_size 128k;

EOF

cat >/usr/local/nginx/conf/nginx.conf <<EOF

user www;

google_perftools_profiles /tmp/tcmalloc;

#worker_cpu_affinity 01 10;

# no need for more workers in the proxy mode

worker_processes 1;

#error_log /var/log/nginx/error.log info;

error_log /dev/null info;

worker_rlimit_nofile 5120;

events {

worker_connections 5120; # increase for busier servers

use epoll; # you should use epoll here for Linux kernels 2.6.x

}

http {

access_log off;

log_format bytes "$bytes_sent";

server_name_in_redirect off;

server_names_hash_max_size 2048;

server_names_hash_bucket_size 256;

server_tokens off;

include mime.types;

default_type application/octet-stream;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

client_header_timeout 60s;

client_body_timeout 60s;

send_timeout 600s;

reset_timedout_connection on;

keepalive_timeout 5 60;

# keepalive_requests 100;

# keepalive_timeout 0;

fastcgi_connect_timeout 300;

fastcgi_send_timeout 300;

fastcgi_read_timeout 300;

fastcgi_keep_conn on;

fastcgi_buffer_size 16k;

fastcgi_buffers 16 16k;

fastcgi_busy_buffers_size 32k;

fastcgi_temp_file_write_size 32k;

fastcgi_intercept_errors on;

open_file_cache max=51200 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 1;

ssi on;

ssi_silent_errors on;

ssi_types text/shtml;

gzip on;

gzip_disable "MSIE [1-6].(?!.*SV1)";

gzip_vary on;

gzip_http_version 1.0;

gzip_min_length 1100;

gzip_comp_level 6;

gzip_buffers 16 16k;

gzip_proxied any;

gzip_types application/ecmascript;

gzip_types application/javascript;

gzip_types application/pdf;

gzip_types application/postscript;

gzip_types image/svg+xml;

gzip_types text/plain;

gzip_types text/css;

gzip_types text/csv;

gzip_types application/json;

gzip_types application/x-javascript;

gzip_types text/xml;

gzip_types application/xml;

gzip_types application/xml+rss;

gzip_types text/javascript;

connection_pool_size 256;

client_max_body_size 100m;

client_body_buffer_size 128k;

client_header_buffer_size 4k;

large_client_header_buffers 4 4k;

request_pool_size 32k;

output_buffers 4 32k;

postpone_output 1460;

client_body_temp_path /tmp/nginx_client;

proxy_temp_path /tmp/nginx_proxy;

fastcgi_temp_path /tmp/nginx_fastcgi;

uwsgi_temp_path /tmp/nginx_uwsgi;

scgi_temp_path /tmp/nginx_scgi;

#proxy_cache_path /var/cache/nginx/cached levels=1:2 keys_zone=global:10m inactive=30m max_size=2m;

#client_max_body_size 100m;

#client_body_buffer_size 128k;

limit_conn_zone $binary_remote_addr zone=one:10m;

set_real_ip_from 127.0.0.1;

real_ip_header X-Forwarded-For;

real_ip_recursive on;

pagespeed on;

#pagespeed FetchWithGzip on;

#needs to exist and be writable by nginx

pagespeed FileCachePath /var/cache/nginx/ngx_pagespeed_cache;

pagespeed FileCacheSizeKb 102400;

pagespeed FileCacheCleanIntervalMs 3600000;

pagespeed FileCacheInodeLimit 500000;

pagespeed LRUCacheKbPerProcess 8192;

pagespeed LRUCacheByteLimit 16384;

pagespeed BlockingRewriteKey psatest;

#Rewriting Level

pagespeed RewriteLevel CoreFilters;

#pagespeed RewriteLevel PassThrough;

pagespeed EnableFilters sprite_images,convert_png_to_jpeg,convert_jpeg_to_webp,convert_to_webp_lossless,resize_mobile_images,inline_preview_images,lazyload_images,insert_image_dimensions,rewrite_images;

pagespeed EnableFilters local_storage_cache;

pagespeed EnableFilters add_instrumentation;

pagespeed EnableFilters insert_ga,trim_urls,collapse_whitespace,remove_comments,remove_quotes,convert_meta_tags,insert_dns_prefetch,make_google_analytics_async;

pagespeed EnableFilters elide_attributes,rewrite_domains;

pagespeed EnableFilters inline_import_to_link,decode_rewritten_urls;

pagespeed EnableFilters sprite_images,convert_png_to_jpeg,convert_jpeg_to_webp,convert_to_webp_lossless,resize_mobile_images,inline_preview_images,lazyload_images,insert_image_dimensions,rewrite_images;

pagespeed EnableFilters outline_css,move_css_above_scripts,move_css_to_head,rewrite_style_attributes;

pagespeed EnableFilters inline_css,combine_css,fallback_rewrite_css_urls,flatten_css_imports,prioritize_critical_css,rewrite_css;

pagespeed EnableFilters outline_javascript;

pagespeed EnableFilters inline_javascript,combine_javascript,rewrite_javascript;

#pagespeed EnableFilters defer_javascript;

#pagespeed LazyloadImagesAfterOnload on;

pagespeed CriticalImagesBeaconEnabled false;

pagespeed ImageMaxRewritesAtOnce 500;

pagespeed CssFlattenMaxBytes 5120;

pagespeed CssImageInlineMaxBytes 5120;

pagespeed CssInlineMaxBytes 10485760;

pagespeed JsInlineMaxBytes 10485760;

pagespeed ImageInlineMaxBytes 51200;

pagespeed CssOutlineMinBytes 3000;

pagespeed JsOutlineMinBytes 3000;

pagespeed ImageLimitOptimizedPercent 100;

pagespeed ImageLimitResizeAreaPercent 100;

pagespeed ImageRecompressionQuality 75;

pagespeed MaxInlinedPreviewImagesIndex 100;

pagespeed MinImageSizeLowResolutionBytes 1048576;

pagespeed AvoidRenamingIntrospectiveJavascript on;

pagespeed RetainComment " google_ad_section*";

#Respecting Vary Headers

pagespeed RespectVary on;

#Lower-casing HTML element and attribute names

pagespeed LowercaseHtmlNames on;

#Preserving HTML caching headers

pagespeed ModifyCachingHeaders off;

#Specifying the value for the PageSpeed header

pagespeed XHeaderValue "Powered By Pagespeed";

#Respecting X-Forwarded-Proto

pagespeed RespectXForwardedProto on;

#pagespeed RunExperiment on;

pagespeed AnalyticsID UA-37598233-1;

#pagespeed ExperimentVariable 2;

#pagespeed ExperimentSpec "id=1;percent=50;level=CoreFilters;enabled=collapse_whitespace,remove_comments;";

#pagespeed ExperimentSpec "id=2;percent=50;default;";

#pagespeed UseNativeFetcher on;

#let's speed up PageSpeed by storing it in the super duper fast memcached

pagespeed MemcachedThreads 1;

pagespeed MemcachedServers "localhost:11211";

pagespeed MemcachedTimeoutUs 100000;

include "/usr/local/nginx/conf/vhosts/*.conf";

}

}

EOF

4、创建默认虚拟主机

cat >/usr/local/nginx/conf/vhosts/default.conf <<EOF

server {

listen 80 default;

listen 8080 default;

server_name _;

access_log /var/log/nginx/default-access.log combined;

error_log /var/log/nginx/default-error.log;

root /home/www/public_html;

index index.html index.htm index.php;

charset utf-8;

pagespeed off;

include ngx_pagespeed.inc;

if (-d $request_filename){

rewrite ^/(.*)([^/])$ $scheme://$host/$1$2/ permanent;

}

location ~* .php {

fastcgi_pass  127.0.0.1:9001;

fastcgi_index index.php;

include fcgi.inc;

#fastcgi_param   HTTPS on;

}

location ~* .(ftpquota|htaccess|htpasswd|asp|aspx|jsp|asa|mdb)?$ {

deny all;

}

}

EOF

5、杂项,修改配置路径及日志路径的目录权限

find /usr/local/nginx/conf/ -type f -exec chmod 0640 {} ;

find /usr/local/nginx/conf/ -type d -exec chmod 0750 {} ;

chmod 750 /var/log/nginx

6、测试

启动php-fpm和nginx,然后建立第一个网站路径

service php-fpm start

service nginx start

mkdir -p /home/chroot/home/www/{public_html,logs,tmp}

chmod -R 751 /home/chroot/home/www

chown -R www.nobody /home/chroot/home/www

chmod 705 /home/chroot/home/www/public_html

cd /home

ln -sf /home/chroot/home/www ./

chown -R www.www www

写个输出phpinfo的php

cat > /home/chroot/home/www/public_html/phpinfo.php <<EOF

<?php

phpinfo();

?>

EOF

或者可以传个小马上来测试,比如下面这个一句话小马

cat > /home/chroot/home/www/public_html/t.php <<EOF

<?php

$run = $_GET['r'];

echo `$run`;

?>

EOF

打开浏览器,直接用小马探测下

比如执行pwd命令 http://ip/t.php?r=pwd

再比如执行ls命令 http://ip/t.php?r=ls

六、编译ftp软件Pure-FTPD,鉴权直接使用系统passwd,如果要配合其他程序,建议修改为mysql鉴权

1、开始编译

cd /usr/local/src/

wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.36.tar.gz

tar -zxvf pure-ftpd-1.0.36.tar.gz

cd pure-ftpd-1.0.36/

./configure --prefix=/usr/local/pureftpd --with-puredb --with-shadow --with-pam --with-paranoidmsg --with-welcomemsg --with-uploadscript --with-cookie --with-virtualchroot --with-virtualhosts --with-virtualchroot --with-diraliases --with-quotas --with-sysquotas --with-ratios --with-ftpwho --with-throttling --with-tls --with-rfc2640 --with-bonjour

make && make install

/usr/bin/install -m 755 configuration-file/pure-config.pl /usr/local/pureftpd/sbin/pure-config.pl

mkdir -p {/usr/local/pureftpd/etc/,/var/ftp}

/usr/bin/install -m 644 configuration-file/pure-ftpd.conf /usr/local/pureftpd/etc/pure-ftpd.conf

2、创建开机启动init脚本

/usr/bin/install -m 755 contrib/redhat.init /etc/rc.d/init.d/pureftpd

chkconfig --add pureftpd

chkconfig --level 2345 pureftpd on

3、修改Pure-FTPD配置

sed -i '143 s/# //' /usr/local/pureftpd/etc/pure-ftpd.conf

sed -i '180 s/# //' /usr/local/pureftpd/etc/pure-ftpd.conf

sed -i '246 s/no/yes/' /usr/local/pureftpd/etc/pure-ftpd.conf

sed -i '336 s/#//' /usr/local/pureftpd/etc/pure-ftpd.conf

sed -i '351 s/#//' /usr/local/pureftpd/etc/pure-ftpd.conf

为FTP用户设置umask值

sed -i '234 s#133:022#173:072#' /usr/local/pureftpd/etc/pure-ftpd.conf

4、创建软链接及密码文件

ln -s /usr/local/pureftpd/sbin/pure-config.pl /usr/local/sbin/pure-config.pl

ln -s /usr/local/pureftpd/bin/pure-pw /usr/local/bin/pure-pw

ln -s /usr/local/pureftpd/sbin/pure-ftpwho /usr/local/sbin/pure-ftpwho

ln -s /usr/local/pureftpd/etc/pure-ftpd.conf /etc/pure-ftpd.conf

5、杂项,将日志从系统syslog中剥离开来

sed -i '42 s/cron.none/cron.none;ftp.none/' /etc/rsyslog.conf

echo "ftp.* -/var/log/pureftpd.log" >> /etc/rsyslog.conf

service rsyslog restart

七、最后启用所有服务

service mysqld start

service php-fpm start

service nginx start

service pureftpd start

快速创建用户的脚本,请下载此文件,放在/usr/local/sbin路径下

# cd /tmp;wget -O /usr/local/sbin/Modify http://dl.icodex.org/Modify.sh;chmod a+rx /usr/local/sbin/Modify

并赋予执行权限,使用方法:# Modify {create|chpasswd|remove}

例如创建一个用户为demo,绑定域名server110.com 执行

# Modify create demo server110.com

执行后会随机生成16位密码,这个密码可以用于ftp登录、shell登录及数据库用户(创建的数据库名为demo_sql,数据库地址127.0.0.1)

修改密码 执行# Modify chpasswd demo

删除用户 执行# Modify remove demo

编译过程可能会遇到错误,根据出错提示到Google搜索解决方法(例如CentOS 不同版本间的问题),应该可以很容易找到问题点的。

Share the post "lnmp多用户安全运行环境(chroot)"