Nginx Virtual Host Anti-Webshell, Perfected Version

Source: Internet
Author: User

Let's look at the nginx.conf first.

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    # Hand every .php / .php5 request to the FastCGI backend
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    # Same backend as www.a.com: both sites share one php-cgi master
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

}

After Nginx receives a request on port 80, it forwards the request to php-cgi on port 9000 for processing.

Suppose you set open_basedir=./../../../../ in php.ini. Both sites, www.a.com and www.b.com, send their requests to port 9000. If www.a.com is visited first, ./../../../../ resolves to the root directory of site A. If www.b.com is visited next, open_basedir is still the root of site A, which site B is not allowed to access, so the second site to be opened fails with "no input files". So what is the solution?

We can send each virtual host to a different php-cgi port for processing; the corresponding PHP-FPM configuration files then each carry a different open_basedir. Let's take a look at how to configure this.

First, the nginx.conf configuration is as follows:

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    # Site A is served by the php-cgi master on port 9000
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    # Site B is served by its own php-cgi master on port 9001
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        include fcgi.conf;
    }

}

Note: www.a.com requests are sent to port 9000, www.b.com requests are sent to port 9001, and so on.

With the Nginx configuration modified, php-fpm.conf has to be modified to match.

Create one conf file per site.

Site A

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.a.com.conf

# vi /usr/local/webserver/php/etc/www.a.com.conf

Find php_defines and add:

<value name="open_basedir">/data/htdocs/www.a.com:/tmp:/var/tmp</value>

Site B

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.b.com.conf

# vi /usr/local/webserver/php/etc/www.b.com.conf

Find php_defines and add:

<value name="open_basedir">/data/htdocs/www.b.com:/tmp:/var/tmp</value>

Find listen_address and change it (note the port number here):

<value name="listen_address">127.0.0.1:9001</value>

Finally, modify the PHP-FPM startup script.

# vi /usr/local/webserver/php/sbin/php-fpm

Comment out the original line so that it reads # $php_fpm_BIN --fpm $php_opts, then add:

$php_fpm_BIN --fpm --fpm-config /usr/local/webserver/php/etc/www.a.com.conf

$php_fpm_BIN --fpm --fpm-config /usr/local/webserver/php/etc/www.b.com.conf

Start the service

# /usr/local/webserver/php/sbin/php-fpm restart

Check the ports

# netstat -tln

Ports 9000 and 9001 are now open, each handling the requests of one site.

The two php-cgi master processes load different conf files, which solves the problem of a webshell in one virtual host crossing into other directories.

Of course, before starting, remember that max_children in each conf (the number of php-cgi processes to start) needs to be reduced accordingly, so as not to run out of memory.
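
One way to check the finished setup, as an added example rather than code from the original article: this Python sketch reads an nginx.conf and the per-site XML-style php-fpm conf files, then reports virtual hosts that share a FastCGI backend or whose open_basedir does not confine them to their own root. The function names and sample strings are constructed for illustration, and open_basedir entries are compared as whole directories.

```python
import re

def parse_vhosts(nginx_conf):
    """Return (server_name, root, fastcgi_pass) for every server block."""
    vhosts = []
    for block in re.split(r"\bserver\s*\{", nginx_conf)[1:]:
        def get(key):
            m = re.search(r"^\s*%s\s+([^;]+);" % key, block, re.M)
            return m.group(1).strip() if m else ""
        vhosts.append((get("server_name"), get("root").rstrip("/"), get("fastcgi_pass")))
    return vhosts

def parse_fpm(fpm_conf):  # -> (listen_address, [open_basedir entries])
    def val(key):
        m = re.search(r'<value name="%s">\s*([^<]*?)\s*</value>' % key, fpm_conf)
        return m.group(1) if m else ""
    return val("listen_address"), [p.rstrip("/") for p in val("open_basedir").split(":") if p]

def audit(nginx_conf, fpm_confs):
    """Return (server_name, problem) pairs; an empty list means the vhosts are isolated."""
    vhosts, findings = parse_vhosts(nginx_conf), []
    pools = dict(parse_fpm(c) for c in fpm_confs)
    for name, root, backend in vhosts:
        allowed = pools.get(backend, [])  # no matching conf: nothing is allowed
        covers = lambda path: any(path == a or path.startswith(a + "/") for a in allowed)
        if sum(1 for v in vhosts if v[2] == backend) > 1:
            findings.append((name, "shares backend " + backend))
        if not covers(root):
            findings.append((name, "root not covered by open_basedir"))
        for other, other_root, _ in vhosts:
            if other != name and covers(other_root):
                findings.append((name, "open_basedir also exposes " + other))
    return findings

# Constructed sample input modelled on the listings above (not real server files).
VHOST = """server {
    server_name %s;
    root /data/htdocs/%s/;
    location ~ .*\\.(php|php5)?$ {
        fastcgi_pass 127.0.0.1:%d;
    }
}
"""
FPM = ('<value name="listen_address">127.0.0.1:%d</value>\n'
       '<value name="open_basedir">/data/htdocs/%s:/tmp:/var/tmp</value>\n')
A, B = "www.a.com", "www.b.com"
SHARED = VHOST % (A, A, 9000) + VHOST % (B, B, 9000)  # first layout: one backend
SPLIT = VHOST % (A, A, 9000) + VHOST % (B, B, 9001)   # second layout: one per site
FPM_A, FPM_B = FPM % (9000, A), FPM % (9001, B)
if __name__ == "__main__": print(audit(SHARED, [FPM_A]), audit(SPLIT, [FPM_A, FPM_B]), sep="\n")
```

Against real files, pass the text of nginx.conf and of each per-site conf to audit(); any finding means a webshell in that site can still reach outside its own root or runs in a php-cgi master shared with another site.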

Article source: DoDo's Blog
Original address: http://www.sectop.com/post/35.html
