Nginx virtual host webshell protection, perfected edition

Source: Internet
Author: User

Let's take a look at nginx.conf.

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

After nginx receives a request on port 80, it forwards the PHP request to php-cgi listening on port 9000 for processing.

If you set PHP's open_basedir = ../../../../../, then both of the two different websites, www.a.com and www.b.com, send their requests to port 9000. If www.a.com is accessed first, ../../../../../ resolves to the root directory of site A. If www.b.com is accessed next, open_basedir is still the root directory of site A, which B is not allowed to access, so the "No input file specified" error appears when the second site is opened. What is the solution?

We can send each virtual host to a different php-cgi port for processing. The corresponding php-fpm configuration file, and therefore its open_basedir, is then also different for each host. Let's see how to configure it.

First, configure nginx.conf as follows:

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

Note: requests for www.a.com are sent to port 9000, requests for www.b.com are sent to port 9001, and so on.

Since the nginx configuration has changed, php-fpm.conf must be changed accordingly.

Create a conf file for each site.

Site A

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.a.com.conf

# vi /usr/local/webserver/php/etc/www.a.com.conf

Find php_defines and add:

<value name="open_basedir">/data/htdocs/www.a.com:/tmp:/var/tmp</value>

Site B

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.b.com.conf

# vi /usr/local/webserver/php/etc/www.b.com.conf

Find php_defines and add:

<value name="open_basedir">/data/htdocs/www.b.com:/tmp:/var/tmp</value>

Locate listen_address and change it to:

<value name="listen_address">127.0.0.1:9001</value>

Note the port number here.

Finally, modify the php-fpm startup script.

# vi /usr/local/webserver/php/sbin/php-fpm

Comment out the original line $php_fpm_BIN --fpm $php_opts and add:

$php_fpm_BIN --fpm-config /usr/local/webserver/php/etc/www.a.com.conf

$php_fpm_BIN --fpm-config /usr/local/webserver/php/etc/www.b.com.conf

Start the service:

# /usr/local/webserver/php/sbin/php-fpm restart

View the listening ports:

# netstat -tln

Ports 9000 and 9001 are now open, each handling one site's requests.

The two php-cgi master processes load different conf files, which solves the problem of a webshell on one virtual host reading across into another host's directory.

Before starting, check max_children in each conf file, which sets the number of php-cgi child processes, and reduce it to avoid running out of memory.
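As an added check that is not part of the original article, the following Python script audits the layout described above: it parses the nginx server blocks and the per-site php-fpm conf files, then reports any virtual host that shares a php-cgi pool with another host or whose pool's open_basedir does not cover its document root. The nginx and php-fpm fragments are constructed samples in the same format as the article's, and the function names are my own.

```python
import re

# Constructed sample nginx.conf mirroring the article's two-server layout (not the article's file).
NGINX_CONF = """
server { listen 80; server_name www.a.com; root /data/htdocs/www.a.com/;
         location ~ .*\\.(php|php5)?$ { fastcgi_pass 127.0.0.1:9000; } }
server { listen 80; server_name www.b.com; root /data/htdocs/www.b.com/;
         location ~ .*\\.(php|php5)?$ { fastcgi_pass 127.0.0.1:9001; } }
"""

# Constructed per-site php-fpm confs, in the old XML <value name="..."> format the article uses.
FPM_CONFS = {
    "www.a.com.conf": '<value name="listen_address">127.0.0.1:9000</value>\n'
                      '<value name="open_basedir">/data/htdocs/www.a.com:/tmp:/var/tmp</value>',
    "www.b.com.conf": '<value name="listen_address">127.0.0.1:9001</value>\n'
                      '<value name="open_basedir">/data/htdocs/www.b.com:/tmp:/var/tmp</value>',
}

def parse_nginx(conf):
    """Return {server_name: (root, fastcgi_pass)} for each server block."""
    sites = {}
    for block in re.findall(r"server\s*\{(.*?)\}\s*\}", conf, re.S):
        name = re.search(r"server_name\s+(\S+);", block).group(1)
        root = re.search(r"root\s+(\S+?)/?;", block).group(1)
        upstream = re.search(r"fastcgi_pass\s+(\S+);", block).group(1)
        sites[name] = (root, upstream)
    return sites

def parse_fpm(confs):
    """Return {listen_address: [open_basedir entries]} for each php-fpm conf."""
    pools = {}
    for text in confs.values():
        vals = dict(re.findall(r'<value name="(\w+)">\s*([^<]*?)\s*</value>', text))
        pools[vals["listen_address"]] = vals.get("open_basedir", "").split(":")
    return pools

def audit(nginx_conf, fpm_confs):
    """List virtual hosts whose php-cgi pool could read another host's files."""
    sites, pools = parse_nginx(nginx_conf), parse_fpm(fpm_confs)
    findings, seen = [], {}
    for name, (root, upstream) in sites.items():
        if upstream in seen:  # two hosts on one pool: open_basedir cannot separate them
            findings.append(f"{name} shares pool {upstream} with {seen[upstream]}")
        seen.setdefault(upstream, name)
        allowed = [p.rstrip("/") for p in pools.get(upstream, [""]) if p]
        if not allowed:
            findings.append(f"{name}: pool {upstream} has no open_basedir")
        elif not any(root == p or root.startswith(p + "/") for p in allowed):
            findings.append(f"{name}: open_basedir {allowed} does not cover {root}")
    return findings
```

Running audit() against the article's first nginx.conf, where both hosts use port 9000, reports the shared pool and the uncovered root for www.b.com; against the corrected layout it returns an empty list.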

Article source: Dodo's blog
Address: http://www.sectop.com/post/35.html
