Let's take a look at nginx.conf.
```nginx
server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;
    #limit_conn crawler 20;
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}
server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;
    #limit_conn crawler 20;
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}
```
After nginx receives a request on port 80, it forwards it to php-cgi on port 9000 for processing.
Suppose open_basedir = ../../../../../ is set in php.ini. The two sites, www.a.com and www.b.com, both send their requests to port 9000. If www.a.com is accessed first, ../../../../../ resolves to site A's root directory. If www.b.com is accessed next, open_basedir still points at site A's root, which site B is not allowed to use, so the second site opened only shows the "No input file specified" error. What is the solution?
We can send different virtual hosts to different php-cgi ports, and give each port its own php-fpm configuration file with its own open_basedir. Let's see how to configure it.
First, configure nginx.conf as follows:
```nginx
server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;
    #limit_conn crawler 20;
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}
server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;
    #limit_conn crawler 20;
    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}
```
Note: requests for www.a.com go to port 9000, requests for www.b.com go to port 9001, and so on.
With nginx modified, php-fpm.conf has to be modified to match.
Create a conf file for each site.
Site A
```sh
# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.a.com.conf
# vi /usr/local/webserver/php/etc/www.a.com.conf
```
Find php_defines and add:
```xml
<value name="open_basedir">/data/htdocs/www.a.com:/tmp:/var/tmp</value>
```
Site B
```sh
# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.b.com.conf
# vi /usr/local/webserver/php/etc/www.b.com.conf
```
Find php_defines and add:
```xml
<value name="open_basedir">/data/htdocs/www.b.com:/tmp:/var/tmp</value>
```
Find listen_address and change it to:
```xml
<value name="listen_address">127.0.0.1:9001</value>
```
Note the port number here.
Finally, modify the php-fpm startup script.
```sh
# vi /usr/local/webserver/php/sbin/php-fpm
```
Comment out the original $php_fpm_BIN --fpm $php_opts line and add:
```sh
$php_fpm_BIN --fpm-config /usr/local/webserver/php/etc/www.a.com.conf
$php_fpm_BIN --fpm-config /usr/local/webserver/php/etc/www.b.com.conf
```
Start the service:
```sh
# /usr/local/webserver/php/sbin/php-fpm restart
```
Check the listening ports:
```sh
# netstat -tln
```
Ports 9000 and 9001 are now open, handling the requests of the two sites respectively.
The two php-cgi master processes load different conf files, which cleanly solves the problem of a webshell on one virtual host reaching into another site's directory.
Before starting, remember that max_children in each conf sets the number of php-cgi child processes; reduce it so that the two pools together do not run out of memory.
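As an added check (not part of the original post), the following Python script parses the nginx server blocks and the per-site XML-style php-fpm conf files and verifies that each vhost is routed to its own pool whose open_basedir covers that site's root and no other site's root. The embedded nginx.conf and php-fpm confs are constructed, trimmed versions of the ones above, and the function names are my own; it also flags an over-broad open_basedir (such as /data/htdocs) that the post does not discuss.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's two vhosts, each routed to its own php-fpm port.
NGINX_CONF = r"""
server { server_name www.a.com; root /data/htdocs/www.a.com/;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
server { server_name www.b.com; root /data/htdocs/www.b.com/;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9001; }
}"""
def fpm_conf(port, basedir):  # constructed, trimmed old XML-style php-fpm.conf for one site
    return (f'<configuration><workers><section name="pool"><value name="listen_address">'
            f'127.0.0.1:{port}</value><value name="php_defines"><value name="open_basedir">'
            f'{basedir}:/tmp:/var/tmp</value></value></section></workers></configuration>')
FPM_CONFS = {"www.a.com.conf": fpm_conf(9000, "/data/htdocs/www.a.com"),
             "www.b.com.conf": fpm_conf(9001, "/data/htdocs/www.b.com")}

def parse_nginx(text):
    """Map server_name -> (document root, fastcgi_pass upstream) for each server block."""
    vhosts = {}
    for block in re.findall(r"server\s*\{(.*?)^\}", text, re.S | re.M):
        name = re.search(r"server_name\s+(\S+);", block).group(1)
        root = re.search(r"\broot\s+(\S+);", block).group(1).rstrip("/")
        vhosts[name] = (root, re.search(r"fastcgi_pass\s+(\S+);", block).group(1))
    return vhosts

def parse_fpm(xml_text):
    """Return (listen_address, [open_basedir dirs]) from an old-style php-fpm.conf."""
    doc = ET.fromstring(xml_text)
    listen = doc.findtext(".//value[@name='listen_address']").strip()
    basedir = doc.findtext(".//value[@name='open_basedir']", "")  # "" when not set at all
    return listen, [d.rstrip("/") for d in basedir.split(":") if d]

def inside(path, dirs):
    return any(path == d or path.startswith(d + "/") for d in dirs)

def check_isolation(nginx_text, fpm_confs):
    """Findings (empty list = OK): each vhost's pool must cover its own root and no other site's."""
    pools = dict(parse_fpm(t) for t in fpm_confs.values())  # listen address -> open_basedir dirs
    vhosts, findings = parse_nginx(nginx_text), []
    for name, (root, upstream) in vhosts.items():
        dirs = pools.get(upstream, [])  # [] also when no pool listens on that upstream
        if not inside(root, dirs):  # the post's symptom: "No input file specified"
            findings.append(f"{name}: open_basedir {dirs} does not cover root {root}")
        for other, (oroot, _) in vhosts.items():  # the post's risk: cross-directory webshell
            if other != name and inside(oroot, dirs):
                findings.append(f"{name}: pool {upstream} may read {other}'s root {oroot}")
    return findings
```

Running check_isolation on the corrected configuration returns no findings; pointing both vhosts at port 9000 reproduces the original problem as two findings for www.b.com.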
Article source: Dodo's blog
Address: http://www.sectop.com/post/35.html