Let's take a look at nginx.conf.

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}
 
 
After nginx receives a request on port 80, it forwards PHP requests to php-cgi listening on port 9000 for processing.

Now suppose php.ini sets open_basedir = ../../../../../ and there are two different websites, www.a.com and www.b.com, whose requests are both sent to port 9000. If www.a.com is accessed first, ../../../../../ resolves to the root directory of site A. If www.b.com is accessed after that, open_basedir is still the root directory of site A, which site B is not allowed to access, so "No input file specified" errors appear as soon as the second site is opened. What is the solution?

We can send different virtual hosts to different php-cgi ports for processing, with the open_basedir in each corresponding php-fpm configuration file set differently. Let's see how to configure it.
 
 
 
First, configure nginx.conf as follows:

server
{
    listen 80;
    server_name www.a.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.a.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

server
{
    listen 80;
    server_name www.b.com;
    index index.html index.htm index.php;
    root /data/htdocs/www.b.com/;

    #limit_conn crawler 20;

    location ~ .*\.(php|php5)?$
    {
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index index.php;
        include fcgi.conf;
    }
}

Note: requests for www.a.com are sent to port 9000, requests for www.b.com are sent to port 9001, and so on.
 
 
 
Since the nginx configuration has changed, php-fpm.conf must be changed to match.

Create a conf file for each site.

Site A

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.a.com.conf

# vi /usr/local/webserver/php/etc/www.a.com.conf

Find the php_defines section and add

<value name="open_basedir">/data/htdocs/www.a.com:/tmp:/var/tmp</value>
 
 
 
 
 
 
 
 
 
 
Site B

# cp /usr/local/webserver/php/etc/php-fpm.conf /usr/local/webserver/php/etc/www.b.com.conf

# vi /usr/local/webserver/php/etc/www.b.com.conf

Find the php_defines section and add

<value name="open_basedir">/data/htdocs/www.b.com:/tmp:/var/tmp</value>

Locate listen_address and change it to

<value name="listen_address">127.0.0.1:9001</value>

Note the port number here.
 
 
 
 
 
 
 
 
 
Finally, modify the php-fpm startup script.

# vi /usr/local/webserver/php/sbin/php-fpm

Comment out the original line

$php_fpm_BIN --fpm $php_opts

and add one line per site, each pointing --fpm-config at that site's conf file:

$php_fpm_BIN --fpm --fpm-config /usr/local/webserver/php/etc/www.a.com.conf

$php_fpm_BIN --fpm --fpm-config /usr/local/webserver/php/etc/www.b.com.conf
 
 
 
Start the service

# /usr/local/webserver/php/sbin/php-fpm restart

View the listening ports

# netstat -tln

Ports 9000 and 9001 are now open, each handling the requests of one of the two sites.

The two php-cgi master processes load different conf files, which completely solves the problem of a webshell on one virtual host reading across directories into another.
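To make the isolation concrete, here is an added example (my own, not code from the article or from PHP) that models the final layout: one pool per server_name with its own open_basedir, plus a simplified version of PHP's open_basedir prefix check as the PHP manual describes it. The POOLS mapping, the function names and the sample paths are assumptions.

```python
import posixpath

# Constructed model of the article's final layout: each nginx server_name is
# routed to its own php-fpm pool (port), and each pool carries the open_basedir
# from that site's conf file. The mapping itself is an assumption.
POOLS = {
    "www.a.com": {"port": 9000, "open_basedir": "/data/htdocs/www.a.com:/tmp:/var/tmp"},
    "www.b.com": {"port": 9001, "open_basedir": "/data/htdocs/www.b.com:/tmp:/var/tmp"},
}

def allowed_by_open_basedir(path, open_basedir):
    """Simplified model of PHP's open_basedir test as the manual describes it:
    the path is normalised first (so '..' cannot escape), then it must start
    with one of the ':'-separated entries. An entry is a plain prefix unless it
    ends in '/', in which case only that directory and its contents match."""
    target = posixpath.normpath(path)
    for entry in open_basedir.split(":"):
        if not entry:
            continue
        if entry.endswith("/"):
            base = entry.rstrip("/")
            # entry '/' allows everything; otherwise require a directory boundary
            if not base or target == base or target.startswith(base + "/"):
                return True
        elif target.startswith(entry):
            return True
    return False

def script_may_open(host, path):
    """Route a request for `host` to its pool, as fastcgi_pass does, and apply
    that pool's open_basedir to the file a script there tries to open."""
    return allowed_by_open_basedir(path, POOLS[host]["open_basedir"])

def with_trailing_slash(open_basedir):
    """Harden a value: end every entry with '/' so that /data/htdocs/www.a.com
    no longer also matches /data/htdocs/www.a.com-old."""
    return ":".join(e.rstrip("/") + "/" for e in open_basedir.split(":") if e)

if __name__ == "__main__":
    cases = [
        ("www.a.com", "/data/htdocs/www.a.com/index.php"),                # own root
        ("www.a.com", "/data/htdocs/www.a.com/../www.b.com/config.php"),  # traversal to B
        ("www.b.com", "/data/htdocs/www.a.com/shell.php"),                # B reading A
        ("www.b.com", "/tmp/sess_abc"),                                   # shared tmp
        ("www.a.com", "/data/htdocs/www.a.com-old/backup.sql"),           # prefix pitfall
    ]
    for host, path in cases:
        verdict = "allowed" if script_may_open(host, path) else "DENIED"
        print(host, path, "->", verdict)
```

The last case shows the prefix pitfall the PHP manual warns about: an entry without a trailing slash also matches sibling directories that share the prefix, so the values written into the conf files are safer ending in '/'.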
 
 
Before starting, remember that max_children in each conf file sets the number of php-cgi child processes; reduce it so that running two pools does not run out of memory.
 
 
 
Article source: Dodo's blog
Address: http://www.sectop.com/post/35.html