Chroot execution environment for PHP-FPM

Source: Internet
Author: User
Setting up a chroot for PHP-FPM provides good isolation and improves system security, but building a reasonable PHP-FPM chroot environment is somewhat harder than building one with tools such as debootstrap. Drawing on the relevant references, this article shares how to build a PHP-FPM chroot execution environment.

This article uses Ubuntu 14.04.2 as an example; php-fpm is the php5 5.6 version provided by the ppa:ondrej PPA, whose php-fpm and directory layout should match those of the distribution's built-in package and of Debian systems. For CentOS, adjust the paths yourself.

The chroot configuration of php-fpm is independent of the front-end web server used and does not require Apache/Nginx to be chrooted themselves. Doing that as well would of course be more secure, and more complex.

1. Create a directory structure

/var/www/chroot is chosen as the chroot directory, with the page files placed in /var/www/chroot/public.

Run the following command to create a basic directory structure:

mkdir -p /var/www/chroot/
cd /var/www/chroot
mkdir -p public bin dev tmp usr/sbin usr/share/zoneinfo var/run/nscd var/lib/php5/sessions var/www
cp -a /dev/zero /dev/urandom /dev/null dev/                        # Note 3
chmod --reference=/tmp/ tmp
chmod --reference=/var/lib/php5/sessions var/lib/php5/sessions     # Note 4
chown -R root:root .                                               # Note 2
chown -R www-data:www-data public/                                 # Note 2
cd var/www
ln -s ../.. chroot                                                 # Note 1

The following is the directory structure, and some new things will be added later:

/var/www/chroot/
├── bin
├── dev
│   ├── null
│   ├── urandom
│   └── zero
├── public
├── tmp
├── usr
│   ├── sbin
│   └── share
│       └── zoneinfo
└── var
    ├── lib
    │   └── php5
    │       └── sessions
    ├── run
    │   └── nscd
    └── www
        └── chroot -> ../..    # Note 1

Note 1: This symbolic link solves the problem that the SCRIPT_FILENAME sent from Apache/nginx to php-fpm cannot be found once php-fpm has entered the chroot ("File not found" is returned when a PHP page is accessed).

For nginx, SCRIPT_FILENAME is usually set to $document_root$fastcgi_script_name, so the script path passed to php-fpm is /var/www/chroot/public/index.php. Because php-fpm is inside the chroot, the path it actually tries to open becomes /var/www/chroot + /var/www/chroot/public/index.php, which of course does not exist.

Therefore, by linking /var/www/chroot inside the chroot environment back to the chroot root directory, the script can be accessed normally.

You could also set SCRIPT_FILENAME to /public$fastcgi_script_name, but such hard-coding is bad for configuration portability: it only works in the chroot environment, and the configuration has to be changed again when switching back to a non-chroot setup, so it is not recommended. (Incidentally, many old tutorials do not use $document_root at all and hard-code the root directory directly, which is not desirable either.)

Note 2: A chroot environment is not 100% secure. Since php-fpm runs as www-data inside the chroot, it is recommended to set the owner of directories that do not need to be written to root, to reduce unnecessary access. Chroot does not equal security; refer to the principles listed in the chroot best practices. For a more secure setup it would be better to also remove read and write permissions from bin, lib, sbin and similar directories, leaving only execute permission, but it makes no big difference ......

Note 3: Besides copying the file content, cp -a also copies the file's permissions and mode, so it conveniently copies the key device files zero, urandom and null. mknod seems to be the more secure method, but cp -a works fine for me.

Note 4: chmod --reference=XXX copies the permission settings of XXX. tmp needs no explanation. The key point is that var/lib/php5/sessions is the directory where PHP stores session files, and www-data must have read and write permission on it. It is recommended to check these settings; of course there will be tests later.
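As an added check that is not part of the original article, the following POSIX shell function audits a chroot built as in section 1 and flags the mistakes behind Notes 1 to 4: the missing ../.. link, device files that are not real device nodes, a missing session directory, and anything the pool user can write outside the directories that need it. It assumes the directory names used above and the www-data pool user (pass another user as the second argument).

```shell
#!/bin/sh
# audit_chroot ROOT [POOL_USER]: sanity-check a php-fpm chroot built as in section 1.
# Prints one line per finding and returns the number of hard failures (0 = clean).
# Assumes the layout used above: ROOT/public, ROOT/var/www/chroot -> ../.., device
# nodes in ROOT/dev and sessions in ROOT/var/lib/php5/sessions (assumed layout).
audit_chroot() {
    root=$1
    user=${2:-www-data}
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # Note 1: ROOT/var/www/chroot must resolve back to ROOT itself, so that
    # SCRIPT_FILENAME=/var/www/chroot/public/x.php is found inside the chroot.
    if [ "$(readlink -f "$root/var/www/chroot")" != "$(readlink -f "$root")" ]; then
        fail "var/www/chroot does not resolve to the chroot root (missing 'ln -s ../.. chroot')"
    fi

    # Note 3: the device files must be real character devices, not regular-file copies.
    for dev in null zero urandom; do
        [ -c "$root/dev/$dev" ] || fail "dev/$dev is not a character device"
    done

    # Note 4: the session directory must exist, otherwise session_start() fails.
    [ -d "$root/var/lib/php5/sessions" ] || fail "var/lib/php5/sessions is missing"

    # Note 2: anything the pool user can write outside public/, tmp/ and the session
    # directory widens what a compromised PHP process could modify; report it.
    if id "$user" >/dev/null 2>&1; then
        find "$root" -xdev \( -path "$root/public" -o -path "$root/tmp" -o -path "$root/dev" \
            -o -path "$root/var/lib/php5/sessions" \) -prune -o \
            ! -type l \( -user "$user" -o -perm -o+w \) -print 2>/dev/null |
        while read -r p; do echo "WARN: writable by $user outside allowed dirs: $p"; done
    fi

    return "$problems"
}
```

Run it as root against /var/www/chroot after step 1; FAIL lines must be fixed before moving on, WARN lines are worth reviewing.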

2. Configuration of PHP-FPM

Create a new php-fpm pool for the chroot environment. Directly modifying php-fpm.conf is not recommended, because it takes effect globally, and multiple PHP sites would then share one chroot environment.

In fact, many php-fpm tutorials ignore php-fpm's pool configuration, so many people end up with all sites on one server sharing a single set of configuration, in particular a single php.ini, which is actually unreasonable. Pools should be created separately according to each site's requirements, with the parameters adjusted accordingly.

Create chroot.conf under /etc/php5/fpm/pool.d/ (note that the file name must end in .conf to be included by php-fpm.conf):

[chroot]
user = www-data
group = www-data
listen = /var/run/php-chroot.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = /var/www/chroot
chdir = /public
;security.limit_extensions = .php
php_flag[display_errors] = on
php_value[date.timezone] = Asia/Hong_Kong
;php_admin_value[session.gc_probability] = 1
;php_admin_value[open_basedir] = "/tmp/:/public/:/var/www/chroot/public/"

Most of these parameters are familiar; simply setting chroot to the root directory of the environment configured above enables the chroot. After a php5-fpm -t test, use service php5-fpm reload to enable the new pool. Of course, the backend must also be set in the corresponding Apache/nginx configuration.

A few words about the last lines. display_errors is enabled so that PHP functions can be tested under chroot; remember to comment it out after testing is complete.

session.gc_probability is set so that the PHP process itself deletes and recycles sessions. Normally sessions are cleaned up by the cron job added by the php package, but it seems PHP does not automatically clean up sessions in the chroot environment. Of course you could also add a cleanup script under cron.d, in which case this option need not be enabled.

3. Fixing various PHP functions in the chroot environment

Create test.php under /var/www/chroot/public with the following content:

The code is as follows:

<?php
session_start();
header("Content-Type: text/plain");
echo(gethostbyname("localhost") . "\n");
print_r(getdate());
mail("your@address", "subject", "message");

This mainly tests sessions, DNS resolution, time and date, and the mail() function.

When accessing the test page above, a "No such file or directory" or "Permission denied" error indicates that the session configuration is wrong. If gethostbyname does not return 127.0.0.1 or ::1, DNS resolution is not working. A "Timezone database is corrupt" message means time and date are broken. mail() also produces a variety of error messages.

Sessions need no further discussion; just make sure the directory permissions are set correctly. The main work is the following three problems, which are also the main content of the PHP chroot setup.

3.1 Domain name resolution / time zone

The solution for mail() is similar and is covered later. Here are two solutions to the domain name resolution and related problems: method 1 is the simple method from Kienzl, and method 2 is the one used in most tutorials.

Method 1: Use nscd
