NGINX with PHP-FPM is one of the most common ways to run PHP today. NGINX is lightweight, fast and handles many concurrent connections well, which is why so many people favor it; PHP-FPM executes PHP quickly and brings a useful security feature of its own, so the two make a natural pair. That feature is chroot: it confines a site's PHP worker processes to a single directory, isolating the site from the rest of the system and from the other virtual hosts on the same machine. This improves security considerably. The following describes how to configure it.
Throughout, we assume the domain is www.jb51.net, the site root is /home/chroot/www.jb51.net/web, and we want to confine the site to /home/chroot/www.jb51.net.
First, php-fpm.conf configuration
Open php-fpm.conf (or the pool section or pool file that belongs to this site, since chroot is a per-pool directive) and set the chroot directive to chroot = /home/chroot/www.jb51.net. The value must be an absolute path, and because it is set per pool, each virtual host can have its own chroot or none at all.
Second, nginx configuration
We have confined www.jb51.net to /home/chroot/www.jb51.net, so from PHP-FPM's point of view the site root is now /web. The path nginx passes to PHP-FPM therefore has to be the chroot-relative one, not the real one.
Find fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; and change it to fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;. If $document_root is left in place, the worker looks for /home/chroot/www.jb51.net/web/... inside the chroot, where no such path exists, and every PHP request fails with "Primary script unknown" in the nginx error log.
Third, create the directories and device nodes
Run the following as root:
cd /home/chroot/www.jb51.net/
mkdir -p tmp etc bin usr/sbin lib dev
mknod -m 0666 dev/null c 1 3
mknod -m 0666 dev/random c 1 8
mknod -m 0666 dev/urandom c 1 9
mknod -m 0666 dev/zero c 1 5
chmod 1777 tmp
The major and minor numbers are the standard Linux ones for these character devices; PHP needs /dev/urandom and /dev/random for session identifiers and random_bytes(), and a sticky, world-writable tmp (like the host's /tmp) for sessions and uploads.
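As an added example (editor's code, not from the article), the following script ties steps one to three together: it derives the chroot-relative site root from the real paths and refuses a site root that is not inside the chroot, prints a PHP-FPM pool section with chroot set and the matching nginx location block with the corrected SCRIPT_FILENAME, and lays out the skeleton with the device nodes. The chroot and site paths are the article's; the pool name www.jb51.net, the socket under /run/php-fpm, the pool user www-data and the nginx user are assumptions.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): derive the chroot-relative
# site root, print the pool and nginx fragments, and lay out the chroot skeleton.
set -eu

CHROOT=${CHROOT:-/home/chroot/www.jb51.net}   # from the article
DOCROOT=${DOCROOT:-$CHROOT/web}               # from the article
POOL=${POOL:-www.jb51.net}                    # assumed pool name
POOL_USER=${POOL_USER:-www-data}              # assumed pool user
NGINX_USER=${NGINX_USER:-nginx}               # assumed nginx worker user

# chroot_relative_docroot CHROOT DOCROOT
# Print DOCROOT as the worker sees it after chroot(2), i.e. with the chroot
# prefix removed. Fails if DOCROOT is not inside CHROOT: passing such a path
# (or the unstripped $document_root) makes PHP-FPM log "Primary script unknown".
chroot_relative_docroot() {
    cr_root=${1%/}
    cr_doc=${2%/}
    case "$cr_doc" in
        "$cr_root")   printf '/\n' ;;
        "$cr_root"/*) printf '%s\n' "${cr_doc#"$cr_root"}" ;;
        *) printf 'error: %s is not inside %s\n' "$cr_doc" "$cr_root" >&2; return 1 ;;
    esac
}

# render_pool_conf POOL CHROOT USER
# chroot is a per-pool directive and must be an absolute path.
render_pool_conf() {
    cat <<EOF
[$1]
user = $3
group = $3
listen = /run/php-fpm/$1.sock
listen.owner = $NGINX_USER
listen.group = $NGINX_USER
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chroot = $2
EOF
}

# render_nginx_location POOL CHROOT DOCROOT
# SCRIPT_FILENAME must be the chroot-relative path; the commented line is the
# usual setting that breaks under chroot. nginx's fastcgi_params (unlike
# fastcgi.conf) does not set SCRIPT_FILENAME itself.
render_nginx_location() {
    rel=$(chroot_relative_docroot "$2" "$3")
    cat <<EOF
location ~ \\.php\$ {
    root $3;
    include fastcgi_params;
    fastcgi_pass unix:/run/php-fpm/$1.sock;
    fastcgi_index index.php;
    # wrong inside a chroot: fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME $rel\$fastcgi_script_name;
}
EOF
}

# build_skeleton CHROOT
# Directories and device nodes from the article. mknod needs root (and
# CAP_MKNOD); when that is missing the node is skipped with a warning.
build_skeleton() {
    root=$1
    mkdir -p "$root/tmp" "$root/etc" "$root/bin" "$root/usr/sbin" "$root/lib" "$root/dev"
    chmod 1777 "$root/tmp"     # sticky, world-writable, like the host /tmp
    for spec in 'null 1 3' 'zero 1 5' 'random 1 8' 'urandom 1 9'; do
        set -- $spec           # name major minor
        [ -e "$root/dev/$1" ] \
            || mknod -m 0666 "$root/dev/$1" c "$2" "$3" \
            || echo "warning: could not create dev/$1 (not root?)" >&2
    done
}

case "${1:-}" in
    print) render_pool_conf "$POOL" "$CHROOT" "$POOL_USER"
           echo
           render_nginx_location "$POOL" "$CHROOT" "$DOCROOT" ;;
    build) build_skeleton "$CHROOT" ;;
esac
```

Run it with the argument print to see the two fragments, and with build (as root) to create the directories and device nodes. The check in chroot_relative_docroot also catches the prefix mistake where a sibling directory such as /home/chroot/www.jb51.net-old would otherwise pass a naive string comparison.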
Fourth, fix domain-name resolution
Because the www.jb51.net PHP processes are now confined to the chroot, they can no longer see /etc/resolv.conf or the resolver libraries, so PHP cannot resolve host names. The fix is to copy the resolver configuration and the glibc libraries it needs into the chroot. The steps below are for a 32-bit system; on 64-bit systems the libraries live in lib64 (or lib/x86_64-linux-gnu on Debian-style multiarch systems) and the loader is ld-linux-x86-64.so.2.
cd /home/chroot/www.jb51.net/
cp /etc/hosts /etc/resolv.conf /etc/nsswitch.conf etc/
cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libnss_dns.so.2,libnss_files.so.2,libresolv.so.2,libtermcap.so.2} lib/
After this PHP can resolve domain names again. The copies must come from the same glibc build as the running host, and they have to be refreshed whenever glibc is updated, otherwise the chroot keeps running unpatched library code.
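The library list above is tied to one 32-bit glibc. As an added example (editor's code, not from the article) the script below generalizes the step: it copies the three resolver files, asks ldd which libraries the php-fpm binary needs and copies each to the same path inside the chroot, does the same for the NSS modules (libnss_dns, libnss_files) that ldd cannot see because the resolver loads them with dlopen, and finally checks that everything is present. The chroot path and the NSS module names are the article's; /usr/sbin/php-fpm as the binary location is an assumption.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): copy the resolver files
# and every shared object the php-fpm binary and the NSS modules need into the
# chroot, each at its original path, so lib, lib64 and multiarch layouts all work.
set -eu

CHROOT=${CHROOT:-/home/chroot/www.jb51.net}    # from the article
PHP_FPM_BIN=${PHP_FPM_BIN:-/usr/sbin/php-fpm}  # assumed binary location

# ldd_paths: read ldd output on stdin and print the absolute paths of the
# shared objects and the dynamic loader; vdso and "not found" entries are dropped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# copy_with_path CHROOT FILE: copy FILE to the same path below CHROOT.
# cp follows symlinks, so the chroot gets the real object under the name the
# loader looks for.
copy_with_path() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# find_nss_modules: the resolver loads these with dlopen at run time, so ldd
# never lists them; this is why the article names them explicitly.
find_nss_modules() {
    find /lib /lib64 /usr/lib \( -name 'libnss_dns.so.2' -o -name 'libnss_files.so.2' \) \
        2>/dev/null || true
}

# install_resolver CHROOT BINARY
# Re-run after every glibc update so the copies inside the chroot stay patched
# and match the loader on the host.
install_resolver() {
    for f in /etc/hosts /etc/resolv.conf /etc/nsswitch.conf; do
        copy_with_path "$1" "$f"
    done
    for lib in $(ldd "$2" | ldd_paths); do
        copy_with_path "$1" "$lib"
    done
    for mod in $(find_nss_modules); do
        copy_with_path "$1" "$mod"
        for lib in $(ldd "$mod" | ldd_paths); do   # the modules' own dependencies
            copy_with_path "$1" "$lib"
        done
    done
}

# check_resolver CHROOT: report what is still missing; return 1 if anything is.
check_resolver() {
    missing=0
    for f in etc/hosts etc/resolv.conf etc/nsswitch.conf; do
        if [ ! -f "$1/$f" ]; then
            echo "missing: $1/$f"
            missing=1
        fi
    done
    if [ -z "$(find "$1" -name 'libnss_dns.so.2' 2>/dev/null)" ]; then
        echo "missing: libnss_dns.so.2 below $1"
        missing=1
    fi
    return $missing
}

if [ "${1:-}" = "install" ]; then
    install_resolver "$CHROOT" "$PHP_FPM_BIN"
    check_resolver "$CHROOT"
fi
```

Run it with the argument install as root. Keeping each library at its original path is what makes the script independent of the 32-bit versus 64-bit layout: the loader inside the chroot searches the same directories it would on the host.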
Fifth, fix the mail() function
Inside the chroot PHP's mail() cannot send either, because /usr/sbin/sendmail is not visible to the confined processes. We use mini_sendmail instead, a small sendmail replacement that hands the message to an SMTP server (localhost port 25 unless told otherwise), so an MTA must be listening there on the host. Again a 32-bit system is used as the example.
cd /home/chroot/www.jb51.net/
cp -p /bin/bash /bin/sh bin
cp /etc/passwd /etc/group etc
cd /tmp
wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
cp mini_sendmail /home/chroot/www.jb51.net/usr/sbin/sendmail
The shell is needed because mail() starts sendmail through /bin/sh, and bash is dynamically linked, which is why libtermcap.so.2 appeared in the library list of the previous step; check any binary you add with ldd and copy what it reports. Two cautions: copying the complete /etc/passwd and /etc/group exposes every account name on the host to the confined PHP processes, so a trimmed copy with only the entries the pool user and mini_sendmail need is preferable; and do not place setuid binaries in the chroot, since a root process inside a chroot can break out of it.
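As an added example (editor's code, not from the article), the script below installs what mail() needs inside the chroot while copying only the passwd and group entries the pool uses, rather than the host's full account list, and then checks that the pieces are in place. The chroot path and the mini_sendmail download URL are the article's; the pool user www-data, the user list (root plus the pool user) and copying /bin/sh alone rather than bash are assumptions, and the SMTP server mini_sendmail talks to must be listening on the host.

```shell
#!/bin/sh
# Added example (editor's code, not from the article): give mail() inside the
# chroot a shell and a sendmail binary, but copy only the passwd/group entries
# the pool needs instead of the host's full account list.
set -eu

CHROOT=${CHROOT:-/home/chroot/www.jb51.net}   # from the article
POOL_USER=${POOL_USER:-www-data}              # assumed pool user
MINI_SENDMAIL_URL=http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz  # from the article

# trim_nss_file SRC DEST NAME...
# Write to DEST only the lines of the colon-separated SRC (passwd or group)
# whose first field is one of NAME..., in the original order.
trim_nss_file() {
    src=$1; dest=$2; shift 2
    names=$(printf ' %s ' "$@")    # " root  www-data ": exact-name matching
    awk -F: -v names="$names" '$1 != "" && index(names, " " $1 " ") > 0' "$src" > "$dest"
}

# install_mail CHROOT
# mail() runs sendmail through /bin/sh (popen), so the chroot needs a shell;
# mini_sendmail hands the message to an SMTP server, localhost:25 unless told
# otherwise, so an MTA must listen there on the host. If the shell or
# mini_sendmail is dynamically linked (check with ldd), copy their libraries
# as in the previous section.
install_mail() {
    croot=$1
    mkdir -p "$croot/bin" "$croot/etc" "$croot/usr/sbin"
    cp -p /bin/sh "$croot/bin/sh"
    trim_nss_file /etc/passwd "$croot/etc/passwd" root "$POOL_USER"
    trim_nss_file /etc/group  "$croot/etc/group"  root "$POOL_USER"
    chmod 644 "$croot/etc/passwd" "$croot/etc/group"
    workdir=$(mktemp -d)
    (
        cd "$workdir"
        wget -q "$MINI_SENDMAIL_URL"
        tar xzf mini_sendmail-1.3.6.tar.gz
        cd mini_sendmail-1.3.6
        make
        cp mini_sendmail "$croot/usr/sbin/sendmail"
    )
    rm -rf "$workdir"
}

# check_mail_chroot CHROOT: verify the pieces mail() needs; return 1 otherwise.
check_mail_chroot() {
    ok=0
    [ -x "$1/bin/sh" ]            || { echo "missing: bin/sh"; ok=1; }
    [ -x "$1/usr/sbin/sendmail" ] || { echo "missing: usr/sbin/sendmail"; ok=1; }
    [ -s "$1/etc/passwd" ]        || { echo "missing: etc/passwd"; ok=1; }
    [ -s "$1/etc/group" ]         || { echo "missing: etc/group"; ok=1; }
    return $ok
}

if [ "${1:-}" = "install" ]; then
    install_mail "$CHROOT"
    check_mail_chroot "$CHROOT"
fi
```

Run it with the argument install as root. mini_sendmail looks up the calling user in passwd to build the envelope sender, which is why the pool user must be in the trimmed file; every other host account stays invisible to the chrooted workers.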
What are the advantages of chroot over disable_functions?
disable_functions in php.ini applies to the whole PHP installation: every script that PHP parses is subject to the same list. Different site applications need different functions, so one global list cannot fit every virtual host. (PHP-FPM can narrow the list per pool with php_admin_value[disable_functions], but it still only removes individual functions.) chroot, by contrast, is a per-pool directive, so it can be set per virtual host and confines the whole file system view at once. For an application that needs special programs, turn chroot off for that pool so the site keeps working; for one that does not call external programs, turn chroot on; and if only one or two specific programs are needed inside the chroot, add them with the procedure below. For example, with chroot enabled PHP's mail() cannot find sendmail, so we replace sendmail with mini_sendmail to restore outgoing mail.
cd /home/wwwroot/www.ixiqin.com/
cp -p /bin/bash /bin/sh bin
cp /etc/passwd /etc/group etc
cd /tmp
wget http://centos.googlecode.com/files/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
cp mini_sendmail /home/wwwroot/www.ixiqin.com/usr/sbin/sendmail
The commands above build mini_sendmail in /tmp and copy the resulting binary to usr/sbin/sendmail inside the chroot, so that outgoing mail works again. This is the same procedure as in step five, here for a site confined to /home/wwwroot/www.ixiqin.com.
What should we pay attention to?
Tip one: in chroot mode, server probe scripts (the "black probe" and similar) stop working and report errors, because the system files they read are outside the chroot.
Tip two: chroot mode can be used to run an online shell simulator, which is safer than an unconfined one and still behaves like a real shell.
Taking all of the above together, rather than relying only on the rigid disable_functions, consider the more flexible chroot. Keep in mind what it does not do: chroot restricts only the file system view, it does not limit network access or the system calls a worker may make, and the PHP-FPM master process still runs as root. So copy nothing into the chroot that the site does not need, avoid setuid binaries inside it, and update the copied libraries whenever the host's glibc is patched.