PHP engine php.ini and FastCGI optimization
1.1 PHP engine cache optimization and acceleration
1) eaccelerator
2) Zend
3) xcache
1.2 Use tmpfs as the cache accelerator's file directory
[root@LNMP ~]# mount -t tmpfs /dev/shm -o size=256m
[root@LNMP ~]# mount -t tmpfs /dev/shm/ /tmp/eaccelerator/
Tip: directories that suit tmpfs:
1. The directory where uploaded images are processed into thumbnails
2. Other temporary accelerator directories, such as /tmp/eaccelerator
1.3 php.ini parameter optimization
php.ini applies to both Apache and nginx, while php-fpm.conf applies to the nginx + fcgi configuration. First, select the php.ini for the production environment (php.ini-production):
/home/oldboy/tools/php-5.3.27/php.ini-development
/home/oldboy/tools/php-5.3.27/php.ini-production
1.3.1 Enable PHP safe mode
PHP's safe mode is a very important security mechanism built into PHP. It can control the execution of some PHP functions, such as system(), and it controls the permissions of many file-operation functions.
This parameter is configured as follows:
safe_mode = Off
Whether to enable safe mode.
When safe mode is enabled, PHP checks whether the owner of the current script is the same as the owner of the file being operated on.
1.3.3 Disable dangerous functions
If safe mode is enabled, disabling functions is not required, but it is still worth considering for security. For example, if we do not want PHP functions that can execute commands, such as system(), or the phpinfo() function, which exposes PHP information, to be usable, we can disable them as follows:
disable_functions = system, passthru, exec, shell_exec, popen, phpinfo
If you want to prohibit operations on files and directories, you can disable many file-operation functions:
disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown
The above lists some file-handling functions that are not commonly used. You can combine the command-execution functions listed earlier with these to resist most phpshells. The default value of this parameter is empty: disable_functions =
1.3.4 Disable PHP version information leakage in the HTTP header
To prevent hackers from obtaining the server's PHP version information, we can remove it from the HTTP header. The default configuration of this parameter is as follows:
expose_php = On
; Whether to expose the fact that PHP is installed on the server (by adding its signature to the HTTP header)
; It does not directly threaten security, but it lets the client know that PHP is installed on the server.
Recommended setting:
expose_php = Off
In this way, when hackers telnet to ucode.blog.51cto.com 80, they will not be able to see the PHP information.
1.3.6 Enable magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. If the website back end is compromised, the entire server is compromised.
So be careful. php.ini has a setting:
magic_quotes_gpc = Off
This is disabled by default. If it is enabled, it automatically escapes the SQL queries submitted by users, for example converting ' to \', which plays a major role in preventing SQL injection. Therefore, we recommend the following setting:
magic_quotes_gpc = Off
1.3.7 Error message control
PHP displays an error when it cannot connect to the database and in other failure cases. The error message may contain the current path of the PHP script or the SQL statement being executed, and this kind of information is unsafe to hand to hackers. Therefore, we recommend that you disable error display on the server:
display_errors = Off
1.3.8 Error log
After disabling display_errors, we recommend that you log the error information so that you can find the cause of problems on the server:
log_errors = On
You also need to set the location of the error log. We recommend storing it together with the Apache logs:
error_log = /app/logs/php_error.log
Note: the file must be writable by the Apache user and group.
1.3.9 Optimization of some resource limit parameters
1.3.9.1 Set the maximum running time of each script
When large files cannot be uploaded or back-end data backups often time out, you need to adjust the following setting:
max_execution_time = 30
; The maximum execution time (in seconds) for each script. 0 means no limit.
; This parameter helps prevent bad scripts from occupying server resources endlessly.
; This directive only affects the running time of the script itself.
; Time spent outside the script, such as in system()/sleep() calls, database queries, and file uploads, is not included.
; In safe mode, you cannot use ini_set() to change this setting at runtime.
1.3.9.2 Maximum memory used by each script
memory_limit = 128M
; The maximum number of bytes of memory that a script can request (K and M can be used as units)
; This helps prevent bad scripts from consuming all the memory on the server.
; To use this directive, you must pass the "--enable-memory-limit" configure option at compile time.
; To remove the memory limit, set it to -1.
; Once this directive is set, the memory_get_usage() function becomes available.
1.3.9.3 Maximum time for each script to wait for input data
max_input_time = -1
; The maximum time (in seconds) allowed for each script to parse input data (POST, GET, upload)
; -1 means no limit
Set it to:
max_input_time = 60
1.3.9.4 Maximum allowed size of an uploaded file
When the files to be uploaded are large, you need to adjust the following parameter:
upload_max_filesize = 2M
; Maximum allowed size of an uploaded file; set it as needed. This value generally needs to be changed for image forums. The default value is 2 MB.
How many files can be uploaded in one request?
max_file_uploads = 20
1.3.10 Security parameter optimization
1. Disable remote access. Remember the recent PHP include vulnerability: when a PHP program includes a file through a variable, an attacker can use this to make the server execute a remote PHP program locally, for example a phpshell. So we need to turn this off:
allow_url_fopen = Off
2. Set: cgi.fix_pathinfo = 0
; Prevents the Nginx file type mis-parsing vulnerability
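The settings recommended in 1.3.3 through 1.3.10 can be checked mechanically. The Python script below is an added example, not part of the original article: it audits a php.ini passed as text (SAMPLE is constructed) against those values. The function names are this example's own, and DEFAULTS assumes PHP's built-in defaults for directives that are absent or commented out.

```python
# Recommended values from sections 1.3.3-1.3.10 of this page.
RECOMMENDED = {"expose_php": "Off", "display_errors": "Off", "log_errors": "On",
               "allow_url_fopen": "Off", "cgi.fix_pathinfo": "0"}
# Assumed PHP built-in defaults, used when a directive is absent or commented out.
DEFAULTS = {"expose_php": "1", "display_errors": "1", "log_errors": "1",
            "allow_url_fopen": "1", "cgi.fix_pathinfo": "1",
            "disable_functions": "", "error_log": ""}
MUST_DISABLE = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}

# Constructed sample, not taken from a real server.
SAMPLE = """\
[PHP]
expose_php = On          ; still at the default
display_errors = Off
;log_errors = Off        ; commented out, so it is ignored
error_log = /app/logs/php_error.log
allow_url_fopen = Off
disable_functions = system, passthru, exec
"""


def parse_ini(text):
    """Return the effective directives; a later assignment overrides an earlier one."""
    values = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments (audited values never contain ';')
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip('"')  # directive names are case-sensitive
    return values


def is_on(value):
    """php.ini booleans: 1/On/True/Yes are true, everything else is false."""
    return value.lower() in {"1", "on", "true", "yes"}


def audit(text):
    """Return findings for a php.ini passed as a string, in a fixed order."""
    ini = parse_ini(text)
    findings = [f"{key} should be {want} (effective: {ini[key]!r})"
                for key, want in RECOMMENDED.items() if is_on(ini[key]) != is_on(want)]
    disabled = {name.strip() for name in ini["disable_functions"].split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if is_on(ini["log_errors"]) and not ini["error_log"]:
        findings.append("log_errors is On but error_log is not set")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because directive names are case-sensitive, a line such as `Expose_php = Off` leaves the real `expose_php` at its default, and the audit reports it.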
1.3.11 Adjust the PHP session storage type and location
session.save_handler = files
; The name of the handler that stores and retrieves the data associated with the session. The default value is files ("files").
; If you want to use a custom handler (such as a database-based handler), you can use "user".
; If it is set to "memcache", memcache is used as the session handler (this requires the "--enable-memcache-session" compile option).
;session.save_path = "/tmp"
; The argument passed to the storage handler. For the files handler, this value is the path where session data files are created.
Web cluster shared session storage settings:
Default session type and path configuration in php.ini:
# session.save_handler = files
# session.save_path = "/tmp"
Modify the configuration as follows:
session.save_handler = memcache
session.save_path = "tcp://10.0.0.18:11211"
Tip:
1) 10.0.0.18:11211 is the IP address and port of the memcache cache database.
2) The above is suitable for both LAMP and LNMP environments.
3) With multiple memcache servers, hash scheduling can also be used.