php.ini optimization and PHP-FPM

Source: Internet
Author: User

php.ini applies to both Apache and Nginx; php-fpm.conf applies to the nginx + FastCGI configuration.

1) Turn on PHP safe mode

PHP safe mode is an important security mechanism built into PHP. It restricts certain PHP functions, such as system(), and applies permission checks to many file-operation functions.
safe_mode = Off
Once it is turned on, PHP checks whether the owner of the current script is the same as the owner of the file being operated on.
safe_mode = On

2) User group security

When safe_mode is turned on and safe_mode_gid is turned off, the PHP script can access the file, and users in the same group can access it as well. Recommended setting:
safe_mode_gid = Off
If it is not set, we may be unable to operate on the files under our server's web directory when we need to. In PHP 5.3.27 the default is Off.

3) Disable dangerous functions

If safe mode is turned on, disabling functions is not strictly necessary, but for security we may still want to. For example, if we do not want PHP functions that execute commands, such as system(), to be usable, or functions that reveal PHP information, such as phpinfo(), we can disable them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

4) Stop leaking the PHP version in the HTTP headers
expose_php = On
Recommended setting:
expose_php = Off

5) Turn off register_globals
When this is on, variables submitted to PHP, including those sent with POST or GET, are automatically registered as global variables and can be accessed directly, which is very insecure for the server.
register_globals = Off

6) Prevent SQL injection
magic_quotes_gpc = Off
This is off by default. If it is turned on, it automatically escapes user-submitted input that goes into SQL queries, for example turning ' into \', which has a significant effect on preventing SQL injection.
Set to:
magic_quotes_gpc = On

7) Error message control
display_errors = Off
If you do need to display error messages, be sure to set the level of errors that are displayed, for example showing only messages at warning level and above:
error_reporting

8) Error log
After turning off display_errors, it is recommended to log error messages so that the cause of server problems can be found.
log_errors = On
Also set the error log location; it is recommended to store it together with the Apache logs.
error_log = /app/logs/php_error.log
The file must be writable by the Apache user and group.

9) Tuning selected resource limit parameters
9.1) Maximum run time of each script
Adjust this when large files cannot be uploaded or background data backups often time out:
max_execution_time = 30
The maximum execution time allowed for each script, in seconds; 0 means no limit.
This parameter helps prevent poorly written scripts from consuming server resources endlessly.
The directive only counts the run time of the script itself. Time spent outside script execution,
such as in system()/sleep() calls, database queries, and file uploads, is not included.
In safe mode, this setting cannot be changed at run time with ini_set().

9.2) Maximum memory used by each script
memory_limit = 128M
The maximum number of bytes of memory that a script can request (K and M can be used as units).
This helps prevent poorly written scripts from consuming all the memory on the server.
To be able to use the directive, you must use the "--enable-memory-limit" configuration option at compile time.
To remove the memory limit, set it to -1.
When the directive is set, the memory_get_usage() function becomes available.

9.3) Maximum time each script may spend waiting for input data
max_input_time = -1
The maximum time (in seconds) each script may spend parsing input data (POST, GET, upload).
-1 means no limit.
Set to:
max_input_time = 60


9.4) Maximum permitted size of uploaded files
When uploading large files, adjust the following parameter:
upload_max_filesize = 2M
The maximum permitted size of an uploaded file. Change it to suit your needs; some image forums need a larger value.

10) Tuning selected security parameters
10.1) Disallow opening remote addresses. The PHP include vulnerability arises when a PHP program includes a variable in an include; an intruder can use this to make the server execute a remote PHP program, such as a phpshell, locally.
So turn it off:
allow_url_fopen = Off

10.2) Prevent the Nginx file type misparsing vulnerability
cgi.fix_pathinfo=0
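
An added example (not part of the original article): a small Python auditor that checks php.ini text against the settings recommended in sections 3 to 10. The function names, the table of PHP built-in defaults and the sample file are this example's own, and entries in disable_functions are compared exactly as written.

```python
OFF = {"off", "0", "false", "no", "none", ""}
BANNED = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}
# PHP's built-in values, used when a directive is absent from the file.
DEFAULTS = {"expose_php": "1", "display_errors": "1", "log_errors": "1",
            "allow_url_fopen": "1", "cgi.fix_pathinfo": "1",
            "register_globals": "0", "disable_functions": "", "error_log": ""}
# (directive, should it be on?) following sections 4 to 10 of the article.
BOOLEANS = [("expose_php", False), ("register_globals", False),
            ("display_errors", False), ("allow_url_fopen", False),
            ("cgi.fix_pathinfo", False), ("log_errors", True)]

def parse_ini(text):
    """Return {directive: value}; names stay as written (they are case sensitive)."""
    settings = {}
    for line in text.splitlines():
        # ';' starts a comment; section headers such as [PHP] have no '='.
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and not key.lstrip().startswith("["):
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = {**DEFAULTS, **parse_ini(text)}
    findings = []
    for name, want_on in BOOLEANS:
        is_on = cfg[name].lower() not in OFF
        if is_on != want_on:
            findings.append(f"{name} = {cfg[name]} (want {'On' if want_on else 'Off'})")
    disabled = {f.strip() for f in cfg["disable_functions"].split(",")}
    missing = sorted(BANNED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if cfg["log_errors"].lower() not in OFF and not cfg["error_log"]:
        findings.append("log_errors is on but error_log is not set")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
[PHP]
Expose_php = Off   ; wrong case: expose_php keeps its default
display_errors = Off
log_errors = On
error_log = /app/logs/php_error.log
allow_url_fopen = Off
cgi.fix_pathinfo=0
disable_functions = system,passthru,exec,shell_exec
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
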

11) Adjust the PHP session storage type and location
session.save_handler = files
The name of the handler that stores and retrieves the data associated with the session. The default is "files".
To use a custom handler (such as a database-based handler), use "user".
Set it to "memcache" to use memcache as the session handler (requires "--enable-memcache-session").
session.save_path = "/tmp"
The argument passed to the storage handler. For the files handler, this value is the path where session data files are created.

Shared session storage settings for a web cluster:
The session type and path configured in the default php.ini:
;session.save_handler = files
;session.save_path = "/tmp"
Modify the configuration as follows:
session.save_handler = memcache
session.save_path = "tcp://192.168.1.1:1234"
Tips:
1) 192.168.1.1:1234 is the IP and port of the memcached cache server.
2) The above is suitable for LNMP and LAMP environments.
3) Multiple memcached servers can also be used, with hash-based distribution.

For PHP-FPM parameter tuning, you can refer to the configuration file on the machine.

pid = /app/logs/php-fpm.pid
error_log = /app/logs/php-fpm.log
log_level = error
rlimit_files = 32768
events.mechanism = epoll
listen.owner = nginx
listen.group = nginx
pm.max_children = 1024
pm.start_servers = 16
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.process_idle_timeout = 15s;
pm.max_requests = 2048
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /app/logs/$pool.log.slow
request_slowlog_timeout = 10
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]
