Research on nginx+php of virtual host Directory access control

Nginx's users have recently become more and more, and many large Web sites have migrated from Apache or other platforms to Nginx. But there is one problem that I have not solved in the process of using nginx is how to restrict the directory permissions of nginx+php.
We know that in Apache you can easily control the permissions of the virtual directory, such as:
Program Code Program code

ServerAdmin xiaopb@live.com
documentroot/usr/www/xpb/
ServerName www.xpb.cn:80
Serveralias www.xpb.cn
ErrorLog Logs/default-error_log
Php_admin_value Open_basedir "/tmp/:/usr/www/xpb/"

The key is the Php_admin_value, which limits the PHP operations directory to the/tmp/and/usr/www/xpb/directories. For the Apache virtual host, this setting is very useful, combined in the php.ini to disable some PHP functions, can almost eliminate the PHP Trojan to other sites and the system harm. Although I did not specialize in Linux under the virtual host, but I believe that the major virtual host business is doing so.
It seems that the best way for Apache is to use the "Disable some dangerous PHP functions in php.ini and configure Php_admin_value in the Apache virtual host" to do the security of the virtual host.
About Nginx configuration file, reference a lot of information, as if it is not support Php_admin_value Open_basedir, that is, Nginx temporarily do not have Apache php_myadmin_value such settings. If you use Nginx to do the virtual host, the Directory security control between the users how to do it. A lot of people on the internet say, limit upload file type, do good program security not just. Yes, this is perfectly OK for your site. But if the virtual host is for others to use, and given the FTP permissions, the total must not let people upload php file it. Refer to above, if use Nginx to do the virtual host, now appears the Safe configuration method is:
1. Run Nginx with low privilege account.
2, disable the dangerous function in the php.ini. such as: System,passthru,shell_exec,exec,popen,proc_open,chroot,scandir,chgrp,chown, but the ban on too many functions may affect the normal operation of some PHP programs.
3, in the php.ini set Open_basedir, such as: Open_basedir = "/usr/local/webserver/nginx/html/www.xpb.cn_7da347bc1a9fd621/:/usr/ local/webserver/nginx/html/www2.xpb.cn_7da347bc1a9fd621/"
4, each virtual host user placed in the directory not easy to guess, such as: www.xpb.cn_7da347bc1a9fd621, www2.xpb.cn_7da347bc1a9fd621
5, oneself find a PHP trojan, self test server security.
6, "July 17, 2009 update" according to some of the information on the Internet, in the run spawn-fcgi with the parameter-D open_basedir can be, for example:/usr/sbin/spawn-fcgi-a 127.0.0.1-p 10080-c 20-u Www-f "/usr/sbin/php-cgi-d open_basedir=/var/www/wwwroot/:/tmp/"
7, see below Rainy Fox gives the solution.
This method has not done test verification for a time reason, we can try, if possible, relative to the above several, should be a better solution.
In addition, the temporary has not been found specifically for the nginx of the virtual host management software, if any know can be trouble to say.
It seems that on the virtual host or Apache is kingly, almost all the virtual host provider of professional PHP virtual host still use Apache. Look forward to Nginx can quickly improve this aspect of the functional settings. If you have a better solution, please let us know.
By the way, it's not safe with Apache, it's not Linux. Use Apache under Windows, be sure to configure the Open_basedir, even Apache run permissions, because the default Apache is running with system privileges, if the site once uploaded Trojan, it will be very dangerous, of course, under the Linux also to set up, Trust familiar with Linux should be familiar with, no longer repeat.
Referencing content reference content
The following references are from author: Rainy Fox Source: http://www.key0.cn/:
First look at the two parts of the configuration file, only to talk about the principle, omitted and the topic is not related to the part, do not copy to use, understand the principle, you know how to do.
Ini
; Open_basedir, if set, limits all file operations to the defined directory
; and below. This is directive makes most sense if used in a per-directory
; or per-virtualhost Web server configuration file. This directive is
; *not* affected by whether Safe Mode was turned on or off.
Open_basedir = "/myserver/:/tmp/:/var/tmp/"
Nginx.conf
http
{
Server
{
Listen 80;
server_name host1.com;
Root/myserver/host1;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
Server
{
Listen 80;
server_name host2.com;
Root/myserver/host2;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
Server
{
Listen 80;
server_name host3.com;
Root/myserver/host3;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
}
The basics of configuration are running 3 Web sites host1.com host2.com host3.com, php.ini configuration, limiting PHP scripts can only be performed under the parent directory/myserver/of these three site directories.
At this time we know that if you upload a PHP trojan on a site, then this Trojan will be able to access the other two sites of files. NIGNX does not have Apache as the ability to individually set up PHP for each Web site only to access it in this directory. We're going to use a little trickery at this time.
Look at this php.ini configuration.
Open_basedir = "/myserver/:/tmp/:/var/tmp/"
In fact, this path also supports (.) [One point] and (..) [Two points], which is the current directory, the parent directory. So there are the following configuration methods
Open_basedir = ".:/ tmp/:/var/tmp/"Limit the PHP file to the current directory, indeed, it is not access to the other two Web site directory, but access to some pages will appear no input file specified." 。
Why, because of this limitation, when you run or refer to the PHP file in the subdirectory (or subdirectory of the subdirectory ...) in the Site directory (assuming/myserver/host1/dir1/myphp.php), and the subdirectory file accesses the files in the parent directory ( /myserver/host1/config.php), this time the problem comes, php.ini set up myphp.php can only access the files below this level of the directory (/MYSERVER/HOST1/DIR1/), and cannot access/myserver/ Host1 directly under the file, then prompted: No input file specified.
Now the solution is here.
Look at two more profiles:
The following/subx1/subx2/subx3/... (n layer), N for your site on the bottom of the php file nesting level, if your site has a maximum of 5 subdirectories under the PHP file, then nested 5 layers above.
Ini
; Open_basedir, if set, limits all file operations to the defined directory
; and below. This is directive makes most sense if used in a per-directory
; or per-virtualhost Web server configuration file. This directive is
; *not* affected by whether Safe Mode was turned on or off.
Open_basedir = ".. /.. /... (n layer):/tmp/:/var/tmp/"
Nginx.conf
http
{
Server
{
Listen 80;
server_name host1.com;
Root/myserver/suba1/suba2/suba3/... (n-layer)/host1;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
Server
{
Listen 80;
server_name host2.com;
Root/myserver/subb1/subb2/subb3/... (n-layer)/host2;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
Server
{
Listen 80;
server_name host3.com;
Root/myserver/subc1/subc2/subc3/... (n-layer)/host3;
Location ~. * * *. (PHP|PHP5)? $
{
#fastcgi_pass Unix:/tmp/php-cgi.sock;
Fastcgi_pass 127.0.0.1:9000;
Fastcgi_index index.php;
Include fcgi.conf;
}
}
}
Example n equals 5 .... Run, when accessing the bottommost PHP file/myserver/suba1/suba2/suba3/suba4/suba5/host1/dir1/dir2/dir3/dir4/ myphp.php, this PHP file can access the superior layer to/myserver/suba1/suba2/suba3/suba4/suba5/host1, when accessing/myserver/suba1/suba2/suba3/suba4/ suba5/host1/myphp2.php file, it can access up to the parent layer/myserver/suba1, can not jump out of access to other stations directory files
This limits the station directory in the PHP program can not access other sites, and access to their own site is fully unrestricted. It's easy, it's over.
About Nginx:
1. Introduction
Nginx ("Engine X") is a high-performance HTTP and reverse proxy server and a IMAP/POP3/SMTP proxy server. Nginx was developed by Igor Sysoev, the second rambler.ru site for Russian traffic, which has run over 4.5 at the site. Igor releases the source code in the form of a BSD-like license. Although still beta, Nginx has been known for its stability, rich feature sets, sample configuration files, and low system resource consumption. For more, see official wiki:http://wiki.codemongers.com/.
2, the advantages of Nginx
Nginx as an HTTP server, with the following basic features:
1 process static file, index file and auto index; Open file descriptor buffering.
2 non-cached reverse proxy acceleration, simple load balancing and fault tolerance.
3 FastCGI, simple load balancing and fault tolerance.
4 Modular structure. Includes gzipping, byte ranges, chunked responses, and Ssi-filter et. Such as
If multiple SSI exists on a single page by a fastcgi or other proxy server, the processing can run in parallel without waiting for each other.
5 supports SSL and TLS SNI.
Nginx is designed for performance optimization, performance is its most important consideration, the implementation of very focused on efficiency. It supports the kernel poll model, which can withstand high load, and reports indicate that it can support up to 50,000 concurrent connections.
The Nginx has a high stability. Other HTTP servers, when they encounter spikes in access, or when someone maliciously initiates a slow connection, are likely to cause the server to run out of physical memory for frequent swapping, losing response, and restarting the server. For example, when Apache is up to more than 200 processes at the moment, the Web response is significantly slower. Nginx has adopted a phased resource allocation technique, which makes its CPU and memory occupancy rate very low. Nginx officially maintains 10,000 inactive connections, which only account for 2.5M of memory, so attacks like DOS are essentially useless for nginx. As far as stability is concerned, nginx is better than lighthttpd.
Nginx supports hot deployment. It's very easy to start, and it's almost 7*24 uninterrupted, even if it's running for a few months and doesn't need to be restarted. You will also be able to upgrade the software version with uninterrupted service.
Using the Master-slave model, Nginx can take advantage of SMP and reduce the latency of worker processes blocking disk I/O. When a Select ()/poll () invocation is used, you can also limit the number of connections per process.
Nginx code quality is very high, code is very standard, the technique is mature, the module expands also very easy. Particularly worth mentioning is the powerful upstream and the filter chain. Upstream provides a good basis for writing such as reverse proxy and other server communication modules. And the coolest part of the filter chain is that each filter does not have to wait for the previous filter to finish executing. It can make the output of the previous filter the input of the current filter, which is a bit like a Unix pipeline. This means that a module can begin compressing requests sent from a back-end server and can transfer the compression to the client before the module receives the entire request from the backend server.
Nginx uses some of the latest features provided by the OS, such as support for Sendfile (Linux 2.2+), Accept-filter (FreeBSD 4.1+), Tcp_defer_accept (Linux 2.4+), which greatly improves performance.
From: http://www.xpb.cn/blog/665.html
Related comments:
Online has nginx virtual host Webshell Perfect version of the article is also used Angelstar method more set PHP-FPM can be resolved
With Phpinfo () you can view the values of the Open_basedir, exposing the paths of each virtual host. or a Web site program just wrong, just show the path, will also be exposed.
It appears that Phpinfo () is also disabled.