Summary of LNMP Virtual Host Security configuration in Linux

Source: Internet
Author: User
Tags: fpm, php, file, touch, file permissions

Nginx here is essentially just a reverse proxy: it receives the request, checks whether the requested resource is a .php file, and if so hands it to php-fpm for processing and returns the result to the user once it is available. So there are two sets of permissions to consider: the first is Nginx's permissions, the second is php-fpm's. As the figure below shows, both Nginx and php-fpm read the site's files, so the assignment of permissions is an important consideration.

Cross-site defense comes down to three points: first, prevent other users from listing the site directory, so that sensitive file names cannot be seen and accessed; second, prevent other users from reading the site's files, so that configuration information is not disclosed; third, prevent other users from writing a shell into the site's directory.

PHP clearly takes this into account: open_basedir in its configuration file is a list of directories, and PHP is allowed to access only the directories given there. By setting open_basedir we can stop PHP from reading or writing files outside the web directory, such as /etc/passwd.

But the problem is that open_basedir is written in php.ini, and all virtual hosts use the same PHP. We can prevent PHP from accessing files outside the web directory, but we cannot prevent "virtual host 1" from accessing the files of "virtual host 2", because both are inside the web directory. An even bigger problem is that open_basedir in many PHP versions is not reliable and can be bypassed easily.

This is the problem we face. The workaround is to start a separate php-fpm for each virtual host, each running as a different user.

To implement this, we need to make some changes to the installed LNMP. (I am using the widely used "LNMP one-click installation package".)

0x01 LNMP Hardening

For example, our server has two virtual hosts, game01.com and game02.com, with directories /home/wwwroot/game01/ and /home/wwwroot/game02/.

The newer version of the LNMP one-click installation package comes with its own cross-site protection, because since PHP 5.3.3 you can add the following at the end of php.ini:

<code>[HOST=www.vpser.net]
open_basedir=/home/wwwroot/www.vpser.net/:/tmp/
[PATH=/home/wwwroot/www.vpser.net]
open_basedir=/home/wwwroot/www.vpser.net/:/tmp/
</code>
This gives a different open_basedir to each host. But we do not use this method: first, it requires PHP 5.3.3 or later; second, open_basedir itself is limited and has holes, so it cannot be relied on entirely. So, after the virtual host has been created, open /usr/local/php/etc/php.ini and comment that content out (the comment character is ;).

First, let the different virtual hosts run with different php-fpm instances:

1. Create a php-fpm.pid file for each site

<code>cd /usr/local/php5/var/run
touch php-fpm-game01.pid
touch php-fpm-game02.pid
</code>
2. Create a php-fpm.conf file for each site

<code>cd /usr/local/php5/etc/
cp php-fpm.conf php-fpm-game01.conf
cp php-fpm.conf php-fpm-game02.conf
</code>
3. Create a php-cgi.sock file for each site

<code>touch /tmp/php-cgi-game01.sock           # create the php-cgi.sock file
chown www:www /tmp/tmp-placeholder-removed 2>/dev/null; chown www:www /tmp/php-cgi-game01.sock   # set the file owner to www (must match the Nginx user)
touch /tmp/php-cgi-game02.sock
chown www:www /tmp/php-cgi-game02.sock
</code>
4. Modify the relevant files

<code>vi /usr/local/php5/etc/php-fpm-game01.conf
pid = run/php-fpm-game01.pid
listen = /tmp/php-cgi-game01.sock

vi /usr/local/php5/etc/php-fpm-game02.conf
pid = run/php-fpm-game02.pid
listen = /tmp/php-cgi-game02.sock

vi /etc/init.d/php-fpm
vhost=$2
php_fpm_CONF=${prefix}/etc/php-fpm-$vhost.conf
php_fpm_PID=${prefix}/var/run/php-fpm-$vhost.pid
php_opts="-d open_basedir=/home/wwwroot/$vhost/:/tmp/ --fpm-config $php_fpm_CONF"
</code>
The last line above gives the php-fpm startup parameters: open_basedir is set to /home/wwwroot/$vhost/:/tmp/, where $vhost is the second argument ($2, game01 or game02) passed in at run time.

Continue modifying:

<code>vi /usr/local/nginx/conf/vhost/game01.com.conf   # the configuration file name may differ; adjust to your setup
fastcgi_pass unix:/tmp/php-cgi-game01.sock;
vi /usr/local/nginx/conf/vhost/game02.com.conf
fastcgi_pass unix:/tmp/php-cgi-game02.sock;
</code>
5. Add the startup script

<code>vi /home/start.sh
#!/bin/bash
auto=$1
/bin/bash /etc/rc.d/init.d/php-fpm $auto game01
/bin/bash /etc/rc.d/init.d/php-fpm $auto game02

chmod +x /home/start.sh
</code>
Then edit /etc/rc.local to add start.sh to the startup entries. At this point, different virtual hosts run different php-fpm instances. We also need them to run under different user identities.

<code>groupadd game01
groupadd game02
useradd game01 -m -s /sbin/nologin -g game01
useradd game02 -m -s /sbin/nologin -g game02
</code>
This adds two users, game01 (group game01) and game02 (group game02). Modify /usr/local/php/etc/php-fpm-game01.conf:

<code>listen.owner = game01
listen.group = game01
user = game01
group = game01
</code>
Do the same for game02. Now php-fpm runs as a different user for each site.

Then move to /home/wwwroot/:

<code>cd /home/wwwroot/
chown -R game01:game01 game01
chown -R game02:game02 game02
</code>
The game01 and game02 folders now belong to users game01 and game02 respectively.

However, our Nginx runs as the www user by default, so it cannot read the files of users game01 and game02; and if we set the file permissions to 777, we cannot prevent game01 from reading game02's files.

Therefore, we add the www user to the game01 and game02 groups and set the game01 and game02 files to mode 750. This lets www read the game01/game02 files (it is in the same group, and group permission 5 is enough), and it also prevents game01 from reading game02's files.

Linux allows a user to belong to more than one group, so the operation is:

<code>usermod -aG game01 www
usermod -aG game02 www
</code>
Our defense now actually has two layers.

01. Two different php-fpm instances run the PHP programs of the two virtual hosts, each with its own open_basedir, so neither can cross into the other's directory.

02. Even if open_basedir is bypassed, the php-fpm running as user game01 cannot read or write game02's files, because all of game02's files are mode 750 and other users have no permissions at all (0).
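The two layers above rest on a handful of facts that are easy to get wrong by hand (wrong owner, a stray 755, www not actually in the group, php-fpm still running as www). The following audit script is an added example and is not part of the original article or the LNMP package; it assumes the article's values /home/wwwroot and the Nginx user www (both overridable) and checks one virtual host at a time.

```shell
#!/bin/sh
# Added audit helper, not from the original article. For one virtual host it
# checks the isolation the article builds: the site directory is owned by the
# site's own user and group, "other" has no permission bits (mode 750), the
# nginx user is in the site's group, and php-fpm runs as the site user.
WEBROOT="${WEBROOT:-/home/wwwroot}"    # assumed default from the article
NGINX_USER="${NGINX_USER:-www}"        # assumed default from the article

# dir_perm_fields <dir>: prints "<mode> <owner> <group>" from ls -ld,
# e.g. "drwxr-x--- game01 game01"; prints nothing if the dir is missing.
dir_perm_fields() {
    ls -ld "$1" 2>/dev/null | awk '{print $1, $3, $4}'
}

# check_vhost_dir <site> [owner] [group]: 0 when the site directory is owned
# by owner:group (default: the site name) and world has no access at all.
check_vhost_dir() {
    site="$1"; owner="${2:-$1}"; group="${3:-$1}"
    fields=$(dir_perm_fields "$WEBROOT/$site")
    [ -n "$fields" ] || { echo "$site: directory missing"; return 1; }
    mode=${fields%% *}; rest=${fields#* }
    have_owner=${rest%% *}; have_group=${rest#* }
    [ "$have_owner" = "$owner" ] || { echo "$site: owner $have_owner, want $owner"; return 1; }
    [ "$have_group" = "$group" ] || { echo "$site: group $have_group, want $group"; return 1; }
    # characters 8-10 of the mode string are the "other" bits; 750 means "---"
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$site: world-accessible mode $mode"; return 1; }
    return 0
}

# nginx_in_group <site>: 0 when NGINX_USER belongs to the site's group, which
# is what lets nginx read a 750 directory it does not own.
nginx_in_group() {
    id -nG "$NGINX_USER" 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# fpm_runs_as <site>: 0 when at least one php-fpm process runs as the site user.
fpm_runs_as() {
    ps -u "$1" -o comm= 2>/dev/null | grep -q '^php-fpm'
}

# audit_vhost <site>: runs all checks; 0 only when every one passes.
audit_vhost() {
    rc=0
    check_vhost_dir "$1" || rc=1
    nginx_in_group "$1" || { echo "$1: $NGINX_USER is not in group $1"; rc=1; }
    fpm_runs_as "$1" || { echo "$1: no php-fpm process running as $1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$1: OK"
    return "$rc"
}
```

Run it as `audit_vhost game01; audit_vhost game02` after the setup below; any line other than "OK" names the check that failed.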

Now that everything is set up, here is how to use it.

0x02 How to use

First kill the existing php-fpm, then restart Nginx, then run /home/start.sh start to bring up the new php-fpm instances.

<code>/etc/init.d/php-fpm start game01    # start game01 alone
/etc/init.d/php-fpm start game02    # start game02 alone
/etc/init.d/php-fpm stop game01     # stop game01 alone
/etc/init.d/php-fpm stop game02     # stop game02 alone
</code>
The above is a method that I pieced together; it may not be the best method (I am not familiar with the nginx mechanism, and perhaps there are simpler ways to solve this problem), so I also hope the experts can share their own way of doing it and point out my shortcomings.
