Enabling multiple virtual machine websites in Nginx is the primary task. Versions earlier than PHP5.3 do not support open_basedir. You can only control the PHP-cgi process and Directory user permissions, prevents cross-site access.
First, let's take a look at the user and directory permissions used for normal website operation:
Nginx process run User: receive user requests, process static files, if PHP is transferred to the PHP-CGI for processing, the site directory has read permission.
PHP-cgi process User: processes PHP files. The website directory has read permission, and write permission is required for some directories.
Let each website use a separate PHP-CGI process, create a PHP-FPM profile, and modify the following:
| The code is as follows: | Copy code |
| <Value name = "pid_file">/usr/local/php/logs/php-fpm.pid </value> <Value name = "error_log">/usr/local/php/logs/php-fpm.log </value> <Value name = "listen_address">/tmp/wwww.111cn.net. sock </value> <Value name = "user"> www.111cn.net </value> # PHP-CGI run user group <Value name = "group"> www.111cn.net </value> |
|
Start the PHP-CGI process:
| The code is as follows: | Copy code |
/Usr/local/php/bin/php-cgi -- fpm-config/usr/local/php/etc/www.111cn.net. conf |
|
Set the website directory permission and set the Nginx running user to www:
| The code is as follows: | Copy code |
Chown-R www.111cn.net: www/home/wwwroot/www.111cn.net |
|
Then modify the Nginx website configuration file, parse the PHP-CGI process used by PHP:
| The code is as follows: | Copy code |
| Location ~ . *. (Php | php5 )? $ { Fastcgi_pass unix:/tmp/www.111cn.net. sock; Fastcgi_index index. php; Fcinclude GI. conf; } |
|
Php-cgi process simple management script:
| The code is as follows: | Copy code |
| #! /Bin/sh # Chkconfig: 2345 55 25 # Http://www.111cn.net Cgi =/usr/local/php/bin/php-cgi Case "$1" in Start) For conf in 'ls/usr/local/php/etc/*. Conf' Do $ Cgi -- fpm-config $ conf Done ;; Stop) For pid in 'ls/usr/local/php/logs/*. Pid' Do Kill-TERM 'cat $ pid' Done ;; Restart) $0 stop $0 start ;; *) Echo "Usage: $0 {start | stop | restart }" Exit 1 ;; Esac |
|
Method 2: If you are using PHP 5.3.3 or laterFor more information, see the following method.
The HOST configuration has been added above 5.3.3 to prevent cross-site and cross-directory issues. If you are a PHP version 5.3.3 or later, you can modify/usr/local/php/etc/php. ini and add the following to the end:
Vi/etc/php. ini # Edit the php. ini configuration file, add the following code at the end, and change the open_basedir directory to the site path
| The code is as follows: | Copy code |
[HOST = www.111cn.net] [HOST = blog.rekfan.com] Open_basedir =/var/wwwroot/blog.rekfan.com/:/tmp/ |
|
Method 3: Anti-WEBshell cross-site
The author needs to change the php source program and re-compile the php program. When using fpm for installation, php files will be modified during Patching. Therefore, you need to modify the php source program after completing the fpm patch.
| The code is as follows: | Copy code |
Tar zxvf php-5.2.14.tar.gz Vi main/fopen_wrappers.c
// The added content starts. Char * env_document_root = sapi_getenv ("DOCUMENT_ROOT", sizeof ("DOCUMENT_ROOT")-1 TSRMLS_CC ); // The added content ends. Pathbuf = estrdup (PG (open_basedir )); Ptr = pathbuf; While (ptr & * ptr ){ If (php_check_specific_open_basedir (ptr, path TSRMLS_CC) = 0 ){ Ptr = end; /* Nothing to check ...*/ |
|
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
