The task here is to run multiple virtual host websites under Nginx. PHP versions earlier than 5.3 do not support the per-host open_basedir configuration (see Method 2), so the only way to prevent cross-site access is to control the user the PHP-CGI process runs as and the directory permissions.
First, look at the users and directory permissions a website needs in normal operation:
Nginx process user: receives client requests and serves static files; PHP requests are handed to PHP-CGI. It needs read permission on the site directory.
PHP-CGI process user: executes the PHP files. It needs read permission on the site directory, and write permission on some directories.
Give each website its own PHP-CGI process: create a PHP-FPM configuration file per site and set the following values:
The code is as follows:

```xml
<value name="pid_file">/usr/local/php/logs/php-fpm.pid</value>
<value name="error_log">/usr/local/php/logs/php-fpm.log</value>
<value name="listen_address">/tmp/www.111cn.net.sock</value>
<!-- user and group the PHP-CGI process runs as -->
<value name="user">www.111cn.net</value>
<value name="group">www.111cn.net</value>
```
Start the PHP-CGI process:
The code is as follows:

```sh
/usr/local/php/bin/php-cgi --fpm-config /usr/local/php/etc/www.111cn.net.conf
```
Set the website directory permissions; the Nginx worker runs as user www:
The code is as follows:

```sh
# owner: the site's PHP-CGI user; group: the Nginx user www
chown -R www.111cn.net:www /home/wwwroot/www.111cn.net
# owner and group may read and traverse, nobody may write
chmod -R 550 /home/wwwroot/www.111cn.net
# others may only traverse the parent, not list it
chmod 701 /home/wwwroot/
```
Then modify the Nginx site configuration so that PHP requests are passed to this site's PHP-CGI process:
The code is as follows:

```nginx
location ~ .*\.(php|php5)?$ {
    fastcgi_pass unix:/tmp/www.111cn.net.sock;
    fastcgi_index index.php;
    include fcgi.conf;
}
```
A simple management script for the PHP-CGI processes:
The code is as follows:

```sh
#!/bin/sh
# chkconfig: 2345 55 25
# http://www.111cn.net
cgi=/usr/local/php/bin/php-cgi

case "$1" in
start)
    # one php-cgi process per site configuration file
    for conf in /usr/local/php/etc/*.conf
    do
        $cgi --fpm-config "$conf"
    done
    ;;
stop)
    for pid in /usr/local/php/logs/*.pid
    do
        kill -TERM "$(cat "$pid")"
    done
    ;;
restart)
    $0 stop
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
```
Method 2: If you are using PHP 5.3.3 or later, see the following method.
PHP 5.3.3 and later add the per-HOST configuration sections that prevent cross-site and cross-directory access. If your PHP is 5.3.3 or later, edit /usr/local/php/etc/php.ini and add the following at the end:
vi /etc/php.ini # edit the php.ini configuration file, append the following, and change the open_basedir directory to the site's path
The code is as follows:

```ini
[HOST=www.111cn.net]
open_basedir=/var/wwwroot/www.111cn.net/:/tmp/
[PATH=/var/wwwroot/www.111cn.net]
open_basedir=/var/wwwroot/www.111cn.net/:/tmp/
;auto_prepend_file=security.php  ; file to include before every script

[HOST=blog.rekfan.com]
open_basedir=/var/wwwroot/blog.rekfan.com/:/tmp/
[PATH=/var/wwwroot/blog.rekfan.com]
open_basedir=/var/wwwroot/blog.rekfan.com/:/tmp/
;auto_prepend_file=security.php
```
Method 3: Preventing webshell cross-site access
This method requires changing the PHP source and recompiling PHP. The FPM patch modifies PHP source files when it is applied, so make the change below only after the FPM patch has been applied.
The code is as follows:

```sh
tar zxvf php-5.2.14.tar.gz
gzip -cd php-5.2.14-fpm-0.5.14.diff.gz | patch -d php-5.2.14 -p1
cd php-5.2.14/
vi main/fopen_wrappers.c
```

```c
/* {{{ php_check_open_basedir */
PHPAPI int php_check_open_basedir_ex(const char *path, int warn TSRMLS_DC)
{
	/* Only check when open_basedir is available */
	if (PG(open_basedir) && *PG(open_basedir)) {
		char *pathbuf;
		char *ptr;
		char *end;

		/* Added content starts: a path below the request's DOCUMENT_ROOT
		 * is always allowed, so each virtual host is confined to its own root.
		 * sapi_getenv() returns NULL when the variable is not set (e.g. CLI),
		 * and the result must be freed on every path. */
		char *env_document_root = sapi_getenv("DOCUMENT_ROOT", sizeof("DOCUMENT_ROOT") - 1 TSRMLS_CC);
		if (env_document_root) {
			if (php_check_specific_open_basedir(env_document_root, path TSRMLS_CC) == 0) {
				efree(env_document_root);
				return 0;
			}
			efree(env_document_root);
		}
		/* Added content ends */

		pathbuf = estrdup(PG(open_basedir));
		ptr = pathbuf;

		/* open_basedir is a DEFAULT_DIR_SEPARATOR (':' on Unix) separated list */
		while (ptr && *ptr) {
			end = strchr(ptr, DEFAULT_DIR_SEPARATOR);
			if (end != NULL) {
				*end = '\0';
				end++;
			}
			if (php_check_specific_open_basedir(ptr, path TSRMLS_CC) == 0) {
				efree(pathbuf);
				return 0;
			}
			ptr = end;
		}
		if (warn) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING,
				"open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s)",
				path, PG(open_basedir));
		}
		efree(pathbuf);
		errno = EPERM; /* we deny permission to open it */
		return -1;
	}

	/* Nothing to check... */
	return 0;
}
/* }}} */
```
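To show how the open_basedir entries of Method 2 and the DOCUMENT_ROOT rule of the Method 3 patch decide whether a path is allowed, here is an added Python model of that check (example code, not from the page or from PHP); the function names, the `DIR_SEPARATOR` constant and the sample paths are assumptions, and PHP's symlink resolution is not modelled.

```python
"""Model of the open_basedir check used in Method 2 and patched in Method 3.
Added example, not code from the page or from PHP. Real PHP also resolves
symlinks with realpath(); this model only folds '.' and '..' with normpath,
so it runs without touching the filesystem."""
import posixpath

DIR_SEPARATOR = ":"  # PHP's DEFAULT_DIR_SEPARATOR on Unix


def allowed_by(basedir: str, path: str) -> bool:
    """Prefix test modelled on php_check_specific_open_basedir.

    A basedir without a trailing slash is a pure prefix: "/var/wwwroot/blog"
    also admits "/var/wwwroot/blog2/x.php". The page's php.ini entries end
    in "/", which keeps the match on the directory boundary.
    """
    resolved_basedir = posixpath.normpath(basedir)
    if basedir.endswith("/"):
        resolved_basedir += "/"
    resolved_path = posixpath.normpath(path)
    # "/dir" and "/dir/" name the same directory, so the basedir itself passes
    return (resolved_path.startswith(resolved_basedir)
            or resolved_path + "/" == resolved_basedir)


def check_open_basedir(path: str, open_basedir: str, document_root: str = "") -> bool:
    """True if `path` may be opened; mirrors the patched php_check_open_basedir_ex."""
    if not open_basedir:
        return True  # nothing to check, as in the original function
    # Method 3 patch: anything below the request's DOCUMENT_ROOT passes first.
    # The patch passes the variable unchanged; nginx usually sets it without a
    # trailing slash, so one is appended here to avoid the prefix problem above.
    if document_root and allowed_by(document_root.rstrip("/") + "/", path):
        return True
    return any(allowed_by(b, path) for b in open_basedir.split(DIR_SEPARATOR) if b)


# Constructed sample: the page's php.ini entry for www.111cn.net
SITE_BASEDIR = "/var/wwwroot/www.111cn.net/:/tmp/"
SAMPLE_PATHS = [
    "/var/wwwroot/www.111cn.net/index.php",                      # allowed
    "/var/wwwroot/www.111cn.net/../blog.rekfan.com/config.php",  # other site, denied
    "/tmp/sess_abc123",                                          # session file, allowed
    "/etc/passwd",                                               # denied
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("allow" if check_open_basedir(p, SITE_BASEDIR) else "deny ", p)
```

The trailing-slash case is the one to verify in your own php.ini: an entry like `/var/wwwroot/blog` also admits `/var/wwwroot/blog2/`, while `/var/wwwroot/blog/` does not.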