In-depth Optimization of WEB Architecture for Linux O&M: PHP

Source: Internet
Author: User
Tags php session

In-depth Optimization of WEB architecture PHP

I. PHP engine cache acceleration and optimization (4 types)

1. eAccelerator

2. XCache

3. APC

4. Zend

II. Use tmpfs as the accelerator's cache directory (it can be mounted automatically from rc.local or fstab)

mount -t tmpfs -o size=16G tmpfs /dev/shm

mount -t tmpfs /dev/shm /tmp/eaccelerator

tmpfs can be used for any temporary directory, such as the temporary processing directory for uploaded image thumbnails or the temporary directories of other accelerators.

III. php.ini Parameter Optimization

php.ini applies to both Apache and Nginx; php-fpm.conf applies to the nginx + fcgi configuration. First select the php.ini for the production environment (php.ini-production), and then perform the following optimizations.

1. Enable PHP safe mode.

Safe mode is a very important built-in security mechanism of PHP. It restricts the execution of some PHP functions, such as system(), and also controls the permissions of many file-operation functions. It is disabled by default.

This parameter is configured as follows:

# Line 338

safe_mode = Off

# Change to:

safe_mode = On

2. User group security

When safe_mode is enabled and safe_mode_gid is not disabled, PHP scripts can access the files, and users in the same group can also access them. We therefore recommend setting safe_mode_gid = Off. It is disabled by default in PHP 5.3.27 and does not need to be set.

3. Disable dangerous functions

(1) If safe mode is enabled, disabling functions is not strictly required. However, dangerous functions are still disabled for security reasons. The method is as follows:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo

(2) If you want to block all operations on files and directories, you need to disable many file functions (first check whether the application calls these functions):

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

4. Disable PHP version information leakage in the HTTP header.

To prevent attackers from obtaining the PHP version of the server, disable the display of PHP version information in the HTTP header. After the change, neither curl nor telnet shows the PHP version information.

This parameter is configured as follows:

# Line 435

expose_php = On

# Change to:

expose_php = Off

5. Disable registration of global variables

With this parameter enabled, variables submitted to PHP, including those submitted by POST or GET, are automatically registered as global variables and can be accessed directly. This is very convenient for development but very insecure for the server, so registration of global variables should be disabled. If this parameter is enabled, intruders can bypass verification by submitting special requests. The register_globals parameter is disabled by default. It is very dangerous to enable it.

This parameter is configured as follows:

# Line 435

register_globals = Off

6. Enable magic_quotes_gpc to prevent SQL injection.

SQL injection is a very dangerous problem. If the website back end is compromised, the entire server is compromised. When magic_quotes_gpc is enabled in php.ini, data submitted by the user for SQL queries is escaped automatically, for example the single quotation mark ('), which plays a major role in preventing SQL injection. Therefore, we recommend that you enable the magic_quotes_gpc parameter. The default value is Off.

This parameter is configured as follows:

# Line 756

magic_quotes_gpc = Off

# Change to:

magic_quotes_gpc = On

7. Error message control

(1) Disable error display

In general, PHP displays an error message when it cannot connect to the database or in other failure cases. The message contains the current path of the PHP script or the SQL statement being executed, which is not safe. Therefore, disable error display and use error logs on the server side instead. We recommend that you disable the display_errors parameter. It is Off by default in PHP 5.3.27.

This parameter is configured as follows:

# Line 538

display_errors = Off

(2) Control the error display level

If you must display error information to the client, set the error display level. Generally, only warning information is displayed. The corresponding parameter is error_reporting.

This parameter is configured as follows:

# Line 521

error_reporting = E_ALL & ~E_DEPRECATED

# Change to:

error_reporting = E_WARNING | E_ERROR
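
The error_reporting value is a bitmask expression, so the operator decides which levels survive: & keeps only the bits both operands share, while | combines them. The following added example (not part of the original article) evaluates such expressions with the PHP 5.3 constant values and lists the levels that end up enabled. The function names, and the evaluation without parentheses from left to right, are assumptions of this sketch.

```python
import operator
import re

# Error levels and their values as defined by PHP 5.3 (the version this page uses).
LEVELS = {
    "E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
    "E_CORE_ERROR": 16, "E_CORE_WARNING": 32, "E_COMPILE_ERROR": 64,
    "E_COMPILE_WARNING": 128, "E_USER_ERROR": 256, "E_USER_WARNING": 512,
    "E_USER_NOTICE": 1024, "E_STRICT": 2048, "E_RECOVERABLE_ERROR": 4096,
    "E_DEPRECATED": 8192, "E_USER_DEPRECATED": 16384,
}
NAMES = dict(LEVELS, E_ALL=30719)   # in PHP 5.3, E_ALL excludes E_STRICT
OPS = {"&": operator.and_, "|": operator.or_, "^": operator.xor}
MASK = 0x7FFF                       # the 15 level bits listed above


def evaluate(expr):
    """Reduce an error_reporting expression to its bitmask (assumed: no parentheses)."""
    value, op, invert = 0, "|", False
    for tok in re.findall(r"[A-Z_]+|\d+|\S", expr):
        if tok == "~":
            invert = not invert
        elif tok in OPS:
            if op is not None or invert:
                raise ValueError(f"misplaced operator {tok!r}")
            op = tok
        elif tok in NAMES or tok.isdigit():
            if op is None:
                raise ValueError(f"missing operator before {tok!r}")
            term = NAMES[tok] if tok in NAMES else int(tok)
            if invert:
                term, invert = ~term & MASK, False
            value, op = OPS[op](value, term), None
        else:
            raise ValueError(f"unknown token {tok!r}")
    if op is not None or invert:
        raise ValueError("incomplete expression")
    return value


def enabled_levels(expr):
    """Names of the levels that the expression actually switches on."""
    mask = evaluate(expr)
    return [name for name, bit in LEVELS.items() if mask & bit]


if __name__ == "__main__":
    for setting in ("E_ALL & ~E_DEPRECATED", "E_WARNING & E_ERROR", "E_WARNING | E_ERROR"):
        print(f"{setting!r:28} -> {evaluate(setting):5} {enabled_levels(setting)}")
```

An expression that evaluates to 0 enables no level at all, so nothing is reported, and nothing reaches the error log either.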

(3) Enable error logging

After the display_errors parameter is disabled, we recommend that you record error information so that the cause of server errors can be found. To write errors to the error log file, enable the log_errors parameter. It is On by default in PHP 5.3.27.

This parameter is configured as follows:

# Line 559

log_errors = On

(4) Specify an error log file

Specify the error_log path. It is commented out by default in PHP 5.3.27. The Apache user and group must have write permission on the specified error log file.

This parameter is configured as follows:

# Add a new line at line 646

error_log = /app/logs/php_errors.log

8. Resource limit parameter optimization

(1) Set the maximum running time of each script: max_execution_time

max_execution_time is the maximum running time of each script, which prevents poorly written scripts from occupying server resources endlessly. If large file uploads or background data backups often time out, you need to adjust this setting. This parameter only affects the running time of the script itself. 0 indicates no restriction.

This parameter is configured as follows:

# The default value is 30 seconds.

max_execution_time = 30

(2) Set the maximum memory used by each script: memory_limit

To use the memory_limit parameter, you must use the --enable-memory-limit configure option during compilation. To remove the memory limit, set it to -1. After this parameter is set, the memory_get_usage() function becomes available.

This parameter is configured as follows:

# Line 465, 128 MB by default

memory_limit = 128M

(3) Set the maximum time for each script to wait for input data: max_input_time

The max_input_time parameter specifies the maximum time allowed for each script to parse input data (POST, GET, and upload). -1 indicates no restriction.

This parameter is configured as follows:

# Line 454, 60 seconds by default

max_input_time = 60

(4) Set the maximum allowed upload file size: upload_max_filesize

Use the upload_max_filesize parameter to limit the size of uploaded files. You can adjust it as needed.

This parameter is configured as follows:

# Line 891, 2 MB by default

upload_max_filesize = 2M

9. Security parameter optimization

(1) Disable remote file access: allow_url_fopen

Remember the PHP include vulnerability: if a PHP program includes a file through a variable, an attacker can use this to make the server execute a remote PHP program, such as a phpshell, locally. Therefore, you must disable this parameter.

This parameter is configured as follows:

# Line 902

allow_url_fopen = On

# Change to:

allow_url_fopen = Off

(2) Prevent the Nginx file-type parsing vulnerability: cgi.fix_pathinfo

This parameter is configured as follows:

# Line 854

;cgi.fix_pathinfo=1

# Change to:

cgi.fix_pathinfo = 0
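
One way to check a php.ini against the settings recommended in items 3 to 9 above, as an added example that is not part of the original article: it parses the file statically and reports every directive that deviates or is still commented out. The check list, function names and sample input are constructed for illustration; safe_mode, register_globals and magic_quotes_gpc are left out because those directives were removed in PHP 5.4.

```python
# Values recommended in this section: boolean directives and functions to disable.
EXPECTED = {"expose_php": False, "display_errors": False, "log_errors": True,
            "allow_url_fopen": False, "cgi.fix_pathinfo": False}
MUST_DISABLE = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}
TRUE_WORDS = {"1", "on", "true", "yes"}


def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments, incl. ';directive = x'
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(text):
    """Return sorted findings; an empty list means every check passed."""
    ini, findings = parse_ini(text), []
    for key, want in EXPECTED.items():
        if key not in ini:
            findings.append(f"{key}: not set, built-in default applies")
        elif (ini[key].lower() in TRUE_WORDS) != want:
            findings.append(f"{key}: is {ini[key]}, want {'On' if want else 'Off'}")
    disabled = {name.strip() for name in ini.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    if not ini.get("error_log"):
        findings.append("error_log: no log file configured")
    return sorted(findings)


# Constructed sample, not taken from a real server.
SAMPLE = """\
[PHP]
expose_php = On
display_errors = Off
log_errors = On
;cgi.fix_pathinfo=1
allow_url_fopen = Off
disable_functions = system, exec
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a real file, pass its contents to audit(), for example audit(open("/path/to/php.ini").read()), where the path is a placeholder.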

10. Adjust the storage type and location of PHP session information

(1) Adjust the storage type and location of PHP session information

By default, PHP sessions are stored as files in the /tmp directory. In a load balancer + web cluster architecture, session persistence is a problem. The first solution is to use a hash algorithm on the load balancer so that a session is always sent to the same web server. The second is to use a cache server (Memcache or Redis) to store all sessions; on each access, the session is retrieved from the cache server, which maintains session persistence.

This parameter is configured as follows:

# Line 1461

session.save_handler = files

# Change to:

session.save_handler = memcache

# Line 1490

;session.save_path = "/tmp"

# Change to:

session.save_path = "tcp://10.0.0.18:11211" ; IP address and port of memcache, using the TCP protocol

(2) Advantages and disadvantages of storing PHP sessions in Memcache

A. Advantages

(i) Reads and writes are much faster than with ordinary files.

(ii) It solves the problem of sharing sessions across multiple servers.

B. Disadvantages

(i) Session data is kept in memory and is not persisted, but for session data this is not a big problem.

(ii) Other persistent systems, such as redis and ttserver, can also be used to store sessions.

(iii) In high-performance, high-concurrency scenarios, cookies are much more efficient than sessions. Therefore, many large websites use cookies to solve the session sharing problem.

IV. php-fpm.conf Parameter Optimization

pm.max_children = 1024 ; maximum number of child processes

pm.start_servers = 16 ; number of processes at startup

pm.min_spare_servers = 5 ; minimum number of idle processes

pm.max_spare_servers = 20 ; maximum number of idle processes

pm.max_requests = 2048 ; maximum number of requests served by each child process

slowlog = /application/php/logs/$pool.log.slow ; slow log file

request_slowlog_timeout = 10 ; timeout after which a request is written to the slow log
