12.23 open_basedir

php-fpm定義open_basedir目錄概要

• vim /usr/local/php-fpm/etc/php-fpm.d/test.conf//加入以下內容

php_admin_value[open_basedir]=/data/wwwroot/aming.com:/tmp/

• 建立測試php腳本，進行測試
• 再次更改aming.conf，修改路徑，再次測試
• 配置錯誤日誌
• 再次測試
• 查看錯誤日誌

php-fpm定義open_basedir

• open_basedir 的做用是限制php在指定的目錄裏活動。
• 由於若是服務器管理多個網站，在php.ini裏定義多個open_basedir就不合適了，因此要麼在apache虛擬主機配置文件裏面定義，要麼在php-fpm配置文件裏面定義，咱們能夠針對不一樣的池子（pool）定義對應的open_basedir
  • 只須要加 下面一行配置便可

  php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

  - 若是路徑出錯，就會沒法正常訪問，致使404頁面 curl直接連會提示「No input file specified.」

1. 針對www的pool進行配置

• 在最後一行加入配置

[root@hf-01 php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 

[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

2. 重啓php-fpm

[root@hf-01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@hf-01 php-fpm.d]#

3. 訪問測試

[root@hf-01 php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 22:56:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 php-fpm.d]#

4. 若open_basedir定義錯誤，就會致使沒法訪問，造成404狀態碼，輸出curl直接連會提示「No input file specified.」
5. 定義錯誤日誌

[root@hf-01 php-fpm.d]# vi /usr/local/php-fpm/etc/php.ini

搜索 /display_errors
將display_errors = Off
搜索 /error_log，添加error_log
;error_log = php_errors.log
; Log errors to syslog (Event Log on Windows).
;error_log = syslog
error_log = /usr/local/php-fpm/var/log/php_errors.log   //這一段定義錯誤日誌
搜索error_reporting
註釋掉自帶的error_reporting
;error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
error_reporting = E_ALL  //定義錯誤日誌的級別，全部

保存退出

• display_errors = Off 正常狀況下，在線上這個是off的，別人不能經過瀏覽器看到你的錯誤信息，而是把你的錯誤信息記錄到服務器的某一個文件裏

6. 查看設置的錯誤日誌文件，並是否生成

[root@hf-01 php-fpm.d]# grep error_log /usr/local/php-fpm/etc/php.ini
; server-specific log, STDERR, or a location specified by the error_log
; Set maximum length of log_errors. In error_log information about the source is
;error_log = php_errors.log
;error_log = syslog
error_log = /usr/local/php-fpm/var/log/php_errors.log 
; OPcache error_log file name. Empty string assumes "stderr".
;opcache.error_log=
[root@hf-01 php-fpm.d]# [root@hf-01 php-fpm.d]# ls /usr/local/php-fpm/var/log/
php-fpm.log  www-slow.log
[root@hf-01 php-fpm.d]#

7. 手動生成錯誤日誌文件，並設置權限爲777，防止不可以正常寫入

[root@hf-01 php-fpm.d]# touch /usr/local/php-fpm/var/log/php_errors.log
[root@hf-01 php-fpm.d]# chmod 777 /usr/local/php-fpm/var/log/php_errors.log 
[root@hf-01 php-fpm.d]#

8. 這裏爲了方便測試，故意將/usr/local/php-fpm/etc/php-fpm.d/www.conf 中的open_basedir路徑寫錯，來方便測試
9. 重啓php-fpm

[root@hf-01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@hf-01 php-fpm.d]#

10. 訪問測試，會看到顯示404

[root@hf-01 php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 404 Not Found
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 23:35:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 php-fpm.d]#

11. 查看錯誤日誌，會看到訪問地址有限制

[root@hf-01 php-fpm.d]# cat /usr/local/php-fpm/var/log/php_errors.log 
[09-Jan-2018 23:35:31 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/test.com/sleep.php) is not within the allowed path(s): (/data/wwwroot/111test.com:/tmp/) in Unknown on line 0
[09-Jan-2018 23:35:31 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[root@hf-01 php-fpm.d]#

12. 再將配置文件的open_basedir路徑修改過來，從新加載php-fpm，再來訪問，會看到正常顯示

[root@hf-01 php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf 
[root@hf-01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@hf-01 php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php -I
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Tue, 09 Jan 2018 23:39:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.30

[root@hf-01 php-fpm.d]#