4.50 - Nginx load balancing; 4.51 - Nginx SSL; 5.52-5.53 - PHP-FPM configuration 1/2

4.50 - Nginx load balancing

What is load balancing?

Load balancing means distributing incoming requests evenly across the back-end machines.
For example, with four web servers A, B, C and D, a client E that wants to reach them, and an Nginx reverse proxy F in front,
F can spread E's requests evenly over A, B, C and D.

Configuration:

upstream qq_com
{
    ip_hash;
    server 61.135.157.156:80;
    server 125.39.240.113:80;
}
server
{
    listen 80;
    server_name www.qq.com;
    location /
    {
        proxy_pass http://qq_com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

####################
upstream apelearn
{
    ip_hash;
    server 115.159.51.96:80 weight=100;
    server 47.104.7.242:80;
}
server
{
    listen 80;
    server_name www.apelearn.com;
    location /
    {
        proxy_pass http://apelearn;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

4.51 - Nginx SSL

SSL in Nginx

Make Nginx serve the site over https. http uses port 80, https uses port 443.
https is essentially http with encryption.

Why encrypt?

Example: when you transfer money through online banking you type in your card PIN. Without encryption, that data
could be intercepted while in transit.

With https the data is encrypted in transit: even if the packets are captured, they cannot be decoded.

Key point:

http 1.1    http 2 (https)

Requesting a certificate:

Site: www.wosign.com (WoSign)
Free: freessl.org
Register an account, enter the domain and start the request; during the process you have to add a TXT record to the domain's DNS.

Configuration:

server
{
    listen 443 ssl;
    ssl on;
    ssl_certificate /path/to/xxx.crt;
    ssl_certificate_key /path/to/xxx.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

Note: `ssl on;` is obsolete in Nginx releases after 1.15 (the `ssl` parameter on `listen` replaces it), and TLSv1/TLSv1.1 are considered legacy; on a current build `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting.

Accessing https with curl

curl -k -H "host:bbs.aminglinux.cc" https://192.168.222.128/index.php

-k disables certificate verification, which is why a self-signed or not-yet-trusted certificate still returns a page; for anything beyond a local test, pass the CA with --cacert instead.

Further reading:

https://github.com/aminglinux/nginx/tree/master/ssl

5.52-5.53 - PHP-FPM configuration 1/2

PHP-FPM configuration file path:

/usr/local/php-fpm/etc/php-fpm.conf
It includes a directory: php-fpm.d/*.conf
www.conf is one of the sub-configuration files in that directory

Explanation of www.conf

pool name: [www] can be customised; after starting, ps aux |grep php-fpm shows the pool name in the rightmost column
listen: the IP:port or socket address to listen on
	This must match the address given by fastcgi_pass in the nginx configuration, otherwise you get a 502
	If it listens on a socket file, the nginx service user (nginx) must have read and write permission on that socket file, otherwise 502
listen.mode: permissions of the socket file
pm = dynamic: dynamic mode
pm.max_children = 5: maximum number of child processes
pm.start_servers = 2: number of child processes started at launch
pm.min_spare_servers = 1: minimum number of idle child processes
pm.max_spare_servers = 3: maximum number of idle child processes

php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL

Configuring the slow log

slowlog = /tmp/php.slow
request_slowlog_timeout = 1

Configuring open_basedir

php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp

Configuring multiple pools

Define several configuration files, each with a different listen address and a different [pool_name]
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp

[bbs]
user = php-fpm
group = php-fpm
listen = /tmp/bbs.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.aminglinux.cc:/tmp

Finding the php.ini path:

1) /usr/local/php-fpm/bin/php -i |head
2) use phpinfo

Supplement:

curl -k -H "host:bbs.aminglinux.cc" https://127.0.0.1/phpinfo.php

Hands-on:

Nginx load balancing

108
[root@test02 ~]# cd /etc/nginx/conf.d/
[root@test02 conf.d]# ls
bbs.champin.top.conf  default.conf
[root@test02 conf.d]# vi qq.com.conf
 upstream apelearn
    {
        ip_hash;
        server 115.159.51.96:80; 
        server 47.104.7.242:80;
    }
    server
    {
        listen 80;
        server_name www.apelearn.com;
        location /
        {
            proxy_pass http://apelearn;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }


To define weights, write it like this:
        server 115.159.51.96:80 weight=100;   highest 100, lowest 0
        server 47.104.7.242:80 weight=10;

Because this is simulated on virtual machines, add to the Windows hosts file: 192.168.229.129 www.qq.com www.apelearn.com

[root@test02 conf.d]# nginx -t && nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful


SSL in Nginx

Request a free one-year certificate at freessl.cn



107
[root@test01 ~]# cd /etc/nginx/
[root@test01 nginx]# ls
conf.d          koi-utf  mime.types  nginx.conf   user_passwd   win-utf
fastcgi_params  koi-win  modules     scgi_params  uwsgi_params
[root@test01 nginx]# mkdir ssl
[root@test01 nginx]# cd ssl
[root@test01 ssl]# vi ca
[root@test01 ssl]# vi bbs.crt
[root@test01 ssl]# vi bbs.key


[root@test01 nginx]# vi conf.d/bbs.champin.top.conf 

server {
    listen       443 ssl;
    server_name  bbs.champin.top;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

[root@test01 nginx]# systemctl restart nginx   restart
[root@test01 nginx]# netstat -ltnp             check whether port 443 is now listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4773/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1066/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1645/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4773/nginx: master  
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1106/php-fpm: maste 
tcp6       0      0 :::3306                 :::*                    LISTEN      1319/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1066/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1645/master 

[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent   the firewall does not allow 443 yet, add it
FirewallD is not running
[root@test01 nginx]# systemctl start firewalld
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent
success
[root@test01 nginx]# iptables -nvL |grep 80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
[root@test01 nginx]# iptables -nvL |grep 443   check that it was added
[root@test01 nginx]# firewall-cmd --reload
success
[root@test01 nginx]# iptables -nvL |grep 443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW

Also add 192.168.28.107 bbs.champin.top to the local hosts file,
then enter https://bbs.champin.top in the browser.

It can also be accessed from another machine.
108
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php -I    (the -I can be left off)
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@test02 conf.d]# curl -k -H "host:bbs.champin.top" https://192.168.28.107/index.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 10:01:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=ue3eKcLQ; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551085260; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_lastact=1551088860%09index.php%09; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Mon, 25-Feb-2019 10:06:00 GMT; Max-Age=300; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
 
[root@test02 conf.d]# 


php-fpm configuration


[root@test01 conf.d]# vi bbs.champin.top.conf   change the php port to 9001
[root@test01 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 conf.d]# nginx -s reload
Opening bbs.champin.top in the browser now shows 502

[root@test01 conf.d]# !vi
vi bbs.champin.top.conf 

[1]+  已中止               vi bbs.champin.top.conf
[root@test01 conf.d]# tail /var/log/nginx/error.log   the nginx error log shows it too
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/qmenu.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/nv_a.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/search.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/pt_item.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"

[root@test01 conf.d]# cd /usr/local/php-fpm/etc/
[root@test01 etc]# ls
pear.conf  php-fpm.conf  php-fpm.conf.default  php-fpm.d  php.ini
[root@test01 etc]# vi php-fpm.conf   have a look at it

[root@test01 etc]# cd php-fpm.d/
[root@test01 php-fpm.d]# ls
www.conf  www.conf.default
[root@test01 php-fpm.d]# vi www.conf

[1]+  已中止               vi www.conf
[root@test01 php-fpm.d]# ps aux |grep php-fpm
root       1106  0.0  0.6 230772  6200 ?        Ss   07:06   0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm    1116  0.0  1.5 248088 15612 ?        S    07:06   0:02 php-fpm: pool www
php-fpm    1117  0.0  1.8 331084 18788 ?        S    07:06   0:03 php-fpm: pool www
root       5153  0.0  0.0 112728   976 pts/1    R+   20:50   0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# fg
vi www.conf
;listen = 127.0.0.1:9000     change it to this:
listen = /tmp/www.socket



[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 20:54:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

[root@test01 php-fpm.d]# ls /tmp/www.socket   check that such a file now exists (ls shows sockets in pink)
/tmp/www.socket

[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf   use this socket file in the nginx configuration
    location ~ \.php$ {
        root           /data/wwwroot/bbs.champin.top;
#        fastcgi_pass   127.0.0.1:9001;          change these two lines
        fastcgi_pass   unix:/tmp/www.socket;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/bbs.champin.top$fastcgi_script_name;
        include        fastcgi_params;
    }
[root@test01 php-fpm.d]# nginx -t 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
Refreshing https://bbs.champin.top in the browser still gives 502


[root@test01 php-fpm.d]# !tail      look at the nginx error log
tail /var/log/nginx/error.log
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
2019/02/25 20:47:02 [notice] 5145#5145: signal process started
2019/02/25 20:54:20 [notice] 5158#5158: signal process started
2019/02/25 21:03:57 [notice] 5187#5187: signal process started
2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top"

Permission denied in the log almost always means the permissions are not right
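The log-reading steps above (Connection refused on fastcgi://127.0.0.1:9001, Permission denied on the socket, access forbidden by rule) as a small triage script. This is an added example, not part of the original notes: the log lines are constructed in nginx's error.log format, and the category names and hints are mine.

```python
"""Triage nginx error.log lines into the 502/403 causes walked through above.

Added example, not part of the original notes. The log lines are
constructed in the format nginx 1.14 writes (modelled on the ones in the
notes); the rules encode the by-hand reasoning used above: which message
means "fastcgi_pass points at nothing", which means "socket permissions",
and which never reached php-fpm at all.
"""
import re
from collections import Counter

# Constructed sample: one line per cause, plus a notice line to be ignored.
SAMPLE_LOG = """\
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top"
2019/02/25 21:20:00 [crit] 5188#5188: *160 connect() to unix:/tmp/blog.socket failed (2: No such file or directory) while connecting to upstream, client: 192.168.28.1, server: www.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/blog.socket:", host: "www.champin.top"
2019/02/25 21:25:00 [error] 5188#5188: *161 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET /forum.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/bbs.socket:", host: "bbs.champin.top"
2019/02/25 21:26:00 [notice] 5200#5200: signal process started
"""

# "<date> <time> [level] pid#tid: *conn message"; the "*conn " part is absent on notices.
_LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?:\*\d+ )?(?P<msg>.*)$")
_FIELD = re.compile(r'(?P<key>client|server|request|upstream|host): "?(?P<val>[^",]+)"?')

# (pattern, category, what to check), in order of precedence.
RULES = (
    (re.compile(r"\(111: Connection refused\) while connecting to upstream"), "upstream_refused",
     "nothing listens at the fastcgi_pass address: compare it with the pool's listen= and check php-fpm is running"),
    (re.compile(r"connect\(\) to unix:\S+ failed \(13: Permission denied\)"), "socket_permission",
     "the nginx worker user cannot open the socket: fix listen.mode or listen.owner/listen.group in the pool"),
    (re.compile(r"connect\(\) to unix:\S+ failed \(2: No such file or directory\)"), "socket_missing",
     "fastcgi_pass and the pool's listen= name different socket paths, or php-fpm was not restarted"),
    (re.compile(r"upstream timed out \(110: Connection timed out\)"), "upstream_timeout",
     "PHP answered too slowly: look in the pool's slowlog for the script and line"),
    (re.compile(r"access forbidden by rule"), "nginx_deny",
     "an allow/deny rule in the vhost rejected the request (403); php-fpm was never contacted"),
)


def classify(line):
    """Parse one error.log line; return a record dict, or None if it is not one."""
    m = _LINE.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    fields = {f.group("key"): f.group("val") for f in _FIELD.finditer(msg)}
    category, hint = "other", "no rule matched; read the message"
    for pattern, cat, advice in RULES:
        if pattern.search(msg):
            category, hint = cat, advice
            break
    return {"time": m.group("ts"), "level": m.group("level"), "category": category,
            "hint": hint, "upstream": fields.get("upstream", ""), "host": fields.get("host", "")}


def triage(text):
    """Classify every error/crit line of a log; return (records, Counter by category)."""
    records = [r for r in map(classify, text.splitlines())
               if r is not None and r["level"] != "notice"]
    return records, Counter(r["category"] for r in records)


if __name__ == "__main__":
    recs, counts = triage(SAMPLE_LOG)
    for r in recs:
        print(f'{r["time"]} [{r["level"]}] {r["category"]:18} {r["host"]} {r["upstream"]}\n    -> {r["hint"]}')
    print(dict(counts))
```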

[root@test01 php-fpm.d]# ls -l /tmp/www.socket 
srw-rw----. 1 root root 0 2月  25 20:55 /tmp/www.socket

[root@test01 php-fpm.d]# vi www.conf
listen.mode = 0666       set the permission to 0666 (0660 with listen.owner/listen.group set to the nginx user is the tighter choice)

[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 21:12:54] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

reload is not enough here; a restart is needed, since it deletes the socket under /tmp and recreates it
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done


[root@test01 php-fpm.d]# vim www.conf   a demonstration
php_flag[display_errors] = on           remove the semicolon and change off to on

[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

[root@test01 php-fpm.d]# vi /data/wwwroot/bbs.champin.top/forum.php   write some broken code into it


Opening the forum in the browser now shows directly which line of code failed

The correct approach:
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log   enable the error log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL

[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@test01 php-fpm.d]# touch /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# chmod 777 !$   (on a real server, chown the file to the php-fpm user instead of making it world-writable)
chmod 777 /var/log/fpm-php.www.log


[root@test01 php-fpm.d]# cat /var/log/fpm-php.www.log
[25-Feb-2019 13:50:51 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11   the error log shows where the error is





php.ini

[root@test01 php-fpm.d]# ls /usr/local/php-fpm/etc/       php.ini path
pear.conf  php-fpm.conf  php-fpm.conf.default  php-fpm.d  php.ini
[root@test01 php-fpm.d]# /usr/local/php-fpm/bin/php -i |head     if you don't know the path, you can look it up like this
phpinfo()
PHP Version => 7.3.1

System => Linux test01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
Build Date => Jan 26 2019 00:40:10
Configure Command =>  './configure'  '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--enable-fpm' '--with-fpm-user=php-fpm' '--with-fpm-group=php-fpm' '--with-mysql=/usr/local/mysql5.7' '--with-mysqli=/usr/local/mysql5.7/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql5.7' '--with-mysql-sock=/tmp/mysql.sock' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-ftp' '--enable-mbstring' '--enable-exif' '--with-pear' '--with-curl' '--with-openssl'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/php-fpm/etc
Loaded Configuration File => /usr/local/php-fpm/etc/php.ini

There is one more method, which also tests whether PHP is being parsed: access the page in a browser
[root@test01 php-fpm.d]# ls /data/wwwroot/bbs.champin.top/
admin.php  archiver     crossdomain.xml  forum.php  index.php  member.php  portal.php  source    uc_client
api        config       data             group.php  install    misc.php    robots.txt  static    uc_server
api.php    connect.php  favicon.ico      home.php   m          plugin.php  search.php  template
[root@test01 php-fpm.d]# vim /data/wwwroot/bbs.champin.top/phpinfo.php

<?php
phpinfo();
?>

You can open bbs.champin.top/phpinfo.php in the browser and see the version, paths, configuration parameters and so on. It is handy for testing whether PHP is parsed, but it is quite dangerous: anyone who finds it sees the entire configuration at a glance.

It can be disabled:
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 
find disable_functions
disable_functions = phpinfo

[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload   restart or reload
Reload service php-fpm  done

Refresh phpinfo.php and the page no longer opens.

[root@test01 php-fpm.d]# tail /var/log/fpm-php.www.log  the error log has a record of it
[25-Feb-2019 14:56:53 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:56:56 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2


[root@test01 php-fpm.d]# vim www.conf
php_flag[display_errors] = on     turn error display on to debug

[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done
[root@test01 php-fpm.d]# !curl
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php -I    curl gets 200; the browser shows a blank page
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 15:04:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1

[root@test01 php-fpm.d]# curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php  with -I it shows 200; without it, the error message is printed
<br />
<b>Warning</b>:  phpinfo() has been disabled for security reasons in <b>/data/wwwroot/bbs.champin.top/phpinfo.php</b> on line <b>2</b><br />

[root@test01 php-fpm.d]# vim www.conf   first set it to on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

Configuring the slow log (for php-fpm)
[root@test01 php-fpm.d]# vim www.conf
slowlog = /tmp/php.slow        path of the log for slow PHP scripts (in production it should not live under /tmp)
request_slowlog_timeout = 1     timeout after which a request is logged as slow; 2 seconds is a good value

[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini  re-enable phpinfo first
disable_functions =

[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload    reload again
Reload service php-fpm  done

[root@test01 php-fpm.d]# cd /data/wwwroot/bbs.champin.top/
[root@test01 bbs.champin.top]# ls
admin.php  config           favicon.ico  index.php   misc.php     robots.txt  template
api        connect.php      forum.php    install     phpinfo.php  search.php  uc_client
api.php    crossdomain.xml  group.php    m           plugin.php   source      uc_server
archiver   data             home.php     member.php  portal.php   static
[root@test01 bbs.champin.top]# vi phpinfo.php 

<?php
phpinfo();
sleep (2);
echo 11112;
?>


[root@test01 bbs.champin.top]# !curl    it actually pauses for 2 seconds, which may not be noticeable
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php

[root@test01 bbs.champin.top]# cat /tmp/php.slow    now look at the slow log

[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3


[root@test01 bbs.champin.top]# vi phpinfo.php 

<?php
echo 1;
sleep (5);
echo 11112;
?>


[root@test01 bbs.champin.top]# !curl    paused 5 seconds before the output appeared
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
11112[root@test01 bbs.champin.top]# 

[root@test01 bbs.champin.top]# !cat
cat /tmp/php.slow 

[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3

[25-Feb-2019 23:31:14]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3  shows which line of which script was slow

[root@test01 bbs.champin.top]# date
2019年 02月 25日 星期一 23:32:44 CST

[root@test01 bbs.champin.top]# rm -rvf phpinfo.php   fine on a test machine; in production, avoid phpinfo altogether
已刪除"phpinfo.php"

[root@test01 bbs.champin.top]# vim forum.php   add sleep (10); in the middle of the file
sleep (10);

Open http://bbs.champin.top/forum.php in the browser; it takes 10 seconds to load. Ordinary users run into the same situation, and when it happens, the slowlog is the tool to track down the cause.


[root@test01 bbs.champin.top]# !cat   look at the log again; I refreshed twice, so two slow-log entries were recorded
cat /tmp/php.slow 

[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3

[25-Feb-2019 23:31:14]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3

[25-Feb-2019 23:37:41]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22

[25-Feb-2019 23:37:49]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22

[root@test01 bbs.champin.top]# !vi  remove sleep (10);
vim forum.php 


Configuring open_basedir
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /home:/root

[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

Accessing https://bbs.champin.top in the browser now gives No input file specified.

First look at the error log
[root@test01 bbs.champin.top]# tail /var/log/fpm-php.www.log 
[25-Feb-2019 14:56:56 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:01:58 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:42 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:55 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:05:01 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:31:13 UTC] PHP Warning:  Use of undefined constant echo1 - assumed 'echo1' (this will throw an Error in a future version of PHP) in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
Here:
[25-Feb-2019 15:56:44 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/bbs.champin.top/forum.php) is not within the allowed path(s): (/home:/root) in Unknown on line 0

[25-Feb-2019 15:56:44 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0

[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini 
open_basedir = /data/wwwroot/bbs.champin.top:/tmp

[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

Now https://bbs.champin.top opens, but www.champin.top gives 502.
Fix the 502 on www.champin.top first
[root@test01 bbs.champin.top]# vi /etc/nginx/conf.d/www.champin.top.conf 
    location ~ \.php$ {
        root           /data/wwwroot/www.champin.top;
        #fastcgi_pass   127.0.0.1:9001;
        fastcgi_pass   unix:/tmp/www.socket;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /data/wwwroot/www.champin.top$fastcgi_script_name;
        include        fastcgi_params;
    }


Accessing www.champin.top in the browser also gives No input file specified, because open_basedir does not include the path of www.champin.top.
You could list both sites' paths together in open_basedir in php.ini, but then if one site is attacked, both sites are at risk.
The other approach is not to define it in php.ini at all but in the php-fpm pool.
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini 
open_basedir =        cleared

[root@test01 bbs.champin.top]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# vim www.conf
Define one pool first
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp

[root@test01 php-fpm.d]# grep -v '^;' www.conf |grep -v '^$'
[www]
user = php-fpm
group = php-fpm
listen = /tmp/www.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# vi blog.conf
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/www.champin.top:/tmp
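An added example (not from the original notes) that audits pool files for the isolation points made above: display_errors left on, a 0666 socket, a missing open_basedir, and two pools that share a socket or a document root. The two sample pools and the finding codes are constructed for the example.

```python
"""Audit php-fpm pool files for the per-site isolation mistakes discussed above.

Added example, not part of the original notes. It parses the pool syntax
used on this page ([pool] headers, key = value, php_admin_value[...] and
php_flag[...] keys) and flags the settings the notes warn about: errors
shown to the browser, a world-writable socket, a missing open_basedir,
and two pools that share a socket or a document root. The two pools
below are constructed with deliberate mistakes.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the bbs/blog layout above, with mistakes to catch.
SAMPLE_POOLS = """
; lines starting with ; are comments
[bbs]
user = php-fpm
group = php-fpm
listen = /tmp/bbs.socket
listen.mode = 0666
pm = dynamic
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp

[blog]
user = php-fpm
group = php-fpm
listen = /tmp/bbs.socket
listen.mode = 0660
listen.owner = nginx
listen.group = nginx
pm = dynamic
php_flag[display_errors] = off
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KV = re.compile(r"^([A-Za-z0-9_.]+(?:\[[^\]]+\])?)\s*=\s*(.*)$")


def parse_pools(text):
    """Return {pool_name: {key: value}} from php-fpm pool syntax."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            pools[current] = {}
            continue
        m = _KV.match(line)
        if m and current is not None:
            pools[current][m.group(1)] = m.group(2).strip()
    return pools


def audit_pools(pools):
    """Return (pool, code, detail) findings for settings that weaken isolation."""
    findings = []
    by_listen, by_basedir = defaultdict(list), defaultdict(list)
    for name, cfg in pools.items():
        listen = cfg.get("listen", "")
        if listen:
            by_listen[listen].append(name)
        basedir = cfg.get("php_admin_value[open_basedir]")
        if basedir is None:
            findings.append((name, "no_open_basedir",
                             "scripts may open any file the php-fpm user can read; set php_admin_value[open_basedir]"))
        else:
            by_basedir[basedir].append(name)
        if cfg.get("php_flag[display_errors]", "off").lower() == "on":
            findings.append((name, "display_errors_on",
                             "paths and line numbers of errors are sent to the browser; log them via error_log instead"))
        # A listen value containing "/" is a Unix socket; connecting to it needs write permission.
        if "/" in listen:
            mode = cfg.get("listen.mode", "0660")          # php-fpm's default is 0660
            if mode and mode[-1] in "2367":                 # "other" write bit set
                findings.append((name, "socket_world_writable",
                                 f"listen.mode={mode} lets any local user send FastCGI requests to this pool; "
                                 "use 0660 with listen.owner/listen.group set to the nginx user"))
    for listen, names in by_listen.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "shared_listen",
                             f"pools share {listen}; php-fpm cannot bind the same address twice"))
    for basedir, names in by_basedir.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), "shared_open_basedir",
                             f"pools share open_basedir {basedir}; a compromise of one site reaches the other's files"))
    return findings


if __name__ == "__main__":
    for pool, code, detail in audit_pools(parse_pools(SAMPLE_POOLS)):
        print(f"[{pool}] {code}: {detail}")
```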
[root@test01 php-fpm.d]# mv www.conf bbs.conf   renamed to bbs to tell the pools apart; the pool name is changed to bbs as well
[root@test01 php-fpm.d]# vi bbs.conf
change [www] to [bbs]

[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[26-Feb-2019 00:28:05] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

[root@test01 php-fpm.d]# ls /tmp/       a new blog.socket file has appeared
blog.socket  systemd-private-4dd844f49c7d42aaa3d0ecd231f21905-vmtoolsd.service-wBwXw9
html         systemd-private-844c61e19fa44725ac7e2901678bb6b6-vmtoolsd.service-fqEuo8
inittab.txt  systemd-private-f76438af452340deb845a63bbbbbba43-vmtoolsd.service-UA99YA
mysql.sock   www.socket
passwd.txt   yum_save_tx.2019-02-14.23-03.I5mpYO.yumtx
php.slow

[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf   change to bbs.socket (note: `listen =` is a php-fpm pool directive, so this edit belongs in the bbs.conf pool file, not in the nginx vhost)
listen = /tmp/bbs.socket

[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf   this must also be changed to bbs.socket
fastcgi_pass   unix:/tmp/bbs.socket;

[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf    and this one to blog.socket
fastcgi_pass   unix:/tmp/blog.socket;

[root@test01 php-fpm.d]# ps aux |grep php-fpm      one pool per site, isolated from each other
root       5492  0.0  0.6 230780  6332 ?        Ss   00:28   0:00 php-fpm: master process (/usr/local/php-fp/etc/php-fpm.conf)
php-fpm    5493  0.0  0.7 230772  7028 ?        S    00:28   0:00 php-fpm: pool bbs
php-fpm    5494  0.0  0.7 230772  7028 ?        S    00:28   0:00 php-fpm: pool bbs
php-fpm    5495  0.0  0.6 230772  6320 ?        S    00:28   0:00 php-fpm: pool blog
php-fpm    5496  0.0  0.6 230772  6320 ?        S    00:28   0:00 php-fpm: pool blog
root       5509  0.0  0.0 112728   976 pts/1    R+   00:37   0:00 grep --color=auto php-fpm

[root@test01 php-fpm.d]# nginx -t 
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]#  /etc/init.d/php-fpm reload
Reload service php-fpm  done