4.50 - Nginx負載均衡 4.51 - Nginx SSL 5.52-5.53 - PHP-FPM配置1/2
4.50 - Nginx負載均衡php
什麼是負載均衡?html
負載均衡就是,把請求均衡地分發到後端的各個機器上面。 好比,A B C D 四臺WEB服務器,如今E要訪問這4臺服務器,F爲Nginx反向代理服務器,可讓F把E的請求均衡地發送到 A B C D 4臺服務器上。
配置:mysql
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
####################
upstream apelearn
{
ip_hash;
server 115.159.51.96:80 weight=100;
server 47.104.7.242:80;
}
server
{
listen 80;
server_name www.apelearn.com;
location /
{
proxy_pass http://apelearn;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
4.51 - Nginx SSLlinux
Nginx的SSLnginx
讓Nginx實現用https來訪問網站。http是80端口,https是443端口。 https其實就是一種加密的http。
爲何要加密git
舉例:我們要在網上銀行匯款,在你匯款過程中,你會輸入銀行卡的密碼。若是不加密,這些數據在傳輸過程當中就有可能被人 截獲。 若是使用了https,那麼數據在傳輸過程當中是會加密的。即便抓到了數據包,可是沒法破解出來。
知識點:github
http 1.1 http 2 (https)
申請證書:sql
網站:www.wosign.com (沃通) 免費的:freessl.org 註冊帳號,輸入域名,開始申請,在這個過程當中須要去加一條TXT的記錄
配置:vim
ssl on;
ssl_certificate /path/to/xxx.crt;
ssl_certificate_key /path/to/xxx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
curl訪問httpswindows
curl -k -H "host:bbs.aminglinux.cc" https://192.168.222.128/index.php
擴展連接:
https://github.com/aminglinux/nginx/tree/master/ssl
5.52-5.53 - PHP-FPM配置1/2
PHP-FPM配置文件路徑:
/usr/local/php-fpm/etc/php-fpm.conf 包含了一個目錄 php-fpm.d/*.conf www.conf 就是其中子配置文件
pool 名字: [www] 能夠自定義,啓動後,ps aux |grep php-fpm 看最右側,就是pool的名字 listen 指定監聽的IP:port或者socket地址 這個地址須要和nginx配置文件裏面的那個fastcgi_pass所制定的地址一致,不然就會502 若是監聽的是socket文件,那麼要保證nginx服務用戶(nginx)對該socket文件有讀寫權限,不然502 listen.mode 指定socket文件的權限 pm = dynamic 動態模式 pm.max_children = 5 最大進程數 pm.start_servers = 2 啓動幾個子進程 pm.min_spare_servers = 1 空閒時,最少不能少於幾個子進程 pm.max_spare_servers = 3 空閒時,最多不能多於幾個子進程 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL
配置slow 日誌
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
配置open_basedir
php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp
配置多個pool
定義多個配置文件,在配置文件中指定不一樣的listen地址 不一樣的 [pool_name] [blog] user = php-fpm group = php-fpm listen = /tmp/blog.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp [bbs] user = php-fpm group = php-fpm listen = /tmp/bbs.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = on php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/bbs.aminglinux.cc:/tmp
查看php.ini路徑:
1) /usr/local/php-fpm/bin/php -i |head 2)用phpinfo
補充:
curl -k -H "host:bbs.aminglinux.cc" https://127.0.0.1/phpinfo.php
代碼:
nginx負載均衡
108
[root@test02 ~]# cd /etc/nginx/conf.d/
[root@test02 conf.d]# ls
bbs.champin.top.conf default.conf
[root@test02 conf.d]# vi qq.com.conf
upstream apelearn
{
ip_hash;
server 115.159.51.96:80;
server 47.104.7.242:80;
}
server
{
listen 80;
server_name www.apelearn.com;
location /
{
proxy_pass http://apelearn;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
定義權重的話這麼寫
server 115.159.51.96:80 weight=100; 最高100最小0
server 47.104.7.242:80 weight=10;
由於是虛擬機模擬,要定義一下windows的hosts 192.168.229.129 www.qq.com www.apelearn.com
[root@test02 conf.d]# nginx -t && nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Nginx的SSL
到freessl.cn申請一個免費一年的證書
107
[root@test01 ~]# cd /etc/nginx/
[root@test01 nginx]# ls
conf.d koi-utf mime.types nginx.conf user_passwd win-utf
fastcgi_params koi-win modules scgi_params uwsgi_params
[root@test01 nginx]# mkdir ssl
[root@test01 nginx]# cd ssl
[root@test01 ssl]# vi ca
[root@test01 ssl]# vi bbs.crt
[root@test01 ssl]# vi bbs.key
[root@test01 nginx]# vi conf.d/bbs.champin.top.conf
server {
listen 443 ssl;
server_name bbs.champin.top;
ssl on;
ssl_certificate /etc/nginx/ssl/bbs.crt;
ssl_certificate_key /etc/nginx/ssl/bbs.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@test01 nginx]# systemctl restart nginx 重啓一下
[root@test01 nginx]# netstat -ltnp 查看一下有沒有443端口
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4773/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1066/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1645/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4773/nginx: master
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1106/php-fpm: maste
tcp6 0 0 :::3306 :::* LISTEN 1319/mysqld
tcp6 0 0 :::22 :::* LISTEN 1066/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1645/master
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent 防火牆尚未加上443端口,添加一下
FirewallD is not running
[root@test01 nginx]# systemctl start firewalld
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent
success
[root@test01 nginx]# iptables -nvL |grep 80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
[root@test01 nginx]# iptables -nvL |grep 443 查看一下添加
[root@test01 nginx]# firewall-cmd --reload
success
[root@test01 nginx]# iptables -nvL |grep 443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
還要再本機hosts上192.168.28.107添加bbs.champin.top
而後瀏覽器輸入https://bbs.champin.top
還能夠在另一臺機器訪問。
108
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php -I能夠不加-I
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@test02 conf.d]# curl -k -H "host:bbs.champin.top" https://192.168.28.107/index.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 10:01:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=ue3eKcLQ; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551085260; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_lastact=1551088860%09index.php%09; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Mon, 25-Feb-2019 10:06:00 GMT; Max-Age=300; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
[root@test02 conf.d]#
php-fpm配置
[root@test01 conf.d]# vi bbs.champin.top.conf 把php端口改爲9001
[root@test01 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 conf.d]# nginx -s reload
用瀏覽器打開bbs.champin.top 會顯示502
[root@test01 conf.d]# !vi
vi bbs.champin.top.conf
[1]+ 已中止 vi bbs.champin.top.conf
[root@test01 conf.d]# tail /var/log/nginx/error.log 看nginx的錯誤日誌也能夠看出來。
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/qmenu.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/nv_a.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/search.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/pt_item.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
[root@test01 conf.d]# cd /usr/local/php-fpm/etc/
[root@test01 etc]# ls
pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini
[root@test01 etc]# vi php-fpm.conf查看一下
[root@test01 etc]# cd php-fpm.d/
[root@test01 php-fpm.d]# ls
www.conf www.conf.default
[root@test01 php-fpm.d]# vi www.conf
[1]+ 已中止 vi www.conf
[root@test01 php-fpm.d]# ps aux |grep php-fpm
root 1106 0.0 0.6 230772 6200 ? Ss 07:06 0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1116 0.0 1.5 248088 15612 ? S 07:06 0:02 php-fpm: pool www
php-fpm 1117 0.0 1.8 331084 18788 ? S 07:06 0:03 php-fpm: pool www
root 5153 0.0 0.0 112728 976 pts/1 R+ 20:50 0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# fg
vi www.conf
;listen = 127.0.0.1:9000 改爲這個樣子
listen = /tmp/www.socket
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 20:54:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# ls /tmp/www.socket 看看有沒有這樣一個粉紅色的文件
/tmp/www.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 在nginx配置使用這個socket文件
location ~ \.php$ {
root /data/wwwroot/bbs.champin.top;
# fastcgi_pass 127.0.0.1:9001; 這兩行修改一下
fastcgi_pass unix:/tmp/www.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name;
include fastcgi_params;
}
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -reload
用瀏覽器刷新HTTPS://bbs.champin.top仍是502
[root@test01 php-fpm.d]# !tail 看一看nginx的錯誤日誌
tail /var/log/nginx/error.log
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
2019/02/25 20:47:02 [notice] 5145#5145: signal process started
2019/02/25 20:54:20 [notice] 5158#5158: signal process started
2019/02/25 21:03:57 [notice] 5187#5187: signal process started
2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top"
Permission denied 日誌裏有這類的,多半是權限不到位等
[root@test01 php-fpm.d]# ls -l /tmp/www.socket
srw-rw----. 1 root root 0 2月 25 20:55 /tmp/www.socket
[root@test01 php-fpm.d]# vi www.conf
listen.mode = 0666 定義一下權限改爲0666
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 21:12:54] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
reload 不行,須要重啓一下,它會先刪除掉tmp下的socket在生成
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# vim www.conf 演示一下
php_flag[display_errors] = on 去掉分號,off改爲on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# vi /data/wwwroot/bbs.champin.top/forum.php 寫入錯誤的代碼
用瀏覽器打開論壇會直接顯示第幾行代碼出錯
正確作法。
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log 打開錯誤日誌
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# touch /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# chmod 777 !$
chmod 777 /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# cat /var/log/fpm-php.www.log
[25-Feb-2019 13:50:51 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 錯誤日誌就能顯示出哪裏出錯了
php.ini
[root@test01 php-fpm.d]# ls /usr/local/php-fpm/etc/ php.ini路徑
pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini
[root@test01 php-fpm.d]# /usr/local/php-fpm/bin/php -i |head 若是不知道路徑能夠這麼查看
phpinfo()
PHP Version => 7.3.1
System => Linux test01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
Build Date => Jan 26 2019 00:40:10
Configure Command => './configure' '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--enable-fpm' '--with-fpm-user=php-fpm' '--with-fpm-group=php-fpm' '--with-mysql=/usr/local/mysql5.7' '--with-mysqli=/usr/local/mysql5.7/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql5.7' '--with-mysql-sock=/tmp/mysql.sock' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-ftp' '--enable-mbstring' '--enable-exif' '--with-pear' '--with-curl' '--with-openssl'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/php-fpm/etc
Loaded Configuration File => /usr/local/php-fpm/etc/php.ini
還有如下一種方法能夠,也能夠用來測試php能不能解析,用瀏覽器訪問
[root@test01 php-fpm.d]# ls /data/wwwroot/bbs.champin.top/
admin.php archiver crossdomain.xml forum.php index.php member.php portal.php source uc_client
api config data group.php install misc.php robots.txt static uc_server
api.php connect.php favicon.ico home.php m plugin.php search.php template
[root@test01 php-fpm.d]# vim /data/wwwroot/bbs.champin.top/phpinfo.php
<?php
phpinfo();
?>
能夠用瀏覽器打開 bbs.champin.top/phpinfo.php的頁面,能夠查看到版本,路徑,配置參數等,能夠拿這個測試能不能解析,可是比較的危險,若是被黑客看到。配置信息盡收眼底
能夠禁用掉
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini
找到disable_functions
disable_functions = phpinfo
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 從新啓動一下或者加載一下。
Reload service php-fpm done
從新刷新一下phpinfo.php頁面就打不開了。
[root@test01 php-fpm.d]# tail /var/log/fpm-php.www.log 看錯誤日誌是有記錄的
[25-Feb-2019 14:56:53 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[root@test01 php-fpm.d]# vim www.conf
php_flag[display_errors] = on 把顯示錯誤日誌打開,調式看看
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# !curl
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php -I 用curl 200 瀏覽器打開白頁
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 15:04:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
[root@test01 php-fpm.d]# curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php 加上I就顯示200.不加就會顯示出錯誤信息。
<br />
<b>Warning</b>: phpinfo() has been disabled for security reasons in <b>/data/wwwroot/bbs.champin.top/phpinfo.php</b> on line <b>2</b><br />
[root@test01 php-fpm.d]# vim www.conf 先改爲on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
配置slow日誌(針對php-fpm)
[root@test01 php-fpm.d]# vim www.conf
slowlog = /tmp/php.slow 這個用來定義php腳本執行慢的日誌路徑(正常生產環境中不該放在tmp下。)
request_slowlog_timeout = 1 這個用來定義超時時間 2秒爲佳
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 先打開phpinfo
disable_functions =
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 再次重載
Reload service php-fpm done
[root@test01 php-fpm.d]# cd /data/wwwroot/bbs.champin.top/
[root@test01 bbs.champin.top]# ls
admin.php config favicon.ico index.php misc.php robots.txt template
api connect.php forum.php install phpinfo.php search.php uc_client
api.php crossdomain.xml group.php m plugin.php source uc_server
archiver data home.php member.php portal.php static
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
phpinfo();
sleep (2);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl 實際會停頓2秒鐘。可能感受不明顯
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
[root@test01 bbs.champin.top]# cat /tmp/php.slow 再去看slow日誌
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
echo 1;
sleep (5);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl 停頓了5秒才顯示出來
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
11112[root@test01 bbs.champin.top]#
[root@test01 bbs.champin.top]# !cat
cat /tmp/php.slow
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:31:14] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 會顯示那個腳本的哪一行執行的慢
[root@test01 bbs.champin.top]# date
2019年 02月 25日 星期一 23:32:44 CST
[root@test01 bbs.champin.top]# rm -rvf phpinfo.php 測試機上能夠用,生產環境中堅定避免使用phpinfo
已刪除"phpinfo.php"
[root@test01 bbs.champin.top]# vim forum.php 中間增長sleep (10);
sleep (10);
用瀏覽器打開http://bbs.champin.top/forum.php,會等待10秒纔會打開,日常用戶打開網頁也會出現這種狀況,當出現這種狀況時,排查就要藉助slowlog用這種方法去排查
[root@test01 bbs.champin.top]# !cat 再看一下日誌,我刷新了兩次,因此記錄的兩條慢日誌
cat /tmp/php.slow
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:31:14] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:37:41] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[25-Feb-2019 23:37:49] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[root@test01 bbs.champin.top]# !vi 去掉sleep (10);
vim forum.php
配置open_basedir
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /home:/root
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
用瀏覽器訪問https://bbs.champin.top 出現No input file specified.
先看看錯誤日誌
[root@test01 bbs.champin.top]# tail /var/log/fpm-php.www.log
[25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:01:58 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:42 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:55 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:05:01 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:31:13 UTC] PHP Warning: Use of undefined constant echo1 - assumed 'echo1' (this will throw an Error in a future version of PHP) in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
在這
[25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/bbs.champin.top/forum.php) is not within the allowed path(s): (/home:/root) in Unknown on line 0
[25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
如今用瀏覽器訪問https://bbs.champin.top 能夠打開了。但訪問www.champin.top就502了
先解決一下www.champin.top的502問題
[root@test01 bbs.champin.top]# vi /etc/nginx/conf.d/www.champin.top.conf
location ~ \.php$ {
root /data/wwwroot/www.champin.top;
#fastcgi_pass 127.0.0.1:9001;
fastcgi_pass unix:/tmp/www.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/www.champin.top$fastcgi_script_name;
include fastcgi_params;
}
用瀏覽器訪問www.champin.top 也是是出現No input file specified 由於openbesedir沒定義www.champin.top的路徑
能夠在php.ini中 open_basedir裏混合定義這兩個網站的路徑,這樣若是其中一個網站被攻擊,那麼兩個網站都會有安全風險。
另一種方法就是不在php.ini的open_basedir中定義,到php-fpm裏面去定義
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = 取消
[root@test01 bbs.champin.top]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# vim www.conf
先定義好一個
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# grep -v '^;' www.conf |grep -v '^$'
[www]
user = php-fpm
group = php-fpm
listen = /tmp/www.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# vi blog.conf
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/www.champin.top:/tmp
[root@test01 php-fpm.d]# mv www.conf bbs.conf 爲了更好的區分pool,改爲bbs。pool的名字也改爲bbs
[root@test01 php-fpm.d]# vi bbs.conf
[www]改爲[bbs]
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[26-Feb-2019 00:28:05] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# ls /tmp/ 多了一個blog.socket文件
blog.socket systemd-private-4dd844f49c7d42aaa3d0ecd231f21905-vmtoolsd.service-wBwXw9
html systemd-private-844c61e19fa44725ac7e2901678bb6b6-vmtoolsd.service-fqEuo8
inittab.txt systemd-private-f76438af452340deb845a63bbbbbba43-vmtoolsd.service-UA99YA
mysql.sock www.socket
passwd.txt yum_save_tx.2019-02-14.23-03.I5mpYO.yumtx
php.slow
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 改爲bbs.socket
listen = /tmp/bbs.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 這裏也要改爲bbs.socket
fastcgi_pass unix:/tmp/bbs.socket;
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 這裏也要改爲blog.socket
fastcgi_pass unix:/tmp/blog.socket;
[root@test01 php-fpm.d]# ps aux |grep php-fpm 一個pool一個站點。獨立開來
root 5492 0.0 0.6 230780 6332 ? Ss 00:28 0:00 php-fpm: master process (/usr/local/php-fp/etc/php-fpm.conf)
php-fpm 5493 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs
php-fpm 5494 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs
php-fpm 5495 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog
php-fpm 5496 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog
root 5509 0.0 0.0 112728 976 pts/1 R+ 00:37 0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
相關文章
- 1. LNMP——nginx負載均衡/nginx配置ssl
- 2. LNMP---nginx反向代理、nginx負載均衡、配置nginx的ssl
- 3. 12-2 12 Nginx 負載均衡 ssl
- 4. [Nginx] - 負載均衡配置
- 5. Nginx負載均衡及配置SSL
- 6. Nginx負載均衡、配置SSL
- 7. nginx負載均衡、配置ssl
- 8. nginx代理,負載均衡,配置SSL
- 9. Nginx負載均衡配置
- 10. nginx負載均衡配置
- 更多相關文章...
- • Docker 安裝 Nginx - Docker教程
- • Eclipse Debug 配置 - Eclipse 教程
- • IntelliJ IDEA 代碼格式化配置和快捷鍵
- • IDEA下SpringBoot工程配置文件沒有提示
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
