4.50 - Nginx負載均衡php
什麼是負載均衡?html
負載均衡就是,把請求均衡地分發到後端的各個機器上面。 好比,A B C D 四臺WEB服務器,如今E要訪問這4臺服務器,F爲Nginx反向代理服務器,可讓F把E的請求均衡地發送到 A B C D 4臺服務器上。
配置:mysql
upstream qq_com { ip_hash; server 61.135.157.156:80; server 125.39.240.113:80; } server { listen 80; server_name www.qq.com; location / { proxy_pass http://qq_com; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } #################### upstream apelearn { ip_hash; server 115.159.51.96:80 weight=100; server 47.104.7.242:80; } server { listen 80; server_name www.apelearn.com; location / { proxy_pass http://apelearn; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } }
4.51 - Nginx SSLlinux
Nginx的SSLnginx
讓Nginx實現用https來訪問網站。http是80端口,https是443端口。 https其實就是一種加密的http。
爲何要加密git
舉例:我們要在網上銀行匯款,在你匯款過程中,你會輸入銀行卡的密碼。若是不加密,這些數據在傳輸過程當中就有可能被人 截獲。 若是使用了https,那麼數據在傳輸過程當中是會加密的。即便抓到了數據包,可是沒法破解出來。
知識點:github
http 1.1 http 2 (https)
申請證書:sql
網站:www.wosign.com (沃通) 免費的:freessl.org 註冊帳號,輸入域名,開始申請,在這個過程當中須要去加一條TXT的記錄
配置:vim
ssl on; ssl_certificate /path/to/xxx.crt; ssl_certificate_key /path/to/xxx.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
curl訪問httpswindows
curl -k -H "host:bbs.aminglinux.cc" https://192.168.222.128/index.php
擴展連接:
https://github.com/aminglinux/nginx/tree/master/ssl
5.52-5.53 - PHP-FPM配置1/2
PHP-FPM配置文件路徑:
/usr/local/php-fpm/etc/php-fpm.conf 包含了一個目錄 php-fpm.d/*.conf www.conf 就是其中子配置文件
pool 名字: [www] 能夠自定義,啓動後,ps aux |grep php-fpm 看最右側,就是pool的名字 listen 指定監聽的IP:port或者socket地址 這個地址須要和nginx配置文件裏面的那個fastcgi_pass所制定的地址一致,不然就會502 若是監聽的是socket文件,那麼要保證nginx服務用戶(nginx)對該socket文件有讀寫權限,不然502 listen.mode 指定socket文件的權限 pm = dynamic 動態模式 pm.max_children = 5 最大進程數 pm.start_servers = 2 啓動幾個子進程 pm.min_spare_servers = 1 空閒時,最少不能少於幾個子進程 pm.max_spare_servers = 3 空閒時,最多不能多於幾個子進程 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL
配置slow 日誌
slowlog = /tmp/php.slow request_slowlog_timeout = 1
配置open_basedir
php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp
配置多個pool
定義多個配置文件,在配置文件中指定不一樣的listen地址 不一樣的 [pool_name] [blog] user = php-fpm group = php-fpm listen = /tmp/blog.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp [bbs] user = php-fpm group = php-fpm listen = /tmp/bbs.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = on php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/bbs.aminglinux.cc:/tmp
查看php.ini路徑:
1) /usr/local/php-fpm/bin/php -i |head 2)用phpinfo
補充:
curl -k -H "host:bbs.aminglinux.cc" https://127.0.0.1/phpinfo.php
代碼:
nginx負載均衡 108 [root@test02 ~]# cd /etc/nginx/conf.d/ [root@test02 conf.d]# ls bbs.champin.top.conf default.conf [root@test02 conf.d]# vi qq.com.conf upstream apelearn { ip_hash; server 115.159.51.96:80; server 47.104.7.242:80; } server { listen 80; server_name www.apelearn.com; location / { proxy_pass http://apelearn; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } 定義權重的話這麼寫 server 115.159.51.96:80 weight=100; 最高100最小0 server 47.104.7.242:80 weight=10; 由於是虛擬機模擬,要定義一下windows的hosts 192.168.229.129 www.qq.com www.apelearn.com [root@test02 conf.d]# nginx -t && nginx -s reload nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful Nginx的SSL 到freessl.cn申請一個免費一年的證書 107 [root@test01 ~]# cd /etc/nginx/ [root@test01 nginx]# ls conf.d koi-utf mime.types nginx.conf user_passwd win-utf fastcgi_params koi-win modules scgi_params uwsgi_params [root@test01 nginx]# mkdir ssl [root@test01 nginx]# cd ssl [root@test01 ssl]# vi ca [root@test01 ssl]# vi bbs.crt [root@test01 ssl]# vi bbs.key [root@test01 nginx]# vi conf.d/bbs.champin.top.conf server { listen 443 ssl; server_name bbs.champin.top; ssl on; ssl_certificate /etc/nginx/ssl/bbs.crt; ssl_certificate_key /etc/nginx/ssl/bbs.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; [root@test01 nginx]# systemctl restart nginx 重啓一下 [root@test01 nginx]# netstat -ltnp 查看一下有沒有443端口 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4773/nginx: master tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1066/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1645/master tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4773/nginx: master tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1106/php-fpm: maste tcp6 0 0 :::3306 :::* LISTEN 1319/mysqld tcp6 0 0 :::22 :::* LISTEN 1066/sshd tcp6 0 0 ::1:25 :::* LISTEN 1645/master [root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent 防火牆尚未加上443端口,添加一下 FirewallD is not running [root@test01 nginx]# systemctl start firewalld [root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent success [root@test01 nginx]# iptables -nvL |grep 80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW [root@test01 nginx]# iptables -nvL |grep 443 查看一下添加 [root@test01 nginx]# firewall-cmd --reload success [root@test01 nginx]# iptables -nvL |grep 443 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW 還要再本機hosts上192.168.28.107添加bbs.champin.top 而後瀏覽器輸入https://bbs.champin.top 還能夠在另一臺機器訪問。 108 [root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. [root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php -I能夠不加-I curl: (60) Peer's Certificate issuer is not recognized. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. [root@test02 conf.d]# curl -k -H "host:bbs.champin.top" https://192.168.28.107/index.php -I HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 25 Feb 2019 10:01:00 GMT Content-Type: text/html; charset=utf-8 Connection: keep-alive X-Powered-By: PHP/7.3.1 Set-Cookie: eCL1_2132_saltkey=ue3eKcLQ; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure; HttpOnly Set-Cookie: eCL1_2132_lastvisit=1551085260; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure Set-Cookie: eCL1_2132_lastact=1551088860%09index.php%09; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure Set-Cookie: eCL1_2132_onlineusernum=1; expires=Mon, 25-Feb-2019 10:06:00 GMT; Max-Age=300; path=/; secure Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure [root@test02 conf.d]# php-fpm配置 [root@test01 conf.d]# vi bbs.champin.top.conf 把php端口改爲9001 [root@test01 conf.d]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@test01 conf.d]# nginx -s reload 用瀏覽器打開bbs.champin.top 會顯示502 [root@test01 conf.d]# !vi vi bbs.champin.top.conf [1]+ 已中止 vi bbs.champin.top.conf [root@test01 conf.d]# tail /var/log/nginx/error.log 看nginx的錯誤日誌也能夠看出來。 2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/qmenu.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/nv_a.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/search.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/pt_item.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 20:42:18 [notice] 5138#5138: signal process started 2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top" 2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top" [root@test01 conf.d]# cd /usr/local/php-fpm/etc/ [root@test01 etc]# ls pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini [root@test01 etc]# vi php-fpm.conf查看一下 [root@test01 etc]# cd php-fpm.d/ [root@test01 php-fpm.d]# ls www.conf www.conf.default [root@test01 php-fpm.d]# vi www.conf [1]+ 已中止 vi www.conf [root@test01 php-fpm.d]# ps aux |grep php-fpm root 1106 0.0 0.6 230772 6200 ? Ss 07:06 0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf) php-fpm 1116 0.0 1.5 248088 15612 ? S 07:06 0:02 php-fpm: pool www php-fpm 1117 0.0 1.8 331084 18788 ? S 07:06 0:03 php-fpm: pool www root 5153 0.0 0.0 112728 976 pts/1 R+ 20:50 0:00 grep --color=auto php-fpm [root@test01 php-fpm.d]# fg vi www.conf ;listen = 127.0.0.1:9000 改爲這個樣子 listen = /tmp/www.socket [root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t [25-Feb-2019 20:54:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@test01 php-fpm.d]# ls /tmp/www.socket 看看有沒有這樣一個粉紅色的文件 /tmp/www.socket [root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 在nginx配置使用這個socket文件 location ~ \.php$ { root /data/wwwroot/bbs.champin.top; # fastcgi_pass 127.0.0.1:9001; 這兩行修改一下 fastcgi_pass unix:/tmp/www.socket; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name; include fastcgi_params; } [root@test01 php-fpm.d]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@test01 php-fpm.d]# nginx -reload 用瀏覽器刷新HTTPS://bbs.champin.top仍是502 [root@test01 php-fpm.d]# !tail 看一看nginx的錯誤日誌 tail /var/log/nginx/error.log 2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top" 2019/02/25 20:42:18 [notice] 5138#5138: signal process started 2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top" 2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top" 2019/02/25 20:47:02 [notice] 5145#5145: signal process started 2019/02/25 20:54:20 [notice] 5158#5158: signal process started 2019/02/25 21:03:57 [notice] 5187#5187: signal process started 2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top" Permission denied 日誌裏有這類的,多半是權限不到位等 [root@test01 php-fpm.d]# ls -l /tmp/www.socket srw-rw----. 1 root root 0 2月 25 20:55 /tmp/www.socket [root@test01 php-fpm.d]# vi www.conf listen.mode = 0666 定義一下權限改爲0666 [root@test01 php-fpm.d]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t [25-Feb-2019 21:12:54] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful [root@test01 php-fpm.d]# nginx -s reload [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done reload 不行,須要重啓一下,它會先刪除掉tmp下的socket在生成 [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@test01 php-fpm.d]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@test01 php-fpm.d]# vim www.conf 演示一下 php_flag[display_errors] = on 去掉分號,off改爲on [root@test01 php-fpm.d]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@test01 php-fpm.d]# vi /data/wwwroot/bbs.champin.top/forum.php 寫入錯誤的代碼 用瀏覽器打開論壇會直接顯示第幾行代碼出錯 正確作法。 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log 打開錯誤日誌 php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL [root@test01 php-fpm.d]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@test01 php-fpm.d]# touch /var/log/fpm-php.www.log [root@test01 php-fpm.d]# chmod 777 !$ chmod 777 /var/log/fpm-php.www.log [root@test01 php-fpm.d]# cat /var/log/fpm-php.www.log [25-Feb-2019 13:50:51 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 [25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 [25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 [25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 [25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 [25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 錯誤日誌就能顯示出哪裏出錯了 php.ini [root@test01 php-fpm.d]# ls /usr/local/php-fpm/etc/ php.ini路徑 pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini [root@test01 php-fpm.d]# /usr/local/php-fpm/bin/php -i |head 若是不知道路徑能夠這麼查看 phpinfo() PHP Version => 7.3.1 System => Linux test01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 Build Date => Jan 26 2019 00:40:10 Configure Command => './configure' '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--enable-fpm' '--with-fpm-user=php-fpm' '--with-fpm-group=php-fpm' '--with-mysql=/usr/local/mysql5.7' '--with-mysqli=/usr/local/mysql5.7/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql5.7' '--with-mysql-sock=/tmp/mysql.sock' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-ftp' '--enable-mbstring' '--enable-exif' '--with-pear' '--with-curl' '--with-openssl' Server API => Command Line Interface Virtual Directory Support => disabled Configuration File (php.ini) Path => /usr/local/php-fpm/etc Loaded Configuration File => /usr/local/php-fpm/etc/php.ini 還有如下一種方法能夠,也能夠用來測試php能不能解析,用瀏覽器訪問 [root@test01 php-fpm.d]# ls /data/wwwroot/bbs.champin.top/ admin.php archiver crossdomain.xml forum.php index.php member.php portal.php source uc_client api config data group.php install misc.php robots.txt static uc_server api.php connect.php favicon.ico home.php m plugin.php search.php template [root@test01 php-fpm.d]# vim /data/wwwroot/bbs.champin.top/phpinfo.php <?php phpinfo(); ?> 能夠用瀏覽器打開 bbs.champin.top/phpinfo.php的頁面,能夠查看到版本,路徑,配置參數等,能夠拿這個測試能不能解析,可是比較的危險,若是被黑客看到。配置信息盡收眼底 能夠禁用掉 [root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 找到disable_functions disable_functions = phpinfo [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 從新啓動一下或者加載一下。 Reload service php-fpm done 從新刷新一下phpinfo.php頁面就打不開了。 [root@test01 php-fpm.d]# tail /var/log/fpm-php.www.log 看錯誤日誌是有記錄的 [25-Feb-2019 14:56:53 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [root@test01 php-fpm.d]# vim www.conf php_flag[display_errors] = on 把顯示錯誤日誌打開,調式看看 [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@test01 php-fpm.d]# !curl curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php -I 用curl 200 瀏覽器打開白頁 HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Mon, 25 Feb 2019 15:04:42 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive X-Powered-By: PHP/7.3.1 [root@test01 php-fpm.d]# curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php 加上I就顯示200.不加就會顯示出錯誤信息。 <br /> <b>Warning</b>: phpinfo() has been disabled for security reasons in <b>/data/wwwroot/bbs.champin.top/phpinfo.php</b> on line <b>2</b><br /> [root@test01 php-fpm.d]# vim www.conf 先改爲on [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@test01 php-fpm.d]# vim www.conf [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done 配置slow日誌(針對php-fpm) [root@test01 php-fpm.d]# vim www.conf slowlog = /tmp/php.slow 這個用來定義php腳本執行慢的日誌路徑(正常生產環境中不該放在tmp下。) request_slowlog_timeout = 1 這個用來定義超時時間 2秒爲佳 [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done [root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 先打開phpinfo disable_functions = [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 再次重載 Reload service php-fpm done [root@test01 php-fpm.d]# cd /data/wwwroot/bbs.champin.top/ [root@test01 bbs.champin.top]# ls admin.php config favicon.ico index.php misc.php robots.txt template api connect.php forum.php install phpinfo.php search.php uc_client api.php crossdomain.xml group.php m plugin.php source uc_server archiver data home.php member.php portal.php static [root@test01 bbs.champin.top]# vi phpinfo.php <?php phpinfo(); sleep (2); echo 11112; ?> [root@test01 bbs.champin.top]# !curl 實際會停頓2秒鐘。可能感受不明顯 curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php [root@test01 bbs.champin.top]# cat /tmp/php.slow 再去看slow日誌 [25-Feb-2019 23:22:31] [pool www] pid 5392 script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php [0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 [root@test01 bbs.champin.top]# vi phpinfo.php <?php echo 1; sleep (5); echo 11112; ?> [root@test01 bbs.champin.top]# !curl 停頓了5秒才顯示出來 curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php 11112[root@test01 bbs.champin.top]# [root@test01 bbs.champin.top]# !cat cat /tmp/php.slow [25-Feb-2019 23:22:31] [pool www] pid 5392 script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php [0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 [25-Feb-2019 23:31:14] [pool www] pid 5393 script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php [0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 會顯示那個腳本的哪一行執行的慢 [root@test01 bbs.champin.top]# date 2019年 02月 25日 星期一 23:32:44 CST [root@test01 bbs.champin.top]# rm -rvf phpinfo.php 測試機上能夠用,生產環境中堅定避免使用phpinfo 已刪除"phpinfo.php" [root@test01 bbs.champin.top]# vim forum.php 中間增長sleep (10); sleep (10); 用瀏覽器打開http://bbs.champin.top/forum.php,會等待10秒纔會打開,日常用戶打開網頁也會出現這種狀況,當出現這種狀況時,排查就要藉助slowlog用這種方法去排查 [root@test01 bbs.champin.top]# !cat 再看一下日誌,我刷新了兩次,因此記錄的兩條慢日誌 cat /tmp/php.slow [25-Feb-2019 23:22:31] [pool www] pid 5392 script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php [0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 [25-Feb-2019 23:31:14] [pool www] pid 5393 script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php [0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 [25-Feb-2019 23:37:41] [pool www] pid 5392 script_filename = /data/wwwroot/bbs.champin.top/forum.php [0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22 [25-Feb-2019 23:37:49] [pool www] pid 5393 script_filename = /data/wwwroot/bbs.champin.top/forum.php [0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22 [root@test01 bbs.champin.top]# !vi 去掉sleep (10); vim forum.php 配置open_basedir [root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini open_basedir = /home:/root [root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload Reload service php-fpm done 用瀏覽器訪問https://bbs.champin.top 出現No input file specified. 先看看錯誤日誌 [root@test01 bbs.champin.top]# tail /var/log/fpm-php.www.log [25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 15:01:58 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 15:04:42 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 15:04:55 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 15:05:01 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 [25-Feb-2019 15:31:13 UTC] PHP Warning: Use of undefined constant echo1 - assumed 'echo1' (this will throw an Error in a future version of PHP) in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2 在這 [25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/bbs.champin.top/forum.php) is not within the allowed path(s): (/home:/root) in Unknown on line 0 [25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 [root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini open_basedir = /data/wwwroot/bbs.champin.top:/tmp [root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload Reload service php-fpm done 如今用瀏覽器訪問https://bbs.champin.top 能夠打開了。但訪問www.champin.top就502了 先解決一下www.champin.top的502問題 [root@test01 bbs.champin.top]# vi /etc/nginx/conf.d/www.champin.top.conf location ~ \.php$ { root /data/wwwroot/www.champin.top; #fastcgi_pass 127.0.0.1:9001; fastcgi_pass unix:/tmp/www.socket; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /data/wwwroot/www.champin.top$fastcgi_script_name; include fastcgi_params; } 用瀏覽器訪問www.champin.top 也是是出現No input file specified 由於openbesedir沒定義www.champin.top的路徑 能夠在php.ini中 open_basedir裏混合定義這兩個網站的路徑,這樣若是其中一個網站被攻擊,那麼兩個網站都會有安全風險。 另一種方法就是不在php.ini的open_basedir中定義,到php-fpm裏面去定義 [root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini open_basedir = 取消 [root@test01 bbs.champin.top]# cd /usr/local/php-fpm/etc/php-fpm.d/ [root@test01 php-fpm.d]# vim www.conf [root@test01 php-fpm.d]# vim www.conf 先定義好一個 php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp [root@test01 php-fpm.d]# grep -v '^;' www.conf |grep -v '^$' [www] user = php-fpm group = php-fpm listen = /tmp/www.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp [root@test01 php-fpm.d]# vi blog.conf [blog] user = php-fpm group = php-fpm listen = /tmp/blog.socket listen.mode = 0666 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 slowlog = /tmp/php.slow request_slowlog_timeout = 1 php_flag[display_errors] = off php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on php_admin_value[error_reporting] = E_ALL php_admin_value[open_basedir] = /data/wwwroot/www.champin.top:/tmp [root@test01 php-fpm.d]# mv www.conf bbs.conf 爲了更好的區分pool,改爲bbs。pool的名字也改爲bbs [root@test01 php-fpm.d]# vi bbs.conf [www]改爲[bbs] [root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t [26-Feb-2019 00:28:05] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful [root@test01 php-fpm.d]# /etc/init.d/php-fpm restart Gracefully shutting down php-fpm . done Starting php-fpm done [root@test01 php-fpm.d]# ls /tmp/ 多了一個blog.socket文件 blog.socket systemd-private-4dd844f49c7d42aaa3d0ecd231f21905-vmtoolsd.service-wBwXw9 html systemd-private-844c61e19fa44725ac7e2901678bb6b6-vmtoolsd.service-fqEuo8 inittab.txt systemd-private-f76438af452340deb845a63bbbbbba43-vmtoolsd.service-UA99YA mysql.sock www.socket passwd.txt yum_save_tx.2019-02-14.23-03.I5mpYO.yumtx php.slow [root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 改爲bbs.socket listen = /tmp/bbs.socket [root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 這裏也要改爲bbs.socket fastcgi_pass unix:/tmp/bbs.socket; [root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 這裏也要改爲blog.socket fastcgi_pass unix:/tmp/blog.socket; [root@test01 php-fpm.d]# ps aux |grep php-fpm 一個pool一個站點。獨立開來 root 5492 0.0 0.6 230780 6332 ? Ss 00:28 0:00 php-fpm: master process (/usr/local/php-fp/etc/php-fpm.conf) php-fpm 5493 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs php-fpm 5494 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs php-fpm 5495 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog php-fpm 5496 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog root 5509 0.0 0.0 112728 976 pts/1 R+ 00:37 0:00 grep --color=auto php-fpm [root@test01 php-fpm.d]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@test01 php-fpm.d]# nginx -s reload [root@test01 php-fpm.d]# /etc/init.d/php-fpm reload Reload service php-fpm done