Configuration and usage of the chroot feature in an nginx + php-fpm environment

  • 2020-05-06 12:18:45
  • OfStack

nginx + php-fpm is one of the most popular ways to run a PHP environment today. nginx is favoured for its high concurrency, small footprint and speed, and php-fpm is the best match for it because of its security and fast request handling. php-fpm provides one very useful feature, chroot, which confines a given website to a single directory and so isolates it from the rest of the system and from the other virtual hosts, which is a real gain in security. The configuration is described below.

We assume the domain name is www.jb51.net, the web root directory is /home/chroot/www.jb51.net/web, and the site is to be confined to /home/chroot/www.jb51.net.

1. php-fpm.conf configuration

Open php-fpm.conf (on newer builds the pool file under php-fpm.d) and, in this site's pool section, set chroot = /home/chroot/www.jb51.net. The path must be absolute. The php-fpm master process has to start as root for the chroot() call to succeed; the workers then drop to the pool's user and group inside the new root, so give each chrooted site its own unprivileged user rather than sharing one across pools. Every path the workers use afterwards (session.save_path, upload_tmp_dir, any file a script opens) is interpreted relative to the chroot, so point them at directories that exist inside it.

2. nginx configuration

Because www.jb51.net is now confined to /home/chroot/www.jb51.net, php-fpm sees this site's root directory as /web, so the script path nginx hands to php-fpm must be expressed relative to the chroot rather than to the real filesystem. In the site's nginx configuration find

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

and change it to

fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;

nginx itself is not chrooted, so its root directive keeps the real path /home/chroot/www.jb51.net/web for serving static files; only the path passed to php-fpm changes. If this line is left as it was, php-fpm looks for /home/chroot/www.jb51.net/web/... inside the chroot, where no such directory exists, and every PHP request fails with "Primary script unknown" in the nginx error log.

3. Creating the directories

cd /home/chroot/www.jb51.net/
# skeleton of the chroot: temp dir, config files, shell, sendmail, libraries, devices
mkdir -p tmp etc bin usr/sbin lib dev/
# character devices PHP needs (major 1; minor 3 null, 8 random, 9 urandom, 5 zero);
# mknod needs root and a filesystem that is not mounted with nodev
mknod -m 0666 dev/null c 1 3
mknod -m 0666 dev/random c 1 8
mknod -m 0666 dev/urandom c 1 9
mknod -m 0666 dev/zero c 1 5
# tmp must be world-writable with the sticky bit, as on the host
chmod 1777 tmp

4. Fixing name resolution

Confining the www.jb51.net PHP workers completely to one directory also breaks name resolution: glibc reads /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf at run time and loads the NSS modules (libnss_files, libnss_dns) with dlopen(), and none of these files exist inside the chroot. Taking a 32-bit system as an example (on 64-bit systems the libraries live under lib64, so create lib64 inside the chroot and copy from there), the repair steps are:

cd /home/chroot/www.jb51.net/
# resolver configuration read by glibc inside the chroot
cp /etc/hosts /etc/resolv.conf /etc/nsswitch.conf etc/
# dynamic loader, libc and the resolver/NSS modules (libnss_* are dlopen()ed, so ldd does not list them)
cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libnss_dns.so.2,libnss_files.so.2,libresolv.so.2,libtermcap.so.2}  lib/

After this PHP can resolve domain names again. Distributions that keep libraries elsewhere (for example /lib/x86_64-linux-gnu on Debian and Ubuntu) need the same files copied from that path into the matching directory under the chroot; ldd on a copied binary such as /bin/sh shows where its libraries load from.

5. Fixing the sendmail function

After chrooting, mail can no longer be sent either: PHP's mail() runs the program in sendmail_path (by default /usr/sbin/sendmail -t -i) through /bin/sh, and neither the shell nor sendmail exists inside the chroot. We use mini_sendmail, a small replacement that hands the message to the local SMTP server on port 25, instead. Again taking a 32-bit system as an example:

cd /home/chroot/www.jb51.net/
# a shell for mail()'s popen(); -P keeps /bin/sh as a symlink, which must be relative (sh -> bash) to resolve inside the chroot
cp -P /bin/bash /bin/sh bin
# sendmail looks up the calling user's name; a copy trimmed to the pool user's entries is enough
cp /etc/passwd /etc/group etc
cd /tmp
wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
# install it under the name PHP expects; bash and mini_sendmail also need the libraries copied in step 4
cp mini_sendmail /home/chroot/www.jb51.net/usr/sbin/sendmail
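The whole procedure of steps 1 to 5 as one script, added here as an example and not taken from the article: it builds the chroot tree, copies the resolver files, finds the shared libraries with ldd instead of the fixed 32-bit list (so it also covers 64-bit systems and Debian-style library paths), installs the mini_sendmail binary built in step 5 together with /bin/sh and a passwd copy trimmed to the pool user, and prints the pool and nginx settings that must match the chroot path. The site name and root, the pool user www-data, the socket path and the php_admin_value lines are assumptions, not settings from the article; the build step must run as root, since mknod needs it.

```shell
#!/bin/sh
# build-php-chroot.sh: the chroot tree from steps 3 to 5 for one site, plus the
# php-fpm pool and nginx settings from steps 1 and 2 that must agree with it.
# Added example, not the article's own script. Assumed: the site name and root
# below, a pool user "www-data", and a mini_sendmail binary already built.
set -eu
SITE="${SITE:-www.jb51.net}"
SITE_ROOT="${SITE_ROOT:-/home/chroot/$SITE}"   # becomes chroot = ... in the pool
POOL_USER="${POOL_USER:-www-data}"             # assumption: user the workers run as

# Step 3: directory skeleton; only tmp is world-writable, with the sticky bit.
make_tree() {
    root="$1"
    mkdir -p "$root/web" "$root/tmp" "$root/etc" "$root/bin" \
             "$root/usr/sbin" "$root/lib" "$root/lib64" "$root/dev"
    chmod 1777 "$root/tmp"
}

# Step 3: device nodes (same major/minor numbers as above). Needs root and a
# filesystem not mounted nodev; the -c tests make reruns safe.
make_devices() {
    root="$1"
    [ -c "$root/dev/null" ]    || mknod -m 0666 "$root/dev/null"    c 1 3
    [ -c "$root/dev/zero" ]    || mknod -m 0666 "$root/dev/zero"    c 1 5
    [ -c "$root/dev/random" ]  || mknod -m 0666 "$root/dev/random"  c 1 8
    [ -c "$root/dev/urandom" ] || mknod -m 0666 "$root/dev/urandom" c 1 9
}

# Step 4: resolver files; -L turns a symlinked resolv.conf into a real file.
install_resolver() {
    root="$1"
    for f in /etc/hosts /etc/resolv.conf /etc/nsswitch.conf; do
        if [ -f "$f" ]; then cp -L "$f" "$root/etc/"; fi
    done
}

# Step 4: shared libraries. ldd replaces the fixed 32-bit list, so this works
# on 64-bit systems and on /lib/x86_64-linux-gnu layouts. glibc dlopen()s the
# NSS modules, so ldd never lists them and they are searched for separately.
install_libs() {
    root="$1"; shift
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            mkdir -p "$root$(dirname "$lib")"
            cp -L "$lib" "$root$lib"
        done
    done
    for nss in libnss_dns.so.2 libnss_files.so.2 libresolv.so.2; do
        for dir in /lib /lib64 /lib/x86_64-linux-gnu /lib/i386-linux-gnu /usr/lib /usr/lib64; do
            if [ -f "$dir/$nss" ]; then mkdir -p "$root$dir"; cp -L "$dir/$nss" "$root$dir/"; break; fi
        done
    done
}

# Step 5: mail(). PHP runs sendmail_path through popen(), i.e. /bin/sh -c, so the
# chroot needs a shell, the sendmail replacement, their libraries and a passwd/group
# entry for the pool user; only those accounts are copied, not the whole file.
install_mailer() {
    root="$1"; mini_sendmail="$2"
    cp -L /bin/sh "$root/bin/sh"                 # -L: resolve the dash/bash symlink
    cp "$mini_sendmail" "$root/usr/sbin/sendmail"
    install_libs "$root" /bin/sh "$mini_sendmail"
    grep -E "^(root|$POOL_USER):" /etc/passwd > "$root/etc/passwd"
    grep -E "^(root|$POOL_USER):" /etc/group  > "$root/etc/group"
}

# Steps 1 and 2: the pool chroots to $2, so the path nginx hands to php-fpm is
# relative to the chroot (/web/...), never the real $document_root; session and
# upload temp dirs are pointed inside the chroot as well.
pool_conf() {
    cat <<EOF
[$1]
user = $POOL_USER
group = $POOL_USER
listen = /run/php-fpm-$1.sock
chroot = $2
chdir = /web
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
EOF
}
nginx_conf() {
    cat <<EOF
location ~ \\.php\$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME /web\$fastcgi_script_name;
    fastcgi_pass unix:/run/php-fpm-$1.sock;
}
EOF
}

# Usage, as root: SITE=www.jb51.net sh build-php-chroot.sh build /tmp/mini_sendmail-1.3.6/mini_sendmail
case "${1:-}" in
    build)
        make_tree "$SITE_ROOT"; make_devices "$SITE_ROOT"
        install_resolver "$SITE_ROOT"; install_libs "$SITE_ROOT" /bin/sh
        if [ -n "${2:-}" ]; then install_mailer "$SITE_ROOT" "$2"; fi
        pool_conf "$SITE" "$SITE_ROOT"; nginx_conf "$SITE" ;;
esac
```

Run without arguments the script only defines its functions; the build argument does the work and prints the two configuration fragments to paste into the pool file and the nginx server block. Because it copies only the files the site needs, the script also documents what a compromised script can reach inside the chroot: no other binaries, no system-wide passwd, and no device beyond the four nodes above.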


6. What are the advantages of chroot over disable_functions?

disable_functions applies to the whole PHP interpreter: every script it runs gets the same deny-list of function names. Sites differ, and one may legitimately need a function another should never call, so a single global list is a poor fit (php-fpm does allow a per-pool override through php_admin_value[disable_functions], but it remains a deny-list of names and does nothing to stop a script reading files outside its web root with functions that stay allowed). chroot, by contrast, is set per pool and therefore per virtual host: a site that needs unusual programs can run with chroot off so that it keeps working, a site that calls no special programs runs with chroot on, and a site that needs just one or two specific programs gets copies of them inside its chroot. For example, with chroot on, PHP's mail() function cannot send messages because the sendmail binary it shells out to is not inside the chroot; we put mini_sendmail in its place. The following repeats the steps from section 5 for a site rooted at /home/wwwroot/www.ixiqin.com:


cd /home/wwwroot/www.ixiqin.com/
# shell for mail()'s popen(); -P keeps the sh -> bash symlink
cp -P /bin/bash /bin/sh bin
# user lookup for sendmail; trim to the pool user's entries
cp /etc/passwd /etc/group etc
cd /tmp
wget http://centos.googlecode.com/files/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
# install under the name in sendmail_path, inside the chroot
cp mini_sendmail /home/wwwroot/www.ixiqin.com/usr/sbin/sendmail

The commands above compile mini_sendmail in /tmp and copy the resulting executable to the corresponding location inside the chroot directory, so that mail delivery works again.

What should you pay attention to?

Tip one: in chroot mode, server probe scripts such as the jaheet probe fail with errors, because they read system information from paths like /proc and /etc that are not inside the chroot.

Tip two: chroot mode can also be used as an online shell sandbox: the commands a page runs can only see the chroot tree, so the shell behaves like the real thing while the host stays out of reach.

Based on the above, rather than relying only on a rigid disable_functions list, why not try chroot? Keep in mind what it does and does not do: chroot restricts the workers' view of the filesystem, not their network access, and it holds only while the workers run as an unprivileged user, since a process that gains root can leave a chroot.

