Configuring the chroot feature of php-fpm in an nginx + php-fpm environment

  • 2020-05-10 23:11:13
  • OfStack

nginx + php-fpm is one of the most popular combinations for running a PHP environment today. nginx is favoured by many people for its strong concurrency, light weight and speed, and php-fpm is its natural partner because it is secure and processes PHP quickly. php-fpm provides one very important feature, chroot, which can completely confine a given website to one directory. This isolates the site very effectively from the rest of the system and from other virtual hosts, which undoubtedly enhances the security of the system. The following is how to configure it.

We assume the domain name is www.ofstack.com, the web root directory is /home/chroot/www.ofstack.com/web, and the site needs to be confined to /home/chroot/www.ofstack.com.

1. php-fpm.conf configuration

Open the php-fpm.conf file and change the chroot setting to: chroot = /home/chroot/www.ofstack.com

2. nginx configuration

We have confined the www.ofstack.com site to /home/chroot/www.ofstack.com above, so from php-fpm's point of view the site's root directory has become /web. We therefore need to change the root directory address that nginx passes to php-fpm for this site.
Find fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; and change it to fastcgi_param SCRIPT_FILENAME /web$fastcgi_script_name;

3. Create the required directories

cd /home/chroot/www.ofstack.com/
mkdir -p tmp etc bin usr/sbin lib dev/
# device nodes PHP needs inside the chroot (major/minor numbers of the standard Linux devices)
mknod -m 0666 dev/null c 1 3
mknod -m 0666 dev/random c 1 8
mknod -m 0666 dev/urandom c 1 9
mknod -m 0666 dev/zero c 1 5
# world-writable with the sticky bit, like the system /tmp
chmod 1777 tmp

4. Fix domain name resolution

Because the PHP process of www.ofstack.com is now completely confined to one directory, PHP can no longer resolve domain names. Taking a 32-bit system as the example (on 64-bit systems the library files are under lib64 instead), the following steps fix it.

cd /home/chroot/www.ofstack.com/
# resolver configuration read by the libc name service
cp /etc/hosts /etc/resolv.conf /etc/nsswitch.conf etc/
# dynamic loader, libc and the NSS/resolver libraries that libc loads at runtime
cp /lib/{ld-linux.so.2,libc.so.6,libdl.so.2,libnss_dns.so.2,libnss_files.so.2,libresolv.so.2,libtermcap.so.2} lib/

After this, PHP can resolve domain names again.

5. Fix the sendmail function

Likewise, after the chroot, PHP can no longer send mail. We use mini_sendmail to send mail instead, again taking a 32-bit system as the example.


cd /home/chroot/www.ofstack.com/
# a shell and the user/group databases, needed to run sendmail from inside the chroot
cp -P /bin/bash /bin/sh bin
cp /etc/passwd /etc/group etc
# build mini_sendmail outside the chroot, then install it as the chroot's sendmail
cd /tmp
wget http://www.acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
cp mini_sendmail /home/chroot/www.ofstack.com/usr/sbin/sendmail
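The three hand edits in steps 1, 2 and 4 all follow from one rule: paths php-fpm sees are relative to the chroot. The following script is an added example, not part of the original article, that derives the chroot-relative document root, emits the php-fpm and nginx lines for it, refuses a document root that lies outside the chroot (which would make php-fpm 404 every request), and picks lib versus lib64 from the machine type; it assumes the article's layout of /home/chroot/www.ofstack.com with the web root in web/.

```shell
#!/bin/sh
# Added example: compute chroot-relative config for a php-fpm chroot.
# Assumed layout (from the article): chroot=/home/chroot/www.ofstack.com,
# docroot=<chroot>/web.

# Print the document root as php-fpm sees it from inside the chroot
# (/home/chroot/www.ofstack.com/web -> /web). Fails if the docroot is not
# inside the chroot, because php-fpm could never reach such a path.
chroot_docroot() {
    chroot_dir=${1%/}      # drop one trailing slash
    docroot=${2%/}
    case "$docroot" in
        "$chroot_dir"/*) printf '%s\n' "${docroot#"$chroot_dir"}" ;;
        *) printf 'error: %s is not inside %s\n' "$docroot" "$chroot_dir" >&2
           return 1 ;;
    esac
}

# php-fpm pool fragment (step 1): the chroot directive.
fpm_pool_fragment() {
    printf 'chroot = %s\n' "${1%/}"
}

# nginx fragment (step 2): SCRIPT_FILENAME must be relative to the chroot,
# because $document_root is a host path php-fpm can no longer see.
nginx_fastcgi_fragment() {
    rel=$(chroot_docroot "$1" "$2") || return 1
    printf 'fastcgi_param SCRIPT_FILENAME %s$fastcgi_script_name;\n' "$rel"
}

# Library directory to populate in step 4: lib on 32-bit, lib64 on 64-bit.
# Takes the machine type (as printed by uname -m) as its argument.
chroot_libdir() {
    case "$1" in
        x86_64|aarch64) echo lib64 ;;
        *) echo lib ;;
    esac
}
```

Running `nginx_fastcgi_fragment /home/chroot/www.ofstack.com /home/chroot/www.ofstack.com/web` prints exactly the SCRIPT_FILENAME line from step 2.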


6. What are the advantages of chroot over disabled functions (disable_functions)?

The disable_functions setting applies to the whole PHP interpreter: every file that PHP parses is subject to the same list of disabled functions. Website programs differ, so they may need different functions, and the list cannot be set separately for each virtual host. Chroot, on the other hand, can be set per virtual host. For a program that needs special functions, you can turn chroot off for that host so the website keeps working; for a program that does not need to call any special external program, you can turn chroot on; and if you only want to enable one or two specific programs inside the chroot, you can add them as follows. For example, when chroot is on, PHP cannot send mail through sendmail; instead of sendmail, we can use mini_sendmail to restore mail sending.


cd /home/wwwroot/www.ixiqin.com/
cp -P /bin/bash /bin/sh bin
cp /etc/passwd /etc/group etc
cd /tmp
wget http://centos.googlecode.com/files/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
cd mini_sendmail-1.3.6
make
cp mini_sendmail /home/wwwroot/www.ixiqin.com/usr/sbin/sendmail

The commands above compile mini_sendmail in the /tmp directory and then copy the resulting executable to the corresponding location inside the chroot directory, so that mail sending works normally again.

7. What should I pay attention to?

Tip one: in chroot mode, various probe scripts, such as the black probe, will fail and report an error.

Tip two: chroot mode can be used as an online shell emulator, since it is both safe and real.

Taking the above analysis into account, I suggest that, instead of using the rigid disabled-functions approach, we try the more flexible chroot.
