Chinaunix首页 | 论坛 | 博客
  • 博客访问: 133519
  • 博文数量: 11
  • 博客积分: 171
  • 博客等级: 入伍新兵
  • 技术积分: 387
  • 用 户 组: 普通用户
  • 注册时间: 2012-01-18 20:43
文章分类

全部博文(11)

文章存档

2013年(3)

2012年(8)

我的朋友

分类: 网络与安全

2012-02-16 15:56:53

  现在网站的动态程序越来越多,从一方面来说,程序为我们工作的自动化提供了方便,但简便是需要代价的。网站上的动态程序多了,便容易给入侵者利用,通过WEBSHELL控制网站。
  如果网站动态程序主要是用PHP语言编写的,我们可以通过设置php-cgi锁定某个目录,这样,PHP-CGI便只能在这个目录下运行,就算网站被入侵者用webshell控制了,也无法跳转出这个目录。
  假设网站目录为/home/www/,进入/usr/local/php/etc,增加一个文件
vi ,输入如下代码:
  1. All relative paths in this config are relative to php's install prefix
  2. Pid file
  3. /usr/local/php/logs/php-fpm.pid
  4. Error log file
  5. /usr/local/php/logs/php-fpm.log
  6. Log level
  7. notice
  8. When this amount of php processes exited with SIGSEGV or SIGBUS ...
  9. 10
  10. ... in a less than this interval of time, a graceful restart will be initiated.
  11. Useful to work around accidental curruptions in accelerator's shared memory.
  12. 1m
  13. Time limit on waiting child's reaction on signals from master
  14. 5s
  15. Set to 'no' to debug fpm
  16. yes
  17. Name of pool. Used in logs and stats.
  18. default
  19. Address to accept fastcgi requests on.
  20. Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
  21. 127.0.0.1:9000
  22. Set listen(2) backlog
  23. -1
  24. Set permissions for unix socket, if one used.
  25. In Linux read/write permissions must be set in order to allow connections from web server.
  26. Many BSD-derrived systems allow connections regardless of permissions.
  27. 0644
  28. Additional php.ini defines, specific to this pool of workers.
  29. /home/www/:/tmp/:/var/tmp/
  30. Unix user of processes
  31. www
  32. Unix group of processes
  33. www
  34. Process manager settings
  35. Sets style of controling worker process count.
  36. Valid values are 'static' and 'apache-like'
  37. apache-like
  38. Sets the limit on the number of simultaneous requests that will be served.
  39. Equivalent to Apache MaxClients directive.
  40. Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
  41. Used with any pm_style.
  42. 32
  43. Settings group for 'apache-like' pm style
  44. Sets the number of server processes created on startup.
  45. Used only when 'apache-like' pm_style is selected
  46. 20
  47. Sets the desired minimum number of idle server processes.
  48. Used only when 'apache-like' pm_style is selected
  49. 5
  50. Sets the desired maximum number of idle server processes.
  51. Used only when 'apache-like' pm_style is selected
  52. 35
  53. The timeout (in seconds) for serving a single request after which the worker process will be terminated
  54. Should be used when 'max_execution_time' ini option does not stop script execution for some reason
  55. '0s' means 'off'
  56. 30s
  57. The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
  58. '0s' means 'off'
  59. 0s
  60. The log file for slow requests
  61. logs/slow.log
  62. Set open file desc rlimit
  63. 1024
  64. Set max core size rlimit
  65. 0
  66. Chroot to this directory at the start, absolute path
  67. Chdir to this directory at the start, absolute path
  68. Redirect workers' stdout and stderr into main error log.
  69. If not set, they will be redirected to /dev/null, according to FastCGI specs
  70. yes
  71. How much requests each process should execute before respawn.
  72. Useful to work around memory leaks in 3rd party libraries.
  73. For endless request processing please specify 0
  74. Equivalent to PHP_FCGI_MAX_REQUESTS
  75. 1024
  76. Comma separated list of ipv4 addresses of FastCGI clients that allowed to connect.
  77. Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
  78. Makes sense only with AF_INET listening socket.
  79. 127.0.0.1
  80. Pass environment variables like LD_LIBRARY_PATH
  81. All $VARIABLEs are taken from current environment
  82. $HOSTNAME
  83. /usr/local/bin:/usr/bin:/bin
  84. /tmp
  85. /tmp
  86. /tmp
  87. $OSTYPE
  88. $MACHTYPE
  89. 2
其中“127.0.0.1:9000”表示给这个php-cgi进程指定的端口,“/home/www/:/tmp/:/var/tmp/”表示这个端口的php-cgi进程只运行这几个目录以下的PHP程序。然后在/usr/local/php/sbin/php-fpm文件中加入一行代码"$php_fpm_BIN --fpm --fpm-config /usr/local/php/etc/",如下
  1. #! /bin/sh
  2. php_fpm_BIN=/usr/local/php/bin/php-cgi
  3. php_fpm_PID=/usr/local/php/logs/php-fpm.pid
  4. $php_fpm_BIN --fpm --fpm-config /usr/local/php/etc/
  5. ......

  重启php-cgi进程,然后再在nginx.conf中配置这个网站对应的php-cig端口9000,即完成了这个php-cgi进程只运行指定目录下的PHP程序。

阅读(3609) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~