Background: the environment is nginx + php-5.2.17 + FastCGI (php-fpm) 0.5.14, which is exposed to the Nginx file-type misparsing vulnerability; upgrading FastCGI to 0.6 avoids the problem.
Purpose: upgrade FastCGI to version 0.6 or later, to close the security hole that arises when files are uploaded through nginx + php with the PATH_INFO routing mode enabled (cgi.fix_pathinfo = 1 in php.ini).
Other methods: http://blog.s135.com/nginx_0day/
Notes: the upgrade script (see attachment) must be in the same directory as memcache-2.2.5.tgz, eaccelerator-0.9.6.tar.bz2, PDO_MYSQL-1.0.2.tgz, ImageMagick.tar.gz and imagick-2.3.0.tgz, and the versions must match the ones listed here.
Steps:
First run: yum -y install libevent-devel
1. As root, run the script ins_php-5.2.17-fpm-0.5.14-to-0.6.sh
2. Edit /etc/php-fpm.conf with vim, referring to the original /usr/local/php/etc/php-fpm.conf; the changed lines are marked with # comments below:
<?xml version="1.0" ?>
<configuration>
All relative paths in this config are relative to php's install prefix
<section name="global_options">
Pid file
<value name="pid_file">/var/run/php-fpm.pid</value>
Error log file
<value name="error_log">/var/log/php-fpm.log</value>
Log level
<value name="log_level">notice</value>
When this amount of php processes exited with SIGSEGV or SIGBUS ...
<value name="emergency_restart_threshold">10</value>
... in a less than this interval of time, a graceful restart will be initiated.
Useful to work around accidental corruptions in accelerator's shared memory.
<value name="emergency_restart_interval">1m</value>
Time limit on waiting child's reaction on signals from master
<value name="process_control_timeout">5s</value>
Set to 'no' to debug fpm
<value name="daemonize">yes</value>
</section>
<workers>
<section name="pool">
Name of pool. Used in logs and stats.
<value name="name">default</value>
Address to accept fastcgi requests on.
Valid syntax is 'ip.ad.re.ss:port' or just 'port' or '/path/to/unix/socket'
<value name="listen_address">127.0.0.1:9000</value>
<value name="listen_options">
Set listen(2) backlog
<value name="backlog">-1</value>
Set permissions for unix socket, if one used.
In Linux read/write permissions must be set in order to allow connections from web server.
Many BSD-derived systems allow connections regardless of permissions.
# The next two lines change the user and group from nobody to www
<value name="owner">www</value>
<value name="group">www</value>
<value name="mode">0666</value>
</value>
Additional php.ini defines, specific to this pool of workers.
These settings overwrite the values previously defined in the php.ini.
<value name="php_defines">
# Remove the <!-- --> comment markers around the following four lines
<value name="sendmail_path">/usr/sbin/sendmail -t -i</value>
<value name="display_errors">0</value>
<value name="error_log">/var/log/php-error.log</value>
<value name="log_errors">true</value>
</value>
Unix user of processes
<value name="user">www</value> # user changed from nobody to www
Unix group of processes
<value name="group">www</value> # group changed from nobody to www
Process manager settings
<value name="pm">
Sets style of controlling worker process count.
Valid values are 'static' and 'apache-like'
<value name="style">static</value>
Sets the limit on the number of simultaneous requests that will be served.
Equivalent to Apache MaxClients directive.
Equivalent to PHP_FCGI_CHILDREN environment in original php.fcgi
Used with any pm_style.
<value name="max_children">128</value> # value changed from 5 to 128
Settings group for 'apache-like' pm style
<value name="apache_like">
Sets the number of server processes created on startup.
Used only when 'apache-like' pm_style is selected
<value name="StartServers">20</value>
Sets the desired minimum number of idle server processes.
Used only when 'apache-like' pm_style is selected
<value name="MinSpareServers">5</value>
Sets the desired maximum number of idle server processes.
Used only when 'apache-like' pm_style is selected
<value name="MaxSpareServers">35</value>
</value>
</value>
The timeout (in seconds) for serving a single request after which the worker process will be terminated
Should be used when 'max_execution_time' ini option does not stop script execution for some reason
'0s' means 'off'
<value name="request_terminate_timeout">0s</value>
The timeout (in seconds) for serving of single request after which a php backtrace will be dumped to slow.log file
'0s' means 'off'
<value name="request_slowlog_timeout">3s</value> # value changed from 0 to 3, to log responses that take longer than 3s
The log file for slow requests
<value name="slowlog">/var/log/php-fpm.log.slow</value>
Set open file desc rlimit
<value name="rlimit_files">65535</value> # open-file limit, changed from 1024 to 65535
Set max core size rlimit
<value name="rlimit_core">0</value>
Chroot to this directory at the start, absolute path
<value name="chroot"></value>
Chdir to this directory at the start, absolute path
<value name="chdir"></value>
Redirect workers' stdout and stderr into main error log.
If not set, they will be redirected to /dev/null, according to FastCGI specs
<value name="catch_workers_output">yes</value>
How many requests each process should execute before respawn.
Useful to work around memory leaks in 3rd party libraries.
For endless request processing please specify 0
Equivalent to PHP_FCGI_MAX_REQUESTS
<value name="max_requests">500</value>
Comma separated list of ipv4 addresses of FastCGI clients that are allowed to connect.
Equivalent to FCGI_WEB_SERVER_ADDRS environment in original php.fcgi (5.2.2+)
Makes sense only with AF_INET listening socket.
<value name="allowed_clients">127.0.0.1</value>
Pass environment variables like LD_LIBRARY_PATH
All $VARIABLEs are taken from current environment
<value name="environment">
<value name="HOSTNAME">$HOSTNAME</value>
<value name="PATH">/usr/local/bin:/usr/bin:/bin</value>
<value name="TMP">/tmp</value>
<value name="TMPDIR">/tmp</value>
<value name="TEMP">/tmp</value>
<value name="OSTYPE">$OSTYPE</value>
<value name="MACHTYPE">$MACHTYPE</value>
<value name="MALLOC_CHECK_">2</value>
</value>
</section>
</workers>
</configuration>
3. cp /usr/local/php/etc/php.ini /usr/local/php-fpm/etc, then change
extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/"
to: extension_dir = "/usr/local/php-fpm/lib/php/extensions/no-debug-non-zts-20060613/"
4. /sbin/chkconfig --add php-fpm, then /sbin/chkconfig php-fpm on
5. vim /etc/rc.local and comment out the line: #/usr/local/php/sbin/php-fpm start
6. /usr/local/php/sbin/php-fpm stop, then /etc/init.d/php-fpm start
The following are the tests performed to validate this upgrade:
I. Cross-dependency test
After the upgrade, php-fpm 0.6 is in use and the original /usr/local/php path was modified. Verified that /etc/init.d/php-fpm restart works normally and that web pages load normally.
II. phpinfo differences
Obtained with:
/usr/local/php/bin/php -i > /root/fpm-0.5.13
/usr/local/php-fpm/bin/php -i > /root/fpm-0.6
Compared with diff: diff fpm-0.5.13 fpm-0.6
1. Different compile options:
a. The install paths were changed so that the existing php-fpm is not affected and a quick rollback to the old version is possible. 0.5.13 paths: --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc; 0.6 paths: --prefix=/usr/local/php-fpm --with-config-file-path=/usr/local/php-fpm/etc
b. fpm option changed: --enable-fpm in 0.5.13 becomes --with-fpm in 0.6; fpm 0.6 needs libevent at build time, so the new option --with-libevent=shared is added.
c. With the options above changed, building with the remaining original compile options fails with configure: error: cannot compute sizeof (char *), 77; for 0.6, --disable-rpath must be removed. # Reference: http://www.linuxde.net/2011/08/662.html
2. _SERVER["REQUEST_TIME"] differs; this can be ignored. # It is the timestamp of the start of the request, available since PHP 5.1.0, and gives the same result as the time() function.
3. All other differences are due only to the different paths.
Detailed diff:
5,6c5,6
< Build Date => Nov 11 2011 22:46:59
< Configure Command => './configure' '--prefix=/usr/local/php' '--with-config-file-path=/usr/local/php/etc' '--with-mysql=/usr/local/mysql' '--with-mysqli=/usr/local/mysql/bin
/mysql_config' '--with-iconv-dir=/usr/local' '--with-freetype-dir' '--with-jpeg-dir' '--with-png-dir' '--with-zlib' '--with-libxml-dir=/usr' '--enable-xml' '--disable-rpath' '--
enable-discard-path' '--enable-safe-mode' '--enable-bcmath' '--enable-shmop' '--enable-sysvsem' '--enable-inline-optimization' '--with-curl' '--with-curlwrappers' '--enable-mbre
gex' '--enable-fastcgi' '--enable-fpm' '--enable-force-cgi-redirect' '--enable-mbstring' '--with-mcrypt' '--with-gd' '--enable-gd-native-ttf' '--with-openssl' '--with-mhash' '--
enable-pcntl' '--enable-sockets' '--with-ldap' '--with-ldap-sasl' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--enable-ftp'
---
> Build Date => Dec 15 2011 17:45:08
> Configure Command => './configure' '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--with-mysql=/usr/local/mysql' '--with-mysqli=/usr/local/m
ysql/bin/mysql_config' '--with-iconv-dir=/usr/local' '--with-freetype-dir' '--with-jpeg-dir' '--with-png-dir' '--with-zlib' '--with-libxml-dir=/usr' '--enable-xml' '--enable-dis
card-path' '--enable-safe-mode' '--enable-bcmath' '--enable-shmop' '--enable-sysvsem' '--enable-inline-optimization' '--with-curl' '--with-curlwrappers' '--enable-mbregex' '--en
able-fastcgi' '--with-fpm' '--enable-force-cgi-redirect' '--enable-mbstring' '--with-mcrypt' '--with-gd' '--enable-gd-native-ttf' '--with-openssl' '--with-mhash' '--enable-pcntl
' '--enable-sockets' '--with-ldap' '--with-ldap-sasl' '--with-xmlrpc' '--enable-zip' '--enable-soap' '--enable-ftp' '--with-libevent=shared'
9,10c9,10
< Configuration File (php.ini) Path => /usr/local/php/etc
< Loaded Configuration File => /usr/local/php/etc/php.ini
---
> Configuration File (php.ini) Path => /usr/local/php-fpm/etc
> Loaded Configuration File => /usr/local/php-fpm/etc/php.ini
78c78
< include_path => .:/usr/local/php/lib/php => .:/usr/local/php/lib/php
---
> include_path => .:/usr/local/php-fpm/lib/php => .:/usr/local/php-fpm/lib/php
567c567
< _ => /usr/local/php/bin/php
---
> _ => /usr/local/php-fpm/bin/php
592c592
< _SERVER["_"] => /usr/local/php/bin/php
---
> _SERVER["_"] => /usr/local/php-fpm/bin/php
598c598
< _SERVER["REQUEST_TIME"] => 1324265322
---
> _SERVER["REQUEST_TIME"] => 1324265350
624c624
< _ENV["_"] => /usr/local/php/bin/php
---
> _ENV["_"] => /usr/local/php-fpm/bin/php
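As an added example that is not part of this note: a POSIX shell script automating the phpinfo comparison from section II. It maps the /usr/local/php-fpm prefix onto /usr/local/php and drops REQUEST_TIME and Build Date so that only the configure-flag changes remain, then lists the added and removed flags with comm(1). The sample dumps inside are constructed from a few lines of the diff above.

```shell
# Added example, not from the original note: compare two `php -i` dumps after
# normalizing the install prefix and dropping per-run values, so only real
# differences (the configure flags) remain. Prefixes assumed as in the note.
OLD_PREFIX=/usr/local/php
NEW_PREFIX=/usr/local/php-fpm
# normalize_phpinfo FILE: map the new prefix onto the old one and drop the
# entries that differ on every run (REQUEST_TIME, Build Date).
normalize_phpinfo() {
    sed -e "s#${NEW_PREFIX}#${OLD_PREFIX}#g" \
        -e '/REQUEST_TIME/d' -e '/^Build Date =>/d' "$1"
}
# phpinfo_diff OLD NEW: plain diff of the normalized dumps (exit 0 if equal).
phpinfo_diff() {
    _o=$(mktemp) && _n=$(mktemp) || return 2
    normalize_phpinfo "$1" > "$_o"; normalize_phpinfo "$2" > "$_n"
    diff "$_o" "$_n"; _rc=$?; rm -f "$_o" "$_n"; return $_rc
}
# configure_flags FILE: the Configure Command entry as one sorted flag per line.
configure_flags() {
    normalize_phpinfo "$1" | sed -n 's/^Configure Command => //p' \
        | tr ' ' '\n' | sed "s/^'//;s/'\$//" | grep '^--' | sort
}
# flag_diff COMM_OPT OLD NEW: set difference of the two flag lists via comm(1).
flag_diff() {
    _fo=$(mktemp) && _fn=$(mktemp) || return 2
    configure_flags "$2" > "$_fo"; configure_flags "$3" > "$_fn"
    comm "$1" "$_fo" "$_fn"; rm -f "$_fo" "$_fn"
}
added_flags()   { flag_diff -13 "$1" "$2"; }   # flags only in the new build
removed_flags() { flag_diff -23 "$1" "$2"; }   # flags only in the old build
# Constructed sample dumps standing in for /root/fpm-0.5.13 and /root/fpm-0.6.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/old" <<'EOF'
Build Date => Nov 11 2011 22:46:59
Configure Command => './configure' '--prefix=/usr/local/php' '--enable-fpm' '--disable-rpath' '--enable-fastcgi'
Configuration File (php.ini) Path => /usr/local/php/etc
_SERVER["REQUEST_TIME"] => 1324265322
EOF
cat > "$SAMPLE_DIR/new" <<'EOF'
Build Date => Dec 15 2011 17:45:08
Configure Command => './configure' '--prefix=/usr/local/php-fpm' '--with-fpm' '--enable-fastcgi' '--with-libevent=shared'
Configuration File (php.ini) Path => /usr/local/php-fpm/etc
_SERVER["REQUEST_TIME"] => 1324265350
EOF

# Stand-alone run: what actually changed between the two builds.
phpinfo_diff "$SAMPLE_DIR/old" "$SAMPLE_DIR/new" || :
echo "added:";   added_flags   "$SAMPLE_DIR/old" "$SAMPLE_DIR/new"
echo "removed:"; removed_flags "$SAMPLE_DIR/old" "$SAMPLE_DIR/new"
```

For a real comparison, point phpinfo_diff, added_flags and removed_flags at the two dumps written in section II (/root/fpm-0.5.13 and /root/fpm-0.6) instead of the constructed samples.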