4.50 - Nginx负载均衡
什么是负载均衡?
负载均衡就是,把请求均衡地分发到后端的各个机器上面。
比如,A B C D 四台WEB服务器,现在E要访问这4台服务器,F为Nginx反向代理服务器,可以让F把E的请求均衡地发送到
A B C D 4台服务器上。
配置:
upstream qq_com
{
ip_hash;
server 61.135.157.156:80;
server 125.39.240.113:80;
}
server
{
listen 80;
server_name www.qq.com;
location /
{
proxy_pass http://qq_com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
####################
upstream apelearn
{
ip_hash;
server 115.159.51.96:80 weight=100;
server 47.104.7.242:80;
}
server
{
listen 80;
server_name www.apelearn.com;
location /
{
proxy_pass http://apelearn;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
4.51 - Nginx SSL
Nginx的SSL
让Nginx实现用https来访问网站。http是80端口,https是443端口。
https其实就是一种加密的http。
为什么要加密
举例:咱们要在网上银行汇款,在你汇款过程当中,你会输入银行卡的密码。如果不加密,这些数据在传输过程中就有可能被人
截获。
如果使用了https,那么数据在传输过程中是会加密的。即使抓到了数据包,但是无法破解出来。
知识点:
http 1.1 http 2 (https)
申请证书:
网站:www.wosign.com (沃通)
免费的:freessl.org
注册账号,输入域名,开始申请,在这个过程中需要去加一条TXT的记录
配置:
ssl on;
ssl_certificate /path/to/xxx.crt;
ssl_certificate_key /path/to/xxx.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
curl访问https
curl -k -H "host:bbs.aminglinux.cc" https://192.168.222.128/index.php
扩展链接:
https://github.com/aminglinux/nginx/tree/master/ssl
5.52-5.53 - PHP-FPM配置1/2
PHP-FPM配置文件路径:
/usr/local/php-fpm/etc/php-fpm.conf
包含了一个目录 php-fpm.d/*.conf
www.conf 就是其中子配置文件
www.conf配置讲解
pool 名字: [www] 可以自定义,启动后,ps aux |grep php-fpm 看最右侧,就是pool的名字
listen 指定监听的IP:port或者socket地址
这个地址需要和nginx配置文件里面的那个fastcgi_pass所制定的地址一致,否则就会502
如果监听的是socket文件,那么要保证nginx服务用户(nginx)对该socket文件有读写权限,否则502
listen.mode 指定socket文件的权限
pm = dynamic 动态模式
pm.max_children = 5 最大进程数
pm.start_servers = 2 启动几个子进程
pm.min_spare_servers = 1 空闲时,最少不能少于几个子进程
pm.max_spare_servers = 3 空闲时,最多不能多于几个子进程
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
配置slow 日志
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
配置open_basedir
php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp
配置多个pool
定义多个配置文件,在配置文件中指定不同的listen地址 不同的 [pool_name]
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp
[bbs]
user = php-fpm
group = php-fpm
listen = /tmp/bbs.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.aminglinux.cc:/tmp
查看php.ini路径:
1) /usr/local/php-fpm/bin/php -i |head
2)用phpinfo
补充:
curl -k -H "host:bbs.aminglinux.cc" https://127.0.0.1/phpinfo.php
代码:
nginx负载均衡
108
[root@test02 ~]# cd /etc/nginx/conf.d/
[root@test02 conf.d]# ls
bbs.champin.top.conf default.conf
[root@test02 conf.d]# vi qq.com.conf
upstream apelearn
{
ip_hash;
server 115.159.51.96:80;
server 47.104.7.242:80;
}
server
{
listen 80;
server_name www.apelearn.com;
location /
{
proxy_pass http://apelearn;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
定义权重的话这么写
server 115.159.51.96:80 weight=100; 最高100最小0
server 47.104.7.242:80 weight=10;
因为是虚拟机模拟,要定义一下windows的hosts 192.168.229.129 www.qq.com www.apelearn.com
[root@test02 conf.d]# nginx -t && nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Nginx的SSL
到freessl.cn申请一个免费一年的证书
107
[root@test01 ~]# cd /etc/nginx/
[root@test01 nginx]# ls
conf.d koi-utf mime.types nginx.conf user_passwd win-utf
fastcgi_params koi-win modules scgi_params uwsgi_params
[root@test01 nginx]# mkdir ssl
[root@test01 nginx]# cd ssl
[root@test01 ssl]# vi ca
[root@test01 ssl]# vi bbs.crt
[root@test01 ssl]# vi bbs.key
[root@test01 nginx]# vi conf.d/bbs.champin.top.conf
server {
listen 443 ssl;
server_name bbs.champin.top;
ssl on;
ssl_certificate /etc/nginx/ssl/bbs.crt;
ssl_certificate_key /etc/nginx/ssl/bbs.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@test01 nginx]# systemctl restart nginx 重启一下
[root@test01 nginx]# netstat -ltnp 查看一下有没有443端口
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4773/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1066/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1645/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4773/nginx: master
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1106/php-fpm: maste
tcp6 0 0 :::3306 :::* LISTEN 1319/mysqld
tcp6 0 0 :::22 :::* LISTEN 1066/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1645/master
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent 防火墙还没有加上443端口,添加一下
FirewallD is not running
[root@test01 nginx]# systemctl start firewalld
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent
success
[root@test01 nginx]# iptables -nvL |grep 80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
[root@test01 nginx]# iptables -nvL |grep 443 查看一下添加
[root@test01 nginx]# firewall-cmd --reload
success
[root@test01 nginx]# iptables -nvL |grep 443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
还要再本机hosts上192.168.28.107添加bbs.champin.top
然后浏览器输入https://bbs.champin.top
还可以在另外一台机器访问。
108
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php -I可以不加-I
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@test02 conf.d]# curl -k -H "host:bbs.champin.top" https://192.168.28.107/index.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 10:01:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=ue3eKcLQ; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551085260; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_lastact=1551088860%09index.php%09; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Mon, 25-Feb-2019 10:06:00 GMT; Max-Age=300; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
[root@test02 conf.d]#
php-fpm配置
[root@test01 conf.d]# vi bbs.champin.top.conf 把php端口改成9001
[root@test01 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 conf.d]# nginx -s reload
用浏览器打开bbs.champin.top 会显示502
[root@test01 conf.d]# !vi
vi bbs.champin.top.conf
[1]+ 已停止 vi bbs.champin.top.conf
[root@test01 conf.d]# tail /var/log/nginx/error.log 看nginx的错误日志也可以看出来。
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/qmenu.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/nv_a.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/search.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/pt_item.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
[root@test01 conf.d]# cd /usr/local/php-fpm/etc/
[root@test01 etc]# ls
pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini
[root@test01 etc]# vi php-fpm.conf查看一下
[root@test01 etc]# cd php-fpm.d/
[root@test01 php-fpm.d]# ls
www.conf www.conf.default
[root@test01 php-fpm.d]# vi www.conf
[1]+ 已停止 vi www.conf
[root@test01 php-fpm.d]# ps aux |grep php-fpm
root 1106 0.0 0.6 230772 6200 ? Ss 07:06 0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm 1116 0.0 1.5 248088 15612 ? S 07:06 0:02 php-fpm: pool www
php-fpm 1117 0.0 1.8 331084 18788 ? S 07:06 0:03 php-fpm: pool www
root 5153 0.0 0.0 112728 976 pts/1 R+ 20:50 0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# fg
vi www.conf
;listen = 127.0.0.1:9000 改成这个样子
listen = /tmp/www.socket
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 20:54:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# ls /tmp/www.socket 看看有没有这样一个粉红色的文件
/tmp/www.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 在nginx配置使用这个socket文件
location ~ \.php$ {
root /data/wwwroot/bbs.champin.top;
# fastcgi_pass 127.0.0.1:9001; 这两行修改一下
fastcgi_pass unix:/tmp/www.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name;
include fastcgi_params;
}
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -reload
用浏览器刷新HTTPS://bbs.champin.top还是502
[root@test01 php-fpm.d]# !tail 看一看nginx的错误日志
tail /var/log/nginx/error.log
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
2019/02/25 20:47:02 [notice] 5145#5145: signal process started
2019/02/25 20:54:20 [notice] 5158#5158: signal process started
2019/02/25 21:03:57 [notice] 5187#5187: signal process started
2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top"
Permission denied 日志里有这类的,多半是权限不到位等
[root@test01 php-fpm.d]# ls -l /tmp/www.socket
srw-rw----. 1 root root 0 2月 25 20:55 /tmp/www.socket
[root@test01 php-fpm.d]# vi www.conf
listen.mode = 0666 定义一下权限改成0666
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 21:12:54] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
reload 不行,需要重启一下,它会先删除掉tmp下的socket在生成
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# vim www.conf 演示一下
php_flag[display_errors] = on 去掉分号,off改成on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# vi /data/wwwroot/bbs.champin.top/forum.php 写入错误的代码
用浏览器打开论坛会直接显示第几行代码出错
正确做法。
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log 打开错误日志
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# touch /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# chmod 777 !$
chmod 777 /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# cat /var/log/fpm-php.www.log
[25-Feb-2019 13:50:51 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:53 UTC] PHP Parse error: syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11 错误日志就能显示出哪里出错了
php.ini
[root@test01 php-fpm.d]# ls /usr/local/php-fpm/etc/ php.ini路径
pear.conf php-fpm.conf php-fpm.conf.default php-fpm.d php.ini
[root@test01 php-fpm.d]# /usr/local/php-fpm/bin/php -i |head 如果不知道路径可以这么查看
phpinfo()
PHP Version => 7.3.1
System => Linux test01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
Build Date => Jan 26 2019 00:40:10
Configure Command => './configure' '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--enable-fpm' '--with-fpm-user=php-fpm' '--with-fpm-group=php-fpm' '--with-mysql=/usr/local/mysql5.7' '--with-mysqli=/usr/local/mysql5.7/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql5.7' '--with-mysql-sock=/tmp/mysql.sock' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-ftp' '--enable-mbstring' '--enable-exif' '--with-pear' '--with-curl' '--with-openssl'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/php-fpm/etc
Loaded Configuration File => /usr/local/php-fpm/etc/php.ini
还有以下一种方法可以,也可以用来测试php能不能解析,用浏览器访问
[root@test01 php-fpm.d]# ls /data/wwwroot/bbs.champin.top/
admin.php archiver crossdomain.xml forum.php index.php member.php portal.php source uc_client
api config data group.php install misc.php robots.txt static uc_server
api.php connect.php favicon.ico home.php m plugin.php search.php template
[root@test01 php-fpm.d]# vim /data/wwwroot/bbs.champin.top/phpinfo.php
<?php
phpinfo();
?>
可以用浏览器打开 bbs.champin.top/phpinfo.php的页面,可以查看到版本,路径,配置参数等,可以拿这个测试能不能解析,但是比较的危险,如果被黑客看到。配置信息一览无余
可以禁用掉
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini
找到disable_functions
disable_functions = phpinfo
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 重新启动一下或者加载一下。
Reload service php-fpm done
重新刷新一下phpinfo.php页面就打不开了。
[root@test01 php-fpm.d]# tail /var/log/fpm-php.www.log 看错误日志是有记录的
[25-Feb-2019 14:56:53 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[root@test01 php-fpm.d]# vim www.conf
php_flag[display_errors] = on 把显示错误日志打开,调式看看
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# !curl
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php -I 用curl 200 浏览器打开白页
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 15:04:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
[root@test01 php-fpm.d]# curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php 加上I就显示200.不加就会显示出错误信息。
<br />
<b>Warning</b>: phpinfo() has been disabled for security reasons in <b>/data/wwwroot/bbs.champin.top/phpinfo.php</b> on line <b>2</b><br />
[root@test01 php-fpm.d]# vim www.conf 先改成on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
配置slow日志(针对php-fpm)
[root@test01 php-fpm.d]# vim www.conf
slowlog = /tmp/php.slow 这个用来定义php脚本执行慢的日志路径(正常生产环境中不应放在tmp下。)
request_slowlog_timeout = 1 这个用来定义超时时间 2秒为佳
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini 先打开phpinfo
disable_functions =
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload 再次重载
Reload service php-fpm done
[root@test01 php-fpm.d]# cd /data/wwwroot/bbs.champin.top/
[root@test01 bbs.champin.top]# ls
admin.php config favicon.ico index.php misc.php robots.txt template
api connect.php forum.php install phpinfo.php search.php uc_client
api.php crossdomain.xml group.php m plugin.php source uc_server
archiver data home.php member.php portal.php static
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
phpinfo();
sleep (2);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl 实际会停顿2秒钟。可能感觉不明显
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
[root@test01 bbs.champin.top]# cat /tmp/php.slow 再去看slow日志
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
echo 1;
sleep (5);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl 停顿了5秒才显示出来
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
11112[root@test01 bbs.champin.top]#
[root@test01 bbs.champin.top]# !cat
cat /tmp/php.slow
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:31:14] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3 会显示那个脚本的哪一行执行的慢
[root@test01 bbs.champin.top]# date
2019年 02月 25日 星期一 23:32:44 CST
[root@test01 bbs.champin.top]# rm -rvf phpinfo.php 测试机上可以用,生产环境中坚决避免使用phpinfo
已删除"phpinfo.php"
[root@test01 bbs.champin.top]# vim forum.php 中间增加sleep (10);
sleep (10);
用浏览器打开http://bbs.champin.top/forum.php,会等待10秒才会打开,平常用户打开网页也会出现这种情况,当出现这种情况时,排查就要借助slowlog用这种方法去排查
[root@test01 bbs.champin.top]# !cat 再看一下日志,我刷新了两次,所以记录的两条慢日志
cat /tmp/php.slow
[25-Feb-2019 23:22:31] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:31:14] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:37:41] [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[25-Feb-2019 23:37:49] [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[root@test01 bbs.champin.top]# !vi 去掉sleep (10);
vim forum.php
配置open_basedir
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /home:/root
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
用浏览器访问https://bbs.champin.top 出现No input file specified.
先看看错误日志
[root@test01 bbs.champin.top]# tail /var/log/fpm-php.www.log
[25-Feb-2019 14:56:56 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:01:58 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:42 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:55 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:05:01 UTC] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:31:13 UTC] PHP Warning: Use of undefined constant echo1 - assumed 'echo1' (this will throw an Error in a future version of PHP) in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
在这
[25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/bbs.champin.top/forum.php) is not within the allowed path(s): (/home:/root) in Unknown on line 0
[25-Feb-2019 15:56:44 UTC] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
现在用浏览器访问https://bbs.champin.top 可以打开了。但访问www.champin.top就502了
先解决一下www.champin.top的502问题
[root@test01 bbs.champin.top]# vi /etc/nginx/conf.d/www.champin.top.conf
location ~ \.php$ {
root /data/wwwroot/www.champin.top;
#fastcgi_pass 127.0.0.1:9001;
fastcgi_pass unix:/tmp/www.socket;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/wwwroot/www.champin.top$fastcgi_script_name;
include fastcgi_params;
}
用浏览器访问www.champin.top 也是是出现No input file specified 因为openbesedir没定义www.champin.top的路径
可以在php.ini中 open_basedir里混合定义这两个网站的路径,这样如果其中一个网站被攻击,那么两个网站都会有安全风险。
另外一种方法就是不在php.ini的open_basedir中定义,到php-fpm里面去定义
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = 取消
[root@test01 bbs.champin.top]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@test01 php-fpm.d]# vim www.conf
[root@test01 php-fpm.d]# vim www.conf
先定义好一个
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# grep -v '^;' www.conf |grep -v '^$'
[www]
user = php-fpm
group = php-fpm
listen = /tmp/www.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# vi blog.conf
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/www.champin.top:/tmp
[root@test01 php-fpm.d]# mv www.conf bbs.conf 为了更好的区分pool,改成bbs。pool的名字也改成bbs
[root@test01 php-fpm.d]# vi bbs.conf
[www]改成[bbs]
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[26-Feb-2019 00:28:05] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm done
[root@test01 php-fpm.d]# ls /tmp/ 多了一个blog.socket文件
blog.socket systemd-private-4dd844f49c7d42aaa3d0ecd231f21905-vmtoolsd.service-wBwXw9
html systemd-private-844c61e19fa44725ac7e2901678bb6b6-vmtoolsd.service-fqEuo8
inittab.txt systemd-private-f76438af452340deb845a63bbbbbba43-vmtoolsd.service-UA99YA
mysql.sock www.socket
passwd.txt yum_save_tx.2019-02-14.23-03.I5mpYO.yumtx
php.slow
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 改成bbs.socket
listen = /tmp/bbs.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf 这里也要改成bbs.socket
fastcgi_pass unix:/tmp/bbs.socket;
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf 这里也要改成blog.socket
fastcgi_pass unix:/tmp/blog.socket;
[root@test01 php-fpm.d]# ps aux |grep php-fpm 一个pool一个站点。独立开来
root 5492 0.0 0.6 230780 6332 ? Ss 00:28 0:00 php-fpm: master process (/usr/local/php-fp/etc/php-fpm.conf)
php-fpm 5493 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs
php-fpm 5494 0.0 0.7 230772 7028 ? S 00:28 0:00 php-fpm: pool bbs
php-fpm 5495 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog
php-fpm 5496 0.0 0.6 230772 6320 ? S 00:28 0:00 php-fpm: pool blog
root 5509 0.0 0.0 112728 976 pts/1 R+ 00:37 0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done