4.50 - Nginx load balancing

What is load balancing?

Load balancing means distributing incoming requests evenly across the back-end machines. For example: A, B, C and D are four web servers, E is a client that wants to reach them, and F is an nginx reverse proxy. F can spread E's requests evenly over A, B, C and D.
Configuration:

    upstream qq_com {
        ip_hash;
        server 61.135.157.156:80;
        server 125.39.240.113:80;
    }
    server {
        listen 80;
        server_name www.qq.com;
        location / {
            proxy_pass http://qq_com;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    ####################
    upstream apelearn {
        ip_hash;
        server 115.159.51.96:80 weight=100;
        server 47.104.7.242:80;
    }
    server {
        listen 80;
        server_name www.apelearn.com;
        location / {
            proxy_pass http://apelearn;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

ip_hash pins every request from a given client address to the same backend (needed when sessions live on the backend's local disk). weight is a positive integer, default 1; a backend receives requests in proportion to its weight, and weights are honoured together with ip_hash since nginx 1.3.1/1.2.2. The three proxy_set_header lines pass the original Host header and the client address through to the backend. Note that $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client already sent rather than replacing it, so the backend must not trust the leftmost entry of that header.
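An added example (Python, not part of the original notes) for the backend side of the proxy configuration above. Because $proxy_add_x_forwarded_for appends nginx's view of the client ($remote_addr) to whatever X-Forwarded-For the client sent, the left-hand entries of the header are attacker-controlled, and a backend that reads the first address for logging, rate limiting or IP allow-lists is trivially spoofed. The safe reading walks the list from the right and stops at the first address that is not one of its own proxies. The trusted range 192.168.229.0/24 (the lab network on this page) is an assumption for the example, and the client addresses used are constructed.

```python
# Added example: trusted-proxy parsing of X-Forwarded-For behind nginx.
# Not code from the original notes; the proxy range below is an assumption.
import ipaddress
from typing import Optional

# Assumption for the example: the nginx reverse proxies (F in the text)
# all sit in this network.  Only hops from here are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.229.0/24")]


def proxy_add_x_forwarded_for(incoming: Optional[str], remote_addr: str) -> str:
    """What nginx's $proxy_add_x_forwarded_for produces: append, never replace.

    A client that already sends "X-Forwarded-For: 1.2.3.4" therefore reaches
    the backend as "1.2.3.4, <real client ip>".
    """
    return f"{incoming}, {remote_addr}" if incoming else remote_addr


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never a trusted proxy
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address a backend should log / rate-limit as the client.

    remote_addr is the TCP peer of the backend.  If that is not one of our
    proxies, the header is ignored entirely (a direct connection may carry
    any X-Forwarded-For it likes).  Otherwise the list is walked from the
    right: each trusted proxy is peeled off and the first untrusted address
    is the client as seen by the outermost trusted proxy.  Everything left
    of it was supplied by the client and is discarded.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    # Header absent or every hop was one of our proxies: fall back to the peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 sends a forged header, nginx
    # (192.168.229.129) appends the real address and forwards to the backend.
    header = proxy_add_x_forwarded_for("1.2.3.4", "203.0.113.7")
    print(header, "->", client_ip("192.168.229.129", header))
```

The same rule applies to X-Real-IP: it is safe only because nginx sets it from $remote_addr unconditionally, and only for connections that actually arrive through nginx.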
4.51 - Nginx SSL

Nginx SSL

Make nginx serve the site over https. http uses port 80, https uses port 443. https is simply http carried over an encrypted (TLS) connection.
Why encrypt

Example: when you transfer money through online banking you type in your card password. Without encryption, that data can be intercepted while in transit. With https the data is encrypted in transit, so even if the packets are captured they cannot be read without the session key.
Key points:

HTTP/1.1, HTTP/2 (browsers only negotiate HTTP/2 over https)
Applying for a certificate:

Sites: www.wosign.com (WoSign); free certificates: freessl.org. Register an account, enter the domain and start the application; during the process you must add a TXT record to the domain's DNS to prove you control it.
Configuration:

    server {
        listen 443 ssl;
        ssl on;
        ssl_certificate /path/to/xxx.crt;
        ssl_certificate_key /path/to/xxx.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # server_name and location blocks as in the site's existing server block
    }

Three caveats on this fragment (the enclosing server block and the listen line are the ones used in the session transcript further down). ssl on; is redundant once listen carries the ssl parameter; it was deprecated in nginx 1.15.0 and removed in 1.25.1, so listen 443 ssl; on its own is the form to use. TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless legacy clients must be supported, ssl_protocols TLSv1.2 TLSv1.3; is the setting to deploy. xxx.crt should contain the full chain (site certificate followed by the intermediates) or clients will report an unknown issuer, and xxx.key must be readable only by root (chmod 600), since anyone who can read it can impersonate the site.
Accessing https with curl

curl -k -H "host:bbs.aminglinux.cc" https://192.168.222.128/index.php

-k (--insecure) turns off certificate verification and is only for lab tests; the -H "host:..." trick lets you test a virtual host without DNS, but it sets only the HTTP Host header and not the TLS SNI, so nginx may present its default certificate. curl's --resolve host:443:ip option sets both and is the better way to test a named https vhost by IP.
扩展连接:
https://github.com/aminglinux/nginx/tree/master/ssl
5.52-5.53 - PHP-FPM configuration 1/2

PHP-FPM configuration file path:

/usr/local/php-fpm/etc/php-fpm.conf includes the directory php-fpm.d/*.conf; www.conf is one of those sub-configuration files.

pool name: [www]. It can be customised; after start-up, ps aux |grep php-fpm shows the pool name at the far right of each worker line.
listen: the IP:port or socket path to listen on. It must be identical to the address given by fastcgi_pass in the nginx configuration, otherwise nginx returns 502.
  If a socket file is used, the nginx worker user (nginx) must have read and write permission on it, otherwise 502 as well.
listen.mode: permission bits of the socket file. 0666 makes the socket reachable by every local account, any of which could then submit FastCGI requests to the pool; the least-privilege form is listen.owner = nginx, listen.group = nginx, listen.mode = 0660.
pm = dynamic: dynamic process management
pm.max_children = 5: maximum number of child processes
pm.start_servers = 2: number of children started at launch
pm.min_spare_servers = 1: when idle, never fewer than this many children
pm.max_spare_servers = 3: when idle, never more than this many children
php_flag[display_errors] = off: do not print errors into the HTTP response
php_admin_value[error_log] = /var/log/fpm-php.www.log: write them to this log instead
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL

The php_admin_* forms cannot be overridden by ini_set() from script code, whereas php_flag/php_value can; security-relevant settings belong in the admin form.
Configuring the slow log

slowlog = /tmp/php.slow
request_slowlog_timeout = 1

Any request that runs longer than request_slowlog_timeout seconds gets an entry in slowlog with the script name and the stack at the moment the timeout fired. /tmp is fine for a test box; in production put the log under /var/log.
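An added example (not from the original notes) that parses the slowlog format php-fpm writes with these two settings: a header line with timestamp, pool and pid, a script_filename line, then one stack frame per line with the innermost frame first. The three sample entries are constructed in that format from the sleep() tests shown later on this page; hot_spots() summarises which script and line the pool was stuck on when request_slowlog_timeout fired, which is what you want from a busy log rather than reading entries one by one.

```python
# Added example: parse and summarise a php-fpm slowlog.  Not code from the
# original notes; SAMPLE_SLOWLOG is constructed in the format shown on the page.
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_SLOWLOG = """\
[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3

[25-Feb-2019 23:37:41]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22

[25-Feb-2019 23:37:49]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
"""

# "[timestamp]  [pool NAME] pid N" starts every entry.
HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\[pool (?P<pool>\S+)\] pid (?P<pid>\d+)$")
SCRIPT_RE = re.compile(r"^script_filename = (?P<script>.+)$")
# "[0xADDR] function() /path/file.php:LINE", innermost frame first.
FRAME_RE = re.compile(r"^\[0x[0-9a-fA-F]+\] (?P<func>\S+) (?P<file>.+):(?P<line>\d+)$")

Frame = Tuple[str, str, int]


def parse_slowlog(text: str) -> List[Dict]:
    """Split the log into entries: {ts, pool, pid, script, frames:[(func, file, line)]}."""
    entries: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank separator between entries
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "pool": m["pool"], "pid": int(m["pid"]),
                       "script": None, "frames": []}
            entries.append(current)
            continue
        if current is None:
            continue  # stray text before the first header
        m = SCRIPT_RE.match(line)
        if m:
            current["script"] = m["script"]
            continue
        m = FRAME_RE.match(line)
        if m:
            current["frames"].append((m["func"], m["file"], int(m["line"])))
    return entries


def hot_spots(entries: List[Dict]) -> Counter:
    """Count (script, innermost function, file:line) across all entries.

    The first frame is where the script was executing when the timeout fired,
    so the most frequent key is the first place to look.
    """
    counts: Counter = Counter()
    for e in entries:
        if e["frames"]:
            func, path, line = e["frames"][0]
            counts[(e["script"], func, f"{path}:{line}")] += 1
        else:
            counts[(e["script"], None, None)] += 1
    return counts


if __name__ == "__main__":
    for key, n in hot_spots(parse_slowlog(SAMPLE_SLOWLOG)).most_common():
        print(n, key)
```

On a real server, feed it the file named by slowlog; entries from several pools are distinguished by the pool field, which is the only place the pool name appears when pools share one log file.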
Configuring open_basedir

php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp

open_basedir limits the paths PHP file functions may open to the listed directories (colon-separated); /tmp is included because uploads and sessions are written there. Setting it per pool with php_admin_value means scripts cannot loosen it with ini_set(), and each site is confined to its own document root.
Configuring multiple pools

Create one configuration file per pool, each with a different listen address and a different [pool_name]:

    [blog]
    user = php-fpm
    group = php-fpm
    listen = /tmp/blog.socket
    listen.mode = 0666
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    slowlog = /tmp/php.slow
    request_slowlog_timeout = 1
    php_flag[display_errors] = off
    php_admin_value[error_log] = /var/log/fpm-php.www.log
    php_admin_flag[log_errors] = on
    php_admin_value[error_reporting] = E_ALL
    php_admin_value[open_basedir] = /data/wwwroot/blog.aminglinux.cc:/tmp

    [bbs]
    user = php-fpm
    group = php-fpm
    listen = /tmp/bbs.socket
    listen.mode = 0666
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    slowlog = /tmp/php.slow
    request_slowlog_timeout = 1
    ; left on from the debugging demonstration; the production value is off
    php_flag[display_errors] = on
    php_admin_value[error_log] = /var/log/fpm-php.www.log
    php_admin_flag[log_errors] = on
    php_admin_value[error_reporting] = E_ALL
    php_admin_value[open_basedir] = /data/wwwroot/bbs.aminglinux.cc:/tmp

Each pool gets its own open_basedir, so a script in one site cannot read the other site's files. Two things left shared here are worth separating in practice: both pools write to the same slowlog and error_log (the slow log tags entries with the pool name, the PHP error log does not), and both run as the same user php-fpm, so the only barrier between the sites is the PHP-level open_basedir check. Giving each pool its own user and group adds a boundary that the kernel enforces.
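An added example (not from the original notes) that checks a pool file against the nginx location that feeds it, covering the failure modes from this section: a listen address that differs from fastcgi_pass (502), a world-writable listen.mode (0666 lets any local account send FastCGI requests to the pool; listen.owner/listen.group with 0660 is the least-privilege form), display_errors left on, and a pool with no open_basedir. The two configuration strings are constructed from values on this page, with the pool already renamed to bbs but nginx still pointing at www.socket, which is exactly the mismatch the session transcript runs into.

```python
# Added example: audit a php-fpm pool against the nginx location it serves.
# Not code from the original notes; POOL_CONF and NGINX_CONF are constructed
# from values on this page.
import configparser
import re
from typing import Dict, List

POOL_CONF = """\
[bbs]
user = php-fpm
group = php-fpm
listen = /tmp/bbs.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_flag[display_errors] = on
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
"""

NGINX_CONF = r"""
server {
    listen 443 ssl;
    server_name bbs.champin.top;
    location ~ \.php$ {
        root /data/wwwroot/bbs.champin.top;
        #fastcgi_pass 127.0.0.1:9001;
        fastcgi_pass unix:/tmp/www.socket;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name;
        include fastcgi_params;
    }
}
"""

# "fastcgi_pass unix:/path;" or "fastcgi_pass host:port;" -> the target only.
FASTCGI_PASS_RE = re.compile(r"fastcgi_pass\s+(?:unix:)?(\S+?)\s*;")


def parse_pool(text: str) -> Dict[str, Dict[str, str]]:
    """Pool files are INI; keys such as php_flag[display_errors] are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lower-case keys
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def nginx_backends(text: str) -> List[str]:
    """Every active fastcgi_pass target; commented-out lines are skipped."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = FASTCGI_PASS_RE.search(line)
        if m:
            targets.append(m.group(1))
    return targets


def audit(pool_text: str, nginx_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair looks sane."""
    findings = []
    backends = set(nginx_backends(nginx_text))
    for name, pool in parse_pool(pool_text).items():
        listen = pool.get("listen", "")
        if listen not in backends:
            findings.append(f"[{name}] listen = {listen} but nginx fastcgi_pass targets "
                            f"{sorted(backends)}: nginx will answer 502")
        if listen.startswith("/"):  # unix socket: check its mode (php-fpm default 0660)
            mode = int(pool.get("listen.mode", "0660"), 8)
            if mode & 0o002:
                findings.append(f"[{name}] listen.mode = {mode:04o} is world-writable; "
                                f"use listen.owner/listen.group = nginx and listen.mode = 0660")
        for key in ("php_flag[display_errors]", "php_admin_flag[display_errors]"):
            if pool.get(key, "off").strip().lower() in ("on", "1", "true"):
                findings.append(f"[{name}] {key} = on leaks paths and source lines to "
                                f"visitors; set it off and rely on error_log")
                break
        if "php_admin_value[open_basedir]" not in pool:
            findings.append(f"[{name}] no php_admin_value[open_basedir]: scripts may read "
                            f"any file the pool user can")
    return findings


if __name__ == "__main__":
    for finding in audit(POOL_CONF, NGINX_CONF):
        print(finding)
```

Run it after every change to a pool file or a site's location block; the 502 check is the one that catches the rename in the transcript below, where the pool's listen moved to /tmp/bbs.socket while both nginx server blocks still pointed at the old socket.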
Finding the php.ini path:

1) /usr/local/php-fpm/bin/php -i |head
2) use phpinfo()

php -i reports the CLI SAPI's view; php-fpm -i prints the same information as seen by the FPM binary, which is the one that matters for the web site. Remove any phpinfo page again once the check is done.

Supplement:

curl -k -H "host:bbs.aminglinux.cc" https://127.0.0.1/phpinfo.php
Session transcript:

nginx load balancing (host 108, test02)

[root@test02 ~]# cd /etc/nginx/conf.d/
[root@test02 conf.d]# ls
bbs.champin.top.conf  default.conf
[root@test02 conf.d]# vi qq.com.conf
upstream apelearn {
    ip_hash;
    server 115.159.51.96:80;
    server 47.104.7.242:80;
}
server {
    listen 80;
    server_name www.apelearn.com;
    location / {
        proxy_pass http://apelearn;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
To assign weights, write:
    server 115.159.51.96:80 weight=100;
    server 47.104.7.242:80 weight=10;
weight is a positive integer (default 1) and requests are split in proportion, so this pair is roughly 10:1; there is no upper limit of 100, and 0 is rejected.
Because this is a VM simulation, add the names to the Windows hosts file:
    192.168.229.129 www.qq.com www.apelearn.com
[root@test02 conf.d]# nginx -t && nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Nginx SSL (host 107, test01). Apply for a free one-year certificate at freessl.cn.

[root@test01 ~]# cd /etc/nginx/
[root@test01 nginx]# ls
conf.d  fastcgi_params  koi-utf  koi-win  mime.types  modules  nginx.conf  scgi_params  user_passwd  uwsgi_params  win-utf
[root@test01 nginx]# mkdir ssl
[root@test01 nginx]# cd ssl
[root@test01 ssl]# vi ca             # CA / intermediate certificate from the issuer
[root@test01 ssl]# vi bbs.crt
[root@test01 ssl]# vi bbs.key        # private key: chmod 600 it; root only
[root@test01 nginx]# vi conf.d/bbs.champin.top.conf
server {
    listen 443 ssl;
    server_name bbs.champin.top;
    ssl on;
    ssl_certificate /etc/nginx/ssl/bbs.crt;
    ssl_certificate_key /etc/nginx/ssl/bbs.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ... (rest of the server block unchanged)
[root@test01 nginx]# systemctl restart nginx     # restart
[root@test01 nginx]# netstat -ltnp               # check that 443 is now listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4773/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1066/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1645/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4773/nginx: master
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1106/php-fpm: maste
tcp6       0      0 :::3306                 :::*                    LISTEN      1319/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      1066/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1645/master
(note in passing that mysqld is listening on all interfaces; on a lab box that is harmless, in production bind it to 127.0.0.1 or firewall it)
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent     # 443 is not open in the firewall yet
FirewallD is not running
[root@test01 nginx]# systemctl start firewalld
[root@test01 nginx]# firewall-cmd --add-port=443/tcp --permanent
success
[root@test01 nginx]# iptables -nvL |grep 80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
[root@test01 nginx]# iptables -nvL |grep 443       # nothing yet: --permanent alone does not touch the running rule set
[root@test01 nginx]# firewall-cmd --reload
success
[root@test01 nginx]# iptables -nvL |grep 443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
Add 192.168.28.107 bbs.champin.top to the local hosts file and open https://bbs.champin.top in a browser. It can also be tested from another machine (host 108):

[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@test02 conf.d]# curl -H "host:bbs.champin.top" https://192.168.28.107/index.php -I     # -I is optional
(same certificate error as above)
Error 60 here usually means the server is not sending the intermediate certificate: the "ca" file saved above was never referenced in the configuration. Concatenating it after the site certificate in bbs.crt makes the chain verifiable and -k unnecessary; -k disables verification altogether and belongs in a lab only.
[root@test02 conf.d]# curl -k -H "host:bbs.champin.top" https://192.168.28.107/index.php -I
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 10:01:00 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
Set-Cookie: eCL1_2132_saltkey=ue3eKcLQ; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure; HttpOnly
Set-Cookie: eCL1_2132_lastvisit=1551085260; expires=Wed, 27-Mar-2019 10:01:00 GMT; Max-Age=2592000; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_lastact=1551088860%09index.php%09; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
Set-Cookie: eCL1_2132_onlineusernum=1; expires=Mon, 25-Feb-2019 10:06:00 GMT; Max-Age=300; path=/; secure
Set-Cookie: eCL1_2132_sid=NVB2Vk; expires=Tue, 26-Feb-2019 10:01:00 GMT; Max-Age=86400; path=/; secure
[root@test02 conf.d]#

php-fpm configuration

[root@test01 conf.d]# vi bbs.champin.top.conf     # change the PHP port to 9001 (deliberately wrong, to provoke a 502)
[root@test01 conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 conf.d]# nginx -s reload
Opening bbs.champin.top in a browser now shows 502.
[root@test01 conf.d]# !vi
vi bbs.champin.top.conf
[1]+  Stopped                 vi bbs.champin.top.conf
[root@test01 conf.d]# tail /var/log/nginx/error.log      # the nginx error log shows the reason
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/qmenu.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/nv_a.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/search.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *141 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/pt_item.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *137 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/chart.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:44 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/titlebg.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 18:01:45 [error] 4899#4899: *138 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET /static/image/common/scrolltop.png HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:42:18 [notice] 5138#5138: signal process started
2019/02/25 20:42:55 [error] 5139#5139: *142 access forbidden by rule, client: 192.168.28.1, server: www.aaa.com, request: "GET / HTTP/1.1", host: "bbs.champin.top"
2019/02/25 20:43:09 [error] 5139#5139: *149 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "bbs.champin.top"
[root@test01 conf.d]# cd /usr/local/php-fpm/etc/
[root@test01 etc]# ls
pear.conf  php-fpm.conf  php-fpm.conf.default  php-fpm.d  php.ini
[root@test01 etc]# vi php-fpm.conf        # have a look: it includes php-fpm.d/*.conf
[root@test01 etc]# cd php-fpm.d/
[root@test01 php-fpm.d]# ls
www.conf  www.conf.default
[root@test01 php-fpm.d]# vi www.conf
[1]+  Stopped                 vi www.conf
[root@test01 php-fpm.d]# ps aux |grep php-fpm
root      1106  0.0  0.6 230772  6200 ?        Ss   07:06   0:02 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm   1116  0.0  1.5 248088 15612 ?        S    07:06   0:02 php-fpm: pool www
php-fpm   1117  0.0  1.8 331084 18788 ?        S    07:06   0:03 php-fpm: pool www
root      5153  0.0  0.0 112728   976 pts/1    R+   20:50   0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# fg
vi www.conf
;listen = 127.0.0.1:9000        # change this line to:
listen = /tmp/www.socket
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 20:54:57] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# ls /tmp/www.socket       # the socket file should now exist (ls colours it magenta)
/tmp/www.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf     # point nginx at the socket
location ~ \.php$ {
    root /data/wwwroot/bbs.champin.top;
    # fastcgi_pass 127.0.0.1:9001;            # replaced by the next line
    fastcgi_pass unix:/tmp/www.socket;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/bbs.champin.top$fastcgi_script_name;
    include fastcgi_params;
}
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
Refreshing https://bbs.champin.top in the browser still gives 502.
[root@test01 php-fpm.d]# !tail        # look at the nginx error log again
tail /var/log/nginx/error.log
(the earlier lines as above, then:)
2019/02/25 20:47:02 [notice] 5145#5145: signal process started
2019/02/25 20:54:20 [notice] 5158#5158: signal process started
2019/02/25 21:03:57 [notice] 5187#5187: signal process started
2019/02/25 21:04:06 [crit] 5188#5188: *154 connect() to unix:/tmp/www.socket failed (13: Permission denied) while connecting to upstream, client: 192.168.28.1, server: bbs.champin.top, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/tmp/www.socket:", host: "bbs.champin.top"
"Permission denied" in the log almost always means the socket permissions are wrong:
[root@test01 php-fpm.d]# ls -l /tmp/www.socket
srw-rw----. 1 root root 0 Feb 25 20:55 /tmp/www.socket
[root@test01 php-fpm.d]# vi www.conf
listen.mode = 0666      # set the socket mode to 0666 (the quick fix; listen.owner = nginx, listen.group = nginx with 0660 gives nginx access without opening the socket to every local user)
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[25-Feb-2019 21:12:54] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
A reload is not enough here; php-fpm has to be restarted so that it removes the socket under /tmp and recreates it with the new mode.
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done

Demonstrating display_errors:
[root@test01 php-fpm.d]# vim www.conf
php_flag[display_errors] = on        # remove the leading ; and change off to on
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@test01 php-fpm.d]# vi /data/wwwroot/bbs.champin.top/forum.php       # introduce a syntax error
Opening the forum in a browser now prints the file and line number of the error to every visitor. The correct approach:
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log     # send errors to a log file instead
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@test01 php-fpm.d]# touch /var/log/fpm-php.www.log
[root@test01 php-fpm.d]# chmod 777 !$
chmod 777 /var/log/fpm-php.www.log
(777 is more than needed: chown php-fpm:php-fpm plus chmod 640 lets the pool write the log without making it world-writable)
[root@test01 php-fpm.d]# cat /var/log/fpm-php.www.log
[25-Feb-2019 13:50:51 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
[25-Feb-2019 13:50:52 UTC] PHP Parse error:  syntax error, unexpected 'define' (T_STRING) in /data/wwwroot/bbs.champin.top/forum.php on line 11
(one identical line per request follows)
The error log shows exactly where the failure is.

php.ini
[root@test01 php-fpm.d]# ls /usr/local/php-fpm/etc/        # php.ini location
pear.conf  php-fpm.conf  php-fpm.conf.default  php-fpm.d  php.ini
[root@test01 php-fpm.d]# /usr/local/php-fpm/bin/php -i |head     # if the path is not known, ask php itself
phpinfo()
PHP Version => 7.3.1

System => Linux test01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
Build Date => Jan 26 2019 00:40:10
Configure Command =>  './configure' '--prefix=/usr/local/php-fpm' '--with-config-file-path=/usr/local/php-fpm/etc' '--enable-fpm' '--with-fpm-user=php-fpm' '--with-fpm-group=php-fpm' '--with-mysql=/usr/local/mysql5.7' '--with-mysqli=/usr/local/mysql5.7/bin/mysql_config' '--with-pdo-mysql=/usr/local/mysql5.7' '--with-mysql-sock=/tmp/mysql.sock' '--with-libxml-dir' '--with-gd' '--with-jpeg-dir' '--with-png-dir' '--with-freetype-dir' '--with-iconv-dir' '--with-zlib-dir' '--with-mcrypt' '--enable-soap' '--enable-gd-native-ttf' '--enable-ftp' '--enable-mbstring' '--enable-exif' '--with-pear' '--with-curl' '--with-openssl'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/php-fpm/etc
Loaded Configuration File => /usr/local/php-fpm/etc/php.ini
The other method also tests whether PHP is being parsed at all: a phpinfo page opened in the browser.
[root@test01 php-fpm.d]# ls /data/wwwroot/bbs.champin.top/
admin.php  api  api.php  archiver  config  connect.php  crossdomain.xml  data  favicon.ico  forum.php  group.php  home.php  index.php  install  m  member.php  misc.php  plugin.php  portal.php  robots.txt  search.php  source  static  template  uc_client  uc_server
[root@test01 php-fpm.d]# vim /data/wwwroot/bbs.champin.top/phpinfo.php
<?php
phpinfo();
?>
Opening bbs.champin.top/phpinfo.php shows the version, paths and configuration parameters, so it is a handy parse test, but it is dangerous: an attacker who finds it sees the whole configuration at a glance. It can be disabled:
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini       # find disable_functions
disable_functions = phpinfo
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload      # restart or reload
Reload service php-fpm done
After a refresh phpinfo.php no longer opens, and the error log records the attempt:
[root@test01 php-fpm.d]# tail /var/log/fpm-php.www.log
[25-Feb-2019 14:56:53 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:56:56 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[root@test01 php-fpm.d]# vim www.conf
php_flag[display_errors] = on        # turn error display on again to see what the browser gets
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# !curl
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php -I      # curl reports 200 while the browser shows a blank page
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Mon, 25 Feb 2019 15:04:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/7.3.1
[root@test01 php-fpm.d]# curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php     # with -I only the 200 is shown; without it the warning appears in the body
<br />
<b>Warning</b>:  phpinfo() has been disabled for security reasons in <b>/data/wwwroot/bbs.champin.top/phpinfo.php</b> on line <b>2</b><br />
[root@test01 php-fpm.d]# vim www.conf        # set display_errors back to off
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done

Configuring the slow log (php-fpm):
[root@test01 php-fpm.d]# vim www.conf
slowlog = /tmp/php.slow              # path of the log of slow PHP scripts (not under /tmp in production)
request_slowlog_timeout = 1          # threshold in seconds; 2 is a reasonable production value
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done
[root@test01 php-fpm.d]# vim /usr/local/php-fpm/etc/php.ini      # re-enable phpinfo for the test
disable_functions =
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload      # reload again
Reload service php-fpm done
[root@test01 php-fpm.d]# cd /data/wwwroot/bbs.champin.top/
[root@test01 bbs.champin.top]# ls
admin.php  api  api.php  archiver  config  connect.php  crossdomain.xml  data  favicon.ico  forum.php  group.php  home.php  index.php  install  m  member.php  misc.php  phpinfo.php  plugin.php  portal.php  robots.txt  search.php  source  static  template  uc_client  uc_server
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
phpinfo();
sleep(2);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl        # the request now stalls for 2 seconds, which may be hard to notice
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
[root@test01 bbs.champin.top]# cat /tmp/php.slow       # now look at the slow log
[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[root@test01 bbs.champin.top]# vi phpinfo.php
<?php
echo 1;
sleep(5);
echo 11112;
?>
[root@test01 bbs.champin.top]# !curl        # this time there is a visible 5-second pause before the output
curl -k -H "host:bbs.champin.top" https://127.0.0.1/phpinfo.php
11112[root@test01 bbs.champin.top]#
[root@test01 bbs.champin.top]# !cat
cat /tmp/php.slow
[25-Feb-2019 23:22:31]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
[25-Feb-2019 23:31:14]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/phpinfo.php
[0x00007fbd9f4200a0] sleep() /data/wwwroot/bbs.champin.top/phpinfo.php:3
The slow log names the script and the exact line that was executing when the timeout fired.
[root@test01 bbs.champin.top]# date
Mon Feb 25 23:32:44 CST 2019
[root@test01 bbs.champin.top]# rm -rvf phpinfo.php     # fine on a test machine; in production never leave a phpinfo page behind
removed 'phpinfo.php'
[root@test01 bbs.champin.top]# vim forum.php        # add sleep(10); in the middle of the file
sleep(10);
Opening http://bbs.champin.top/forum.php now takes 10 seconds. Real users see this kind of delay too, and when they do, the slow log is how you find the cause.
[root@test01 bbs.champin.top]# !cat       # refreshed twice, so two new entries
cat /tmp/php.slow
(the two earlier entries, then:)
[25-Feb-2019 23:37:41]  [pool www] pid 5392
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[25-Feb-2019 23:37:49]  [pool www] pid 5393
script_filename = /data/wwwroot/bbs.champin.top/forum.php
[0x00007fbd9f41d420] sleep() /data/wwwroot/bbs.champin.top/forum.php:22
[root@test01 bbs.champin.top]# !vi         # remove the sleep(10); again
vim forum.php

Configuring open_basedir
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /home:/root
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
Browsing to https://bbs.champin.top now returns "No input file specified." Check the error log first:
[root@test01 bbs.champin.top]# tail /var/log/fpm-php.www.log
[25-Feb-2019 14:56:56 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:57:02 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 14:58:19 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:01:58 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:42 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:04:55 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:05:01 UTC] PHP Warning:  phpinfo() has been disabled for security reasons in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:31:13 UTC] PHP Warning:  Use of undefined constant echo1 - assumed 'echo1' (this will throw an Error in a future version of PHP) in /data/wwwroot/bbs.champin.top/phpinfo.php on line 2
[25-Feb-2019 15:56:44 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/wwwroot/bbs.champin.top/forum.php) is not within the allowed path(s): (/home:/root) in Unknown on line 0      <- here it is
[25-Feb-2019 15:56:44 UTC] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 bbs.champin.top]# /etc/init.d/php-fpm reload
Reload service php-fpm done
https://bbs.champin.top opens again, but www.champin.top now returns 502. Fix that first:
[root@test01 bbs.champin.top]# vi /etc/nginx/conf.d/www.champin.top.conf
location ~ \.php$ {
    root /data/wwwroot/www.champin.top;
    #fastcgi_pass 127.0.0.1:9001;
    fastcgi_pass unix:/tmp/www.socket;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/www.champin.top$fastcgi_script_name;
    include fastcgi_params;
}
www.champin.top now also shows "No input file specified", because open_basedir does not include its document root. Both sites' paths could be combined in the single open_basedir in php.ini, but then a compromise of either site exposes both. The better option is to leave open_basedir unset in php.ini and define it per pool in php-fpm:
[root@test01 bbs.champin.top]# vim /usr/local/php-fpm/etc/php.ini
open_basedir =            # cleared
[root@test01 bbs.champin.top]# cd /usr/local/php-fpm/etc/php-fpm.d/
[root@test01 php-fpm.d]# vim www.conf       # define the first pool's restriction
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# grep -v '^;' www.conf |grep -v '^$'
[www]
user = php-fpm
group = php-fpm
listen = /tmp/www.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/bbs.champin.top:/tmp
[root@test01 php-fpm.d]# vi blog.conf
[blog]
user = php-fpm
group = php-fpm
listen = /tmp/blog.socket
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
slowlog = /tmp/php.slow
request_slowlog_timeout = 1
php_flag[display_errors] = off
php_admin_value[error_log] = /var/log/fpm-php.www.log
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_value[open_basedir] = /data/wwwroot/www.champin.top:/tmp
[root@test01 php-fpm.d]# mv www.conf bbs.conf      # rename so that file and pool name identify the site
[root@test01 php-fpm.d]# vi bbs.conf                # change [www] to [bbs]
[root@test01 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[26-Feb-2019 00:28:05] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful
[root@test01 php-fpm.d]# /etc/init.d/php-fpm restart
Gracefully shutting down php-fpm . done
Starting php-fpm  done
[root@test01 php-fpm.d]# ls /tmp/        # blog.socket has appeared
blog.socket  html  inittab.txt  mysql.sock  passwd.txt  php.slow  systemd-private-4dd844f49c7d42aaa3d0ecd231f21905-vmtoolsd.service-wBwXw9  systemd-private-844c61e19fa44725ac7e2901678bb6b6-vmtoolsd.service-fqEuo8  systemd-private-f76438af452340deb845a63bbbbbba43-vmtoolsd.service-UA99YA  www.socket  yum_save_tx.2019-02-14.23-03.I5mpYO.yumtx
[root@test01 php-fpm.d]# vi bbs.conf      # change the socket to bbs.socket (the notes name www.champin.top.conf here, but listen is a pool directive, so the edit belongs in bbs.conf)
listen = /tmp/bbs.socket
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/bbs.champin.top.conf      # must be changed to bbs.socket here as well
fastcgi_pass unix:/tmp/bbs.socket;
[root@test01 php-fpm.d]# vi /etc/nginx/conf.d/www.champin.top.conf      # and here to blog.socket
fastcgi_pass unix:/tmp/blog.socket;
[root@test01 php-fpm.d]# ps aux |grep php-fpm        # one pool per site, separated from each other
root      5492  0.0  0.6 230780  6332 ?        Ss   00:28   0:00 php-fpm: master process (/usr/local/php-fpm/etc/php-fpm.conf)
php-fpm   5493  0.0  0.7 230772  7028 ?        S    00:28   0:00 php-fpm: pool bbs
php-fpm   5494  0.0  0.7 230772  7028 ?        S    00:28   0:00 php-fpm: pool bbs
php-fpm   5495  0.0  0.6 230772  6320 ?        S    00:28   0:00 php-fpm: pool blog
php-fpm   5496  0.0  0.6 230772  6320 ?        S    00:28   0:00 php-fpm: pool blog
root      5509  0.0  0.0 112728   976 pts/1    R+   00:37   0:00 grep --color=auto php-fpm
[root@test01 php-fpm.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@test01 php-fpm.d]# nginx -s reload
[root@test01 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm done