
lnmp多用户安全运行环境(chroot)(5)

时间:2014-05-29 11:45来源:网络整理 作者:网络 点击:

chroot = /home/chroot
; Choose how the process manager will control the number of child processes.
pm = static
pm.max_children = 1
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 1
pm.max_requests = 1000
request_terminate_timeout = 120s

; Pass environment variables
env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/bin
env[TMP] = /var/www/tmp
env[TMPDIR] = /var/www/tmp
env[TEMP] = /var/www/tmp

; Specific php ini settings here
; NOTE(review): open_basedir below includes /proc. Inside the chroot that lets PHP
; code read /proc/<pid>/environ, cmdline and maps of every process it can see; keep
; /proc in the list only if some extension actually needs it.
php_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f noreply@evlit.com"
php_admin_value[open_basedir] = ".:/var/www:/proc:/tmp"
php_value[include_path] = ".:/var/www:/var/www/include"
php_value[axis2.log_path] = "/var/www/tmp"
php_value[session_pgsql.sem_file_name] = "/var/www/tmp/php_session_pgsql"
php_value[soap.wsdl_cache_dir] = "/var/www/tmp"
php_value[uploadprogress.file.filename_template] = "/var/www/tmp/upt_%s.txt"
php_value[xdebug.output_dir] = "/var/www/tmp"
php_value[xdebug.profiler_output_dir] = "/var/www/tmp"
php_value[xdebug.trace_output_dir] = "/var/www/tmp"
;php_admin_value[disable_functions] = "exec,system,passthru,shell_exec,ini_alter,dl,proc_open,proc_exec,proc_close,chroot,scandir,chgrp,chown,ini_restore,dbmopen,dbase_open,curl_multi_exec,multi_exec,gzinflate,parse_ini_file,show_source,escapeshellarg,escapeshellcmd,stream_socket_server,popepassthru,pfsockopen,set_time_limit"

; UPLOAD
php_admin_flag[file_uploads] = On
php_admin_value[upload_tmp_dir] = "/var/www/tmp"
;Maximum allowed size for uploaded files.
php_admin_value[upload_max_filesize] = "50M"
php_admin_value[max_input_time] = "120"
php_admin_value[post_max_size] = "50M"

; LOGS
php_admin_value[error_log] = "/var/www/logs/error.log"
php_admin_value[log_errors] = On
php_admin_value[display_errors] = Off
php_admin_value[html_errors] = Off
php_admin_value[display_startup_errors] = Off
php_admin_value[define_syslog_variables] = "1"
php_value[error_reporting] = "6143"

; Maximum amount of time each script may spend parsing request data, in seconds.
; NOTE: max_input_time is already pinned with php_admin_value in the UPLOAD section
; above, so this php_value line is redundant (an admin value cannot be overridden).
php_value[max_input_time] = "120"
; Maximum execution time of each script, in seconds (PHP default: 30)
php_value[max_execution_time] = "300"
; Maximum amount of memory a script may consume (PHP's historical default was 8M)
php_value[memory_limit] = "128M"

; Sessions: IMPORTANT reactivate garbage collector on Debian!!!
php_value[session.gc_maxlifetime] = "3600"
php_admin_value[session.gc_probability] = "1"
php_admin_value[session.gc_divisor] = "100"

; SECURITY
; NOTE(review): disable_functions above is commented out and allow_url_fopen is On,
; so PHP code in this pool can still spawn processes (exec, system, ...) and fetch
; arbitrary URLs (SSRF surface). Re-enable disable_functions and keep
; allow_url_include at its Off default unless the hosted applications need them.
php_admin_value[session.auto_start] = Off
php_admin_value[mbstring.http_input] = pass
php_admin_value[mbstring.http_output] = pass
php_admin_value[mbstring.encoding_translation] = Off
php_admin_value[expose_php] = Off
php_admin_value[allow_url_fopen] = On
php_admin_value[variables_order] = PGCSE

; enforce filling PATH_INFO & PATH_TRANSLATED
; and not only SCRIPT_FILENAME
; NOTE(security): with cgi.fix_pathinfo=1 PHP walks back the requested path until it
; finds an existing file, so a request like /uploads/pic.jpg/x.php would execute
; pic.jpg as PHP if the web server forwards it. Rely on php-fpm's
; security.limit_extensions (default .php) and have nginx try_files the script
; path (=404) before fastcgi_pass.
php_admin_value[cgi.fix_pathinfo] = "1"
; 1: will use PATH_TRANSLATED instead of SCRIPT_FILENAME
php_admin_value[cgi.discard_path] = "0"
EOF

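# Create the web root, hand it to the www user and move it under the chroot,
# leaving a symlink at /var/www so paths outside the chroot keep working.
web_root=/var/www
chroot_dir=/home/chroot

# Spell the directories out: {a,b} brace expansion is a bash-ism that /bin/sh
# (dash) would pass to mkdir literally.
mkdir -p "$web_root/tmp" "$web_root/html" "$web_root/logs" || exit 1
# user:group is the portable form; user.group is a deprecated GNU spelling.
chown -R www:www "$web_root" || exit 1
# 751 keeps directory listing off for "other" while still allowing traversal.
# NOTE(review): tmp (upload_tmp_dir) is left at its umask default here, as in the
# original; tighten it if other chroot users must not read uploaded files.
chmod 751 "$web_root" "$web_root/html" "$web_root/logs"

# Relocation. The original ran "mv; rm -rf /var/www; ln -s": if the mv failed
# (parent directory missing) or the target already existed (mv then nests the
# tree one level deeper), the rm -rf would delete the only copy of the web root.
# Check each step and never delete anything; after a successful mv the old path
# is already gone, so the rm was a no-op in the good case anyway.
if [ -e "$chroot_dir/var/www" ]; then
  printf 'error: %s already exists, refusing to move %s into it\n' \
    "$chroot_dir/var/www" "$web_root" >&2
  exit 1
fi
mkdir -p "$chroot_dir/var" || exit 1
mv "$web_root" "$chroot_dir/var/www" || exit 1
ln -s "$chroot_dir/var/www" "$web_root" || exit 1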

设置fpm.d目录权限,防止被其他用户访问到
# Restrict the pool directory to its owner and group: the pool files name the
# chroot and per-pool PHP settings, so other local users should not read them.
fpm_pool_dir=/usr/local/php5.4/etc/fpm.d
chmod 750 "$fpm_pool_dir"

7、杂项,安装php扩展库和设置php.ini
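# Build the PECL memcache extension against this PHP tree.
# Supply-chain note: the tarball is fetched over the network and compiled as
# root. Use HTTPS so the download cannot be altered in transit, and compare the
# archive against a checksum obtained out of band before building (this page
# publishes no hash, so none is hard-coded here).
src_dir=/usr/local/src
memcache_ver=3.0.6
php_prefix=/usr/local/php5.4

# Every step is guarded: the original only checked make, so a failed cd or
# configure would have run the later steps in the wrong directory or against
# a stale tree.
cd "$src_dir" || exit 1
wget "https://pecl.php.net/get/memcache-$memcache_ver.tgz" || exit 1
tar -zxf "memcache-$memcache_ver.tgz" || exit 1
cd "memcache-$memcache_ver" || exit 1
"$php_prefix/bin/phpize" || exit 1
./configure --with-php-config="$php_prefix/bin/php-config" || exit 1
make && make install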

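# Register the memcache extension in php.ini.
# Bug fix: the original wrote "< <EOF", which is not a here-document -- bash
# rejects it with "syntax error near unexpected token '<'"; the operator is "<<".
# The delimiter is quoted because nothing in the body should be shell-expanded.
#
# Arguments: $1 - path of the php.ini to append to
# Returns:   0 if the section is present afterwards, non-zero if it could not be written
append_memcache_ini() {
  local php_ini=$1
  # Appending blindly duplicates the section on every re-run; skip when present.
  if grep -qF 'extension="memcache.so"' "$php_ini" 2>/dev/null; then
    return 0
  fi
  cat >>"$php_ini" <<'EOF'
; Memcache Setting
extension="memcache.so"
memcache.allow_failover="1"
memcache.max_failover_attempts="20"
memcache.chunk_size="32768"
memcache.default_port="11211"
memcache.hash_strategy="standard"
memcache.hash_function="crc32"

EOF
}

append_memcache_ini /usr/local/php5.4/etc/php.ini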

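# Install ZendGuardLoader, a closed-source binary that is loaded into every PHP
# worker in every pool.
# Supply-chain note: dl.icodex.org is a third-party mirror fetched over plain
# HTTP, so an on-path attacker or a compromised mirror can substitute the .so.
# Prefer the vendor's official download and compare the archive's checksum
# against the published one before copying it in (this page gives no hash, so
# none is hard-coded here).
zgl_src_dir=/usr/local/src
zgl_tarball=ZendGuardLoader-70429-PHP-5.4-linux-glibc23-x86_64.tar.gz
zgl_dest=/usr/local/php5.4/include/php/Zend
php_ini=/usr/local/php5.4/etc/php.ini

cd "$zgl_src_dir" || exit 1
wget -c "http://dl.icodex.org/files/$zgl_tarball" || exit 1
tar -zxf "$zgl_tarball" || exit 1
mkdir -p "$zgl_dest" || exit 1
cp "${zgl_tarball%.tar.gz}/php-5.4.x/ZendGuardLoader.so" "$zgl_dest/" || exit 1

# Bug fix: the original wrote "< <EOF", which is a bash syntax error, not a
# here-document; the operator is "<<". Quoted delimiter: no expansion wanted.
# Appending blindly duplicates the section on every re-run; skip when present.
if ! grep -qF '[ZendGuardLoader]' "$php_ini" 2>/dev/null; then
  cat >>"$php_ini" <<'EOF'
[ZendGuardLoader]
zend_extension="/usr/local/php5.4/include/php/Zend/ZendGuardLoader.so"
zend_loader.enable=1
zend_loader.disable_licensing=0
zend_loader.obfuscation_level_support=3
zend_loader.license_path=
EOF
fi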
