sunboyu-amp-fastcgi-suexec-v21-alpha released

Author: admin, 2008-12-15 21:58:14

Automated install script V2.1 for Apache, MySQL, PHP, mod_fcgid and suexec on Linux
1. Added the PHP --enable-bcmath option (arbitrary-precision math library)
2. Added ncurses, a MySQL build dependency
3. Added the Apache --enable-so option (loadable modules)

sunboyu-amp-fastcgi-suexec-v21-alpha

This script runs cleanly as root on a minimal CentOS 4.7 install from the Server CD.

linux_apache_php_mysql_fcgid_suexec: an efficient and secure hosting configuration

Author: admin, 2008-11-08 22:35:05

linux+apache+php+mysql+fcgid+suexec: efficient and secure hosting configuration

Lately I have been studying web server setup and hardening, and have basically finished the security settings for four install modes:
under Windows 2003
iis+php(isapi)
apache+php(mod)
under Linux
apache+php(mod)
apache+php(fastcgi)
Some performance tuning is involved, but I had no real environment to test it in, so I only cover the method rather than specific applications; the real effort went into security.
Below I go through the most involved of these, apache+php(fastcgi), in detail, to show how to configure a secure virtual hosting system.

Test environment:

CentOS5
Apache2.2.9
Mysql5.0.22
PHP5.2.6
Fcgid2.4.6

Script needed: sunboyu-amp-fastcgi-suexec-v20-alpha

First run the install script sunboyu-amp-fastcgi-v20-fcgid-suexec-alpha.txt.
Note: I set up a package mirror on my own server; if it is slow for you, download the packages locally first and edit the script to install from there.

Once the script has run through, Apache starts, but requests return a permission error; the rest is mainly about getting the permissions right.
The steps are shown as commands, which is what technical readers are used to.
1. vi /opt/httpd-2.2.9/conf/httpd.conf

Change
User daemon
Group daemon
to
User apache
Group apache
(The apache account must exist on the system. suexec only accepts calls from the user it was built with via --with-suexec-caller, so the User directive has to match the AP_HTTPD_USER value printed by /opt/httpd-2.2.9/bin/suexec -V.)

Remove the # in front of #Include conf/extra/httpd-vhosts.conf so the vhost file is loaded.

2. Add an account for the virtual site

groupadd www
useradd -g www www

There should now be a /home/www directory (the account's home).

3. vi /opt/httpd-2.2.9/conf/extra/httpd-vhosts.conf

Comment out or delete the example site definitions and add one like this (Apache does not accept comments on the same line as a directive, so the notes are on their own lines):

<VirtualHost *:80>
    # run this site's php-cgi processes as www:www instead of as the Apache user;
    # be sure you understand what this does before using it
    SuexecUserGroup www www
    ServerAdmin sunboyu@gmail.com
    DocumentRoot "/home/www/php-cgi"
    # the IP I tested with; in practice this should be your domain name
    ServerName 192.168.0.5
    # alias
    ServerAlias www.dummy-host.example.com
    # logs, under a name unique to this site
    ErrorLog "logs/dummy-host.example.com-error_log"
    CustomLog "logs/dummy-host.example.com-access_log" common

    <Directory "/home/www/php-cgi">
        # after compiling apache I added two modules, fastcgi and fcgid; the latter
        # is written by a Chinese developer and is more stable and easier to use than fastcgi
        SetHandler fcgid-script
        # php-cgi here is a wrapper script under the site directory, created below
        FCGIWrapper /home/www/php/php-cgi .php
        Options ExecCGI
        Allow from all
    </Directory>
</VirtualHost>

Then :x to save and quit.

4. Create the wrapper script /home/www/php/php-cgi

vi /home/www/php/php-cgi
with this content:
#!/bin/sh
# directory holding this site's own php.ini (PHPRC names the directory, not the file)
export PHPRC=/home/www/php-cgi
# children each php-cgi process forks; mod_fcgid sends one request at a time to
# each process it spawns, so its documentation recommends 0 here
export PHP_FCGI_CHILDREN=5
# requests a process serves before it exits and is respawned (limits leaks)
export PHP_FCGI_MAX_REQUESTS=5000
# exec so php-cgi replaces the shell rather than running as its child
exec /opt/php-5.2.6/bin/php-cgi

:x

5. Create a separate php.ini for the site
cp /opt/php-5.2.6/lib/php.ini /home/www/php-cgi/php.ini

6. Set PHP's open_basedir

In /home/www/php-cgi/php.ini find open_basedir and change it to
open_basedir = /home/www/php
open_basedir is matched as a path prefix, so /home/www/php also admits /home/www/php-cgi; end the value with a slash (/home/www/php/) to limit it to that directory. Whatever value you use must cover the site's DocumentRoot, or every script fails with an open_basedir restriction error.
Note: parameters such as safe_mode_exec_dir should also be set if you want a really paranoid level of security, but I am not that paranoid yet.

7. Set permissions
chgrp apache /opt/httpd-2.2.9/bin/suexec
chmod 4750 /opt/httpd-2.2.9/bin/suexec
chown www:www -R /home/www
chmod 755 -R /home/www
chmod 700 -R /home/www/php-cgi/php-cgi

suexec has to be setuid root; the "paranoid permissions" setting in the Apache suexec documentation makes it group-owned by the web server's group with mode 4750, so that only the Apache user can execute it (chgrp root with mode 4751 leaves it executable by every local user). The chown/chmod lines satisfy what suexec checks on the wrapper itself: the file and its directory must be owned by the SuexecUserGroup pair and must not be writable by group or others. Note that step 4 creates the wrapper under /home/www/php/ while this step chmods it under /home/www/php-cgi/; use one location for the wrapper in step 3's FCGIWrapper, in step 4 and here.

8. Restart
service httpd restart

9. If you see the test page, upload a PHP web shell and use it to probe what the site can read and execute, to confirm the permission boundary.
If Apache will not even start, check httpd's error_log and suexec_log and look the message up. The usual suexec_log entries map directly to a setting: "calling user mismatch" means the User directive does not match the --with-suexec-caller the binary was built with; "command not in docroot" means the wrapper is outside --with-suexec-docroot, which defaults to Apache's own htdocs directory rather than /home; "uid/gid mismatch" and "writable by others" point at the chown/chmod of step 7. /opt/httpd-2.2.9/bin/suexec -V prints the compiled-in values.
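A pre-flight check for the wrapper, added here as an example; it is not from the original post or from the sunboyu scripts. It reproduces the conditions suexec enforces on the file it is asked to run (ownership by the SuexecUserGroup pair, no group/other write bit on the file or its directory, no setuid/setgid, executable, located under the compiled-in AP_DOC_ROOT), so the reason for a suexec_log complaint can be found without restarting Apache. It assumes GNU coreutils stat(1) and that the document root passed in is the AP_DOC_ROOT value read from `suexec -V`. The demo layout it builds (wrapper php-cgi/php-cgi with mode 700 inside a mode 755 directory) follows steps 4 and 7 of the post; the paths inside the generated wrapper and the site user www are the post's values used as placeholders.

```shell
#!/bin/sh
# Pre-flight check for a suexec wrapper (added example, not from the original post).
# Reproduces the checks suexec performs on the target before switching user:
# the wrapper and its directory must be owned by the SuexecUserGroup pair and
# must not be writable by group or others, the wrapper must not be setuid/setgid
# and must be executable, and the directory must lie under the compiled-in
# AP_DOC_ROOT (--with-suexec-docroot, shown by "suexec -V").
# Assumes GNU coreutils stat(1).

# suexec_preflight WRAPPER USER GROUP DOCROOT
# Prints one "FAIL:" line per violated check; returns 0 only if all pass.
suexec_preflight() {
    wrapper=$1 want_user=$2 want_group=$3 docroot=$4
    rc=0
    [ -f "$wrapper" ] || { echo "FAIL: $wrapper does not exist"; return 1; }
    # suexec chdirs into the directory and compares the real path, so resolve symlinks
    dir=$(cd "$(dirname "$wrapper")" && pwd -P)
    real_docroot=$(cd "$docroot" 2>/dev/null && pwd -P) || real_docroot=$docroot

    case "$dir/" in
        "$real_docroot"/*) ;;
        *) echo "FAIL: $dir is outside the suexec docroot $real_docroot"; rc=1 ;;
    esac

    for path in "$dir" "$wrapper"; do
        owner=$(stat -c '%U:%G' "$path")
        [ "$owner" = "$want_user:$want_group" ] ||
            { echo "FAIL: $path is owned by $owner, not $want_user:$want_group"; rc=1; }
        # symbolic mode is 10 chars: type, user rwx, group rwx, other rwx
        case $(stat -c '%A' "$path") in
            ?????w????|????????w?)
                echo "FAIL: $path is writable by group or others"; rc=1 ;;
        esac
    done

    perm=$(stat -c '%A' "$wrapper")
    case $perm in
        ???[sS]??????|??????[sS]???) echo "FAIL: $wrapper is setuid or setgid"; rc=1 ;;
    esac
    case $perm in
        ???x??????) ;;
        *) echo "FAIL: $wrapper is not executable by its owner"; rc=1 ;;
    esac
    return $rc
}

# make_demo_site ROOT: lay out ROOT/php-cgi/php-cgi the way steps 4 and 7 do
# (wrapper mode 700 inside a mode 755 directory) and print the wrapper path.
# The paths inside the wrapper are the post's values, used here as placeholders.
make_demo_site() {
    root=$1
    mkdir -p "$root/php-cgi"
    cat > "$root/php-cgi/php-cgi" <<'EOF'
#!/bin/sh
export PHPRC=/home/www/php-cgi
export PHP_FCGI_CHILDREN=0
export PHP_FCGI_MAX_REQUESTS=5000
exec /opt/php-5.2.6/bin/php-cgi
EOF
    chmod 755 "$root/php-cgi"
    chmod 700 "$root/php-cgi/php-cgi"
    echo "$root/php-cgi/php-cgi"
}

# Usage on a real host (user/group from the vhost's SuexecUserGroup, docroot
# from "suexec -V"):
#   sh suexec_preflight.sh /home/www/php-cgi/php-cgi www www /home
if [ $# -eq 4 ]; then
    suexec_preflight "$1" "$2" "$3" "$4" && echo "OK: suexec should accept $1"
fi
```

Run it as root against the real wrapper whenever suexec_log fills up after a permissions change; each FAIL line names the exact step of the procedure above that has to be redone.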

Summary: I am lazy; after I got the whole thing working I wrote no documentation, but seeing that there is little material of this kind online, and that some of it misses the essentials (such as the permission setup and a reasonably complete explanation), my notes above record my own understanding of the points that are not explained anywhere. To really understand it you will still have to go through the manual and Google line by line. Also, I did not write this while doing it; I wrote it blind from my earlier configuration, so there are probably quite a few mistakes, but it is better than nothing. If anyone finds that this setup is still insecure, please point it out, because I hold myself to a high standard on security.
For discussion, join this MSN group: lampper@live.cn (just add it as an MSN contact).

sunboyu-amp-fastcgi-V1.0 Alpha released

Author: admin, 2008-07-24 14:04:45

sunboyu-amp-fastcgi-v10-alpha

Everything is basically configured, but the whole flow is not yet fully automated; a stable version will follow in due course.
#!/bin/sh
# author:sunboyu@gmail.com
# qq:176300676 msn:sunboyu@gmail.com
# http://www.sunboyu.cn
#
# Builds Apache 2.2.9, MySQL 5.0.22, PHP 5.2.6, mod_fastcgi and mod_fcgid from
# source under /opt on CentOS. Run as root. Every build step exits if it cannot
# enter its source directory, so a failed download cannot leave make running
# in the wrong place.

h_path="/root/"
url="http://www.sunboyu.cn/sourse/"
install_dir="/opt/"
mkdir -p "$install_dir"

termcap_sourse_name="termcap-1.3.1"

mysql_sourse_name="mysql-5.0.22"
mysql_install_dir=$install_dir$mysql_sourse_name

openssl_sourse_name="openssl-0.9.8g"
openssl_install_dir=$install_dir$openssl_sourse_name

httpd_sourse_name="httpd-2.2.9"
httpd_install_dir=$install_dir$httpd_sourse_name

fastcgi_sourse_name="mod_fastcgi-2.4.6"
fastcgi_install_dir=$install_dir$fastcgi_sourse_name

fcgid_sourse_name="mod_fcgid.2.2"

libxml2_sourse_name="libxml2-2.6.30"
libxml2_install_dir=$install_dir$libxml2_sourse_name

zlib_sourse_name="zlib-1.2.3"

jpeg_sourse_name="jpegsrc.v6b"
jpeg_install_dir=$install_dir$jpeg_sourse_name

libpng_sourse_name="libpng-1.2.29"
libpng_install_dir=$install_dir$libpng_sourse_name

freetype_sourse_name="freetype-2.3.7"
freetype_install_dir=$install_dir$freetype_sourse_name

php_sourse_name="php-5.2.6"
php_install_dir=$install_dir$php_sourse_name

gd_sourse_name="gd-2.0.36RC1"
gd_install_dir=$install_dir$gd_sourse_name

### termcap (MySQL dependency)
wget "${url}${termcap_sourse_name}.tar.gz"
tar -zxvf "${termcap_sourse_name}.tar.gz"
cd "$termcap_sourse_name" || exit 1
./configure
make && make install
cd ..
#rm -rf ${termcap_sourse_name}*
### openssl
wget "${url}${openssl_sourse_name}.tar.gz"
tar -zxvf "${openssl_sourse_name}.tar.gz"
cd "$openssl_sourse_name" || exit 1
# ./config detects the platform; ./Configure needs the target name as an argument
./config --prefix="$openssl_install_dir"
make && make install
cd ..
#rm -rf ${openssl_sourse_name}*
### libxml2
wget "${url}${libxml2_sourse_name}.tar.gz"
tar -zxvf "${libxml2_sourse_name}.tar.gz"
cd "$libxml2_sourse_name" || exit 1
./configure --prefix="$libxml2_install_dir"
make && make install
cd ..
#rm -rf ${libxml2_sourse_name}*
### zlib
wget "${url}${zlib_sourse_name}.tar.gz"
tar -zxvf "${zlib_sourse_name}.tar.gz"
cd "$zlib_sourse_name" || exit 1
./configure
make && make install
cd ..
cp /usr/lib/libz.so.1 /usr/lib/libz.so
#rm -rf ${zlib_sourse_name}*
### jpeg
wget "${url}${jpeg_sourse_name}.tar.gz"
tar -zxvf "${jpeg_sourse_name}.tar.gz"
cd jpeg-6b || exit 1
./configure
# jpeg's make install does not create the man page directory itself
mkdir -p /usr/local/man/man1/
make && make install
cp /usr/lib/libjpeg.so.62 /usr/lib/libjpeg.so
cp jpeglib.h /usr/include/jpeglib.h
cp jconfig.h /usr/include/jconfig.h
cp jmorecfg.h /usr/include/jmorecfg.h
cp jerror.h /usr/include/jerror.h
cd ..
#rm -rf ${jpeg_sourse_name}.tar.gz
#rm -rf jpeg-6b
### libpng
wget "${url}${libpng_sourse_name}.tar.gz"
tar -zxvf "${libpng_sourse_name}.tar.gz"
cd "$libpng_sourse_name" || exit 1
./configure --prefix="$libpng_install_dir"
make && make install
cp png* /usr/include/
cd ..
#rm -rf ${libpng_sourse_name}*
### freetype
wget "${url}${freetype_sourse_name}.tar.gz"
tar -zxvf "${freetype_sourse_name}.tar.gz"
cd "$freetype_sourse_name" || exit 1
./configure --prefix="$freetype_install_dir"
make && make install
cd ..
#rm -rf ${freetype_sourse_name}*
### GD2
wget "${url}${gd_sourse_name}.tar.gz"
tar -zxvf "${gd_sourse_name}.tar.gz"
cd "$gd_sourse_name" || exit 1
./configure --prefix="$gd_install_dir" --with-png="$libpng_install_dir" --with-freetype="$freetype_install_dir" --with-jpeg=/usr/lib/libjpeg.so
make && make install
cd ..
#rm -rf ${gd_sourse_name}*
### MySQL
groupadd mysql
useradd -g mysql mysql
wget "${url}${mysql_sourse_name}.tar.gz"
tar -zxvf "${mysql_sourse_name}.tar.gz"
cd "$mysql_sourse_name" || exit 1
./configure --prefix="$mysql_install_dir" --without-debug --with-unix-socket-path=/tmp/mysql.sock --with-client-ldflags=-all-static --with-mysqld-ldflags=-all-static --enable-local-infile --enable-largefile --with-charset=utf8 --with-pic --with-mysqld-libs --with-comment --with-query-cache --with-bench --with-big-tables --with-innodb --with-mysqld-user=mysql
make && make install
cp ./support-files/my-medium.cnf /etc/my.cnf
cp ./support-files/mysql.server /etc/init.d/mysqld
# cp does not carry the execute bit over; service(8) needs it
chmod 755 /etc/init.d/mysqld
cd ..
#mkdir $mysql_install_dir/var/
#$mysql_install_dir/bin/mysql_install_db --user=mysql &
#$mysql_install_dir/bin/mysqld_safe --user=mysql &

echo "${mysql_install_dir}/bin/mysqld_safe --user=mysql &" >> /etc/rc.local
#rm -rf ${mysql_sourse_name}*
### Apache
wget "${url}${httpd_sourse_name}.tar.gz"
tar -zxvf "${httpd_sourse_name}.tar.gz"
cd "$httpd_sourse_name" || exit 1
./configure --prefix="$httpd_install_dir" --enable-authz-dbm --enable-log-config --enable-headers --enable-setenvif --with-ssl="$openssl_install_dir" --enable-static-ab --enable-http --enable-mime --enable-status --enable-suexec --enable-vhost-alias --enable-dir --enable-rewrite --with-mpm=worker
make && make install
cd ..
ln -s "$httpd_install_dir/bin/apachectl" /etc/init.d/httpd
echo "$httpd_install_dir/bin/apachectl start" >> /etc/rc.local
chkconfig --level 345 httpd on
#rm -rf ${httpd_sourse_name}*
### mod_fastcgi
wget "${url}${fastcgi_sourse_name}.tar.gz"
tar -zxvf "${fastcgi_sourse_name}.tar.gz"
cd "$fastcgi_sourse_name" || exit 1
# point the module Makefile at our Apache prefix instead of /usr/local/apache2
sed "s#/usr/local/apache2#${httpd_install_dir}#g" Makefile.AP2 > Makefile
make && make install
cd ..
### mod_fcgid
wget "${url}${fcgid_sourse_name}.tgz"
tar -zxvf "${fcgid_sourse_name}.tgz"
cd "$fcgid_sourse_name" || exit 1
mv Makefile Makefile.AP2
sed "s#/usr/local/apache2#${httpd_install_dir}#g" Makefile.AP2 > Makefile
make && make install
cd ..
echo "LoadModule fcgid_module modules/mod_fcgid.so" >> "$httpd_install_dir/conf/httpd.conf"
echo "AddHandler fcgid-script .php" >> "$httpd_install_dir/conf/httpd.conf"
echo "FCGIWrapper ${php_install_dir}/bin/php-cgi .php" >> "$httpd_install_dir/conf/httpd.conf"
#rm -rf ${fastcgi_sourse_name}*
### PHP
wget "${url}${php_sourse_name}.tar.gz"
tar -zxvf "${php_sourse_name}.tar.gz"
cd "$php_sourse_name" || exit 1
cp php.ini-dist php.ini
./configure --prefix="$php_install_dir" --with-libxml-dir="$libxml2_install_dir" --enable-cli --enable-cgi --enable-fastcgi --enable-force-cgi-redirect --enable-discard-path --enable-path-info-check --with-openssl --with-pcre-regex --enable-calendar --enable-dom --enable-ftp --with-openssl-dir=/usr/local/ssl --enable-gd-jis-conv --enable-hash --with-iconv --enable-json --enable-mbstring --enable-mbregex --enable-pdo --enable-posix --enable-simplexml --with-sqlite --enable-tokenizer --enable-xmlreader --enable-xmlwriter --with-zlib --with-freetype-dir="$freetype_install_dir" --with-gd="$gd_install_dir" --with-jpeg-dir=/usr/lib/libjpeg.so --with-libpng-dir=/opt/libpng-1.2.29/lib/libpng12.so --with-zlib-dir=/usr/lib/libz.so --with-mime-magic --with-mysql="$mysql_install_dir" --with-pdo-mysql="$mysql_install_dir" --with-pdo-sqlite --enable-soap
make && make install
cp php.ini "$php_install_dir/lib/"
cd ..
# initialise the MySQL data directory before the server is started; this is a
# one-off command, not a daemon, so it must finish before mysqld starts
"$mysql_install_dir/bin/mysql_install_db" --user=mysql

service httpd start
service mysqld start

Apache2 PHP5 FastCGI configuration finally done

Author: admin, 2008-07-23 22:12:57

This time I used a replacement for mod_fastcgi: fcgid, http://fastcgi.coremail.cn/ . Functionally it can fully take the place of fastcgi, and (reportedly) it beats fastcgi on performance and stability; it is also simpler to configure, needing only LoadModule fcgid_module, SetHandler fcgid-script and
FCGIWrapper /usr/local/bin/php-cgi .php.
As for permissions, heh, not tested yet. Filed for the record; to be added to my amp shell script.

LoadModule fcgid_module modules/mod_fcgid.so
AddHandler fcgid-script .php
FCGIWrapper /opt/php5/bin/php-cgi .php

Building a fully optimized Linux+Apache+PHP+MySQL server (3)

Author: admin, 2008-07-15 14:30:24

Apache part

Install openssl first

./configure --enable-authz-dbm --enable-log-config --enable-headers --enable-setenvif --with-ssl=/usr/local/ssl --enable-static-ab --enable-http --enable-mime --enable-status --enable-suexec --enable-vhost-alias --enable-dir --enable-rewrite --with-mpm=worker

fastcgi

cp Makefile.AP2 Makefile
make && make install

Installing nginx + mysql + php in FastCGI mode on CentOS 5

Author: admin, 2008-05-18 12:20:01
Original tutorial: http://blog.s135.com/read.php/314.htm

Install environment: CentOS 5.0 base system + development tools

Install the XML libraries
yum install libxml2 libxml2-devel

Build and install PHP
./configure --enable-fastcgi --enable-force-cgi-redirect
make && make install
————————————————————————–
[root@localhost php-5.2.5]# make install
Installing PHP SAPI module: cgi
Installing PHP CGI binary: /usr/local/bin/
Installing PHP CLI binary: /usr/local/bin/
Installing PHP CLI man page: /usr/local/man/man1/
Installing build environment: /usr/local/lib/php/build/
Installing header files: /usr/local/include/php/
Installing helper programs: /usr/local/bin/
program: phpize
program: php-config
Installing man pages: /usr/local/man/man1/
page: phpize.1
page: php-config.1
Installing PEAR environment: /usr/local/lib/php/
[PEAR] Console_Getopt – installed: 1.2.3
[PEAR] Archive_Tar – installed: 1.3.2
[PEAR] Structures_Graph- installed: 1.0.2
pear/PEAR can optionally use package “pear/XML_RPC” (version >= 1.4.0)
[PEAR] PEAR – installed: 1.6.1
Wrote PEAR system config file at: /usr/local/etc/pear.conf
You may want to add: /usr/local/lib/php to your php.ini include_path
Installing PDO headers: /usr/local/include/php/ext/pdo/
————————————————————————–
make test

Install MySQL with yum
yum install mysql mysql-devel mysql-server

Copy spawn-fcgi to /usr/local/bin/
chmod +x spawn-fcgi

/usr/sbin/groupadd www -g 48
/usr/sbin/useradd -u 48 -g www www
Start spawn-fcgi listening on 127.0.0.1 port 10080, with 10 children, as user www
————————————————————————–
[root@localhost bin]# spawn-fcgi -a 127.0.0.1 -p 10080 -C 10 -u www -f php-cgi
X-Powered-By: PHP/5.2.5
Content-type: text/html
spawn-fcgi.c.211: child exited with: 0, Success
————————————————————————–
[root@localhost bin]# spawn-fcgi -a 127.0.0.1 -p 10080 -C 10 -u www -f php-cgi
spawn-fcgi.c.190: child spawned successfully: PID: 27936
————————————————————————–
Install pcre
yum install pcre pcre-devel
Build and install nginx
./configure --user=www --group=www
————————————————————————–
Configuration summary
+ threads are not used
+ using system PCRE library
+ OpenSSL library is not used
+ md5 library is not used
+ sha1 library is not used
+ using system zlib library
nginx path prefix: “/usr/local/nginx”
nginx binary file: “/usr/local/nginx/sbin/nginx”
nginx configuration file: “/usr/local/nginx/conf/nginx.conf”
nginx pid file: “/usr/local/nginx/logs/nginx.pid”
nginx error log file: “/usr/local/nginx/logs/error.log”
nginx http access log file: “/usr/local/nginx/logs/access.log”
nginx http client request body temporary files: “/usr/local/nginx/client_body_temp”
nginx http proxy temporary files: “/usr/local/nginx/proxy_temp”
nginx http fastcgi temporary files: “/usr/local/nginx/fastcgi_temp”
————————————————————————–
make && make install

touch /usr/local/nginx/conf/fcgi.conf
with this content:
————————————————————————–
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
————————————————————————–
Because SCRIPT_FILENAME is built from the request path, php-cgi executes whatever nginx hands it as long as it can resolve the path to a file; with PHP's cgi.fix_pathinfo (on by default) a request such as /uploads/image.jpg/x.php resolves to image.jpg and runs it as PHP. Only pass requests for files that exist to the backend, for example with `try_files $uri =404;` in the .php location (or `if (!-e $request_filename) { return 404; }` on nginx versions without try_files), or set cgi.fix_pathinfo=0 in php.ini.

Start nginx
ulimit -SHn 51200
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Start Nginx + PHP automatically at boot
vi /etc/rc.local
append the following at the end:
ulimit -SHn 51200
/usr/local/bin/spawn-fcgi -a 127.0.0.1 -p 10080 -C 64 -u www -f /usr/local/bin/php-cgi
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Tune the Linux kernel parameters
vi /etc/sysctl.conf
append the following at the end:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 5000 65000

Leave tcp_tw_recycle off on a server that takes connections from the Internet: it drops connections from clients behind NAT whose TCP timestamps do not increase monotonically, and it was removed from the kernel in Linux 4.12.

Apply the settings immediately:
/sbin/sysctl -p
Reloading the Nginx configuration without stopping the service
After editing /usr/local/nginx/conf/nginx.conf, check that the file is valid:
/usr/local/nginx/sbin/nginx -t

Then find the Nginx master process id:
ps -ef | grep "nginx: master process" | grep -v "grep" | awk -F ' ' '{print $2}'
(the master also records its pid in /usr/local/nginx/logs/nginx.pid, the pid file from the configure summary above, which is easier to read than grepping ps output)

As for day-to-day maintenance, I am not yet clear on it; we will cover that next time.
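A reload helper for the step above, added as an example; it is not part of the original tutorial. It runs `nginx -t` against the configuration and only if that passes sends SIGHUP to the master process named in the pid file (the path from the configure summary), which is how nginx re-reads its configuration and replaces its workers gracefully; a broken configuration is never signalled, and a stale pid file is reported rather than acted on. The nginx binary, configuration and pid-file paths are parameters so that it can be exercised with a stand-in nginx script, which is what the test does; the defaults at the bottom are the install paths used in this post.

```shell
#!/bin/sh
# Graceful nginx reload that refuses to signal the master while the config is
# broken (added example, not from the original tutorial).
# "nginx -t" validates the file; SIGHUP makes the master re-read it, start new
# workers and let the old ones finish their requests.

# nginx_reload NGINX_BIN CONF PIDFILE
#   returns 0: config valid and SIGHUP sent
#           1: config invalid, nothing signalled
#           2: no running master recorded in the pid file
nginx_reload() {
    bin=$1 conf=$2 pidfile=$3
    if ! "$bin" -t -c "$conf"; then
        echo "config test failed, master NOT reloaded: $conf" >&2
        return 1
    fi
    pid=$(cat "$pidfile" 2>/dev/null)
    # the pid file may be stale: make sure a process with that pid is alive
    if [ -z "$pid" ] || ! kill -0 "$pid" 2>/dev/null; then
        echo "no running master recorded in $pidfile" >&2
        return 2
    fi
    kill -HUP "$pid"
}

# Usage: sh nginx_reload.sh reload   (paths are those of the install above)
if [ $# -ge 1 ] && [ "$1" = "reload" ]; then
    nginx_reload /usr/local/nginx/sbin/nginx \
                 /usr/local/nginx/conf/nginx.conf \
                 /usr/local/nginx/logs/nginx.pid
fi
```

The order matters: testing after signalling would leave the master running with an unparseable file for its next restart, and signalling a pid read from a stale file can hit whatever unrelated process now owns that pid.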

—————————————————–
Nginx configure parameters from the original tutorial:
[root@localhost]#./configure --prefix=/usr/local/server/nginx --with-openssl=/usr/include \
--with-pcre=/usr/include/pcre/ --with-http_stub_status_module --without-http_memcached_module \
--without-http_fastcgi_module --without-http_rewrite_module --without-http_map_module \
--without-http_geo_module --without-http_autoindex_module
Note that this set leaves out http_fastcgi_module (and http_rewrite_module), so an nginx built this way cannot talk to the php-cgi backend configured above; the ./configure --user=www --group=www line used earlier keeps both modules.