Recently 80Sec disclosed a serious 0day affecting Nginx; see "Nginx文件类型错误解析漏洞" (Nginx file type parsing vulnerability). Any Nginx+PHP server on which users may upload images can be compromised: an uploaded file with an image extension can be handed to PHP and executed. The production servers, which run php-fpm-0.5, all have this problem, while my test environment running php-fpm-0.6 does not, so I have written up the installation procedure and share it here; I recommend patching PHP with php-fpm-0.6. Whichever php-fpm you build, note that the mechanism is PHP's PATH_INFO handling (with cgi.fix_pathinfo=1, a request for /upload/x.jpg/foo.php is resolved to /upload/x.jpg and run as PHP), so also set cgi.fix_pathinfo=0 in php.ini and make the nginx PHP location refuse scripts that do not exist on disk.
Installation steps:
System requirements: Linux 2.6+ kernel. The system used in this article is RHEL 5.5; the same procedure also worked on CentOS 5.5.
Changes since the previous version:
(1) PHP 5.2.13 is built with php-fpm-0.6 (which, in my testing, is not affected by the Nginx file type parsing vulnerability)
(2) TCMalloc is used to improve Nginx and MySQL performance
(3) eaccelerator-0.9.6 and ZendOptimizer-3.3.9 added to accelerate PHP
(4) tmpfs used to speed up the PHP cache
(5) Other software updates and tuning
(Items 3 and 4 are not covered on this page.)
1. Obtaining the open-source programs
Required software:
eaccelerator-0.9.6.tar.bz2
gd-2.0.35.tar.gz
mysql-5.1.45.tar.gz
php-5.2.13.tar.bz2
php-fpm-0.6~5.2.11.tar.gz
autoconf-2.13.tar.gz
ZendOptimizer-3.3.9-linux-glibc23-i386.tar.gz
nginx-0.7.65.tar.gz
pcre-8.02.tar.gz
google-perftools-1.5.tar.gz
libevent-1.4.13-stable.tar.gz
libiconv-1.13.1.tar.gz
PDO_MYSQL-1.0.2.gz
Also needed on 64-bit systems, although it was not in the original list: libunwind-0.99-alpha.tar.gz (used in step 5). eaccelerator, ZendOptimizer and PDO_MYSQL are listed but their installation is not covered below.
===========================
Before installing, make sure the following packages are present on the system.
Check with rpm -qa | grep <package name>:
bzip2-devel
zlib-devel
libjpeg-devel
libpng-devel
libtiff-devel
freetype-devel
openssl-devel
libxml2-devel
gettext-devel
These are usually installed already, except the last one (gettext-devel), which can be found on the install media and installed with rpm -ivh.
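A quick way to run that check for the whole list, as an added example that is not part of the original post: the function below reads `rpm -qa` output on stdin (so it can also be exercised against a constructed package list) and prints each required -devel package that is missing. It strips the version-release suffix that rpm prints, so `zlib-devel-1.2.3-3` matches `zlib-devel`.

```shell
#!/bin/sh
# Added example (not from the original post). Usage on the build host:
#   rpm -qa | missing_devel_pkgs
# Prints one missing package name per line; prints nothing when all are present.

REQUIRED_DEVEL="bzip2-devel zlib-devel libjpeg-devel libpng-devel libtiff-devel freetype-devel openssl-devel libxml2-devel gettext-devel"

# missing_devel_pkgs : reads `rpm -qa` lines (name-version-release[.arch]) on stdin
missing_devel_pkgs() {
    # drop the last two dash-separated fields (version and release.arch)
    installed=$(sed 's/-[^-]*-[^-]*$//')
    for pkg in $REQUIRED_DEVEL; do
        # -x: whole line, -F: literal name, so libxml2 does not satisfy libxml2-devel
        echo "$installed" | grep -qxF "$pkg" || echo "$pkg"
    done
}
```

Feed it the real `rpm -qa` output on the server; anything it prints is a package to install with rpm -ivh before running configure.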
2. Installing MySQL
# tar -zxvf mysql-5.1.45.tar.gz
# cd mysql-5.1.45
# groupadd mysql
# useradd -g mysql -s /sbin/nologin -M mysql
# ./configure --prefix=/usr/local/www/mysql --enable-assembler --with-charset=gbk --with-extra-charsets=all --enable-thread-safe-client --with-mysqld-user=mysql --with-big-tables --without-debug --localstatedir=/var/data
Note: --with-charset=gbk makes GBK the server's default character set. GBK is a multibyte charset in which some two-byte sequences swallow the backslash inserted by addslashes()-style escaping, so applications on this server must escape with mysql_real_escape_string() after mysql_set_charset('gbk'), or use utf8 instead.
# make && make install
# cp support-files/my-large.cnf /etc/my.cnf
# chown -R mysql.mysql /usr/local/www/mysql/
# /usr/local/www/mysql/bin/mysql_install_db --user=mysql
# chown -R root.root /usr/local/www/mysql/
# chown -R mysql.mysql /var/data
Start the database service:
# /usr/local/www/mysql/bin/mysqld_safe --user=mysql &
Add it to the services started at boot:
# cp support-files/mysql.server /etc/rc.d/init.d/mysqld
# chmod 755 /etc/rc.d/init.d/mysqld
# chkconfig --add mysqld
# chkconfig mysqld on
Set the root password (use a real password, not an example such as 123456), then run bin/mysql_secure_installation to drop the anonymous accounts and the test database that mysql_install_db creates:
# /usr/local/www/mysql/bin/mysqladmin -u root password "<strong password>"
Configure the library search path and PATH:
# echo "/usr/local/www/mysql/lib/mysql">>/etc/ld.so.conf
# ldconfig
# ldconfig -v
# echo 'export PATH=$PATH:/usr/local/www/mysql/bin'>>/etc/profile
# source /etc/profile
(Single quotes matter on the PATH line: with double quotes the shell expands $PATH at echo time and bakes the current value into /etc/profile.)
3. Installing GD2
# tar -zxvf gd-2.0.35.tar.gz
# cd gd-2.0.35
# ./configure --prefix=/usr/local/www/gd --with-png --with-freetype --with-jpeg --with-zlib --with-fontconfig
# make
If GD reports "configure.ac:64: warning: macro `AM_ICONV' not found in library",
install the gettext and gettext-devel packages and rerun configure.
# make install
4. Installing PHP
First install autoconf 2.13; it must be exactly version 2.13, otherwise PHP's buildconf fails.
# tar -zxvf autoconf-2.13.tar.gz
# cd autoconf-2.13
# ./configure --prefix=/usr/local/www/autoconf
# make
# make install
# export PHP_AUTOCONF=/usr/local/www/autoconf/bin/autoconf
# export PHP_AUTOHEADER=/usr/local/www/autoconf/bin/autoheader
# tar zxvf libevent-1.4.13-stable.tar.gz
# cd libevent-1.4.13-stable/
# ./configure --prefix=/usr/local/www/libevent
# make && make install
# tar zxvf libiconv-1.13.1.tar.gz
# cd libiconv-1.13.1/
# ./configure --prefix=/usr/local/www/libiconv
# make && make install
# groupadd www
# useradd -g www -s /sbin/nologin -M www
# tar -jxvf php-5.2.13.tar.bz2
# tar -zxvf php-fpm-0.6~5.2.11.tar.gz
# php-fpm-0.6-5.2.11/generate-fpm-patch
# cd php-5.2.13/
# patch -p1 < ../fpm.patch
# rm -rf configure
# ./buildconf --force
# ./configure --prefix=/usr/local/www/php --with-mysql=/usr/local/www/mysql/ \
  --with-mysqli=/usr/local/www/mysql/bin/mysql_config \
  --with-config-file-path=/usr/local/www/php \
  --with-gd=/usr/local/www/gd --enable-gd-native-ttf --enable-gd-jis-conv \
  --with-jpeg-dir --with-png-dir --with-freetype-dir --with-zlib-dir --with-xpm-dir \
  --enable-xml --with-curl --with-curlwrappers --with-zlib --enable-exif \
  --with-bz2 --with-libxml-dir \
  --enable-mbstring --enable-sockets --enable-zip --enable-ftp \
  --with-iconv-dir=/usr/local/www/libiconv --with-iconv \
  --disable-rpath --enable-bcmath --enable-shmop --enable-sysvsem \
  --enable-inline-optimization --enable-mbregex \
  --with-libevent=/usr/local/www/libevent/ \
  --with-fpm --enable-fastcgi --enable-force-cgi-redirect
# make
# make install
# cp php.ini-dist /usr/local/www/php/php.ini
Then edit /usr/local/www/php/php.ini and set cgi.fix_pathinfo = 0 (php.ini-dist ships it commented out, which means the default of 1). With 1, PHP walks back along the requested path until it finds an existing file, which is how /upload/x.jpg/foo.php ends up executing x.jpg; with 0, PHP answers "No input file specified." instead. For a production box, php.ini-recommended is the better starting point (display_errors and register_globals are off there).
# vi /etc/php-fpm.conf
(1) <value name="listen_address">127.0.0.1:9000</value>
Change to <value name="listen_address">IP:9000</value> only if nginx runs on another host; for a single machine keep the default 127.0.0.1. FastCGI lets the client choose which file to execute, so a php-fpm port reachable from the network is remote code execution for anyone who can connect to it; keep it on loopback or a unix socket and set allowed_clients.
(2) Uncomment and adjust these two lines:
<value name="sendmail_path">/usr/sbin/sendmail -t -i</value>
<value name="display_errors">1</value>
(1 is for a test box; on production use 0, since displayed errors reveal file paths and SQL to visitors.)
(3) <value name="user">nobody</value> // uncomment
(4) <value name="group">nobody</value> // uncomment (nobody or the www user created above are both fine; never root)
(5) <value name="allowed_clients">127.0.0.1</value> // hosts allowed to connect; for a single machine use 127.0.0.1
(6) <value name="max_children">128</value>
(7) <value name="StartServers">20</value>
(8) <value name="MinSpareServers">5</value>
(9) <value name="MaxSpareServers">35</value>
(10) <value name="rlimit_files">51200</value>
(11) <value name="max_requests">102400</value>
Start php-fpm:
# ulimit -SHn 51200
# /usr/local/www/php/sbin/php-fpm start
Note: /usr/local/www/php/sbin/php-fpm also accepts stop|quit|restart|reload|logrotate. After editing php.ini, use reload to re-read the configuration without restarting the php-cgi processes.
Add it to the boot sequence:
# echo "ulimit -SHn 51200">>/etc/rc.local
# echo "/usr/local/www/php/sbin/php-fpm start">>/etc/rc.local
To see how many php-cgi processes are running on the server:
# ps -fe |grep "php" | grep -v "grep" | wc -l
To see how many php-cgi processes are currently handling TCP requests:
# netstat -anop | grep "php" | grep -v "grep" | wc -l
If the second number is close to max_children in the configuration file, too few worker processes are configured.
5. Installing nginx
5.1 Optimizing Nginx with TCMalloc
On 64-bit systems install the libunwind library first; on 32-bit systems do not install it. libunwind provides basic stack-unwinding support for programs on 64-bit CPUs and operating systems, including an API for printing stack traces, an API for unwinding the stack programmatically, and support for the C++ exception-handling mechanism.
# tar zxvf libunwind-0.99-alpha.tar.gz
# cd libunwind-0.99-alpha/
# CFLAGS=-fPIC ./configure
# make CFLAGS=-fPIC
# make CFLAGS=-fPIC install
5.2 Installing google-perftools (version 1.5, as in the software list):
# tar zxvf google-perftools-1.5.tar.gz
# cd google-perftools-1.5/
# ./configure
# make && make install
# echo "/usr/local/lib" > /etc/ld.so.conf.d/usr_local_lib.conf
# /sbin/ldconfig
5.3 Installing pcre
# tar zxvf pcre-8.02.tar.gz
# cd pcre-8.02
# ./configure
# make && make install
5.4 Installing nginx (version 0.7.65, as in the software list)
# tar zxvf nginx-0.7.65.tar.gz
# cd nginx-0.7.65
# ./configure --with-http_stub_status_module --with-google_perftools_module --prefix=/usr/local/www/nginx --user=www --group=www
# make && make install
Edit the nginx configuration file.
I renamed the original and created a new nginx.conf (under /usr/local/www/nginx/conf/):
user www;
worker_processes 8;
pid logs/nginx.pid;
# each worker writes a profile to /var/tmp/tcmalloc.<pid>; the directory must be writable by www
google_perftools_profiles /var/tmp/tcmalloc;
worker_rlimit_nofile 51200;

events {
    use epoll;
    worker_connections 51200;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 128;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 8m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 60;
    fastcgi_connect_timeout 180;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
    #fastcgi_cache_path /usr/local/www/nginx/fastcgi_cache levels=1:2 keys_zone=TEST:10m inactive=5m;
    #fastcgi_cache TEST;
    #fastcgi_cache_valid 200 302 1h;
    #fastcgi_cache_valid 301 1d;
    #fastcgi_cache_valid any 1m;
    #fastcgi_cache_min_uses 1;
    #fastcgi_cache_use_stale error timeout invalid_header http_500;
    open_file_cache max=204800 inactive=20s;
    open_file_cache_min_uses 1;
    open_file_cache_valid 30s;
    tcp_nodelay on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # log_format is only allowed in the http context, not inside server {};
    # the trailing spaces keep the concatenated fields separated
    log_format access '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" $http_x_forwarded_for';

    include vhost/*.conf;
}

Contents of vhost/www.test.com.conf (relative to the conf directory, i.e. /usr/local/www/nginx/conf/vhost/):

server {
    listen 80;
    server_name localhost;
    index index.html index.htm index.php;
    root /var/www/bbs/;

    # status page: auth_basic without an auth_basic_user_file defines no users and
    # protects nothing, so restrict it by source address instead
    location /nginx {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }

    # \.php5?$ matches .php and .php5, which is what the original pattern intended
    location ~ \.php5?$ {
        # refuse scripts that do not exist on disk; with cgi.fix_pathinfo=0 this
        # stops /upload/x.jpg/foo.php from being run as PHP
        try_files $uri =404;
        #fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # build the path from the server root instead of hard-coding /var/www/bbs
        # (the original "root html;" here contradicted the server's root)
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # the server root already applies here; a missing file simply returns 404,
    # so the if/-f/break construct is not needed
    location ~* \.(jpg|jpeg|gif|png|swf|htm|html|js)$ {
        expires 30d;
    }

    access_log logs/www.test.com_access.log access;
}
Start nginx (check the configuration first):
# /usr/local/www/nginx/sbin/nginx -t
# /usr/local/www/nginx/sbin/nginx
Then open http://<IP address or domain name>/ in a browser; the default nginx page shows that nginx is running. With the google_perftools module active, lsof -n | grep tcmalloc lists the profile files opened by the workers.
Stop nginx:
# kill -QUIT `cat /usr/local/www/nginx/logs/nginx.pid`
Reload the configuration (no full restart needed):
# kill -HUP `cat /usr/local/www/nginx/logs/nginx.pid`
Then create a file in the site directory to test PHP.
Create a test page in the vhost's document root (/var/www/bbs in the configuration above), and delete it once PHP works, since phpinfo() publishes the full server configuration:
# vi index.php
<?php
phpinfo();
?>
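The three configuration points this page turns on (cgi.fix_pathinfo in php.ini, the user/listen_address/display_errors values in /etc/php-fpm.conf, and the PHP location in the vhost) are worth re-checking after every upgrade. The script below is an added example, not code from the original post: it parses each file with sed and grep and reports pass or fail per setting, exiting non-zero on any failure. The file paths in the usage line and the constructed sample configs written by write_samples are assumptions; point audit_stack at the real files on the server.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the settings that decide
# whether the file-type parsing issue is reachable and whether PHP-FPM runs with a
# sane identity. Each check takes a file path and returns 0 (pass) or 1 (fail).
# Paths must not contain spaces (audit_stack word-splits its command strings).

# ini_get FILE KEY : value of an uncommented php.ini setting; last occurrence wins
ini_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//' | tail -n 1
}

# fpm_get FILE NAME : text of the first <value name="NAME"> that is not XML-commented
fpm_get() {
    grep -v '<!--' "$1" |
        sed -n "s/.*<value name=\"$2\">\(.*\)<\/value>.*/\1/p" | head -n 1
}

# PHP must not rewrite /upload/x.jpg/foo.php to /upload/x.jpg; an absent key means 1
check_fix_pathinfo() { [ "$(ini_get "$1" cgi.fix_pathinfo)" = "0" ]; }

# the pool must have an explicit non-root user (nobody or www are both fine)
check_fpm_user() {
    u=$(fpm_get "$1" user)
    [ -n "$u" ] && [ "$u" != "root" ]
}

# FastCGI must only be reachable locally: loopback TCP or a unix socket path
check_fpm_listen_local() {
    case "$(fpm_get "$1" listen_address)" in
        127.0.0.1:*|/*) return 0 ;;
        *) return 1 ;;
    esac
}

# errors shown to the browser leak paths; the post's value 1 is for the test box only
check_fpm_display_errors_off() { [ "$(fpm_get "$1" display_errors)" = "0" ]; }

# the PHP location must 404 on a missing script and build the path from $document_root
check_nginx_php_location() {
    grep -q 'try_files[[:space:]]*\$uri[[:space:]]*=404' "$1" &&
        ! grep -q 'SCRIPT_FILENAME[[:space:]]*/' "$1"
}

# audit_stack PHP_INI FPM_CONF VHOST_CONF : one line per check; returns the failure count
audit_stack() {
    fails=0
    for c in "check_fix_pathinfo $1" "check_fpm_user $2" "check_fpm_listen_local $2" \
             "check_fpm_display_errors_off $2" "check_nginx_php_location $3"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

# write_samples DIR : constructed sample configs, a hardened set and the post's weak set
write_samples() {
    printf '%s\n' 'cgi.fix_pathinfo=0' > "$1/php.ini"
    printf '%s\n' '; cgi.fix_pathinfo=1' > "$1/php.ini.weak"
    printf '%s\n' '<value name="listen_address">127.0.0.1:9000</value>' \
        '<value name="display_errors">0</value>' \
        '<value name="user">www</value>' > "$1/php-fpm.conf"
    printf '%s\n' '<value name="listen_address">0.0.0.0:9000</value>' \
        '<value name="display_errors">1</value>' \
        '<!-- <value name="user">nobody</value> -->' > "$1/php-fpm.conf.weak"
    printf '%s\n' 'location ~ \.php$ {' '    try_files $uri =404;' \
        '    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;' '}' \
        > "$1/vhost.conf"
    printf '%s\n' 'location ~ .*\.(php|php5)?$ {' \
        '    fastcgi_param SCRIPT_FILENAME /var/www/bbs$fastcgi_script_name;' '}' \
        > "$1/vhost.conf.weak"
}

# usage on the server (paths assumed from the post):
# audit_stack /usr/local/www/php/php.ini /etc/php-fpm.conf /usr/local/www/nginx/conf/vhost/www.test.com.conf
```

audit_stack exits 0 only when every check passes, so it can gate a deployment script. A live confirmation after reloading php-fpm and nginx: request an existing uploaded image with /x.php appended (for example curl -i http://127.0.0.1/<path-to-existing>.jpg/x.php) and expect a 404, not a PHP response.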
If you repost, please credit: reposted from 风往北吹的IT博客 [http://blog.yahunet.com/]
Link to this article: http://blog.yahunet.com/post-64.html