lnmp架构下php安全配置分享-php手册-php.cn

Home

php教程

php手册

lnmp架构下php安全配置分享

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 08:11 PM

lamp lnmp php share Safety Architecture net Configuration

以往的lamp网站向着lnmp发展, 笔者工作环境使用lnmp多年, 在这里很高兴和大家分享一下多年的lnmp网站的php安全配置，至于lamp安全后续与大家分享，其实内容上八成相同，这边着重讲php安全配置，看内容. 1. 使用open_basedir限制虚拟主机跨目录访问 [HOST=www

以往的lamp网站向着lnmp发展, 笔者工作环境使用lnmp多年, 在这里很高兴和大家分享一下多年的lnmp网站的php安全配置，至于lamp安全后续与大家分享，其实内容上八成相同，这边着重讲php安全配置，看内容.

1. 使用open_basedir限制虚拟主机跨目录访问

[HOST=www.ttlsa.com]
open_basedir=/data/site/www.ttlsa.com/:/tmp/
[HOST=test.ttlsa.com]
open_basedir=/data/site/test.ttlsa.com/:/tmp/

Copy after login

如上配置的意思是www.ttlsa.com下的php程序被限制在open_basedir配置的两个目录下, 不可以访问到其他目录。如果没有做以上的配置，那么test.ttlsa.com与www.ttlsa.com的程序可以互相访问.
如果其中一个站点有漏洞被黑客植入了webshell，那么他可以通过这个站点拿下同一台服务器的其他站点，最后挂木马.

注意：目录最后一定要加上/. 比如你写/tmp，你的站点同时存在/tmp123等等以/tmp开头的目录，那么黑客也可以访问到这些目录，另外, php5.3以上支持这个写法，5.2不支持。

2. 禁用不安全PHP函数

disable_functions = show_source,system,shell_exec,passthru,exec,popen,proc_open,proc_get_status,phpinfo

Copy after login

禁止php执行以上php函数,以上php程序可以执行linux命令, 比如可以执行ping、netstat、mysql等等.如果你的系统有提权bug,后果你懂得.

3. 关注软件安全资讯

积极关注linux内核、php安全等信息并及时采取错误

4. php用户只读

这个方法是我最推崇的方法，但是执行之前一定要和php工程师商量. 为什么？例如站点www.ttlsa.com根目录用户与组为nobody，而运行php的用户和组为phpuser。目录权限为755，文件权限为 644. 如此，php为只读，无法写入任何文件到站点目录下。也就是说用户不能上传文件，即使有漏洞, 黑客也传不了后门, 更不可能挂木马. 这么干之前告知程序员将文件缓存改为nosql内存缓存（例如memcached、redis等），上传的文件通过接口传到其他服务器（静态服务器）。

备注：程序生成本地缓存是个非常糟糕的习惯，使用文件缓存速度缓慢、浪费磁盘空间、最重要一点是一般情况下服务器无法横向扩展

5. 关闭php错误日志

display_errors = On
改为
display_errors = Off

Copy after login

程序一旦出现错误，详细错误信息便立刻展示到用户眼前，其中包含路径、有的甚至是数据库账号密码. 注入渗透密码基本上都是通过这个报错来猜取。生产环境上强烈关闭它

6. php上传分离

将文件上传到远程服务器，例如nfs等。当然也可以调用你们写好的php接口. 即使有上传漏洞，那么文件也被传到了静态服务器上。木马等文件根本无法执行.

举个例子：
php站点www.ttlsa.com，目录/data/site/www.ttlsa.com
静态文件站点static.ttlsa.com，目录/data/site/static.ttlsa.com

文件直接被传到了/data/site/static.ttlsa.com，上传的文件无法通过www.ttlsa.com来访问，只能使用static.ttlsa.com访问，但是static.ttlsa.com不支持php.

7. 关闭php信息

expose_php = On
改为
expose_php = Off

Copy after login

不轻易透露自己php版本信息，防止黑客针对这个版本的php发动攻击.

8. 禁止动态加载链接库

disable_dl = On;
改为
enable_dl = Off;

Copy after login

9. 禁用打开远程url

allow_url_fopen = On
改为
allow_url_fopen = Off

Copy after login

其实这点算不上真正的安全, 并不会导致web被入侵等问题,但是这个非常影响性能, 笔者认为它属于狭义的安全问题.

以下方法将无法获取远程url内容

$data = file_get_contents("http://www.baidu.com/")；

Copy after login

以下方法可以获取本地文件内容

$data = file_get_contents("1.txt");

Copy after login

如果你的站点访问量不大、数据库也运行良好，但是web服务器负载出奇的高，请你直接检查下是否有这个方法。笔者遇到过太多这个问题，目前生产环境已全线禁用，如果php工程师需要获取远程web的内容，建议他们使用curl.

10.结束

今天lnmp站点的php安全暂时讲到这里,有问题后续将继续补充.小抱怨下,发到自己博客上,百度总是不收录,还是oschina靠谱.

原文地址：lnmp架构下php安全配置分享, 感谢原作者分享。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks ago By DDD

Nordhold: Fusion System, Explained

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Mandragora: Whispers Of The Witch Tree - How To Unlock The Grappling Hook

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1665

CakePHP Tutorial

1423

Laravel Tutorial

1321

PHP Tutorial

1269

C# Tutorial

1249

Related knowledge

PHP and Python: Comparing Two Popular Programming Languages Apr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

PHP in Action: Real-World Examples and Applications Apr 14, 2025 am 12:19 AM

PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

The Enduring Relevance of PHP: Is It Still Alive? Apr 14, 2025 am 12:12 AM

PHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.

PHP vs. Python: Understanding the Differences Apr 11, 2025 am 12:15 AM

PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.

PHP and Python: Code Examples and Comparison Apr 15, 2025 am 12:07 AM

PHP and Python have their own advantages and disadvantages, and the choice depends on project needs and personal preferences. 1.PHP is suitable for rapid development and maintenance of large-scale web applications. 2. Python dominates the field of data science and machine learning.

PHP vs. Other Languages: A Comparison Apr 13, 2025 am 12:19 AM

PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.

PHP and Python: Different Paradigms Explained Apr 18, 2025 am 12:26 AM

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

See all articles