Nginx虚拟主机防webshell0
apache因为有php_admin_value open_basedir 可以限制webshell跨目录,可是nginx目前没有这样的模块支持。先来看两份配置文件的部分,只跟大家讲原理,省略了和主题无关的部分,请勿复制就用,明白了原理,就知道该怎么做了。
php.ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "/myserver/:/tmp/:/var/tmp/"
nginx.conf
http
{
server
{
listen 80;
server_namehost1.com;
root /myserver/host1;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
server
{
listen 80;
server_namehost2.com;
root /myserver/host2;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
server
{
listen 80;
server_namehost3.com;
root /myserver/host3;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
}
配置的基本情况是 运行3个网站 host1.comhost2.com host3.com,php.ini的配置,限制php脚本只能在这三个网站目录的父目录 /myserver/ 下面执行。
这时候我们知道,如果在某一个站点上上传了一个php木马,那么这个木马将可以访问其他两个站点的文件。nignx 没有apache那样能够单独设置每个网站的php只能在本目录下访问的功能。这时候我们就要用一点取巧的办法了。
来看这个php.ini的配置。
open_basedir = "/myserver/:/tmp/:/var/tmp/"
其实这个路径也支持 (.) [一个点] 和 (..) [两个点],也就是当前目录、父目录。于是有下面的配置方法
open_basedir = ".:/tmp/:/var/tmp/"把php文件限制在当前目录,的确,这样确实是访问不到别的两个网站的目录了,但是访问某些页面会出现 No input file specified. 。
为什么呢,因为上面的这个限制,当你运行或者引用了网站目录下的子目录(或者子目录的子目录....)里的php文件(假定为/myserver/host1/dir1/myphp.php),而这个子目录文件又要访问上级目录里的文件(/myserver/host1/config.php),这时候问题就来了,php.ini里设置了myphp.php只能访问该本级目录(/myserver/host1/dir1/)以下的文件,而不能访问/myserver/host1下的直接文件,于是提示:No input file specified.
现在解决办法来了
再看两个配置文件:
下面的这个 /subX1/subX2/subX3/..........(N层) ,N为你网站上最底层的php文件嵌套级数,如果你网站最多有5级子目录下有php文件,那么就嵌套5层以上。
php.ini
; open_basedir, if set, limits all file operations to the defined directory
; and below.This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = "../../.......(N层):/tmp/:/var/tmp/"
nginx.conf
http
{
server
{
listen 80;
server_namehost1.com;
root /myserver/subA1/subA2/subA3/..........(N层)/host1;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
server
{
listen 80;
server_namehost2.com;
root /myserver/subB1/subB2/subB3/..........(N层)/host2;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
server
{
listen 80;
server_namehost3.com;
root /myserver/subC1/subC2/subC3/..........(N层)/host3;
location ~ .*\.(php|php5)?$
{
#fastcgi_passunix:/tmp/php-cgi.sock;
fastcgi_pass127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}
}
}
举例N等于5....运行,当访问最底层的php文件 /myserver/subA1/subA2/subA3/subA4/subA5/host1/dir1/dir2/dir3/dir4/myphp.php,这个php文件所能访问的上级层到 /myserver/subA1/subA2/subA3/subA4/subA5/host1,当访问 /myserver/subA1/subA2/subA3/subA4/subA5/host1/myphp2.php 文件时候,它所能最多访问到的上级层 /myserver/subA1 ,不能跃出访问到其他站目录里的文件
这样就限制了该站目录下的php程序不能访问别的网站,而对自己网站的访问又充分不受限制。很简单,到此结束。
页:
[1]