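php-fpm across servers: notes on the pitfalls of deploying nginx and php-fpm on different servers

0x00 Background

It started when, for a certain CTF, I had to set up a PHP 7.0.28 environment to reproduce the opcache getshell (along with a composite nodejs and mongo environment). I was inexperienced enough that I had to force myself through some Docker manuals and tutorials, so this is a record of the setup process. It is a lightweight post; experts need not read on.

0x01 Image

The official PHP images come in three variants: cli, fpm and apache. To be able to change php.ini as required, I chose fpm and paired it with nginx.

Pull the image with docker pull php:7.0-fpm, or use the officially provided Dockerfile.

The local image list then shows an image with REPOSITORY php and tag 7.0-fpm.

Change to the working directory and run docker run -p 9000:9000 --name myphp-fpm -v $PWD/html:/var/www/html -v $PWD/conf:/usr/local/etc/php -v $PWD/logs:/phplogs -d php:7.0-fpm

-p 9000:9000 : maps the container's port 9000 to port 9000 on the host

--name myphp-fpm : names the container myphp-fpm

-v $PWD/html:/var/www/html : mounts the html directory under the host's current directory onto the container's html directory

-v $PWD/conf:/usr/local/etc/php : mounts the conf directory under the host's current directory onto the container's /usr/local/etc/php

-v $PWD/logs:/phplogs : mounts the logs directory under the host's current directory onto the container's /phplogs

Afterwards, docker ps shows the container's status.

0x02 Environment

Once the container is running, fpm is set up.

Edit the site under nginx's sites-available and change the configuration: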

location ~ \.php$ {
    #include snippets/fastcgi-php.conf;
    root /var/www/html;
    fastcgi_index index.php;
    fastcgi_pass 172.17.0.2:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

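For fastcgi_pass, fill in the container's IP and port; the IP can be found with docker inspect name.

Create an index.php in the html folder that calls phpinfo.

Copy a php.ini into the conf folder.

Restart fpm, i.e. restart the container: docker container restart name

Note: if fpm fails to start, check the logs with docker logs name; if the server misbehaves, consult the error log, or enter the container with docker exec -it id /bin/bash.

After the restart, phpinfo shows the current settings. Next, configure opcache.

Remove the leading ; from the relevant settings in php.ini (an example is attached at the end) and add zend_extension.

Note that the directory file_cache points to must exist and be readable and writable.

Restart the container now, and phpinfo shows that opcache is enabled.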
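The conditions from the steps above (zend_extension uncommented, opcache enabled, the file_cache directory present, readable and writable) as a pre-flight script to run before restarting the container. This is an added example, not part of the original post; the function names and the optional root-prefix argument are assumptions, and the sample php.ini is constructed.

```sh
#!/bin/sh
# Added example (not from the original post). ini_get, check_file_cache and the
# optional root-prefix argument are hypothetical names chosen for illustration.

# Print the value of an uncommented php.ini directive (last assignment wins).
ini_get() {   # usage: ini_get <php.ini> <directive>
    awk -v key="$2" -v q="'" '
        /^[ \t]*;/ { next }   # directive is still commented out
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub("^[\"" q "]|[\"" q "]$", "", v)   # strip surrounding quotes
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# Return 0 when the file cache can work; otherwise print the reason and return 1.
# The -r/-w tests apply to the calling user, so run this as the fpm worker user.
check_file_cache() {   # usage: check_file_cache <php.ini> [fs root prefix]
    ini=$1; root=${2:-}
    [ -n "$(ini_get "$ini" zend_extension)" ] || { echo "zend_extension missing or commented out"; return 1; }
    [ "$(ini_get "$ini" opcache.enable)" = 1 ] || { echo "opcache.enable is not 1"; return 1; }
    dir=$(ini_get "$ini" opcache.file_cache)
    [ -n "$dir" ] || { echo "opcache.file_cache is not set"; return 1; }
    [ -d "$root$dir" ] || { echo "$dir does not exist"; return 1; }
    [ -w "$root$dir" ] && [ -r "$root$dir" ] || { echo "$dir is not readable and writable"; return 1; }
    echo "ok: $dir"
}

# Constructed sample: the appendix settings that matter here, checked against a
# scratch directory standing in for the container filesystem.
demo=$(mktemp -d)
cat > "$demo/php.ini" <<'EOF'
opcache.enable=1
zend_extension = /usr/local/lib/php/extensions/no-debug-non-zts-20151012/opcache.so
opcache.file_cache='/tmp/cache'
EOF
check_file_cache "$demo/php.ini" "$demo" || echo "fix the above before restarting"
mkdir -p "$demo/tmp/cache"
check_file_cache "$demo/php.ini" "$demo"
rm -rf "$demo"
```

Inside the container the prefix argument is omitted, so the path from php.ini is tested as written.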

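Also, for a composite environment using the microservice model, see refer2.

If nginx is not configured completely, it checks locally whether the requested file exists before forwarding the request to fpm. If most paths turn out to return 404, check that the nginx configuration matches the one above. The principle is to configure things as if nginx and php-fpm were deployed on different servers: dynamic files go on the fpm server and static files on the nginx server. A simpler fix is to map the local www directory to fpm's www directory.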
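A lint for the 404 failure described above, as an added example that is not part of the original post: it flags directives inside the PHP location that make nginx test for the script on its own disk while fastcgi_pass points at another host. The function name and the sample site file are constructed; treating snippets/fastcgi-php.conf as a local check assumes the Debian/Ubuntu packaging, where that snippet contains a try_files line.

```sh
#!/bin/sh
# Added example (not from the original post); lint_php_location is a hypothetical name.

# Report local file-existence checks inside the PHP location when fpm is remote.
# Prints one line per finding and returns 1; returns 0 when nothing is found.
lint_php_location() {   # usage: lint_php_location <site.conf>
    awk '
        /^[ \t]*#/ { next }                       # commented-out directive
        !inphp && /location[^{]*php/ { inphp = 1; depth = 0 }
        inphp {
            if ($0 ~ /fastcgi_pass/) {
                t = $0
                sub(/.*fastcgi_pass[ \t]+/, "", t); sub(/[ \t]*;.*/, "", t)
                if (t !~ /^(unix:|127\.|localhost|\[::1\])/) remote = t
            }
            if ($0 ~ /try_files/) hit[++n] = "try_files"
            if ($0 ~ /include[ \t]+snippets\/fastcgi-php\.conf/)
                hit[++n] = "include snippets/fastcgi-php.conf (assumed to contain try_files)"
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track the end of the block
            if (depth <= 0) inphp = 0
        }
        END {
            if (remote == "" || n == 0) exit 0
            for (i = 1; i <= n; i++)
                printf "%s: nginx checks the script locally, but fpm is at %s\n", hit[i], remote
            exit 1
        }' "$1"
}

# Constructed sample: the location from this post with the snippet include left active.
site=$(mktemp)
cat > "$site" <<'EOF'
location / { try_files $uri $uri/ =404; }
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    root /var/www/html;
    fastcgi_pass 172.17.0.2:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
EOF
lint_php_location "$site" || echo "drop the local check or mirror the .php files on the nginx host"
rm -f "$site"
```

A try_files in the static location / is left alone, since the static files do live on the nginx host.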

Appendix:

; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=0

zend_extension = /usr/local/lib/php/extensions/no-debug-non-zts-20151012/opcache.so

; The OPcache shared memory storage size.
opcache.memory_consumption=64

; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=4

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
opcache.max_accelerated_files=2000

; The maximum percentage of "wasted" memory until a restart is scheduled.
opcache.max_wasted_percentage=5

; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
opcache.use_cwd=1

; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
opcache.validate_timestamps=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=2

; Enables or disables file search in include_path optimization
opcache.revalidate_path=0

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=1

; If enabled, a fast shutdown sequence is used for the accelerated code
; Depending on the used Memory Manager this may cause some incompatibilities.
opcache.fast_shutdown=0

; Allow file existence override (file_exists, etc.) performance feature.
opcache.enable_file_override=0

; A bitmask, where each bit enables or disables the appropriate OPcache
; passes
opcache.optimization_level=0x7FFFBFFF

opcache.inherited_hack=1

opcache.dups_fix=0

; The location of the OPcache blacklist file (wildcards allowed).
; Each OPcache blacklist file is a text file that holds the names of files
; that should not be accelerated. The file format is to add each filename
; to a new line. The filename may be a full path or just a file prefix
; (i.e., /var/www/x blacklists all the files and directories in /var/www
; that start with 'x'). Line starting with a ; are ignored (comments).
opcache.blacklist_filename=

; Allows exclusion of large files from being cached. By default all files
; are cached.
opcache.max_file_size=0

; Check the cache checksum each N requests.
; The default value of "0" means that the checks are disabled.
opcache.consistency_checks=1

; How long to wait (in seconds) for a scheduled restart to begin if the cache
; is not being accessed.
opcache.force_restart_timeout=180

; OPcache error_log file name. Empty string assumes "stderr".
opcache.error_log=

; All OPcache errors go to the Web server log.
; By default, only fatal errors (level 0) or errors (level 1) are logged.
; You can also enable warnings (level 2), info messages (level 3) or
; debug messages (level 4).
opcache.log_verbosity_level=1

; Preferred Shared Memory back-end. Leave empty and let the system decide.
opcache.preferred_memory_model=

; Protect the shared memory from unexpected writing during script execution.
; Useful for internal debugging only.
opcache.protect_memory=0

; Allows calling OPcache API functions only from PHP scripts which path is
; started from specified string. The default "" means no restriction
opcache.restrict_api=

; Mapping base of shared memory segments (for Windows only). All the PHP
; processes have to map shared memory into the same address space. This
; directive allows to manually fix the "Unable to reattach to base address"
; errors.
;opcache.mmap_base=

; Enables and sets the second level cache directory.
; It should improve performance when SHM memory is full, at server restart or
; SHM reset. The default "" disables file based caching.
opcache.file_cache='/tmp/cache'

; Enables or disables opcode caching in shared memory.
opcache.file_cache_only=1

; Enables or disables checksum validation when script loaded from file cache.
opcache.file_cache_consistency_checks=1

; Implies opcache.file_cache_only=1 for a certain process that failed to
; reattach to the shared memory (for Windows only). Explicitly enabled file
; cache is required.
;opcache.file_cache_fallback=1

; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
; This should improve performance, but requires appropriate OS configuration.
opcache.huge_code_pages=0

; Validate cached file permissions.
opcache.validate_permission=0

; Prevent name collisions in chroot'ed environment.
opcache.validate_root=0
