Linux系统环境
[root@nginx01 ~]# cat /etc/redhat-release #==》系统版本
CentOS release 6.7 (Final)
[root@nginx01 ~]# uname -r #==》内核版本
2.6.32-573.el6.x86_64
[root@nginx01 ~]# uname -m #==》系统架构
x86_64
[root@nginx01 ~]# echo $LANG #==》系统字符集
en_US.UTF-8
[root@lamp ~]# mysql -uroot -p123456 #==》mysql版本(注意:把密码直接写在命令行会留在shell历史和ps输出中,实际操作建议只写 -p 按提示输入,或用 --defaults-extra-file 从受权限保护的文件读取凭据)
Server version: 5.5.32 MySQL Community Server (GPL)
[root@lnmp ~]# /application/nginx/sbin/nginx -v #==》nginx版本
nginx version: nginx/1.16.0
[root@lnmp ~]# /application/php/bin/php -v #==》PHP版本
PHP 5.3.27 (cli) (built: Jul 9 2019 14:54:53)
#==》注意:PHP 5.3 分支已于2014年8月停止维护,不再有安全更新;下面的php.ini加固只能降低风险,不能替代升级到受支持的PHP版本
PHP配置文件(Lnmp)
提示:/application/php是 PHP安装目录
/application/php/lib/php.ini #==》PHP主配置文件php.ini,适用于apache和nginx
/application/php/etc/php-fpm.conf #==》php-fpm的配置文件,用于nginx+FastCGI方式(运行用户、进程池、request_terminate_timeout等都在这里设置)
/application/php/sbin/php-fpm #==》PHP的FastCGI二进制启动命令
/application/php/bin/phpize #==》编译PHP扩展前需先运行此命令生成构建环境
/application/php/bin/php-config #==》编译PHP插件需要指定的PHP编译文件
一、PHP.ini配置文件
#==》/application/php是PHP程序目录
[root@nginx01 ~]# vim /application/php/lib/php.ini
338行:php安全模式(仅PHP 5.3及以下可用,已废弃,不要依赖它)
#==》php的安全模式是php内嵌的一个限制机制,能够限制部分函数的执行(如system()只能执行safe_mode_exec_dir目录下的程序),并对很多文件操作函数做UID比较检查。但官方已明确说明safe_mode在架构上是错误的,不能作为安全边界:它在PHP 5.3中被废弃、5.4中已删除,且存在大量绕过方式。真正的隔离应依靠操作系统层面的手段:不同站点使用独立的php-fpm进程池和运行用户、收紧文件权限,并配合open_basedir和下面的disable_functions
; Safe Mode
; [http://php.net/safe-mode](http://php.net/safe-mode)#==》官方说明
safe_mode = On #==》默认情况下是Off关闭。本环境是PHP 5.3可以开启,但只能作为辅助措施,不要把它当作隔离的依据;升级到5.4及以上后该指令不再生效
344行:用户组安全(建议Off关闭)
#==》safe_mode开启时,PHP打开文件前会比较脚本属主UID与被访问文件属主UID是否相同;safe_mode_gid=On会把检查放宽为只比较GID,也就是同组其他用户拥有的文件也可以被访问。保持Off(严格的UID比较)更安全
; By default, Safe Mode does a UID compare check when
; opening files. If you want to relax this to a GID compare,
; then turn on safe_mode_gid.
; [http://php.net/safe-mode-gid](http://php.net/safe-mode-gid) #==》官方说明
safe_mode_gid = Off #==》默认情况是Off关闭
385行:关闭危险函数(建议设置相关控制)
#==》注意:函数禁用与安全模式无关(见下面官方说明中的*NOT* affected),开了安全模式也仍然需要disable_functions,safe_mode本身并不会完全阻止system()等函数。凡是业务代码不需要的命令执行函数都应禁用,例如system()等能执行系统命令的函数,以及能泄露服务器信息的phpinfo(),可以参考以下配置
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; [http://php.net/disable-functions](http://php.net/disable-functions) #==》官方说明
#==》默认设置为空
disable_functions = system,passthru,exec,shell_exec,popen,proc_open,pcntl_exec,phpinfo
#==》以上列出的是命令执行类函数(proc_open、pcntl_exec经常被webshell用来绕过只禁了system/exec的配置),可以再结合以下的文件操作函数进一步抵制大部分phpshell;但下面这些函数很多正常应用也会用到,禁用前务必与开发人员确认,否则会影响业务。另外注意两点:php.ini中同一指令出现多次时以最后一次为准,所以不要把两行都取消注释,而应合并成一行;指令名是disable_functions(带s),写成disable_function既不会生效也不会报错
;disable_functions=chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
435行:关闭PHP版本信息在http_header头中的显示(建议Off关闭)
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; [http://php.net/expose-php](http://php.net/expose-php) #==》官方说明
expose_php = Off #==》默认是On开启,建议Off关闭。关闭后不再发送 X-Powered-By: PHP/x.x 响应头,也不再响应 ?=PHPE9568F34-... 这类"彩蛋"查询串;但这只是减少信息泄露,扫描器仍可通过其它特征判断,不能代替及时打补丁
703行:关闭注册全局变量(建议Off关闭)
#==》在PHP中提交变量,包括使用POST或者GET提交的变量,都将自动注册为全局变量,能够直接访问,这是对服务器非常不安全的,所以我们不能让它注册为全局变量,就把注册全局变量选择关闭,需要告知PHP程序员此参数设置问题
; Whether or not to register the EGPCS variables as global variables. You may
; want to turn this off if you don't want to clutter your scripts' global scope
; with user data.
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
; [http://php.net/register-globals](http://php.net/register-globals) #==》官方说明
register_globals = Off #==》默认是Off关闭(PHP 5.3已废弃、5.4已删除该指令,不要写依赖它为On的代码)
756行:magic_quotes_gpc(建议Off关闭,不要用它来防SQL注入)
#==》SQL注入是非常危险的问题,轻则网站后台被入侵,重则整个服务器沦陷。不少旧资料建议开启magic_quotes_gpc,让PHP自动把用户提交数据中的单引号'转成\'等;但官方说明(见下)已指出它不可能100%准确(多字节字符集、不同数据库的转义规则都会让它失效,而且对不加引号的数字参数完全无效),并且在PHP 5.3已废弃、5.4已删除。正确做法是在代码中使用预处理语句/参数化查询(PDO或mysqli的prepare+bind),至少也要使用数据库专用的转义函数如mysqli_real_escape_string()。生产环境建议Off,否则代码迁移到新版本PHP时行为会发生变化
; Magic quotes are a preprocessing feature of PHP where PHP will attempt to
; escape any character sequences in GET, POST, COOKIE and ENV data which might
; otherwise corrupt data being placed in resources such as databases before
; making that data available to you. Because of character encoding issues and
; non-standard SQL implementations across many databases, it's not currently
; possible for this feature to be 100% accurate. PHP's default behavior is to
; enable the feature. We strongly recommend you use the escaping mechanisms
; designed specifically for the database your using instead of relying on this
; feature. Also note, this feature has been deprecated as of PHP 5.3.0 and is
; scheduled removed in PHP 5.4.
; Default Value: On
; Development Value: Off
; Production Value: Off
; [http://php.net/magic-quotes-gpc](http://php.net/magic-quotes-gpc) #==》官方说明
magic_quotes_gpc = Off #==》内建默认值为On(见上面Default Value),php.ini-production则设为Off。建议Off,并让开发人员用参数化查询防注入;若旧代码依赖该特性,关闭前先确认并改造
538行:错误信息控制(建议Off关闭)
#==》一般php在没有连接到数据库或者其他情况下会有提示错误,一般错误信息中包含php脚本当前的路径信息或者查询SQL语句等信息,这类信息提供给黑客查看到,是不安全的,服务器一般建议禁止错误提示
;是否将错误信息作为输出一部分显示给终端用户,应用调试时,可以打开,方便查看错误
;在最终发布web站点上,强烈建议你关掉这个特性,并使用错误日志代替
;在最终发布的web站点打开这个特性可能暴露一些安全信息
;例如你的web服务上的文件路径、数据库路径或别的信息
; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
; it could be very dangerous in production environments. Depending on the code
; which is triggering the error, sensitive information could potentially leak
; out of your application such as database usernames and passwords or worse.
; It's recommended that errors be logged on production servers rather than
; having the errors sent to STDOUT.
; Possible Values:
; Off = Do not display any errors
; stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
; On or stdout = Display errors to STDOUT
; Default Value: On
; Development Value: On
; Production Value: Off
; [http://php.net/display-errors](http://php.net/display-errors) #==》官方说明
display_errors = Off #==》内建默认值为On(见上面Default Value),生产环境必须Off。如果确实要显示错误信息,一定要同时限制报告的错误级别,例如只报告警告及以上级别:
error_reporting = E_ERROR | E_WARNING | E_PARSE #==》注意这些常量是位掩码,要用按位或 | 组合;原文写法 E_WARNING & E_ERROR 是按位与,结果为0,等于什么都不报告。error_reporting同时也决定哪些错误会写进日志,所以生产环境更常见的写法是 E_ALL & ~E_DEPRECATED & ~E_STRICT 并配合display_errors=Off
559行:错误日志开启(建开启错误日志功能后指定错误日志路径)
#==》建议在关闭display_errors后能够把错误信息记录下来,便于查找服务器运行原因
; Besides displaying errors, PHP can also log errors to locations such as a
; server-specific log, STDERR, or a location specified by the error_log
; directive found below. While errors should not be displayed on productions
; servers they should still be monitored and logging is a great way to do that.
; Default Value: Off
; Development Value: On
; Production Value: On
; [http://php.net/log-errors](http://php.net/log-errors) #==》官方说明
log_errors = On #==》内建默认值为Off(见上面Default Value),php.ini-production设为On,生产环境必须On
643行:指定错误日志存放路径(此功能前提先On开启错误日志功能后此功能才生效)
; Log errors to specified file. PHP's default behavior is to leave this value
; empty.
; [http://php.net/error-log](http://php.net/error-log) #==》官方说明
; Example:
error_log = /app/logs/php_errors.log #==》/app/logs此目录要存在,且php-fpm运行用户(见php-fpm.conf中的user/group)必须有写权限;日志里会记录文件路径、SQL语句等敏感信息,因此不要放在网站根目录下,文件权限建议限制为仅运行用户可读写,并定期轮转
; Log errors to syslog (Event Log on NT, not valid in Windows 95).
;error_log = syslog
444行:设置每个脚本运行的最长时间
#==》当无法上传较大的文件或者后台备份数据经常超时,此时需要调整如下设置:
;每个脚本最大允许执行时间(秒),0表示没有限制
;这个参数有助于阻止劣质脚本无何止的占用服务器资源
;该指令仅影响脚本本身的运行时间,任何其它花费在脚本运行之外的时间
;如system()、sleep()等函数调用、数据库查询、文件上传等,都不包括在内
;在安全模式下,你不能用ini_set()在运行时改变这个设置。另外nginx+php-fpm环境下,php-fpm.conf中的request_terminate_timeout也会终止超时请求,两者要配合设置
; Maximum execution time of each script, in seconds
; [http://php.net/max-execution-time](http://php.net/max-execution-time) #==》官方说明
; Note: This directive is hardcoded to 0 for the CLI SAPI
max_execution_time = 30
465行:每个脚本使用的最大内存
;一个脚本所能够申请到的最大内存字节数(可以使用K和M作为单位)
;这有助于防止劣质脚本消耗完服务器上的所有内存
;该指令在当前版本总是可用(只有很早的版本才需要在编译时加"--enable-memory-limit"选项)
;如果要取消内存限制,则必须设置为-1(生产环境不建议这样做)
;设置了该指令后,memory_get_usage()函数可用于查看当前占用
; Maximum amount of memory a script may consume (128MB)
; [http://php.net/memory-limit](http://php.net/memory-limit) #==》官方说明
memory_limit = 32M #==》默认值为128M,建议在满足应用需要的前提下设小一些;设得过低会导致脚本因内存不足而Fatal error,上线前要用真实业务(如后台导出、图片处理)验证
454行:每个脚本等待输入数据的最长时间
;每个脚本解析输入数据(POST,GET,upload)的最大允许时间(秒)
;-1表示不限制
; Maximum amount of time each script may spend parsing request data. It's a good
; idea to limit this time on productions servers in order to eliminate unexpectedly
; long running scripts.
; Note: This directive is hardcoded to -1 for the CLI SAPI
; Default Value: -1 (Unlimited)
; Development Value: 60 (60 seconds)
; Production Value: 60 (60 seconds)
; http://php.net/max-input-time
max_input_time = 60
891行:上传文件的最大许可大小
; Maximum allowed size for uploaded files.
; [http://php.net/upload-max-filesize](http://php.net/upload-max-filesize) #==》官方说明
upload_max_filesize = 2M #==》默认2M,根据需求调整;同时post_max_size必须大于等于该值,否则上传仍会失败。注意这只是大小限制,并不校验文件类型,上传文件的扩展名/内容检查以及禁止上传目录执行PHP,仍需在应用和nginx层面处理
902行:限制把远程URL当作文件打开(建议Off关闭)
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = Off #==》默认On。开启时file_get_contents()、fopen()等可以直接读取http://、ftp://地址,被webshell或存在漏洞的代码利用后可用来下载恶意文件或对内网发起请求(SSRF);若应用确实需要抓取远程URL,可保持On但改用curl扩展并在代码中校验目标地址。另外务必确认 allow_url_include = Off(PHP 5.2起默认Off),这一项才是阻止include()/require()远程文件包含(RFI)的关键