CentOS安装PHP-5.6.4+扩展安装+安全配置+性能配置

前端之家收集整理的这篇文章主要介绍了CentOS安装PHP-5.6.4+扩展安装+安全配置+性能配置前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。


注:以下所有操作均在CentOS 6.5 x86_64位系统下完成。

#准备工作#

前段时间PHP官方发布了一个重要的安全升级公告,修复了两个unserialize函数的严重漏洞,目前受影响的版本有:

@H_301_12@
  • <5.4.36
  • <5.5.20
  • <5.6.4
  • 这里我们直接下载5.6.4的版本进行安装配置,并且在这之前需要先把MysqL和Apache已经安装好,最好Nginx也先安装好.

    #PHP的安装#

    开始下载PHP并进行编译安装:

    # wget http://cn2.PHP.net/distributions/PHP-5.6.4.tar.gz
    # tar zxf PHP-5.6.4.tar.gz
    # cd PHP-4
    # export LD_LIBRARY_PATH=/usr/local/MysqL/lib
    # ./configure --prefix=/usr/local/PHP-4 --with-config-file-path=/usr/local/PHP-4/etc --with-MysqL=/usr/local/MysqL --with-pdo-MysqL=/usr/local/MysqL --with-MysqLi=/usr/local/MysqL/bin/MysqL_config --with-apxs2=/usr/local/apache/bin/apxs --enable-fpm --enable-shared --enable-zip --with-bz2 --enable-ftp --with-jpeg-dir --with-png-dir --with-freetype-dir --with-libxml-dir --with-xmlrpc --with-zlib-dir --with-gd --with-gmp --enable-gd-native-ttf --with-curl --with-regex=PHP --with-pic --with-xsl --enable-wddx --with-iconv --with-gettext --with-pear --enable-ctype --enable-calendar --enable-mbstring --enable-bcmath --enable-sockets  --enable-exif --disable-rpath  --with-mcrypt --with-mhash  --with-openssl --enable-sysvsem --enable-sigchild --enable-sysvshm --enable-soap  --disable-fileinfo --enable-opcache=no
    ...
    Thank you for using PHP.
    
    config.status: creating PHP5.spec
    config.status: creating main/build-defs.h
    config.status: creating scripts/PHPize
    config.status: creating scripts/man1/PHPize.1
    config.status: creating scripts/PHP-config
    config.status: creating scripts/man1/PHP-config.
    config.status: creating sapi/cli/PHP.
    config.status: creating sapi/fpm/PHP-fpm.conf
    config.status: creating sapi/fpm/init.d.PHP-fpm
    config.status: creating sapi/fpm/PHP-fpm.service
    config.status: creating sapi/fpm/PHP-fpm.8
    config.status: creating sapi/fpm/status.html
    config.status: creating sapi/cgi/php-cgi.
    config.status: creating ext/phar/phar.
    config.status: creating ext/phar/phar.phar.
    config.status: creating main/PHP_config.h
    config.status: executing default commands
    
    # make
    ...
    Build complete.
    Don't forget to run 'make test.
    
    # make install
    ...
    Installing PHP SAPI module:       apache2handler
    /usr/local/apache-2.4.10/build/instdso.sh SH_LIBTOOL=/usr/local/apr/build-1/libtool' libPHP5.la /usr/local/apache-10/modules
    /usr/local/apr/build-1/libtool --mode=install install libPHP5.la /usr/local/apache-10/modules/
    install .libs/libPHP5.so /usr/local/apache-10/modules/libPHP5.so
    install .libs/libPHP5.lai /usr/local/apache-libPHP5.la
    libtool: install: warning: remember to run `libtool --finish /usr/local/src/PHP-4/libs'
    chmod 755 /usr/local/apache-libPHP5.so
    [activating module `PHP5 in /usr/local/apache-2.4.10/conf/httpd.conf]
    Installing PHP CLI binary:        /usr/local/PHP-4/bin/
    Installing PHP CLI man page:      /usr/local/PHP-4/PHP/man/man1/
    Installing PHP FPM binary:        /usr/local/PHP-4/sbin/
    Installing PHP FPM config:        /usr/local/PHP-4/etc/
    Installing PHP FPM man/man8/
    Installing PHP FPM status page:   /usr/local/PHP-4/PHP/fpm/
    Installing PHP CGI binary:        /usr/local/PHP-
    Installing PHP CGI 
    Installing build environment:     /usr/local/PHP-4/lib/PHP/build/
    Installing header files:          /usr/local/PHP-4/include/PHP/
    Installing helper programs:       /usr/local/PHP-
      program: PHPize
      program: PHP-config
    Installing man pages:             /usr/local/PHP-
      page: PHPize.
      page: PHP-config.
    Installing PEAR environment:      /usr/local/PHP-4/lib/PHP/
    [PEAR] Archive_Tar    - installed: 1.3.12
    [PEAR] Console_Getopt - installed: 
    [PEAR] Structures_Graph- installed: 1.0.
    [PEAR] XML_Util       - installed: 1.2.3
    [PEAR] PEAR           - installed: 1.9.5
    Wrote PEAR system config file at: /usr/local/PHP-pear.conf
    You may want to add: /usr/local/PHP-4/lib/PHP to your PHP.ini include_path
    /usr/local/src/PHP-4/build/shtool install -c ext/phar/phar.phar /usr/local/PHP-4/bin
    ln -s -f /usr/local/PHP-4/bin/phar.phar /usr/local/PHP-phar
    Installing PDO headers:          /usr/local/PHP-4/include/PHP/ext/pdo/
    
    # ln -s /usr/local/PHP-4/ /usr/local/PHP

    PHP的upload和session添加目录支持

    # mkdir -p /data/PHP/upload
    # mkdir -p /data/PHP/session

    至此,PHP已经安装完毕。

    #PHP-FPM的启动/关闭/重启#

    PHP-5.3.3开始,PHP源码中包含了PHP-fpm,不需要再单独通过布丁的方式来安装PHP-fpm,在编译的时候加入参数--enable-fpm即可。

    FPM(FastCGI Process Manager)用于替换PHP FastCGI的大部分附加功能,对于高负载网站非常有用。

    首先将bin/PHP-fpm加入到系统PATH中:

    # vim /etc/profile
    
    export PHP_HOME=/usr/local/PHP
    export PATH=$PATH:$PHP_HOME/bin:$PHP_HOME/sbin
    
    $ source /etc/profile
    
    $ PHP -version
    PHP 4 (cli) (built: Jan  3 2015 11:16:17)
    Copyright (c) 1997-2014 The PHP Group
    Zend Engine v2.6.0,Copyright (c) 1998-2014 Zend Technologies

    然后复制默认的配置文件

    # cp /usr/local/src/PHP-4/PHP.ini-production /usr/local/PHP-PHP.ini
    # cp /usr/local/PHP-4/etc/PHP-fpm.conf.default /usr/local/PHP-4/etc/PHP-fpm.conf

    接下来修改默认配置文件

    # vim /usr/local/PHP/etc/PHP.ini
    
    date.timezone = Asia/Shanghai
    
    # vim /usr/local/PHP/etc/PHP-fpm.conf
    
    [global]
    pid = /usr/local/PHP-4/var/run/PHP-fpm.pid
    error_log = /usr/local/PHP-4/var/log/PHP-fpm.log
    log_level = error
    
    [www]
    user = www
    group = www
    listen = 127.0.0.1:9000
    listen.owner = www
    listen.group = www
    listen.mode = 0666

    添加启动脚本,之后可以使用service来启动PHP-fpm程序,并且设置开机自启动:

    # 4/sapi/fpm/init.d.PHP-fpm /etc/init.d/PHP-fpm
    # chmod +x /etc/init.d/PHP-fpm
    # service PHP-fpm
    Usage: /etc/init.d/PHP-fpm {start|stop|force-quit|restart|reload|status}
    # chkconfig PHP-fpm on

    启动PHP-fpm:

    # service PHP-fpm start
    Starting PHP-fpm  done

    如果启动的时候出现错误(实际操作中发现存在该情况):

    Starting PHP-fpm /usr/local/PHP-4/sbin/PHP-fpm: error while loading shared libraries: libMysqLclient.so.18: cannot open shared object file: No such file or directory
     Failed

    则将MysqL的so库文件copy到系统下:

    # cp /usr/local/MysqL/lib/libMysqLclient.so.18 /usr/lib64/

    再来重新启动PHP,这次启动成功。

    #PHP+Nginx#

    现在来编辑Nginx.conf以支持PHP解析,查看当前PHP环境是否可以正常运行:

    # vim /usr/local/Nginx/conf/Nginx.conf
    
    http {
        server {
            listen       80;
            server_name  localhost;
            root         html;
            index        index.html index.PHP;
            location ~ \.PHP$ {
                try_files      $uri = 404;
                include        fastcgi.conf;
                fastcgi_pass   ;
                fastcgi_index  index.PHP;
                fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            }
        }
    }

    然后编写一个简单的PHP文件,用来显示当前PHP环境信息:

    # vim /usr/local/Nginx-1.6.2/html/PHPinfo.PHP
    
    <?PHP
    PHPinfo();
    ?>chown -R www:www /usr/local/Nginx-2

    启动Nginx,并打开浏览器访问地址http://youripaddress/PHPinfo.PHP应该可以看到:

    至此,NginxPHP已经可以正常协同工作。

    #PHP的扩展安装#

    很多时候我们还需要给PHP安装各种扩展支持,比如memcache、redis、mongodb等,下面用几个例子来说明下。

    1、安装memcache扩展:

    # pecl.PHP.net/get/memcache-2.2.7.tgz
    # tar zxf memcache-2.2.7.tgz
    # cd memcache-
    # /usr/local/PHP-PHPize
    # ./configure --with-PHP-config=/usr/local/PHP-4/bin/PHP-config
    # make && 
    Installing shared extensions:     /usr/local/PHP-4/lib/PHP/extensions/no-debug-zts-20131226/

    2、安装memcached扩展(支持SASL):

    1)首先可以使用yum安装SASL环境:

    # yum install cyrus-sasl-plain cyrus-sasl cyrus-sasl-devel cyrus-sasl-lib

    2)然后下载并安装libmemecached:

    # wget https:launchpad.net/libmemcached/1.0/1.0.18/+download/libmemcached-1.0.18.tar.gz
    # tar zxf libmemcached-18..gz
    # cd libmemcached-18
    # ./configure --prefix=/usr/local/libmemcached-18 --enable-sasl
    # install

    3)最后再安装memcached扩展:

    # pecl.PHP.net/get/memcached-2.2.0.tgz
    # tar zxf memecached-0.tgz
    # cd memecached-4/bin/PHP-config --with-libmemcached-dir=/usr/local/libmemcached-18 --enable-memcached-20131226/

    注:前面安装的libmemcached必须支持SASL,否则可能出现如下错误

    configure: error: no,libmemcached sasl support is not enabled. Run configure with --disable-memcached-sasl to disable this check

    3、安装redis扩展:

    # pecl.PHP.net/get/redis-2.2.7.tgz
    # tar zxf redis-.tgz
    # cd redis-20131226/

    扩展安装完之后,还要打开PHP.ini文件编辑如下:

    # vim /usr/local/PHP-PHP.ini
    
    extension=memcache.so
    extension=memcached.so
    extension=redis.so

    #PHP的安全配置#

    1、控制脚本访问权限。由于PHP默认配置允许PHP脚本程序访问服务器上的任意文件,为避免PHP脚本访问不该访问的文件,需要设置PHP只能访问网站目录或其他必须可访问的目录。比如:

    # vim /usr/local/PHP/etc/PHP.ini
    
    open_basedir=/data/PHP/uploads:/data/www/proj1:/data/www/proj2

    2、禁止使用PHP危险函数,这些函数都是PHP木马常用的,比如:

    # vim /usr/local/PHP/etc/PHP.ini
    
    disable_functions = dl,assert,exec,popen,system,passthru,shell_exec,proc_close,proc_open,pcntl_exec

    3、关闭注册全局变量PHP-5.3.*和PHP-5.4.*中已废除)

    register_globals = Off

    4、开启magic_quotes_gpc(PHP-5.3.*和PHP-5.4.*中已废除),由于magic_quotes_gpc会把引用的数据中包含单引号'和双引号"以及反斜线 \自动加上反斜线,自动转译符号,确保数据操作的正确运行,magic_quotes_gpc的设定值将会影响通过Get/Post/Cookies获得的数据,可以有效的防止sql注入漏洞。

    magic_quotes_gpc = On

    5、关闭错误信息提示,因为这些错误信息可能泄漏服务器的路径信息和数据库信息等。

    display_errors = Off

    6、开启错误日志记录,可以考虑跟Web服务器的日志放在一起,比如:

    log_errors = On
    error_log = /data/logs/PHP/PHP_error.log

    7、禁止访问远程文件,因为访问URL远程资源使得程序的漏洞变得更加容易被利用,关闭之,如果要访问远程服务器建议采用其他方式比如libcurl库。

    allow_url_fopen = Off
    allow_url_include = Off

    8、开启PHP安全模式(PHP-5.3.*和PHP-5.4.*中已废除)

    safe_mode = On

    9、补上Nginx文件解析漏洞。

    cgi.fix_pathinfo = 0

    10、确保PHP(FastCGI)以非root权限启动。如果是php-cgi进程,需要su道普通用户再启动;PHP-fpm进程默认已是非root用户进行,配置中配置即可,不能修改为root运行。比如这里:

    root     28953  0.0  1.1 196060  5736 ?        Ss   12:21   0:00 PHP-fpm: master process (/usr/local/PHP-4/etc/PHP-fpm.conf)                                                        
    www      28954  1.0 5504 ?        S    00 PHP-fpm: pool www                                                                                                            
    www      28955  fpm: pool www                                                                                                               
    root     28974  0.1 103252   836 pts/0    S+   22   00 grep PHP-fpm

    注:这里只有master是root用户权限,其他两个pool中的进程都是www用户,这是正确的。

    #PHP性能配置#

    性能配置主要是为了让PHP能够运行得更好,这里很多时候需要根据业务的需求和当前系统的配置来设置,以下的配置只作为参考作用。

    1、配置上传文件大小限制(一般不超过2MB)

    # vim /usr/local/PHP/etc/PHP.ini
    
    file_uploads = On
    upload_tmp_dir = /data/PHP/upload
    upload_max_filesize = 5M
    post_max_size = 8M
    
    max_execution_time = 30
    max_input_time = 60
    memory_limit = 32M

    2、使用阿里云的OCS(memcache)来代替文件作为session的存储(这里需要前面安装memcached的扩展库,并且支持SASL),比如:

    # vim /usr/local/PHP/etc/PHP.ini
    
    ;session.save_handler = files
    ;session.save_path = "/tmp"
    ;session.save_path = /data/PHP/session
    ;session.gc_maxlifetime = 1440
    
    session.save_handler = memcached
    session.save_path = something.m.cnszalist3pub001.ocs.aliyuncs.com:11211
    session.gc_maxlifetime = 3600
    
    [memcached]
    memcached.use_sasl = On
    memcached.sess_binary = On
    memcached.sess_sasl_username = yourusername
    memcached.sess_sasl_password = yourpassword
    memcached.sess_locking = Off
    memcached.sess_prefix = memc.sess.key."

    注:使用其他的诸如memcache或redis缓存也是类似上面的配置。

    可以编写一个简单的OCS的PHP代码来进行测试,比如:

    # vim ocs.PHP
    
    <?PHP
    $mem = new Memcached(ocs);
    $mem->setOption(Memcached::OPT_COMPRESSION,false);
    $mem->setOption(Memcached::OPT_BINARY_PROTOCOL,255)">true);
    $mem->addServer(something.m.cnszalist3pub001.ocs.aliyuncs.com",11211);
    $mem->setSaslAuthData();
    
    $key = key;
    $mem->set($key,0)">ocs cache value);
    $cache = $mem->get($key);
    if (empty($cache)) {
        echo Oh,No!;
    } else {
        Thanks God,the cache value is '{$cache}';
    }
    ?>

    猜你在找的CentOS相关文章