Note: everything below was done on CentOS 6.5 x86_64.
# Preparation #
A while ago the PHP project published an important security update fixing two serious bugs in the unserialize() function. The affected versions are:
- <5.4.36
- <5.5.20
- <5.6.4
So here we download 5.6.4 directly and build it. MySQL and Apache need to be installed beforehand, and ideally Nginx as well.
Download PHP and build it from source (the download below is over plain HTTP, so compare the tarball's checksum with the one published on php.net before unpacking it):
# wget http://cn2.php.net/distributions/php-5.6.4.tar.gz
# tar zxf php-5.6.4.tar.gz
# cd php-5.6.4
# export LD_LIBRARY_PATH=/usr/local/mysql/lib
# ./configure --prefix=/usr/local/php-5.6.4 --with-config-file-path=/usr/local/php-5.6.4/etc --with-mysql=/usr/local/mysql --with-pdo-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-apxs2=/usr/local/apache/bin/apxs --enable-fpm --enable-shared --enable-zip --with-bz2 --enable-ftp --with-jpeg-dir --with-png-dir --with-freetype-dir --with-libxml-dir --with-xmlrpc --with-zlib-dir --with-gd --with-gmp --enable-gd-native-ttf --with-curl --with-regex=php --with-pic --with-xsl --enable-wddx --with-iconv --with-gettext --with-pear --enable-ctype --enable-calendar --enable-mbstring --enable-bcmath --enable-sockets --enable-exif --disable-rpath --with-mcrypt --with-mhash --with-openssl --enable-sysvsem --enable-sigchild --enable-sysvshm --enable-soap --disable-fileinfo --enable-opcache=no
...
Thank you for using PHP.
config.status: creating php5.spec
config.status: creating main/build-defs.h
config.status: creating scripts/phpize
config.status: creating scripts/man1/phpize.1
config.status: creating scripts/php-config
config.status: creating scripts/man1/php-config.1
config.status: creating sapi/cli/php.1
config.status: creating sapi/fpm/php-fpm.conf
config.status: creating sapi/fpm/init.d.php-fpm
config.status: creating sapi/fpm/php-fpm.service
config.status: creating sapi/fpm/php-fpm.8
config.status: creating sapi/fpm/status.html
config.status: creating sapi/cgi/php-cgi.1
config.status: creating ext/phar/phar.1
config.status: creating ext/phar/phar.phar.1
config.status: creating main/php_config.h
config.status: executing default commands
# make
...
Build complete.
Don't forget to run 'make test'.
# make install
...
Installing PHP SAPI module:       apache2handler
/usr/local/apache-2.4.10/build/instdso.sh SH_LIBTOOL='/usr/local/apr/build-1/libtool' libphp5.la /usr/local/apache-2.4.10/modules
/usr/local/apr/build-1/libtool --mode=install install libphp5.la /usr/local/apache-2.4.10/modules/
install .libs/libphp5.so /usr/local/apache-2.4.10/modules/libphp5.so
install .libs/libphp5.lai /usr/local/apache-2.4.10/modules/libphp5.la
libtool: install: warning: remember to run `libtool --finish /usr/local/src/php-5.6.4/libs'
chmod 755 /usr/local/apache-2.4.10/modules/libphp5.so
[activating module `php5' in /usr/local/apache-2.4.10/conf/httpd.conf]
Installing PHP CLI binary:        /usr/local/php-5.6.4/bin/
Installing PHP CLI man page:      /usr/local/php-5.6.4/php/man/man1/
Installing PHP FPM binary:        /usr/local/php-5.6.4/sbin/
Installing PHP FPM config:        /usr/local/php-5.6.4/etc/
Installing PHP FPM man page:      /usr/local/php-5.6.4/php/man/man8/
Installing PHP FPM status page:   /usr/local/php-5.6.4/php/fpm/
Installing PHP CGI binary:        /usr/local/php-5.6.4/bin/
Installing PHP CGI man page:      /usr/local/php-5.6.4/php/man/man1/
Installing build environment:     /usr/local/php-5.6.4/lib/php/build/
Installing header files:          /usr/local/php-5.6.4/include/php/
Installing helper programs:       /usr/local/php-5.6.4/bin/
  program: phpize
  program: php-config
Installing man pages:             /usr/local/php-5.6.4/php/man/man1/
  page: phpize.1
  page: php-config.1
Installing PEAR environment:      /usr/local/php-5.6.4/lib/php/
[PEAR] Archive_Tar    - installed: 1.3.12
[PEAR] Console_Getopt - installed:
[PEAR] Structures_Graph - installed: 1.0.
[PEAR] XML_Util       - installed: 1.2.3
[PEAR] PEAR           - installed: 1.9.5
Wrote PEAR system config file at: /usr/local/php-5.6.4/etc/pear.conf
You may want to add: /usr/local/php-5.6.4/lib/php to your php.ini include_path
/usr/local/src/php-5.6.4/build/shtool install -c ext/phar/phar.phar /usr/local/php-5.6.4/bin
ln -s -f /usr/local/php-5.6.4/bin/phar.phar /usr/local/php-5.6.4/bin/phar
Installing PDO headers:           /usr/local/php-5.6.4/include/php/ext/pdo/
# ln -s /usr/local/php-5.6.4/ /usr/local/php
PHP is now installed.
Since PHP 5.3.3 php-fpm ships inside the PHP source tree, so it no longer has to be patched in separately; passing --enable-fpm at configure time is enough.
FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with extra process-management features, which is very useful for sites under heavy load.
First add PHP's bin and sbin directories (php-fpm lives in sbin) to the system PATH:
# vim /etc/profile
export PHP_HOME=/usr/local/php
export PATH=$PATH:$PHP_HOME/bin:$PHP_HOME/sbin
$ source /etc/profile
$ php -version
PHP 5.6.4 (cli) (built: Jan  3 2015 11:16:17)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
Then copy the default configuration files into place and edit them:
# cp /usr/local/src/php-5.6.4/php.ini-production /usr/local/php-5.6.4/etc/php.ini
# cp /usr/local/php-5.6.4/etc/php-fpm.conf.default /usr/local/php-5.6.4/etc/php-fpm.conf
# vim /usr/local/php/etc/php.ini
date.timezone = Asia/Shanghai
# vim /usr/local/php/etc/php-fpm.conf
[global]
pid = /usr/local/php-5.6.4/var/run/php-fpm.pid
error_log = /usr/local/php-5.6.4/var/log/php-fpm.log
log_level = error
[www]
user = www
group = www
listen = 127.0.0.1:9000
listen.owner = www
listen.group = www
listen.mode = 0666
The pool runs as the www user and group, which must already exist on the system. listen.owner, listen.group and listen.mode only apply to a Unix socket; with the TCP listener above they are ignored, and a TCP listener should instead be restricted with listen.allowed_clients = 127.0.0.1 so that only the local web server can submit FastCGI requests (anything that can reach port 9000 can otherwise ask php-fpm to execute any file on disk).
Install the init script so php-fpm can be controlled with service, and enable it at boot:
# cp /usr/local/src/php-5.6.4/sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
# chmod +x /etc/init.d/php-fpm
# service php-fpm
Usage: /etc/init.d/php-fpm {start|stop|force-quit|restart|reload|status}
# chkconfig php-fpm on
Start php-fpm with service php-fpm start. If it fails like this (which did happen in practice):
Starting php-fpm /usr/local/php-5.6.4/sbin/php-fpm: error while loading shared libraries: libmysqlclient.so.18: cannot open shared object file: No such file or directory
 failed
the dynamic loader cannot find the MySQL client library PHP was linked against: the LD_LIBRARY_PATH export used for the build is not in effect for the service. Register /usr/local/mysql/lib with the loader by listing it in a file under /etc/ld.so.conf.d/ and running ldconfig, then start php-fpm again; this time it starts.
Now edit nginx.conf so that Nginx hands .php requests to php-fpm, and check that the PHP environment works:
# vim /usr/local/nginx/conf/nginx.conf
http {
    server {
        listen 80;
        server_name localhost;
        root html;
        index index.html index.php;
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi.conf;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}
fastcgi_pass must match the listen address of the [www] pool, and try_files $uri =404 makes Nginx refuse requests whose script does not exist on disk instead of forwarding them to php-fpm (see cgi.fix_pathinfo below).
# vim /usr/local/nginx-1.6.2/html/phpinfo.php
<?php phpinfo(); ?>
# chown -R www:www /usr/local/nginx-1.6.2
Start Nginx and open http://youripaddress/phpinfo.php in a browser; the phpinfo() page should appear. Delete phpinfo.php as soon as the check is done, since it discloses build options, paths and loaded extensions to anyone who can reach it. Note also that handing the whole Nginx install tree to www with chown -R is more than needed: the worker user only has to read the document root (and write to any upload directory), not the binary or the configuration.
Quite often PHP also needs extension support for things like memcache, redis or mongodb; a few examples follow.
1. Installing the memcache extension:
# wget http://pecl.php.net/get/memcache-2.2.7.tgz
# tar zxf memcache-2.2.7.tgz
# cd memcache-2.2.7
# /usr/local/php-5.6.4/bin/phpize
# ./configure --with-php-config=/usr/local/php-5.6.4/bin/php-config
# make && make install
Installing shared extensions:     /usr/local/php-5.6.4/lib/php/extensions/no-debug-zts-20131226/
2. Installing the memcached extension (with SASL support):
1) First install the SASL development environment with yum (the cyrus-sasl-devel package provides the headers libmemcached needs).
2) Then download and build libmemcached:
# wget https://launchpad.net/libmemcached/1.0/1.0.18/+download/libmemcached-1.0.18.tar.gz
# tar zxf libmemcached-1.0.18.tar.gz
# cd libmemcached-1.0.18
# ./configure --prefix=/usr/local/libmemcached-1.0.18 --enable-sasl
# make && make install
3) Finally build the memcached extension itself:
# wget http://pecl.php.net/get/memcached-2.2.0.tgz
# tar zxf memcached-2.2.0.tgz
# cd memcached-2.2.0
# /usr/local/php-5.6.4/bin/phpize
# ./configure --with-php-config=/usr/local/php-5.6.4/bin/php-config --with-libmemcached-dir=/usr/local/libmemcached-1.0.18 --enable-memcached-sasl
# make && make install
Installing shared extensions:     /usr/local/php-5.6.4/lib/php/extensions/no-debug-zts-20131226/
Note: the libmemcached built earlier must have SASL support, otherwise configure fails with:
configure: error: no, libmemcached sasl support is not enabled. Run configure with --disable-memcached-sasl to disable this check
3. Installing the redis extension:
# wget http://pecl.php.net/get/redis-2.2.7.tgz
# tar zxf redis-2.2.7.tgz
# cd redis-2.2.7
# /usr/local/php-5.6.4/bin/phpize
# ./configure --with-php-config=/usr/local/php-5.6.4/bin/php-config
# make && make install
Installing shared extensions:     /usr/local/php-5.6.4/lib/php/extensions/no-debug-zts-20131226/
Then enable the three extensions in php.ini (they were installed into the default extension_dir, so no path is needed) and restart php-fpm:
# vim /usr/local/php-5.6.4/etc/php.ini
extension=memcache.so
extension=memcached.so
extension=redis.so
# Security configuration #
1. Restrict which files scripts can reach. By default PHP lets a script open any file on the server that the worker user can read, so limit it to the web roots and the other directories it genuinely needs with open_basedir. Every path PHP must touch has to be listed, including upload_tmp_dir and a file-based session.save_path, or uploads and sessions stop working. For example:
# vim /usr/local/php/etc/php.ini
open_basedir=/data/php/uploads:/data/www/proj1:/data/www/proj2
2. Disable dangerous functions. These are the ones PHP web shells rely on to run commands, for example:
# vim /usr/local/php/etc/php.ini
disable_functions = dl,assert,exec,popen,system,passthru,shell_exec,proc_close,proc_open,pcntl_exec
(assert can be listed here because in PHP 5 it is still an ordinary function. Treat the list as a baseline and extend it with anything else the application never calls.)
3. Keep register_globals off. The directive was removed in PHP 5.4, so on this 5.6.4 build there is nothing left to turn off, but it does no harm to leave the line in place:
register_globals = Off
4. magic_quotes_gpc (also removed in PHP 5.4) used to prefix single quotes, double quotes and backslashes in GET, POST and cookie data with a backslash. Contrary to what is often claimed, it was never an effective SQL injection defence: it is addslashes() applied blindly, it knows nothing about the connection character set, and it does nothing for values interpolated into numeric contexts. On PHP 5.6.4 the setting below no longer exists; use prepared statements with bound parameters (PDO or mysqli) instead.
magic_quotes_gpc = On
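The following is an added example, not code from the original post, showing why magic_quotes_gpc (which applied addslashes() to every request value) is not an injection defence and what a prepared statement changes. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; this assumes the pdo_sqlite extension is present (it is bundled with PHP 5.6 and built by default). The table, its rows and the attacker payload are constructed for the demonstration.

```php
<?php
// Added example: magic-quotes style escaping versus a prepared statement.
// Assumes pdo_sqlite (bundled with PHP 5.6). Table and rows are constructed here.

function setupDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (id, name) VALUES (?, ?)');
    foreach (array(1 => 'alice', 2 => 'bob', 3 => 'carol') as $id => $name) {
        $insert->execute(array($id, $name));
    }
    return $db;
}

// What magic_quotes_gpc did to every GET/POST/Cookie value before the script saw it.
function magicQuotes($value)
{
    return addslashes($value);
}

// Vulnerable: the "escaped" value is interpolated into an unquoted numeric comparison,
// so the backslashes added by magicQuotes() never come into play; the attacker does not
// need a single quote character at all.
function findUserUnsafe(PDO $db, $id)
{
    $id  = magicQuotes($id);
    $sql = "SELECT name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the shape of the input, then bind it as a parameter so the
// database receives it as data and never parses it as part of the SQL text.
function findUserSafe(PDO $db, $id)
{
    if (!preg_match('/^\d+$/', (string) $id)) {
        return array();              // reject anything that is not a decimal integer
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db      = setupDb();
$payload = '1 OR 1=1';   // constructed attacker input: contains no quotes, so addslashes() leaves it untouched

echo "unsafe query with payload:\n";
print_r(findUserUnsafe($db, $payload));
echo "safe query with payload:\n";
print_r(findUserSafe($db, $payload));
echo "safe query with a real id:\n";
print_r(findUserSafe($db, '2'));
```

Run it with the CLI binary built above. The unsafe query returns every name in the table even though the input went through the same escaping magic_quotes_gpc applied, while the hardened version rejects the payload outright and still answers normal lookups; the same structure (validate, then bind) applies unchanged to the mysqli and pdo_mysql drivers compiled into this build.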
5. Turn off error display, because error messages can reveal server paths, database details and so on.
display_errors = Off
6. Turn on error logging instead (log_errors = On, with error_log pointing at a log file), and consider keeping that log next to the web server's logs.
7. Forbid access to remote files: letting include/fopen fetch URLs turns an ordinary application bug into remote file inclusion and makes it far easier to exploit. Turn it off; if the application needs to talk to remote servers, use libcurl instead.
allow_url_fopen = Off
allow_url_include = Off
8. safe_mode was removed in PHP 5.4, so on this build the following line has no effect; the controls that replace it are open_basedir, disable_functions and running each application's pool as its own unprivileged user.
safe_mode = On
9. Set cgi.fix_pathinfo = 0. With the default of 1, a request such as /uploads/avatar.jpg/x.php matches the Nginx \.php$ location, and PHP then walks back along the path and executes avatar.jpg, an attacker-uploaded file, as PHP. Setting it to 0 (together with try_files $uri =404 in the Nginx location above) closes this hole:
cgi.fix_pathinfo = 0
10. Make sure PHP (FastCGI) does not run as root. A php-cgi process has to be started after switching (su) to an unprivileged user; php-fpm workers already run as the user and group set in the pool (user = www above), and that setting must not be changed to root (php-fpm refuses to run a pool as root unless started with -R / --allow-to-run-as-root). For example:
# ps aux | grep php-fpm
root  28953  0.0  1.1 196060 5736 ?     Ss  12:21  0:00 php-fpm: master process (/usr/local/php-5.6.4/etc/php-fpm.conf)
www   28954  0.0  1.0 196060 5504 ?     S   12:21  0:00 php-fpm: pool www
www   28955  0.0  1.0 196060 5504 ?     S   12:21  0:00 php-fpm: pool www
root  28974  0.0  0.1 103252  836 pts/0  S+  12:22  0:00 grep php-fpm
Note: only the master process runs as root (it binds the listener and drops privileges when forking workers); the two pool workers run as www, which is what we want.
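Added example, not part of the original post: an audit script that checks whether the hardening settings from the list above are actually in effect in the SAPI that serves requests. Run it through php-fpm (drop it under the web root temporarily, fetch it, then delete it) rather than from the CLI, because the php-cli SAPI forces display_errors on and may read a different ini file. The list of directives and functions mirrors the items above; the /etc/passwd probe and the finding texts are this example's own.

```php
<?php
// Added example: verify the hardening items above inside the running SAPI.
// Probe path (/etc/passwd) and message wording are this example's own.

// Interpret an ini value the way PHP does: "", "0", "off", "no", "false", "none" are off.
function iniBool($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true);
}

// Functions the hardening list expects to be disabled.
function dangerousFunctions()
{
    return array('dl', 'assert', 'exec', 'popen', 'system', 'passthru',
                 'shell_exec', 'proc_close', 'proc_open', 'pcntl_exec');
}

// Return a list of findings; an empty list means every check passed.
function auditHardening()
{
    $findings = array();

    foreach (array('display_errors', 'allow_url_fopen', 'allow_url_include',
                   'cgi.fix_pathinfo') as $directive) {
        if (iniBool($directive)) {
            $findings[] = "$directive is on";
        }
    }
    if (!iniBool('log_errors')) {
        $findings[] = 'log_errors is off';
    }

    // function_exists() returns false for a function removed by disable_functions,
    // so this checks what the engine enforces, not only what the ini file says.
    foreach (dangerousFunctions() as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn is still callable";
        }
    }

    // open_basedir: empty means unrestricted. When it is set, a stat outside the
    // allowed paths quietly returns false, so probe with a file that always exists.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is not set';
    } elseif (@file_exists('/etc/passwd')) {
        $findings[] = 'open_basedir does not exclude /etc';
    }

    // Worker identity: pool processes must not be root (the posix extension is built by default).
    if (function_exists('posix_geteuid') && posix_geteuid() === 0) {
        $findings[] = 'PHP is running as root';
    }

    return $findings;
}

header('Content-Type: text/plain');
$findings = auditHardening();
echo 'SAPI: ' . PHP_SAPI . "\n";
echo $findings ? implode("\n", $findings) . "\n" : "all checks passed\n";
```

The first line of the output names the SAPI, which is the quickest way to notice that the script was run by the CLI instead of by php-fpm; every following line is one hardening item that is not in effect and needs attention.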
# Performance configuration #
Performance settings exist to make PHP run well; most of them depend on the application and on the hardware, so the values below are only a reference.
1. Uploads, execution time and memory:
# vim /usr/local/php/etc/php.ini
file_uploads = On
upload_tmp_dir = /data/php/upload
upload_max_filesize = 5M
post_max_size = 8M
max_execution_time = 30
max_input_time = 60
memory_limit = 32M
post_max_size must stay larger than upload_max_filesize, and if open_basedir is set (as in the security section above) upload_tmp_dir has to be one of the listed directories; note that the open_basedir example there lists /data/php/uploads while this one uses /data/php/upload, so use the same path in both places.
2. Use Alibaba Cloud OCS (memcache protocol) instead of files as the session store (this needs the memcached extension built with SASL support earlier), for example:
# vim /usr/local/php/etc/php.ini
;session.save_handler = files
;session.save_path = "/tmp"
;session.save_path = /data/php/session
;session.gc_maxlifetime = 1440
session.save_handler = memcached
session.save_path = something.m.cnszalist3pub001.ocs.aliyuncs.com:11211
session.gc_maxlifetime = 3600
[memcached]
memcached.use_sasl = On
memcached.sess_binary = On
memcached.sess_sasl_username = yourusername
memcached.sess_sasl_password = yourpassword
memcached.sess_locking = Off
memcached.sess_prefix = "memc.sess.key."
The SASL credentials now live in php.ini, so keep that file unreadable to other local users, and be aware that sess_locking = Off drops the protection against two concurrent requests overwriting each other's session data.
Note: other caches such as memcache or redis are configured in the same way.
# vim ocs.php
<?php
// Quick connectivity test for OCS through the pecl memcached extension,
// using the binary protocol with SASL authentication.
$mem = new Memcached('ocs');                                  // 'ocs' is the persistent-connection id
$mem->setOption(Memcached::OPT_COMPRESSION, false);
$mem->setOption(Memcached::OPT_BINARY_PROTOCOL, true);       // SASL requires the binary protocol
$mem->addServer('something.m.cnszalist3pub001.ocs.aliyuncs.com', 11211);
$mem->setSaslAuthData('yourusername', 'yourpassword');      // same credentials as in php.ini
$key = 'key';
$mem->set($key, 'ocs cache value');
$cache = $mem->get($key);
if (empty($cache)) {
    echo "Oh, No!";
} else {
    echo "Thanks God, the cache value is '{$cache}'";
}
?>