PHP – 第6页 – Linux系统运维日志

利用docker-compose安装lnmp(Nginx mariadb php7.0 )

对于Docker来说，最大的便利就是能快速的搭建起一个个的容器，容器之间可以通过网络和文件来进行通信。

之前我已经将自己的博客使用docker搭建起来了，这里简单记录一下docker-compose文件内容。

我的博客的架构为lnmp，依赖的容器有：

Nginx(Port:80)
mariadb(Port:3306)
wordpress+php7.0-fpm(Port:9000)
phpmyadmin(Port:8009)

docker-compose.yml文件内容如下

nginx:
    image: nginx:latest
    ports:
        - '80:80'
    volumes:
        - ./nginx:/etc/nginx/conf.d
        - ./logs/nginx:/var/log/nginx
        - ./jialeens:/var/www/html
    links:
        - wordpress
    restart: always

mysql:
    image: mariadb
    ports:
        - '3306:3306'
    volumes:
        - ./db-data:/var/lib/mysql
    environment:
        - MYSQL_ROOT_PASSWORD=******
    restart: always

wordpress:
    image: wordpress:4.8.0-php7.0-fpm
    ports:
        - '9000:9000'
    volumes:
        - ./jialeens:/var/www/html
    environment:
        - WORDPRESS_DB_NAME=***
        - WORDPRESS_TABLE_PREFIX=wp_
        - WORDPRESS_DB_HOST=mysql
        - WORDPRESS_DB_PASSWORD=*****
    links:
        - mysql
    restart: always
phpmyadmin:
  image: phpmyadmin/phpmyadmin
  links:
    - mysql
  environment:
    PMA_HOST: mysql
    PMA_PORT: 3306
  ports:
    - '8009:80'

Nginx配置文件：

jialeens.com.conf

server {
    listen 80;
    server_name jialeens.com www.jialeens.com;

    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
    client_max_body_size 100m;
    root /var/www/html;
    index index.php;

    access_log /var/log/nginx/jialeens-access-http.log;
    error_log /var/log/nginx/jialeens-error-http.log;

    if ($host = 'jialeens.com') {
        return 301 http://www.jialeens.com$request_uri;
    }
    location ~* ^.+.(js|ico|gif|jpg|jpeg|png|html|htm)$ {
       log_not_found off;
       access_log off;
       expires 7d;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ .php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+.php)(/.+)$;
        fastcgi_pass wordpress:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "upload_max_filesize=128M n post_max_size=128M";
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

因为流量不大，所以没做fastcgi的缓存，以后有空再弄吧。

Centos 6.5安装PDO PHP扩展

PHP 数据对象PDO扩展为PHP访问数据库定义了一个轻量级的一致接口。PDO 提供了一个数据访问抽象层，这意味着，不管使用哪种数据库，都可以用相同的函数（方法）来查询和获取数据。最近在我们的建站和OA系统交流群中，有对服务器运维不熟悉的朋友问到关于PHP的PDO扩展安装的问题。本文我们将和大家一起分享如何在服务器上安装PDO扩展。

环境

服务器系统：Centos6.5 （虚拟机演示）
PHP软件包存放目录：/data/php-5.6.14/
PHP安装目录：/usr/local/php/
mysql安装目录：/usr/local/mysql/

操作流程

通过phpinfo()函数我们可以检查服务器是否安装了PDO扩展。如果没有找到PDO扩展信息，那我们通过如下步骤来进行安装：

找到你的PHP的安装包（我的放在/data/php-5.6.14/目录下），并进入PHP扩展的pdo_mysql目录，运行下面命令：

/usr/local/php/bin/phpize

(/usr/local/php/是我的PHP安装目录，大家根据实际情况修改即可)

未分类

执行完上面命令后，我们就会发现当前pdo_msyql目录下就出现了configure文件。

未分类

然之我们执行下面命令：

./configure --with-php-config=/usr/local/php/bin/php-config --with-pdo-mysql=/usr/local/mysql/

参数说明：

–with-php-config=/usr/local/php/bin/php-config 指定安装 PHP 的时候的配置
–with-pdo-MySQL=/usr/local/mysql/ 指定 MySQL 数据库的安装目录位置
（这里具体PHP和msyql的安装目录大家根据自己实际情况而定）

继续编译安装：

make && make install

命令执行完毕，效果如下：

未分类

足以最后一行的那个目录，后面会用到，此时生成的pdo_mysql.so文件就在该目录下：

未分类

接下来我们修改PHP配置文件,打开的你的php.ini文件，并添加一行代码：

extension=/usr/local/php/lib/php/extensions/no-debug-non-zts-20131226/pdo_mysql.so

（这里是我演示的pdo_mysql.so目录，大家设置时根据自己的实际目录添加）

未分类

最后保存推出，并重启服务。然后使用phpinfo()函数检查一下PDO扩展安装是否成功，结果如下，说明PDO扩展安装成功。

未分类

本文我们和大家一起分享了如何在linux系统中，安装PHP的PDO扩展，如果大家在实际操作中有什么问题，欢迎一起交流讨论，我们共同学习，共同进步。

CentOS 7.0安装LAMP服务器(PHP+MariaDB+Apache)

1、关闭firewall：

systemctl stop firew
alld.service #停止firewall
systemctl disable firewalld.service #禁止firewall开机启动

2、安装iptables防火墙（#可不安装）

yum install iptables-services #安装
vi /etc/sysconfig/iptables #编辑防火墙配置文件

//配置文件：
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
//:wq! #保存退出

关闭 SELINUX

vi /etc/selinux/config
#SELINUX=enforcing #注释掉
#SELINUXTYPE=targeted #注释掉
SELINUX=disabled #增加
:wq! #保存退出
setenforce 0 #使配置立即生效

一、Apache安装

yum install httpd #根据提示，输入Y安装即可成功安装
systemctl start httpd.service #启动apache
systemctl stop httpd.service #停止apache
systemctl restart httpd.service #重启apache
systemctl enable httpd.service #设置apache开机启动

二、安装MariaDB

yum install mariadb mariadb-server 
//#询问是否要安装，输入Y即可自动安装,直到安装完成
systemctl start mariadb.service #启动MariaDB
systemctl stop mariadb.service #停止MariaDB
systemctl restart mariadb.service #重启MariaDB
systemctl enable mariadb.service #设置开机启动
cp /usr/share/mysql/my-huge.cnf /etc/my.cnf 
//拷贝配置文件（注意：如果/etc目录下面默认有一个my.cnf，直接覆盖即可）

设置密码

mysql_secure_installation
systemctl restart mariadb.service

三、安装PHP

//主程序
yum install php
//安装模块
yum install php-mysql php-gd libjpeg* php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-bcmath php-mhash
systemctl restart mariadb.service #重启MariaDB
systemctl restart httpd.service #重启apache

四、安装phpMyAdmin

//主程序
sudo yum install phpmyadmin php-mcrypt

//修改配置文件
vi /etc/httpd/conf.d/phpMyAdmin.conf 

<Directory /usr/share/phpMyAdmin/>
  AddDefaultCharset UTF-8

  <IfModule mod_authz_core.c>
   # Apache 2.4
   <RequireAny>
    #Require ip 127.0.0.1
    #Require ip ::1
    Require all granted
   </RequireAny>
  </IfModule>
  <IfModule !mod_authz_core.c>
   Order Deny,Allow
   Deny from All
   Allow from 127.0.0.1
   Allow from ::1
  </IfModule>
</Directory>

<Directory /usr/share/phpMyAdmin/setup/>
  <IfModule mod_authz_core.c>
   # Apache 2.4
   <RequireAny>
    #Require ip 127.0.0.1
    #Require ip ::1
    Require all granted
   </RequireAny>
  </IfModule>
  <IfModule !mod_authz_core.c>
   Order Deny,Allow
   Deny from All
   Allow from 127.0.0.1
   Allow from ::1
  </IfModule>
</Directory>

systemctl restart httpd #重启httpd

Ubuntu 16.04 apt安装Nginx PHP5.6 MySQL5.6

在Ubuntu 16.04中使用源安装Nginx+PHP5.6+MySQL5.6的方法。

安装Nginx

1、首先添加nginx_signing.key(必须，否则出错)

$ wget http://nginx.org/keys/nginx_signing.key

$ sudo apt-key add nginx_signing.key

2、添加]Nginx](http://nginx.org/)官方提供的源

$ echo "deb http://nginx.org/packages/ubuntu/ trusty nginx" >> /etc/apt/sources.list

$ echo "deb-src http://nginx.org/packages/ubuntu/ trusty nginx" >> /etc/apt/sources.list

3、更新源并安装Nginx

$ sudo apt-get update

$ sudo apt-get install nginx

4、安装Nginx完成后可查看版本号，输入

$ /usr/sbin/nginx -v

安装PHP5.6

1、添加PPA

$ sudo apt-get install python-software-properties software-properties-common

$ sudo add-apt-repository ppa:ondrej/php

$ sudo apt-get update

2、安装PHP5.6以及所需的一些扩展

$ sudo apt-get install php5.6-fpm php5.6-mysql php5.6-common php5.6-curl php5.6-cli php5.6-mcrypt php5.6-mbstring php5.6-dom

3、配置PHP5.6

打开php.ini配置文件:

$ sudo vim /etc/php/5.6/fpm/php.ini

找到cgi.fix_pathinfo选项，去掉注释;，然后将值设置为0:

cgi.fix_pathinfo = 0;
display_errors  =  On

location ~ .php$ {
          # include snippets/fastcgi-php.conf;
        #
          # # With php7.0-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # # With php7.0-fpm:
                fastcgi_param SCRIPT_FILENAME     documentroot fastcgi_script_name;
                  fastcgi_pass unix:/run/php/php5.6-fpm.sock;
                  fastcgi_index index.php;
                  include fastcgi_params;
}

安装MySQL

$ sudo apt-get install mysql-server-5.6 mysql-client-5.6

途中会提示设置MySQL的密码，安装好后：

$ mysql -uroot -p

然后输入刚刚设置的密码，能成功进入即成功安装。

Zabbix 3.2.1运行在PHP 7.1.7出现的问题解决

安装完成用admin账号登陆后，出现红色的框框显示这个：

A non well formed numeric value encountered [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CView->getOutput() → include() → make_status_of_zbx() → CFrontendSetup->checkRequirements() → CFrontendSetup->checkPhpMemoryLimit() → str2mem() in include/func.inc.php:410]
A non well formed numeric value encountered [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CView->getOutput() → include() → make_status_of_zbx() → CFrontendSetup->checkRequirements() → CFrontendSetup->checkPhpPostMaxSize() → str2mem() in include/func.inc.php:410]
A non well formed numeric value encountered [zabbix.php:21 → require_once() → ZBase->run() → ZBase->processRequest() → CView->getOutput() → include() → make_status_of_zbx() → CFrontendSetup->checkRequirements() → CFrontendSetup->checkPhpUploadMaxFilesize() → str2mem() in include/func.inc.php:410]

网上查了一下，这是因为PHP 7.1.7类型强化，处理方法是找到Zabbix WEB目录下include/func.inc.php文件，修改它

sed -i '/$last = strtolower(substr($val, -1));/a$val = substr($val,0,-1);' func.inc.php

问题依然未能解决，后来查看了一下func.inc.php代码，跳转到报错的位置#410，通过网上的解决方法分析，应该是val这个变量类型问题，在403行后添加一行$val = substr($val,0,-1); 保存修改后的文件，重新访问zabbix web界面即可。

openssl undefined reference to `SSLv2_client_method’

今天在Ubuntu 11.10编译php-5.2.17的时候出现如下的错误：

php-5.2.17/ext/openssl/xp_ssl.c:357: undefined reference to `SSLv2_server_method’
php-5.2.17/ext/openssl/xp_ssl.c:337: undefined reference to `SSLv2_client_method’
collect2: ld returned 1 exit status
make: *** [sapi/cgi/php-cgi] 错误 1

这个需要一个补丁禁用openssl的SSLv2_client_method，方法如下：

cd php-5.2.17/
wget http://devops.webres.wang/wp-content/uploads/2012/06/debian_patches_disable_SSLv2_for_openssl_1_0_0.patch
patch -p1 < debian_patches_disable_SSLv2_for_openssl_1_0_0.patch

然后再重新编译php

make clean
make && make install

配置PHP与Oracle数据库连接

首先确认你已经安装有oracle 11g，下面是在装有oracle 11g的centos-6 64位配置php与oracle连接的事例。

安装oracle即时客户端

到这里http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html下载oracle-instantclient11.2-basic，oracle-instantclient11.2-devel，oracle-instantclient11.2-sqlplus文件，开始安装：

rpm -ivh oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64.rpm

vi /etc/ld.so.conf.d/oracle-lib.conf

加入：

/usr/lib/oracle/11.2/client64/lib/

ldconfig

安装OCI8 PHP扩展

cd /tmp
wget http://pecl.php.net/get/oci8-1.4.7.tgz
tar xzf oci8-1.4.7.tgz
cd oci8-1.4.7
phpize
./configure –with-oci8=shared,instantclient,/usr/lib/oracle/11.2/client64/lib/
make && make install

在/etc/php.ini中加入：

extension = "oci8.so"

接着使用php -m查看模块是否已经被加载

PHP环境安全性能检查

PHP在Linux环境下安全配置是一个复杂的过程，其中涉及到很多的细节设置，在这里发出来一个脚本，通过这个脚本来检测你的PHP环境是否存在安全隐患，从而针对这些对你的PHP环境进行加固。
功能：

1.检测PHP环境安全配置

2.应禁用的功能。

3.危险的设置，可能会导致本地或远程文件包含。

4.错误处理。

5.在编译时定义的常量。

安装PHP环境后，将此三个文件脚本放在网站web目录下（audit.php php.xml style.css ）进行浏览器查看，他将在你配置的基础中通过XML文件中匹配规则检测出可能存在的配置错误，存在问题的选项它会用红色突出的颜色显示。当然还有一些东西可以根据你的要求更改。
效果如下：

audit.php

<?php
/**
* PHP Security Auditor
*/
class Audit {
static private $rules;
static private $constants;
static private $phpVer;
static public $report;
/**
* Converts settings such as 1M 1G 1K to their byte equivilent values
*
* @param string $n
* @return string
*/
static private function convertToBytes($n) {
// If n is -1 then there is no limit
if ($n == -1)
return PHP_INT_MAX;
switch (substr($n, -1)) {
case "B": return substr($n,0,-1);
case "K": return substr($n,0,-1) * 1024;
case "M": return substr($n,0,-1) * 1024 * 1024;
case "G": return substr($n,0,-1) * 1024 * 1024 * 1024;
}
return $n;
}
static private function MakeReport($type, $title) {
ksort(self::$report[$type]);
$html = ‘<h1>’ . $title . ‘</h1><table><tr class="h"><th>Setting</th><th>Current</th><th>Recomended</th><th>Description</th></tr>’;
foreach(self::$report[$type] as $key => $values)
{
if ($values[‘p’] == 1) $class="r";
else $class="v";
$html .= ‘<tr><td class="e">’ . htmlentities($key) . ‘</td>’ .
‘<td class="’. $class .’">’ . htmlentities($values[‘c’]) . ‘</td>’ .
‘<td class="’. $class .’">’ . htmlentities($values[‘r’]) . ‘</td>’ .
‘<td class="’. $class .’">’ . htmlentities($values[‘d’]) . ‘</td></tr>’;
}
$html .= ‘</table>’;
return $html;
}
static public function HTMLReport()
{
$class = "";
$html = ‘<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">’ .
‘<html><head>’ .
‘<link rel="stylesheet" type="text/css" media="all" href="style.css"/>’ .
‘</head><body>’;
$html .= self::MakeReport("ini", "PHP INI");
$html .= self::MakeReport("disabled", "PHP Disabled Functions");
$html .= self::MakeReport("const", "PHP CONST");
$html .= ‘</html>’;
echo($html . "n");
}
/**
* Adds an item to the reporting array.
*
* @param string $type – the type (ini or const)
* @param string $key – the name of the variable
* @param string $currentValue – the current ini or const value
* @param string $recomended – the recomended value
* @param string $desc – a description of the issue
* @param boolean $problem – true if not complaint, false if compliant
*/
static private function Report($type, $key, $currentValue, $recomended, $desc, $problem)
{
if (isset(self::$report[$type][$key]))
if ((self::$report[$type][$key][‘r’] < $recomended)
&& (self::$report[$type][$key[‘p’]] == 1))
return;
self::$report[$type][$key] = array(
"c" => $currentValue,
"r" => $recomended,
"d" => $desc,
"p" => $problem
);
}
/**
* Loads the rules from an XML file
*
* @param string $file
*/
static public function LoadRules($file = "php.xml")
{
if (!defined(‘PHP_VERSION_ID’))
{
$version = explode(".", PHP_VERSION);
self::$phpVer = ($version[0] * 10000 + $version[1] * 100 + $version[2]);
} else
self::$phpVer = PHP_VERSION_ID;
self::$constants = get_defined_constants();
self::$rules = simplexml_load_file($file);
}
/**
* Processes the XML ruleset against const and ini values found in PHP
*
*/
static public function ProcessXML() {
foreach(self::$rules as $null => $entry) {
$ruleID = $entry->attributes()->id;
// Check the version of PHP the rule applies to
$version = (string)$entry->version;
if ($version != "") {
$op = (string)$entry->version->attributes()->op;
switch ($op) {
case ‘before’:
if ($version < self::$phpVer)
continue 2;
break;
}
}
// Evaluate the rule as we are sure it applys to the version of PHP running
switch((string)$entry->type)
{
// Look at CONST values in PHP
case "const":
$key = (string)$entry->key; // e.g LIBXML_NOENT
$cValue = self::$constants[$key]; // The current value
$rValue = (string)$entry->value; // The recomended value
$desc = (string)$entry->description; // Description
switch((string)$entry->value->attributes()->op)
{
case "eq":
self::Report("const", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
break;
}
break;
// Check the list of functions that should be restricted
case "disable_functions":
$disabled = ini_get("disable_functions");
$list = explode(",", $disabled);
$xmlList = (array)($entry->list);
$xmlList = $xmlList[‘function’];
foreach($xmlList as $null => $function) {
$de = array_search($function, $list);
self::Report("disabled", $function, (($de == 0) ? "enabled" : "disabled"), "disabled", "", (($de == 0) ? 1 : 0));
}
break;
// Look at values defined within the INI files
case "ini":
$key = (string)$entry->key; // e.g. display_errors
$cValue = trim(self::convertToBytes(ini_get($key))); // Current value
$rValue = (string)$entry->value; // Recomended value
$desc = (string)$entry->description; // Description
if (is_numeric($rValue) && $cValue == "") $cValue = "0";
// Deals with where one value should be compared to another
if ((string)$entry->value->attributes()->type == "key")
$rValue = self::convertToBytes(ini_get((string)$entry->value));
switch((string)$entry->value->attributes()->op)
{
// Equal to
case "eq":
self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue == $rValue) ? 0 : 1);
break;
// Less than or equal to
case "lt":
self::Report("ini", $key, $cValue, "< $rValue", $desc, ($cValue <= $rValue) ? 0 : 1);
break;
// Greater than or equal to
case "gt":
self::Report("ini", $key, $cValue, "> $rValue", $desc, ($cValue >= $rValue) ? 0 : 1);
break;
// Not equal to
case "ne":
$neValue = (string)$entry->value->attributes()->net;
$notBlank = (string)$entry->value->attributes()->notblank;
if ($notBlank == "true") {
self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != "") ? 0 : 1);
break;
}
self::Report("ini", $key, $cValue, $rValue, $desc, ($cValue != $neValue) ? 0 : 1);
break;
}
break;
}
}
}
}
Audit::LoadRules();
Audit::ProcessXML();
Audit::HTMLReport();

php.xml代码如下：

<?xml version="1.0" encoding="UTF-8"?>
<rules>
<entry id="1">
<type>ini</type>
<key>upload_max_filesize</key>
<value op="lt">4194304</value>
<description>Sets the maximum size of an uploaded file. Reduce this to mitigate the risk of DOS attacks.</description>
</entry>
<entry id="29">
<type>ini</type>
<key>upload_max_filesize</key>
<value op="lt" type="key">memory_limit</value>
<description>The maximum size of an uploaded file should be able to fit within the avaliable memory limit.</description>
</entry>
<entry id="30">
<type>ini</type>
<key>post_max_size</key>
<value op="lt" type="key">memory_limit</value>
<description>The maximum post size of data posted to the server should be within the avaliable memory limit.</description>
</entry>
<entry id="32">
<type>ini</type>
<key>always_populate_raw_post_data</key>
<value op="eq">0</value>
<description>This does not need to be used. The preferred method for accessing the raw POST data is php://input.</description>
</entry>
<entry id="33">
<type>ini</type>
<key>magic_quotes_gpc</key>
<value op="eq">0</value>
<description>Sets magic_quotes state for GPC (GET PUT COOKIE) data. Relying on this feature is highly discouraged.</description>
<version op="before">50300</version>
<url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc</url>
</entry>
<entry id="34">
<type>ini</type>
<key>magic_quotes_runtime</key>
<value op="eq">0</value>
<description>Sets magic_quotes state for data from external sources. Relying on this feature is highly discouraged.</description>
<version op="before">50300</version>
<url>http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime</url>
</entry>
<entry id="35">
<type>ini</type>
<key>safe_mode</key>
<value op="eq">0</value>
<description>This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.</description>
<version op="before">50300</version>
</entry>
<entry id="36">
<type>ini</type>
<key>memory_limit</key>
<value op="lt">16777216</value>
<description>The maximum memory limit for each script should be 16M or less.</description>
</entry>
<entry id="5">
<type>ini</type>
<key>upload_max_filesize</key>
<value op="lt" type="key">post_max_size</value>
<description>The maximum upload file size should be less than or equal to the maximum post size.</description>
</entry>
<entry id="2">
<type>ini</type>
<key>max_file_uploads</key>
<value op="lt">10</value>
<description>The maximum mumber of files that can be uploaded in 1 go.</description>
</entry>
<entry id="3">
<type>ini</type>
<key>file_uploads</key>
<value op="eq">0</value>
<description>This may be impractical but if not needed file uploading should be disabled.</description>
</entry>
<entry id="4">
<type>ini</type>
<key>post_max_size</key>
<value op="lt">4194304</value>
<description>The maximum post size should as small as reasonably possible to mitigate the risk of DOS attacks.</description>
</entry>
<entry id="6">
<type>ini</type>
<key>register_long_arrays</key>
<value op="eq">0</value>
<description>Populates HTTP_*_VARS which should no longer be used.</description>
<version op="before">50300</version>
</entry>
<entry id="7">
<type>ini</type>
<key>register_globals</key>
<value op="eq">0</value>
<description>Highly dangerous feature enabling variables to be defined in scripts from the GPC paramaters. This should be always be turned off.</description>
<version op="before">50300</version>
</entry>
<entry id="8">
<type>ini</type>
<key>session.hash_function</key>
<value op="eq">1</value>
<description>MD5 should be replaced with SHA-160 as it is a more complex and secure hashing algorithm.</description>
<version op="after">50000</version>
</entry>
<entry id="9">
<type>ini</type>
<key>session.hash_bits_per_character</key>
<value op="gt">5</value>
<description>The number of bits encoded per character of the session key.</description>
<version op="after">50000</version>
</entry>
<entry id="10">
<type>ini</type>
<key>session.entropy_file</key>
<value op="ne" net="">/dev/random</value>
<description>Provides a random seed for generating the session.</description>
</entry>
<entry id="11">
<type>ini</type>
<key>session.entropy_length</key>
<value op="gt">32</value>
<description>The number of bytes to read for gathering entropy for session generation.</description>
</entry>
<entry id="12">
<type>ini</type>
<key>session.name</key>
<value op="ne" net="PHPSESSID">Custom String</value>
<description>The name given to the PHP Session. It is recomended this be changed from the default.</description>
</entry>
<entry id="14">
<type>ini</type>
<key>session.save_path</key>
<value op="ne" net="/tmp" notblank="true">/custom/location</value>
<description>The save path for the session should be changed from the default /tmp.</description>
</entry>
<entry id="15">
<type>ini</type>
<key>session.use_trans_sid</key>
<value op="eq">0</value>
<description>Sessions should not be allowed in GET paramaters.</description>
</entry>
<entry id="18">
<type>ini</type>
<key>display_errors</key>
<value op="eq">0</value>
<description>Error messages should be suppressed</description>
</entry>
<entry id="19">
<type>ini</type>
<key>allow_url_fopen</key>
<value op="eq">0</value>
<description>Remote files should not be accessable using fopen.</description>
</entry>
<entry id="20">
<type>ini</type>
<key>allow_url_include</key>
<value op="eq">0</value>
<description>You should not be able to include remote scripts using include.</description>
</entry>
<entry id="31">
<type>ini</type>
<key>session.cookie_httponly</key>
<value op="eq">1</value>
<description>Cookies must be httponly by default</description>
<version op="after">50200</version>
</entry>
<entry id="20">
<type>ini</type>
<key>open_basedir</key>
<value op="ne" net="/" notblank="true">/the/webroot</value>
<description>Limit the files that can be opened by PHP to the webroot.</description>
</entry>
<entry id="32">
<type>ini</type>
<key>upload_tmp_dir</key>
<value op="ne" net="/tmp" notblank="true">/custom/location</value>
<description>Change the location of where files are initally uploaded to</description>
</entry>
<entry id="21">
<type>ini</type>
<key>max_execution_time</key>
<value op="lt">20</value>
<description>Execution time should be limited to 20 seconds or less.</description>
</entry>
<entry id="22">
<type>ini</type>
<key>max_input_nesting_level</key>
<value op="lt">32</value>
<description>Maximum level of nesting of objects 32 is sufficent.</description>
</entry>
<entry id="23">
<type>ini</type>
<key>enable_dl</key>
<value op="eq">0</value>
<description>Disable loading of dynamic extensions.</description>
</entry>
<entry id="24">
<type>ini</type>
<key>display_startup_errors</key>
<value op="eq">0</value>
<description>Startup errors should be suppressed.</description>
</entry>
<entry id="25">
<type>ini</type>
<key>log_errors</key>
<value op="eq">1</value>
<description>All errors generated by PHP should be logged to a file.</description>
</entry>
<entry id="26">
<type>ini</type>
<key>log_errors_max_len</key>
<value op="gt">2048</value>
<description>At least 2048 characters of the error message should be stored in the error log.</description>
</entry>
<entry id="27">
<type>ini</type>
<key>error_log</key>
<value op="ne" net="">/custom/location</value>
<description>Should be set to the location of the php error log.</description>
</entry>
<entry id="28">
<type>const</type>
<key>LIBXML_NOENT</key>
<value op="eq">0</value>
<description>External entities should be disabled for XML parsing</description>
</entry>
<entry id="37">
<type>ini</type>
<key>session.use_only_cookies</key>
<value op="eq">1</value>
<description>Session variables should only be passed in cookies.</description>
</entry>
<entry id="29">
<type>const</type>
<key>LIBXML_NONET</key>
<value op="eq">0</value>
<description>Network access for XML parsers should be disabled.</description>
</entry>
<entry id="38">
<type>disable_functions</type>
<list>
<function>fsocket_open</function>
<function>pack</function>
<function>escapeshellarg</function>
<function>escapeshellcmd</function>
<function>exec</function>
<function>passthru</function>
<function>proc_close</function>
<function>php_uname</function>
<function>getmyuid</function>
<function>getmypid</function>
<function>passthru</function>
<function>leak</function>
<function>listen</function>
<function>diskfreespace</function>
<function>tmpfile</function>
<function>link</function>
<function>ignore_user_abort</function>
<function>set_time_limit</function>
<function>limit</function>
<function>exec</function>
<function>highlight_file</function>
<function>show_source</function>
<function>fpaththru</function>
<function>virtual</function>
<function>posix_ctermid</function>
<function>posix_getcwd</function>
<function>posix_getegid</function>
<function>posix_geteuid</function>
<function>posix_getgid</function>
<function>posix_getgrgid</function>
<function>posix_getgrnam</function>
<function>posix_getgroups</function>
<function>posix_getlogin</function>
<function>posix_getpgid</function>
<function>posix_getpgrp</function>
<function>posix_getpid</function>
<function>posix</function>
<function>posix_getpwnam</function>
<function>posix_getpwuid</function>
<function>posix_getrlimit</function>
<function>posix_getsid</function>
<function>posix_getuid</function>
<function>posix_isatty</function>
<function>posix_kill</function>
<function>posix_mkfifo</function>
<function>posix_setegid</function>
<function>posix_seteuid</function>
<function>posix_setgid</function>
<function>posix_setpgid</function>
<function>posix_setsid</function>
<function>posix_setuid</function>
<function>posix_times</function>
<function>posix_ttyname</function>
<function>posix_uname</function>
<function>proc_open</function>
<function>proc_close</function>
<function>proc_get_status</function>
<function>proc_nice</function>
<function>proc_terminate</function>
<function>phpinfo</function>
<function>proc_open</function>
<function>shell_exec</function>
<function>system</function>
<function>set_time_limit</function>
<function>ini_alter</function>
<function>dl</function>
<function>popen</function>
<function>parse_ini_file</function>
</list>
</entry>
</rules>

style.css代码如下：

@CHARSET "UTF-8";
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
pre {margin: 0px; font-family: monospace;}
table {border-collapse: collapse;}
td, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline; padding-left:5px; padding-right:5px;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccccff; font-weight: bold; color: #000000;}
.h {background-color: #9999cc; font-weight: bold; color: #000000;}
.v {background-color: #cccccc; color: #000000; padding-left:5px;}
.r {background-color: #c50000; color: #000000; padding-left:5px;}

三个文件已经打包：php-security-check.zip
转自：http://lanlan611.sinaapp.com/?p=112

php sockets扩展安装

今天安装cacti发现需要php sockets扩展，而现在的lnmp没有安装，于是想到了phpize工具安装扩展，安装方法如下：

cd php-5.3.8/ext/sockets/
/usr/local/php/bin/phpize
./configure –enable-sockets –with-php-config=/usr/local/php/bin/php-config
make
make install

接着在/etc/php.ini添加加载扩展代码：

extension=sockets.so

service php-fpm reload或service httpd reload

undefined reference to `libiconv_open’ collect2: ld returned 1 exit status错误

今天有一网友反映使用lnmp一键安装包无法安装php，叫他发错误文件给我看，发现提示这样的错误：

undefined reference to `libiconv_open’
collect2: ld returned 1 exit status

这个错误的原因可能php找不到iconv库文件，所以我们需要下载安装它。

#wget http://ftp.gnu.org/pub/gnu/libiconv/libiconv-1.14.tar.gz
#tar -zxvf libiconv-1.14.tar.gz
#cd libiconv-1.14
# ./configure –prefix=/usr/local/libiconv
# make
# make install

完成之后在编译php的./configure命令加上–with-iconv=/usr/local/libiconv指向iconv位置。
这样应该能解决这个问题。