nginx, php-fpm on a separate server: Bad Gateway (and security too)

This is a multi-part question.

First, I'm getting a 502 Bad Gateway, but I'm pretty sure it's because one of my lines below is wrong.

Second, I'd love to know how I did "security-wise". I understand that many of the guides out there give terrible advice. I've tried to pull all the knowledge together sensibly, but I'm very new, so I may have missed something. Security is very important to me, so if you feel like it, I'd appreciate a quick and dirty "audit".

For my topology, I'm using EC2 with a VPC, Amazon Linux AMI. I have an Elastic Load Balancer linked to 2 nginx servers. Those servers link to a separate php-fpm server.

1 nginx server is disabled while I debug this.

Here is the error I get. I find it odd because I'm not actually using 10.0.0.94 anywhere (as far as I know). I'm using *.210 and *.248.

2013/03/27 14:33:10 [error] 2724#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.94, server: www.example.com, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://10.0.0.210:9001", host: "xxx.us-east-1.elb.amazonaws.com"

Edit: One thing I forgot to mention. Since php-fpm is a separate server, I read that I have to have the same files on it as on the nginx server. I don't have rsync or anything like that set up yet… I just uploaded a simple index.php to /var/www/html/example.com/index.php as a test.

Servers 1 and 2 (nginx)

nginx.conf

    # Run as a less privileged user for security reasons.
    user www www;

    worker_processes auto;

    events {
        worker_connections 1024;
    }

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    http {
        server_tokens off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;

        # How long to allow each connection to stay idle; longer values are better
        # for each individual client, particularly for SSL, but means that worker
        # connections are tied up longer. (Default: 65)
        keepalive_timeout 65;

        # Speed up file transfers by using sendfile() to copy directly
        # between descriptors rather than using read()/write().
        sendfile on;

        # Tell Nginx not to send out partial frames; this increases throughput
        # since TCP frames are filled up before being sent out. (adds TCP_CORK)
        tcp_nopush on;

        # Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which
        # collates several smaller packets together into one larger packet, thus saving
        # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
        tcp_nodelay off;

        gzip on;
        gzip_http_version 1.0;
        gzip_disable "msie6";
        gzip_comp_level 5;
        gzip_min_length 256;
        gzip_proxied any;
        gzip_vary on;
        gzip_types
            # text/html is always compressed by HttpGzipModule
            text/css
            text/plain
            text/x-component
            application/javascript
            application/json
            application/xml
            application/xhtml+xml
            application/x-font-ttf
            application/x-font-opentype
            application/vnd.ms-fontobject
            image/svg+xml
            image/x-icon;

        # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
        # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
        # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
        # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
        # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
        ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
        ssl_session_timeout 10m;

        # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
        # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
        # ssl_certificate /etc/nginx/default_ssl.crt;
        # ssl_certificate_key /etc/nginx/default_ssl.key;

        upstream php {
            # ip_hash;
            server 10.0.0.210:9001;
        }

        include sites-enabled/*;
    }

sites-enabled/example.com

    server {
        listen 80;
        server_name www.example.com;
        root /var/www/html/example.com;
        index index.html index.htm index.php;
        charset utf-8;

        error_page 404 /system/404.html;
        error_page 403 /system/404.html;

        location ~ \.php$ {
            fastcgi_index index.php;
            fastcgi_pass php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # fastcgi_intercept_errors on;
        }

        include conf/base.conf;
    }

    server {
        listen 80;
        server_name example.com;
        return 301 $scheme://www.example.com$request_uri;
    }

Server 3 (php-fpm)

php.ini

    cgi.fix_pathinfo = 0

php-fpm.conf

    ;;;;;;;;;;;;;;;;;;;;;
    ; FPM Configuration ;
    ;;;;;;;;;;;;;;;;;;;;;

    include=/etc/php-fpm.d/*.conf

    ;;;;;;;;;;;;;;;;;;
    ; Global Options ;
    ;;;;;;;;;;;;;;;;;;

    [global]
    pid = /var/run/php-fpm/php-fpm.pid
    error_log = /var/log/php-fpm/error.log
    emergency_restart_threshold = 5
    emergency_restart_interval = 2

/etc/php-fpm.d/www.conf

    [www]
    listen = 127.0.0.1:9001
    listen.allowed_clients = 10.0.0.248
    user = www
    group = www

    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 15
    pm.min_spare_servers = 5
    pm.max_spare_servers = 25

    request_terminate_timeout = 30
    slowlog = /var/log/php-fpm/www-slow.log
    security.limit_extensions = .php

    php_flag[display_errors] = off
    php_admin_value[error_reporting] = 0
    php_admin_value[error_log] = /var/log/php-fpm/www-error.log
    php_admin_flag[log_errors] = on
    php_admin_value[memory_limit] = 128M
    php_value[session.save_handler] = files
    php_value[session.save_path] = /var/lib/php/session

That's about all I have so far :| Slowly making progress… Thanks!

So here's your problem, in /etc/php-fpm.d/www.conf:

    listen = 127.0.0.1:9001

You're only listening on the loopback address, so you can't accept connections from the other servers in your VPC.

Change it to:

    listen = 9001

As for the "security audit", there really isn't enough information here to give you anything meaningful. Double-check your security groups.
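The answer turns on two properties of the pool file that are easy to check mechanically before restarting anything: whether `listen` is bound somewhere a remote nginx can actually reach, and whether every nginx host that will connect is in `listen.allowed_clients` (once the pool binds all interfaces, that list and the security group are what keep the FastCGI port from being open to the whole subnet). The linter below is an added example and is not part of the question or the answer; the sample pool files are constructed from the values posted above, and the assumption that 10.0.0.248 is the connecting nginx host is mine, taken from the `allowed_clients` line rather than stated in the thread.

```python
"""Lint a php-fpm pool config against the nginx upstream that must reach it.

Added example, not from the original question or answer. Checks:
  * listen bound to loopback (or a unix socket) -> unreachable from another host
  * listen port differs from the nginx upstream port
  * listen.allowed_clients empty, or missing one of the nginx hosts
"""
import ipaddress
import re

# Constructed from the pool file as posted, before and after the answer's fix.
WWW_CONF_BEFORE = """
[www]
listen = 127.0.0.1:9001
listen.allowed_clients = 10.0.0.248
user = www
group = www
"""

WWW_CONF_AFTER = """
[www]
listen = 9001
listen.allowed_clients = 10.0.0.248
user = www
group = www
"""

NGINX_UPSTREAM = "10.0.0.210:9001"   # the posted 'upstream php' server line
NGINX_HOSTS = ["10.0.0.248"]         # assumption: the nginx host(s) that will connect


def parse_pool(text):
    """Return {key: value} for a single php-fpm pool section ('key = value' lines)."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment in php-fpm files
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_listen(value):
    """Split a php-fpm 'listen' value into (address, port).

    php-fpm accepts 'port', 'addr:port', '[v6addr]:port' or a unix socket path.
    A bare port binds every interface, which we represent as 0.0.0.0.
    """
    if value.startswith("/"):
        return ("unix", None)
    if re.fullmatch(r"\d+", value):
        return ("0.0.0.0", int(value))
    m = re.fullmatch(r"\[?([^\]]+)\]?:(\d+)", value)
    if not m:
        raise ValueError("unparseable listen value: %r" % value)
    return (m.group(1), int(m.group(2)))


def lint_pool(text, upstream, nginx_hosts):
    """Return a list of findings for a pool that a remote nginx must reach."""
    conf = parse_pool(text)
    findings = []
    addr, port = parse_listen(conf.get("listen", ""))
    if addr == "unix":
        findings.append("listen is a unix socket; a remote nginx cannot connect to it")
        return findings
    if ipaddress.ip_address(addr).is_loopback:
        findings.append("listen is bound to loopback (%s); remote nginx hosts get "
                        "'connection refused'" % addr)
    up_port = int(upstream.rpartition(":")[2])
    if port != up_port:
        findings.append("listen port %d does not match nginx upstream %s" % (port, upstream))
    allowed = [a for a in re.split(r"[,\s]+", conf.get("listen.allowed_clients", "")) if a]
    if not allowed:
        findings.append("listen.allowed_clients is empty: any host that can reach port %d "
                        "can submit FastCGI requests" % port)
    for host in nginx_hosts:
        if host not in allowed:
            findings.append("nginx host %s is not in listen.allowed_clients (%s)"
                            % (host, ",".join(allowed) or "<none>"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", WWW_CONF_BEFORE), ("after", WWW_CONF_AFTER)):
        print(label, lint_pool(text, NGINX_UPSTREAM, NGINX_HOSTS) or ["ok"])
```

Run against the posted file the linter reports only the loopback binding; against the fixed file it reports nothing, because the port already matches the upstream and the one nginx host is already whitelisted. If the second nginx server is brought back, its address has to be added to `listen.allowed_clients` (and to the security group) or the linter, like php-fpm itself, will reject it.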