Posts by luncrzs

Sending a header with an empty value using cURL in PHP

The other party required an empty Authorization header to be sent. Testing showed that

curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: '));  // header is suppressed, not sent empty

has no effect: libcurl treats a header given as "Name:" with nothing after the colon as an instruction to remove that header from the request, not to send it with an empty value. After a long search I found a hack:

curl_setopt($ch, CURLOPT_HTTPHEADER, array("Authorization: \r\nAccept: */*"));  // CRLF: the next header rides on the same string

Attaching another header after the empty one makes it go through, because libcurl copies the whole string verbatim into the request. The documented way to get the same result is the form "Authorization;" (trailing semicolon, no colon), which libcurl sends as "Authorization:" with an empty value. Treat the \r\n version as what it is, header injection: it is harmless with a constant string, but must never be built from a value an outside party can influence.

Upgrading OpenSSH on CentOS 7

A security scan reported the server's OpenSSH as older than 7.7 with known vulnerabilities and asked for an upgrade, so the tinkering began. Two things before starting: keep the current SSH session open for the whole procedure (the running sshd keeps serving until the restart in step 8 and is the only way back in if the new build misbehaves), and note that the scanner matched on the version banner, so the check at the end is that the banner shows the new release.

1. Install the build dependencies

yum install -y pam pam-devel zlib zlib-devel gcc make

2. Back up the configuration file

cp /etc/ssh/sshd_config /root/sshd_config.bak

3. Remove the old openssl and openssh packages. [Note] Once openssl is removed, sudo fails, so log in as root beforehand. Also fetch the tarballs of step 4 before running this: without openssl, wget and curl cannot do HTTPS and yum stops working until the new libraries are installed.

rpm -e --nodeps `rpm -qa|grep openss` 

4. Download the new openssl and openssh
Download a 1.0.x release of openssl (the .so.10 symlinks in step 5 expect the 1.0 ABI)
Download the latest release of openssh

5. Install openssl

unzip openssl_XXXX.zip
cd openssl_XXXX
./config --prefix=/usr --shared && make && make install
# CentOS binaries (yum's python, curl, ...) are linked against the .so.10 soname;
# point it at the freshly built 1.0.x libraries so they work again
ln -s /usr/lib64/libcrypto.so.1.0.0  /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0  /usr/lib64/libssl.so.10
# directories need the execute bit to be traversable, so 644 must only go on files
find /usr/ssl -type d -exec chmod 755 {} + && find /usr/ssl -type f -exec chmod 644 {} +

6. Upgrade openssh

cp -R /etc/ssh/ /root/ssh-bak                  # second backup, host keys included
tar -zxvf openssh_XXX.tar.gz
cd openssh_XXX
# --with-pam is what makes the /etc/pam.d/sshd file of step 7 take effect (sshd_config has UsePAM yes)
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install                           # also generates any host keys that are missing
cp /root/sshd_config.bak /etc/ssh/sshd_config
# the rpm's systemd unit went with the package; systemd picks this SysV script up instead
# (run systemctl daemon-reload if systemctl does not see the sshd unit)
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig sshd on
# sshd refuses host keys that are readable by anyone else
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

7. Write the following into /etc/pam.d/sshd (the packaged file was removed together with openssh-server in step 3; this is modelled on the CentOS 7 stock file)

auth required pam_sepermit.so 
auth include password-auth 
account required pam_nologin.so 
account include password-auth 
password include password-auth 
# pam_selinux.so close should be the first session rule 
session required pam_selinux.so close 
session required pam_loginuid.so 
# pam_selinux.so open should only be followed by sessions to be executed in the user context 
session required pam_selinux.so open env_params 
session optional pam_keyinit.so force revoke 
session include password-auth

8. Restart sshd. Run the new binary's syntax check first (/usr/sbin/sshd -t) and, if it fails, restore the backups from steps 2 and 6 before restarting; only the still-open session stands between a bad config and a locked-out server. Afterwards confirm that the banner (ssh -V, or the SSH-2.0-OpenSSH_x.y line a client sees) shows the new release, since that is what the scanner matched on.

systemctl restart sshd
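The checks described in step 8, as an added example that is not part of the original post: it validates the configuration with the new binary, starts a throwaway sshd on an alternate port, reads the banner that instance sends and compares the version against the scanner's 7.7 threshold. It assumes the new sshd is /usr/sbin/sshd, the config is /etc/ssh/sshd_config and TCP port 2222 is free; the banner strings in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: checks to run before and
# after "systemctl restart sshd" so a broken build cannot lock you out.
# Assumptions: the new sshd is /usr/sbin/sshd, the config is
# /etc/ssh/sshd_config, and TCP port 2222 is free for a throwaway instance.

# Parse the version out of a banner or "ssh -V" line such as
# "SSH-2.0-OpenSSH_7.4" or "OpenSSH_7.9p1, OpenSSL 1.0.2q"; prints "MAJOR MINOR".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the banner's version is at least the required "MAJOR.MINOR"
# (the scanner's threshold was 7.7); an unparseable banner fails the check.
openssh_at_least() {
    banner=$1 required=$2
    set -- $(openssh_version "$banner")
    [ $# -eq 2 ] || return 1
    need_major=${required%%.*} need_minor=${required#*.}
    [ "$1" -gt "$need_major" ] && return 0
    [ "$1" -eq "$need_major" ] && [ "$2" -ge "$need_minor" ]
}

# Pre-restart test: validate the config with the new binary, start a second
# sshd on an alternate port, read the banner it sends, then kill it.
# Log in through that port from another terminal before restarting the real one.
sshd_preflight() {
    port=${1:-2222}
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config || return 1      # config and host keys OK?
    # PidFile=none keeps the test instance from clobbering the live sshd's pid file
    /usr/sbin/sshd -D -p "$port" -f /etc/ssh/sshd_config -o PidFile=none &
    pid=$!
    sleep 1
    exec 3<>"/dev/tcp/127.0.0.1/$port"   # bash builtin TCP client; the server speaks first
    IFS= read -r banner <&3
    exec 3>&-
    kill "$pid" 2>/dev/null
    printf 'test instance banner: %s\n' "$banner"
    openssh_at_least "$banner" 7.7
}

# Usage, as root, after "make install" and before step 8:
#   sshd_preflight 2222 && systemctl restart sshd
```

With SELinux enforcing and a confined sshd, binding the test port may additionally need semanage port -a -t ssh_port_t -p tcp 2222; from an unconfined root shell it is allowed. The version comparison deliberately fails on a banner it cannot parse, so a sshd that starts but identifies itself unexpectedly does not pass.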

Directory labels for httpd under SELinux

Make a directory readable by httpd. chcon changes the label on the inode only; a relabel or restorecon puts the policy default back, so anything permanent also needs a rule recorded with semanage fcontext.

chcon -Rt httpd_sys_content_t /PATH_TO_DIR

Make a directory writable by httpd. public_content_rw_t plus the httpd_anon_write boolean (allow_httpd_anon_write is its older alias) is the broad option; httpd_sys_rw_content_t is specific to httpd and needs no boolean.

chcon -Rt public_content_rw_t /PATH_TO_DIR
setsebool -P allow_httpd_anon_write=1

Check the labels (the third field of the context, e.g. httpd_sys_content_t, is the type that matters)

ll -Z    # ll is the CentOS alias for ls -l
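A persistent version of the labelling above, as an added example that is not from the original post: it records a file-context rule so the label survives restorecon and relabels, applies it, and verifies the resulting type. It assumes semanage (package policycoreutils-python) is installed and that /PATH_TO_DIR stands for a real directory such as /var/www/app; the context strings in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. chcon rewrites the label on
# the inode only; restorecon or a relabel on boot puts the policy default back.
# This records a file-context rule so the label is permanent, applies it, and
# verifies it. Assumes semanage (policycoreutils-python) is installed;
# /PATH_TO_DIR in the post stands for a real directory, e.g. /var/www/app.

# Extract the type from a context such as "system_u:object_r:httpd_sys_content_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Persistently label a directory tree for httpd. Default is read-only
# content; pass httpd_sys_rw_content_t for a directory httpd must write to
# (uploads, cache). That type needs no boolean, unlike the post's
# public_content_rw_t + httpd_anon_write combination.
label_web_dir() {
    dir=${1%/} type=${2:-httpd_sys_content_t}
    # -a fails if a rule for this path exists already; fall back to -m (modify)
    semanage fcontext -a -t "$type" "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$type" "${dir}(/.*)?"
    restorecon -Rv "$dir"                 # apply the recorded rule now
}

# Return 0 if the directory currently carries the expected type.
check_web_dir() {
    [ "$(context_type "$(stat -c %C "$1")")" = "$2" ]
}

# Usage:
#   label_web_dir /var/www/app
#   label_web_dir /var/www/app/uploads httpd_sys_rw_content_t
#   check_web_dir /var/www/app/uploads httpd_sys_rw_content_t && echo labeled
```

Keep the writable label on the smallest directory that needs it (an uploads or cache directory, not the whole web root), so a file-write bug in the application cannot turn into a modified PHP script that httpd will also execute.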

Installing Nginx on CentOS 7

Install dependencies

yum install -y pcre pcre-devel zlib zlib-devel openssl openssl-devel

Download the source and build it. 1.15.8 was current when this was written; take the current stable release instead. As written, the configure line builds without TLS support: add --with-http_ssl_module (this is what openssl-devel above is for) if the server is to serve HTTPS. The www user it names is created in the PHP section below and must exist before nginx is started.

wget https://nginx.org/download/nginx-1.15.8.tar.gz
tar -xzvf nginx-1.15.8.tar.gz
cd nginx-1.15.8
./configure --user=www --group=www
make && make install

Edit the Nginx configuration

mkdir /usr/local/nginx/conf/servers
vim /usr/local/nginx/conf/nginx.conf

Add at the end of the http block (each site then gets its own file under servers/)

include servers/*.conf;

Set PATH

echo "export PATH=\$PATH:/usr/local/nginx/sbin" >> /etc/profile
source /etc/profile

Start at boot

echo "/usr/local/nginx/sbin/nginx" >> /etc/rc.local
chmod +x /etc/rc.local

Start, stop and reload Nginx

nginx              # start
nginx -s stop      # fast shutdown
nginx -s quit      # graceful shutdown: finish in-flight requests first
nginx -s reload    # re-read the configuration; run nginx -t beforehand
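A site file for the servers/ directory that the include line above picks up, as an added example that is not part of the original post. It hands only .php files that exist on disk to PHP-FPM over the unix socket set up in the PHP section further down this page, and activates the file only if nginx -t passes. Assumed paths: nginx under /usr/local/nginx, the socket at /var/run/php-fpm.sock, and a document root passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: write a server block into the
# servers/ directory the include line above picks up, hand only real .php files
# to PHP-FPM over the unix socket configured in the PHP section below, and
# check the result with nginx -t before reloading. Assumed paths: nginx under
# /usr/local/nginx, web root given as $2, socket /var/run/php-fpm.sock.

NGINX_CONF_DIR=${NGINX_CONF_DIR:-/usr/local/nginx/conf}
PHP_FPM_SOCK=${PHP_FPM_SOCK:-/var/run/php-fpm.sock}

# write_vhost OUTFILE DOCROOT SERVER_NAME
write_vhost() {
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $3;
    root $2;
    index index.php index.html;

    location / {
        try_files \$uri \$uri/ =404;
    }

    # Pass only scripts that exist on disk. Together with cgi.fix_pathinfo=0
    # this stops /uploads/img.jpg/x.php from being executed as img.jpg.
    location ~ \\.php\$ {
        try_files \$uri =404;
        fastcgi_pass unix:$PHP_FPM_SOCK;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\\. { deny all; }    # dotfiles: .git, .env, .htaccess
}
EOF
}

# Install the vhost and activate it only if the full config parses.
install_vhost() {
    mkdir -p "$NGINX_CONF_DIR/servers"
    write_vhost "$NGINX_CONF_DIR/servers/$1.conf" "$2" "$1"
    nginx -t && nginx -s reload
}

# Usage:  install_vhost example.com /var/www/example
```

The nginx worker user (--user=www above) must match listen.owner/listen.group in the PHP-FPM pool, otherwise the connection to the socket is refused with permission denied.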

Installing PHP 7 on CentOS 7

Install the base dependencies

yum -y install wget vim pcre pcre-devel openssl openssl-devel libicu-devel gcc gcc-c++ cmake3 autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel ncurses ncurses-devel curl curl-devel krb5-devel libidn libidn-devel openldap openldap-devel nss_ldap jemalloc-devel cmake boost-devel bison automake libevent libevent-devel gd gd-devel libtool* libmcrypt libmcrypt-devel mcrypt mhash libxslt libxslt-devel readline readline-devel gmp gmp-devel libcurl libcurl-devel openjpeg-devel  

Download the dependency sources

wget http://www.tortall.net/projects/yasm/releases/yasm-1.3.0.tar.gz
wget https://sourceforge.net/projects/mcrypt/files/Libmcrypt/2.5.8/libmcrypt-2.5.8.tar.gz/download -O libmcrypt-2.5.8.tar.gz
wget http://download.osgeo.org/libtiff/tiff-4.0.9.tar.gz
wget https://nchc.dl.sourceforge.net/project/libpng/libpng16/1.6.35/libpng-1.6.35.tar.gz
wget http://ring.u-toyama.ac.jp/archives/graphics/freetype/freetype2/freetype-2.7.1.tar.gz
wget http://www.ijg.org/files/jpegsrc.v9a.tar.gz
wget https://github.com/libgd/libgd/releases/download/gd-2.2.5/libgd-2.2.5.tar.gz
wget https://libzip.org/download/libzip-1.5.1.tar.gz

Extract (tar takes one archive per invocation; extra arguments are treated as member names)

for f in *.tar.gz; do tar -xzvf "$f"; done

Build (in each extracted directory)

./configure --enable-shared
make && make install

libgd is configured as follows. The --with-* paths assume each library was configured with a matching --prefix (e.g. --prefix=/usr/local/jpeg); with the plain ./configure --enable-shared shown above they land under /usr/local instead, and libwebp is not among the downloads, so adjust the paths to what was actually installed.

./configure --prefix=/usr/local/libgd --enable-shared --with-jpeg=/usr/local/jpeg --with-png=/usr/local/libpng --with-freetype=/usr/local/freetype --with-fontconfig=/usr/local/freetype --with-xpm=/usr/ --with-tiff=/usr/local/tiff --with-webp=/usr/local/libwebp/
make && make install

libzip is built with

mkdir build && cd build && cmake3 .. && make && make install

Preparation for the PHP install

mkdir /usr/local/php
useradd -s /sbin/nologin www

Download and build PHP. 7.3.1 was current at the time; use a release that still receives security fixes.

wget http://cn2.php.net/distributions/php-7.3.1.tar.gz
tar -xzvf php-7.3.1.tar.gz
cd php-7.3.1
./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --with-pdo-mysql=mysqlnd --with-gd --with-iconv --with-zlib --enable-xml --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --enable-mbregex --enable-fpm --enable-mbstring --enable-ftp --with-openssl --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --without-pear --with-gettext --enable-session --with-curl --with-jpeg-dir --with-freetype-dir --enable-opcache --with-fpm-user=www --with-fpm-group=www
make -j2 && make install
# php.ini must live in --with-config-file-path, otherwise the edits below are never read
cp php.ini-production /usr/local/php/etc/php.ini
cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
cp /usr/local/php/etc/php-fpm.d/www.conf.default /usr/local/php/etc/php-fpm.d/www.conf
cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm
chmod +x /etc/init.d/php-fpm

Set PATH

echo "export PATH=\$PATH:/usr/local/php/bin:/usr/local/php/sbin" >> /etc/profile
source /etc/profile

Hardening

vim /usr/local/php/etc/php.ini

Change the following. The disable_functions list is the original with the typos (popepassthru, dll) and duplicates removed and with exec and shell_exec added: without them the list blocks passthru and system but leaves the two most common command-execution functions available. Be aware that it also disables scandir, symlink and readlink, which many frameworks and Composer-based applications use, and escapeshellcmd, which is a sanitiser rather than an execution function.

cgi.fix_pathinfo=0
disable_functions=exec,shell_exec,passthru,system,chroot,scandir,chgrp,chown,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server,escapeshellcmd,popen,disk_free_space,checkdnsrr,getservbyname,getservbyport,disk_total_space,posix_ctermid,posix_get_last_error,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname
date.timezone = PRC
expose_php = Off
short_open_tag = On

vim /usr/local/php/etc/php-fpm.d/www.conf

Change the following settings

listen = /var/run/php-fpm.sock      ; php-fpm takes a bare path; the unix: prefix belongs in nginx's fastcgi_pass
listen.owner = www
listen.group = www
listen.mode = 0660                  ; only the www user/group (the nginx workers) may connect

vim /usr/local/php/etc/php-fpm.conf

Change the following setting

daemonize = yes

Enable at boot

chkconfig php-fpm on

Start and stop PHP-FPM

service php-fpm start
service php-fpm stop
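An audit of the php.ini settings from the hardening step above, as an added example that is not part of the original post: it reads directives the way PHP does (last uncommented occurrence wins), checks expose_php and cgi.fix_pathinfo, and reports which command-execution functions are missing from disable_functions. The ini path is passed in; the sample file written by write_sample_ini is constructed for the demonstration and deliberately omits exec and shell_exec, as the original list did.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit a php.ini for the
# settings the hardening step above changes, and for the command-execution
# functions that the post's disable_functions list leaves out (exec,
# shell_exec). Assumes the ini path is passed in; the sample file written
# by write_sample_ini is constructed for the demonstration.

# php_ini_get FILE DIRECTIVE: print the last uncommented value (PHP keeps the last one).
php_ini_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# disabled_covers FILE fn1,fn2,...: succeed only if every listed function is
# in disable_functions; names the missing ones on stderr.
disabled_covers() {
    list=$(php_ini_get "$1" disable_functions | tr -d ' ')
    missing=
    for fn in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$list," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    [ -z "$missing" ] || { printf 'not in disable_functions:%s\n' "$missing" >&2; return 1; }
}

# audit_php_ini FILE: the checks implied by this section; 0 only if all pass.
audit_php_ini() {
    rc=0
    [ "$(php_ini_get "$1" expose_php)" = Off ]     || { echo 'expose_php should be Off' >&2; rc=1; }
    [ "$(php_ini_get "$1" cgi.fix_pathinfo)" = 0 ] || { echo 'cgi.fix_pathinfo should be 0' >&2; rc=1; }
    disabled_covers "$1" exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec || rc=1
    return $rc
}

# Constructed sample: the post's settings with a shortened disable_functions
# list that, like the original, never mentions exec or shell_exec.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed php.ini excerpt
expose_php = Off
cgi.fix_pathinfo=0
short_open_tag = On
disable_functions=passthru,system,chroot,proc_open, ini_alter,dl,popen
EOF
}

# Usage:  audit_php_ini /usr/local/php/etc/php.ini
```

Run it against the file PHP actually loads (php --ini shows the path) rather than the copy you edited; the two differ exactly when php.ini was copied outside --with-config-file-path, which is the mistake in the original install steps.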

Reference

https://www.cnblogs.com/Anwar/p/9744576.html