Notes on the pitfalls of deploying nginx and php-fpm on separate servers

0x00 Motivation

This started with setting up a PHP 7.0.28 environment for a CTF to reproduce the opcache getshell (plus a combined Node.js and MongoDB environment). Being green enough that I had to force myself through some Docker manuals and tutorials, I am recording the setup process here; this post is fairly lightweight, so experienced readers need not read on.

0x01 Image

The official PHP images come in three flavours: cli, fpm and apache. Since php.ini has to be edited to meet the requirements, I chose fpm and paired it with nginx.
Pull the image with docker pull php:7.0-fpm, or build it from the official Dockerfile.
The image then shows up in the local image list with REPOSITORY php and tag 7.0-fpm.
From the working directory, start the container with:

    docker run -p 9000:9000 --name myphp-fpm -v $PWD/html:/var/www/html -v $PWD/conf:/usr/local/etc/php -v $PWD/logs:/phplogs -d php:7.0-fpm

  • -p 9000:9000 : maps the container's port 9000 to port 9000 on the host. Note that this publishes fpm on every host interface; restrict it (for example -p 127.0.0.1:9000:9000) or drop it when nginx reaches the container IP directly, as the config below does.
  • --name myphp-fpm : names the container myphp-fpm
  • -v $PWD/html:/var/www/html : mounts the html directory under the current host directory as the container's html directory
  • -v $PWD/conf:/usr/local/etc/php : mounts the conf directory under the current host directory at /usr/local/etc/php in the container
  • -v $PWD/logs:/phplogs : mounts the logs directory under the current host directory at /phplogs in the container

Afterwards, docker ps shows the container's status.

0x02 Environment

Once the container is up, fpm is ready.
Edit the nginx site config under sites-available:

    location ~ \.php$ {
        #include snippets/fastcgi-php.conf;
        root          /var/www/html;
        fastcgi_index index.php;
        fastcgi_pass  172.17.0.2:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }

In fastcgi_pass, fill in the container's IP and port; the IP can be looked up with docker inspect name.
Create index.php under the html folder with a phpinfo() call.
Copy a php.ini into the conf folder.
Restart fpm, i.e. restart the container with docker container restart name.
Note: if fpm fails to start, check the logs with docker logs name; if the server misbehaves, consult the error log, or enter the container with docker exec -it id /bin/bash.

After the restart, phpinfo shows the current settings; next, configure opcache.
Remove the leading ; from the relevant lines in php.ini (an example is appended at the end) and add the zend_extension line.
Note that the directory opcache.file_cache points to must exist and be readable and writable.
Restart the container again; phpinfo should now show opcache as enabled.

Also, for a composite environment built on the microservice model, see refer 2.

If nginx is not configured completely, it checks locally whether the requested file exists before forwarding the request to fpm; if most paths come back 404, check that the nginx config matches the one above. The configuration follows the principle of nginx and php-fpm being deployed on different servers: dynamic files live on the fpm server and static files on the nginx server. A simpler approach is to mount the local www directory as fpm's www directory.
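As an added check (not code from the post), the following Python script runs the two sanity checks the text above describes: that the nginx location block still carries every directive the post relies on, and that the php.ini opcache lines are uncommented, zend_extension is set, and the opcache.file_cache directory exists and is writable. The embedded samples are constructed from the post's snippets; parse_ini, check_nginx and check_opcache are hypothetical helper names.

```python
import os
import re
# Constructed samples mirroring the post's snippets; not read from a live host.
NGINX_LOCATION = r"""
location ~ \.php$ {
    root /var/www/html;
    fastcgi_pass 172.17.0.2:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
"""
SAMPLE_INI = """
zend_extension = /usr/local/lib/php/extensions/no-debug-non-zts-20151012/opcache.so
opcache.enable=1
opcache.file_cache='/tmp/cache'
"""
# Directives the post's block must carry; a leading '#' makes the line fail the match.
REQUIRED_NGINX = {
    "root": r"^\s*root\s+\S+;",
    "fastcgi_pass": r"^\s*fastcgi_pass\s+\S+;",
    "SCRIPT_FILENAME": r"^\s*fastcgi_param\s+SCRIPT_FILENAME\s+\$document_root\$fastcgi_script_name;",
    "fastcgi_params": r"^\s*include\s+fastcgi_params;",
}
def check_nginx(block):
    """Names of required directives that are missing or commented out."""
    return [n for n, p in REQUIRED_NGINX.items() if not re.search(p, block, re.M)]

def parse_ini(text):
    """Minimal php.ini reader: drops [sections] and ';' comments; last value wins."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # values containing ';' are not handled
        if line and not line.startswith("[") and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip().strip("'\"")
    return values

def check_opcache(ini_text, dir_ok=None):
    """What would stop OPcache loading as described; dir_ok is injectable for tests."""
    dir_ok = dir_ok or (lambda p: os.path.isdir(p) and os.access(p, os.W_OK))
    v, problems = parse_ini(ini_text), []
    if not v.get("zend_extension"):
        problems.append("zend_extension not set")
    if v.get("opcache.enable") != "1":
        problems.append("opcache.enable must be 1 (is the leading ';' removed?)")
    cache = v.get("opcache.file_cache", "")
    if cache and not dir_ok(cache):
        problems.append("opcache.file_cache dir missing or not writable: " + cache)
    return problems
```

Run check_opcache against the conf/php.ini you copied into the container and check_nginx against the location block from sites-available; an empty list means the setting matches what the post needs.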

References:
1. http://www.runoob.com/docker/docker-install-php.html
2. http://www.ruanyifeng.com/blog/2018/02/docker-wordpress-tutorial.html
3. http://www.cnblogs.com/fansik/p/6635813.html

Appendix (php.ini opcache section):
; Determines if Zend OPCache is enabled
opcache.enable=1

; Determines if Zend OPCache is enabled for the CLI version of PHP
opcache.enable_cli=0

zend_extension = /usr/local/lib/php/extensions/no-debug-non-zts-20151012/opcache.so
; The OPcache shared memory storage size.
opcache.memory_consumption=64

; The amount of memory for interned strings in Mbytes.
opcache.interned_strings_buffer=4

; The maximum number of keys (scripts) in the OPcache hash table.
; Only numbers between 200 and 1000000 are allowed.
opcache.max_accelerated_files=2000

; The maximum percentage of "wasted" memory until a restart is scheduled.
opcache.max_wasted_percentage=5

; When this directive is enabled, the OPcache appends the current working
; directory to the script key, thus eliminating possible collisions between
; files with the same name (basename). Disabling the directive improves
; performance, but may break existing applications.
opcache.use_cwd=1

; When disabled, you must reset the OPcache manually or restart the
; webserver for changes to the filesystem to take effect.
opcache.validate_timestamps=1

; How often (in seconds) to check file timestamps for changes to the shared
; memory storage allocation. ("1" means validate once per second, but only
; once per request. "0" means always validate)
opcache.revalidate_freq=2

; Enables or disables file search in include_path optimization
opcache.revalidate_path=0

; If disabled, all PHPDoc comments are dropped from the code to reduce the
; size of the optimized code.
opcache.save_comments=1

; If enabled, a fast shutdown sequence is used for the accelerated code
; Depending on the used Memory Manager this may cause some incompatibilities.
opcache.fast_shutdown=0

; Allow file existence override (file_exists, etc.) performance feature.
opcache.enable_file_override=0

; A bitmask, where each bit enables or disables the appropriate OPcache
; passes
opcache.optimization_level=0x7FFFBFFF

opcache.inherited_hack=1
opcache.dups_fix=0

; The location of the OPcache blacklist file (wildcards allowed).
; Each OPcache blacklist file is a text file that holds the names of files
; that should not be accelerated. The file format is to add each filename
; to a new line. The filename may be a full path or just a file prefix
; (i.e., /var/www/x  blacklists all the files and directories in /var/www
; that start with 'x'). Line starting with a ; are ignored (comments).
opcache.blacklist_filename=

; Allows exclusion of large files from being cached. By default all files
; are cached.
opcache.max_file_size=0

; Check the cache checksum each N requests.
; The default value of "0" means that the checks are disabled.
opcache.consistency_checks=1

; How long to wait (in seconds) for a scheduled restart to begin if the cache
; is not being accessed.
opcache.force_restart_timeout=180

; OPcache error_log file name. Empty string assumes "stderr".
opcache.error_log=

; All OPcache errors go to the Web server log.
; By default, only fatal errors (level 0) or errors (level 1) are logged.
; You can also enable warnings (level 2), info messages (level 3) or
; debug messages (level 4).
opcache.log_verbosity_level=1

; Preferred Shared Memory back-end. Leave empty and let the system decide.
opcache.preferred_memory_model=

; Protect the shared memory from unexpected writing during script execution.
; Useful for internal debugging only.
opcache.protect_memory=0

; Allows calling OPcache API functions only from PHP scripts which path is
; started from specified string. The default "" means no restriction
opcache.restrict_api=

; Mapping base of shared memory segments (for Windows only). All the PHP
; processes have to map shared memory into the same address space. This
; directive allows to manually fix the "Unable to reattach to base address"
; errors.
;opcache.mmap_base=

; Enables and sets the second level cache directory.
; It should improve performance when SHM memory is full, at server restart or
; SHM reset. The default "" disables file based caching.
opcache.file_cache='/tmp/cache'

; Enables or disables opcode caching in shared memory.
opcache.file_cache_only=1

; Enables or disables checksum validation when script loaded from file cache.
opcache.file_cache_consistency_checks=1

; Implies opcache.file_cache_only=1 for a certain process that failed to
; reattach to the shared memory (for Windows only). Explicitly enabled file
; cache is required.
;opcache.file_cache_fallback=1

; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
; This should improve performance, but requires appropriate OS configuration.
opcache.huge_code_pages=0

; Validate cached file permissions.
opcache.validate_permission=0

; Prevent name collisions in chroot'ed environment.
opcache.validate_root=0
Author: xmsec