Write the Code. Change the World.

Apr 21

PHP official site: https://php.net/downloads.php

The Nginx official site offers three kinds of versions.

  1. Mainline version: the version Nginx currently focuses its development on; effectively the development release
  2. Stable version: the latest stable release, recommended for production
  3. Legacy versions: older stable releases

Open the download page, choose a suitable version (the latest at the moment is 7.3.4) and go to the mirror page. Find the matching mirror address, enter the directory where the source will be kept and start the download.

cd /usr/local/src

wget http://cn2.php.net/distributions/php-7.3.4.tar.gz

tar -xzvf php-7.3.4.tar.gz

Let it download for now.

Prepare the build environment

yum install curl-devel

yum install  libxml2-devel

yum install  libjpeg-devel

yum install  libpng-devel

yum install freetype-devel

yum install libxslt-devel

libzip has to be built and installed from source; otherwise the version is too old and PHP 7.3.4 won't get through configure. It was already installed when setting up nginx, though, so nothing more to do here.

Install

cd /usr/local/src/php-7.3.4

./configure --prefix=/alidata/service/php \
--with-config-file-path=/alidata/service/php/etc \
--with-config-file-scan-dir=/alidata/service/php/etc/php.d \
--with-fpm-user=www \
--with-fpm-group=www \
--with-curl \
--with-freetype-dir \
--with-gd \
--with-gettext \
--with-iconv-dir \
--with-kerberos \
--with-libdir=lib64 \
--with-libxml-dir \
--with-mysqli \
--with-openssl \
--with-pcre-regex \
--with-pdo-mysql \
--with-pdo-sqlite \
--with-pear \
--with-png-dir \
--with-jpeg-dir \
--with-xmlrpc \
--with-xsl \
--with-zlib \
--with-bz2 \
--with-mhash \
--enable-fpm \
--enable-bcmath \
--enable-libxml \
--enable-inline-optimization \
--enable-mbregex \
--enable-mbstring \
--enable-opcache \
--enable-pcntl \
--enable-shmop \
--enable-soap \
--enable-sockets \
--enable-sysvsem \
--enable-sysvshm \
--enable-xml \
--enable-zip

If you get: configure: error: Cannot find OpenSSL's libraries, then libssl.so wasn't found and we need to fix that.

find / -name libssl.so

# output
# /usr/local/openssl/lib/libssl.so
# create a symlink, then run configure for PHP again
ln -s /usr/local/openssl/lib/libssl.so /usr/lib

If the error still shows up, openssl-devel is probably missing; install it with yum.

yum install openssl-devel

For other errors about missing modules, install them with yum.

Repeat until it says Thank you for using PHP, then:

make && make install

After the build completes you can run make test to check it.

The check turned up several bugs.

Number of tests : 16250             12978
Tests skipped   : 3272 ( 20.1%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    4 (  0.0%) (  0.0%)
Expected fail   :   36 (  0.2%) (  0.3%)
Tests passed    : 12938 ( 79.6%) ( 99.7%)
---------------------------------------------------------------------
Time taken      :  777 seconds
=====================================================================

=====================================================================
EXPECTED FAILED TEST SUMMARY
---------------------------------------------------------------------
Test open_basedir configuration [tests/security/open_basedir_linkinfo.phpt]  XFAIL REASON: BUG: open_basedir cannot delete symlink to prohibited file. See also
bugs 48111 and 52176.
Inconsistencies when accessing protected members [Zend/tests/access_modifiers_008.phpt]  XFAIL REASON: Discussion: http://marc.info/?l=php-internals&m=120221184420957&w=2
Inconsistencies when accessing protected members - 2 [Zend/tests/access_modifiers_009.phpt]  XFAIL REASON: Discussion: http://marc.info/?l=php-internals&m=120221184420957&w=2
Bug #48770 (call_user_func_array() fails to call parent from inheriting class) [Zend/tests/bug48770.phpt]  XFAIL REASON: See Bug #48770
Bug #48770 (call_user_func_array() fails to call parent from inheriting class) [Zend/tests/bug48770_2.phpt]  XFAIL REASON: See Bug #48770
Bug #48770 (call_user_func_array() fails to call parent from inheriting class) [Zend/tests/bug48770_3.phpt]  XFAIL REASON: See Bug #48770
Initial value of static var in method depends on the include time of the class definition [Zend/tests/method_static_var.phpt]  XFAIL REASON: Maybe not a bug
DateTime::add() -- fall type2 type3 [ext/date/tests/DateTime_add-fall-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::add() -- fall type3 type2 [ext/date/tests/DateTime_add-fall-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::add() -- fall type3 type3 [ext/date/tests/DateTime_add-fall-type3-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::add() -- spring type2 type3 [ext/date/tests/DateTime_add-spring-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::add() -- spring type3 type2 [ext/date/tests/DateTime_add-spring-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::add() -- spring type3 type3 [ext/date/tests/DateTime_add-spring-type3-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- fall type2 type3 [ext/date/tests/DateTime_diff-fall-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- fall type3 type2 [ext/date/tests/DateTime_diff-fall-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- fall type3 type3 [ext/date/tests/DateTime_diff-fall-type3-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- spring type2 type3 [ext/date/tests/DateTime_diff-spring-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- spring type3 type2 [ext/date/tests/DateTime_diff-spring-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::diff() -- spring type3 type3 [ext/date/tests/DateTime_diff-spring-type3-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- fall type2 type3 [ext/date/tests/DateTime_sub-fall-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- fall type3 type2 [ext/date/tests/DateTime_sub-fall-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- fall type3 type3 [ext/date/tests/DateTime_sub-fall-type3-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- spring type2 type3 [ext/date/tests/DateTime_sub-spring-type2-type3.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- spring type3 type2 [ext/date/tests/DateTime_sub-spring-type3-type2.phpt]  XFAIL REASON: Various bugs exist
DateTime::sub() -- spring type3 type3 [ext/date/tests/DateTime_sub-spring-type3-type3.phpt]  XFAIL REASON: Various bugs exist
Bug #52480 (Incorrect difference using DateInterval) [ext/date/tests/bug52480.phpt]  XFAIL REASON: See https://bugs.php.net/bug.php?id=52480
RFC: DateTime and Daylight Saving Time Transitions (zone type 3, bd2) [ext/date/tests/rfc-datetime_and_daylight_saving_time-type3-bd2.phpt]  XFAIL REASON: Still not quite right
RFC: DateTime and Daylight Saving Time Transitions (zone type 3, fs) [ext/date/tests/rfc-datetime_and_daylight_saving_time-type3-fs.phpt]  XFAIL REASON: Still not quite right
Bug #42718 (unsafe_raw filter not applied when configured as default filter) [ext/filter/tests/bug42718.phpt]  XFAIL REASON: FILTER_UNSAFE_RAW not applied when configured as default filter, even with flags
Bug #67296 (filter_input doesn't validate variables) [ext/filter/tests/bug49184.phpt]  XFAIL REASON: See Bug #49184
Bug #67167: filter_var(null,FILTER_VALIDATE_BOOLEAN,FILTER_NULL_ON_FAILURE) returns null [ext/filter/tests/bug67167.02.phpt]  XFAIL REASON: Requires php_zval_filter to not use convert_to_string for all filters.
via [ext/pdo_sqlite/tests/common.phpt]
    SQLite PDO Common: PDOStatement::getColumnMeta [ext/pdo_sqlite/tests/pdo_022.phpt]  XFAIL REASON: This feature is not yet finalized, no test makes sense
Phar: bug #69958: Segfault in Phar::convertToData on invalid file [ext/phar/tests/bug69958.phpt]  XFAIL REASON: Still has memory leaks, see https://bugs.php.net/bug.php?id=70005
updateTimestamp never called when session data is empty [ext/session/tests/bug71162.phpt]  XFAIL REASON: Current session module is designed to write empty session always. In addition, current session module only supports SessionHandlerInterface only from PHP 7.0.
Bug #73529 session_decode() silently fails on wrong input [ext/session/tests/bug73529.phpt]  XFAIL REASON: session_decode() does not return proper status.
Bug #70219 Use after free vulnerability in session deserializer [ext/standard/tests/serialize/bug70219.phpt]  XFAIL REASON: Unfinished merge, needs fix.
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #64267 (CURLOPT_INFILE doesn't allow reset) [ext/curl/tests/bug64267.phpt]
Bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec) [ext/curl/tests/bug71523.phpt]
stream context tcp_nodelay fopen [ext/standard/tests/streams/stream_context_tcp_nodelay_fopen.phpt]
ZipArchive::setEncryption*() functions [ext/zip/tests/oo_encryption.phpt]
=====================================================================

You may have found a problem in PHP.
This report can be automatically sent to the PHP QA team at
http://qa.php.net/reports and http://news.php.net/php.qa.reports
This gives us a better understanding of PHP's behavior.
If you don't want to send the report immediately you can choose
option "s" to save it.  You can then email it to qa-reports@lists.php.net later.
Do you want to send this report now? [Yns]: 

Those still need fixing.

Configure the environment variables.

To run a command from any location in the terminal, you need to set up the environment variable, just like on Windows. On Linux, simply edit /etc/profile and source it.

vi /etc/profile

Append at the end

PATH=$PATH:/alidata/service/php/bin
export PATH

Save, then source it

source /etc/profile
echo $PATH  # the configured PATH is now visible
php -v      # show PHP version information

Right after installation you won't find php-fpm.conf, www.conf or php.ini. These important files do exist: the first two just have .default appended to their names, and the third is in the root of the source package, in two variants, php.ini-development and php.ini-production. Now that we know where they are, we only need to copy them over. Mind the destination path (matching --with-config-file-path) and the file names.

Put the files in place.

cp /alidata/service/php/etc/php-fpm.conf.default  /alidata/service/php/etc/php-fpm.conf
cp /alidata/service/php/etc/php-fpm.d/www.conf.default /alidata/service/php/etc/php-fpm.d/www.conf

cp /usr/local/src/php-7.3.4/php.ini-production  /alidata/service/php/etc/php.ini

cp /usr/local/src/php-7.3.4/sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm

chmod +x /etc/init.d/php-fpm

chkconfig --add php-fpm  # start at boot

It can be started like this

# start the service
service php-fpm start
# stop the service
service php-fpm stop
# restart (reload) the service
service php-fpm reload

With that, our familiar /etc/init.d/php-fpm start is back.

/etc/init.d/php-fpm start    # start
/etc/init.d/php-fpm stop     # stop
/etc/init.d/php-fpm restart  # restart
php -i | grep php.ini
Apr 21

What is brotli

Brotli is the latest compression algorithm developed by Google; it effectively reduces the amount of data a website transfers. See the Wikipedia article for details.

https://en.wikipedia.org/wiki/Brotli

Install

Install the dependency cmake

https://blog.vini123.com/289

Download and install

Download and install the module

https://github.com/google/ngx_brotli

https://github.com/eustas/ngx_brotli

cd /usr/local/src

git clone https://github.com/eustas/ngx_brotli.git 

cd ngx_brotli

git submodule update --init --recursive

Original article

https://www.xp8.net/server/645.html

Apr 21

Official site: https://www.openssl.org/ Current latest version 1.1.1

Download and install

cd /usr/local/src

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

tar -xzvf openssl-1.1.1b.tar.gz

cd openssl-1.1.1b

# set where the build will be installed
./config --prefix=/usr/local/openssl

make && make install

Check the installation

which openssl

Create a symlink

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

Run

cd /usr/local/openssl

ldd /usr/local/openssl/bin/openssl

Check the version

openssl version

# shared library not found

Fix the shared library problem

vim /etc/ld.so.conf

# append at the end
/usr/local/openssl/lib

# then run ldconfig (it re-reads /etc/ld.so.conf; no file argument is needed)
ldconfig
openssl version
# now the version number appears
Apr 21

Official site: http://www.bzip.org/downloads.html
Source package: https://sourceforge.net/projects/bzip2/

Steps

Current latest version 1.0.6

cd /usr/local/src

wget https://nchc.dl.sourceforge.net/project/bzip2/bzip2-1.0.6.tar.gz 

tar -xzvf bzip2-1.0.6.tar.gz

cd bzip2-1.0.6

# prepare for the build: create the libbz2.so shared library

make -f Makefile-libbz2_so

# build and install
make && make install

Installation complete.

Apr 20

As of today (2019-04-20) the latest stable nginx version is 1.14.2. Below we compile and install that version with support for HTTP/2, TLS 1.3 and Brotli. All good things, worth getting to know over time.

Install the dependency packages

### update packages, software and the system kernel first
yum update 

Install gcc

Building nginx from source depends on a gcc environment, so install gcc: yum install gcc-c++

Install pcre-devel

PCRE (Perl Compatible Regular Expressions) is a Perl library containing a Perl-compatible regular expression library. nginx's http module uses pcre to parse regular expressions, so pcre has to be installed on Linux; pcre-devel is the development library for building against pcre.

yum install  pcre pcre-devel

Install zlib

nginx uses zlib to gzip HTTP response bodies. But aren't we using Brotli? Install both; having both does no harm. Build gzip (zlib) from source: if you install it with yum instead, the version won't meet the requirement.

# if the version doesn't matter, this is enough
yum install zlib zlib-devel

Install cmake first
https://blog.vini123.com/289

Then install zlib
https://blog.vini123.com/299

Then install bzip2
https://blog.vini123.com/300

Finally install libzip
https://blog.vini123.com/290

Install OpenSSL

OpenSSL is a powerful Secure Sockets Layer cryptographic library. It covers the main cryptographic algorithms, the commonly used key and certificate wrapping and management functions and the SSL protocol, and it ships with plenty of applications for testing or other purposes.

https://blog.vini123.com/301

Install ngx_brotli

cd /opt
git clone https://github.com/eustas/ngx_brotli.git
cd ngx_brotli
git submodule update --init --recursive

See here: https://blog.vini123.com/302

Add a group and user

We create a new group and user to run the service, so that nginx is kept separate from root and never holds root privileges. We don't want nginx to be a real user that can log in remotely and operate the machine, so we don't create a home directory for it; pass -M to useradd:

groupadd www
useradd -g www -M www

-g assigns the nginx user to a group. -M keeps it from automatically creating a home directory.

After creating the user as above, though, the www user could still log in to the server once a password is set, which is not what we want, so we disable its SSH login. Disabling login is easy: just edit the user and group information in the configuration file.

vi /etc/passwd

Find www and change the trailing /bin/bash to /sbin/nologin.

Download and install nginx

Official site: http://nginx.org/en/download.html Current latest stable version 1.14.2

cd /usr/local/src

wget http://nginx.org/download/nginx-1.14.2.tar.gz

tar -xzvf nginx-1.14.2.tar.gz

cd nginx-1.14.2 

Configure the build

# Comments after a trailing backslash would break the line continuation, so the
# notes on the important options are collected here:
#   --with-http_stub_status_module   monitoring module, ships with nginx but is not built by default
#   --with-http_ssl_module           enable HTTPS support
#   --with-http_v2_module            enable HTTP/2
#   --with-http_gzip_static_module   enable GZip compression
#   --with-openssl=...               source tree of the OpenSSL to compile in separately
#   --with-openssl-opt=enable-tls1_3 enable TLS 1.3 support
#   --add-module=.../ngx_brotli/     compile in the ngx_brotli extension
./configure \
--user=www \
--group=www \
--prefix=/alidata/service/nginx \
--pid-path=/alidata/service/nginx/run/nginx.pid \
--with-http_stub_status_module \
--with-threads \
--with-file-aio \
--with-pcre-jit \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_realip_module \
--with-http_addition_module \
--with-stream \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-stream_realip_module \
--with-http_slice_module \
--with-pcre \
--with-openssl=/usr/local/src/openssl-1.1.1b/ \
--with-openssl-opt=enable-tls1_3 \
--add-module=/usr/local/src/ngx_brotli/

If this causes problems, put these options on a single line. If everything is fine it prints:

Configuration summary
  + using threads
  + using system PCRE library
  + using OpenSSL library: /usr/local/src/openssl-1.1.1b
  + using system zlib library

  nginx path prefix: "/alidata/service/nginx"
  nginx binary file: "/alidata/service/nginx/sbin/nginx"
  nginx modules path: "/alidata/service/nginx/modules"
  nginx configuration prefix: "/alidata/service/nginx/conf"
  nginx configuration file: "/alidata/service/nginx/conf/nginx.conf"
  nginx pid file: "/alidata/service/nginx/run/nginx.pid"
  nginx error log file: "/alidata/service/nginx/logs/error.log"
  nginx http access log file: "/alidata/service/nginx/logs/access.log"
  nginx http client request body temporary files: "client_body_temp"
  nginx http proxy temporary files: "proxy_temp"
  nginx http fastcgi temporary files: "fastcgi_temp"
  nginx http uwsgi temporary files: "uwsgi_temp"
  nginx http scgi temporary files: "scgi_temp"

Good, now build and install.

make && make install

After installation, start nginx

/alidata/service/nginx/sbin/nginx
ps -ef | grep nginx

# list the compiled-in modules
/alidata/service/nginx/sbin/nginx -V

Configure start on boot

Switch to the /lib/systemd/system/ directory, create the nginx.service file with vi nginx.service
and edit nginx.service as follows

[Unit]
Description=nginx
After=network.target

[Service]
Type=forking
ExecStart=/alidata/service/nginx/sbin/nginx
ExecReload=/alidata/service/nginx/sbin/nginx -s reload
ExecStop=/alidata/service/nginx/sbin/nginx -s quit
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Save and exit. Then run systemctl enable nginx.service to enable automatic start after a reboot

systemctl enable nginx.service

systemctl start nginx.service    # start nginx
systemctl stop nginx.service     # stop nginx
systemctl restart nginx.service  # restart nginx

Run curl 127.0.0.1 to see the welcome page, or open the public IP. If the public IP is not reachable, port 80 is probably not open: open the port, for example by adding an Aliyun security group rule, then restart nginx.

References

https://www.mf8.biz/nginx-install-tls1-3/

Apr 17

HTTPS testing

https://myssl.com

nginx configuration

ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "default-src 'self';script-src * 'unsafe-inline';style-src * 'unsafe-inline';";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options 'SAMEORIGIN';

TLS 1.3 is also gradually gaining adoption; you can configure it yourself.
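As an added example (not part of the original post), this POSIX shell lint checks an nginx TLS/header snippet for the settings a reviewer would tighten before running it through a tester like myssl.com: the ORIGINAL string is the post's block, and HARDENED is one possible replacement constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx TLS/header snippet
# for the settings a reviewer would tighten. Both snippets are constructed here;
# ORIGINAL copies the post's block, HARDENED is one possible replacement.

# audit_ssl_conf CONFIG_TEXT: print one finding per line; always exits 0.
audit_ssl_conf() {
    c=$1
    # Anything older than TLSv1.2 is deprecated (RFC 8996). The pattern matches
    # TLSv1, TLSv1.0 or TLSv1.1 followed by a separator, but not TLSv1.2/1.3.
    if printf '%s\n' "$c" | grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1(\.[01])?[[:space:];])'; then
        echo "ssl_protocols: allows a protocol older than TLSv1.2"
    fi
    # The HIGH and AES aliases admit RSA key exchange suites without forward secrecy.
    if printf '%s\n' "$c" | grep -Eq 'ssl_ciphers[^;]*:(HIGH|AES)[:;]'; then
        echo "ssl_ciphers: HIGH/AES aliases permit non-forward-secret suites"
    fi
    # HSTS without includeSubDomains leaves subdomains open to downgrade.
    if printf '%s\n' "$c" | grep -q 'Strict-Transport-Security' &&
       ! printf '%s\n' "$c" | grep -q 'Strict-Transport-Security.*includeSubDomains'; then
        echo "HSTS: missing includeSubDomains"
    fi
    # 'unsafe-inline' in script-src defeats the XSS protection CSP provides.
    if printf '%s\n' "$c" | grep -Eq "Content-Security-Policy.*script-src[^;]*'unsafe-inline'"; then
        echo "CSP: script-src allows 'unsafe-inline'"
    fi
}
# finding_count CONFIG_TEXT: number of findings, as a plain integer.
finding_count() { audit_ssl_conf "$1" | awk 'END { print NR }'; }

ORIGINAL=$(cat <<'EOF'
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "default-src 'self';script-src * 'unsafe-inline';style-src * 'unsafe-inline';";
EOF
)
HARDENED=$(cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'" always;
EOF
)
# The post's block yields four findings; the hardened snippet yields none.
audit_ssl_conf "$ORIGINAL"
```

To lint a real file, pass its contents with `audit_ssl_conf "$(cat /alidata/service/nginx/conf/nginx.conf)"`.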

Apr 14

One item in OWASP security testing is that the Server and X-Powered-By information in the HTTP headers should be hidden. How do you hide them? Server carries the nginx or Apache information, and X-Powered-By may carry the PHP version number.

As shown in the figure below:

Users can easily see the version information of your server environment. To hide it, just do the following.

Hide Server

nginx

vim nginx.conf

# add the following setting inside the http block

server_tokens off;

Then restart (reload) nginx: ../sbin/nginx -s reload

Hide the PHP version

# find where php.ini lives
php -i|grep php.ini

vim php.ini

# set the value below, i.e. change On to Off
expose_php = Off

Then restart PHP: /etc/init.d/php-fpm restart
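As an added example (not part of the original post), this POSIX shell check verifies the two settings above took effect by scanning a response header block for a versioned Server value and any X-Powered-By header; the BEFORE and AFTER responses are constructed for this example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: check a captured HTTP response
# header block for the two disclosures this post hides, the version in Server
# and the X-Powered-By header. Both responses below are constructed, not captured.

# header_leaks RESPONSE_TEXT: print one line per disclosure; always exits 0.
header_leaks() {
    r=$1
    # A Server value carrying "name/version", e.g. nginx/1.14.2 (server_tokens on).
    if printf '%s\n' "$r" | grep -Eiq '^Server:[[:space:]]*[A-Za-z-]+/[0-9]'; then
        echo "Server header discloses a version: set server_tokens off"
    fi
    # Any X-Powered-By header; PHP adds PHP/x.y.z unless expose_php = Off.
    if printf '%s\n' "$r" | grep -Eiq '^X-Powered-By:'; then
        echo "X-Powered-By header present: set expose_php = Off"
    fi
}
# leak_count RESPONSE_TEXT: number of disclosures, as a plain integer.
leak_count() { header_leaks "$1" | awk 'END { print NR }'; }

BEFORE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.14.2
X-Powered-By: PHP/7.3.4
Content-Type: text/html; charset=UTF-8
EOF
)
AFTER=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
EOF
)
# Before the change: two disclosures. After server_tokens off and expose_php = Off: none.
header_leaks "$BEFORE"
```

Against a live server, feed it the real headers: `header_leaks "$(curl -sI https://your-host.example/)"` (host is a placeholder).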

Apr 02

If you want to build a chat-style app or page you will need long-lived connections, and WebSocket is one way to do it. The server side can be Node.js and the like; for PHP, Workerman or Swoole is more convenient. Here I record the process of using Swoole with the Laravel framework.

Compile and install the swoole extension

http://pecl.php.net/package/swoole
The latest version at the moment is 4.3.1. Everything here is new: the server is new and the installed environment is the latest, so there is no hesitation about using the latest of everything.

cd /usr/local/src

wget http://pecl.php.net/get/swoole-4.3.1.tgz

tar -xzvf swoole-4.3.1.tgz

cd swoole-4.3.1

phpize

# SSL support; this one is fairly important
./configure --enable-openssl 

make && make install

make test

vim /alidata/service/php/etc/php.ini

# append at the end
extension=swoole.so

# restart PHP
/etc/init.d/php-fpm restart

# check that the extension is loaded
php -m | grep swoole
