Making nginx safer with chroot

post by rocdk890 / 2012-3-4 20:44 Sunday, Linux techniques
First download and compile nginx. My configure options were as follows:
--prefix=/usr/local/nginx --without-select_module --with-poll_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre=/usr/source_code/pcre-7.7/
Then create the chroot directory.
Create the directory tree; the path inside the chroot must be exactly the one specified at compile time (--prefix), otherwise nginx will fail to start.
My compile-time directory was /usr/local/nginx:

    mkdir -p /var/chroot/usr/local/
    cp -a /usr/local/nginx /var/chroot/usr/local/

    Then copy the following files into the chroot:

|-- bin
|   |-- bash
|   `-- sh -> bash
|-- dev
|   |-- null
|   |-- random
|   |-- root
|   |-- urandom
|   `-- zero
|-- etc
|   |-- group
|   `-- passwd
|-- lib
|   |-- ld-2.5.so
|   |-- ld-linux-x86-64.so.2 -> ld-2.5.so
|   |-- libc-2.5.so
|   |-- libc.so.6 -> libc-2.5.so
|   |-- libcrypt-2.5.so
|   |-- libcrypt.so.1 -> libcrypt-2.5.so
|   |-- libdl-2.5.so
|   |-- libdl.so.2 -> libdl-2.5.so
|   |-- libnsl.so.1
|   |-- libnss_compat.so.2
|   |-- libpcre.so.0 -> libpcre.so.0.0.1
|   |-- libnss_files.so.2
|   |-- libnss_files-2.5.so
|   |-- libpcre.so.0.0.1
|   |-- libtermcap.so.2 -> libtermcap.so.2.0.8
|   `-- libtermcap.so.2.0.8
`-- usr
    |-- lib
    |   |-- libz.so.1 -> libz.so.1.2.3
    |   `-- libz.so.1.2.3
    `-- local
        `-- nginx
            |-- ... ...
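The tree above is the hand-copied result for one particular system. As an added example (not from the original post), the script below derives the same set from ldd for whatever binaries you pass it and creates the device nodes; it assumes CHROOT=/var/chroot as in the post, GNU readlink/cp, root privileges for mknod, and the NSS library paths given in its comments.

```shell
#!/bin/sh
# Added example, not from the original post: populate the chroot from ldd(1)
# output instead of copying the hand-made library list above.
# Assumptions: CHROOT=/var/chroot as in the post, GNU readlink/cp, and root
# for mknod. NSS_LIBS is an assumption: nginx resolves its user/group via NSS,
# and libnss_* are dlopen()ed at runtime, so ldd never lists them.
set -eu
CHROOT="${CHROOT:-/var/chroot}"
NSS_LIBS="${NSS_LIBS:-/lib/libnss_files.so.2 /lib/libnss_compat.so.2}"
# Read ldd output on stdin and print one absolute library path per line:
# keeps "name => /path (addr)" and the bare loader line "/lib64/ld-... (addr)",
# skips the vDSO pseudo-entry, reports "not found" entries on stderr.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $2 == "=>" && $3 == "not" { print "unresolved: " $1 > "/dev/stderr"; next }
         $1 ~ /^\//                { print $1 }'
}

# Copy one file into the chroot under its original path. A symlink such as
# libc.so.6 -> libc-2.5.so is recreated so ld.so finds the SONAME it expects.
copy_into_chroot() {
    src="$1"; real=$(readlink -f "$src")
    mkdir -p "$CHROOT$(dirname "$src")" "$CHROOT$(dirname "$real")"
    cp -p "$real" "$CHROOT$real"
    [ "$real" = "$src" ] || ln -sfn "$real" "$CHROOT$src"
}

# Character devices nginx needs inside the jail (Linux major/minor numbers).
make_devs() {
    mkdir -p "$CHROOT/dev"
    for spec in "null 1 3" "zero 1 5" "random 1 8" "urandom 1 9"; do
        set -- $spec
        [ -c "$CHROOT/dev/$1" ] || mknod -m 666 "$CHROOT/dev/$1" c "$2" "$3"
    done
}

# Copy each binary plus everything ldd reports for it, then the NSS libraries.
populate() {
    for bin in "$@"; do
        copy_into_chroot "$bin"
        ldd "$bin" | ldd_libs | while read -r lib; do copy_into_chroot "$lib"; done
    done
    for lib in $NSS_LIBS; do
        if [ -e "$lib" ]; then copy_into_chroot "$lib"; fi
    done
}

# Run as root: sh build_chroot.sh /usr/local/nginx/sbin/nginx /bin/bash
[ $# -eq 0 ] || { make_devs; populate "$@"; }
```

After nginx is started in the jail, `readlink /proc/$(cat /var/chroot/usr/local/nginx/logs/nginx.pid)/root` run from outside should print /var/chroot, which confirms the master process really has the new root.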

Once this is done, nginx can be started; /var/chroot is now our new root directory. If your configuration references anything else (log paths, certificates, extra users), do not forget to create the corresponding files and directories inside the chroot as well.
chroot /var/chroot /usr/local/nginx/sbin/nginx
If this is too cumbersome, you can use the init script below.
/etc/init.d/nginxd
    #!/bin/sh
    #
    # chkconfig: 35 75 15
    # description: A WWW service.
    CHROOT_DIR="/var/chroot"
    NGINXHOME="/usr/local/nginx"

    . /etc/rc.d/init.d/functions
    prog="${NGINXHOME}/sbin/nginx"
    NGINX_OPTIONS="${NGINXHOME}/conf/nginx.conf"
    # Take the pid file from the "pid ...;" directive in nginx.conf (strip the ';'),
    # falling back to nginx's default location.
    PIDFILE=$(awk '{if($1~/^\ *pid/) print substr($2,1,length($2)-1);}' ${NGINX_OPTIONS})
    PIDFILE=${PIDFILE:-${NGINXHOME}/logs/nginx.pid}
    # nginx is jailed only if the chroot has been populated (detected by /etc/passwd);
    # the pid file nginx writes is then relative to the chroot root, so prefix it.
    if [ -s ${CHROOT_DIR}/etc/passwd ]; then
      USE_CHROOT=1
      PIDPATH="${CHROOT_DIR}${PIDFILE}"
    else
      USE_CHROOT=0
      PIDPATH="${PIDFILE}"
    fi
    RETVAL=0

    start() {
      [ -s ${PIDPATH} ] && { echo "pid file already exists"; return 1; }
      echo -n "Nginx Server Starting ... "
      if [ ${USE_CHROOT} -eq 1 ]; then
        chroot ${CHROOT_DIR} ${prog} -c ${NGINX_OPTIONS}
      else
        ${prog} -c ${NGINX_OPTIONS}
      fi
      if ps -e | grep -q nginx; then
        echo_success; echo
        return 0
      fi
      echo_failure; echo
      RETVAL=1
    }
    stop() {
      echo -n "Nginx Server Stopping ... "
      if [ -e ${PIDPATH} ]; then
         kill -15 $(cat ${PIDPATH}) 2>&-
         echo_success; echo
         return 0
      fi
      echo_failure; echo
      RETVAL=1
    }
    configtest() {
      # Test the configuration where it will actually run (inside the jail if present).
      if [ ${USE_CHROOT} -eq 1 ]; then
        chroot ${CHROOT_DIR} ${prog} -c ${NGINX_OPTIONS} -v -V -t
      else
        ${prog} -c ${NGINX_OPTIONS} -v -V -t
      fi
      RETVAL=$?
    }

    case $1 in
      start|stop|configtest)
            # Remove a stale, empty pid file before acting.
            [ -s ${PIDPATH} ] || rm -f ${PIDPATH}
            $1
            ;;
      restart)
            # SIGHUP makes the running master re-read its configuration and replace the workers.
            if [ -s ${PIDPATH} ]; then
              kill -s HUP $(cat ${PIDPATH}) 2>&-
            fi
            ;;
      *)
            echo $"Usage: $0 {start|stop|restart|configtest}"
            exit 0
    esac

    exit $RETVAL

Original link: blog.slogra.com/post-146.html

Tags: nginx centos security usage features chroot