mac搭建php审计环境,[docker]搭建一个本地代码审计环境(docker-compose——nginx + php5 + mysql)...
搭建一個本地代碼審計環境(docker-compose——nginx + php5 + mysql)
看到最新Xiaocms爆了CVE,想審計一波
所以打算用docker-compose搭一個本地的平臺
分享一下我是怎么搭建的
nginx + php5 + mysql(其實一開始搭了7.2的,Xiaocms不支持php7。)
目錄結構.
├── app
│   └── info.php
├── files
│   ├── docker-compose.yml
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── default.conf
│   │   ├── dockerfile
│   │   └── nginx.conf
│   └── php
│       ├── dockerfile
│       ├── php-dev.ini
│       ├── php-fpm.conf
│       ├── php.ini
│       └── pkg  # 這里可以放自己想多加的拓展,我放了redis
│           └── redis.tgz
└── logs
    ├── nginx
    │   └── error.log
    └── php
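# docker-compose.yml
version: '3'
services:
  php-fpm:
    build: ./php/
    container_name: php-fpm  # container name
    # FastCGI is only needed by the nginx service. `expose` keeps port 9000
    # reachable on the compose network without publishing it on a host interface,
    # where anyone on the LAN could hand php-fpm an arbitrary SCRIPT_FILENAME.
    expose:
      - "9000"
    volumes:
      # mounted web root; change the left-hand path to audit a different project
      - ../../shenji/XiaoCms:/data/www:rw
      - ./php/php.ini:/usr/local/etc/php/php.ini:ro  # current php config; copy and edit php.ini as needed
      - ./php/php-fpm.conf:/usr/local/etc/php-fpm.conf:ro  # php-fpm config
      - ../logs/php:/var/log/php-fpm:rw  # php-fpm logs land in ../logs/php on the host
    restart: always  # restart automatically if the container stops
    hostname: "php-fpm"  # nginx's fastcgi_pass refers to this name
    working_dir: /app/php  # working directory
  nginx:
    build: ./nginx
    container_name: nginx
    depends_on:
      - php-fpm
    links:
      - php-fpm  # same network
      - db
    volumes:
      # nginx only reads the web root (static files + proxying), so it gets no write access
      - ../../shenji/XiaoCms:/data/www:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro  # our own server blocks
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ../logs/nginx:/var/log/nginx:rw
    ports:
      # bound to loopback only: the CMS under audit is reachable just from this machine
      - "127.0.0.1:8080:8080"
      # 443 was previously published as well, but conf.d/default.conf has no TLS listener,
      # so nothing would answer there
    restart: always
    command: nginx -g 'daemon off;'
  db:
    image: daocloud.io/library/mysql:5.7.4
    restart: always
    expose:
      - "3306"  # reachable from the compose network only, not published on the host
    environment:
      - MYSQL_ROOT_PASSWORD=root  # root password (lab-only; 3306 is not published)
      - MYSQL_DATABASE=test  # database created on first start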
php-fpm
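# dockerfile
# The base tag can be changed freely to whichever PHP build is needed.
# (Dockerfile has no trailing comments: a `#` after an instruction is passed to it as an argument.)
FROM php:5.6.38-fpm-jessie
LABEL maintainer="ckj123"

# set timezone
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

RUN apt-get update && apt-get install -y \
    cron \
    git \
    zlib1g-dev \
    libfreetype6-dev \
    libjpeg62-turbo-dev \
    libpng-dev \
    libsasl2-dev \
    libmemcached-dev \
    curl \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd \
    && docker-php-ext-install zip \
    && docker-php-ext-install pdo_mysql \
    && docker-php-ext-install opcache \
    && docker-php-ext-install mysqli \
    && docker-php-ext-install mysql \
    && rm -r /var/lib/apt/lists/*

COPY ./pkg/redis.tgz /home/redis.tgz
# Install PECL extensions (Redis)
RUN pecl install /home/redis.tgz && echo "extension=redis.so" > /usr/local/etc/php/conf.d/redis.ini

# Install Composer
ENV COMPOSER_HOME /root/composer
# Download the installer to a file and compare its SHA-384 with the signature Composer
# publishes, instead of piping an unverified script straight into php.
RUN curl -sS -o /tmp/composer-setup.php https://getcomposer.org/installer \
    && EXPECTED="$(curl -sS https://composer.github.io/installer.sig)" \
    && ACTUAL="$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")" \
    && [ "$EXPECTED" = "$ACTUAL" ] \
    && php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer \
    && rm -f /tmp/composer-setup.php
ENV PATH $COMPOSER_HOME/vendor/bin:$PATH
RUN rm -f /home/redis.tgz
WORKDIR /app

# Write Permission: align www-data's uid with the usual host user so the bind-mounted web root is writable
RUN usermod -u 1000 www-data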
php-fpm.conf
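; php-fpm.conf — PHP-FPM configuration
[global]
daemonize = no
; master-process log goes into the directory docker-compose mounts at ../logs/php
error_log = /var/log/php-fpm/error.log

[www]
user = www-data
group = www-data
; binds every interface inside the container; whether the host can reach it is
; decided by the port settings in docker-compose.yml
listen = [::]:9000
pm = dynamic
;pm = static
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 30
clear_env = no
rlimit_files = 1048576
;request_terminate_timeout = 0
;request_slowlog_timeout = 1
;slowlog = /data/log/php/php-slow.log
; access.format has no effect unless access.log is set; write per-request lines
; into the mounted log directory so every script execution can be traced
access.log = /var/log/php-fpm/access.log
access.format = "%t \"%m %r%Q%q\" %s %{mili}dms %{kilo}Mkb %C%%"
catch_workers_output = yes
; errors are shown in the response on purpose: this stack exists for local code auditing
php_flag[display_errors] = on
;php_admin_flag[log_errors] = true
php_admin_value[date.timezone] = "Asia/Shanghai"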
nginx
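# dockerfile
# 1.13 works as well (the author noticed 1.9 was in use only while writing this up).
# The comment is on its own line: Dockerfile passes a trailing `#` to the instruction.
FROM nginx:1.9
LABEL maintainer="ckj123"

# set timezone
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone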
nginx.conf
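# nginx.conf — posted in full because many paths differ from the image default
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # hide the nginx version in the Server header and on error pages
    server_tokens off;

    keepalive_timeout 10;
    send_timeout 10;
    server_name_in_redirect off;
    server_names_hash_bucket_size 64;
    types_hash_max_size 2048;

    client_header_timeout 10;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 100m;
    client_body_timeout 10;
    client_body_buffer_size 10m;
    reset_timedout_connection on;

    # log setting
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';
    # keep the request log: it is written to ../logs/nginx through the compose volume
    # and records exactly which URLs were hit while auditing
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_connect_timeout 3s;
    fastcgi_send_timeout 120s;
    fastcgi_read_timeout 120s;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    # strip PHP's version banner from upstream responses
    fastcgi_hide_header X-Powered-By;

    # Gzip Compression
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;

    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;
}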
conf.d
default.conf
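# default.conf — server / port listening configuration
# A single server block serves both ports; the two original blocks were
# identical apart from the listen port.
server {
    listen   80 default_server;
    listen   8080 default_server;
    server_name localhost docker;
    root /data/www;
    index index.php index.html index.htm;

    location / {
        index index.php;
        rewrite ^/index\.php$ - last;
        # front-controller rewrite: anything that is not an existing file or
        # directory is handed to index.php with the original path as query string
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?/$1 last;
        }
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /data/www;
    }

    # Only URIs ending in .php reach PHP, and only when that file really exists.
    # nginx picks the first matching regex location in file order, so the earlier
    # unanchored `location ~ \.php` (no try_files) shadowed this block and let a
    # request such as /some.jpg/x.php reach php-fpm; try_files rejects that with 404.
    location ~ \.php$ {
        try_files $uri =404;
        # php-fpm is the hostname of the php-fpm service in docker-compose.yml
        fastcgi_pass   php-fpm:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}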
結果
docker-compose up一下,等所有的下載完成之后就可以在本地的8080端口訪問了
image
安裝XiaoCms
image
image
ok,完成了可以代碼審計了嘻嘻嘻嘻
作者:ckj123
鏈接:https://www.jianshu.com/p/587c9162f461