Apache – 盧尛朋友

在開發 PHP 程式時，習慣將 Apache 或 PHP-FPM 的群組，與使用者共用

但二者預設新增檔案的權限，經常是 755

也就是說，群組沒有權限異動檔案，在開發時較不方便

以下就是修改預設檔案權限方式。

umask() 用來做檔案權限的遮罩 (限制權限)

PHP 預設 umask 是 022，當建立檔案或資料夾權限給 777 時，最終的權限會是 777 – 022 = 755

如下 PHP 語句

chmod(“/FilePath/FileName”, 0777); // FileName 權限為 755

mkdir(“/Folder/”, 0777, true); // Folder 權限為 755

若要調整權限，以下有 3 個方式

1． Apache 可以更改預設 umask，修改後重啟 Restart Apache 才會生效，如下 Linux 指令

echo "umask 000" >> /etc/sysconfig/httpd
service httpd restart

1 2	echo "umask 000" >> /etc/sysconfig/httpd service httpd restart

2．PHP 寫入檔案前，執行 umask(0)

$old = umask(000); //儲存當前的 umask，再更新 umask 為 000
fopen('foo.txt', 'w');
umask($old); // 還原 umask

$old = umask(000); //儲存當前的 umask，再更新 umask 為 000

fopen('foo.txt', 'w');

umask($old); // 還原 umask

3．PHP 寫入檔案後，使用 chmod()

fopen('foo.txt', 'w');
chmod('foo.txt', 0777); // 變更權限

1 2	fopen('foo.txt', 'w'); chmod('foo.txt', 0777); // 變更權限

PHP-FPM (NGINX)

修改檔案路徑：/lib/systemd/system/php-fpm.service

[Service]
UMask=0002

1 2	[Service] UMask=0002

加上 UMASK 設定後，如下

[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
PIDFile=/var/run/php-fpm/php-fpm.pid
EnvironmentFile=/etc/sysconfig/php-fpm
ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
UMask=0002
[Install]
WantedBy=multi-user.target

[Unit]

Description=The PHP FastCGI Process Manager

After=syslog.target network.target

[Service]

Type=notify

PIDFile=/var/run/php-fpm/php-fpm.pid

EnvironmentFile=/etc/sysconfig/php-fpm

ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf

ExecReload=/bin/kill -USR2 $MAINPID

PrivateTmp=true

UMask=0002

[Install]

WantedBy=multi-user.target

重啟 php-fpm 服務

有時內網有其他的伺服器，但是對外僅有一個 80、443 PORT

這時就能利用 Apache 設定 Virtual Host 做代理，將內網的伺服器的資訊轉發出來。

需要的 Apache 套件

mod_proxy、mod_proxy_connect、mod_proxy_http、mod_proxy_ajp.so、mod_ssl、mod_rewrite

查看已啟用套件：apachectl -M

Apache 設定檔路徑：/etc/httpd/conf/httpd.conf、/etc/httpd/conf.d/ssl.conf

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_connect_module modules/mod_proxy_connect.so

LoadModule proxy_http_module modules/mod_proxy_http.so

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

LoadModule ssl_module modules/mod_ssl.so

LoadModule rewrite_module modules/mod_rewrite.so

設定訪問 HTTP 跳轉到 HTTPS (安全性考量)。/etc/httpd/conf.d/vhost_proxy.conf

# demo.rusnake.com
<VirtualHost *:80>
  ServerName demo.rusnake.com
  ServerAlias demo2.rusnake.com
  RewriteEngine on
  ReWriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

# demo.rusnake.com

ServerName demo.rusnake.com

ServerAlias demo2.rusnake.com

RewriteEngine on

ReWriteCond %{SERVER_PORT} !^443$

RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]

</VirtualHost>

以下為 3 台伺服器 IP

Apache Proxy：192.168.1.200

Web Server01：192.168.1.201

Web Server02：192.168.1.202

方式一：設定 proxy 代理內部 HTTP 8000 PORT，外網則是 HTTPS。/etc/httpd/conf.d/vhost_proxy.conf

# demo.rusnake.com
<VirtualHost 192.168.1.200:443>
  ServerName demo.rusnake.com

  SSLEngine On
  SSLProtocol -ALL +TLSv1 +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
  SSLCertificateFile    /etc/httpd/ssl/rusnake/demo.rusnake.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl/rusnake/demo.rusnake.com.key
  SSLCACertificateFile /etc/httpd/ssl/rusnake/demo.rusnake.com.ca.crt
  
  ProxyRequests     Off
  ProxyPass         /  http://192.168.1.201:8000/
  ProxyPassReverse  /  http://192.168.1.201:8000/
  <Proxy *>
    Order Deny,Allow
    Deny from all
    #內部 IP
    Allow from 192.168.1
    #外部 IP
    Allow from 210.61.12.219
  </Proxy>
  ProxyPreserveHost on
</VirtualHost>

# demo.rusnake.com

ServerName demo.rusnake.com

SSLEngine On

SSLProtocol -ALL +TLSv1 +TLSv1.2

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA

SSLCertificateFile /etc/httpd/ssl/rusnake/demo.rusnake.com.crt

SSLCertificateKeyFile /etc/httpd/ssl/rusnake/demo.rusnake.com.key

SSLCACertificateFile /etc/httpd/ssl/rusnake/demo.rusnake.com.ca.crt

ProxyRequests Off

ProxyPass / http://192.168.1.201:8000/

ProxyPassReverse / http://192.168.1.201:8000/

Order Deny,Allow

Deny from all

#內部 IP

Allow from 192.168.1

#外部 IP

Allow from 210.61.12.219

</Proxy>

ProxyPreserveHost on

</VirtualHost>

方式二：設定 proxy 代理內部 HTTPS 443 PORT，外網也是 HTTPS。/etc/httpd/conf.d/vhost_proxy.conf

<virtualHost 192.168.1.200:443>
  ServerName demo2.rusnake.com
  ProxyRequests Off
  #LogLevel debug
  #ErrorLog /home/proxy_err.txt
  #TransferLog /home/proxy_trans.txt
  SSLEngine On
  SSLProxyEngine On
  SSLProtocol -ALL +TLSv1.1 +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA
  SSLCertificateFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.crt
  SSLCertificateKeyFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.key
  SSLCACertificateFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.ca.crt
  <Proxy *>
    Order Deny,Allow
    Deny from all
    #內部 IP
    Allow from 192.168.1
    #外部 IP
    Allow from 210.61.12.219
  </Proxy>
  
  ProxyPreserveHost on
  ProxyPass         /  https://192.168.1.202:443/
  ProxyPassMatch    /  https://192.168.1.202:443/(.*)
  ProxyPassReverse  /  https://192.168.1.202:443/(.*)
</virtualHost>

ServerName demo2.rusnake.com

ProxyRequests Off

#LogLevel debug

#ErrorLog /home/proxy_err.txt

#TransferLog /home/proxy_trans.txt

SSLEngine On

SSLProxyEngine On

SSLProtocol -ALL +TLSv1.1 +TLSv1.2

SSLCertificateFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.crt

SSLCertificateKeyFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.key

SSLCACertificateFile /etc/httpd/ssl/rusnake/demo2.rusnake.com.ca.crt

Order Deny,Allow

Deny from all

#內部 IP

Allow from 192.168.1

#外部 IP

Allow from 210.61.12.219

</Proxy>

ProxyPreserveHost on

ProxyPass / https://192.168.1.202:443/

ProxyPassMatch / https://192.168.1.202:443/(.*)

ProxyPassReverse / https://192.168.1.202:443/(.*)

</virtualHost>

設定好之後，要記得重載設定檔

service httpd reload

1	service httpd reload

盧尛朋友

學海無涯，回頭是ㄢ‵

分類: Apache

CentOS PHP UMASK 設定

Apache Proxy 設定