搭建一个本地代码审计环境(docker-compose——nginx + php5 + mysql)
看到最新Xiaocms爆了CVE,想审计一波
所以打算用docker-compose搭一个本地的平台
分享一下我是怎么搭建的
nginx + php5 + mysql(其实一开始搭了7.2的,Xiaocms不支持php7。)
目录结构
.
├── app
│   └── info.php
├── files
│   ├── docker-compose.yml
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── default.conf
│   │   ├── dockerfile
│   │   └── nginx.conf
│   └── php
│       ├── dockerfile
│       ├── php-dev.ini
│       ├── php-fpm.conf
│       ├── php.ini
│       └── pkg # 这里可以放自己想多加的拓展,我放了redis
│           └── redis.tgz
└── logs
    ├── nginx
    │   └── error.log
    └── php
docker-compose.yml
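# Local code-audit stack: nginx -> php-fpm (FastCGI) -> mysql.
# Only nginx is published on the host. php-fpm and mysql stay on the
# compose-internal network, which is the only place they are reached from.
version: '3'
services:
  php-fpm:
    build: ./php/
    container_name: php-fpm
    # `expose`, not `ports`: nginx reaches 9000 over the compose network.
    # The original `ports: - "9000"` published the FastCGI listener on a
    # random host port; FastCGI has no authentication and runs whatever
    # script path the client names, so it must not be reachable from outside.
    expose:
      - "9000"
    depends_on:
      - db
    volumes:
      # Directory under audit; swap the host path to audit another project.
      - ../../shenji/XiaoCms:/data/www:rw
      # Current php.ini; copy and edit it for a different PHP configuration.
      - ./php/php.ini:/usr/local/etc/php/php.ini:ro
      # Pool config (replaces the image's php-fpm.conf wholesale).
      - ./php/php-fpm.conf:/usr/local/etc/php-fpm.conf:ro
      # php-fpm logs land in ../logs/php on the host.
      - ../logs/php:/var/log/php-fpm:rw
    restart: always # restart automatically if the container stops
    hostname: "php-fpm" # nginx's fastcgi_pass resolves this name (php-fpm:9000)
    # Overrides the image's WORKDIR /app; the app itself lives in the
    # bind mount at /data/www.
    working_dir: /app/php
  nginx:
    build: ./nginx
    container_name: nginx
    # Service names resolve on the default compose network, so the legacy
    # `links` entries were dropped; depends_on keeps the start order.
    depends_on:
      - php-fpm
    volumes:
      - ../../shenji/XiaoCms:/data/www:rw
      # Site config written for this stack (conf.d/default.conf).
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ../logs/nginx:/var/log/nginx:rw
    ports:
      # The app is reached at http://localhost:8080. No server block listens
      # on 443, so the original `- "443"` publish was removed.
      - "8080:8080"
    restart: always
    command: nginx -g 'daemon off;'
  db:
    image: daocloud.io/library/mysql:5.7.4
    restart: always
    # Documentation only: 3306 is reachable from php-fpm/nginx, never the host.
    expose:
      - "3306"
    environment:
      # Defaults keep the original local-only credentials; override them
      # from the shell or a .env file instead of editing this file.
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-root}
      - MYSQL_DATABASE=${MYSQL_DATABASE:-test}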
php-fpm
dockerfile
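# Base image: PHP 5.6 FPM on Debian jessie (XiaoCms does not run on PHP 7).
# Change the tag to audit against another PHP version. Dockerfile has no
# inline comments, so notes live on their own lines rather than after FROM.
FROM php:5.6.38-fpm-jessie
LABEL maintainer="ckj123"

# Timezone, so php-fpm log timestamps match the nginx container (same TZ).
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# Headers for the gd extension plus the extensions the CMS needs
# (mysql/mysqli/pdo_mysql, zip, opcache). apt lists are removed in the same
# layer so they do not persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        cron \
        curl \
        git \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libmemcached-dev \
        libpng-dev \
        libsasl2-dev \
        zlib1g-dev \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd \
    && docker-php-ext-install zip \
    && docker-php-ext-install pdo_mysql \
    && docker-php-ext-install opcache \
    && docker-php-ext-install mysqli \
    && docker-php-ext-install mysql \
    && rm -r /var/lib/apt/lists/*

# Redis extension from the tarball in ./pkg (other PECL tarballs go there too).
# The tarball is deleted in the same RUN that consumes it; the COPY layer
# itself still carries it, which is size bloat but not a secret.
COPY ./pkg/redis.tgz /home/redis.tgz
RUN pecl install /home/redis.tgz \
    && echo "extension=redis.so" > /usr/local/etc/php/conf.d/redis.ini \
    && rm -f /home/redis.tgz

# Composer. Download the installer to a file and check its SHA-384 against
# the checksum Composer publishes before executing it, instead of piping
# the download straight into php.
ENV COMPOSER_HOME=/root/composer
RUN set -eux; \
    curl -sS -o /tmp/composer-setup.php https://getcomposer.org/installer; \
    expected="$(curl -sS https://composer.github.io/installer.sig)"; \
    actual="$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")"; \
    [ "$expected" = "$actual" ]; \
    php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer; \
    rm -f /tmp/composer-setup.php
ENV PATH=$COMPOSER_HOME/vendor/bin:$PATH

WORKDIR /app

# Write permission: give www-data the usual host UID so files in the
# bind-mounted /data/www owned by host UID 1000 are writable by the pool user.
RUN usermod -u 1000 www-data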
php-fpm.conf
php-fpm 的配置文件
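; php-fpm config for the local audit container. docker-compose.yml mounts it
; read-only over /usr/local/etc/php-fpm.conf, so the image's own php-fpm.conf
; (and anything it included) is replaced wholesale by this file.
[global]
daemonize = no
; Master/worker errors go to the directory docker-compose.yml mounts from
; ../logs/php, so they land on the host. The directory must exist (the bind
; mount provides it).
error_log = /var/log/php-fpm/error.log

[www]
user = www-data
group = www-data
listen = [::]:9000
pm = dynamic
;pm = static
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 30
; clear_env = no hands every environment variable of the container to PHP.
; Acceptable for a throwaway local audit box, but anything placed in the
; container env (e.g. compose `environment`) becomes readable via getenv().
clear_env = no
rlimit_files = 1048576
;request_terminate_timeout = 0
;request_slowlog_timeout = 1
;slowlog = /data/log/php/php-slow.log
; access.format is ignored unless access.log is set; the original set only
; the format, so nothing was ever written to the mounted log directory.
access.log = /var/log/php-fpm/access.log
access.format = "%t \"%m %r%Q%q\" %s %{mili}dms %{kilo}Mkb %C%%"
catch_workers_output = yes
; Development setting: errors are rendered into HTTP responses. Local use only.
php_flag[display_errors] = on
;php_admin_flag[log_errors] = true
php_admin_value[date.timezone] = "Asia/Shanghai"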
nginx
dockerfile
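# Base image pinned to the 1.9 line the author used; the original note says
# 1.13 also works. Dockerfile has no inline comments, so the note is on its
# own line rather than after FROM.
FROM nginx:1.9
LABEL maintainer="ckj123"

# Timezone, so error.log timestamps match the php-fpm container (same TZ).
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone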
nginx.conf
因为我把很多路径都改了,所以把完整的 nginx.conf 贴出来
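# Main nginx configuration. Site/server blocks are pulled in from
# conf.d/*.conf (mounted from ./nginx/conf.d by docker-compose.yml).
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    keepalive_timeout 10;
    send_timeout 10;
    server_name_in_redirect off;
    server_names_hash_bucket_size 64;
    types_hash_max_size 2048;

    client_header_timeout 10;
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Large uploads allowed; the audited CMS handles file uploads.
    client_max_body_size 100m;
    client_body_timeout 10;
    client_body_buffer_size 10m;
    reset_timedout_connection on;

    # log setting
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Access logging is off. To trace requests while auditing, swap in the
    # commented line; /var/log/nginx is mounted to ../logs/nginx on the host.
    # access_log /var/log/nginx/access.log main;
    access_log off;
    # (The original repeated `error_log /var/log/nginx/error.log warn;` here;
    # the main-context setting above already applies, so it was dropped.)

    fastcgi_buffers 256 16k;
    fastcgi_buffer_size 128k;
    fastcgi_connect_timeout 3s;
    fastcgi_send_timeout 120s;
    fastcgi_read_timeout 120s;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    # Strip the PHP version header that php-fpm adds to responses.
    fastcgi_hide_header X-Powered-By;

    # Gzip Compression
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;

    # File-descriptor/metadata cache. While editing the bind-mounted source
    # tree, changes (and cached 404s) may take up to 30s to show up.
    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    include /etc/nginx/conf.d/*.conf;
}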
conf.d
default.conf
端口监听的配置文件
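# Site config for the audited app. One server block serves both ports; the
# original duplicated the entire block for 80 and 8080.
server {
    listen 80 default_server;
    listen 8080 default_server;
    server_name localhost docker;
    root /data/www;
    # Single index list. The original declared `index` twice; nginx merges
    # them, which put index.html ahead of index.php.
    index index.php index.html index.htm;

    location / {
        # Front-controller routing: anything that is not an existing file or
        # directory is handed to index.php with the original path as query.
        # (The original also had `rewrite ^/index\.php$ - last;` here; the
        # PHP location below matches /index.php first, so it never ran.)
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?/$1 last;
        }
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /data/www;
    }

    # PHP handler. The original had two php locations: the first, `~ \.php`
    # (unanchored, no existence check), shadowed the second, so the second's
    # `try_files` was dead code. An unanchored match plus PHP's default
    # cgi.fix_pathinfo=1 can make php-fpm execute a non-.php file that
    # precedes the `.php` segment of the path. This block splits PATH_INFO
    # explicitly and refuses anything that is not an existing script.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # `if (!-f)` rather than `try_files`: try_files re-evaluates the URI
        # and discards $fastcgi_path_info.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        # `php-fpm` is the service hostname from docker-compose.yml.
        fastcgi_pass php-fpm:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}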
结果
docker-compose up
一下,等所有的下载完成之后就可以在本地的8080端口访问了
image
安装XiaoCms
image
image
ok,完成了可以代码审计了嘻嘻嘻嘻
作者:ckj123
链接:https://www.jianshu.com/p/587c9162f461