Record the problem of PHP program accessing system files incorrectly

Running environment centos  lnmp

problem ：

The test script can be run directly to obtain the files in the system directory

Cannot get system catalog files by running through browser

**Warning**: require(): open_basedir restriction in effect. File(/home/wwwroot/ssmanager/vendor/autoload.php) is not within the allowed path(s): (/home/wwwroot/ssmanager/public/:/tmp/:/proc/) in **/home/wwwroot/ssmanager/public/index.php**on line **24**
**Warning**: require(/home/wwwroot/ssmanager/vendor/autoload.php): failed to open stream: Operation not permitted in **/home/wwwroot/ssmanager/public/index.php** on line **24**
**Fatal error**: require(): Failed opening required '/home/wwwroot/ssmanager/public/../vendor/autoload.php' (include_path='.:/usr/local/php/lib/php') in **/home/wwwroot/ssmanager/public/index.php** on line **24**

resolvent ：

1、 Check whether there are permission restrictions , By modifying the file directory, the group owner and the given permission

chown and chmod

2、 of nginx fastcgi Problems setting up the

resolvent
find Nginx Medium fastcgi.conf The configuration file , Generally located fastcgi.conf In file

/usr/local/nginx/conf/fastcgi.conf

Open the file and find the following section

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

Put it $document_root Change the variable to the project directory （ Or delete this line ）, For example, my current project is ssmanager(Laravel project ), Just put the $document_root It is amended as follows ssmanager directory .

fastcgi_param PHP_ADMIN_VALUE "open_basedir=/home/wwwroot/ssmanager/:/tmp/:/proc/";

 

restart Nginx The server
/etc/init.d/nginx restart

error analysis
fastcgi_param What is it?
fastcgi_param Belong to ngx_http_fastcgi_module Parameters of the module , Used to set the transmission to FastCgi Server parameters and settings PHP Configuration item , It includes user access IP And others Webserver Information ; adopt PHP_ADMIN_VALUE Options can be given PHP To configure

（ since PHP 5.3.3 rise , Can pass web server setting PHP Configuration of ）PHP Official documents

fastcgi_param grammar ：

name      Options
Syntax    fastcgi_param parameter value [if_not_empty]
Default    -
Context    http, server, location
among value Can contain text , Variables and their combinations . Only if there is no definition at the current level fastcgi_param When the command , Only the defined instructions can be inherited from the previous level .

Some general parameters are listed below , It can be seen that fastcgi_param Specific usage of

fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";

It can be seen from observation that , We are using PHP Medium $_SERVER[SERVER_ADDR] obtain WEBSERVER Relevant parameters , In fact, it is with fastcgi_param Corresponding to the parameter of .

Compiling PHP add --enable-force-cgi-redirect Options ,REDIRECT_STATUS and PHP_ADMIN_VALUE Will take effect

PHP_ADMIN_VALUE
PHP_ADMIN_VALUE Pass additional environment variables for a run pool , Or update PHP The configuration of the value

stay FPM in , You can use different settings to run multiple process pools . These settings can be set individually for each process pool .
You can also pass additional environment variables for a run pool , Or update PHP The configuration of the value .PHP Official documents

We can draw Nginx By making PHP_ADMIN_VALUE Here it is PHP Set up open_basedir Configuration item

OPEN_BASEDIR
open_basedir Role is to PHP The files that can be opened are limited to the specified directory tree , Including the file itself .

When a script tries to use, for example fopen() perhaps gzopen() When opening a file , The location of the file will be checked . When the file is outside the specified directory tree PHP Will refuse to open it . All symbolic connections will be parsed , Therefore, it is impossible to avoid this limitation through symbolic connection .

Actually open_basedir There are some points for attention

open_basedir The specified limit is actually a prefix , It's not a directory name . in other words “open_basedir = /dir/incl” Will also allow access to “/dir/include” and “/dir/incls”, If they exist . If you want to restrict access to only the specified directory , End the pathname with a slash . for example ：“open_basedir = /dir/incl/”

summary
got it fastcgi_param,PHP_ADMIN_VALUE,open_basedir What is it? , You can know that the problem is , Nginx Use in PHP_ADMIN_VALUE Configured with PHP For controlling PHP It can open the directory tree itself open_basedir Options , Want to solve the problem , You can specify the corresponding directory tree or delete this configuration （ Simple and crude ）.

open_basedir php Authorization directory settings

php For security reasons , There is one open_basedir Set up . According to your web Server environment ,open_basedir It can be set in several places .

First stay php.ini Middle configuration .

;open_basedir =

fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/tmp/:/proc/:/you_web_path";　　 If the configuration item is found with a semicolon , indicate php.ini There is no such setting in . It's probably in   php-fpm   Medium fastcgi.conf Configuration of the .php-fpm The configuration in will override php.ini Configuration of .

/you_web_path Is what you want to add to let php Accessible path . Multiple paths are separated by semicolons

If there are multiple projects for the server , Whether in the php.ini perhaps fastcgi.cong Set in , For all projects . Can it be set only for a certain project ？
The answer is yes . You can also use  .user.ini To configure .
.user.ini To configure
First , To make .user.ini take effect , To set up php.ini Medium

user_ini.filename = ".user.ini"

user_ini.cache_ttl = 300

　　 About the significance of these two configurations , Please have a look at php manual  http://php.net/manual/zh/configuration.file.per-user.php

Comment out fastcgi.conf Medium  open_basedir   Configuration of .

In the project root directory establish .user.ini file , Write the following

open_basedir=/tmp/:/proc/:/you_web_path

/you_web_path Is what you want to add to let php Accessible path . Multiple paths are separated by semicolons

Restart it php-fpm The service can be .

In the test, it is also found that the priorities of these three configurations are as follows

“php.ini” > “nginx fastcgi fastcgi_param” > “php-fpm.conf”