
[docker]搭建一个本地代码审计环境(docker-compose——nginx + php5 + mysql)

2018-11-13  本文已影响11人  ckj123

搭建一个本地代码审计环境(docker-compose——nginx + php5 + mysql)

看到最新Xiaocms爆了CVE,想审计一波
所以打算用docker-compose搭一个本地的平台
分享一下我是怎么搭建的
nginx + php5 + mysql(其实一开始搭了7.2的,Xiaocms不支持php7。)

目录结构

.
├── app
│   └── info.php
├── files
│   ├── docker-compose.yml
│   ├── nginx
│   │   ├── conf.d
│   │   │   └── default.conf
│   │   ├── dockerfile
│   │   └── nginx.conf
│   └── php
│       ├── dockerfile
│       ├── php-dev.ini
│       ├── php-fpm.conf
│       ├── php.ini
│       └── pkg # 这里可以放自己想多加的拓展,我放了redis
│           └── redis.tgz
└── logs
    ├── nginx
    │   └── error.log
    └── php

docker-compose.yml

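version: '3'
services:
  php-fpm:
    build:
      context: ./php
      # The tree ships a lowercase "dockerfile"; naming it explicitly keeps the
      # build working on case-sensitive filesystems, not only on macOS/Windows.
      dockerfile: dockerfile
    container_name: php-fpm  # container name
    depends_on:
      - db  # the application talks to MySQL, so start the database first
    # FastCGI is consumed only by nginx over the compose network; "expose" makes
    # it reachable container-to-container without publishing it on a host port.
    expose:
      - "9000"
    volumes:
      - ../../shenji/XiaoCms:/data/www:rw  # code under audit; change the left-hand path to audit another tree
      - ./php/php.ini:/usr/local/etc/php/php.ini:ro  # current php config; copy and edit php.ini for the settings you want
      - ./php/php-fpm.conf:/usr/local/etc/php-fpm.conf:ro  # php-fpm pool config
      - ../logs/php:/var/log/php-fpm:rw  # logs are written to the host directory on the left
    restart: always  # restart automatically after a stop
    hostname: "php-fpm"  # nginx's fastcgi_pass points at this name
    working_dir: /app/php  # working directory
  nginx:
    build:
      context: ./nginx
      dockerfile: dockerfile  # same lowercase file name as the php image
    container_name: nginx
    # Compose v3 resolves service names on the default network, so the legacy
    # "links" list is not needed for nginx to reach php-fpm.
    depends_on:
      - php-fpm
    volumes:
      - ../../shenji/XiaoCms:/data/www:rw
      - ./nginx/conf.d:/etc/nginx/conf.d:ro  # the site config written below
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ../logs/nginx:/var/log/nginx:rw
    # Only the port nginx actually listens on is published, and only on the
    # loopback interface: this stack runs a CMS with known CVEs, so it should
    # not be reachable from the LAN. Drop the "127.0.0.1:" prefix if your Docker
    # daemon runs inside a VM and you need to reach it through the VM's address.
    # The original "443" mapping had no TLS listener behind it and was dead.
    ports:
      - "127.0.0.1:8080:8080"
    restart: always
    command: nginx -g 'daemon off;'
  db:
    image: daocloud.io/library/mysql:5.7.4
    restart: always
    # MySQL is reachable only from the other containers; nothing is published
    # on the host.
    expose:
      - "3306"
    environment:
      - MYSQL_ROOT_PASSWORD=root  # root password; throwaway lab value, never reuse outside this stack
      - MYSQL_DATABASE=test  # database created on first start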
   

php-fpm

dockerfile

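# Base image; any php-fpm tag can be substituted here.
# NOTE: a trailing "# comment" on the FROM line is not a comment for Docker —
# it is passed as extra arguments and fails the build, so comments live on
# their own line. php 5.6 and Debian jessie are both end-of-life: keep this
# image inside the isolated audit stack and do not reuse it elsewhere.
FROM php:5.6.38-fpm-jessie
LABEL maintainer="ckj123"

# Set timezone
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# Build dependencies and the PHP extensions the CMS needs, in a single layer.
# All extensions are built by one docker-php-ext-install call, and the apt
# lists are removed in the same layer so they do not remain in the image.
RUN apt-get update && apt-get install -y \
        cron \
        git \
        zlib1g-dev \
        libfreetype6-dev \
        libjpeg62-turbo-dev \
        libpng-dev \
        libsasl2-dev \
        libmemcached-dev \
        curl \
    && docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd zip pdo_mysql opcache mysqli mysql \
    && rm -r /var/lib/apt/lists/*

# Install the PECL redis extension from the locally vendored tarball (pkg/).
# The tarball is deleted in the same RUN as the install; note that it still
# exists in the COPY layer, which is acceptable for a lab image.
COPY ./pkg/redis.tgz /home/redis.tgz
RUN pecl install /home/redis.tgz \
    && echo "extension=redis.so" > /usr/local/etc/php/conf.d/redis.ini \
    && rm -f /home/redis.tgz

# Install Composer.
# The installer is piped straight from the network into php. For anything
# beyond a throwaway lab, download it to a file first and compare its SHA-384
# with the value published on getcomposer.org before running it.
ENV COMPOSER_HOME /root/composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
ENV PATH $COMPOSER_HOME/vendor/bin:$PATH

WORKDIR /app
# Write permission: give www-data uid 1000 so it matches the host user that
# owns the bind-mounted code and can write to it (uploads, caches, logs).
RUN usermod -u 1000 www-data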

php-fpm.conf

php的配置文件

[global]
; Stay in the foreground so php-fpm is the container's main process.
daemonize = no

[www]
; Workers run as www-data (remapped to uid 1000 in the Dockerfile so it can
; write to the bind-mounted code tree).
user = www-data
group = www-data

; Listen on all interfaces on port 9000; nginx connects to php-fpm:9000.
; NOTE(review): "[::]" is the IPv6 wildcard — on Linux it usually accepts IPv4
; as well, verify if IPv4 connections from nginx are refused.
listen = [::]:9000

; Process manager: dynamic pool sized by the pm.* values below.
pm = dynamic
;pm = static
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 30

; Pass the container's environment through to PHP (getenv/$_ENV) instead of
; clearing it. Anything set via docker-compose "environment" becomes visible
; to every script; fine for this lab, but it is an information-exposure path.
clear_env = no


rlimit_files = 1048576
;request_terminate_timeout = 0
;request_slowlog_timeout = 1
;slowlog = /data/log/php/php-slow.log

; Per-request access log line: time, method + URI, status, duration, memory, CPU.
access.format = "%t \"%m %r%Q%q\" %s %{mili}dms %{kilo}Mkb %C%%"
; Send worker stdout/stderr to the master error log so it reaches the container logs.
catch_workers_output = yes

; Render PHP errors (including file paths) in responses — useful while
; auditing, but this is a disclosure setting and must stay off in production.
php_flag[display_errors] = on
;php_admin_flag[log_errors] = true
php_admin_value[date.timezone] = "Asia/Shanghai"

nginx

dockerfile

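# Base image. 1.13 works as well (the author only noticed while writing this
# up that 1.9 was in use). The comment sits on its own line: a trailing
# "# ..." after FROM is passed to Docker as extra arguments and fails the build.
FROM nginx:1.9
LABEL maintainer="ckj123"

# Set timezone
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone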

nginx.conf

因为我把很多路径都改了,所以把完整的 nginx.conf 贴在下面

# Worker processes run as nginx; one worker is plenty for a single-user lab.
user  nginx;
worker_processes  1;

# Error log goes to the bind-mounted ../logs/nginx directory on the host.
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset UTF-8; 

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    keepalive_timeout 10;

    # Short client/server timeouts keep slow or stalled connections from
    # tying up the single worker.
    send_timeout 10; 
    server_name_in_redirect off;
    server_names_hash_bucket_size 64;
    types_hash_max_size 2048;
    client_header_timeout 10; 
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Uploads of up to 100m are accepted; lower this if the CMS under audit
    # does not need large uploads.
    client_max_body_size 100m;
    client_body_timeout 10; 
    client_body_buffer_size 10m;
    reset_timedout_connection on; 
    

    # log setting
    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
             '$status $body_bytes_sent "$http_referer" '
             '"$http_user_agent" "$http_x_forwarded_for"';

    # Access logging is disabled. While auditing it is often useful to have a
    # record of every request exercised — uncomment the line above and remove
    # "access_log off;" to get one in ../logs/nginx on the host.
    # access_log /var/log/nginx/access.log main;
    access_log off;
    error_log /var/log/nginx/error.log warn;


    fastcgi_buffers 256 16k; 
    fastcgi_buffer_size 128k; 
    fastcgi_connect_timeout 3s; 
    fastcgi_send_timeout 120s; 
    fastcgi_read_timeout 120s; 
    fastcgi_busy_buffers_size 256k; 
    fastcgi_temp_file_write_size 256k; 
    # Strip PHP's version banner from upstream responses.
    fastcgi_hide_header X-Powered-By;


    # Gzip Compression
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_proxied any;
    gzip_min_length 1000;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.0;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary on;


    open_file_cache max=10000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;


    # Site definitions (the default.conf below) are bind-mounted into conf.d.
    include /etc/nginx/conf.d/*.conf;
}

conf.d

default.conf

端口监听的配置文件

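# One server block serves both ports: 80 inside the container and 8080, which
# docker-compose publishes on the host. The original file had two identical
# copies of the block, one per port.
server {
    listen   80 default_server;
    listen   8080 default_server;
    server_name localhost docker;

    root /data/www;
    index index.php index.html index.htm;

    location / {
        # Front-controller routing: a request for something that is not an
        # existing file or directory is handed to index.php with the original
        # path in the query string.
        rewrite ^/index\.php$ - last;
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?/$1 last;
        }
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root /data/www;
    }

    # A single, anchored PHP location. The original declared "location ~ \.php"
    # (no "$") ahead of "location ~ \.php$"; nginx uses the first regex location
    # that matches, so the unanchored block always won and the anchored one,
    # with its try_files guard, was dead. An unanchored "\.php" also matches
    # URIs such as /uploads/x.jpg/y.php and, together with cgi.fix_pathinfo,
    # can get a non-PHP upload executed by php-fpm — the well-known
    # nginx/php-fpm misconfiguration.
    location ~ \.php$ {
        # Refuse scripts that do not exist on disk instead of forwarding the
        # path to php-fpm. It must be "=404" without a space: "= 404" makes
        # nginx probe a file named "=" and then redirect to the URI "404".
        try_files $uri =404;
        include        fastcgi_params;
        # "php-fpm" is the hostname of the php-fpm service in docker-compose.yml
        fastcgi_pass   php-fpm:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
}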

结果

docker-compose up一下,等所有的下载完成之后就可以在本地的8080端口访问了

安装XiaoCms
ok,完成了可以代码审计了嘻嘻嘻嘻