nginx、php-fpm 在不同服务器上存在网关错误（安全性也不佳）

这是一个由多部分组成的问题。

首先，我遇到了 502 错误网关，但我确信那只是因为下面的其中一行是错误的。

其次，我很想知道我的“安全方面”表现如何。我明白许多外面的指南给出的建议很糟糕。我试图明智地收集所有指南中的知识，但我是个新手，所以我可能会错过一些东西。安全对我来说真的很重要，所以如果你愿意的话，我很乐意进行一次快速而粗略的“审计” :)

对于我的拓扑，我使用带有 VPC 的 EC2。Amazon Linux AMI。我有一个弹性负载均衡器，它链接到 2 个 nginx 服务器。这些服务器链接到单独的 php-fpm 服务器。

1 当我调试这个时，nginx 服务器被禁用。

这是我收到的错误。我觉得这很奇怪，因为10.0.0.94据我所知，我实际上没有在任何地方使用。我使用的是 *.210 和 *.248。

2013/03/27 14:33:10 [error] 2724#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.94, server: www.example.com, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://10.0.0.210:9001", host: "xxx.us-east-1.elb.amazonaws.com"

编辑：有一件事我忘了提。我认为因为 php-fpm 是一个单独的服务器，所以我读到它上面必须有与 nginx 服务器相同的文件。我还没有设置 rsync 或任何东西……我只是将一个简单的 index.php 文件上传到两者/var/www/html/example.com/index.php作为测试。

服务器 1 和 2 (nginx)

nginx.conf

# Run as a less privileged user for security reasons.
user  www www;

worker_processes  auto;

events {
    worker_connections  1024;
}

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

http {

    server_tokens  off;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    # How long to allow each connection to stay idle; longer values are better
    # for each individual client, particularly for SSL, but means that worker
    # connections are tied up longer. (Default: 65)
    keepalive_timeout  65;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write().
    sendfile        on;

    # Tell Nginx not to send out partial frames; this increases throughput
    # since TCP frames are filled up before being sent out. (adds TCP_CORK)
    tcp_nopush      on;

    # Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which
    # collates several smaller packets together into one larger packet, thus saving
    # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
    tcp_nodelay     off; 

    gzip          on;
    gzip_http_version 1.0;
    gzip_disable      "msie6";
    gzip_comp_level   5;
    gzip_min_length   256;
    gzip_proxied      any;
    gzip_vary         on;
    gzip_types
      # text/html is always compressed by HttpGzipModule
      text/css
      text/plain
      text/x-component
      application/javascript
      application/json
      application/xml
      application/xhtml+xml
      application/x-font-ttf
      application/x-font-opentype
      application/vnd.ms-fontobject
      image/svg+xml
      image/x-icon;

    # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.
    # Note that TLSv1.1 and TLSv1.2 are immune to the beast attack but only work with OpenSSL v1.0.1 and higher and has limited client support.
    ssl_protocols              SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
    # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
    # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
    # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
    ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
    ssl_session_timeout  10m;

    # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
    # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
    # ssl_certificate      /etc/nginx/default_ssl.crt;
    # ssl_certificate_key  /etc/nginx/default_ssl.key;

    upstream php {
        # ip_hash;
        server  10.0.0.210:9001;
    }

    include sites-enabled/*;
}

sites-enabled/example.com

server {
    listen       80;
    server_name  www.example.com;
    root         /var/www/html/example.com;

    index  index.html index.htm index.php;
    charset utf-8;

    error_page 404 /system/404.html;
    error_page 403 /system/404.html;

    location ~ \.php$ {
        fastcgi_index  index.php;
        fastcgi_pass   php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # fastcgi_intercept_errors on;
    }

    include conf/base.conf;
}

server {
    listen      80;
    server_name example.com;
    return 301  $scheme://www.example.com$request_uri;
}

服务器 3 (php-fpm)

php.ini

cgi.fix_pathinfo = 0

php-fpm.conf

;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;


include=/etc/php-fpm.d/*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
pid = /var/run/php-fpm/php-fpm.pid

error_log = /var/log/php-fpm/error.log

emergency_restart_threshold = 5

emergency_restart_interval = 2

/etc/php-fpm.d/www.conf

[www]

listen = 127.0.0.1:9001

listen.allowed_clients = 10.0.0.248

user = www
group = www

pm = dynamic
pm.max_children = 50
pm.start_servers = 15
pm.min_spare_servers = 5
pm.max_spare_servers = 25

request_terminate_timeout = 30
slowlog = /var/log/php-fpm/www-slow.log
security.limit_extensions = .php

php_flag[display_errors] = off
php_admin_value[error_reporting] = 0
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 128M

php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session

这就是我目前得到的全部内容 :| 正在慢慢取得进展... 谢谢！