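I am running an e-commerce/LMS WordPress website on a server with a 2-core CPU, 4G RAM, 4G swap and 100G of disk space, managed with CentOS Web Panel.
Today, after receiving several HTTP 502 reports from clients, I suddenly noticed 14 php files being executed, 2 of them on index.php (nginx) and 12 on my wordfence wflogs php files (php-fpm), using this command:
watch -n1 "lsof | grep '\.php'"
After restarting the nginx and php-fpm servers, the executed php files disappear, but within 2 minutes of reconnecting to the website the problem comes back.
Investigating further: I had a custom php-fpm74 php.ini and nginx.conf, so I deleted them and reinstalled. The problem still persists.
After every restart, on the first few refreshes I can see all the php files being executed and then removed, but after a few more refreshes I get a list of open php files that looks like this: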
nginx 1893 nobody 38r REG 253,2 405 7357 /home/azc/public_html/index.php
nginx 1893 nobody 42r REG 253,2 5543 93120 /home/azc/public_html/wp-cron.php
nginx 1894 nobody 38r REG 253,2 405 7357 /home/azc/public_html/index.php
php-fpm 2784 azc 6u REG 253,2 51 98078 /home/azc/public_html/wp-content/wflogs/ips.php
php-fpm 2784 azc 7u REG 253,2 560 58362 /home/azc/public_html/wp-content/wflogs/config.php
php-fpm 2784 azc 8u REG 253,2 40083 99496 /home/azc/public_html/wp-content/wflogs/attack-data.php
php-fpm 2784 azc 9u REG 253,2 16502 29005 /home/azc/public_html/wp-content/wflogs/config-synced.php
php-fpm 2784 azc 10u REG 253,2 5656 100459 /home/azc/public_html/wp-content/wflogs/config-livewaf.php
php-fpm 2784 azc 11u REG 253,2 1402945 99209 /home/azc/public_html/wp-content/wflogs/config-transient.php
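If I reload my website with ctrl+shift+R many times, many of them are not closed, and then the server starts returning 502. I have installed Apache and PHP-CGI, but unfortunately I could not get the website to run, so I decided to focus on this problem.
Service versions: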
- Centos 7
- Nginx 1.22.1
- PHP-FPM 7.4.32
- WordPress 6.1.1
- Wordfence plugin 7.8
Site azc-fpm configuration
[azc]
listen = /opt/alt/php-fpm74/usr/var/sockets/azc.sock
listen.allowed_clients = 127.0.0.1
;listen.owner = "azc"
listen.group = "nobody"
listen.mode = 0660
user = "azc"
group = "azc"
request_slowlog_timeout = 15s
slowlog = /opt/alt/php-fpm74/usr/var/log/php-fpm-slowlog-azc.log
pm = ondemand
pm.max_children = 4
pm.max_requests = 4000
pm.process_idle_timeout = 15s
;listen.backlog = -1
;request_terminate_timeout = 0s
rlimit_files = 131072
rlimit_core = unlimited
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[TMP] = /home/azc/tmp
env[TMPDIR] = /home/azc/tmp
env[TEMP] = /home/azc/tmp
env[PATH] = /usr/local/bin:/usr/bin:/bin
php-fpm.conf itself (since I am running CentOS Web Panel, it is its cwpsvc.conf)
[cwpsvc]
listen = /opt/alt/php-fpm74/usr/var/sockets/cwpsvc.sock
listen.owner = cwpsvc
listen.group = cwpsvc
listen.mode = 0640
user = cwpsvc
group = cwpsvc
;request_slowlog_timeout = 5s
;slowlog = /opt/alt/php-fpm74/usr/var/log/php-fpm-slowlog-cwpsvc.log
listen.allowed_clients = 127.0.0.1
pm = ondemand
pm.max_children = 25
pm.process_idle_timeout = 15s
;listen.backlog = -1
request_terminate_timeout = 0s
rlimit_files = 131073
rlimit_core = unlimited
catch_workers_output = yes
env[HOSTNAME] = $HOSTNAME
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Website Nginx configuration
server {
listen x.x.x.x:443 ssl ;
server_name azc.com www.azc.com;
root /home/azc/public_html;
index index.php index.html index.htm;
access_log /usr/local/apache/domlogs/azc.com.bytes bytes;
access_log /usr/local/apache/domlogs/azc.com.log combined;
error_log /usr/local/apache/domlogs/azc.com.error.log error;
ssl_certificate /etc/pki/tls/certs/azc.com.bundle;
ssl_certificate_key /etc/pki/tls/private/azc.com.key;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eN$
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
location / {
try_files $uri $uri/ /index.php?$args;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
expires max;
}
location ~ [^/]\.php(/|$) {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass unix:/opt/alt/php-fpm74/usr/var/sockets/azc.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
location ~* "/\.(htaccess|htpasswd)$" {deny all;return 404;}
disable_symlinks if_not_owner from=/home/azc/public_html;
location /.well-known/acme-challenge {
default_type "text/plain";
alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}
location /.well-known/pki-validation {
default_type "text/plain";
alias /usr/local/apache/autossl_tmp/.well-known/acme-challenge;
}
}
Website PHP-FPM slowlog
[29-Nov-2022 09:12:23] [pool azc] pid 20575
script_filename = /home/azc/public_html/wp-admin/admin-ajax.php
[0x00007f856ca13df0] curl_exec() /home/azc/public_html/wp-includes/class-requests.php:381
[0x00007f856ca13870] request() /home/azc/public_html/wp-includes/class-wp-http.php:395
[0x00007f856ca136e0] request() /home/azc/public_html/wp-includes/class-wp-http.php:633
[0x00007f856ca13640] get() /home/azc/public_html/wp-includes/http.php:162
[0x00007f856ca135b0] wp_remote_get() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/AbstractProcess.php:202
[0x00007f856ca13510] preload() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/AbstractProcess.php:159
[0x00007f856ca13480] maybe_preload() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/PartialProcess.php:41
[0x00007f856ca13420] task() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/classes/dependencies/wp-media/background-processing/wp-background-process.php:315
[0x00007f856ca13370] handle() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/classes/dependencies/wp-media/background-processing/wp-background-process.php:$
[0x00007f856ca13300] maybe_handle() /home/azc/public_html/wp-includes/class-wp-hook.php:308
[0x00007f856ca13220] apply_filters() /home/azc/public_html/wp-includes/class-wp-hook.php:332
[0x00007f856ca131b0] do_action() /home/azc/public_html/wp-includes/plugin.php:517
[0x00007f856ca130d0] do_action() /home/azc/public_html/wp-admin/admin-ajax.php:203
Thank you for your help
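A way to read slowlog output like the trace above at scale, as an added example that is not part of the original post: it groups PHP-FPM slowlog traces by the call the worker was stuck in and the first plugin found on the stack. The sample log is constructed in the layout shown in the post, and `example-plugin` is a made-up name.

```python
import re
from collections import Counter

# Constructed sample in the post's slowlog layout; "example-plugin" is made up.
SAMPLE = """\
[29-Nov-2022 09:12:23] [pool azc] pid 20575
script_filename = /home/azc/public_html/wp-admin/admin-ajax.php
[0x00007f856ca13df0] curl_exec() /home/azc/public_html/wp-includes/class-requests.php:381
[0x00007f856ca135b0] wp_remote_get() /home/azc/public_html/wp-content/plugins/wp-rocket/inc/Engine/Preload/AbstractProcess.php:202
[0x00007f856ca130d0] do_action() /home/azc/public_html/wp-admin/admin-ajax.php:203

[29-Nov-2022 09:12:41] [pool azc] pid 20580
script_filename = /home/azc/public_html/index.php
[0x00007f856ca13df0] flock() /home/azc/public_html/wp-content/plugins/example-plugin/storage.php:77
[0x00007f856ca130d0] include() /home/azc/public_html/index.php:17
"""

HEADER = re.compile(r"^\[[^\]]+\]\s+\[pool (?P<pool>[^\]]+)\]\s+pid (?P<pid>\d+)")
# The line number is optional so frames cut off by the terminal still parse.
FRAME = re.compile(r"^\[0x[0-9a-fA-F]+\]\s+(?P<func>\S+?)\(\)\s+(?P<file>\S+?)(?::\S*)?$")
PLUGIN = re.compile(r"/wp-content/plugins/([^/]+)/")

def parse_slowlog(text):
    """Return one dict per trace; frames are (function, file), innermost first."""
    traces, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"pool": m["pool"], "pid": int(m["pid"]), "script": None, "frames": []}
            traces.append(cur)
        elif cur is not None and line.startswith("script_filename = "):
            cur["script"] = line.split(" = ", 1)[1]
        elif cur is not None and (f := FRAME.match(line)):
            cur["frames"].append((f["func"], f["file"]))
    return traces

def blame(trace):
    """Pair the call the worker was stuck in with the first plugin on the stack."""
    blocking = trace["frames"][0][0] if trace["frames"] else "?"
    for _, path in trace["frames"]:
        if (m := PLUGIN.search(path)):
            return blocking, m[1]
    return blocking, "(core/theme)"

def summarize(text):
    return Counter(blame(t) for t in parse_slowlog(text))

if __name__ == "__main__":
    for (call, plugin), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {call:<12} {plugin}")
```

To use it on a real log, pass the contents of the file named by the pool's `slowlog` setting to `summarize()` instead of `SAMPLE`.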