Question

我正在将 docker 与 ngnix、php 和 mysql 一起使用。我也在使用 api 平台版本 2.6.4。当服务器什么都不做，然后当我向端点发出请求时，它会返回正常响应，但也会返回请求正文中的json。我试图调试这个，但这不是来自代码，它似乎是 ngnix 形式，或者我不知道。但这发生在服务器空闲一段时间后，没有发送请求，但是当我发送请求时，响应也有请求的正文。但这也不适用于所有请求，有时没有请求正文的响应是好的。例如，我使用 body

向登录端点发送 post 请求

{
    "email": "test@test.eu",
    "password": "password"
}

并得到回复：

{
        "email": "test@test.eu",
        "password": "password"
    }{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}

这是错误的，有时我会得到正常的响应，例如：

{"token":"eyJ0eXAiOiOtS4wxOtXAdA..."}

这是我的 conf 文件。

[mysql]
extension = pdo_mysql

[intl]
extension = intl

[apcu]
extension = apcu

[sodium]
extension = sodium

[zip]
extension = zip

[php]
apc.enable_cli = 1
date.timezone = Europe/Bratislava
session.auto_start = Off
short_open_tag = Off
expose_php = Off
realpath_cache_size = 4096K
realpath_cache_ttl = 600

[opcache]
zend_extension = opcache

opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 20000
opcache.memory_consumption = 256
opcache.validate_timestamps = 0
opcache.preload_user=www-data
opcache.preload=/var/www/config/preload.php

user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;

    sendfile off;
    keepalive_timeout 65;

    gzip on;
    gzip_types text/html application/xml application/ld+json application/json ;

    server {
        server_name localhost;
        root /var/www/public;
    
        location / {
            # try to serve file directly, fallback to app.php
            try_files $uri /index.php$is_args$args;
        }
    
        location ~ ^/index\.php(/|$) {
            # optionally set the value of the environment variables used in the application
            # fastcgi_param APP_ENV prod;
    
            # When you are using symlinks to link the document root to the current version of your application, you should
            # pass the real application path instead of the path to the symlink to PHP FPM. Otherwise, PHP's OPcache may
            # not properly detect changes to your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126).
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
    
            # Bigger buffer size to handle cache invalidation headers expansion
            fastcgi_buffer_size 32k;
            fastcgi_buffers 8 16k;
    
            # Sets the address of a FastCGI server. The address can be specified as a domain name or IP address, and a port
            fastcgi_pass php:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
    
            internal;
       }
    
        # return 404 for all other php files not matching the front controller
        # this prevents access to other php files you don't want to be accessible.
        location ~ \.php$ {
            return 404;
        }
    }

}

这适用于所有 PATCH、POST 端点。有没有人遇到过这种行为。我也尝试禁用 opcache 和 apcu 但它没有帮助。

谢谢

Answer 1

问题出在我的 php 容器配置中，我确实打开了端口 9000 (-p 9000:9000)。因此，任何人都可以在此请求“POST /usr/local/lib/php/PEAR.php 200”后进行攻击，服务器开始执行此操作。在修复此配置并重新安装容器后，一切都很好。关闭

请求中的正文作为响应返回

1 个答案: