The PHPStatic package is built for better performance; check our benchmarks.

The PHPStatic package is built as a static shared object to reduce dynamic library runtime overhead and attack surface. Static linking also makes the package suitable for most Linux distributions and avoids dependent-library mismatch problems during system upgrades.

$ file /usr/local/bin/php
/usr/local/bin/php: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped

$ readelf -l ./php

Elf file type is DYN (Shared object file)
Entry point 0x37f9a8
There are 7 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000002b48980 0x0000000002b48980  R E    0x200000
  LOAD           0x0000000002b49920 0x0000000002d49920 0x0000000002d49920
                 0x0000000000256b80 0x000000000035ee48  RW     0x200000
  DYNAMIC        0x0000000002d45540 0x0000000002f45540 0x0000000002f45540
                 0x00000000000001d0 0x00000000000001d0  RW     0x8
  TLS            0x0000000002b49920 0x0000000002d49920 0x0000000002d49920
                 0x0000000000000088 0x0000000000005d98  R      0x20
  GNU_EH_FRAME   0x000000000278ccbc 0x000000000278ccbc 0x000000000278ccbc
                 0x0000000000080d5c 0x0000000000080d5c  R      0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x10
  GNU_RELRO      0x0000000002b49920 0x0000000002d49920 0x0000000002d49920
                 0x00000000001fd6e0 0x00000000001fd6e0  R      0x1

 Section to Segment mapping:
  Segment Sections...
   00     .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_d .rela.dyn .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table 
   01     .tdata .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got .data .bss 
   02     .dynamic 
   03     .tdata .tbss 
   04     .eh_frame_hdr 
   05     
   06     .tdata .init_array .fini_array .ctors .dtors .data.rel.ro .dynamic .got 

The PHPStatic package is also built for security: the gcc flags -fstack-clash-protection, -fstack-protector-strong, -Wp,-D_FORTIFY_SOURCE=2, -Wp,-D_GLIBCXX_ASSERTIONS, -fPIE, -Wl,-z,now, -Wl,-z,relro, -Wl,-z,text, -Wl,-z,noexecstack are added to enable address space layout randomization (ASLR), Full RELRO, stack canaries, a non-executable stack, FORTIFY, stack clash protection, and stack overflow protection.

PHPStatic is immune to LD_PRELOAD preload attacks like this.
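The properties claimed above can be read straight from the ELF headers, using the same program-header and dynamic-section fields that the `readelf -l` listing shows. This is an added example, not PHPStatic's own code; `audit_elf` and `build_sample` are hypothetical names and the sample image is constructed.

```python
import struct

EHDR, PHDR, DYN = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 layouts after e_ident
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NEEDED, DT_FLAGS, DT_FLAGS_1 = 1, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, PF_X, ET_DYN = 0x8, 0x1, 0x1, 3

def audit_elf(data: bytes) -> dict:
    """Report the hardening properties visible in an ELF64 image's headers."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 16)
    e_type, e_phoff, phentsize, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    segs = [struct.unpack_from(PHDR, data, e_phoff + i * phentsize)
            for i in range(phnum)]
    flags = {seg[0]: seg[1] for seg in segs}      # p_type -> p_flags
    needed, bind_now = 0, False
    for seg in (s for s in segs if s[0] == PT_DYNAMIC):
        off, filesz = seg[2], seg[5]
        for pos in range(off, off + filesz, 16):  # one Elf64_Dyn per 16 bytes
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == 0:                          # DT_NULL ends the table
                break
            needed += tag == DT_NEEDED
            if (tag, val & DF_BIND_NOW) == (DT_FLAGS, DF_BIND_NOW) or \
               (tag, val & DF_1_NOW) == (DT_FLAGS_1, DF_1_NOW):
                bind_now = True
    relro = PT_GNU_RELRO in flags
    return {
        "pie": e_type == ET_DYN,                  # position-independent image
        "has_interp": PT_INTERP in flags,         # ld.so is what reads LD_PRELOAD
        "needed_libs": needed,                    # 0 for a fully static link
        "nx_stack": PT_GNU_STACK in flags and not flags[PT_GNU_STACK] & PF_X,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
    }

def build_sample(interp: bool, exec_stack: bool, bind_now: bool) -> bytes:
    """Constructed input: a header-only ELF64 image, not a runnable program."""
    dyn = [(DT_NEEDED, 1)] * interp + [(DT_FLAGS, DF_BIND_NOW)] * bind_now + [(0, 0)]
    phdrs = [(PT_GNU_STACK, 6 | PF_X * exec_stack, 0, 0), (PT_GNU_RELRO, 4, 0, 0)]
    phdrs += [(PT_INTERP, 4, 0, 0)] * interp
    phdrs.append((PT_DYNAMIC, 6, 64 + 56 * (len(phdrs) + 1), 16 * len(dyn)))
    out = b"\x7fELF\x02\x01\x01" + bytes(9)
    out += struct.pack(EHDR, ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    out += b"".join(struct.pack(PHDR, t, f, o, o, o, n, n, 8) for t, f, o, n in phdrs)
    return out + b"".join(struct.pack(DYN, *d) for d in dyn)
```

To check an installed binary, pass `open("/usr/local/bin/php", "rb").read()` to `audit_elf`; a result with `has_interp` false and `needed_libs` 0 matches the listing above, which has no INTERP segment.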

The Linux package requires a CPU with AVX support.

The macOS package requires a CPU >= Sandy Bridge (2011) and OS >= 10.13 (High Sierra); it also works in a VM with a Penryn (+aes, +avx) CPU.

The macOS >= 10.9 (Mavericks) package is no longer supported; you can download the old Mac OS X packages for development only.

Debian, Ubuntu

This works with systemd; for old Debian/Ubuntu releases, please try Docker or https://phpstatic.com/linux/

echo deb http://phpstatic.com/debian/ / > /etc/apt/sources.list.d/phpstatic.list
apt-get install gnupg curl sudo
curl -L https://phpstatic.com/repo.gpg | sudo apt-key add -
# for debian 11
curl -L https://phpstatic.com/repo.gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/phpstatic.gpg add -
apt-get update
apt-get install php-static-7.4 nginx-static
/etc/init.d/php-fpm status

CentOS/Fedora/Red Hat/SUSE

This works with systemd; for old Red Hat/CentOS releases, please try Docker or https://phpstatic.com/linux/

curl -L https://phpstatic.com/centos/phpstatic.repo -o /etc/yum.repos.d/phpstatic.repo
yum update
yum install php-static-7.4 nginx-static -y 
systemctl status php-fpm

Alpine

curl -o /etc/apk/keys/phpstatic.com-5e2a99b5.rsa.pub -L https://phpstatic.com/alpine/phpstatic.com-5e2a99b5.rsa.pub
echo http://phpstatic.com/alpine >> /etc/apk/repositories
apk update
apk add php-static-7.4 nginx-static 
/etc/init.d/php-fpm status

Other Linux

curl -O https://phpstatic.com/php-static-7.4-latest-linux-x64.tar.gz
curl -O https://phpstatic.com/nginx-static-latest-linux-x64.tar.gz
tar xvf php-static-* -C /
tar xvf nginx-static-* -C /

/usr/local/bin/php-fpm
killall php-fpm

/usr/sbin/nginx
/usr/sbin/nginx -s stop

macOS

curl -O https://phpstatic.com/php-static-7.4-latest-osx-x64.tar.gz
tar xvf php-static-* -C /
otool -L /usr/local/bin/php
/usr/local/bin/php:
	/usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1455.12.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)

Run this in your project directory:

docker pull phpstatic/php:7.4.15
docker run --name php74 -itd -v $(pwd):/app --mount source=php74_etc,target=/usr/local/etc/php phpstatic/php:7.4.15
docker logs php74
docker volume inspect php74_etc
docker exec -i -t php74 composer install
docker exec -i -t php74 ash

Windows

Try Docker or https://docs.microsoft.com/en-us/windows/wsl/install-win10

BSD

Not ready yet; try Docker.

xdebug, taint, tideways_xhprof, SPX, SeasLog, wasm, ast, componere, and xattr are disabled by default; to enable them, add disable_extensions=none to php.ini.

xdebug conflicts with taint; remember to enable only one of them.

[PHP Modules]
amqp
apcu
ast
base58
bcmath
brotli
bz2
calendar
componere
Core
ctype
curl
date
dom
ds
elastic_apm
event
exif
fileinfo
filter
ftp
gd
gearman
gettext
gmp
grpc
hash
hoedown
iconv
igbinary
imap
intl
ip2region
jchash
jq
jsmin
json
json_post
jwt
libxml
lz4
mbstring
memcached
mongodb
msgpack
mysqli
mysqlnd
newrelic
OAuth
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
phalcon
Phar
pinpoint_php
posix
protobuf
pspell
psr
rar
rdkafka
readline
redis
Reflection
sass
SeasLog
session
shmop
SimpleXML
skywalking
snappy
soap
sockets
sodium
solr
SPL
SPX
sqlite3
ssh2
standard
swoole
sysvmsg
sysvsem
sysvshm
tideways_xhprof
tidy
tokenizer
trie_filter
xattr
xdebug
xlswriter
xml
xmlreader
xmlwriter
xsl
xxhash
yaconf
yaml
yar
Zend OPcache
zip
zlib
zmq
zstd

[Zend Modules]
Xdebug
Zend OPcache

swoole_orm and wasm have been removed since 2021/03/08.

nginx -V

nginx 1.18.0 is built with http3, njs (0.6.1), io_uring, and ssl_stapling + BoringSSL support (the only solution that supports multiple domains without a cron job).

nginx is built with ModSecurity (https://github.com/SpiderLabs/ModSecurity-nginx) support. (Removed until owasp-modsecurity/ModSecurity-nginx#174 gets fixed!)

Built with -flto=full.

nginx-uring requires kernel >= 5.1 and AVX2.

nginx version: nginx/1.18.0 (nginx)
built by gcc version 10.3.0
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments:--conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --without-select_module --with-poll_module --with-file-aio --with-threads --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_stub_status_module --with-http_slice_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-pcre --with-pcre-jit --with-zlib --with-zlib-asm=pentiumpro --with-libatomic --with-http_addition_module --without-http_uwsgi_module --with-mail --with-mail_ssl_module --with-http_mp4_module --with-http_flv_module --add-module=devel_kit --add-module=brotli --add-module=zstd --add-module=substitutions_filter --add-module=headers-more --add-module=h264_streaming --add-module=vod --add-module=secure-token --add-module=flv --add-module=dynamic_limit_req --add-module=slice --add-module=njs/nginx --add-module=vts --with-http_geoip_module --with-stream_geoip_module --add-module=geoip2 --add-module=ipip --add-module=waf --add-module=security_headers --add-module=tcp-keepalive --add-module=websockify --with-http_v3_module --with-openssl --with-quiche

nginx-openssl is built without http3 (version is 1.21.0).

nginx version: nginx/1.21.0 (nginx)
built by gcc version 10.3.0
built with OpenSSL 1.1.1k  16 Feb 2021
TLS SNI support enabled
configure arguments:--conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=www-data --group=www-data --without-select_module --with-poll_module --with-file-aio --with-threads --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_stub_status_module --with-http_slice_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_secure_link_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-pcre --with-pcre-jit --with-zlib --with-zlib-asm=pentiumpro --with-libatomic --with-http_addition_module --without-http_uwsgi_module --with-mail --with-mail_ssl_module --with-http_mp4_module --with-http_flv_module --add-module=devel_kit --add-module=brotli --add-module=zstd --add-module=substitutions_filter --add-module=headers-more --add-module=h264_streaming --add-module=vod --add-module=secure-token --add-module=flv --add-module=dynamic_limit_req --add-module=slice --add-module=njs/nginx --add-module=vts --with-http_geoip_module --with-stream_geoip_module --add-module=geoip2 --add-module=ipip --add-module=waf --add-module=security_headers --add-module=tcp-keepalive --add-module=websockify --with-openssl --with-http_v2_hpack_enc