What I do is running PHP in FastCGI mode (with something like x-cache) with a dedicated user for each webapp for which I have a dedicated script, for example :
========= jci...@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin (...) -rwxr-xr-x 1 www-scar www-scar 202 Oct 27 2008 scar-php-wrapper.fcgi* -rwxr-xr-x 1 www-lwatch www-lwatch 202 Apr 24 12:05 sfa-php-wrapper.fcgi* -rwxr-xr-x 1 www-tapir www-tapir 202 Oct 27 2008 tapir-php-wrapper.fcgi* (...) ========= each .fcgi contain something like : ========= jci...@bccm-it ~ % cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi #!/bin/sh #PHPRC="/path/to/php.ini" #export PHPRC PHP_FCGI_CHILDREN=3 export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS=10000 export PHP_FCGI_MAX_REQUESTS exec /usr/local/bin/php-cgi -b 127.0.0.1:5009 ========= you can control how much children have to be fork(), the number of maximum requests per process before it gets killed and re-launched (usefull if a webapp leaks memory), etc Then in your Apache config you put something like : ========= FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi -host 127.0.0.1:5009 -idle-timeout 1800 <Location /cgi-bin/scar-php-wrapper.fcgi> SetHandler fastcgi-script </Location> <Directory /usr/local/www/apache22/data/scarmarbin> Order allow,deny Allow from all AddHandler php-fastcgi .php Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi </Directory> ========= hope it helps, best regards, Julien On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote: > Le Thu, 9 Jul 2009 13:18:39 +0300, > "Reko Turja" <reko.tu...@liukuma.net> a écrit : > > > > I want to secure my Apache/PHP environment... > > > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch is > > optional in PHP port and the mod can be installed via ports. > > (http://www.hardened-php.net/suhosin/index.html) > > > > Apache environment and binaries set up in a jail. > > > > > Which Apache version do you advice? > > > > I reckon these days 2.2 would be the best in regards of future > > upgrades and development. > > > > -Reko > > > Thanks. I already use suhosin patch in mod_php. > > I have few users on this machine, each use a separate directory > (/var/www/user). I do not want to make a jail for each one. > > That's why mpm-itk seems to be good (instead of safe_mode / > open_basedir). > > Best regards, > > > -- Julien Cigar Belgian Biodiversity Platform http://www.biodiversity.be Université Libre de Bruxelles (ULB) Campus de la Plaine CP 257 Bâtiment NO, Bureau 4 N4 115C (Niveau 4) Boulevard du Triomphe, entrée ULB 2 B-1050 Bruxelles Mail: jci...@ulb.ac.be @biobel: http://biobel.biodiversity.be/person/show/471 Tel : 02 650 57 52 No trees were killed in the creation of this message. However, many electrons were terribly inconvenienced. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"