Il 12/09/2012 17:52, Tommy Pham ha scritto:
On Wed, Sep 12, 2012 at 7:18 AM, Tonix (Antonio Nati)
<> wrote:
Il 12/09/2012 16:08, Tommy Pham ha scritto:

On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati)
<> wrote:
Is there a way to force a PHP script to bind to a prefixed IP?

Actually, while you can assign more IPs to Apache for listening,
domains to specific IPs, it looks like any PHP script can freely choose
which IP to bind. Instead I'd love some domains are permitted to open
connections only from the domain IP.

In FreeBSD I do it easily, setting up dedicated jails for domains. But
to do it simply using PHP on Linux?



          Inter@zioni            Interazioni di Antonio Nati

1) Use Listen in Apache
2) Use VM such as KVM, VMWare, etc.
3) Make an array containing permissible domains.  Check the
$_SERVER['SERVER_NAME'] if exists in that array.  React/respond

1) is only for listening.
2) means a VPS for each domain, which we already do with vmware and FreeBSD
jails, but it is too expensive for some customers.
3) means I'm writing the script, which is not the standard situation.

You must suppose the script to be written from a malicious user in a shared

Is PHP able to 'force' binding IP? I hoped there was an external directive I
did not see, but probably this is a PHP lack.



         Inter@zioni            Interazioni di Antonio Nati

2) Previously you've mentioned that you were able to do that in
FreeBSD jails.  IIRC, the jails are similar to VMs in regards to
isolating of environment and dedicated IP for that environment.  It
seems that you want something that is equivalent of jails and VM but
not actual VM/jails.  Are you referring to 1 application with one
installed point but is used in multiple virtual domains and expect the
application to act/respond accordingly to the requests for each
virtual domain?

Yes, I'm thinking of a low cost shared WEB hosting for people which has limited needs and don't want to spend more for a VM or a jail.

In this environment, a well tailored su-exec, with different UID and group for each user, makes an excellent job for protecting disk areas, so the unique point which remains uncovered is to limit network access:

 * if you have internal interfaces in the same machine where you have
   public IPs, a web PHP application could try to use the internal
   address of the interface, exploring internal network (we avoid that
   thanks to jails).
 * if apache listens on a specific  IP for a single domain, and listens
   on other IPs for others domains, it would be safe if each domain can
   use as source IP only the listening IP associated.

In our specific case, we always use jails, so each apache is always within a jail and cannot explore other interfaces. When customers ask for dedicated IP, we setup another jail, but that means also one apache server for each domain, and it is justified only for big websites.

So, it would be nice if it could exist something which could force a specific source IP or could force to use the listening IP (or both options), on any network binding operation. Of course a script could use external commands (like ping ot telnet) and escape this check, so we don't have complete security, unless we disable any network tool... but it would be a good start.



        Inter@zioni            Interazioni di Antonio Nati

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to