Secure apache with php
Hello.

I want to secure my Apache/PHP environment without:
- safe_mode
- suphp / suexec

So, I found this: http://mpm-itk.sesse.net/

On this page, we can see that a FreeBSD port exists, but I can't find it. What do you think about it? This tool seems to be good.

Which Apache version do you advise?
- apache13
- apache20
- apache22
- apache22-peruser-mpm

Best regards,

-- Nicolas

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Secure apache with php
On Thu, 9 Jul 2009 13:18:39 +0300, Reko Turja <reko.tu...@liukuma.net> wrote:

> > I want to secure my Apache/PHP environment...
>
> Full suhosin, both patch and mod for the PHP. IIRC suhosin patch is optional in PHP port and the mod can be installed via ports. (http://www.hardened-php.net/suhosin/index.html)
>
> Apache environment and binaries set up in a jail.
>
> > Which Apache version do you advise?
>
> I reckon these days 2.2 would be the best in regards of future upgrades and development.
>
> -Reko

Thanks. I already use suhosin patch in mod_php.

I have few users on this machine, each uses a separate directory (/var/www/user). I do not want to make a jail for each one. That's why mpm-itk seems to be good (instead of safe_mode / open_basedir).

Best regards,

-- Nicolas
Re: Secure apache with php
> I want to secure my Apache/PHP environment...

Full suhosin, both patch and mod for the PHP. IIRC suhosin patch is optional in PHP port and the mod can be installed via ports. (http://www.hardened-php.net/suhosin/index.html)

Apache environment and binaries set up in a jail.

> Which Apache version do you advise?

I reckon these days 2.2 would be the best in regards of future upgrades and development.

-Reko
Re: Secure apache with php
What I do is run PHP in FastCGI mode (with something like x-cache) with a dedicated user for each webapp, for which I have a dedicated script, for example:

=====
jci...@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
(...)
-rwxr-xr-x  1 www-scar    www-scar    202 Oct 27  2008 scar-php-wrapper.fcgi*
-rwxr-xr-x  1 www-lwatch  www-lwatch  202 Apr 24 12:05 sfa-php-wrapper.fcgi*
-rwxr-xr-x  1 www-tapir   www-tapir   202 Oct 27  2008 tapir-php-wrapper.fcgi*
(...)
=====

Each .fcgi contains something like:

=====
jci...@bccm-it ~ % cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
#!/bin/sh
#PHPRC=/path/to/php.ini
#export PHPRC
PHP_FCGI_CHILDREN=3
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=1
export PHP_FCGI_MAX_REQUESTS
exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
=====

You can control how many children have to be fork()ed, the maximum number of requests per process before it gets killed and re-launched (useful if a webapp leaks memory), etc.

Then in your Apache config you put something like:

=====
FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi -host 127.0.0.1:5009 -idle-timeout 1800

<Location /cgi-bin/scar-php-wrapper.fcgi>
    SetHandler fastcgi-script
</Location>

<Directory /usr/local/www/apache22/data/scarmarbin>
    Order allow,deny
    Allow from all
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
</Directory>
=====

Hope it helps,
best regards,
Julien

On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> Thanks. I already use suhosin patch in mod_php.
>
> I have few users on this machine, each uses a separate directory (/var/www/user). I do not want to make a jail for each one. That's why mpm-itk seems to be good (instead of safe_mode / open_basedir).
>
> Best regards,

--
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jci...@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel: 02 650 57 52

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
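A way to script the per-webapp FastCGI setup Julien describes and to check it, as an added example that is not Julien's own code: it writes one wrapper per webapp, prints the matching Apache stanza, and verifies the two properties the isolation rests on, that the wrapper is owned by the app's dedicated user and that nobody else can write it. App names, users, ports and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one php-cgi wrapper per webapp,
# emits the mod_fastcgi stanza for it, and audits wrapper ownership and mode.
# Names, ports and paths are constructed placeholders.

# gen_wrapper APP USER PORT DIR: write DIR/APP-php-wrapper.fcgi, print its path.
# USER is informational here; chown it after creation when running as root.
gen_wrapper() {
    f="$4/$1-php-wrapper.fcgi"
    cat > "$f" <<EOF
#!/bin/sh
# PHP_FCGI_MAX_REQUESTS=1 recycles the php-cgi process after every request
PHP_FCGI_CHILDREN=3; export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=1; export PHP_FCGI_MAX_REQUESTS
exec /usr/local/bin/php-cgi -b 127.0.0.1:$3
EOF
    chmod 0755 "$f" && printf '%s\n' "$f"
}

# gen_conf APP PORT DOCROOT: print the Apache (mod_fastcgi) stanza for APP.
gen_conf() {
    cat <<EOF
FastCgiExternalServer /usr/local/www/apache22/cgi-bin/$1-php-wrapper.fcgi -host 127.0.0.1:$2 -idle-timeout 1800
<Location /cgi-bin/$1-php-wrapper.fcgi>
    SetHandler fastcgi-script
</Location>
<Directory $3>
    Order allow,deny
    Allow from all
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/$1-php-wrapper.fcgi
</Directory>
EOF
}

# check_wrapper FILE UID: 0 if FILE is owned by numeric UID and is not
# group- or world-writable; otherwise print the problem and return 1.
check_wrapper() {
    line=$(ls -ldn "$1") || return 1
    want=$2
    set -- $line
    [ "$3" = "$want" ] || { echo "bad owner uid $3 (want $want)"; return 1; }
    case "$1" in
        ?????w*|????????w*) echo "group/world writable: $1"; return 1 ;;
    esac
}
```

Run the three functions from a shell after sourcing the file; a wrapper that another user can write would let that user run code as the app's user, which is what the mode check catches.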
Re: Secure apache with php
On Thu, 09 Jul 2009 12:49:57 +0200, Julien Cigar <jci...@ulb.ac.be> wrote:

> What I do is run PHP in FastCGI mode (with something like x-cache) with a dedicated user for each webapp, for which I have a dedicated script, for example:
> (...)
> Hope it helps,
> best regards,
> Julien

When I tested php in cgi, performances were bad. That's why php_mod is better (in my case !=

-- Nicolas
Re: Secure apache with php
On Thu, 2009-07-09 at 13:43 +0200, Nicolas Letellier wrote:

> When I tested php in cgi, performances were bad. That's why php_mod is better (in my case !=

It's not CGI, it's FastCGI. There is no performance loss if you use an opcode cacher (like x-cache).

--
Julien Cigar
Belgian Biodiversity Platform
Re: Secure apache with php
On Thu, 09 Jul 2009 14:36:11 +0200, Julien Cigar <jci...@ulb.ac.be> wrote:

> > When I tested php in cgi, performances were bad. That's why php_mod is better (in my case !=
>
> It's not CGI, it's FastCGI. There is no performance loss if you use an opcode cacher (like x-cache).

And does anybody use mpm-itk? I'm more interested in this solution than in another PHP fix (like safe_mode, open_basedir or cgi/fastcgi).

-- Nicolas
Re: Secure apache with php
Just build www/apache22 with WITH_MPM=itk and you'll have it. :)

Then add something like this in each vhost:

<IfModule mpm_itk_module>
    AssignUserId my_user my_group
</IfModule>

Nicolas Letellier wrote:
> And does anybody use mpm-itk? I'm more interested in this solution than in another PHP fix (like safe_mode, open_basedir or cgi/fastcgi).
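An added check for the mpm-itk setup described above (example code, not from the thread): it scans an httpd.conf for vhosts that have no AssignUserId (so they keep running as the server's user), that assign root, or that share a user with another vhost, since any of these undoes the per-user separation. The sample config and hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an mpm-itk httpd.conf so each
# vhost really gets its own uid. The config below is constructed sample input.

SAMPLE_CONF='<VirtualHost *:80>
    ServerName alice.example.test
    <IfModule mpm_itk_module>
        AssignUserId alice alice
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example.test
</VirtualHost>
<VirtualHost *:80>
    ServerName carol.example.test
    <IfModule mpm_itk_module>
        AssignUserId root wheel
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName dave.example.test
    <IfModule mpm_itk_module>
        AssignUserId alice alice
    </IfModule>
</VirtualHost>'

# audit_itk: read a config on stdin, print one finding per line,
# exit 1 if anything was found and 0 if every vhost has a distinct non-root user.
# Usage: printf '%s\n' "$SAMPLE_CONF" | audit_itk   or   audit_itk < httpd.conf
audit_itk() {
    awk '
    /^[[:space:]]*<VirtualHost/        { invh = 1; name = "?"; uid = "" }
    invh && /^[[:space:]]*ServerName/   { name = $2 }
    invh && /^[[:space:]]*AssignUserId/ { uid = $2 }
    /^[[:space:]]*<\/VirtualHost>/ {
        invh = 0
        if (uid == "")          { print name ": no AssignUserId, runs as server user"; bad++ }
        else if (uid == "root") { print name ": AssignUserId root defeats isolation"; bad++ }
        else if (uid in seen)   { print name ": shares user " uid " with " seen[uid]; bad++ }
        else seen[uid] = name
    }
    END { exit bad ? 1 : 0 }'
}
```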
Re: Secure apache with php
Hi,

I'm currently using mpm-itk (on Debian, but should be replaced with FreeBSD soon ;-)). I'm quite happy with the solution as it's easy to set up many user accounts for web without ugly access right stuff and all that. Apache never made a problem after setup :-)

Unfortunately I've never had the time to do further hardening for mpm-itk in particular (only 'standard' Apache/PHP hardening is applied). But as I'm planning to keep this setup and extend the userbase after the move to FreeBSD, I'm curious what your results will be.

Regards,

---
Mr. Olli

On Thu, 2009-07-09 at 16:05 +0200, Nicolas Letellier wrote:
> And does anybody use mpm-itk? I'm more interested in this solution than in another PHP fix (like safe_mode, open_basedir or cgi/fastcgi).