Re: [PHP] Re: How to limit source IP in PHP

2012-09-18 Thread Tonix (Antonio Nati)

On 18/09/2012 16:24, Daniel Brown wrote:

On Tue, Sep 18, 2012 at 9:15 AM, Ian php_l...@fishnet.co.uk wrote:

Hi Curtis,

I am suffering from sleep deprivation due to a new family addition and I
fail to see how your code will prevent a malicious user from binding to
an IP that I do not want him to.  It appears to be an example of how to
bind to an IP, not how to prevent it.

Could you please explain?

 Congrats on the new little one, Ian, and if you don't already
know, you're in for a long ride of sleepless nights.  Get used to it.

 That aside, please start a new thread if you'd like to discuss
that in greater detail, as it will go off-topic from and out of scope
of the originally-posted question.  Others subscribed to the thread
may not want to be bothered with the discussion, while others who are
ignoring the thread (thinking it's a long, drawn-out,
beating-a-dead-horse discussion) may never see a valuable discussion
take place.



Please, continue in this thread.

I also do not see how your suggestion can avoid malicious coding.

Regards,

Tonino

--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to limit source IP in PHP

2012-09-14 Thread Tonix (Antonio Nati)

On 14/09/2012 21:19, Jim Lucas wrote:

On 09/13/2012 04:15 PM, Tonix (Antonio Nati) wrote:


Jim, sorry, but you did not read my posts carefully.

Since the first post, I ALWAYS spoke about connections a PHP script may
open autonomously (what you call the second connection).

I'm never speaking about listening/intercepting/using the original HTTP
request.


Then why did you bring up apache?  That seems to be the source of
confusion...



There is no confusion at all.

When a script is executing under apache, it can do whatever it wants
(within its permissions, of course), opening other sockets and doing any
kind of processing and IO. It does not interfere with apache
connections; it just uses new connections.


So, my request is clear: how to force a PHP script to bind only to a
permitted IP (i.e. using a directive similar to OPEN_BASEDIR).


The answer is clear. Actually PHP cannot force a PHP script to bind only 
to specific IPs.


So I've filed a request in the PHP bug repository for examining this
possibility.


In a multi-IP apache configuration, I feel it is right that each PHP script
should only (eventually) bind to the IP where the connection is received, or
to a permitted IP.


Hope this helps.

Tonino



--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-13 Thread Tonix (Antonio Nati)

On 13/09/2012 18:16, Mihamina Rakotomandimby wrote:

On 09/12/2012 07:02 PM, Daniel Brown wrote:

So, the answer is no, PHP is not able to do that.
There is a (heavy) BASEDIR directive for disk, but nothing equivalent (and
simpler) for IP.


 That's correct.  However, that doesn't mean you can't put in a
feature request at https://bugs.php.net/ to see if it can be included
in a future release.



The PHP handler is triggered depending on the request (i.e.: GET /dir/file.php).
The HTTP transaction still has to be initiated first then.
The TCP connection has been opened before the HTTP gets to Apache.
No chance PHP could change the binding IP.

Filing the request is IMHO technically irrelevant.



You are speaking about incoming connections, I suppose.

I'm speaking about connections started from within PHP.

Regards,

Tonino


--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-13 Thread Tonix (Antonio Nati)

On 13/09/2012 18:19, Mihamina Rakotomandimby wrote:

On 09/12/2012 04:53 PM, Tonix (Antonio Nati) wrote:

PHP script can freely choose which IP to bind.


PHP doesn't bind at all.
The HTTP server (Apache, lighttpd, ...) does.

PHP is called only when the HTTP server wants (you configure it that
way): make Apache handle PHP on conditional REMOTE_HOST if possible
(I did not look deep into the Apache documentation).






PHP is like any other programming language.

After it is called by apache, it can read and write files, as well as
open incoming and outgoing connections.


Please check carefully http://www.php.net/manual/en/book.sockets.php.

Regards,

Tonino


--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-13 Thread Tonix (Antonio Nati)

On 13/09/2012 21:41, Jim Lucas wrote:

On 09/13/2012 12:28 PM, Tonix (Antonio Nati) wrote:


You are speaking about incoming connections, I suppose.

I'm speaking about connections started from within PHP.


Which is a response to the incoming connection.



And so? There is no relation between the call received from Apache 
(which is not passed to PHP), and any connection PHP may open later.




Unless you are talking about PHP being run from cron or the CLI.

If you are talking about YOU running a PHP script as a daemon, then
yes, you have the ability to BIND to an IP address.  I do this in a
few scripts/daemons of mine.  I use the stream_* functions for this.


But, if you are talking about calling fopen() from the CLI and having it
bind to a specific IP when connecting out, that is more of an OS-specific
option.  You will need to find out how to run a php script
and have it bind to a given IP (or interface) when it connects to
the WWW.




When apache starts a php script, the script can open a socket towards 
another end-point, asking to bind to any local address as source address.


Period.

Regards,

Tonino


Hope this helps.

Jim



Regards,

Tonino








--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-13 Thread Tonix (Antonio Nati)



On 14/09/2012 00:09, Jim Lucas wrote:

On 09/13/2012 12:55 PM, Tonix (Antonio Nati) wrote:

On 13/09/2012 21:41, Jim Lucas wrote:

On 09/13/2012 12:28 PM, Tonix (Antonio Nati) wrote:


You are speaking about incoming connections, I suppose.

I'm speaking about connections started from within PHP.


Which is a response to the incoming connection.



And so? There is no relation between the call received from Apache
(which is not passed to PHP), and any connection PHP may open later.


My experience has always been, with Apache and lighttpd at least, that 
the response comes from the IP:PORT that the request was made to.




Jim, sorry, but you did not read my posts carefully.

Since the first post, I ALWAYS spoke about connections a PHP script may
open autonomously (what you call the second connection).


I'm never speaking about listening/intercepting/using the original HTTP
request.


It is well clear for anyone with a minimum knowledge of programming in
apache that only apache listens and answers from the bound port of httpd.
And, of course, any program/script/binary called from apache will
return its data to apache, and only apache will send it back to the
original requester.


At the same time it is well clear too that each called
program/script/binary may live autonomously before returning data to
apache, and do whatever action it needs to do, including opening
a network socket to an external or internal server.


And this is true for any language, from perl to C to PHP.

Only the first two replies understood the initial request; all the others just
added confusion to the thread.


Regards,

Tonino

--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






[PHP] How to limit source IP in PHP

2012-09-12 Thread Tonix (Antonio Nati)


Is there a way to force a PHP script to bind to a prefixed IP?

Actually, while you can assign more IPs to Apache for listening,
assigning domains to specific IPs, it looks like any PHP script can
freely choose which IP to bind. Instead I'd love for some domains to be
permitted to open connections only from the domain IP.


In FreeBSD I do it easily, setting up dedicated jails for domains. But 
how to do it simply using PHP on Linux?


Regards,

Tonino

 
Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-12 Thread Tonix (Antonio Nati)

On 12/09/2012 16:08, Tommy Pham wrote:

On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:

Is there a way to force a PHP script to bind to a prefixed IP?

Actually, while you can assign more IPs to Apache for listening, assigning
domains to specific IPs, it looks like any PHP script can freely choose
which IP to bind. Instead I'd love for some domains to be permitted to open
connections only from the domain IP.

In FreeBSD I do it easily, setting up dedicated jails for domains. But how
to do it simply using PHP on Linux?

Regards,

Tonino

  
 Inter@zioni                Interazioni di Antonio Nati
    http://www.interazioni.it  to...@interazioni.it



1) Use Listen in Apache
2) Use VM such as KVM, VMWare, etc.
3) Make an array containing permissible domains.  Check the
$_SERVER['SERVER_NAME'] if exists in that array.  React/respond
accordingly.



1) is only for listening.
2) means a VPS for each domain, which we already do with vmware and 
FreeBSD jails, but it is too expensive for some customers.

3) means I'm writing the script, which is not the standard situation.

You must suppose the script to be written by a malicious user in a
shared environment.


Is PHP able to 'force' the binding IP? I hoped there was an external
directive I did not see, but probably this is something PHP lacks.


Regards,

Tonino


--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-12 Thread Tonix (Antonio Nati)

On 12/09/2012 17:21, Daniel Brown wrote:

On Wed, Sep 12, 2012 at 10:18 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:

Is PHP able to 'force' the binding IP? I hoped there was an external directive I
did not see, but probably this is something PHP lacks.

 Not at all.  Essentially, PHP is an interface to underlying
software, OS commands, and APIs.  You'd have to configure the system
to bind requests, as PHP does not presently have that capability (and,
to my knowledge, there's no plan to change that).



So, the answer is no, PHP is not able to do that.
There is a (heavy) BASEDIR directive for disk, but nothing equivalent
(and simpler) for IP.


Regards,

Tonino



--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it






Re: [PHP] How to limit source IP in PHP

2012-09-12 Thread Tonix (Antonio Nati)

On 12/09/2012 17:52, Tommy Pham wrote:

On Wed, Sep 12, 2012 at 7:18 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:

On 12/09/2012 16:08, Tommy Pham wrote:


On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati)
to...@interazioni.it wrote:

Is there a way to force a PHP script to bind to a prefixed IP?

Actually, while you can assign more IPs to Apache for listening, assigning
domains to specific IPs, it looks like any PHP script can freely choose
which IP to bind. Instead I'd love for some domains to be permitted to open
connections only from the domain IP.

In FreeBSD I do it easily, setting up dedicated jails for domains. But how
to do it simply using PHP on Linux?

Regards,

Tonino

   
  Inter@zioni                Interazioni di Antonio Nati
     http://www.interazioni.it  to...@interazioni.it



1) Use Listen in Apache
2) Use VM such as KVM, VMWare, etc.
3) Make an array containing permissible domains.  Check the
$_SERVER['SERVER_NAME'] if exists in that array.  React/respond
accordingly.


1) is only for listening.
2) means a VPS for each domain, which we already do with vmware and FreeBSD
jails, but it is too expensive for some customers.
3) means I'm writing the script, which is not the standard situation.

You must suppose the script to be written by a malicious user in a shared
environment.

Is PHP able to 'force' the binding IP? I hoped there was an external directive I
did not see, but probably this is something PHP lacks.

Regards,

Tonino


--

 Inter@zioni                Interazioni di Antonio Nati
    http://www.interazioni.it  to...@interazioni.it



2) Previously you've mentioned that you were able to do that in
FreeBSD jails.  IIRC, the jails are similar to VMs in regards to
isolating of environment and dedicated IP for that environment.  It
seems that you want something that is equivalent of jails and VM but
not actual VM/jails.  Are you referring to 1 application with one
installed point but is used in multiple virtual domains and expect the
application to act/respond accordingly to the requests for each
virtual domain?



Yes, I'm thinking of low-cost shared WEB hosting for people who have
limited needs and don't want to spend more for a VM or a jail.


In this environment, a well tailored su-exec, with a different UID and
group for each user, does an excellent job of protecting disk areas,
so the only point which remains uncovered is limiting network access:


 * if you have internal interfaces in the same machine where you have
   public IPs, a web PHP application could try to use the internal
   address of the interface, exploring the internal network (we avoid that
   thanks to jails).
 * if apache listens on a specific IP for a single domain, and listens
   on other IPs for other domains, it would be safe if each domain could
   use as source IP only the associated listening IP.

In our specific case, we always use jails, so each apache is always 
within a jail and cannot explore other interfaces. When customers ask 
for dedicated IP, we setup another jail, but that means also one apache 
server for each domain, and it is justified only for big websites.


So, it would be nice if something existed which could force a
specific source IP or could force the use of the listening IP (or both
options) on any network binding operation. Of course a script could use
external commands (like ping or telnet) and escape this check, so we
don't have complete security, unless we disable any network tool... but
it would be a good start.


Regards,

Tonino

--

Inter@zioni                Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it
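Jim Lucas's point that binding the outgoing side is "an OS-specific option", and Tonino's description of the su-exec per-user UID setup with network access as the one uncovered gap, both lead to the same place: the Linux kernel can enforce the policy per UID even though PHP cannot. The script below is an added example, not code from this thread or from the PHP project. It assumes the layout Tonino describes (each vhost's PHP runs under its own suexec UID) and generates iptables rules that use the owner match, so they also cover external commands (ping, telnet) run by that UID, which is the escape Tonino worries about. UID 1001, source IP 192.0.2.10 and the 10.0.0.0/8 internal range are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-vhost outbound network policy on
# Linux, enforced in the kernel with iptables' owner match rather than in PHP.
# Assumed layout: every vhost's scripts run under their own suexec UID, and the
# vhost's Apache Listen address is its only permitted source IP.
# UID 1001, 192.0.2.10 and 10.0.0.0/8 below are constructed placeholders.

# gen_rules UID ALLOWED_SRC_IP INTERNAL_CIDR
# Prints the iptables commands for one vhost UID. Review them, then pipe the
# output to `sh` as root, e.g.:  gen_rules 1001 192.0.2.10 10.0.0.0/8 | sh
gen_rules() {
    uid=$1
    src=$2
    internal=$3

    # 1. Log, then refuse, anything this UID sends towards the internal
    #    network (the "exploring the internal network" case). The LOG line
    #    gives the detection signal; the REJECT line is the control.
    printf '%s\n' "iptables -A OUTPUT -m owner --uid-owner $uid -d $internal -j LOG --log-prefix \"php-uid$uid-internal: \""
    printf '%s\n' "iptables -A OUTPUT -m owner --uid-owner $uid -d $internal -j REJECT"

    # 2. Whatever local address the script bound to, rewrite the source of
    #    its non-loopback traffic to the vhost's listening IP. Loopback is
    #    left alone so a local database on 127.0.0.1 keeps working.
    printf '%s\n' "iptables -t nat -A POSTROUTING -m owner --uid-owner $uid ! -o lo -j SNAT --to-source $src"
}

# count_rules UID ALLOWED_SRC_IP INTERNAL_CIDR: number of rule lines generated
count_rules() {
    gen_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Print the rule set for the placeholder vhost; nothing is applied here.
gen_rules 1001 192.0.2.10 10.0.0.0/8
```

Two caveats a practitioner should keep in mind. The owner match keys on the UID that created the socket, so this only works when PHP actually runs as the per-user UID (suexec/CGI, or a per-user FPM pool); under mod_php every script runs as the Apache worker's UID and all vhosts would share one rule set. And the SNAT rule changes only the source address on the wire: a script that explicitly binds to an internal interface address and talks to an internal host is stopped by the filter rules in step 1, not by the NAT rule, so both halves are needed.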


