Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by jmcg: http://wiki.apache.org/httpd/ScratchPad/SecuringPHP The comment on the change is: Added an explanation about the Directory block and realized that WikiWords suck. ------------------------------------------------------------------------------ #language en == Securing a Multi-site PHP setup == ===== This is a working title. ===== - Due to many requests of this kind #apache, I decided that repeatin myself is getting boring, so I will start writing down my approach to this and invite anybody who has experience in this field to extend this wiki page. + Due to many requests of this kind #apache, I decided that repeating myself is getting boring, so I will start writing down my approach to this, and I invite anybody who has experience in this field to extend this wiki page. === open_basedir === ==== Prerequisites ==== - To seperate the single PHP sites I host, I use PHP's open_basedir apraoch. + To seperate the single PHP sites I host, I use PHP's open_basedir directive. Due to the fact, that this directive is NOT respected by all functions, be it a design flaw, an exploit or third party libraries that simply ignore this setting, I recommend installing the [http://www.hardened-php.net/suhosin.127.html Suhosin Extension], which in the past has proven to be capable of holding against such flaws. @@ -37, +37 @@ ''/srv/web'' being the base of my installation, I chose to put every domain and every subdomain of those domains in it's own directory. Please note that this is a simple setup, serving as an idea an example -- not a reference installation. - ''/srv/web/domain.tld/htdocs'' will be our [http://httpd.apache.org/docs/2.2/mod/core.html#documentroot DocumentRoot] ''tmp'' and ''sessions'' will be configured per vhost as directories for temporary uploads and sessions. 
+ ''/srv/web/domain.tld/htdocs'' will be our [http://httpd.apache.org/docs/2.2/mod/core.html#documentroot DocumentRoot], ''tmp'' and ''sessions'' will be configured per vhost as directories for temporary uploads and sessions. Now let's have look at our config! @@ -75, +75 @@ This piece of information is important if you host a wiki for instance, which uses diff or diff3, you will have to supply it in the open_basedir string. + Eventually, in the Directory block, we allow PHP to be executed, via ''php_admin_flag engine on'', because by default I have PHP disabled via ''egnine off'' in ''/etc/php.ini''. + + I also allow the overriding of AuthConfig and that of FileInfo. Note that allowing to override FileInfo is dangerous, as it allows a number of settings to be overridden, some of which could affect your PHP installation as well, but it also allows the use of mod_rewrite. + === Limitation === xxx
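Review bot: in the first hunk (the open_basedir prerequisites paragraph) the added line still carries the misspelling "seperate" (should be "separate") and the stray comma in "Due to the fact, that"; the "apraoch" to "directive" change itself is right. Since this paragraph is where readers learn that open_basedir is not honoured by every function, it would also help to say here that the directive is set per vhost from httpd.conf rather than globally in php.ini, which is what the later "configured per vhost" text implies.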
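Review bot: in the @@ -37 hunk the added comma after DocumentRoot reads better, but the unchanged context lines still have "in it's own directory" (should be "its") and "serving as an idea an example" is missing an "and" or "or"; both could be fixed in the same edit.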
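Review bot: in the @@ -75 hunk, "egnine off" in the new Directory-block paragraph should be "engine off", and "Eventually" here means "Finally" (the last step of the vhost setup), so "Finally" would be clearer. On the FileInfo warning: it would be worth stating explicitly that php_admin_flag and php_admin_value cannot be overridden from .htaccess at all, so "engine on", and open_basedir if it is likewise set with php_admin_value in the vhost, stay in force even with AllowOverride FileInfo; what FileInfo does expose is php_value/php_flag for the remaining per-directory PHP settings together with mod_rewrite and handler directives, so the risk is that a site owner can change those, not the engine switch or the open_basedir string. AuthConfig by comparison only covers the authentication directives and could be described as the low-risk part of the AllowOverride line.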
