Secure apache with php

Nicolas Letellier nicolas at nicoelro.net
Thu Jul 9 11:43:38 UTC 2009


Le Thu, 09 Jul 2009 12:49:57 +0200,
Julien Cigar <jcigar at ulb.ac.be> a écrit :

> What I do is running PHP in FastCGI mode (with something like x-cache)
> with a dedicated user for each webapp for which I have a dedicated
> script, for example :
> 
> =========
> jcigar at bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
> (...)
> -rwxr-xr-x  1 www-scar    www-scar    202 Oct 27  2008
> scar-php-wrapper.fcgi*
> -rwxr-xr-x  1 www-lwatch  www-lwatch  202 Apr 24 12:05
> sfa-php-wrapper.fcgi*
> -rwxr-xr-x  1 www-tapir   www-tapir   202 Oct 27  2008
> tapir-php-wrapper.fcgi*
> (...)
> =========
> 
> each .fcgi contain something like :
> 
> =========
> jcigar at bccm-it ~ %
> cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> #!/bin/sh
> 
> #PHPRC="/path/to/php.ini"
> #export PHPRC
> 
> PHP_FCGI_CHILDREN=3
> export PHP_FCGI_CHILDREN
> 
> PHP_FCGI_MAX_REQUESTS=10000
> export PHP_FCGI_MAX_REQUESTS
> 
> exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
> =========
> 
> you can control how much children have to be fork(), the number of
> maximum requests per process before it gets killed and re-launched
> (usefull if a webapp leaks memory), etc
> 
> Then in your Apache config you put something like :
> 
> =========
> FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> -host 127.0.0.1:5009 -idle-timeout 1800
> 
>     <Location /cgi-bin/scar-php-wrapper.fcgi>
>         SetHandler fastcgi-script
>     </Location>
> 
>     <Directory /usr/local/www/apache22/data/scarmarbin>
>         Order allow,deny
>         Allow from all
> 
>         AddHandler php-fastcgi .php
>         Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
>     </Directory>
> =========
> 
> hope it helps,
> 
> best regards,
> Julien
> 
> 
> On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> > Le Thu, 9 Jul 2009 13:18:39 +0300,
> > "Reko Turja" <reko.turja at liukuma.net> a écrit :
> > 
> > > > I want to secure my Apache/PHP environment...
> > > 
> > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch
> > > is optional in PHP port and the mod can be installed via ports.
> > > (http://www.hardened-php.net/suhosin/index.html)
> > > 
> > > Apache environment and binaries set up in a jail.
> > > 
> > > > Which Apache version do you advice?
> > > 
> > > I reckon these days 2.2 would be the best in regards of future 
> > > upgrades and development.
> > > 
> > > -Reko 
> > > 
> > Thanks. I already use suhosin patch in mod_php.
> > 
> > I have few users on this machine, each use a separate directory
> > (/var/www/user). I do not want to make a jail for each one.
> > 
> > That's why mpm-itk seems to be good (instead of safe_mode /
> > open_basedir).
> > 
> > Best regards,
> > 
> > 
> > 
When I tested php in cgi, performances were bad. That's why, php_mod is
better (in my case !=

-- 
Nicolas


More information about the freebsd-questions mailing list