Secure apache with php
Julien Cigar
jcigar at ulb.ac.be
Thu Jul 9 12:33:06 UTC 2009
On Thu, 2009-07-09 at 13:43 +0200, Nicolas Letellier wrote:
> Le Thu, 09 Jul 2009 12:49:57 +0200,
> Julien Cigar <jcigar at ulb.ac.be> a écrit :
>
> > What I do is running PHP in FastCGI mode (with something like x-cache)
> > with a dedicated user for each webapp for which I have a dedicated
> > script, for example :
> >
> > =========
> > jcigar at bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
> > (...)
> > -rwxr-xr-x 1 www-scar www-scar 202 Oct 27 2008
> > scar-php-wrapper.fcgi*
> > -rwxr-xr-x 1 www-lwatch www-lwatch 202 Apr 24 12:05
> > sfa-php-wrapper.fcgi*
> > -rwxr-xr-x 1 www-tapir www-tapir 202 Oct 27 2008
> > tapir-php-wrapper.fcgi*
> > (...)
> > =========
> >
> > each .fcgi contain something like :
> >
> > =========
> > jcigar at bccm-it ~ %
> > cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> > #!/bin/sh
> >
> > #PHPRC="/path/to/php.ini"
> > #export PHPRC
> >
> > PHP_FCGI_CHILDREN=3
> > export PHP_FCGI_CHILDREN
> >
> > PHP_FCGI_MAX_REQUESTS=10000
> > export PHP_FCGI_MAX_REQUESTS
> >
> > exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
> > =========
> >
> > you can control how much children have to be fork(), the number of
> > maximum requests per process before it gets killed and re-launched
> > (usefull if a webapp leaks memory), etc
> >
> > Then in your Apache config you put something like :
> >
> > =========
> > FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> > -host 127.0.0.1:5009 -idle-timeout 1800
> >
> > <Location /cgi-bin/scar-php-wrapper.fcgi>
> > SetHandler fastcgi-script
> > </Location>
> >
> > <Directory /usr/local/www/apache22/data/scarmarbin>
> > Order allow,deny
> > Allow from all
> >
> > AddHandler php-fastcgi .php
> > Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
> > </Directory>
> > =========
> >
> > hope it helps,
> >
> > best regards,
> > Julien
> >
> >
> > On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> > > Le Thu, 9 Jul 2009 13:18:39 +0300,
> > > "Reko Turja" <reko.turja at liukuma.net> a écrit :
> > >
> > > > > I want to secure my Apache/PHP environment...
> > > >
> > > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch
> > > > is optional in PHP port and the mod can be installed via ports.
> > > > (http://www.hardened-php.net/suhosin/index.html)
> > > >
> > > > Apache environment and binaries set up in a jail.
> > > >
> > > > > Which Apache version do you advice?
> > > >
> > > > I reckon these days 2.2 would be the best in regards of future
> > > > upgrades and development.
> > > >
> > > > -Reko
> > > >
> > > Thanks. I already use suhosin patch in mod_php.
> > >
> > > I have few users on this machine, each use a separate directory
> > > (/var/www/user). I do not want to make a jail for each one.
> > >
> > > That's why mpm-itk seems to be good (instead of safe_mode /
> > > open_basedir).
> > >
> > > Best regards,
> > >
> > >
> > >
> When I tested php in cgi, performances were bad. That's why, php_mod is
> better (in my case !=
>
It's not CGI, it's FastCGI.
There is no performance loss if you use an opcode cacher (like x-cache).
--
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jcigar at ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
More information about the freebsd-questions
mailing list