Date: Thu, 9 Jul 2009 13:43:29 +0200 From: Nicolas Letellier <nicolas@nicoelro.net> To: Julien Cigar <jcigar@ulb.ac.be> Cc: Reko Turja <reko.turja@liukuma.net>, freebsd-questions@freebsd.org Subject: Re: Secure apache with php Message-ID: <20090709134329.0f86c78b@belegost.nicoelro.net> In-Reply-To: <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be> References: <20090709113534.43373278@belegost.nicoelro.net> <EA9FE81A7F144C89AFCD0E9390FD69FC@rivendell> <20090709122212.658bcc24@belegost.nicoelro.net> <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be>
next in thread | previous in thread | raw e-mail | index | archive | help
Le Thu, 09 Jul 2009 12:49:57 +0200, Julien Cigar <jcigar@ulb.ac.be> a =E9crit : > What I do is running PHP in FastCGI mode (with something like x-cache) > with a dedicated user for each webapp for which I have a dedicated > script, for example : >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D > jcigar@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin > (...) > -rwxr-xr-x 1 www-scar www-scar 202 Oct 27 2008 > scar-php-wrapper.fcgi* > -rwxr-xr-x 1 www-lwatch www-lwatch 202 Apr 24 12:05 > sfa-php-wrapper.fcgi* > -rwxr-xr-x 1 www-tapir www-tapir 202 Oct 27 2008 > tapir-php-wrapper.fcgi* > (...) > =3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > each .fcgi contain something like : >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D > jcigar@bccm-it ~ % > cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi > #!/bin/sh >=20 > #PHPRC=3D"/path/to/php.ini" > #export PHPRC >=20 > PHP_FCGI_CHILDREN=3D3 > export PHP_FCGI_CHILDREN >=20 > PHP_FCGI_MAX_REQUESTS=3D10000 > export PHP_FCGI_MAX_REQUESTS >=20 > exec /usr/local/bin/php-cgi -b 127.0.0.1:5009 > =3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > you can control how much children have to be fork(), the number of > maximum requests per process before it gets killed and re-launched > (usefull if a webapp leaks memory), etc >=20 > Then in your Apache config you put something like : >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D > FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fc= gi > -host 127.0.0.1:5009 -idle-timeout 1800 >=20 > <Location /cgi-bin/scar-php-wrapper.fcgi> > SetHandler fastcgi-script > </Location> >=20 > <Directory /usr/local/www/apache22/data/scarmarbin> > Order allow,deny > Allow from all >=20 > AddHandler php-fastcgi .php > Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi > </Directory> > =3D=3D=3D=3D=3D=3D=3D=3D=3D >=20 > hope it helps, >=20 > best regards, > Julien >=20 >=20 > On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote: > > Le Thu, 9 Jul 2009 13:18:39 +0300, > > "Reko Turja" <reko.turja@liukuma.net> a =E9crit : > >=20 > > > > I want to secure my Apache/PHP environment... > > >=20 > > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch > > > is optional in PHP port and the mod can be installed via ports. > > > (http://www.hardened-php.net/suhosin/index.html) > > >=20 > > > Apache environment and binaries set up in a jail. > > >=20 > > > > Which Apache version do you advice? > > >=20 > > > I reckon these days 2.2 would be the best in regards of future=20 > > > upgrades and development. > > >=20 > > > -Reko=20 > > >=20 > > Thanks. I already use suhosin patch in mod_php. > >=20 > > I have few users on this machine, each use a separate directory > > (/var/www/user). I do not want to make a jail for each one. > >=20 > > That's why mpm-itk seems to be good (instead of safe_mode / > > open_basedir). > >=20 > > Best regards, > >=20 > >=20 > >=20 When I tested php in cgi, performances were bad. That's why, php_mod is better (in my case !=3D --=20 Nicolas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090709134329.0f86c78b>