Date: Thu, 09 Jul 2009 12:49:57 +0200
From: Julien Cigar <jcigar@ulb.ac.be>
To: Nicolas Letellier <nicolas@nicoelro.net>
Cc: Reko Turja <reko.turja@liukuma.net>, freebsd-questions@freebsd.org
Subject: Re: Secure apache with php
Message-ID: <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be>
In-Reply-To: <20090709122212.658bcc24@belegost.nicoelro.net>
References: <20090709113534.43373278@belegost.nicoelro.net> <EA9FE81A7F144C89AFCD0E9390FD69FC@rivendell> <20090709122212.658bcc24@belegost.nicoelro.net>
What I do is running PHP in FastCGI mode (with something like x-cache) with a dedicated user for each webapp, for which I have a dedicated script, for example:

=========
jcigar@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
(...)
-rwxr-xr-x  1 www-scar    www-scar    202 Oct 27  2008 scar-php-wrapper.fcgi*
-rwxr-xr-x  1 www-lwatch  www-lwatch  202 Apr 24 12:05 sfa-php-wrapper.fcgi*
-rwxr-xr-x  1 www-tapir   www-tapir   202 Oct 27  2008 tapir-php-wrapper.fcgi*
(...)
=========

each .fcgi contains something like:

=========
jcigar@bccm-it ~ % cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
#!/bin/sh
#PHPRC="/path/to/php.ini"
#export PHPRC
PHP_FCGI_CHILDREN=3
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=10000
export PHP_FCGI_MAX_REQUESTS
exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
=========

you can control how many children have to be fork()ed, the maximum number of requests per process before it gets killed and re-launched (useful if a webapp leaks memory), etc.

Then in your Apache config you put something like:

=========
FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi -host 127.0.0.1:5009 -idle-timeout 1800

<Location /cgi-bin/scar-php-wrapper.fcgi>
    SetHandler fastcgi-script
</Location>

<Directory /usr/local/www/apache22/data/scarmarbin>
    Order allow,deny
    Allow from all
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
</Directory>
=========

hope it helps,
best regards,
Julien

On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> On Thu, 9 Jul 2009 13:18:39 +0300,
> "Reko Turja" <reko.turja@liukuma.net> wrote:
> 
> > > I want to secure my Apache/PHP environment...
> > 
> > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch is
> > optional in PHP port and the mod can be installed via ports.
> > (http://www.hardened-php.net/suhosin/index.html)
> > 
> > Apache environment and binaries set up in a jail.
> > 
> > > Which Apache version do you advise?
> > 
> > I reckon these days 2.2 would be the best in regards of future
> > upgrades and development.
> > 
> > -Reko
> 
> Thanks. I already use suhosin patch in mod_php.
> 
> I have few users on this machine, each uses a separate directory
> (/var/www/user). I do not want to make a jail for each one.
> 
> That's why mpm-itk seems to be good (instead of safe_mode /
> open_basedir).
> 
> Best regards,
> 

-- 
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jcigar@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.
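An added audit script for the per-webapp wrapper layout described in the message above (it is not from the thread or from any FreeBSD port). It assumes all wrappers sit in one directory, are named *.fcgi, and bind php-cgi with "-b 127.0.0.1:PORT" as in the scar example; it flags the mistakes that would silently undo the per-user separation: a wrapper writable by group or other (another webapp's user could change what runs as this user), a wrapper that is not executable, or two wrappers bound to the same loopback port (a single php-cgi would then serve both apps under one user).

```shell
#!/bin/sh
# audit_wrappers DIR: check every DIR/*.fcgi wrapper, print one "PROBLEM" line
# per finding and return non-zero if anything was found. Example code, not part
# of the mailing-list post; the file names checked below are assumptions.
audit_wrappers() {
    dir=$1
    problems=0
    seen_ports=" "                      # space-separated list of ports already claimed
    for f in "$dir"/*.fcgi; do
        [ -e "$f" ] || continue         # unmatched glob: nothing to audit
        name=${f##*/}
        # ls mode string: chars 2-4 user, 5-7 group, 8-10 other; 'w' at 6 or 9 is bad
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            ?????w*|????????w*)
                echo "PROBLEM $name: writable by group or other ($mode)"
                problems=$((problems + 1)) ;;
        esac
        if [ ! -x "$f" ]; then
            echo "PROBLEM $name: not executable"
            problems=$((problems + 1))
        fi
        # extract the loopback port php-cgi is told to listen on
        port=$(sed -n 's/.*php-cgi.*-b 127\.0\.0\.1:\([0-9][0-9]*\).*/\1/p' "$f")
        if [ -z "$port" ]; then
            echo "PROBLEM $name: no loopback bind address (-b 127.0.0.1:PORT) found"
            problems=$((problems + 1))
        else
            case $seen_ports in
                *" $port "*)
                    echo "PROBLEM $name: port $port already used by another wrapper"
                    problems=$((problems + 1)) ;;
                *) seen_ports="$seen_ports$port " ;;
            esac
        fi
    done
    [ "$problems" -eq 0 ]
}

# usage: sh audit-wrappers.sh /usr/local/www/apache22/cgi-bin
if [ $# -gt 0 ]; then
    audit_wrappers "$1"
fi
```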
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1247136597.2653.15.camel>