From owner-freebsd-questions@FreeBSD.ORG Thu Jul 9 11:43:37 2009
Date: Thu, 9 Jul 2009 13:43:29 +0200
From: Nicolas Letellier
To: Julien Cigar
Cc: Reko Turja, freebsd-questions@freebsd.org
Subject: Re: Secure apache with php
Message-ID: <20090709134329.0f86c78b@belegost.nicoelro.net>
In-Reply-To: <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be>
References: <20090709113534.43373278@belegost.nicoelro.net> <20090709122212.658bcc24@belegost.nicoelro.net> <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be>
X-Mailer: Claws Mail 3.7.1 (GTK+ 2.12.9; i486-slackware-linux-gnu)
List-Id: User questions

On Thu, 09 Jul 2009 12:49:57 +0200, Julien Cigar wrote:
> What I do is run PHP in FastCGI mode (with something like x-cache)
> with a dedicated user for each webapp, for which I have a dedicated
> script, for example:
>
> =========
> jcigar@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
> (...)
> -rwxr-xr-x  1 www-scar    www-scar    202 Oct 27  2008 scar-php-wrapper.fcgi*
> -rwxr-xr-x  1 www-lwatch  www-lwatch  202 Apr 24 12:05 sfa-php-wrapper.fcgi*
> -rwxr-xr-x  1 www-tapir   www-tapir   202 Oct 27  2008 tapir-php-wrapper.fcgi*
> (...)
> =========
>
> each .fcgi contains something like:
>
> =========
> jcigar@bccm-it ~ % cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> #!/bin/sh
>
> #PHPRC="/path/to/php.ini"
> #export PHPRC
>
> PHP_FCGI_CHILDREN=3
> export PHP_FCGI_CHILDREN
>
> PHP_FCGI_MAX_REQUESTS=10000
> export PHP_FCGI_MAX_REQUESTS
>
> exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
> =========
>
> you can control how many children have to be fork()ed, the number of
> maximum requests per process before it gets killed and re-launched
> (useful if a webapp leaks memory), etc.
>
> Then in your Apache config you put something like:
>
> =========
> FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi -host 127.0.0.1:5009 -idle-timeout 1800
>
>
> SetHandler fastcgi-script
>
>
>
> Order allow,deny
> Allow from all
>
> AddHandler php-fastcgi .php
> Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
>
> =========
>
> hope it helps,
>
> best regards,
> Julien
>
>
> On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> > On Thu, 9 Jul 2009 13:18:39 +0300, "Reko Turja" wrote:
> >
> > > > I want to secure my Apache/PHP environment...
> > >
> > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch
> > > is optional in the PHP port and the mod can be installed via ports.
> > > (http://www.hardened-php.net/suhosin/index.html)
> > >
> > > Apache environment and binaries set up in a jail.
> > >
> > > > Which Apache version do you advise?
> > >
> > > I reckon these days 2.2 would be the best with regard to future
> > > upgrades and development.
> > >
> > > -Reko
> > >
> > Thanks. I already use the suhosin patch in mod_php.
> >
> > I have a few users on this machine, each using a separate directory
> > (/var/www/user). I do not want to make a jail for each one.
> >
> > That's why mpm-itk seems to be good (instead of safe_mode /
> > open_basedir).
> >
> > Best regards,
> >
> >
> >

When I tested PHP in CGI, performance was bad. That's why mod_php is better (in my case !=

-- 
Nicolas
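An added example, not from the thread and not Julien's or Nicolas's own code: a POSIX sh script that generates the per-application wrapper and Apache stanza layout Julien describes, and adds two checks a practitioner would want before deploying it (every app on its own loopback port; no wrapper writable by group or other). The app inventory, port numbers, docroots and the www-<app> user naming are assumptions of mine; the php-cgi and cgi-bin paths are the ones in Julien's listing.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the per-application
# FastCGI layout Julien describes: one wrapper per webapp, each bound to its
# own loopback port and meant to run as its own unprivileged user, so a
# compromised app cannot read or alter another app's files.
# Assumptions (mine, not from the mail): the app inventory, port numbers and
# docroots below are constructed sample data; user names follow a www-<app>
# convention; the php-cgi and cgi-bin paths are the FreeBSD ones Julien shows.

# Constructed inventory, one app per line: name, loopback port, docroot.
APPS='scar 5009 /usr/local/www/scar
sfa 5010 /usr/local/www/sfa
tapir 5011 /usr/local/www/tapir'

CGIBIN=/usr/local/www/apache22/cgi-bin

# Print the wrapper script for one app. PHP_FCGI_CHILDREN bounds the process
# pool; PHP_FCGI_MAX_REQUESTS recycles each child after that many requests,
# which limits how long a leaking or wedged app keeps its memory.
generate_fcgi_wrapper() {
  app=$1 port=$2 children=${3:-3} maxreq=${4:-10000}
  printf '%s\n' \
    '#!/bin/sh' \
    "# FastCGI wrapper for ${app}; start it as user www-${app}, never as root" \
    "PHP_FCGI_CHILDREN=${children}" \
    'export PHP_FCGI_CHILDREN' \
    "PHP_FCGI_MAX_REQUESTS=${maxreq}" \
    'export PHP_FCGI_MAX_REQUESTS' \
    "exec /usr/local/bin/php-cgi -b 127.0.0.1:${port}"
}

# Printed once: lets Apache treat the wrappers in cgi-bin as FastCGI scripts.
generate_cgibin_stanza() {
  printf '%s\n' \
    "<Directory \"${CGIBIN}\">" \
    '    SetHandler fastcgi-script' \
    '</Directory>'
}

# Print the per-app Apache 2.2 / mod_fastcgi stanza. FastCgiExternalServer
# means Apache only connects to an already running process and never spawns
# it, so the wrapper's uid is decided by whoever starts it, not by httpd.
generate_apache_stanza() {
  app=$1 port=$2 docroot=$3
  printf '%s\n' \
    "FastCgiExternalServer ${CGIBIN}/${app}-php-wrapper.fcgi -host 127.0.0.1:${port} -idle-timeout 1800" \
    "<Directory \"${docroot}\">" \
    '    Order allow,deny' \
    '    Allow from all' \
    '    AddHandler php-fastcgi .php' \
    "    Action php-fastcgi /cgi-bin/${app}-php-wrapper.fcgi" \
    '</Directory>'
}

# Two wrappers on the same loopback port would either fail to start or serve
# one app's requests from the other app's process (and uid). Returns 0 when
# every port in the inventory is unique.
ports_unique() {
  printf '%s\n' "$1" | awk 'NF { print $2 }' | sort | uniq -d | grep -q . && return 1
  return 0
}

# A wrapper that group or other can write is a path to code execution as the
# app user. Takes the mode column of ls -l; returns 0 only when neither the
# group nor the other write bit is set.
wrapper_mode_ok() {
  case $1 in
    ?????w*|????????w*) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit the whole configuration for the inventory to stdout.
emit_all() {
  ports_unique "$APPS" || { echo 'error: duplicate FastCGI port in inventory' >&2; return 1; }
  generate_cgibin_stanza
  printf '%s\n' "$APPS" | while read -r app port docroot; do
    echo "### ${CGIBIN}/${app}-php-wrapper.fcgi (install 0755, owner www-${app})"
    generate_fcgi_wrapper "$app" "$port"
    echo "### httpd.conf fragment for ${app}"
    generate_apache_stanza "$app" "$port" "$docroot"
  done
}

emit_all
```

Run it as an ordinary user to review the output, then install each wrapper with mode 0755 under its own app user and start it as that user (on FreeBSD, for instance, `su -m www-scar -c /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi` from an rc script; that launch method is my suggestion, not something the thread states). Because Apache only connects to the loopback port, the separation between apps rests entirely on those wrappers being started under distinct uids and on their files not being writable by other users, which is what the two checks guard.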