From owner-freebsd-questions@FreeBSD.ORG Thu Jul 9 12:33:06 2009
Delivered-To: freebsd-questions@freebsd.org
From: Julien Cigar
To: Nicolas Letellier
Cc: Reko Turja, freebsd-questions@freebsd.org
Subject: Re: Secure apache with php
Date: Thu, 09 Jul 2009 14:36:11 +0200
Message-Id: <1247142971.2653.19.camel@frodon.be-bif.ulb.ac.be>
In-Reply-To: <20090709134329.0f86c78b@belegost.nicoelro.net>
References: <20090709113534.43373278@belegost.nicoelro.net> <20090709122212.658bcc24@belegost.nicoelro.net> <1247136597.2653.15.camel@frodon.be-bif.ulb.ac.be> <20090709134329.0f86c78b@belegost.nicoelro.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1
List-Id: User questions
X-List-Received-Date: Thu, 09 Jul 2009 12:33:06 -0000

On Thu, 2009-07-09 at 13:43 +0200, Nicolas Letellier wrote:
> On Thu, 09 Jul 2009 12:49:57 +0200,
> Julien Cigar wrote:
>
> > What I do is run PHP in FastCGI mode (with something like x-cache)
> > with a dedicated user for each webapp, for which I have a dedicated
> > script, for example:
> >
> > =========
> > jcigar@bccm-it ~ % ls -l /usr/local/www/apache22/cgi-bin
> > (...)
> > -rwxr-xr-x 1 www-scar www-scar 202 Oct 27 2008 scar-php-wrapper.fcgi*
> > -rwxr-xr-x 1 www-lwatch www-lwatch 202 Apr 24 12:05 sfa-php-wrapper.fcgi*
> > -rwxr-xr-x 1 www-tapir www-tapir 202 Oct 27 2008 tapir-php-wrapper.fcgi*
> > (...)
> > =========
> >
> > each .fcgi contains something like:
> >
> > =========
> > jcigar@bccm-it ~ % cat /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi
> > #!/bin/sh
> >
> > #PHPRC="/path/to/php.ini"
> > #export PHPRC
> >
> > PHP_FCGI_CHILDREN=3
> > export PHP_FCGI_CHILDREN
> >
> > PHP_FCGI_MAX_REQUESTS=10000
> > export PHP_FCGI_MAX_REQUESTS
> >
> > exec /usr/local/bin/php-cgi -b 127.0.0.1:5009
> > =========
> >
> > you can control how many children have to be fork()ed, the maximum
> > number of requests per process before it gets killed and re-launched
> > (useful if a webapp leaks memory), etc.
> >
> > Then in your Apache config you put something like:
> >
> > =========
> > FastCgiExternalServer /usr/local/www/apache22/cgi-bin/scar-php-wrapper.fcgi -host 127.0.0.1:5009 -idle-timeout 1800
> >
> >
> > SetHandler fastcgi-script
> >
> >
> >
> > Order allow,deny
> > Allow from all
> >
> > AddHandler php-fastcgi .php
> > Action php-fastcgi /cgi-bin/scar-php-wrapper.fcgi
> >
> > =========
> >
> > hope it helps,
> >
> > best regards,
> > Julien
> >
> >
> > On Thu, 2009-07-09 at 12:22 +0200, Nicolas Letellier wrote:
> > > On Thu, 9 Jul 2009 13:18:39 +0300,
> > > "Reko Turja" wrote:
> > >
> > > > > I want to secure my Apache/PHP environment...
> > > >
> > > > Full suhosin, both patch and mod for the PHP. IIRC suhosin patch
> > > > is optional in PHP port and the mod can be installed via ports.
> > > > (http://www.hardened-php.net/suhosin/index.html)
> > > >
> > > > Apache environment and binaries set up in a jail.
> > > >
> > > > > Which Apache version do you advise?
> > > >
> > > > I reckon these days 2.2 would be the best in regards of future
> > > > upgrades and development.
> > > >
> > > > -Reko
> > > >
> > > Thanks. I already use suhosin patch in mod_php.
> > >
> > > I have few users on this machine, each uses a separate directory
> > > (/var/www/user). I do not want to make a jail for each one.
> > >
> > > That's why mpm-itk seems to be good (instead of safe_mode /
> > > open_basedir).
> > >
> > > Best regards,
> > >
> >
>
> When I tested php in cgi, performance was bad. That's why php_mod is
> better (in my case !=
>

It's not CGI, it's FastCGI. There is no performance loss if you use an opcode cacher (like x-cache).

-- 
Julien Cigar
Belgian Biodiversity Platform
http://www.biodiversity.be
Université Libre de Bruxelles (ULB)
Campus de la Plaine CP 257
Bâtiment NO, Bureau 4 N4 115C (Niveau 4)
Boulevard du Triomphe, entrée ULB 2
B-1050 Bruxelles
Mail: jcigar@ulb.ac.be
@biobel: http://biobel.biodiversity.be/person/show/471
Tel : 02 650 57 52

No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.