How to create an Apache application environment in Windows

Source: Internet
Author: User

Objective: To configure restricted user permissions for Apache and PHP

Environment Configuration:
Apache installation directory: d:\www-s\apache
PHP directory: d:\www-s\php5
MySQL directory: d:\www-s\mysql
Website root directory: d:\www\htdocs

User account used to run Apache: apache-u (not a member of any user group)

PS: This article covers only the directory permission settings related to the Apache application environment in Windows. Other basic server directory permission settings are not discussed.

For Windows, follow these steps:

Configure Directory Permissions

The root directory (drive D) where Apache is located only requires the read permission, and this permission does not need to be inherited by subdirectories and files (select: Apply to: This folder only; Permissions: List folder/read data, Read attributes, Read extended attributes, Read permissions; then OK).

The parent directory (d:\www-s) of the Apache installation directory requires the "read" permission (the same as the permission on the root of drive D).

The Apache installation directory requires the "list folder contents" and "read" permissions (inheritance can be used for convenience).

Subdirectory permission settings in the Apache installation directory

The "bin" and "modules" directories require the "read and execute", "list folder contents", and "read" permissions.

The "logs" directory requires the "list folder contents", "read", and "write" permissions (if the permissions of the Apache installation directory are inherited, you only need to add the "write" permission).

The Apache permissions are now set. Next, set the PHP permissions.

The PHP directory (php5) can be set to "read and execute", "list folder contents", and "read".

For the bin folder and its files in the MySQL directory (mysql), add the "traverse folder/execute file" and "list folder/read data" permissions for the apache user (these are found in the advanced permission settings).

Apache + MySQL + PHP is now basically usable. Next, configure the website root directory permissions.

The parent directory (www) of the website root directory (www\htdocs) requires the read permissions ("List folder/read data", "Read attributes", "Read extended attributes", and "Read permissions"). As with the parent directory of Apache, these do not need to be inherited by subdirectories and files.

For the website root directory (htdocs) you can simply set the "read" permission (and then set the write permission on the cache folder as needed).

The restricted permission settings for the Apache + PHP + MySQL environment are now basically complete.

Enable restricted users for the Apache service
Open the Service Manager (services.msc, or "My Computer -- Properties -- Management -- Services"), find the Apache service (Apache2.2), open its properties, and under "Log On" select the restricted user (apache-u). Enter the password of the restricted user, apply the change, and click OK.

After clicking OK, a message is displayed (the account .\apache-u has been granted the "Log on as a service" right). This is equivalent to adding the apache-u user to "Log on as a service" under "User Rights Assignment" in the local security policy (Start -> Administrative Tools -> Local Security Policy, or open gpedit.msc).

The user name of the httpd.exe process in Task Manager is now apache-u, and PHP + MySQL programs run normally.
The directory permissions of the Apache application environment in Windows are now configured.
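
The grants and the service check described above, scripted with icacls as an added example (not part of the original article). It assumes an elevated PowerShell session, the paths, account and service name used on this page, and a hypothetical D:\www\htdocs\cache folder; the mapping from the dialog's permission names to icacls rights is this example's reading of the steps.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Paths, account and service name are the ones this page uses; the cache path is hypothetical.
$user = 'apache-u'
# list folder/read data, read attributes, read extended attributes, read permissions
$ro = '(RD,RA,REA,RC)'

# No (OI)/(CI) flag = "this folder only"; (OI)(CI) = inherited by files and subfolders.
$grants = @(
    @{ Path = 'D:\';                     Perm = $ro },               # drive root
    @{ Path = 'D:\www-s';                Perm = $ro },               # parent of the Apache directory
    @{ Path = 'D:\www';                  Perm = $ro },               # parent of the website root
    @{ Path = 'D:\www-s\apache';         Perm = '(OI)(CI)(R)' },     # read
    @{ Path = 'D:\www-s\apache';         Perm = '(CI)(RX)' },        # list folder contents
    @{ Path = 'D:\www-s\apache\bin';     Perm = '(OI)(CI)(RX)' },    # read and execute
    @{ Path = 'D:\www-s\apache\modules'; Perm = '(OI)(CI)(RX)' },
    @{ Path = 'D:\www-s\apache\logs';    Perm = '(OI)(CI)(W)' },     # write, on top of inherited read
    @{ Path = 'D:\www-s\php5';           Perm = '(OI)(CI)(RX)' },
    @{ Path = 'D:\www-s\mysql\bin';      Perm = '(OI)(CI)(X,RD)' },  # traverse/execute, list/read data
    @{ Path = 'D:\www\htdocs';           Perm = '(OI)(CI)(R)' },
    @{ Path = 'D:\www\htdocs\cache';     Perm = '(OI)(CI)(W)' }      # hypothetical; remove if unused
)

foreach ($g in $grants) {
    # ${user} is braced so PowerShell does not read "$user:" as a scoped variable.
    icacls $g.Path /grant "${user}:$($g.Perm)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($g.Path)" }
}

# Review: list every ACE that names the account on each path.
$grants | ForEach-Object { $_.Path } | Select-Object -Unique | ForEach-Object {
    icacls $_ | Select-String -SimpleMatch $user
}

# Confirm which account the service is configured to run as (expected: .\apache-u).
Get-CimInstance Win32_Service -Filter "Name='Apache2.2'" |
    Select-Object Name, StartName, State
```

These explicit grants only confine the account if broad ACEs on the same directories (for example Everyone or Authenticated Users) have already been tightened, which the article treats as basic server hardening outside its scope.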

Supplement 3:
You can create a .htaccess file in the directory that has write permission and write the following:

RewriteEngine On
# Deny requests for everything in this directory
Order Allow,Deny
Deny from all
# Allow only files whose names end in .css or .js
<Files ~ "\.(css|js)$">
Allow from all
</Files>

css and js are the allowed file extensions.
Supplement 2:
1. Error messages related to Apache permission settings
If the permissions on any one of the Apache directory, the PHP directory, or the website directory are insufficient, the Apache service cannot start normally. The usual prompt is:
Windows could not start the Apache2.2 service on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 1.
The System Event Log shows the following entry:
The Apache2.2 service terminated with service-specific error 1 (0x1).
If the PHP permission configuration is incorrect, it is recorded in the Application Event Log.
2. In addition, the directory permission configuration of MySQL does not affect normal startup of the Apache service, but the MySQL service cannot be used by website programs (the MySQL module is not shown as loaded in PHPINFO).
Supplement 1:
These permissions are usually ignored when the environment is only used for testing on the local machine, because the system user is used by default to start the Apache service. But exposing it to the Internet in that state would be dangerous.
Security is a matter of overall architecture. This article covers only the tip of the iceberg and cannot cover everything.
If you find any omissions, please point them out.
