PHP Security ramble on Apache server security settings
1. Run Apache as the nobody user
In general, Apache is installed and started by root. If the Apache server process runs with root privileges, it poses a significant threat to the security of the system, so the Apache server process should run as the lowest-privileged user possible. Modifying the following options in the httpd.conf file runs Apache as the nobody user, which is relatively safer:
User nobody
Group #-1
2. Permissions of the ServerRoot directory
To ensure that all configuration is appropriate and secure, access to Apache's home directory needs to be tightly controlled so that non-root users cannot modify its contents. Apache's home directory corresponds to the ServerRoot directive in the Apache server configuration file httpd.conf, which should be:
ServerRoot /usr/local/apache
3. SSI configuration
Add the IncludesNOEXEC option to the Options directive in the configuration file access.conf or httpd.conf to disable the exec function of server-side includes in Apache Server. This prevents users from executing programs directly through the Apache server, which would expose the server system.
Options IncludesNOEXEC
4. Prevent users from modifying system settings
Add the following settings to the Apache server's configuration file to prevent users from creating and modifying .htaccess files, so that users cannot override the security features defined by the system.
AllowOverride None
Options None
Allow from all
The specific directories are then configured appropriately.
5. Change the Apache server's default access characteristics
Apache's default settings only guarantee a certain degree of security: if the server can find a file through its normal mapping rules, the client will get that file, so for example http://localhost/~root/ would allow users to access the entire file system. Add the following to the server configuration file:
Order Deny,Allow
Deny from all
This forbids access to the file system by default.
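The following script is an added example, not part of the original article, that checks an httpd.conf for the settings from sections 1 to 5 (unprivileged User, IncludesNOEXEC or no Includes, AllowOverride None, and a default Deny on the root directory) and checks that the ServerRoot directory is root-owned and not writable by group or others. It assumes a simplified httpd.conf syntax (flat directives plus <Directory> blocks); the WEAK_CONF and HARDENED_CONF samples are constructed for the demonstration. The hardened sample goes one step beyond the text by re-opening only the document root after the default deny, which is how the "specific directories" mentioned above are usually configured.

```python
"""Audit httpd.conf hardening points (sections 1-5). Added example."""
import os
import re
import stat
import tempfile

# Constructed sample: the permissive defaults the article warns about.
WEAK_CONF = """
User root
Group wheel
ServerRoot /usr/local/apache
<Directory />
    Options Indexes FollowSymLinks Includes
    AllowOverride All
    Order Allow,Deny
    Allow from all
</Directory>
"""

# Constructed sample: the article's settings, with the document root
# explicitly re-opened after the default deny on the filesystem root.
HARDENED_CONF = """
User nobody
Group #-1
ServerRoot /usr/local/apache
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory /usr/local/apache/htdocs>
    Options IncludesNOEXEC
    AllowOverride None
    Order Allow,Deny
    Allow from all
</Directory>
"""


def parse_conf(text):
    """Return (globals, directories).

    globals maps lower-cased directive -> value; directories maps a
    <Directory> path -> {directive: value}. Only the flat structure used
    in the samples is handled (no nesting, no other containers).
    """
    globals_, dirs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Directory\s+(\S+)\s*>", line, re.I)
        if m:
            current = m.group(1)
            dirs[current] = {}
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        (dirs[current] if current else globals_)[key] = value.strip()
    return globals_, dirs


def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    g, dirs = parse_conf(text)
    findings = []
    # Section 1: the server must not run as root.
    if g.get("user", "").lower() in ("", "root"):
        findings.append("User is root or unset; run as an unprivileged user such as nobody")
    root = dirs.get("/")
    if root is None:
        findings.append("no <Directory /> block; default filesystem access is unrestricted")
        return findings
    # Section 3: no exec through SSI or CGI on the filesystem root.
    opts = root.get("options", "").lower().split()
    if "includes" in opts or "execcgi" in opts:
        findings.append("<Directory />: Options permits SSI exec/CGI; use IncludesNOEXEC or None")
    # Section 4: .htaccess must not be able to loosen the policy.
    if root.get("allowoverride", "").lower() != "none":
        findings.append("<Directory />: AllowOverride is not None; .htaccess can override policy")
    # Section 5: access to the filesystem must be denied by default.
    if root.get("order", "").lower() != "deny,allow" or root.get("deny", "").lower() != "from all":
        findings.append("<Directory />: default access not denied; need Order Deny,Allow + Deny from all")
    return findings


def check_server_root(path, owner_uid=0):
    """Section 2: ServerRoot must be owned by owner_uid (root by default)
    and must not be writable by group or others."""
    st = os.stat(path)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others (mode {oct(st.st_mode & 0o777)})")
    return findings


def demo_server_root_check():
    """Run check_server_root on a throwaway directory, once locked down
    (0755) and once loosened (0777); the current uid stands in for root."""
    with tempfile.TemporaryDirectory() as d:
        me = os.getuid()
        os.chmod(d, 0o755)
        locked = check_server_root(d, owner_uid=me)
        os.chmod(d, 0o777)
        loose = check_server_root(d, owner_uid=me)
    return locked, loose


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
    print("server root:", demo_server_root_check())
```

Against the weak sample the audit reports four findings (root user, Includes on the root directory, AllowOverride All, and no default deny); the hardened sample produces none. Point audit() at the contents of a real httpd.conf and check_server_root() at the real ServerRoot path to reuse the checks.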
6. Security considerations for CGI scripts
A CGI script is a program that can be run through a Web server. To ensure the security of the system, you should make sure that CGI authors are trustworthy. It is best to restrict CGI to a specific directory, such as cgi-bin, which is easy to manage; also make sure that the files in the CGI directory are not writable, so that deceptive programs cannot be placed there or mixed in with the legitimate ones. If you can provide users with a secure, well-written CGI program module as a reference, it may avoid many unnecessary troubles and security risks. Remove all non-business application scripts from the CGI directory to prevent abnormal information leaks.
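The following script is an added example, not part of the original article, that applies the two checks from this section to a CGI directory: every file must be on an explicit allowlist of business scripts, and neither the directory nor any file in it may be writable by group or others. The cgi-bin contents (order.cgi and a stray test-old.cgi) are constructed in a temporary directory for the demonstration.

```python
"""Audit a CGI directory for stray and writable files (section 6). Added example."""
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_cgi_dir(cgi_dir, allowed):
    """Return sorted findings for cgi_dir given an allowlist of relative file names."""
    findings = []
    if os.stat(cgi_dir).st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"{cgi_dir}: directory is writable by group or others")
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cgi_dir)
            # Anything not explicitly approved is a candidate for removal.
            if rel not in allowed:
                findings.append(f"{rel}: not on the allowlist; remove or review")
            # A writable script can be replaced with a deceptive one.
            if os.stat(path).st_mode & WRITABLE_BY_OTHERS:
                findings.append(f"{rel}: writable by group or others")
    return sorted(findings)


def demo_cgi_audit():
    """Build a constructed cgi-bin: one approved script with sane
    permissions and one stray, world-writable leftover."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        good = os.path.join(d, "order.cgi")
        stray = os.path.join(d, "test-old.cgi")
        for p in (good, stray):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho 'Content-type: text/plain'\necho\n")
        os.chmod(good, 0o755)
        os.chmod(stray, 0o777)
        return audit_cgi_dir(d, allowed={"order.cgi"})


if __name__ == "__main__":
    for finding in demo_cgi_audit():
        print(finding)
```

The demo reports two findings, both for test-old.cgi (not on the allowlist, and writable by others); order.cgi passes. For a real server, call audit_cgi_dir() with the actual cgi-bin path and the list of scripts the business actually needs.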
7. SSL link encryption
These common measures give Apache Server a basic secure operating environment; obviously, when implementing them they need to be further refined and broken down to develop a security configuration scheme that fits the practical application.