PHP: Configure open_basedir to run each virtual site independently

Source: Internet
Author: User
Several years ago, I complained that Apache could not run PHP securely: as long as one site was taken down, other sites on the server would suffer. At that time, I thought this was really bad compared with IIS, because in IIS you can set the anonymous account used for site or even directory access in the security settings, and as long as the accounts used by different sites are different, the security of one site will not affect the others. These days I discovered that the original idea was wrong. In Apache, you can configure PHP so that the sites run independently; although you cannot control in detail which user a site runs as, at least the whole server won't be taken down.

You can implement this control by configuring open_basedir of PHP. This configuration is also useful in IIS, but only the configuration under Apache is described here.

open_basedir restricts the files that PHP can access to a specified directory tree, usually the path of the site's home directory. The "." symbol can be used to represent the current directory. open_basedir can also be set to multiple directories at the same time: on Windows, separate the directories with semicolons; on any other system, separate them with colons. When PHP runs as an Apache module, the open_basedir path of the parent directory is automatically inherited. The following uses the configuration on Linux as an example:

Method 1: configure it in php.ini
open_basedir = .:/tmp/

Method 2: set it in a VirtualHost block of the Apache configuration
php_admin_value open_basedir .:/tmp/

Method 3: set it in a Directory block of the Apache configuration
php_admin_value open_basedir .:/tmp/

Explanation of the three configuration methods:
A. Method 2 has a higher priority than method 1, that is, method 2 overrides method 1; method 3 has a higher priority than method 2, that is, method 3 overrides method 2;
B. "/tmp/" is added to the configured directories because PHP's default temporary files (such as uploaded files and sessions) are stored in this directory. You therefore generally need to add this directory; otherwise, some functions are unavailable;
C. "." is added to the configured directories to refer to the current directory in which the PHP file is run. This avoids configuring each site one by one;
D. If the site also uses files outside the site directory, you need to set that directory separately in the corresponding VirtualHost.

After completing the settings, remember to find a PHP webshell (such as phpspy) and test whether there is a problem or not. The permissions should be well controlled. You are welcome to share your PHP security configuration experience.
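
A self-check for the settings above, as an added example that is not code from the original article: placed temporarily in a site's document root and requested once, it reports the effective open_basedir and checks points B and C plus one read outside the allowed directories. It assumes Linux-style paths; the helper name is_inside and the probe path /etc/passwd are choices made for this example.

```php
<?php
// Added example, not from the original article. Assumes Linux-style paths.
$raw = (string) ini_get('open_basedir');
$allowed = array_values(array_filter(explode(PATH_SEPARATOR, $raw), 'strlen'));
$findings = [];

// Hypothetical helper: is $path equal to or below one of the allowed entries?
// Plain string comparison; symlinks are not resolved.
function is_inside(string $path, array $allowed): bool
{
    $path = rtrim($path, '/') . '/';
    foreach ($allowed as $dir) {
        if ($dir === '.') {
            $dir = getcwd();          // "." means the script's working directory
            if ($dir === false) {
                continue;
            }
        }
        if (strpos($path, rtrim($dir, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

if ($allowed === []) {
    $findings[] = 'open_basedir is not set: no per-site restriction is active';
} else {
    if (in_array('.', $allowed, true)) {
        // The PHP manual cautions that "." follows the working directory.
        $findings[] = '"." is in the list: consider the absolute site path instead';
    }
    // Point B: upload and session directories must be inside the allowed list
    // (a session.save_path in the "N;/path" form is not parsed here).
    foreach (['upload_tmp_dir', 'session.save_path'] as $key) {
        $dir = ini_get($key) ?: sys_get_temp_dir();
        if (!is_inside($dir, $allowed)) {
            $findings[] = "$key ($dir) is outside open_basedir";
        }
    }
    // A file outside every allowed directory must not be readable.
    $probe = '/etc/passwd';           // assumed probe; contents are never read
    if (!is_inside($probe, $allowed) && @is_readable($probe)) {
        $findings[] = "$probe is readable although it is outside open_basedir";
    }
}

header('Content-Type: text/plain');
echo 'open_basedir = ', $raw === '' ? '(not set)' : $raw, "\n";
echo $findings ? implode("\n", $findings) : 'OK: restriction is effective', "\n";
```

Remove the script from the site once the result has been read.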
