Configure open_basedir in PHP to run virtual sites independently
At that time, I thought this was really bad compared with IIS, because in IIS you can set the anonymous account used to access a site, or even a single directory, in the security settings; as long as the accounts used by different sites are different, the security of one site will not affect the others. These days I discovered that the original idea was wrong. In Apache, you can configure PHP so that the sites run independently; although you cannot control in detail which user each site runs as, at least the whole server won't be taken down.
You can implement this control by configuring open_basedir of PHP. This configuration is also useful in IIS, but only the configuration under Apache is described here.
open_basedir restricts the files that PHP scripts can access to a specified directory tree, usually the path of the home directory. The "." symbol can be used to represent the current directory. open_basedir can also list multiple directories at the same time: in Windows, separate the directories with semicolons; on any other system, separate them with colons. When PHP runs as an Apache module, the open_basedir path of the parent directory is automatically inherited. The following uses the configuration in Linux as an example:
Method 1: configure in php.ini
open_basedir = .:/tmp/
Method 2: set it in a VirtualHost in the Apache configuration
php_admin_value open_basedir .:/tmp/
Method 3: set it in a Directory section of the Apache configuration
php_admin_value open_basedir .:/tmp/
Explanation of the three configuration methods:
A. Method 2 has a higher priority than Method 1, that is, Method 2 overrides Method 1; Method 3 has a higher priority than Method 2, that is, Method 3 overrides Method 2;
B. "/tmp/" is added to the configured directories because PHP's default temporary files (such as uploaded files and sessions) are stored in this directory. You therefore generally need to add this directory, otherwise some functions are unavailable;
C. "." in the configured directories stands for the current directory where the PHP file is run. This avoids setting each site one by one;
D. If a site also uses files outside the site directory, you need to add that directory separately on the corresponding VirtualHost;
After completing the settings, remember to find a PHP web shell (such as phpspy) and test whether there is a problem. The permissions should be well controlled.
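The post-configuration test can also be done with a small self-check script instead of a third-party web shell. The following is an added example, not code from the original article; the function name `check_open_basedir` and the two probe paths are assumptions chosen for a Linux host.

```php
<?php
// Added example, not from the original article. The function name and the
// probe paths are assumptions; pick probes that lie outside your own site.

function check_open_basedir(array $probes): array
{
    $raw = (string) ini_get('open_basedir');
    $allowed = [];
    if ($raw !== '') {
        // PATH_SEPARATOR is ";" on Windows and ":" elsewhere, the same
        // separator rule that open_basedir lists follow.
        foreach (explode(PATH_SEPARATOR, $raw) as $entry) {
            // "." follows the script's working directory; show what it
            // resolves to for this request.
            $allowed[$entry] = realpath($entry) ?: '(unresolved)';
        }
    }

    $leaks = [];
    foreach ($probes as $path) {
        // Outside the allowed list PHP refuses the access and raises a
        // warning; "@" hides the warning so only the result is reported.
        if (@is_readable($path)) {
            $leaks[] = $path;
        }
    }
    return ['active' => $raw !== '', 'allowed' => $allowed, 'leaks' => $leaks];
}

// Probes: a system file and the directory above this script, where
// neighbouring virtual hosts would normally live.
$report = check_open_basedir(['/etc/passwd', dirname(__DIR__)]);

header('Content-Type: text/plain');
echo 'open_basedir active: ', $report['active'] ? 'yes' : 'NO', "\n";
foreach ($report['allowed'] as $entry => $resolved) {
    echo "allowed: $entry => $resolved\n";
}
foreach ($report['leaks'] as $path) {
    echo "LEAK: readable outside the allowed list: $path\n";
}
echo ($report['active'] && !$report['leaks']) ? "PASS\n" : "FAIL\n";
```

Request the script once through each virtual host, since a PASS on one site says nothing about a site configured differently, and delete it when the test is done.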
You are welcome to share your PHP security configuration experience.
...