Obviously, Php+mysql+apache is a popular web technology, and this combination is powerful, extensible, and free. However, the default settings for PHP are not as appropriate for websites that are already online. The following changes the default configuration file to enhance the security policy of PHP!
0X01: Disabling the remote URL file processing feature
Like the fopen file handler function, accept the file's Rul parameter (for example: fopen (' http://www.yoursite.com ', ' R ')), which can easily access remote resources, however, this is a very important security threat, Disabling this feature to restrict the file function is a good choice, in the php.ini file, make the following changes:
Copy CodeThe code is as follows:
Allow_url_fopen = Off
0x02: Disable registering global variables
PHP in the previous version of 4.2.0, with global variables as input, this function is called register_globals, in the Web application it caused a lot of security problems, because it allows the attacker in some cases easy to manipulate global variables, Fortunately in 4.2.0 This feature is disabled by default, it is very dangerous, regardless of the circumstances to disable this feature. If some scripts require this functionality, there is a potential security threat to the script. Modify Pnp.ini To disable this feature:
Copy CodeThe code is as follows:
Register_globals = Off
0x03: Restricting PHP read and write operations
In many web development processes, PHP scripts need to read and write to the local file system, such as/var/www/htdocs/files, in order to enhance security, you can modify the local file read and Write permissions:
Copy CodeThe code is as follows:
Open_basedir =/var/www/htdocs/files
0x04:posing Limit
Restricting PHP execution time, memory usage, post, and upload data is the best strategy, and can be configured as follows:
Copy CodeThe code is as follows:
Max_execution_time = 30; Max Script Execution Time
Max_input_time = 60; Max time spent parsing input
Memory_limit = 16M; Max memory used by one script
Upload_max_filesize = 2M; Max Upload File size
Post_max_size = 8M; Max Post Size
0X05: Disable error messages and enable logging
In the default settings, PHP will output error messages to the browser, which is the most reasonable configuration in the application development process, however, it can also disclose some security information to the user, such as the installation path and user name. In a Web site that has already been developed, it is best to disable the error message and then output the error message to the log file.
Copy CodeThe code is as follows:
Display_errors = Off
Log_errors = On
0x06: Hide php files
If there is no hidden php file, we can get the server PHP version in several ways, for example using: http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Obviously, we don't want users to get the PHP version of your Web server directly, fortunately, there is a switch in php.ini to disable this feature:
Copy CodeThe code is as follows:
expose_php = Off
0X07: Safe Mode configuration
In the default case, PHP can be configured as Safe mode, in this mode, Apache prohibit access to files, environment variables and binaries, in safe mode, the biggest problem is that only the owner of the file can access this write PHP file, if there are many developers to jointly develop this program, This setting is impractical, when you need to access a PHP file you need to modify the owner of the file, and another problem is that other programs can not access these PHP files, the following configuration will be able to modify the permissions of the file for the user group rather than a single user.
Copy CodeThe code is as follows:
Safe_mode = Off
Safe_mode_gid = On
By enabling Safe_mode_gid, you can access PHP files using this group of Apache. Safe mode is also very effective against the execution of binary files, however, developers want to be able to run some binary files in certain situations. In these special cases, you can put a binary file into a directory, for example (/var/www/binaries), you can do the following settings:
Copy CodeThe code is as follows:
Safe_mode_exec_dir =/var/www/binaries
Finally, with the following settings, you can access the server's environment variables and provide a prefix separated by "_" to access only the environment variables with the specified prefix:
Copy CodeThe code is as follows:
Safe_mode_allowed_env_vars = Php_
0x08: Restricting access of public users to files with specific suffix names
For security reasons, many files with specific suffix names cannot be accessed by public users, such as the. inc suffix file, which contains sensitive information, such as MySQL connection information, if not properly configured, then each user can access the configuration file, in order to enhance the security of the site, you need to. The. htaccess file is configured as follows:
Copy CodeThe code is as follows:
<filesmatch>
Order Allow,deny
Deny from all
</filesmatch>
0X09: summary
The default configuration for PHP is for developers, and if the site is for a wide range of users, it is recommended that you reconfigure PHP.
Improved PHP Security: 8 PHP Default configurations that must be modified