php.ini Parameter Tuning
Contents
1. Turn on PHP safe mode
2. User group security
3. Disable dangerous functions
4. Turn off the PHP version information leak in the HTTP header
5. Turn off register_globals
6. Turn on magic_quotes_gpc to prevent SQL injection
7. Error message control
8. Error log
9. Tuning some resource limit parameters
10. Tuning some security parameters
11. Adjust the PHP session storage type and location
php.ini applies to both Apache and Nginx, while php-fpm.conf applies to the nginx+fcgi configuration.
First, choose the php.ini for the production environment (php.ini-production):
/home/oldboy/tools/php-5.3.27/php.ini-development
/home/oldboy/tools/php-5.3.27/php.ini-production
1. Turn on PHP safe mode
PHP's safe mode is an important security mechanism built into PHP. It restricts some PHP functions, such as system(), and applies permission checks to many file-operation functions.
This parameter is configured as follows:
safe_mode = Off
; Whether to enable safe mode
When enabled, PHP checks that the owner of the current script is the same as the owner of the file being operated on.
The default php.ini does not enable safe mode; we turn it on as follows:
safe_mode = On
2. User group security
When safe_mode is on and safe_mode_gid is off, the PHP script can access the file, and users in the same group can also access it. The recommended setting is:
safe_mode_gid = Off
If we do not set this, we may be unable to operate on the files in our server's web directory when we need to. PHP 5.3.27 defaults to safe_mode_gid = Off.
3. Disable dangerous functions
If safe mode is turned on, disabling functions is not strictly necessary, but we do it anyway for safety. For example, we do not want PHP functions that can execute commands, such as system(), or phpinfo(), which displays PHP information, to be usable, so we can disable them as follows:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
4. Turn off the PHP version information leak in the HTTP header
To prevent hackers from obtaining the server's PHP version, you can turn off this information leak in the HTTP header.
The default configuration for this parameter is as follows:
expose_php = On
Whether or not to expose the fact that PHP is installed on the server (with the HTTP header plus its signature)
It does not have a direct security threat, but it makes the client aware that PHP is installed on the server.
The recommended setting is:
expose_php = Off
5. Turn off register_globals
Variables submitted to PHP, including those submitted with POST or GET, are automatically registered as global variables and can be accessed directly. This is very insecure for the server, so we keep the register_globals option off so that they are not registered as globals:
Default configuration:
register_globals = Off
; Whether to register the E, G, P, C, S variables as global variables.
Turning this directive on can cause serious security problems unless your scripts are checked very carefully.
The predefined superglobal variables are recommended instead: $_ENV, $_GET, $_POST, $_COOKIE, $_SERVER
This directive is affected by the variables_order directive.
This directive has been removed in PHP 6.
The recommended setting is:
register_globals = Off
6. Turn on magic_quotes_gpc to prevent SQL injection
magic_quotes_gpc = Off
This is off by default. When it is turned on, it automatically escapes user-submitted data that goes into SQL queries, for example converting ' to \', which is important for preventing SQL injection, so we recommend setting it to:
magic_quotes_gpc = On
7. Error message control
In general, PHP shows an error when it cannot connect to the database or runs into some other problem. The error message usually contains the current path of the PHP script, the SQL statement being run, or similar information. Exposing this kind of information to hackers is unsafe, so it is generally recommended that servers disable error display.
The default configuration for this parameter is as follows:
display_errors = Off
; Whether to display error messages to the end user as part of the output. While debugging an application, you can turn it on to see errors easily.
; On the final published web site, it is strongly recommended that you turn this feature off and use the error log instead (see below).
; Turning this feature on for the final published web site may expose security-relevant information,
; such as file paths, the database schema, or other information on your web server.
Set to:
display_errors = Off
(PHP 5.3.27 defaults to display_errors = Off)
If you are sure you want to display error messages, be sure to set the level of errors that is displayed, such as displaying only warnings and errors:
error_reporting = E_WARNING | E_ERROR
Of course, it is best to turn error display off.
8. Error log
After turning off display_errors, it is recommended to log error messages so that you can find out what is happening on the running server:
log_errors = On
PHP 5.3.27 defaults to log_errors = On.
Also set the location where the error log is stored; it is suggested to keep it together with the Apache logs:
error_log = /app/logs/php_error.log
Note: the file must be writable by the Apache user and group.
9. Tuning some resource limit parameters
(1) Maximum run time for each script
When files cannot be uploaded or background data processing often times out, the following setting needs to be adjusted:
max_execution_time = 30
; The maximum execution time allowed for each script (in seconds); 0 means no limit.
; This parameter helps prevent poorly written scripts from endlessly consuming server resources.
; This directive only affects the run time of the script itself. Time spent outside the script's own execution, such as system()/sleep() calls, database queries, and file uploads, is not included.
; In safe mode, you cannot change this setting at run time with ini_set().
(2) Maximum memory used by each script
memory_limit = 128M
; The maximum number of bytes of memory that a script can request (K and M can be used as units).
; This helps prevent poorly written scripts from consuming all the memory on the server.
; To be able to use this directive, you must use the "--enable-memory-limit" configuration option at compile time.
; If you want to remove the memory limit, you must set it to -1.
; After the directive is set, the memory_get_usage() function becomes available.
(3) Maximum time for each script to wait for input data
max_input_time = -1
; The maximum time (in seconds) allowed for each script to parse input data (POST, GET, upload).
; -1 means no limit.
Set to:
max_input_time = 60
(4) Maximum allowed size for uploaded files
When uploading large files, you need to adjust the following parameter:
upload_max_filesize = 2M
; The maximum allowed size of an uploaded file. Some picture forums need a larger value.
10. Tuning some security parameters
(1) Prohibit opening remote addresses. Remember the recent PHP include vulnerability? When a PHP program includes a file named by a variable, an intruder can use this to control the server and make it execute a remote PHP program locally, such as a phpshell, so we turn this off.
allow_url_fopen = Off
(2) Set cgi.fix_pathinfo=0 to prevent the Nginx file type parsing vulnerability
cgi.fix_pathinfo=0
11. Adjust the PHP session storage type and location
session.save_handler = files
Name of the handler used to store and retrieve the data associated with a session. The default is files ("files").
If you want to use a custom handler (such as a database-based handler), "user" can be used.
; Set to "memcache" to use memcache as the session handler (you need to specify the "--enable-memcache-session" compile option).
; session.save_path = "/tmp"
; The argument passed to the storage handler. For the files handler, this value is the path where session data files are created.
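The recommendations in sections 1 to 10 can be checked mechanically. The following Python script is an added example, not part of the original article: it parses php.ini text and reports directives that differ from the values recommended above. The function names (parse_ini, audit) and the sample file are constructed for illustration. It also shows that when disable_functions appears twice, as in section 3, only the last line takes effect.

```python
# Added example (constructed names and sample): audit php.ini text against the
# values this article recommends for its PHP 5.3 configuration.
RECOMMENDED = {  # On/Off values from sections 1-10; directive names are case-sensitive
    "safe_mode": True, "safe_mode_gid": False, "expose_php": False,
    "register_globals": False, "magic_quotes_gpc": True,
    "display_errors": False, "log_errors": True,
    "allow_url_fopen": False, "cgi.fix_pathinfo": False,
}
MUST_DISABLE = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}  # section 3
ON_VALUES = ("1", "on", "true", "yes")

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one, as in php.ini."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        if "=" in line:                           # skips blanks and [section] headers
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    settings, findings = parse_ini(text), []
    for name, want in RECOMMENDED.items():
        if name not in settings:
            findings.append(f"{name}: not set explicitly")
        elif (settings[name].lower() in ON_VALUES) != want:
            findings.append(f"{name}: is {settings[name]}, expected {'On' if want else 'Off'}")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: missing " + ",".join(missing))
    return sorted(findings)

# Constructed sample: the second disable_functions line replaces the first.
SAMPLE = """\
safe_mode = On
safe_mode_gid = Off
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
disable_functions = chdir,chroot,dir
expose_php = On        ; left at its default
register_globals = Off
magic_quotes_gpc = On
display_errors = Off
log_errors = On
allow_url_fopen = Off
cgi.fix_pathinfo=0
"""
print("\n".join(audit(SAMPLE)))
```

Putting every function on a single disable_functions line clears the first finding.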
Installing the Memcache Client
To modify the configuration file, set the global settings in php.ini:
Web cluster session shared storage settings:
The default session type and path in php.ini:
#session.save_handler = files
#session.save_path = "/tmp"
Modify the settings as follows:
session.save_handler = memcache
session.save_path = "tcp://10.0.0.18:11211"
Tips:
1) 10.0.0.18:11211 is the IP and port of the memcached cache
2) The above is suitable for LNMP and LAMP environments
3) There can also be multiple memcached servers, with requests distributed by hash
This article is from the "Yi Xiaoyi" blog, make sure to keep this source http://gongxiaoyi.blog.51cto.com/7325139/1825444