Tuesday, April 2, 2013
Apache + PHP security settings on Linux: isolating Apache virtual hosts from each other
1. Give each virtual host a jail-like environment
a.upl.com /wwwroot/a.upl.com/
b.upl.com /wwwroot/b.upl.com/
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/wwwroot/a.upl.com/"
ServerName a.upl.com
ErrorLog "logs/a.upl.com-error_log"
CustomLog "logs/a.upl.com-access_log" common
<IfModule mod_php5.c>
php_admin_value open_basedir "/wwwroot/a.upl.com/:/tmp:/var/lib/php/session"
</IfModule>
(The open_basedir line in the middle is the key of this section! Use php_admin_value, not php_value, so the site cannot override it from .htaccess or with ini_set().)
<IfModule suexec.c>
SuexecUserGroup daemon daemon
</IfModule>
(These three lines do nothing for PHP: suexec applies only to CGI scripts run through suEXEC, and under mod_php every site runs as the Apache user anyway, so they can be dropped.)
</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/wwwroot/b.upl.com/"
ServerName b.upl.com
ErrorLog "logs/b.upl.com-error_log"
CustomLog "logs/b.upl.com-access_log" common
<Directory "/wwwroot/b.upl.com/">
Order deny,allow
allow from all
</Directory>
<IfModule mod_php5.c>
php_admin_value open_basedir "/wwwroot/b.upl.com/:/tmp:/var/lib/php/session"
</IfModule>
<IfModule suexec.c>
SuexecUserGroup daemon daemon
</IfModule>
</VirtualHost>
Two caveats. First, both sites still share /tmp and /var/lib/php/session in their open_basedir, so a script on a.upl.com can read b.upl.com's session files (and anything b.upl.com uploads to /tmp); for real separation give each site its own session.save_path and upload_tmp_dir and list only those directories in its open_basedir. Second, open_basedir restricts only PHP's own file functions; a program started with exec() or system() is not confined by it, which is what section 2 addresses. The Order/allow lines are Apache 2.2 syntax; on Apache 2.4 use Require all granted instead.
Worked test:
Two sites, www.abc.com and www.def.com, with document roots /var/www/html/vhost/www.abc.com/html and /var/www/html/vhost/www.def.com/html respectively, each with open_basedir set to its own root plus /tmp as above.
Create a PHP file under www.abc.com that reads a file belonging to www.def.com and outputs it to the browser (strictly speaking, PHP writes it into the web server's output buffer):
<?php
// test.php in www.abc.com's document root: try to read a file from the neighbouring site
readfile('../../www.def.com/html/index.html');
?>
Running it fails, with errors roughly as follows:
Warning: readfile(): open_basedir restriction in effect. File(../../www.def.com/html/index.html) is not within the allowed path(s): (/var/www/html/vhost/www.abc.com/html/:/tmp) in /var/www/html/vhost/www.abc.com/html/test.php on line 2
Warning: readfile(../../www.def.com/html/index.html): failed to open stream: Operation not permitted in /var/www/html/vhost/www.abc.com/html/test.php on line 2
open_basedir is checked against the resolved path, so the ../../ traversal is rejected even though the target file exists and is readable by the Apache user. Note also that the first warning prints the allowed paths, which is one reason to keep display_errors off on a production server (section 4).
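The provisioning script below is an added example, not part of the original post or of the tanpao.com article it is taken from. It prints one <VirtualHost> block per site and creates the site's private PHP state directories, closing the gap left by the configuration above, where every site shares /tmp and /var/lib/php/session. The host names, the /wwwroot and /var/lib/php layout, and the Apache 2.4 access-control syntax are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate one hardened
# <VirtualHost> per site for mod_php, giving every site its own
# open_basedir, session directory and upload directory so that no site can
# read another site's session files or uploads.
# Assumptions (not from the page): sites live under $WWWROOT/<host>/, private
# PHP state under $PHPSTATE/<host>/, Apache 2.4 ("Require") syntax.
WWWROOT=${WWWROOT:-/wwwroot}
PHPSTATE=${PHPSTATE:-/var/lib/php}

# vhost_block HOST: print the VirtualHost block for HOST on stdout.
vhost_block() {
    host=$1
    docroot="$WWWROOT/$host"
    priv="$PHPSTATE/$host"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot "$docroot"
    ErrorLog "logs/$host-error_log"
    CustomLog "logs/$host-access_log" common
    <Directory "$docroot">
        Require all granted
        AllowOverride None
    </Directory>
    <IfModule mod_php5.c>
        # Only this site's tree plus its private state dirs; nothing shared.
        php_admin_value open_basedir "$docroot/:$priv/session/:$priv/upload/"
        # Sessions and uploads stay private to this site.
        php_admin_value session.save_path "$priv/session"
        php_admin_value upload_tmp_dir "$priv/upload"
        # php_admin_* settings cannot be overridden by ini_set() or .htaccess.
        php_admin_flag display_errors Off
    </IfModule>
</VirtualHost>

EOF
}

# private_dirs HOST: create the site's private state directories, accessible
# only by their owner. They must be owned by the user Apache runs as
# (e.g. daemon); with mod_php all sites share that UID, so open_basedir,
# not file ownership, is what keeps them apart.
private_dirs() {
    priv="$PHPSTATE/$1"
    mkdir -p "$priv/session" "$priv/upload"
    chmod 700 "$priv" "$priv/session" "$priv/upload"
}

# Usage: sh make-vhosts.sh a.upl.com b.upl.com > /etc/httpd/conf.d/vhosts.conf
for h in "$@"; do
    private_dirs "$h"
    vhost_block "$h"
done
```

Because mod_php runs every site under the same UID, the file system does not separate the sites and open_basedir is the only barrier; giving each site its own UID requires running PHP outside mod_php (php-fpm pools or mod_fcgid), which this page does not cover.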
2. Stop PHP backdoors from executing system commands
# vim /usr/local/lib/php.ini
disable_functions = phpinfo,gzcompress,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,popen,ini_restore,syslog,define_syslog_variables,symlink,link,error_log,leak,dbmopen,openlog,closelog,pclose,stream_socket_server
The entries that matter are the command-execution functions: exec, passthru, shell_exec, system, popen and proc_open (plus pcntl_exec if the pcntl extension is loaded). A web shell needs only one of them to run OS commands, so all of them must be disabled, not passthru alone. disable_functions can only be set in php.ini, not in httpd.conf or .htaccess, and it applies to every virtual host on the server. The rest of the list does not concern command execution; phpinfo is disabled to stop information disclosure and symlink/link to stop file-system tricks, but check that the applications you host do not depend on these entries (gzcompress and error_log in particular are widely used). Treat this as a second layer behind open_basedir rather than a boundary: only direct calls to the listed functions are blocked, and any function not on the list that spawns a process itself (mail() invoking sendmail, for example) is not covered.
3. Hide PHP version information
expose_php = Off
(Off suppresses the X-Powered-By: PHP/x.y.z response header; On, the default, advertises the exact PHP version to every client.)
4. Turn off on-screen error display (skip this if you routinely debug on the live server)
display_errors = Off
Pair it with log_errors = On so that errors still reach the web server's error log instead of the response body, where they leak file paths, SQL fragments and, as the test above shows, the open_basedir allowed paths.
5. Have PHP escape single quotes and other special characters (not recommended, it easily breaks things; for reference only)
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = On
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = On
If these are enabled some PHP applications stop working, so they are not recommended. Magic quotes were also deprecated in PHP 5.3 and removed in PHP 5.4, and they never were a reliable defence against SQL injection; use prepared statements with bound parameters instead.
6. Run PHP in safe mode (rarely used, the restrictions are very strict; also not recommended)
safe_mode = On
safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; the open_basedir and disable_functions settings above are the supported replacement.
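Sections 2 to 6 are all php.ini settings, so the checker below is an added example, not part of the original post or of the tanpao.com article, that audits a php.ini against them in one pass: it reports any command-execution function missing from disable_functions, expose_php or display_errors not being Off, and magic_quotes_*/safe_mode still set On. The list of functions, the finding names and the output format are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the
# hardening settings in sections 2 to 6. Prints one finding per line and
# nothing when the file is clean. Findings:
#   missing-disable:<fn>   command-execution function not in disable_functions
#   expose_php             expose_php is not Off
#   display_errors         display_errors is not Off
#   removed:<directive>    magic_quotes_*/safe_mode still On (removed in PHP 5.4)
# Assumption: the usual "name = value" php.ini syntax with ';' comments.

# Every one of these lets a web shell run OS commands; passthru alone is not
# the key, all of them must be disabled (pcntl_exec only exists with the
# pcntl extension; listing it anyway is harmless).
EXEC_FUNCS="exec passthru shell_exec system popen proc_open pcntl_exec dl"

# ini_get FILE NAME: print NAME's value (first uncommented match), unquoted,
# trailing comment removed, lower-cased; prints nothing if unset.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*;.*$//; s/^"\(.*\)"$/\1/' | tr 'A-Z' 'a-z'
}

# is_off VALUE: true for the spellings PHP treats as boolean false.
# An empty value (directive unset) is NOT off: both expose_php and
# display_errors default to on.
is_off() {
    case "$1" in off|0|false|no|none) return 0 ;; *) return 1 ;; esac
}

# audit_php_ini FILE: print the findings for FILE.
audit_php_ini() {
    ini=$1
    disabled=$(ini_get "$ini" disable_functions | tr -d ' \t' | tr ',' '\n')
    for f in $EXEC_FUNCS; do
        printf '%s\n' "$disabled" | grep -qx "$f" || printf 'missing-disable:%s\n' "$f"
    done
    is_off "$(ini_get "$ini" expose_php)" || printf 'expose_php\n'
    is_off "$(ini_get "$ini" display_errors)" || printf 'display_errors\n'
    for d in magic_quotes_gpc magic_quotes_runtime magic_quotes_sybase safe_mode; do
        case "$(ini_get "$ini" "$d")" in
            on|1|true|yes) printf 'removed:%s\n' "$d" ;;
        esac
    done
}

# Usage: sh audit-php-ini.sh /usr/local/lib/php.ini
if [ $# -eq 1 ]; then
    audit_php_ini "$1"
fi
```

Run it after every php.ini change and after PHP upgrades: a packaged php.ini-production shipped with a new version silently resets expose_php and disable_functions.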
From http://www.tanpao.com/archives/17 (lightly edited and annotated)