Apache + PHP security settings on Linux: isolating Apache virtual hosts from each other

1. Confining each virtual host to its own jail

a.upl.com /wwwroot/a.upl.com/
b.upl.com /wwwroot/b.upl.com/

<VirtualHost *:80>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "/wwwroot/a.upl.com/"
ServerName a.upl.com
ErrorLog "logs/a.upl.com-error_log"
CustomLog "logs/a.upl.com.com-access_log" common

<IfModule mod_php5.c>
php_admin_value open_basedir "/wwwroot/a.upl.com/:/tmp:/var/lib/php/session"
</IfModule>
# (The middle line of the block above is the key setting!)

<IfModule suexec.c>
SuexecUserGroup daemon daemon
</IfModule>
# (The three lines above seem to have no effect?)

</VirtualHost>
<VirtualHost *:80>
ServerAdmin webmaster@dummy-host2.example.com
DocumentRoot "/wwwroot/b.upl.com/"
ServerName b.upl.com
ErrorLog "logs/b.upl.com-error_log"
CustomLog "logs/b.upl.com-access_log" common

<Directory "/wwwroot/b.upl.com/">
Order deny,allow
allow from all
</Directory>

<IfModule mod_php5.c>
php_admin_value open_basedir "/wwwroot/b.upl.com/:/tmp:/var/lib/php/session"
</IfModule>

<IfModule suexec.c>
SuexecUserGroup daemon daemon
</IfModule>
</VirtualHost>

Worked test:

Take two sites, www.abc.com and www.def.com, whose document roots are /var/www/html/vhost/www.abc.com/html and /var/www/html/vhost/www.def.com/html respectively.

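Under the www.abc.com site, create a PHP file that reads a file belonging to www.def.com and outputs it to the browser (strictly speaking, PHP writes it to the web server's output buffer):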

<?php
readfile('../../www.def.com/html/index.html');
?>

Running it fails, with error messages roughly like the following:

Warning: readfile(): open_basedir restriction in effect. File(../../www.def.com/html/index.html) is not within the allowed path(s): (/var/www/html/vhosts/www.def.com/html/:/tmp) in /var/www/html/vhosts/abc/html/test.php on line 2

Warning: readfile(../../www.def.com/html/index.html): failed to open stream: Operation not permitted in /var/www/html/vhosts/www.abc.com/html/test.php on line 2
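As an added example (not part of the original post), the Python script below audits a set of VirtualHost blocks for the isolation property tested above: every vhost should set open_basedir, its DocumentRoot should lie inside it, and no entry should cover another site's DocumentRoot. The sample config, the c.upl.com host and all function names are constructed for illustration; the script looks only at per-vhost php_admin_value lines (not a global php.ini) and needs Python 3.9+.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: a is confined, b has no open_basedir, c allows the shared parent.
SAMPLE_CONF = '''
<VirtualHost *:80>
ServerName a.upl.com
DocumentRoot "/wwwroot/a.upl.com/"
php_admin_value open_basedir "/wwwroot/a.upl.com/:/tmp"
</VirtualHost>
<VirtualHost *:80>
ServerName b.upl.com
DocumentRoot "/wwwroot/b.upl.com/"
</VirtualHost>
<VirtualHost *:80>
ServerName c.upl.com
DocumentRoot "/wwwroot/c.upl.com/"
php_admin_value open_basedir "/wwwroot/:/tmp"
</VirtualHost>
'''

def directive(block, name):
    # Argument of the first matching directive, surrounding quotes stripped.
    m = re.search(r'^\s*' + name + r'\s+"?([^"\n]+?)"?\s*$', block, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    # Map ServerName -> (DocumentRoot, list of open_basedir entries).
    vhosts = {}
    for block in re.findall(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', conf, re.S | re.I):
        basedir = directive(block, r'php_admin_value\s+open_basedir')
        allowed = [PurePosixPath(p) for p in basedir.split(':')] if basedir else []
        vhosts[directive(block, 'ServerName')] = (
            PurePosixPath(directive(block, 'DocumentRoot')), allowed)
    return vhosts

def audit(conf):
    # Return sorted (vhost, finding) pairs describing isolation gaps.
    vhosts, findings = parse_vhosts(conf), []
    for name, (root, allowed) in vhosts.items():
        if not allowed:
            findings.append((name, 'open_basedir not set'))
        elif not any(root.is_relative_to(base) for base in allowed):
            findings.append((name, 'DocumentRoot outside open_basedir'))
        for other, (other_root, _) in vhosts.items():
            if other != name and any(other_root.is_relative_to(b) for b in allowed):
                findings.append((name, 'open_basedir covers ' + other))
    return sorted(findings)
```

Calling audit(SAMPLE_CONF) reports b.upl.com as unrestricted and c.upl.com as able to reach both other sites, while a.upl.com produces no finding.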

2. Preventing PHP backdoors from executing system commands

# vim /usr/local/lib/php.ini

disable_functions = phpinfo,gzcompress,apache_note,apache_setenv,proc_get_status,exec,passthru,proc_nice,proc_open,proc_terminate,shell_exec,system,popen,ini_restore,syslog,define_syslog_variables,symlink,link,error_log,leak,dbmopen,openlog,closelog,popen,pclose,stream_socket_server

The key one is the passthru function; it is what lets a backdoor execute system commands.

3. Hiding PHP information
expose_php = Off

4. Turning off error display (skip this if you often debug on the live server)
display_errors = Off

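5. Having PHP escape single quotes and other special characters (this setting is not recommended and easily causes problems; for reference only)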
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = On

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = On
If this is turned on, some PHP applications stop working properly, so it is not recommended.

6. Running PHP in safe mode (generally not used because its restrictions are very strict; also not recommended)
safe_mode = On

from http://www.tanpao.com/archives/17 (with minor changes and annotations)




coded by nessus