Difference between revisions of "PHP"
Revision as of 15:29, 19 March 2016
Warning: These instructions were only tested on Debian. They will probably work on other Linux distributions, but you might need to adapt the commands.
Warning: This page is a work in progress and is not complete. Important information might be missing or wrong.
== Prerequisite ==
To use this guide, you will need Nginx installed and configured.

== Installation ==
<syntaxhighlight lang="console">
# apt install php5-cli php5-fpm php5-apcu
</syntaxhighlight>
== Configuration ==

=== Common configuration ===
In Debian, the different flavours of PHP (php5-cli, php5-fpm, ...) each have their own configuration file. This allows fine-grained configuration but makes it harder to get common behaviour across all of them.

Let's create a common file read by all PHP interpreters. The <code>; priority=99</code> comment is read by <code>php5enmod</code>: it gives the file a late position in each <code>conf.d/</code> directory, so its settings override those of the other modules.
<syntaxhighlight lang="console">
# echo -e '; Common configuration for all PHP interpreters\n; priority=99\n' > /etc/php5/mods-available/local-common.ini
# php5enmod local-common
</syntaxhighlight>

Unless specified otherwise, all the settings below go in <code>/etc/php5/mods-available/local-common.ini</code>.
=== Integrate with Nginx ===
Create the file <code>/etc/nginx/conf.d/php5.conf</code>:
<syntaxhighlight lang="nginx">
upstream php {
    server unix:/var/run/php5-fpm.sock;
}
</syntaxhighlight>
=== Security ===
PHP is known to have a particularly poor track record in terms of security. Although things are improving, it is recommended to harden your installation.

==== Hide PHP ====
It is generally a bad idea to give away information about the technologies used by your system. The default session cookie name reveals that PHP is in use; renaming it makes sure that PHP is not exposed this way. The new name is also shorter than the default, which saves a few bytes per request.
<syntaxhighlight lang="ini">
; Name of the session ID cookie
session.name = sid
</syntaxhighlight>
==== Session IDs ====
By default, PHP session IDs are not very random. Let's get some more entropy:
<syntaxhighlight lang="ini">
; By default, PHP session IDs are not very random:
; http://samy.pl/phpwn/ reduces session ID entropy down to 20 bits
; The settings below use 256 bits of entropy from /dev/urandom
session.entropy_length = 32
; Default is md5
session.hash_function = sha256
; Not security related: makes the session ID cookie a bit shorter
session.hash_bits_per_character = 6
</syntaxhighlight>
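To see what these three settings actually do to the cookie, here is an added Python example (it is not code from this wiki page). It ports the <code>bin_to_readable()</code> encoder from PHP 5's <code>ext/session/session.c</code> and uses it to work out the length, alphabet and maximum entropy of a session ID for a given <code>session.hash_function</code> and <code>session.hash_bits_per_character</code>. It assumes PHP 5's encoding (each byte is consumed low bits first, so the 4-bit form is not the same as <code>bin2hex()</code>); the exact input PHP hashes, which also mixes in the client address and the current time, is not reproduced, only the encoding of the digest.

```python
"""PHP 5 session ID encoding, as an added illustration of the settings above.

Added example, not code from the wiki page. bin_to_readable() below is a
Python port of the routine of the same name in PHP 5's ext/session/session.c;
the rest is a small wrapper to show what session.hash_function and
session.hash_bits_per_character do to the resulting cookie value.
"""
import hashlib
import math
import os

# Symbol table used by PHP 5's session module; 4 bits/char uses the first 16
# entries (hex), 5 bits/char the first 32, 6 bits/char all 64.
PHP_SESSION_ALPHABET = (
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"
)


def bin_to_readable(digest: bytes, nbits: int) -> str:
    """Port of PHP 5's bin_to_readable(): consume the digest byte by byte,
    emitting nbits-wide symbols starting from the low bits of each byte.
    If the digest's bit length is not a multiple of nbits, a final partial
    symbol carries the leftover bits."""
    if nbits not in (4, 5, 6):
        raise ValueError("session.hash_bits_per_character must be 4, 5 or 6")
    mask = (1 << nbits) - 1
    window, have, pos = 0, 0, 0
    out = []
    while True:
        if have < nbits:
            if pos < len(digest):
                window |= digest[pos] << have
                pos += 1
                have += 8
            elif have == 0:
                break  # everything consumed
            else:
                have = nbits  # final round with the leftover bits
        out.append(PHP_SESSION_ALPHABET[window & mask])
        window >>= nbits
        have -= nbits
    return "".join(out)


def make_session_id(hash_function: str, bits_per_char: int,
                    entropy_length: int = 32, entropy: bytes = None) -> str:
    """Hash `entropy_length` random bytes with the configured digest and
    encode the result like PHP 5 does. (The real interpreter also mixes the
    client address and the current time into the hashed input; that is left
    out here because only the encoding matters for the cookie's shape.)"""
    if entropy is None:
        entropy = os.urandom(entropy_length)
    digest = hashlib.new(hash_function, entropy).digest()
    return bin_to_readable(digest, bits_per_char)


def session_id_profile(hash_function: str, bits_per_char: int,
                       entropy_length: int = 32) -> dict:
    """Describe the session ID a configuration produces: cookie length,
    alphabet size, and the most entropy the ID can carry, which is capped
    by both the entropy read and the digest size (so entropy_length = 32
    buys nothing beyond 128 bits while hash_function is still md5)."""
    digest_bits = hashlib.new(hash_function).digest_size * 8
    return {
        "length": math.ceil(digest_bits / bits_per_char),
        "alphabet_size": 1 << bits_per_char,
        "max_entropy_bits": min(entropy_length * 8, digest_bits),
    }


if __name__ == "__main__":
    # Debian-style default (md5, 5 bits) versus the page's settings.
    for name, bits in (("md5", 5), ("sha256", 4), ("sha256", 6)):
        print(name, bits, session_id_profile(name, bits),
              make_session_id(name, bits))
```

With md5 and 5 bits per character the cookie is 26 characters and can never carry more than 128 bits, whatever <code>session.entropy_length</code> says; with sha256 and 6 bits per character it is 43 characters and carries up to the full 256 bits, which is why the two settings have to be changed together.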
Prevent session fixation attacks:
<syntaxhighlight lang="ini">
; Don't allow clients to choose their own session ID
session.use_strict_mode = 1
; Hide the session cookie from JavaScript
session.cookie_httponly = 1
; Make the session cookie work only over HTTPS
; Warning: it might break your application if you don't use HTTPS
session.cookie_secure = 1
</syntaxhighlight>
Note that <code>session.use_strict_mode</code> only exists from PHP 5.5.2 onwards; older interpreters silently ignore it, so check your version before relying on it.
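As an added example (not code from this page), here is a small Python audit that parses an ini fragment in the flat <code>key = value</code> format used under <code>/etc/php5/mods-available/</code> and reports which of the session settings from this section are missing or weaker than recommended. The two ini texts embedded in it are constructed samples, not copies of any real Debian file; point it at the real <code>local-common.ini</code> to check the file after editing. It assumes the stock cookie name is <code>PHPSESSID</code> and that <code>session.hash_function = 0</code> means md5, and it flags <code>session.entropy_length</code> whenever it is not set explicitly rather than assuming a particular built-in default.

```python
"""Audit a PHP ini fragment for the session hardening settings above.

Added example, not code from the wiki page. parse_php_ini() handles the
flat `key = value` dialect used under /etc/php5/mods-available/, and
audit_session_settings() returns one finding per setting that is missing
or weaker than recommended (an empty list means the fragment is hardened).
"""
import sys

# Constructed sample resembling a stock configuration (not a real Debian file).
WEAK_INI = """\
; stock-like settings
session.name = PHPSESSID
session.hash_function = 0          ; 0 means md5
session.hash_bits_per_character = 5
session.cookie_httponly =
"""

# Constructed sample with the settings recommended on this page.
HARDENED_INI = """\
; priority=99
session.name = sid
session.entropy_length = 32
session.hash_function = sha256
session.hash_bits_per_character = 6
session.use_strict_mode = 1
session.cookie_httponly = 1
session.cookie_secure = 1
"""


def parse_php_ini(text: str) -> dict:
    """Minimal PHP ini reader: ';' starts a comment, [sections] are skipped,
    and quotes around a value are removed. Good enough for these fragments;
    it does not handle ';' inside quoted values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def _normalize(value: str) -> str:
    """Map PHP's boolean spellings to '1'/'0' and lower-case everything else."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "1"
    if v in ("0", "off", "false", "no", "none", ""):
        return "0"
    return v


def audit_session_settings(text: str) -> list:
    """Return a list of findings for the session settings in `text`."""
    cfg = {k: _normalize(v) for k, v in parse_php_ini(text).items()}
    findings = []

    # Flags that must be on: strict mode (no client-chosen IDs), and the
    # HttpOnly and Secure cookie attributes.
    for key in ("session.use_strict_mode", "session.cookie_httponly",
                "session.cookie_secure"):
        if cfg.get(key) != "1":
            findings.append(f"{key} should be 1 (got {cfg.get(key, 'unset')})")

    # The default cookie name advertises PHP; the page renames it to 'sid'.
    if cfg.get("session.name", "phpsessid") == "phpsessid":
        findings.append("session.name is the default PHPSESSID, which exposes PHP")

    # 0/md5 and 1/sha1 are the aliases PHP accepts for its built-in digests;
    # both are shorter than the recommended sha256.
    hf = cfg.get("session.hash_function", "0")
    if hf in ("0", "md5", "1", "sha1"):
        findings.append(f"session.hash_function = {hf}; sha256 is recommended")

    el = cfg.get("session.entropy_length")
    if el is None:
        findings.append("session.entropy_length not set explicitly; 32 is recommended")
    elif not el.isdigit() or int(el) < 32:
        findings.append(f"session.entropy_length = {el}, below the recommended 32 bytes")

    return findings


def main(argv) -> int:
    """Audit the files named on the command line, or the built-in samples."""
    sources = [(p, open(p).read()) for p in argv[1:]] or [
        ("weak sample", WEAK_INI), ("hardened sample", HARDENED_INI)]
    worst = 0
    for label, text in sources:
        findings = audit_session_settings(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
        worst = max(worst, len(findings))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any audited file has findings, so the script can sit in a deployment check; the weak sample produces six findings (the three cookie flags, the default cookie name, the md5 hash function and the unset entropy length) while the hardened sample produces none.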