Difference between revisions of "PHP"
From wiki
(always_populate_raw_post_data = -1;) |
(php7) |
||
| Line 7: | Line 7: | ||
== Installation == | == Installation == | ||
| + | === Debian Jessie === | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
# apt install php5-cli php5-fpm php5-apcu | # apt install php5-cli php5-fpm php5-apcu | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | === Debian Stretch === | ||
| + | <syntaxhighlight lang="console"> | ||
| + | # apt install php7.0-cli php7.0-fpm php7.0-apcu | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 18: | Line 24: | ||
Let’s create a common file read by all PHP interpreters. | Let’s create a common file read by all PHP interpreters. | ||
| + | |||
| + | ==== Debian Jessie ==== | ||
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
# echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' > /etc/php5/mods-available/local-common.ini | # echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' > /etc/php5/mods-available/local-common.ini | ||
| Line 24: | Line 32: | ||
Unless specified, all the settings bellow should go to <code>/etc/php5/mods-available/local-common.ini</code> | Unless specified, all the settings bellow should go to <code>/etc/php5/mods-available/local-common.ini</code> | ||
| + | |||
| + | ==== Debian Stretch ==== | ||
| + | <syntaxhighlight lang="console"> | ||
| + | # echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' > /etc/php/7.0/mods-available/local-common.ini | ||
| + | # phpenmod -v 7.0 local-common | ||
| + | </syntaxhighlight>Unless specified, all the settings bellow should go to <code>/etc/php/7.0/mods-available/local-common.ini</code> | ||
=== Integrate with Nginx === | === Integrate with Nginx === | ||
| Line 29: | Line 43: | ||
Create file <code>/etc/nginx/conf.d/php5.conf</code> | Create file <code>/etc/nginx/conf.d/php5.conf</code> | ||
<syntaxhighlight lang="nginx"> | <syntaxhighlight lang="nginx"> | ||
| − | upstream | + | upstream php5 { |
server unix:/var/run/php5-fpm.sock; | server unix:/var/run/php5-fpm.sock; | ||
} | } | ||
| Line 42: | Line 56: | ||
It is generally a bad idea to give information on the technologies used by your system. This setting make sure that PHP is not exposed. | It is generally a bad idea to give information on the technologies used by your system. This setting make sure that PHP is not exposed. | ||
<syntaxhighlight lang="ini"> | <syntaxhighlight lang="ini"> | ||
| − | ; Name of the sessionid cookie | + | ; Name of the sessionid cookie. Hide PHP and get a smaller cookie |
session.name = sid | session.name = sid | ||
; Don't add script name in emails | ; Don't add script name in emails | ||
| Line 84: | Line 98: | ||
==== Limit access to POST data ==== | ==== Limit access to POST data ==== | ||
| − | <syntaxhighlight lang="ini"> | + | This setting only apply to Debian 8 (Jessie) and bellow<syntaxhighlight lang="ini"> |
; The preferred method for accessing raw POST data is php://input, and $HTTP_RAW_POST_DATA is deprecated in PHP 5.6.0 onwards. | ; The preferred method for accessing raw POST data is php://input, and $HTTP_RAW_POST_DATA is deprecated in PHP 5.6.0 onwards. | ||
; This feature is removed in PHP7 | ; This feature is removed in PHP7 | ||
Revision as of 06:52, 9 May 2016
 Warning: | These instructions were only tested on Debian. It will probably work for other Linux distributions, but you might need to adapt the provided instructions. |
| Warning: | This page is a work in progress and is not completed. Important informations might be missing or wrong. |
Prerequisite
To use this guide, you will need Nginx installed and configured.
Installation
Debian Jessie
# apt install php5-cli php5-fpm php5-apcu
Debian Stretch
# apt install php7.0-cli php7.0-fpm php7.0-apcu
Configuration
Common configuration
In Debian, the different flavour of PHP have their own configuration file. This allow fine grained configuration but makes it harder to have common behaviour.
Let’s create a common file read by all PHP interpreters.
Debian Jessie
# echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' > /etc/php5/mods-available/local-common.ini
# php5enmod local-common
Unless specified, all the settings bellow should go to /etc/php5/mods-available/local-common.ini
Debian Stretch
# echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' > /etc/php/7.0/mods-available/local-common.ini
# phpenmod -v 7.0 local-common
Unless specified, all the settings bellow should go to /etc/php/7.0/mods-available/local-common.ini
Integrate with Nginx
Create file /etc/nginx/conf.d/php5.conf
upstream php5 {
server unix:/var/run/php5-fpm.sock;
}
Security
PHP is known to have a particularly poor track record in term of security. Although things are improving, it is recommended to harden you installation.
Hide PHP
It is generally a bad idea to give information on the technologies used by your system. This setting make sure that PHP is not exposed.
; Name of the sessionid cookie. Hide PHP and get a smaller cookie
session.name = sid
; Don't add script name in emails
mail.add_x_header = 0
Session IDs
By default PHP session IDs are not very random. Let's get some more entropy
; By default, PHP session IDs are not very random
; http://samy.pl/phpwn/ reduce session entropy down to 20 bits
; The settings bellow uses 256 bits of entropy from /dev/urandom
session.entropy_length = 32
; Default is md5
session.hash_function = sha256
; Not security related. Make the session ID cookie a bit shorter
session.hash_bits_per_character = 6
Prevent session fixation attacks
; Don't allow client to choose their session id
session.use_strict_mode = 1
; Hide session cookie from JavaScript
session.cookie_httponly = 1
; Make session cookie work only with HTTPS
; Warning: it might break you application if you don't use HTTPS
session.cookie_secure = 1
Limit File Access
By default, PHP allow scripts to read any file on the machine including sensible files like /etc/passwd.
The setting bellow limit that. Of course when new sites are added, the list of folder need to be extended.
; Column separated list of folder to allow inclusion from.
; Eg. "/usr/share/php/:/usr/share/phpmyadmin/"
open_basedir = "/usr/share/php/"
Limit access to POST data
This setting only apply to Debian 8 (Jessie) and bellow
; The preferred method for accessing raw POST data is php://input, and $HTTP_RAW_POST_DATA is deprecated in PHP 5.6.0 onwards.
; This feature is removed in PHP7
always_populate_raw_post_data = -1;
