Securing shared Apache2 + PHP

Posted on

Securing shared Apache2 + PHP – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about apache-2.2, php, security, , .

We want to setup a shared webserver running Apache2 and PHP5. Our need is to host some PHP apps like WordPress, Zend framework applications… Some of the sites may be controlled by external developers, so we need the security to be high.

We will like to run with php safemode = Off, because of the problems running ie. wordpress in safe mode.

How do we secure the access/permissions from the php-application to rest of the server?
(How to secure that PHP-cade, can’t access webserver config-files, logs etc.)

How do we secure the access/permissions between two sites?
(How to secure that one site can’t access files/data from another site)

We have considered taking advantage of the mpm-itk combined with open_basedir, but is it enough?

Is there a suggestion for the access rights on the servers filesystem?

What about disabling some functions like system(), exec() etc.?

Solution :

I’m using the peruser MPM with separate users/groups for every shared virtual host on the server. These users have restricted home directories (700) and separate directories for session files. I’ve patched PHP with suhosin and added the security-related directives (like open_basedir) to php.ini.

Keep in mind that with shared hosting configuration you can never be “fully” secured.

If you want a secure server, don’t run WordPress and don’t run code written by external developers.

But since that seems to be a basic requirement, then in addition to all the usual things you should do in setting up a secure http server…

open_basedir is a good start. But if you’ve only got 2 sites to seperate why not just put them in their own VMs on the server? Or run 2 instances of the webserver as different uids with a common reverse proxy?

You certainly want to very focussed on your egress filtering. And definitely have a look at suhosin if you plan to go down the single webserver route.

Leave a Reply

Your email address will not be published.