Setup secure shared hosting (Apache, PHP, MySQL)
Posted
by
Apaz
on Server Fault
See other posts from Server Fault
or by Apaz
Published on 2011-10-07T13:42:44Z
Indexed on
2012/06/29
9:18 UTC
Read the original article
Hit count: 285
So I'm setting up a shared hosting with Apache, PHP, MySQL and the biggest question mark is how to do with PHP, since there is a million options out there how to configure it securely.
The plan is:
- Chroot for MySQL (built in support for chroot)
- Chroot for Apache (mod_security)
- Each user executing their PHP-scripts as their own user (see below)
- Set open_basedir
- Disable all "evil" php-functions (allow_url_fopen, system, exec, and so on)
Ive looked at suexec and suphp but they seems very slow;
http://blog.stuartherbert.com/php/2007/12/18/using-suexec-to-secure-a-shared-server/ http://blog.stuartherbert.com/php/2008/01/18/using-suphp-to-secure-a-shared-server/
So I've looked some more and found some other solutions:
- apache2-mpm-itk + mod_php(?)
- mod_fcgid + php-fpm
- mod_fastcgi + php-fpm
Ive tried a simple setup with mod_fastcgi + php-fpm and it seems to work, runs as correct user and so on, but the protection against directory traveling is still open_basedir(?)
One solution for that could be to use php-fpm's chroot option, but that causes a lot of other issues like
- domain name resolver does not work
- sending mail does not work
Tips?
© Server Fault or respective owner