PHP Configuration

php(1) has a long history, and backward compatibility has kept many legacy behaviors as compiled-in defaults. Those defaults are not appropriate for a server exposed to the modern internet, so the directives that matter should be set explicitly rather than inherited.

The configuration file is /etc/php/php.ini on some distributions; others split it per SAPI (for example /etc/php/<version>/fpm/php.ini and a separate cli/php.ini), so check with `php --ini` which files are actually loaded for the SAPI being configured. PHP itself ships two templates next to it: php.ini-production, with conservative defaults meant for a public server, and php.ini-development, which is verbose about errors and intended for local work only.


Configuration Template

[PHP]

;;;;;;;;;;;;;;;;;;;
; php.ini Options ;
;;;;;;;;;;;;;;;;;;;
user_ini.filename =

;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;
; engine = Off would disable PHP entirely under mod_php
engine = On
short_open_tag = Off
output_buffering = 4096
implicit_flush = Off
zend.enable_gc = On
zend.exception_ignore_args = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30
max_input_time = 60
memory_limit = 128M

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
report_memleaks = Off
report_zend_debug = Off
error_log = "/var/log/php.log"

;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;
variables_order = "GPCS"
; $_REQUEST is built from GET and POST only, so a cookie cannot override a request parameter
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
default_mimetype = "text/html"
default_charset = "UTF-8"

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
doc_root =
user_dir =
enable_dl = Off

;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
file_uploads = Off
upload_max_filesize = 2M
max_file_uploads = 20

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60


Module Settings

ODBC

extension=odbc

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

MySQL

There are two drivers for MySQL and MariaDB databases: pdo_mysql (the PDO interface) and mysqli (MySQL Improved). Both talk to the server through mysqlnd.

extension=pdo_mysql

[Pdo_mysql]
pdo_mysql.default_socket =

extension=mysqli

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

The MySQL Native Driver (mysqlnd) is the built-in client library that both pdo_mysql and mysqli use by default; it does not need to be enabled separately, only tuned.

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

PostgreSQL

The bundled driver for PostgreSQL; pdo_pgsql provides the same connection through the PDO interface.

extension=pgsql

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

LDAP

extension=ldap

[ldap]
ldap.max_links = -1

mcrypt

The mcrypt extension was removed from core in PHP 7.2; use sodium (or openssl) instead.

mssql

The mssql extension was removed in PHP 7.0; use pdo_dblib, or Microsoft's sqlsrv and pdo_sqlsrv drivers.


Hardening

Crafted URLs

When PHP runs as a CGI binary, a client can otherwise request the binary directly with an attacker-chosen script path. cgi.force_redirect makes php-cgi refuse any request that did not arrive through the web server's internal redirect (it looks for the REDIRECT_STATUS environment variable). It is on by default and only meaningful for the CGI SAPI, since php-fpm and mod_php are not reachable by URL in that way, but setting it explicitly keeps a later edit from turning it off.

; mitigate crafted URLs
cgi.force_redirect = On

Read-Only

If the application never accepts uploads or opens remote URLs, turn both capabilities off. allow_url_include = Off blocks remote file inclusion through include and require even when allow_url_fopen stays on; allow_url_fopen = Off additionally stops file_get_contents() and the other stream functions from fetching http:// and ftp:// URLs, which removes one avenue for server-side request forgery.

; disable uploading
file_uploads = Off

; disable remote file access
allow_url_fopen = Off
allow_url_include = Off

Leaking Information

Several debugging settings should be explicitly disabled for production. Left on, they print source paths, stack traces and function arguments (which can include credentials) to any client that manages to trigger an error. Keep log_errors = On so that detail still reaches error_log instead.

zend.exception_ignore_args = On
display_errors = Off
display_startup_errors = Off
report_memleaks = Off
report_zend_debug = Off


Testing

To see the effective configuration of the CLI SAPI, including which ini files were loaded, try:

php --ini
php -i

Because php-fpm and mod_php may read a different php.ini than the CLI, the phpinfo function can be used to build a test page served by the real SAPI. Delete the page once done: it discloses versions, paths and every loaded setting to anyone who can request it.

<?php
phpinfo();

// Show just the module information.
phpinfo(INFO_MODULES);
?>
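The checks in the Hardening section can be scripted and run before a php.ini is deployed. The following is an added example, not code from this page: a POSIX sh script that reads a php.ini file with awk, reports which hardening directives are missing or set to the wrong boolean, and, when php(1) happens to be installed, asks the interpreter for its effective value the way php -i does. The directive list, the function names and the sample ini text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the wiki page): audit a php.ini file against the
# hardening directives from the sections above. Only POSIX sh and awk are needed,
# so it runs on a host that has no php(1) installed. The directive list and the
# sample ini text below are constructed for this example.

# php_ini_get FILE DIRECTIVE
# Print the value of the last non-comment assignment of DIRECTIVE in FILE and
# return 1 if the directive never appears. PHP keeps the last assignment, so a
# later duplicate wins here too.
php_ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/  { next }                 # ; comment line
        /^[[:space:]]*\[/ { next }                 # [Section] header
        {
            line = $0
            sub(/[[:space:]]*;.*$/, "", line)      # trailing ; comment
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)                   # unquote "value"
            if (k == key) { val = v; seen = 1 }
        }
        END { if (seen) print val; else exit 1 }
    ' "$1"
}

# php_ini_bool VALUE
# Normalise an ini value the way PHP's boolean parser does: "On", "True", "Yes"
# and any non-zero number are on; "Off", "False", "No", "0" and "" are off.
php_ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|true|yes|[1-9]*) echo on ;;
        *)                  echo off ;;
    esac
}

# Directives the hardening sections above expect, as directive=on|off pairs
# (assumed list for this example).
PHP_HARDENING='
expose_php=off
display_errors=off
display_startup_errors=off
log_errors=on
zend.exception_ignore_args=on
report_memleaks=off
report_zend_debug=off
allow_url_fopen=off
allow_url_include=off
file_uploads=off
enable_dl=off
cgi.force_redirect=on
'

# php_ini_audit FILE
# Print PASS/FAIL/UNSET per directive; the return code is the number of
# directives not explicitly set to the expected value. UNSET counts as a
# finding because the template above sets each of these explicitly instead of
# relying on the compiled-in default.
php_ini_audit() {
    fails=0
    for pair in $PHP_HARDENING; do
        key=${pair%%=*}
        expect=${pair#*=}
        if ! raw=$(php_ini_get "$1" "$key"); then
            echo "UNSET $key (expected $expect)"
            fails=$((fails + 1))
            continue
        fi
        got=$(php_ini_bool "$raw")
        if [ "$got" = "$expect" ]; then
            echo "PASS  $key = $raw"
        else
            echo "FAIL  $key = $raw (expected $expect)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# php_live_get DIRECTIVE
# Ask the interpreter for the effective value, which also reflects files scanned
# from conf.d. The CLI SAPI may read a different php.ini than php-fpm or mod_php,
# so run this with the SAPI that is actually being hardened.
php_live_get() {
    php -r 'echo ini_get($argv[1]);' -- "$1"
}

# Constructed sample: a php.ini with two weak settings and cgi.force_redirect unset.
demo_ini=$(mktemp) || exit 1
cat > "$demo_ini" <<'EOF'
[PHP]
expose_php = On            ; leaks the PHP version in the X-Powered-By header
display_errors = Off
display_startup_errors = Off
log_errors = On
zend.exception_ignore_args = On
report_memleaks = Off
report_zend_debug = Off
allow_url_fopen = Off
allow_url_include = On     ; remote file inclusion stays possible
file_uploads = Off
enable_dl = Off
EOF
php_ini_audit "$demo_ini" || echo "$? directive(s) need attention"
rm -f "$demo_ini"

if command -v php >/dev/null 2>&1; then
    echo "CLI SAPI sees expose_php = $(php_live_get expose_php)"
fi
```

The audit reads the file rather than asking php(1), so it cannot see values added by conf.d scan files or by a .user.ini; treat it as a pre-deployment lint and confirm the live SAPI with phpinfo or php_live_get afterwards.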


CategoryRicottone

PHP/Configuration (last edited 2023-05-25 17:26:17 by DominicRicottone)