
PHP Configuration

php(1) has a long history, leading to harsh backward-compatibility constraints. The default behaviors are not desirable on a modern internet.

The configuration file is /etc/php/php.ini. Some distributions provide two versions: a hardened php.ini-production and a verbose php.ini-development.


Configuration Template

[PHP]

;;;;;;;;;;;;;;;;;;;
; php.ini Options ;
;;;;;;;;;;;;;;;;;;;
user_ini.filename =

;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;
engine = Off
short_open_tag = Off
output_buffering = 4096
implicit_flush = Off
zend.enable_gc = On
zend.exception_ignore_args = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30
max_input_time = 60
memory_limit = 128M

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
report_memleaks = Off
report_zend_debug = Off
error_log = "/var/log/php.log"

;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
default_mimetype = "text/html"
default_charset = "UTF-8"

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
doc_root =
user_dir =
enable_dl = Off

;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
file_uploads = Off
upload_max_filesize = 2M
max_file_uploads = 20

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60


Module Settings

ODBC

extension=odbc

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

MySQL

There are two drivers for MySQL and/or MariaDB databases: pdo_mysql and mysqli (MySQL Improved).

extension=pdo_mysql

[Pdo_mysql]
pdo_mysql.default_socket =

extension=mysqli

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

The MySQL Native Driver is a set of internal communication utilities that is already enabled.

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

PostgreSQL

An official driver for PostgreSQL.

extension=pgsql

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

LDAP

extension=ldap

[ldap]
ldap.max_links = -1

mcrypt

mcrypt has been replaced with sodium.

mssql

mssql has been replaced with pdo_dblib.


Hardening

Crafted URLs

To prevent an attacker from calling php(1) directly, force all requests to come through a web server redirection.

; mitigate crafted URLs
cgi.force_redirect = On

Read-Only

If file uploads are not required, here are some sane defaults.

; disable uploading
file_uploads = Off

; disable remote file access
allow_url_fopen = Off
allow_url_include = Off

Leaking Information

Several debugging settings should be explicitly disabled for production.

zend.exception_ignore_args = On
display_errors = Off
display_startup_errors = Off
report_memleaks = Off
report_zend_debug = Off


Testing

For interactive testing of a configuration file, try:

php -i

The phpinfo function can also be used to develop a test web page. This is worth doing even when php -i looks right: the CLI SAPI applies its own overrides to several directives (for example max_execution_time and register_argc_argv), so php -i does not show exactly what Apache or PHP-FPM runs with. Remove the test page before going to production, since it discloses the full configuration.

<?php
phpinfo();

// Show just the module information.
phpinfo(INFO_MODULES);
?>
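A small audit of php -i output against the hardening directives above, as an added example for this page (not code from the wiki or the PHP project). The directive list and expected values come from the Hardening and Miscellaneous sections; the php -i lines are constructed, not captured from a real host.

```shell
# Audit the effective (local) value of this page's hardening directives in
# "directive => local value => master value" lines as printed by php -i.
# Added example for this page, not code from the wiki or the PHP project.

# directive=expected, from the Hardening and Miscellaneous sections above
EXPECTED='cgi.force_redirect=1 file_uploads=0 allow_url_fopen=0
allow_url_include=0 display_errors=0 expose_php=0'

# Normalise PHP's spellings of booleans; anything else (e.g. STDOUT) is kept as-is
norm() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    on|1|yes|true)                echo 1 ;;
    off|0|no|false|'no value'|'') echo 0 ;;
    *)                            echo "$1" ;;
  esac
}

# audit_php_ini FILE: print one line per deviation; return the deviation count.
# Only the local value is compared: the master value is what php.ini says, but
# a .user.ini or a php_value in the web server config can override it.
audit_php_ini() {
  bad=0
  for pair in $EXPECTED; do
    key=${pair%%=*}; want=${pair#*=}
    line=$(awk -v k="$key" -F' => ' '$1 == k { print; exit }' "$1")
    if [ -z "$line" ]; then
      echo "MISSING $key"; bad=$((bad + 1)); continue
    fi
    local_val=$(printf '%s\n' "$line" | awk -F' => ' '{ print $2 }')
    if [ "$(norm "$local_val")" != "$want" ]; then
      echo "FAIL $key: local value '$local_val', expected $want"
      bad=$((bad + 1))
    fi
  done
  return $bad
}

# Constructed sample of php -i output (not captured from a real host):
# file_uploads was re-enabled locally and display_errors was switched on.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
allow_url_fopen => Off => Off
allow_url_include => Off => Off
cgi.force_redirect => On => On
display_errors => STDOUT => Off
expose_php => Off => Off
file_uploads => On => Off
EOF

audit_php_ini "$SAMPLE" || echo "$? hardening deviation(s) found"
```

On a real host, run it as `php -i > /tmp/phpinfo.txt; audit_php_ini /tmp/phpinfo.txt` from the SAPI you care about; the web SAPI's values are only visible through a phpinfo() page.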



PHP/Configuration (last edited 2023-05-25 17:26:17 by DominicRicottone)