Page revisions: revision 4 (2021-11-18 08:53:47, 4046 bytes) and revision 5 (2022-09-25 19:57:35, 3921 bytes).

PHP Configuration

php(1) has a long history, leading to harsh backward-compatibility constraints. The default behaviors are not desirable on the modern internet.

The configuration file is /etc/php/php.ini. Some distributions provide two versions: a hardened php.ini-production and a verbose php.ini-development.


Configuration Template

[PHP]

;;;;;;;;;;;;;;;;;;;
; php.ini Options ;
;;;;;;;;;;;;;;;;;;;
user_ini.filename =

;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;
engine = Off
short_open_tag = Off
output_buffering = 4096
implicit_flush = Off
zend.enable_gc = On
zend.exception_ignore_args = On

;;;;;;;;;;;;;;;;;
; Miscellaneous ;
;;;;;;;;;;;;;;;;;
expose_php = Off

;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;
max_execution_time = 30
max_input_time = 60
memory_limit = 128M

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
report_memleaks = Off
report_zend_debug = Off
error_log = "/var/log/php.log"

;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
variables_order = "GPCS"
request_order = "GP"
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
default_mimetype = "text/html"
default_charset = "UTF-8"

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
doc_root =
user_dir =
enable_dl = Off

;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;
file_uploads = Off
upload_max_filesize = 2M
max_file_uploads = 20

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 60


Module Settings

ODBC

extension=odbc

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

MySQL

There are two MySQL drivers: pdo_mysql and mysqli (MySQL Improved).

extension=pdo_mysql

[Pdo_mysql]
pdo_mysql.default_socket =

extension=mysqli

[MySQLi]
mysqli.max_persistent = -1
mysqli.allow_persistent = On
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.default_socket =
mysqli.default_host =
mysqli.default_user =
mysqli.default_pw =
mysqli.reconnect = Off

The MySQL Native Driver is a set of internal communication utilities that is already enabled.

[mysqlnd]
mysqlnd.collect_statistics = On
mysqlnd.collect_memory_statistics = Off

PostgreSQL

extension=pgsql

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

LDAP

extension=ldap

[ldap]
ldap.max_links = -1

mcrypt

mcrypt has been replaced with sodium.

mssql

mssql has been replaced with pdo_dblib.


Hardening

Crafted URLs

To prevent an attacker from calling php(1) directly, force all requests to come through a web server redirection.

; mitigate crafted URLs
cgi.force_redirect = On

Read-Only

If file uploads are not required, here are some sane defaults.

; disable uploading
file_uploads = Off

; disable remote file access
allow_url_fopen = Off
allow_url_include = Off

Leaking Information

Several debugging settings should be explicitly disabled for production.

zend.exception_ignore_args = On
display_errors = Off
display_startup_errors = Off
report_memleaks = Off
report_zend_debug = Off
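As an added example (not code from the original page or from the PHP project), the following Python auditor parses a php.ini in the form used by the Configuration Template above (sections, `;` comments, quoted values, shorthand sizes such as `2m`) and flags deviations from the Hardening settings in this section. The BASELINE dict and SAMPLE_INI are constructed for the example.

```python
import re
# Baseline from the page's Hardening section (constructed for this example, not an official PHP list).
BASELINE = {"expose_php": "off", "display_errors": "off", "file_uploads": "off", "allow_url_fopen": "off",
            "allow_url_include": "off", "cgi.force_redirect": "on"}
# php.ini accepts several spellings for booleans; normalise them to on/off.
_BOOL = {"1": "on", "on": "on", "true": "on", "yes": "on",
         "0": "off", "off": "off", "false": "off", "no": "off", "none": "off", "": "off"}
# key = value, with the value either double-quoted or running up to a ';' comment.
_LINE = re.compile(r'\s*([A-Za-z0-9_.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_php_ini(text):
    """Map directive -> raw value; [Section] headers, ';' comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if m:  # headers, comments and blank lines do not match
            settings[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return settings

def ini_bytes(value):
    """Expand php.ini shorthand sizes (128M, 2m, 4096) to bytes; the suffix is case-insensitive."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError(f"not a size: {value!r}")
    return int(m.group(1)) * 1024 ** {"": 0, "k": 1, "m": 2, "g": 3}[m.group(2).lower()]

def audit(settings):
    """Return (directive, found, expected) for each deviation from BASELINE."""
    # An unset directive is reported too, so the hardened value is stated explicitly
    # rather than relying on PHP's built-in default.
    findings = []
    for key, want in BASELINE.items():
        if key not in settings:
            findings.append((key, None, want))
            continue
        have = _BOOL.get(settings[key].lower(), settings[key].lower())
        if have != want:
            findings.append((key, settings[key], want))
    return findings

# Constructed sample: two weak values and one missing directive (cgi.force_redirect).
SAMPLE_INI = """\
[PHP]
expose_php = On
display_errors = 1
error_log = "/var/log/php.log"
file_uploads = Off
upload_max_filesize = 2m
allow_url_fopen = Off
allow_url_include = Off   ; trailing comment
"""
```

Running `audit(parse_php_ini(open("/etc/php/php.ini").read()))` against a real file gives the same tuples for the live configuration.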



PHP/Configuration (last edited 2023-05-25 17:26:17 by DominicRicottone)