[WEB SECURITY] Securing apache installation with PHP

Ivan Ristic ivan.ristic at gmail.com
Mon May 23 11:09:35 EDT 2005


On 5/19/05, Cedric Foll <cedric.foll at ac-rouen.fr> wrote:
> Hi,

Hi Cedric,

FYI, the installation and configuration chapter of my book, Apache
Security, is available online at http://www.apachesecurity.net/ . I am
sure you will find plenty of useful information there. I am expecting
the PHP chapter to be freely available soon (e.g. in a week or so).
After that I am planning to convert both chapters to HTML and start
posting new content and updates.
 
> I have to set up a new web server where many users would be able to put
> PHP web pages.
> 
> ...
> 
> What else can i do to protect my webserver ?

The best advice I can give you is not to deploy PHP as a module.
Instead, run it as CGI using the suEXEC mechanism. Having the scripts
executed under users' own identities will increase the security of
your setup significantly. If you *really* need to have PHP run as fast
as possible, use the FastCGI module to have the security benefits of
suEXEC with the speed of a module.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list