PHP 5.3: security between sites and the .user.ini feature


php.ini configuration

If you run Nginx + PHP and host several websites on one server, you may worry about isolation between the PHP processes serving those sites, and you may feel that Nginx + PHP is unsuitable for multi-site deployment: there is no equivalent of Apache's php_admin_value for restricting open_basedir per site, and no .htaccess for customizing php.ini.


PHP 5.3 closed this gap. Many system administrators and PHP programmers may not know that PHP 5.3 has built-in, Apache-like per-site configuration for Nginx and similar servers:


Customizing php.ini with [PATH] and [HOST] sections

[HOST  pic.a.com]

open_basedir ="/data/www/pic.a.com:/tmp:/tmpnfs:/data/www/yii:/data/www/lib"


[HOST bbs.a.com]

open_basedir ="/data/www/bbs.a.com:/tmp:/tmpnfs:/data/www/yii:/data/www/lib"



Note: these settings only take effect under CGI/FastCGI, and the extension and zend_extension directives cannot be set inside such sections.

If you also need extension= to take effect, a workaround has been suggested (see the PHP manual page below):


http://www.php.net/manual/zh/ini.sections.php

For example hosts.ini:

[HOST=dev.example.com]

display_errors = on


[PHP]


This switches the section back to [PHP], where extension= and zend_extension= are allowed again.



Testing with phpshell: from a script served under pic.a.com, changing into the bbs.a.com directory is refused, because pic.a.com's open_basedir does not include it:

$ cd /data/www/bbs.a.com

chdir(): open_basedir restriction in effect. File(/data/www/bbs.a.com) is not within the allowed path(s): (/data/www/pic.a.com:/tmp:/tmpnfs:/data/www/yii:/data/www/lib)

cd: could not change to: /data/www/bbs.a.com

http://www.php.net/manual/en/configuration.file.per-user.php


The equivalent of Apache's .htaccess is supported as well, in the form of .user.ini files.


.user.ini files


Since PHP 5.3.0, PHP includes support for .htaccess-style INI files on a per-directory basis. These files are processed only by the CGI/FastCGI SAPI. This functionality obsoletes the PECL htscanner extension. If you are using Apache, use .htaccess files for the same effect.


In addition to the main php.ini file, PHP scans for INI files in each directory, starting with the directory of the requested PHP file, and working its way up to the current document root (as set in $_SERVER['DOCUMENT_ROOT']). In case the PHP file is outside the document root, only its directory is scanned.


Only INI settings with the modes PHP_INI_PERDIR and PHP_INI_USER will be recognized in .user.ini-style INI files.


Two new INI directives, user_ini.filename and user_ini.cache_ttl, control the use of user INI files.


user_ini.filename sets the name of the file PHP looks for in each directory; if set to an empty string, PHP doesn't scan at all. The default is .user.ini.


user_ini.cache_ttl controls how often user INI files are re-read. The default is 300 seconds (5 minutes).



php.ini contains the following configuration items for this:

;;;;;;;;;;;;;;;;;;;;

; php.ini Options  ;

;;;;;;;;;;;;;;;;;;;;

; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"

user_ini.filename = ".user.ini"


; To disable this feature set this option to empty value

;user_ini.filename =


; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)

user_ini.cache_ttl = 300



.user.ini test: a [HOST] section has no effect

Other ordinary directives do take effect.


/usr/bin/vim .user.ini

error_log = /var/log/php_error2.log


phpinfo() then shows the following row (Directive / Local Value / Master Value):

error_log    /var/log/php_error2.log    /var/log/php_errors2.log
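As an added example (not code from the original post, nor PHP's own implementation), the following Python model re-implements the rules described above for both mechanisms: [HOST]/[PATH] sections in php.ini, including the extension= restriction and the [PHP] reset trick, and the .user.ini directory scan with its PHP_INI_PERDIR/PHP_INI_USER filter and the empty user_ini.filename switch. The hostnames, paths, sample php.ini and .user.ini contents are constructed; the precedence order between [PATH], [HOST] and .user.ini, the rule that a deeper directory's .user.ini overrides a shallower one, and the set of directives rejected in .user.ini are assumptions of the model, not taken from PHP's source.

```python
# Added model of PHP 5.3 [HOST]/[PATH] php.ini sections and .user.ini lookup.
# Not code from the post or from PHP: precedence and the mode table are assumptions.
import re
from pathlib import PurePosixPath

# Assumption: an illustrative subset of PHP's mode table. .user.ini honours only
# PHP_INI_PERDIR/PHP_INI_USER directives, so these are dropped there.
USER_INI_DENIED = {"extension", "zend_extension", "disable_functions", "expose_php"}
LOADERS = ("extension", "zend_extension")
_SECTION = re.compile(r"^\[\s*(\w+)\s*=?\s*(.*?)\s*\]$")  # [HOST=x], [HOST x], [PHP]


def parse_ini(text):
    """Split INI text into (kind, arg, [(key, value), ...]) chunks; kind is
    'HOST', 'PATH' or 'PHP'.  Any other header (e.g. a bare [PHP]) returns to
    the global section, the manual trick the post quotes for extension=."""
    chunks, kind, arg, entries = [], "PHP", "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplified: no ';' inside values
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            chunks.append((kind, arg, entries))
            name = m.group(1).upper()
            kind, arg = (name, m.group(2)) if name in ("HOST", "PATH") else ("PHP", "")
            entries = []
        else:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip().strip('"')))
    chunks.append((kind, arg, entries))
    return chunks


def user_ini_texts(doc_root, script_path, files, filename):
    """.user.ini contents PHP would read, outermost directory first.  files maps
    a directory to its text (a constructed stand-in for the disk).  Manual rules
    quoted in the post: scan from the script's directory up to the document
    root; outside the document root only the script's directory; an empty
    filename disables scanning.  Assumption: the deepest directory wins."""
    if not filename:
        return []
    root, d = PurePosixPath(doc_root), PurePosixPath(script_path).parent
    if d != root and root not in d.parents:
        dirs = [d]
    else:
        dirs = [p for p in (d, *d.parents) if p == root or root in p.parents][::-1]
    return [files[str(p)] for p in dirs if str(p) in files]


def resolve(php_ini, host, script_path, doc_root, files=None):
    """(settings, loaded_extensions) for one CGI/FastCGI request.  Assumed
    order, lowest first: global entries, matching [PATH] sections (shortest
    prefix first), the matching [HOST] section, then .user.ini files.
    extension= is honoured only in the global section, as the post's notice says."""
    settings, extensions = {}, []
    chunks = parse_ini(php_ini)
    script_dir = PurePosixPath(script_path).parent
    for kind, _, entries in chunks:
        if kind == "PHP":
            for k, v in entries:
                if k in LOADERS:
                    extensions.append(v)
                else:
                    settings[k] = v
    paths = [(PurePosixPath(a), e) for kind, a, e in chunks if kind == "PATH"]
    for p, entries in sorted(paths, key=lambda c: len(c[0].parts)):
        if p == script_dir or p in script_dir.parents:
            settings.update((k, v) for k, v in entries if k not in LOADERS)
    for kind, a, entries in chunks:
        if kind == "HOST" and a.lower() == host.lower():
            settings.update((k, v) for k, v in entries if k not in LOADERS)
    name = settings.get("user_ini.filename", ".user.ini")
    for text in user_ini_texts(doc_root, script_path, files or {}, name):
        for kind, _, entries in parse_ini(text):
            if kind == "PHP":  # the post found [HOST] blocks in .user.ini have no effect
                settings.update((k, v) for k, v in entries if k not in USER_INI_DENIED)
    return settings, extensions


# Constructed sample php.ini: the post's two [HOST] blocks plus a global
# section, ending with the [PHP] reset trick from the manual.
PHP_INI = """\
[PHP]
open_basedir = "/data/www"
user_ini.filename = ".user.ini"
extension = mbstring.so
[HOST  pic.a.com]
open_basedir ="/data/www/pic.a.com:/tmp:/tmpnfs:/data/www/yii:/data/www/lib"
extension = gd.so   ; dropped: loaders are not allowed inside [HOST]/[PATH]
[HOST bbs.a.com]
open_basedir ="/data/www/bbs.a.com:/tmp:/tmpnfs:/data/www/yii:/data/www/lib"
[PHP]
extension = gd.so   ; back in the global section, so this one loads
"""

# Constructed .user.ini files keyed by directory; the bbs root file repeats
# the post's error_log test plus the [HOST] block it found to be ignored.
USER_INIS = {
    "/data/www/bbs.a.com": "error_log = /var/log/php_error2.log\n"
                           "[HOST bbs.a.com]\ndisplay_errors = on\n",
    "/data/www/bbs.a.com/admin": "display_errors = off\nexpose_php = off\n",
}
```

resolve() returns what a request for a given host and script would see, which makes it a quick way to review a multi-site php.ini for a site whose open_basedir silently inherits another host's paths, or to confirm that setting user_ini.filename to an empty string really stops the directory scan; an extension= line that lands inside a [HOST] block shows up as missing from the returned extension list instead of failing quietly on the server.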