Enhancing PHP Security Settings in Nginx Environments
Nginx is becoming increasingly popular, and most integrated environments such as Baota Panel, Oneinstack, and LNMP use Nginx as the web server. In an Nginx + PHP setup, FPM (FastCGI Process Manager) is used to execute PHP. This article focuses on strengthening PHP program security from the perspective of web server and PHP configuration settings, rather than vulnerabilities caused by improper PHP coding practices.

Disable Dangerous Functions
PHP provides functions such as system() that execute operating-system commands directly. If input validation is weak or coding practices are sloppy, an attacker who can influence their arguments gains command execution on the server, so disabling such functions is necessary. disable_functions can only be set in php.ini (it is a PHP_INI_SYSTEM setting, so neither .user.ini nor ini_set() can change it), and PHP silently ignores names that are not real functions, so the list must contain only genuine built-ins. Modify php.ini and add:
; functions that hand the web process a shell, spawn processes or alter the process environment
disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,stream_socket_server,popen
Prevent Cross-Site Attacks
Cross-site attacks typically manifest as hackers using scripts to access other websites or directories after compromising one site, potentially leading to the compromise of all websites.
The open_basedir parameter restricts the files PHP can open to a specified directory tree, including the files themselves. When a program attempts to open a file using functions like fopen() or file_get_contents(), the file location is checked. If the file is outside the specified directory tree, the program will refuse to open it. There are several methods to configure open_basedir; here are a few common ones.
php.ini Configuration
You can directly modify php.ini to add:
open_basedir="specified_directory"
Configuration via PHP Script
Restrict within the program script:
ini_set('open_basedir', 'specified_directory');
Configuration via .user.ini
Let's first look at how the official documentation explains the .user.ini file:
Starting from PHP 5.3.0, PHP supports INI files in the .htaccess style for each directory. These files are processed only by the CGI/FastCGI SAPI. This feature renders the PECL htscanner extension obsolete. If using Apache, .htaccess files provide the same effect.
In addition to the main php.ini, PHP scans INI files in each directory, starting from the directory containing the executed PHP file and moving up to the web root directory (specified by $_SERVER['DOCUMENT_ROOT']). If the executed PHP file is outside the web root directory, only that directory is scanned.
In .user.ini style INI files, only INI settings with PHP_INI_PERDIR and PHP_INI_USER modes are recognized.
In short, when PHP runs in CGI/FastCGI SAPI mode, it reads a .user.ini configuration file. We can set the open_basedir parameter in this file to prevent cross-site attacks.
Create a .user.ini file in the site root directory with the following content:
open_basedir=/data/wwwroot/:/tmp/:/proc/
To prevent .user.ini from being tampered with, add the immutable attribute to the file (run chattr -i on it again before you need to edit it):
chattr +i .user.ini
Currently, known integrated environments like Baota Panel and Junge LNMP (lnmp.org) use .user.ini by default to prevent cross-site attacks. This method is very flexible and allows for individual settings for each website.
Prohibit PHP Execution in Specific Directories
Most PHP frameworks, such as CodeIgniter and ThinkPHP, use a single entry point: as long as index.php can be executed, the application runs normally. Upload directories and static file directories never need to execute PHP, and allowing it only gives an uploaded file a way to run. Nginx can use the following rule to prohibit PHP execution in specific directories:
# uploads, templets, data directories are prohibited from executing PHP
location ~* ^/(uploads|templets|data)/.*\.(php|php5)$ {
return 444;
}
Two details matter here: the dot before the extension must be escaped (an unescaped . matches any character), and Nginx tries regular-expression locations in the order they appear in the configuration, so this block must be placed before the location ~ \.php$ block that passes requests to FPM, or it never takes effect. return 444 closes the connection without sending a response.
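The following Python script is an added example, not part of the original article or of any of the panels it mentions. It audits the settings described above offline: it parses php.ini/.user.ini text for disable_functions coverage and open_basedir, and checks that the Nginx deny rule for upload directories has an escaped dot and is placed before the PHP handler location (regex locations are tried in file order). The config samples and the REQUIRED_DISABLED subset are constructed for the example.

```python
import re
# Builtins from the disable_functions line above that the audit insists on (constructed subset).
REQUIRED_DISABLED = {"passthru", "exec", "system", "shell_exec",
                     "proc_open", "popen", "dl", "chroot", "symlink"}

def parse_ini(text):
    """Minimal php.ini/.user.ini parser: 'key = value', ';' comments, optional quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = value.strip("\"'")
    return settings

def audit_php_ini(text):
    """Report missing dangerous-function entries and an absent open_basedir."""
    s, findings = parse_ini(text), []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set; scripts can read other sites' files")
    return findings

# location <modifier> <pattern> { body }; assumes no nested braces inside the body
LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{([^}]*)\}")

def audit_nginx(conf):
    """Regex locations are tried in file order, so the deny rule must precede the PHP handler."""
    findings, deny_pos, php_pos = [], None, None
    for pos, m in enumerate(LOCATION_RE.finditer(conf)):
        pattern, body = m.group(2), m.group(3)
        if "fastcgi_pass" in body:
            php_pos = pos
        elif "return 444" in body or "deny all" in body:
            deny_pos = pos
            if "(php" in pattern and r"\.(php" not in pattern:
                findings.append("unescaped '.' before (php in " + pattern)
    if deny_pos is None:
        findings.append("no location blocks PHP execution in upload/data directories")
    elif php_pos is not None and deny_pos > php_pos:
        findings.append("deny rule comes after the PHP handler, so it never matches")
    return findings

# Constructed samples: handler listed first, dot unescaped, no open_basedir set.
WEAK_INI = "disable_functions = exec,system\n"
WEAK_NGINX = r"""location ~ \.php$ { fastcgi_pass unix:/run/php-fpm.sock; }
location ~* ^/(uploads|data)/.*.(php|php5)$ { return 444; }"""
```

Running audit_php_ini(WEAK_INI) and audit_nginx(WEAK_NGINX) reports the missing functions, the absent open_basedir, the unescaped dot and the wrong block order; the hardened settings from this article produce no findings.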
Other Notes
The above measures focus on PHP configuration settings and Nginx restrictions. If there are any deficiencies, please correct them. Some content in this article references: