PHP Application Security Settings in Jelastic Cloud

November 14, 2013 | HowTo


Do you plan to host your own PHP application, or is it already up and running? Either way, it is never too late to think about protecting it. Attacks on web applications come in many forms and are getting harder to detect and defend against, and the risk to your applications and data keeps growing. The battle for application and network security never ends, so knowing which weaknesses matter is essential to running a secure application.

PHP ships with several functions and settings that can be used to compromise your server if they are left at permissive defaults. Protecting your system requires a range of controls, but you can start with some basics that cost nothing extra. In this article we walk through the initial settings you can configure in the Jelastic Cloud to harden your application.

PHP.INI file security configurations

The main PHP configuration file is php.ini. It holds the default settings, which you can edit to suit your requirements or extend with custom directives. Jelastic gives you full access to the /etc/php.ini file of your Apache or NGINX-PHP server. Let's look at which settings raise the security level of your application.

Note: The values below are recommendations. Check each one against the requirements of your own application so that you do not break its functionality or degrade its performance.

To open the php.ini file, click the Config button next to your application server (Apache or NGINX) and navigate to the etc folder.

[Screenshot: the php.ini file opened in the Jelastic configuration manager]

Edit the configurations following this example:

1. Disable dangerous functions. The disable_functions directive takes a single comma-separated list and can only be set in php.ini; it cannot be changed at run time with ini_set(), so a compromised script cannot switch the functions back on. A minimal list:

disable_functions = phpinfo, system, mail, exec

For stricter protection, also disable the other process-spawning and information-disclosure functions:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

The directive may appear only once: a second disable_functions line replaces the first instead of adding to it, so merge both lists into a single line. Function names are matched literally, which means aliases must be listed separately (show_source does not cover highlight_file). Before disabling anything, confirm that neither your application nor its libraries need it; mail and curl_exec in particular are often required by mailers and HTTP clients.

[Screenshot: the disable_functions line in php.ini]

2. Limit resource consumption as far as your application allows. Keep the three size limits in the order upload_max_filesize <= post_max_size <= memory_limit, otherwise uploads and large POST requests fail:

  • Maximum execution time (in seconds) of a script: max_execution_time = 30

  • Maximum time (in seconds) a script may spend parsing request data: max_input_time = 60

  • Maximum size of a single uploaded file: upload_max_filesize = 2M

  • Maximum size of POST data PHP accepts: post_max_size = 8M

  • Maximum memory a script may allocate: memory_limit = 8M (the default is 128M; 8M is very tight and suits only small applications, so lower the default only as far as your application still runs normally, and never below post_max_size)

3. Turn off the following features if your application does not require them:

  • Disallow HTTP file uploads: file_uploads = Off

  • Do not show PHP error messages to end users (they leak file paths, queries and stack details): display_errors = Off

  • Stop PHP from advertising itself in the X-Powered-By response header: expose_php = Off

  • Do not register request variables as globals: register_globals = Off (deprecated in PHP 5.3 and removed in 5.4, where the line is silently ignored; it only matters on older installations)

  • Disallow opening remote URLs as if they were files: allow_url_fopen = Off (and keep allow_url_include = Off, its default, which blocks remote file inclusion)

  • Restrict which environment variables a script may change with putenv() under safe mode: safe_mode_allowed_env_vars = PHP_ (part of safe mode, see step 5; removed together with it in PHP 5.4)

4. Keep the following protections on:

  • Leave cgi.force_redirect at its default of 1 when PHP runs as a CGI binary. It prevents the interpreter from being invoked directly with an arbitrary script path; setting it to 0 switches that protection off. The directive has no effect when PHP runs as an Apache module or behind FastCGI/PHP-FPM.

  • Log all errors: log_errors = On (and point error_log at a file outside the web root, so the logged details are never served to visitors)

5. Switch on the legacy safe modes, if your PHP version still has them:

  • Enable safe mode: safe_mode = On
  • Enable SQL safe mode: sql.safe_mode = On

Both are relics of PHP 5.x: safe_mode was deprecated in 5.3 and removed in 5.4, and sql.safe_mode was removed in 7.2. On current PHP these lines are silently ignored, so do not treat them as a security boundary; the disable_functions list, file-system permissions and the web server configuration are the controls that remain. On PHP 5.3 and earlier, sql.safe_mode makes the old mysql_connect() ignore the credentials passed to it and use the defaults, which breaks most applications.

Note: Apply the settings above selectively and test your application afterwards, because some of them (a disabled function, a tight memory_limit, or file_uploads = Off) can make features unavailable.
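To check a php.ini against the five steps above without guessing, here is an added example in Python (it is not part of the article and not Jelastic's code). It parses the file, applies the rules discussed (directives PHP has removed, the literal matching of disable_functions, the size-limit ordering, cgi.force_redirect) and returns a list of findings. Both sample configurations are constructed; the first mirrors the values listed above.

```python
"""Audit php.ini text against the hardening baseline described in the article."""
import re

# Directives PHP has removed; a php.ini line that sets them is silently ignored.
REMOVED_DIRECTIVES = {
    "safe_mode": "removed in PHP 5.4",
    "safe_mode_allowed_env_vars": "removed in PHP 5.4",
    "register_globals": "removed in PHP 5.4",
    "sql.safe_mode": "removed in PHP 7.2",
}

# disable_functions matches names literally: show_source does not cover
# highlight_file, so both aliases have to be listed.
DANGEROUS_FUNCTIONS = frozenset({
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "show_source", "highlight_file", "phpinfo",
})

# Directive -> value we want to see (True = On, False = Off).
EXPECTED_FLAGS = {
    "display_errors": False,
    "expose_php": False,
    "allow_url_fopen": False,
    "allow_url_include": False,
    "log_errors": True,
}

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_ini(text):
    """Minimal php.ini reader: strips ';' comments and [sections]; when a
    directive appears twice the last line wins, as in PHP itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def as_bool(value):
    """PHP ini boolean: on/true/yes or a non-zero number count as true."""
    v = value.strip().lower()
    if v in ("on", "true", "yes"):
        return True
    return v.isdigit() and int(v) != 0


def parse_size(value):
    """PHP shorthand sizes (2M, 512K, 1G or plain bytes); -1 means unlimited."""
    m = re.fullmatch(r"(-?\d+)\s*([kKmMgG]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised size {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    return float("inf") if number < 0 else number * SIZE_UNITS[unit]


def audit(ini_text):
    """Return human-readable findings; an empty list means the baseline is met."""
    ini = parse_ini(ini_text)
    findings = []

    for name, note in REMOVED_DIRECTIVES.items():
        if name in ini:
            findings.append(f"{name}: {note}, this line has no effect")

    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))

    for name, want_on in EXPECTED_FLAGS.items():
        if name not in ini:
            findings.append(f"{name} is not set, the PHP default applies")
        elif as_bool(ini[name]) != want_on:
            findings.append(f"{name} = {ini[name]}, expected {'On' if want_on else 'Off'}")

    # 0 disables the check that protects PHP-as-CGI from direct invocation.
    if "cgi.force_redirect" in ini and not as_bool(ini["cgi.force_redirect"]):
        findings.append("cgi.force_redirect = 0 removes a CGI safeguard, leave it at 1")

    # Uploads need upload_max_filesize <= post_max_size <= memory_limit.
    sizes = {n: parse_size(ini[n]) for n in ("upload_max_filesize", "post_max_size", "memory_limit") if n in ini}
    if {"upload_max_filesize", "post_max_size"} <= set(sizes) and sizes["upload_max_filesize"] > sizes["post_max_size"]:
        findings.append("upload_max_filesize exceeds post_max_size, uploads will fail")
    if {"post_max_size", "memory_limit"} <= set(sizes) and sizes["post_max_size"] > sizes["memory_limit"]:
        findings.append("post_max_size exceeds memory_limit, large POST bodies will fail")
    return findings


# Constructed sample: the values listed in the article, including the legacy lines.
WEAK_INI = """
disable_functions = phpinfo, system, mail, exec
max_execution_time = 30
memory_limit = 8M
post_max_size = 8M
upload_max_filesize = 2M
display_errors = Off
expose_php = Off
allow_url_fopen = Off
cgi.force_redirect = 0
log_errors = On
safe_mode = On
sql.safe_mode = On
register_globals = Off
"""

# Constructed sample that satisfies every check above.
HARDENED_INI = """
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source,highlight_file,phpinfo
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
post_max_size = 8M
upload_max_filesize = 2M
display_errors = Off
log_errors = On
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run it against a copy of your /etc/php.ini; the parser deliberately ignores sections, so the php.ini sections Jelastic ships do not get in the way. Treat the output as a checklist rather than a verdict: a finding such as a missing disable_functions entry may be acceptable if your application needs that function.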

Restrict access to your PHP app by authentication request

To require authentication for your whole Apache/NGINX application, or for just one directory in it, follow the steps below.

Regardless of the server you use (Apache or NGINX), you first need a password file for the authentication:

1. Generate the password hash locally with the htpasswd command-line tool (its default apr1 MD5-based format is understood by both Apache and NGINX) or with openssl passwd. Avoid online generators such as http://www.htpasswdgenerator.net/: typing a password into a third-party site hands that password to the site.

2. Put the generated username:hash line into a plain text file named .htpasswd (the configuration below refers to it by that name, so do not add a .txt extension).

3. Click the Config button for your server and upload the file to the webroot/ROOT folder. Keep in mind that this folder is the document root: Apache's default configuration refuses to serve files whose names start with .ht, but NGINX does not, so on NGINX either add a location rule that denies access to such files or, better, store the file outside the web root and adjust the path in the directives below accordingly.

[Screenshot: the .htpasswd file uploaded to webroot/ROOT]

The rest of the steps differ, depending on the application server used:

Apache

1. Navigate to the conf folder and open the httpd.conf file.

2. Check that the modules Basic authentication needs are loaded (they are by default): mod_auth_basic (AuthType Basic), mod_authn_file (AuthBasicProvider file) and mod_authz_user (Require valid-user; in Apache 2.4 the Require directive itself comes from mod_authz_core). The mod_authz_host module shown in the image is not used for password authentication; it is the module needed for the IP-based Allow/Deny rules in the next section.

[Screenshot: LoadModule lines in httpd.conf]

If any of them is commented out, restore the corresponding LoadModule line:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

3. In the same httpd.conf file (or in a .htaccess file, if the enclosing Directory permits it with AllowOverride AuthConfig) add one of the following configurations:

  • authentication for the whole application

Add the following lines inside the Directory block of your document root, as shown in the image below:

AuthName "Restricted area"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/webroot/ROOT/.htpasswd
Require valid-user

[Screenshot: Apache authentication for the whole application]

  • authentication for the separate directory

Add a Location block naming the path of the directory to protect (Location matches the URL path; for a file-system path you can use a Directory block with the same directives instead):

<Location /directory_path>
AuthName "Restricted area"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/webroot/ROOT/.htpasswd
Require valid-user
</Location>

[Screenshot: Apache authentication for a separate directory]

4. Save the changes and restart the Apache server.

Note: Changes in httpd.conf take effect only after Apache is restarted. Changes in .htaccess files apply immediately, because Apache reads them on every request, but only if the enclosing Directory has AllowOverride AuthConfig (or All); with AllowOverride None the file is ignored and the directory stays unprotected, so test the result before relying on it.

NGINX

1. Open the nginx.conf file in the conf folder and make the following changes:

  • authentication for the whole application

Add the following lines to the server block, so that every location inherits them (placing them in only one location leaves requests handled by other locations, such as the PHP handler, unprotected):

auth_basic "Restricted area";
auth_basic_user_file /var/www/webroot/ROOT/.htpasswd;

[Screenshot: NGINX authentication for the whole application]

  • authentication for the separate directory

Add a location block for the directory. Use the ^~ prefix modifier rather than a regular expression, and handle PHP inside the block: otherwise the server-level location ~ \.php$ block, which carries no auth_basic, is selected for the .php files in that directory and the protection is bypassed (or, if the directory location is defined first, the scripts are served as plain files):

location ^~ /directory_path/ {
    auth_basic           "Restricted area";
    auth_basic_user_file /var/www/webroot/ROOT/.htpasswd;
    location ~ \.php$ {
        # copy the include/fastcgi_* directives of your main PHP location here
    }
}

[Screenshot: NGINX authentication for a separate directory]

2. Save the changes and restart the NGINX server.

As a result, a user opening the application (on Apache or NGINX respectively) or the protected directory is asked to authenticate. Verify that a request without credentials receives a 401 response, that a .php file inside the protected directory is covered as well, and that a direct request for /.htpasswd is refused.

[Screenshot: browser prompt "Authentication required"]

 

Restrict access to your PHP app by IP

You can allow or deny access by client IP address (or, on Apache, by host name) to your Apache/NGINX application or to a separate directory in it.

On Apache (2.2, and 2.4 through mod_access_compat) the Allow and Deny directives specify which clients may access the server, and the Order directive sets both the default access state and the way Allow and Deny interact.

Order controls a three-pass evaluation. The first pass processes all directives of the type named first (Allow or Deny); the second pass processes the other type and can override the first; the third pass decides requests that matched neither, and that default is the state named last (allowed for Order Deny,Allow, denied for Order Allow,Deny). The practical consequence for an IP whitelist is that Deny from all must be evaluated before the Allow lines, i.e. with Order Deny,Allow. With Order Allow,Deny the Deny from all line is evaluated last, matches every client including the ones you allowed, and locks everybody out. Apache 2.4 replaces these directives with Require ip xx.xx.xx.x from mod_authz_core, which avoids the ordering trap.

Apache

1. Navigate to the conf folder and open the httpd.conf file (or the .htaccess file, which needs AllowOverride Limit for these directives).

2. Add the directives that restrict access to:

  • whole application

Modify the Directory block by adding the following lines, as shown in the image (Order Deny,Allow, so that the blanket Deny is evaluated first and your Allow overrides it):

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.x

[Screenshot: Apache IP restriction for the whole application]

  • separate directory

Add a Directory block with the path of the required directory and the same lines, as shown in the image:

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.x

[Screenshot: Apache IP restriction for a separate directory]

3. Save the changes and Restart the Apache server.

NGINX

1. Open the nginx.conf file in the conf folder.

2. Add the directives that restrict access to:

  • whole application

Add lines of the following form to the server block, so that every location inherits them. NGINX checks the rules in configuration order and the first match decides: a deny for a specific host may precede the allow, deny all must come last, and a client matching no rule at all is allowed:

deny    xx.xx.xx.x;
allow xx.xx.xx.x;
deny all;

[Screenshot: NGINX IP restriction for the whole application]

  • separate directory

Add a location block for the directory. As with authentication, use the ^~ modifier and handle PHP inside the block, otherwise .php requests for this directory fall through to the unrestricted server-level PHP location:

location ^~ /directory_path/ {
    deny    xx.xx.xx.x;
    allow   xx.xx.xx.x;
    deny    all;
    location ~ \.php$ {
        # copy the include/fastcgi_* directives of your main PHP location here
    }
}

[Screenshot: NGINX IP restriction for a separate directory]

3. Save the changes and Restart the NGINX server.

As a result, a user connecting from any IP except the allowed ones receives a 403 error when opening your application.
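Because the two servers evaluate their rules differently, it is easy to write a rule set that looks right and admits nobody. The following added example (not from the article, and not Jelastic's code) models both evaluation orders offline in Python: the Apache three-pass Order/Allow/Deny logic and NGINX's first-match allow/deny logic. It shows that Order Allow,Deny combined with Deny from all locks out the allowed address, while Order Deny,Allow admits it, and that on NGINX a deny all placed first shadows every rule after it. The addresses are constructed documentation-range values.

```python
"""Offline evaluator for Apache Order/Allow/Deny and NGINX allow/deny rules."""
import ipaddress


def _matches(rule, client):
    """'all' matches every client; anything else is an address or CIDR network."""
    if rule.strip().lower() == "all":
        return True
    return client in ipaddress.ip_network(rule, strict=False)


def apache_decide(order, allows, denies, client_ip):
    """Apache mod_access (2.2; mod_access_compat in 2.4) three-pass evaluation.

    Order Deny,Allow: Deny lines first, a matching Allow overrides, unmatched -> allowed.
    Order Allow,Deny: Allow lines first, a matching Deny overrides, unmatched -> denied.
    Returns True when the request is permitted.
    """
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(r, client) for r in allows)
    denied = any(_matches(r, client) for r in denies)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


def nginx_decide(rules, client_ip):
    """NGINX access module: rules are checked in configuration order and the
    first match decides; a client that matches no rule is allowed."""
    client = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if _matches(target, client):
            return action == "allow"
    return True


# Constructed addresses from the RFC 5737 documentation ranges.
ADMIN_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"

# The article's original Apache snippet: Order Allow,Deny + Allow from x + Deny from all.
ORIGINAL_ORDER, ORIGINAL_ALLOW, ORIGINAL_DENY = "Allow,Deny", [ADMIN_IP], ["all"]
# Corrected snippet: Order Deny,Allow so the blanket Deny runs first and Allow overrides it.
FIXED_ORDER, FIXED_ALLOW, FIXED_DENY = "Deny,Allow", [ADMIN_IP], ["all"]

# NGINX: deny one host, allow the admin network, deny everyone else (deny all last).
NGINX_RULES = [("deny", OTHER_IP), ("allow", "203.0.113.0/24"), ("deny", "all")]
# Misordered NGINX rules: with deny all first, nothing after it is ever reached.
NGINX_MISORDERED = [("deny", "all"), ("allow", ADMIN_IP)]


def original_apache_admits_admin():
    """The article's original ordering, evaluated for the allowed address."""
    return apache_decide(ORIGINAL_ORDER, ORIGINAL_ALLOW, ORIGINAL_DENY, ADMIN_IP)


def fixed_apache_admits_admin():
    """The corrected ordering, evaluated for the allowed address."""
    return apache_decide(FIXED_ORDER, FIXED_ALLOW, FIXED_DENY, ADMIN_IP)


if __name__ == "__main__":
    print("Apache original,  admin IP:", original_apache_admits_admin())  # False: locked out
    print("Apache fixed,     admin IP:", fixed_apache_admits_admin())     # True
    print("Apache fixed,     other IP:", apache_decide(FIXED_ORDER, FIXED_ALLOW, FIXED_DENY, OTHER_IP))
    print("NGINX ordered,    admin IP:", nginx_decide(NGINX_RULES, ADMIN_IP))
    print("NGINX ordered,    other IP:", nginx_decide(NGINX_RULES, OTHER_IP))
    print("NGINX misordered, admin IP:", nginx_decide(NGINX_MISORDERED, ADMIN_IP))
```

The evaluator accepts single addresses and CIDR networks; Apache's partial-address forms (such as Allow from 10.1) are not modelled. Use it to sanity-check a rule set before you restart the server, since a misordered whitelist locks you out of your own application.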

[Screenshot: NGINX 403 Forbidden page]

Note: IP-based restrictions in Apache or NGINX only work as intended if you use the Public IP feature. Without it, requests reach your server through Jelastic's shared load balancer, and the source address your server compares against the rules is the balancer's rather than the visitor's.

 

Hide Apache server version

With the default configuration, Apache reveals its version publicly, both in the Server response header and in the footer of pages it generates itself. The exact Apache version, the operating system and even the list of loaded modules tell an attacker which known vulnerabilities are worth trying.

To hide this information, add two directives to your httpd.conf file.

Click Config for your Apache server and navigate to the conf folder, where the httpd.conf file is located. Open the file and add:

ServerSignature Off
ServerTokens Prod

[Screenshot: ServerSignature and ServerTokens directives in httpd.conf]

The ServerSignature directive controls the footer line Apache appends to pages it generates itself, such as 404 error pages and directory listings; Off removes it.

The ServerTokens directive determines what Apache puts in the Server response header. With the Prod value the header is reduced to Server: Apache (Prod also limits ServerSignature to the product name). You can verify the result by inspecting the response headers with curl -I or your browser's developer tools; together with expose_php = Off from the php.ini section, the X-Powered-By header that reveals the PHP version disappears as well. The equivalent for the NGINX server is server_tokens off; in nginx.conf.

It is impossible to prevent every attack, but the configurations above remove the easiest footholds. We hope these instructions help you protect your application. Do you use other settings to secure your application in the Jelastic Cloud? Please share your experience in the comments below.
