securing outward-facing website db configs

Question

I'm adding some database usage to a public facing site, and I wanted input on what the most secure way to store mysql connection information might be. I've come up with a few options:

First I could store the config in another directory, and just set the PHP include path to look for that dir. Second, I know there are some files that apache won't serve to browsers, I could use one of these types of files. Third, I could store encrypted files on the server, and decrypt them with PHP.

Any help would be much appreciated.

Answer 1

You can configure apache to disallow any files with htaccess.

in the config folder add a .htaccess with the following

order allow,deny
deny from all

If you don't want to use .htaccess as @johua k, mentions, instead add

<Directory /home/www/public/config>
    order allow,deny
    deny from all
</Directory>

to your apache config.

This will deny any files in that folder from being served to anyone, which is fine since php doesn't care about htaccess you can just

include('config/db.php')

If you properly config your php scripts, they should never appear in plain text.

so a file like

define('mysql_password', 'pass')

would never display that text.

If you are worried about a shared hosting environment and another use having access to read this file then you should evaluate the security of the linux installation and the host. Other users should have any browsing access to your file. From the web files marked php should never return source.

You can explicitly tell apache not to serve the files ever, so they would only be include() or require() able.

Answer 2

Storing the config outside of apache's document root is a must