agodoo

Reputation: 529

Apache: how to make directories 'secure'

I think this is a 'simple' question, but I would like to have a correct view of the problem.

I created an EC2 instance on Amazon using Amazon Linux AMI. Then I installed Apache and php55.

Let's consider this scenario:
- I have a PHP web application that has one configuration file, config.php, where we store some important info for the security of the application, like db credentials and login criteria.
- In some files I used include("configuration/config.php").
- I put config.php in a "/configuration" directory under /var/html, set to 775.
- config.php is actually set to 404, so that I will upgrade to 604 only if I need to make some changes, and then I will downgrade again to 404.

I would like to have config.php and the /configuration dir very secure, preventing a bad user from looking into it and getting the info inside the file. In this way I could put any 'critical' file inside that subdir.

So is there anything I can do that I haven't done yet? Is it better to put the /configuration dir outside the /var/html public dir? If yes, how?

Best regards, Matt

Upvotes: 1

Views: 76

Answers (1)

agodoo

Reputation: 529

I am posting here one more step of my testing:

In the end I did it this way (this is only for testing purposes):

In the document root I created 2 files. Both files have 664 permissions; owner = ec2-user and group = www.

index.php

<?php
/**
 * Created by PhpStorm.
 * User: matteolatitude
 * Date: 26/03/15
 * Time: 1.12
 */

include($_SERVER["DOCUMENT_ROOT"].'/global.php');
include(PHP_FILES_PATH.'config.php');
echo '<br>';

for ($i = 1; $i <= 10; $i++) {
    echo $i;
}
echo 'Calculated result: '.$somma.'<br>';

global.php

<?php
/**
 * Created by PhpStorm.
 * User: matteolatitude
 * Date: 26/03/15
 * Time: 12.36
 */
define('PHP_FILES_PATH', '/var/mytest/');

Then I created the /var/mytest dir with owner = root and group = root, with 755 permissions. Then in /var/mytest I saved config.php; this file is only a test; in the real app I will use it to store, for example, db connection data. Owner = root and group = root.

config.php

<?php
/**
 * Created by PhpStorm.
 * User: matteolatitude
 * Date: 26/03/15
 * Time: 1.15
 */

// let's see whether this script is executed as well
$somma = ''; // initialise before appending to avoid an undefined-variable notice
for ($k = 1; $k <= 4; $k++) {
    $somma .= $k*2;
}

I would like to know:

1) Does include($_SERVER["DOCUMENT_ROOT"].'/global.php') seem to be a good and secure choice? Is there a better and more secure method?

2) Are my permissions (and also owner and groups) a good choice, or would you have done it in a different way?

As you can see I'm very interested in security...

Thanks a lot, Matt

Upvotes: 1
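
A check for the two things the posts above ask about, where the config file sits relative to the document root and what its mode bits allow, as an added example that is not part of the original posts. The function name `audit_config` and the finding labels are made up for this example, and the group-owned, mode 640 layout mentioned in its comments is an assumed alternative, not something stated on the page.

```shell
#!/usr/bin/env bash
# Added example: audit where a PHP config file lives and who can touch it.
# audit_config and the finding labels are hypothetical names.

# Print the physical (symlink-resolved) directory that contains $1.
real_dir() { (cd "$(dirname "$1")" 2>/dev/null && pwd -P); }

# audit_config DOCROOT CONFIG_FILE
# Prints one finding per line; returns 0 when clean, 1 on findings, 2 on bad input.
audit_config() {
    local docroot cfg dir findings=0
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "ERROR: no such docroot: $1"; return 2; }
    [ -f "$2" ] || { echo "ERROR: no such file: $2"; return 2; }
    cfg=$2
    dir=$(real_dir "$cfg")

    # 1. A file under the document root can be requested by URL; if PHP
    #    handling ever breaks, its source is served as plain text.
    case "$dir/" in
        "$docroot"/*) echo "INSIDE_DOCROOT $cfg"; findings=1 ;;
    esac

    # 2. Nobody outside owner/group should be able to modify the file,
    #    or replace it by writing to its directory.
    [ -n "$(find "$cfg" -prune -perm -002)" ] && { echo "WORLD_WRITABLE $cfg"; findings=1; }
    [ -n "$(find "$dir" -prune -perm -002)" ] && { echo "WORLD_WRITABLE_DIR $dir"; findings=1; }

    # 3. The "other" read bit lets every local account read the secrets.
    #    Assumed alternative: group = the web server's group, mode 640.
    [ -n "$(find "$cfg" -prune -perm -004)" ] && { echo "WORLD_READABLE $cfg"; findings=1; }

    return "$findings"
}
```

Call it as `audit_config /path/to/docroot /path/to/config.php`; an empty output with exit status 0 means none of the three conditions was found.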
