The Quantum Physicist

Reputation: 26336

Secure my php files in case the php module of apache doesn't work

The other day, something happened on my website(s) and it scared me, and showed me that I have a security flaw in my Apache virtual-host setup.

I use php7.0 from DotDeb. I was running sudo apt-get upgrade on my Debian Jessie, and for some reason, the php module of apache got disabled. I didn't notice that, but the consequence was that all my php files on my website became downloadable! This creates a security risk because, for example, my database passwords became visible to the visitors of my website.

What is the correct configuration that guarantees that such an event won't happen? For example, how can I make apache fail if php is not present? Or any other solution that will not give my php files to my website visitors in such an event!

The following is my current virtual-host configuration.

<VirtualHost *:443>
    DocumentRoot /web/root/directory
    ServerName www.example.com

    <IfModule mod_rewrite.c>
      RewriteEngine On
    </IfModule>
    php_admin_flag engine on
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression off
    SSLCipherSuite AES256+EECDH:AES256+EDH

    SSLCertificateFile /path/to/cert.crt
    SSLCertificateKeyFile /path/to/key.key
    SSLCertificateChainFile /path/to/chain.chn
</VirtualHost>

Upvotes: 2

Views: 56

Answers (1)

Chris

Reputation: 5886

Maybe you want something like this?

<Directory />
    # If the PHP 7 module is not loaded, refuse every request instead of serving files as-is
    <IfModule !mod_php7.c>
        Deny from all
    </IfModule>
</Directory>

Upvotes: 1
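
A post-upgrade check for the failure described in the question, as an added example that is not part of the original question or answer. It assumes the module is listed as php7_module by `apache2ctl -M` and that curl is installed; the script name and probe URL in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: module shows up as php7_module in `apache2ctl -M`; curl is installed.

# True if the module list on stdin (as printed by `apache2ctl -M`) has php7_module.
php_module_loaded() {
    grep -Eq '^[[:space:]]*php7_module[[:space:]]'
}

# True if the response body on stdin still contains a PHP open tag,
# meaning the server sent the source instead of executing it.
leaks_php_source() {
    grep -Eq '<\?(php|=)'
}

# $1 = file holding the module list, $2 = file holding the body of a .php URL.
# Returns 0 = healthy, 2 = module missing, 3 = source served raw.
verdict() {
    if ! php_module_loaded < "$1"; then
        echo "FAIL: php7_module not loaded"; return 2
    fi
    if leaks_php_source < "$2"; then
        echo "FAIL: PHP source served raw"; return 3
    fi
    echo "OK: PHP module loaded, no source in response"
}

tmp=$(mktemp -d) || exit 1
if [ "${1:-}" = "--live" ]; then
    # Live use (placeholder names): sh check-php.sh --live https://www.example.com/index.php
    apache2ctl -M > "$tmp/mods" 2>/dev/null || : > "$tmp/mods"
    curl -fsS "$2" > "$tmp/body" || : > "$tmp/body"
    rc=0; verdict "$tmp/mods" "$tmp/body" || rc=$?
    rm -rf "$tmp"; exit "$rc"
else
    # Offline demo on constructed input: the state the question describes.
    printf ' core_module (static)\n ssl_module (shared)\n' > "$tmp/mods"
    printf '<?php $db_password = "constructed"; ?>\n' > "$tmp/body"
    verdict "$tmp/mods" "$tmp/body" || true
    rm -rf "$tmp"
fi
```

Run with `--live` right after a package upgrade, a non-zero exit status can gate the upgrade job or raise an alert before visitors hit the site.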
