{{tag>Brouillon Php Sécurité}}

= Notes php.ini

<code ini>
; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized. 
short_open_tag = Off

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).  It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off


date.timezone = 'Europe/Paris'

Voir https://www.dokuwiki.org/install:php

et 

https://www.zabbix.com/documentation/2.0/manual/installation/install

Apparemment le "safe mode" et remplacé par : 
disable_functions =

http://php.net/disable-functions

http://php.net/disable-classes

max_execution_time 
memory_limit = 
max_input_time = 
default_socket_timeout = 

; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT


sql.safe_mode =
</code>


http://www.thonky.com/how-to/prevent-base-64-decode-hack/
<code ini>
allow_url_fopen=Off
allow_url_include=Off
open_basedir = On
register_globals = Off
exec = Off
shell_exec = Off
allow_url_fopen = Off
allow_url_include = Off

allow_url_fopen = off
allow_url_include = off


display_errors = Off       //safe to disable on live site
register_globals = Off    //off by default but a good reminder to check
expose_php = Off         //safe to disable
allow_url_fopen = Off    //might break something
allow_url_include = Off  //might break something
log_errors = On           //logging errors is always a good idea if you check them
error_log = /var/log/phperror.log
enable_dl = Off           //might break something

file_uploads = Off //will most likely break something

disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,php
disable_functions = =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,allow_url_fopen

exec, passthru, shell_exec, system, proc_open, posix_mkfifo, pg_lo_import, dbmopen, dbase_open, popen, chgrp, chown, chmod, symlink, pcntl_exec,
apache_child_terminate, apache_setenv, define_syslog_variables, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
posix_setuid, posix_uname, proc_close, pclose, proc_nice, proc_terminate, shell_exec

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, phpinfo, gzinflate, fsockopen, pfsockopen


apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, syslog, system, xmlrpc_entity_decode, ini_set



disable_functions = "ln, cat, popen, pclose, posix_getpwuid, posix_getgrgid, posix_kill, parse_perms, system, dl, passthru, exec, shell_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, escapeshellcmd, escapeshellarg, show_source, posix_mkfifo, mysql_list_dbs, get_current_user, getmyuid, pconnect, link, symlink, pcntl_exec, ini_alter, pfsockopen, leak, apache_child_terminate, posix_kill, posix_setpgid, posix_setsid, posix_setuid, proc_terminate, syslog, fpassthru, stream_select, socket_select, socket_create, socket_create_listen, socket_create_pair, socket_listen, socket_accept, socket_bind, socket_strerror, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, openlog, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, chmod, file_upload, delete, deleted, edit, fwrite, cmd, rename, unlink, mkdir, mv, touch, cp, cd, pico"

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,parse_ni_file,show_source,phpinfo,proc_open,base64_decode,base64_encodem,proc_terminate;

base64_decode

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
</code>


http://www.totalcomputersusa.com/2012/05/evalbase64_decodehardening-php-how-to-protect-your-site-and-your-visitors/

<code ini>
allow_url_include = Off
allow_url_fopen = Off
session.use_only_cookies = 1
session.cookie_httponly = 1
expose_php = Off
display_errors = Off
register_globals = Off
disable_functions = escapeshellarg, escapeshellcmd,passthru, proc_close, proc_get_status, proc_nice, proc_open,proc_terminate
</code>

== Socket Listen

Voir :
* http://manpagesfr.free.fr/man/man2/listen.2.html
* http://www.saltwaterc.eu/nginx-php-fpm-for-high-loaded-websites.html
* http://serverfault.com/questions/518862/will-increasing-net-core-somaxconn-make-a-difference

''/etc/php-fpm.d/www.conf''
<code ini>
listen.backlog = -1
</code>

<code bash>
man 2 listen
php-fpm -tt -y /etc/php-fpm.conf
</code>

<code bash>
cat /proc/sys/net/core/somaxconn
</code>


<code bash>
sysctl net.core.somaxconn=1024
</code>

Valeur possibles :
* 128
* 1024
* 65535