7

I had a terrifying issue a few days ago. I was installing updates on my Ubuntu server, which is a host for about 10 websites. During the update, something went wrong, and Apache's mod_php became disabled. As a result, PHP support was gone, and for a few minutes (until I figured out what was wrong) users got an invitation to download PHP scripts instead of seeing a website. Needless to say, there is nothing worse than exposing your script sources to the whole world, especially when database credentials are kept inside.

The question: How can I configure Apache so that this situation would not be possible in the future? What lines should I add to apache2.conf so that PHP files could not be downloaded if mod_php is disabled?

1
  • 2
    I think you should probably just down your apache when you are upgrading =| Commented Dec 2, 2010 at 10:09

2 Answers 2

9

Just add the following to the .htaccess in the root directory:

php_admin_flag engine on

In this case the user will get an HTTP 500 error when trying to read any file from this dir and below, because no module defines the php_admin_flag directive when mod_php is off.

3 Comments

Interesting approach; I think what I propose below is still a better approach, as it will work without .htaccess files being enabled at all.
Thanks, great idea. Will this work in a global configuration (apache2.conf)? I don't want to forget to edit a .htaccess file and end up with the same result...
@Silver Light: yes, it will work in apache2.conf also, but disabling the PHP module in this case will prevent the whole server from starting.
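
The fail-closed idea from this answer and its comments, written out for apache2.conf as an added example that is not part of the original thread. It assumes Apache 2.4 syntax, mod_php as the only PHP handler on the server, `/var/www` as the document root, and `mod_php5.c` as the module identifier; all four are assumptions to adjust for the actual install.

```apache
# Added example, not from the original answer. Paths and module names below
# are assumptions: /var/www as document root, mod_php5.c as the PHP module.

# Variant A: the approach from the answer, moved into the server config.
# php_admin_flag is a directive that only mod_php defines, so if the module
# is missing Apache rejects the configuration and does not start at all
# (the trade-off pointed out in the comment above). Uncomment to use it.
#
# <Directory /var/www>
#     php_admin_flag engine on
# </Directory>

# Variant B: keep the server running, but refuse to hand out script files.
# This block is only active when the PHP module is NOT loaded. In that state
# every request for a PHP-style file gets 403 Forbidden instead of the raw
# source, while static content on the same vhosts stays available.
<IfModule !mod_php5.c>
    <FilesMatch "\.ph(p[0-9]?|tml)$">
        Require all denied
        # On Apache 2.2 the equivalent is:
        #   Order allow,deny
        #   Deny from all
    </FilesMatch>
</IfModule>

# Module identifier by PHP major version (use the one that is installed):
#   PHP 5: mod_php5.c   PHP 7: mod_php7.c   PHP 8: mod_php.c
# If PHP runs through another handler (for example FPM), this negative test
# would match permanently, so the guard only fits a mod_php-only setup.
```

After editing, `apachectl configtest` confirms the file parses before the server is reloaded.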
5

A more secure approach would be simply to not put things you don't want accessed in the document root in the first place. See my answer here which provides more detail; the basic idea is, if you don't ever want a file accessed via URL, don't put the damn file in a URL accessible place. 99% of your app code should not be under the document root; then it doesn't really matter what you do to your apache/php setup, you're still safe.

2 Comments

Very good advice, thanks. This does not quite solve the problem, because I must at least put index.php in the document root, mustn't I?
Yes, but you're not trying to protect that; or rather, nothing important would be there. My index.php has about 2 lines, which just creates a controller and calls it; this takes care of everything else.
