Dump the code

Fine-tuning security settings

Created 9 months ago
Posted By admin
3min read
Fine-tuning security settings in PHP-FPM is essential to enhance the security posture of your PHP applications and server environment. Here are some key security-related settings you might consider adjusting in your pool config:

security.limit_extensions:
   - Lists the file extensions that PHP-FPM will execute; requests for scripts with any other extension are refused.
   - Restricting the list prevents uploaded files that carry a non-PHP extension (an image or text file, for example) from being run as PHP.

security.limit_extensions = .php .php3

env[PATH]:
Defines environment variables for the PHP-FPM worker processes. Setting PATH explicitly means workers do not inherit whatever PATH the master process was started with, which avoids insecure or overly broad search paths.

env[PATH] = /usr/local/bin:/usr/bin:/bin

rlimit_files:
Limits the maximum number of open file descriptors a PHP-FPM worker may hold. This bounds the damage of file descriptor exhaustion, whether caused by a bug or by a deliberate denial-of-service attempt.

rlimit_files = 1024

rlimit_core:
Sets the core dump size limit for worker processes. A core dump is a copy of the worker's memory, so limiting its size (or disabling dumps entirely) keeps a crash triggered by an attacker from filling the disk with large dumps and from leaving process memory on disk.

rlimit_core = 0  ; 0 disables core dumps; raise it only while actively debugging a crash

catch_workers_output:
   - Redirects the stderr output of PHP-FPM child processes to the main error log.
   - Capturing worker output can help in debugging and identifying potential issues.

catch_workers_output = yes

clear_env:
Controls whether workers inherit the master process's environment. With "no", all environment variables of the master are passed through to PHP; with "yes" (the default), workers start with a clean environment containing only the env[...] entries defined in the pool.

clear_env = yes

php_admin_value and php_admin_flag:
Set PHP INI values and flags for this pool only, overriding the global php.ini. The php_admin_* forms cannot be changed later by the application through ini_set() or .user.ini, whereas php_value and php_flag can, so security-relevant directives belong in the php_admin_* forms.

php_admin_flag[display_errors] = off
php_admin_flag[expose_php] = off
php_admin_flag[log_errors] = on
php_admin_value[upload_max_filesize] = 20M
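As an added example (not part of the original post), a small audit script that reads a pool configuration and reports the weaknesses discussed above: non-PHP extensions in security.limit_extensions, rlimit_core = unlimited, clear_env = no, and sensitive directives set with php_flag/php_value instead of the php_admin_* forms. The pool text embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample pool (not a real deployment) containing the weaknesses the post warns about.
SAMPLE_POOL = """
[www]
user = www-data
listen = /run/php/php8.2-fpm.sock
security.limit_extensions = .php .php3 .html
rlimit_core = unlimited
clear_env = no
php_flag[display_errors] = off
php_admin_flag[log_errors] = on
"""

PHP_EXTENSIONS = {".php", ".phar", ".php3", ".php4", ".php5", ".phtml"}
# Directives an application could re-enable via ini_set() when set with php_flag/php_value
# rather than php_admin_flag/php_admin_value.
MUST_BE_ADMIN = {"display_errors", "expose_php", "allow_url_include", "open_basedir"}


def parse_pool(text):
    """Return {directive: value}; blank lines, comments (; or #) and [pool] headers are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_pool(text):
    """Return a list of findings; an empty list means the pool passes every check."""
    s = parse_pool(text)
    findings = []
    # security.limit_extensions defaults to ".php .phar"; an empty value disables the check.
    exts = s.get("security.limit_extensions", ".php .phar").split()
    if not exts or any(e not in PHP_EXTENSIONS for e in exts):
        findings.append("security.limit_extensions allows non-PHP extensions: %r" % exts)
    if s.get("rlimit_core", "0") == "unlimited":
        findings.append("rlimit_core = unlimited; core dumps expose worker memory, set 0")
    if s.get("clear_env", "yes") != "yes":
        findings.append("clear_env = no; workers inherit the master's environment")
    for key in s:
        m = re.fullmatch(r"php_(flag|value)\[(\w+)\]", key)
        if m and m.group(2) in MUST_BE_ADMIN:
            findings.append("%s can be overridden by ini_set(); use php_admin_%s" % (key, m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit_pool(SAMPLE_POOL):
        print("FINDING:", finding)
```

Run it against a real pool file by passing the file's contents to audit_pool() instead of SAMPLE_POOL.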

After making changes to the PHP-FPM configuration, restart PHP-FPM to apply the new settings:

sudo systemctl restart php8.2-fpm  # Adjust the version number

Always carefully review and test security-related changes to ensure that they do not negatively impact your applications and that they effectively enhance the security of your PHP environment. Regularly monitor system logs and conduct security audits to identify and address potential vulnerabilities.