Fine-tuning security settings in PHP-FPM is essential to enhance the security posture of your PHP applications and server environment. Here are some key security-related settings you might consider adjusting in your pool config:
security.limit_extensions:
- Specifies a list of file extensions that are allowed to be executed by PHP.
- Limiting the allowed extensions can help prevent the execution of potentially malicious files.
security.limit_extensions = .php .php3
env[PATH]:
Defines the environment variables for PHP-FPM processes. Setting the PATH environment variable explicitly can help prevent insecure PATH configurations.
env[PATH] = /usr/local/bin:/usr/bin:/bin
rlimit_files:
Limits the maximum number of open file descriptors that a PHP-FPM process can have. This helps mitigate risks associated with file descriptor exhaustion attacks.
rlimit_files = 1024
rlimit_core:
Sets the core dump size limit. Limiting core dump size can help prevent attackers from exploiting vulnerabilities to create excessively large core dumps.
rlimit_core = unlimited
catch_workers_output:
- Redirects the stderr output of PHP-FPM child processes to the main error log.
- Capturing worker output can help in debugging and identifying potential issues.
catch_workers_output = yes
clear_env:
If set to "no," it retains the environment variables for PHP-FPM processes. Setting it to "yes" ensures a clean environment for PHP processes.
clear_env = yes
php_admin_value and php_admin_flag:
Sets PHP INI values and flags specifically for the PHP-FPM pool. These override values set in the global php.ini.
php_flag[display_errors] = off
php_flag[expose_php] = off
php_admin_flag[log_errors] = on
php_admin_value[upload_max_filesize] = 20M
After making changes to the PHP-FPM configuration, restart PHP-FPM to apply the new settings:
sudo systemctl restart php8.2-fpm # Adjust the version number
Always carefully review and test security-related changes to ensure that they do not negatively impact your applications and that they effectively enhance the security of your PHP environment. Regularly monitor system logs and conduct security audits to identify and address potential vulnerabilities.