Difference between revisions of "PHP hardening"
From CMU ITSC Network
(Created page with "= การตั้งค่า PHP เพื่อให้มีความปลอดภัยมากขึ้น = == Docker image พื้นฐาน == FROM php:...") |
|||
| Line 2: | Line 2: | ||
== Docker image พื้นฐาน == | == Docker image พื้นฐาน == | ||
| + | <syntaxhighlight lang=dockerfile> | ||
FROM php:8.2.6-apache | FROM php:8.2.6-apache | ||
| Line 7: | Line 8: | ||
RUN set -x \ | RUN set -x \ | ||
| − | + | && apt-get update \ | |
| − | + | && apt-get install -y libmagickwand-dev libldap2-dev libjpeg-dev libpng-dev libzip-dev libicu-dev libbz2-dev \ | |
| − | + | && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \ | |
| − | + | && docker-php-ext-install ldap \ | |
| − | + | && docker-php-ext-configure gd --with-jpeg \ | |
| − | + | && docker-php-ext-install gd \ | |
| − | + | && docker-php-ext-install mysqli \ | |
| − | + | && docker-php-ext-install pdo_mysql \ | |
| − | + | && docker-php-ext-install opcache \ | |
| − | + | && docker-php-ext-install zip \ | |
| − | + | && docker-php-ext-install bz2 \ | |
| − | + | && docker-php-ext-install bcmath \ | |
| − | + | && docker-php-ext-install intl \ | |
| − | + | && docker-php-ext-install gettext \ | |
| − | + | && pecl install apcu \ | |
| − | + | && echo "extension=apcu.so" > /usr/local/etc/php/conf.d/apcu.ini \ | |
| − | + | && pecl install -o -f imagick \ | |
| − | + | && docker-php-ext-enable imagick \ | |
| − | + | && rm -rf /var/lib/apt/lists/* | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \ | RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \ | ||
| − | |||
&& a2enmod remoteip \ | && a2enmod remoteip \ | ||
| − | |||
&& a2enmod rewrite \ | && a2enmod rewrite \ | ||
| − | |||
&& a2enmod headers \ | && a2enmod headers \ | ||
| − | |||
&& echo 'LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined' | tee "$APACHE_CONFDIR/conf-available/xff.conf" \ | && echo 'LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined' | tee "$APACHE_CONFDIR/conf-available/xff.conf" \ | ||
| − | |||
&& a2enconf xff.conf \ | && a2enconf xff.conf \ | ||
| − | |||
&& echo "ServerSignature Off" | tee "$APACHE_CONFDIR/conf-available/serversigoff.conf" \ | && echo "ServerSignature Off" | tee "$APACHE_CONFDIR/conf-available/serversigoff.conf" \ | ||
| − | |||
&& echo "ServerTokens Prod" | tee -a "$APACHE_CONFDIR/conf-available/serversigoff.conf" \ | && echo "ServerTokens Prod" | tee -a "$APACHE_CONFDIR/conf-available/serversigoff.conf" \ | ||
| − | |||
&& echo "SetEnvIf X-Forwarded-Proto \"https\" HTTPS=on" | tee "$APACHE_CONFDIR/conf-available/ssloffload.conf" \ | && echo "SetEnvIf X-Forwarded-Proto \"https\" HTTPS=on" | tee "$APACHE_CONFDIR/conf-available/ssloffload.conf" \ | ||
| − | |||
&& a2enconf ssloffload.conf \ | && a2enconf ssloffload.conf \ | ||
| − | |||
&& a2enconf serversigoff.conf \ | && a2enconf serversigoff.conf \ | ||
| − | |||
&& ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone | && ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone | ||
| + | </syntaxhighlight> | ||
Revision as of 08:14, 25 May 2023
การตั้งค่า PHP เพื่อให้มีความปลอดภัยมากขึ้น
Docker image พื้นฐาน
FROM php:8.2.6-apache
ENV TZ=Asia/Bangkok
RUN set -x \
&& apt-get update \
&& apt-get install -y libmagickwand-dev libldap2-dev libjpeg-dev libpng-dev libzip-dev libicu-dev libbz2-dev \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \
&& docker-php-ext-install ldap \
&& docker-php-ext-configure gd --with-jpeg \
&& docker-php-ext-install gd \
&& docker-php-ext-install mysqli \
&& docker-php-ext-install pdo_mysql \
&& docker-php-ext-install opcache \
&& docker-php-ext-install zip \
&& docker-php-ext-install bz2 \
&& docker-php-ext-install bcmath \
&& docker-php-ext-install intl \
&& docker-php-ext-install gettext \
&& pecl install apcu \
&& echo "extension=apcu.so" > /usr/local/etc/php/conf.d/apcu.ini \
&& pecl install -o -f imagick \
&& docker-php-ext-enable imagick \
&& rm -rf /var/lib/apt/lists/*
RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" \
&& a2enmod remoteip \
&& a2enmod rewrite \
&& a2enmod headers \
&& echo 'LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined' | tee "$APACHE_CONFDIR/conf-available/xff.conf" \
&& a2enconf xff.conf \
&& echo "ServerSignature Off" | tee "$APACHE_CONFDIR/conf-available/serversigoff.conf" \
&& echo "ServerTokens Prod" | tee -a "$APACHE_CONFDIR/conf-available/serversigoff.conf" \
&& echo "SetEnvIf X-Forwarded-Proto \"https\" HTTPS=on" | tee "$APACHE_CONFDIR/conf-available/ssloffload.conf" \
&& a2enconf ssloffload.conf \
&& a2enconf serversigoff.conf \
&& ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
