在CentOS上为PHP实现安全连接,通常涉及到以下几个方面:
使用HTTPS协议:
配置PHP安全设置:
open_basedir限制PHP脚本可以访问的文件目录。exec(), system(), shell_exec()等。使用安全的数据库连接:
使用安全的文件上传:
配置防火墙:
firewalld或iptables限制对服务器的访问。定期更新系统和软件:
以下是一些具体的步骤:
sudo yum install certbot python2-certbot-apache
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
/etc/pki/tls/certs/和/etc/pki/tls/private/)。/etc/httpd/conf.d/ssl.conf),添加以下内容:<VirtualHost *:443>
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/yourdomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/yourdomain.com.chain
...
</VirtualHost>
编辑php.ini文件(通常位于/etc/php.ini),进行以下配置:
; 限制PHP脚本可以访问的目录
open_basedir = /var/www/html/:/tmp/
; 禁用危险函数
disable_functions = exec,passthru,shell_exec,system
; 配置错误处理
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
$mysqli = new mysqli("localhost", "user", "password", "database");
if ($mysqli->connect_error) {
die("Connection failed: " . $mysqli->connect_error);
}
// 使用预处理语句
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
$stmt->bind_param("s", $value);
$stmt->execute();
$stmt->close();
$mysqli->close();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
$file = $_FILES['file'];
$uploadDirectory = '/var/www/html/uploads/';
if ($file['error'] === UPLOAD_ERR_OK) {
$fileName = basename($file['name']);
$uploadFile = $uploadDirectory . $fileName;
if (move_uploaded_file($file['tmp_name'], $uploadFile)) {
echo "File is valid, and was successfully uploaded.\n";
} else {
echo "Possible file upload attack!\n";
}
} else {
echo "Error uploading file: " . $file['error'] . "\n";
}
}
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo service iptables save
sudo yum update
通过以上步骤,你可以在CentOS上为PHP实现一个相对安全的环境。
