Re: How to limit source IP in PHP

On 12/09/2012 17:52, Tommy Pham wrote:
On Wed, Sep 12, 2012 at 7:18 AM, Tonix (Antonio Nati)
<tonix@xxxxxxxxxxxxxx> wrote:
On 12/09/2012 16:08, Tommy Pham wrote:

On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati)
<tonix@xxxxxxxxxxxxxx> wrote:
Is there a way to force a PHP script to bind to a prefixed IP?

Actually, while you can assign more IPs to Apache for listening, assigning
domains to specific IPs, it looks like any PHP script can freely choose
which IP to bind to. Instead I'd love for some domains to be permitted to open
connections only from the domain's IP.

In FreeBSD I do it easily, setting up dedicated jails for domains. But how
to do it simply using PHP on Linux?

Regards,

Tonino

   ------------------------------------------------------------
          Inter@zioni            Interazioni di Antonio Nati
     http://www.interazioni.it      tonix@xxxxxxxxxxxxxx
------------------------------------------------------------

1) Use Listen in Apache
2) Use VM such as KVM, VMWare, etc.
3) Make an array containing permissible domains.  Check the
$_SERVER['SERVER_NAME'] if exists in that array.  React/respond
accordingly.

1) is only for listening.
2) means a VPS for each domain, which we already do with VMware and FreeBSD
jails, but it is too expensive for some customers.
3) means I'm writing the script, which is not the standard situation.

You must suppose the script to be written by a malicious user in a shared
environment.

Is PHP able to 'force' the binding IP? I hoped there was an external directive I
did not see, but probably this is something PHP lacks.

Regards,

Tonino



2) Previously you've mentioned that you were able to do that in
FreeBSD jails.  IIRC, the jails are similar to VMs in regards to
isolation of the environment and a dedicated IP for that environment.  It
seems that you want something that is equivalent to jails and VMs but
not actual VMs/jails.  Are you referring to one application with a single
installation that is used in multiple virtual domains, and you expect the
application to act/respond accordingly to the requests for each
virtual domain?


Yes, I'm thinking of low-cost shared web hosting for people who have limited needs and don't want to spend more for a VM or a jail.

In this environment, a well-tailored suexec, with a different UID and group for each user, does an excellent job of protecting disk areas, so the only point that remains uncovered is limiting network access:

 * if you have internal interfaces in the same machine where you have
   public IPs, a PHP web application could try to use the internal
   address of the interface, exploring the internal network (we avoid that
   thanks to jails).
 * if Apache listens on a specific IP for a single domain, and listens
   on other IPs for other domains, it would be safe if each domain could
   use only its associated listening IP as source IP.

In our specific case, we always use jails, so each Apache is always within a jail and cannot explore other interfaces. When customers ask for a dedicated IP, we set up another jail, but that also means one Apache server for each domain, and it is justified only for big websites.

So, it would be nice if there existed something that could force a specific source IP or could force the use of the listening IP (or both options) on any network binding operation. Of course a script could use external commands (like ping or telnet) and escape this check, so we don't have complete security unless we disable every network tool... but it would be a good start.

Regards,

Tonino

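The message above describes the gap exactly: suexec gives each customer a UID, but nothing stops that UID's sockets from binding to an internal interface, and a check inside PHP would not catch ping or telnet anyway. On Linux the closest equivalent to the jail behaviour is to enforce the policy in the kernel per UID rather than in PHP, using the iptables owner match (nftables has the same thing as `meta skuid`). The script below is an added example, not code from the thread or from PHP; the UID 10001, the public address 203.0.113.10 and the resolver 10.0.0.53 are constructed placeholders. Without APPLY=1 it only prints the rules, so it can be reviewed without root.

```sh
#!/bin/sh
# Per-UID network confinement for a suexec-style shared PHP host on Linux.
# Added example, not code from the thread or from PHP. Assumptions (all constructed):
#   - every customer's scripts run under their own UID (suexec / suPHP / php-fpm pool)
#   - the customer's dedicated public address is 203.0.113.10
#   - the host's internal resolver lives at 10.0.0.53 and must stay reachable
# Without APPLY=1 the script only prints the iptables commands, so it can be
# reviewed or tested without root; with APPLY=1 it runs them.

CUSTOMER_UID=10001         # hypothetical UID assigned by suexec for this vhost
CUSTOMER_IP=203.0.113.10   # hypothetical dedicated IP of the vhost
RESOLVER=10.0.0.53         # hypothetical internal DNS server

# customer_rules UID IP RESOLVER
# Prints one iptables command per line. Order matters: the resolver ACCEPTs must
# precede the RFC1918 REJECTs, and filter/OUTPUT rules are evaluated before
# nat/POSTROUTING, so the internal-network block sees the address the script
# actually bound to (e.g. 10.0.0.5), not the rewritten one.
customer_rules() {
    uid="$1"; ip="$2"; resolver="$3"
    # Keep DNS working even though the resolver sits inside a blocked range.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -d $resolver/32 -p udp --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -d $resolver/32 -p tcp --dport 53 -j ACCEPT"
    # Anything this UID sends towards internal ranges is refused, whatever
    # program sent it (PHP sockets, curl, ping, telnet): the match is on the
    # socket owner, not on the binary.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -d $net -j REJECT --reject-with icmp-admin-prohibited"
    done
    # Every remaining packet from this UID leaves with the customer's IP as
    # source, regardless of which local address the script bound to.
    # Loopback is excluded so 127.0.0.1 services (local MySQL etc.) still answer.
    echo "iptables -t nat -A POSTROUTING -m owner --uid-owner $uid ! -o lo -j SNAT --to-source $ip"
}

# apply_rules UID IP RESOLVER : run each generated command (needs root).
# The while loop runs in a pipeline subshell, so a failed command exits it
# and the function returns non-zero.
apply_rules() {
    customer_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$CUSTOMER_UID" "$CUSTOMER_IP" "$RESOLVER"
else
    customer_rules "$CUSTOMER_UID" "$CUSTOMER_IP" "$RESOLVER"
fi
```

To check the result, run something as that UID that picks a source address explicitly, for instance `curl --interface 10.0.0.5 http://10.0.0.20/`: the REJECT rule refuses it before any packet leaves, and a connection to an external host shows up on the far side with 203.0.113.10 whatever the script bound to. Two caveats: the owner match only applies to locally generated packets, so it does nothing for a separate machine, and `--uid-owner` follows the UID, so every program the customer can execute is covered but a setuid binary is not.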


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
