使用PHP/MySQLI/Apache时在哪里安全地存储证书/密钥? [英] Where to securely store certs/keys when using PHP/MySQLI/Apache?

问题描述

我在SSL连接上使用mysqli的Web服务器(Apache/PHP)和数据库服务器(MySQL)分别运行良好.在框架内数据库连接库中的ssl_set()函数中，我可以指定key/pem文件的路径，只要它在docroot中即可.如果文件在docroot之外，我显然无法访问它们，并且连接失败.

I have separate web (Apache/PHP) and database (MySQL) servers using mysqli over an SSL connection working nicely. In the ssl_set() function in the database connection library within the framework, I can specify the path to the keys/pem files as long as it's within the docroot. If the files are outside the docroot, I obviously cannot access them, and the connection fails.

在apache docroot之外存储和访问mysql客户端ssl密钥的最安全方法是什么?

What is the most secure method for storing and accessing mysql client ssl keys outside the apache docroot?

是否可以安全地使用"ini_set"，从而可以即时"允许该访问然后删除该参数?还是应该使用符号链接?

Is there a secure use of "ini_set" whereby I can allow that access "on the fly" and then remove that parameter? Or should I use symlinks?

我正在这里寻找最佳实践.我想这个问题不仅限于证书密钥，而是我想确保您知道我的特定用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

谢谢！

推荐答案

我正在这里寻找最佳实践.我想这个问题不仅限于证书密钥，而是我想确保您知道我的特定用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

这个问题进入了一个领域，安全专家将针对不同的威胁模型权衡取舍，因此对于安全的凭据管理没有正确的答案".但是，有很多明显错误的答案.

This problem gets into a the territory where security experts will split hairs over trade-offs against different threat models, so there is no "one right answer" for secure credential management. However, there are a ton of obviously wrong answers.

Chris Cornutt发表了一篇有关使用Docker保护PHP凭据的文章我强烈建议您阅读有关解决凭证管理所涉及的威胁和策略的背景信息.

Chris Cornutt published an article about securing PHP credentials with Docker that I highly recommend reading for background information about the threats and strategies involved in solving credential management.

通常， psecio/secure_dotenv 可以为大多数用户解决此问题.这是一个用于管理凭据的开源库，该凭据存储了静态加密的凭据.

In general, psecio/secure_dotenv will solve this problem for most users. This is an open source library for managing credentials that stores them encrypted at-rest.

如果您需要更高级的产品(或与Vault等产品集成)，则可能需要请安全专家来审查您的设计和实现.

If you need something fancier (or to integrate with a product, e.g. Vault), you may want to ask a security expert to review your designs and implementations.

这篇关于使用PHP/MySQLI/Apache时在哪里安全地存储证书/密钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！