Where should I place sensitive files so that they are readable by PHP scripts?


Problem description


I am on a Parallels/Plesk VPS host, and this is a really newbie question.

The webroot is at:

/var/www/vhosts/my-domain-name/httpdocs

There is also a path called:

/var/www/vhosts/my-domain-name/private/

But PHP scripts can't seem to read files in there.

From my understanding, any file placed within the webroot is in danger of being served to the public if requested by its web-path/filename. I am vaguely aware of the use of .htaccess files to tell Apache not to serve certain files/dirs.

But can (or should) I place my sensitive file somewhere outside of the webroot, while still allowing it to be read by PHP scripts?

Thank you!

Here were my errors when trying to read a file within the "private" folder above:

Warning: file() [function.file]: open_basedir restriction in effect. File(../../private/test.txt) is not within the allowed path(s): (/var/www/vhosts/blah.com/httpdocs:/tmp) in /var/www/vhosts/blah.com/httpdocs/misc/testscript.php on line 8

Warning: file(../../private/test-dt.txt) [function.file]: failed to open stream: Operation not permitted in /var/www/vhosts/blah.com/httpdocs/misc/testscript.php on line 8

UPDATE: SOLVED

Picto at reddit/r/PHPHelp gave me what I needed, and it is specific to Plesk systems. I had to write a file called vhost.conf placed in the conf folder which exists at the same level as httpdocs. And in the vhost.conf, I used:

<Directory /var/www/vhosts/my-domain-name/httpdocs>
php_admin_value open_basedir /var/www/vhosts/my-domain-name/httpdocs:/tmp:/var/www/vhosts/my-domain-name/myfolder
</Directory>

So I now place my sensitive files in "myfolder", which is outside of the webroot (httpdocs). After this, to make these settings take effect (restarting Apache doesn't work), there are some Plesk-specific commands to give; see: http://www.gadberry.com/aaron/2006/02/09/plesk_vhost/

Solution

It's a good practice to store sensitive data outside the Apache document root.

You need to allow PHP to access these folders by adding or modifying the Virtual Host configuration.

Look for php_value open_basedir

and add your folders separated by a colon (:)

More info at open_basedir

Note: there are a few security issues with open_basedir, explained in

http://www.hardened-php.net/advisory_012004.42.html

EDIT:

I use this tree structure for each domain:

domain/            www-data permissions
├── etc            r-x
├── log            rwx
├── phpCache       rwx
├── phpFiler       rwx
├── phpInclude     r-x
├── phpLogs        rwx
├── phpSession     rwx
├── phpTmp         rwx
├── phpTrash       rwx
├── privat         --- 
├── www443         r-x
└── www80          r-x

etc: for application configuration files.

log: for Apache or nginx log files

phpCache: for Zend_Cache files

phpFiler: for app's files, a PHP script serves it if the user has privileges.

phpInclude: php_value include_path

phpLogs: for application logs

phpSessions: for storing this virtual host's session data.

phpTmp: for temporary files, like uploads.

phpTrash: a trash for phpFiler.

privat: for my private purposes

www443: for https document root

www80: for http document root

In the open_basedir clause I put all folders except log and privat.
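
The layout from the answer's EDIT combined with the open_basedir line from the question's vhost.conf, as an added shell example that is not part of the original posts. It assumes each directory is group-owned by www-data, so the group bits carry the permissions column; the function names, the numeric modes and the use of both document roots in the `<Directory>` blocks are illustrative choices.

```shell
#!/bin/sh
# Added example: builds the per-domain layout from the answer and prints the
# matching open_basedir value. Assumption: each directory is group-owned by
# www-data, so the group bits carry the "www-data permissions" column.

# name:mode pairs. 750 = r-x for the group, 770 = rwx, 700 = no group access.
LAYOUT="etc:750 log:770 phpCache:770 phpFiler:770 phpInclude:750 phpLogs:770
phpSession:770 phpTmp:770 phpTrash:770 privat:700 www443:750 www80:750"

# make_layout BASE [GROUP]: create the tree; chgrp only when GROUP is given.
make_layout() {
    base=$1
    group=${2:-}
    for entry in $LAYOUT; do
        dir=$base/${entry%%:*}
        mkdir -p "$dir" || return 1
        chmod "${entry##*:}" "$dir" || return 1
        if [ -n "$group" ]; then chgrp "$group" "$dir" || return 1; fi
    done
}

# open_basedir_value BASE: every folder except log and privat, colon-separated.
open_basedir_value() {
    base=$1
    out=
    for entry in $LAYOUT; do
        name=${entry%%:*}
        case $name in log|privat) continue ;; esac
        out=${out:+$out:}$base/$name
    done
    printf '%s\n' "$out"
}

# vhost_block BASE: <Directory> stanzas in the form used in the question,
# one per document root of this layout (an assumption of this example).
vhost_block() {
    for root in www80 www443; do
        printf '<Directory %s/%s>\n' "$1" "$root"
        printf 'php_admin_value open_basedir %s\n' "$(open_basedir_value "$1")"
        printf '</Directory>\n'
    done
}
```

Running `make_layout /path/to/domain www-data` as a user allowed to change group ownership, then `vhost_block /path/to/domain`, yields the tree and the stanzas to review before placing them in vhost.conf.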
