Securely Run Cron Jobs with Zend Framework

Problem description

I've seen plenty of posts about cron and ZF but most of the solutions leave the job to be run available to triggering by the public.

What if you want to set up an action that can ONLY be run by cron? Not by some anonymous user and not by someone that has to log in?

The solution I am using involved putting a file outside of my web root, having it bootstrap enough of the ZF to use what I need (like, I don't need the view) and then hit that from cron. My questions are, is this a "best practice" way to do this? What if you needed to make the code accessible over the web but still need to prevent random users from finding and running it?

For illustration, here is what I am doing (that works) for a cron job run from the php command line, and on the same server, something like this:

* 10 * * * php /Apps/ZF/cronjobs/crontest.php

Webroot is: /Apps/ZF/someproject/

crontest.php:

<?php
ini_set('include_path', ini_get('include_path') . ':/Apps/ZF/someproject/library');

define('APPLICATION_PATH','/Apps/ZF/someproject/application');
define('APPLICATION_ENVIRONMENT','test');

//Include the loader (for loading ZF resources)
require_once 'Zend/Loader.php';

//Include the model (to access the Sites model in this case)
require_once(APPLICATION_PATH . '/models/Planets.php');

Zend_Loader::registerAutoload();

$configuration = new Zend_Config_Ini(
    APPLICATION_PATH . '/config/config.ini',
    APPLICATION_ENVIRONMENT
);

// DB adapter
$dbAdapter = Zend_Db::factory($configuration->database);

// DB table setup
Zend_Db_Table_Abstract::setDefaultAdapter($dbAdapter);

// Whatever code we want to run... 
$test = new Model_Planets();

$test->fetchEntries();

Zend_Debug::dump($test);
?>

So, as I said, this works so I'm not looking for someone to write me a solution... just curious about doing this "better". Also, what if I needed this to be accessible via the web but still want to keep it only runnable by cron? What about making it more flexible (because here I am hard coding a few paths that I suspect could be made more dynamic)?

I assume I could make a list of permitted servers, then test that with $_SERVER['REMOTE_ADDR']?

What do you all think? Suggestions? I work alone so I have no colleague to ask for help on this... SO is my colleague, in a way.

Recommended answer

One way is to set an environmental variable.

So in your crontab

SCRIPT_RUN_ENV=cron
# Whatever your line is
* * * * * foo.php

Then, in the application, just check that:

if (getenv('SCRIPT_RUN_ENV') != 'cron') {
    echo "Program cannot be run manually\n";
    exit(1);
}



Now, anyone can set their environmental variable to that value and successfully run the cron, but it should stop the trivial running (or accidental)...

But also note that anyone who can edit the environmental variable on the server can already execute it, so there's no real way to secure it from that angle (none that are automated at least)... It's also worth noting that you cannot inject an environmental variable through HTTP.
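
A guard that combines the environment-variable check from the answer with the REMOTE_ADDR allowlist the question asks about, as an added example that is not part of the original question or answer. The function name may_run_job and the allowlist contents are hypothetical, the sample invocations are constructed, and PHP 7.1 or later is assumed.

```php
<?php
/**
 * Decide whether this invocation may run the job (hypothetical helper).
 * $sapi       PHP_SAPI; 'cli' when cron starts the script with the php binary
 * $envMarker  value of SCRIPT_RUN_ENV, false when the variable is unset
 * $remoteAddr $_SERVER['REMOTE_ADDR'] for web requests, null on the CLI
 * $allowed    addresses permitted to trigger the job over HTTP
 */
function may_run_job(string $sapi, $envMarker, ?string $remoteAddr, array $allowed): bool
{
    if ($sapi === 'cli') {
        // CLI run: require the marker set in the crontab. This only stops
        // accidental manual runs; any shell user can export the same variable.
        return $envMarker === 'cron';
    }
    // Web run: the environment marker is ignored. REMOTE_ADDR is the TCP peer
    // address seen by the web server, not a request header. Behind a reverse
    // proxy it is the proxy's address, so the allowlist must account for that.
    return $remoteAddr !== null && in_array($remoteAddr, $allowed, true);
}

// Constructed sample invocations: [sapi, env marker, remote address, expected]
$allowed = ['127.0.0.1', '::1'];
$cases = [
    ['cli',            'cron', null,          true],   // started from the crontab
    ['cli',            false,  null,          false],  // typed by hand, marker unset
    ['apache2handler', false,  '127.0.0.1',   true],   // local HTTP call made by cron
    ['apache2handler', 'cron', '203.0.113.9', false],  // remote visitor
];
foreach ($cases as [$sapi, $env, $addr, $expected]) {
    $got = may_run_job($sapi, $env, $addr, $allowed);
    if ($got !== $expected) {
        throw new LogicException("unexpected decision for $sapi");
    }
    printf("%-15s env=%-7s addr=%-12s => %s\n",
        $sapi, var_export($env, true), $addr ?? '-', $got ? 'run' : 'deny');
}

// Use at the top of the cron script, before any bootstrapping.
if (!may_run_job(PHP_SAPI, getenv('SCRIPT_RUN_ENV'), $_SERVER['REMOTE_ADDR'] ?? null, $allowed)) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(403);
    }
    echo "Program cannot be run manually\n";
    exit(1);
}
```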
