doc/md/Server-security.md

   1 ## php.ini
   2 PHP settings are defined in:
   3
   4 - a main configuration file, usually found under `/etc/php/$php_version/php.ini`; some distributions provide different configuration environments, e.g.
   5     - `/etc/php/$php_version/cli/php.ini` - used when running console scripts
   6     - `/etc/php/$php_version/apache2/php.ini` - used when a client requests PHP resources from Apache
   7     - `/etc/php/$php_version/php-fpm.conf` - used when PHP requests are proxied to PHP-FPM
   8 - additional configuration files/entries, depending on the installed/enabled extensions:
   9     - `/etc/php/conf.d/xdebug.ini`
  10
  11 ### Locate .ini files
  12 #### Console environment
  13 ```bash
  14 $ php --ini
  15 Configuration File (php.ini) Path: /etc/php
  16 Loaded Configuration File:         /etc/php/php.ini
  17 Scan for additional .ini files in: /etc/php/conf.d
  18 Additional .ini files parsed:      /etc/php/conf.d/xdebug.ini
  19 ```
  20
  21 #### Server environment
  22 - create a `phpinfo.php` script located in a path supported by the web server, e.g.
  23     - Apache (with user dirs enabled): `/home/myself/public_html/phpinfo.php`
  24     - `/var/www/test/phpinfo.php`
  25 - make sure the script is readable by the web server user/group (usually, `www`, `www-data` or `httpd`)
  26 - access the script from a web browser
  27 - look at the _Loaded Configuration File_ and _Scan this dir for additional .ini files_ entries
  28 ```php
  29 <?php phpinfo(); ?>
  30 ```
  31
  32 ## fail2ban
  33 `fail2ban` is an intrusion prevention framework that reads server (Apache, SSH, etc.) and uses `iptables` profiles to block brute-force attempts:
  34
  35 - [Official website](http://www.fail2ban.org/wiki/index.php/Main_Page)
  36 - [Source code](https://github.com/fail2ban/fail2ban)
  37
  38 ### Read Shaarli logs to ban IPs
  39 Example configuration:
  40 - allow 3 login attempts per IP address
  41 - after 3 failures, permanently ban the corresponding IP adddress
  42
  43 `/etc/fail2ban/jail.local`
  44 ```ini
  45 [shaarli-auth]
  46 enabled  = true
  47 port     = https,http
  48 filter   = shaarli-auth
  49 logpath  = /var/www/path/to/shaarli/data/log.txt
  50 maxretry = 3
  51 bantime = -1
  52 ```
  53
  54 `/etc/fail2ban/filter.d/shaarli-auth.conf`
  55 ```ini
  56 [INCLUDES]
  57 before = common.conf
  58 [Definition]
  59 failregex = \s-\s<HOST>\s-\sLogin failed for user.*$
  60 ignoreregex =
  61 ```
  62
  63 ## Robots - Restricting search engines and web crawler traffic
  64
  65 Creating a `robots.txt` with the following contents at the root of your Shaarli installation will prevent _honest_ web crawlers from indexing each and every link and Daily page from a Shaarli instance, thus getting rid of a certain amount of unsollicited network traffic.
  66
  67 ```
  68 User-agent: *
  69 Disallow: /
  70 ```
  71
  72 See:
  73
  74 - http://www.robotstxt.org
  75 - http://www.robotstxt.org/robotstxt.html
  76 - http://www.robotstxt.org/meta.html