
How to apply restrictions per virtualhost in apache

If you run Apache with mod_php (on most distributions that means the prefork MPM, because their PHP module builds are not thread-safe), PHP settings can be applied per virtualhost or per directory with the php_admin_value and php_admin_flag directives: resource limits such as memory_limit, open_basedir, or switching the PHP engine off entirely. Unlike php_value and php_flag, the php_admin_* forms cannot be overridden afterwards by .htaccess or ini_set(). Bear in mind that under mod_php every site's scripts execute as the same OS user (the httpd user), so these per-site settings are the only thing separating one site's PHP from another site's files. One setting is an exception: disable_functions is read by mod_php only from php.ini, so it cannot be changed per virtualhost this way.

Standard virtualhost example:

<VirtualHost *>
 DocumentRoot /home/tex/www/example.com
 ServerName example.com
 ServerAlias www.example.com
 ServerAdmin admin@example.com
 ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined
</VirtualHost>


Virtualhost with open_basedir restriction:

<VirtualHost *>
 DocumentRoot /home/tex/www/example.com
 ServerName example.com
 ServerAlias www.example.com
 ServerAdmin admin@example.com
 ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined
 php_admin_value open_basedir "/home/tex/www/example.com:/tmp:/usr/share/php:/var/lib/php5"
</VirtualHost>

open_basedir limits the files that PHP's own filesystem functions (include/require, fopen(), file_get_contents(), opendir() and the like) may touch. When a script names a file, PHP first resolves the path (symlinks are followed and ".." is collapsed) and then requires the result to lie inside one of the colon-separated directories; otherwise the call fails with a warning. Since PHP 5.2.16 and 5.3.4 each entry is a directory name; older versions treated it as a bare prefix, so "/home/tex/www/example.com" also admitted "/home/tex/www/example.com2", which a trailing slash on every entry avoids on any version. Three things it does not do: it does not restrict programs started with exec() and friends (which is why disable_functions is combined with it); it does not stop the sites configured this way from reading each other's session files and temporary uploads, because they all share /tmp and /var/lib/php5; and PHP's developers do not treat it as a hard security boundary (bypasses of open_basedir and disable_functions are not handled as security vulnerabilities). Treat it as defence in depth on top of a separate OS user per site, not as a substitute for one.
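The same virtualhost with the shared directories taken out of open_basedir. This is an added example, not the page's own configuration; it assumes a private directory /home/tex/php-private/example.com outside the DocumentRoot with sessions/, uploads/ and tmp/ subdirectories that exist and are writable by the httpd user (all of these paths are assumptions), and it adds a trailing slash to every entry so each is read as a directory on any PHP version:

```apache
<VirtualHost *>
 DocumentRoot /home/tex/www/example.com
 ServerName example.com
 ServerAlias www.example.com
 ServerAdmin admin@example.com
 ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined

 # Only this site's own trees plus the PEAR include directory: no /tmp and
 # no system-wide session directory, so scripts of other sites cannot read
 # this site's session files or uploads, and vice versa.
 php_admin_value open_basedir "/home/tex/www/example.com/:/home/tex/php-private/example.com/:/usr/share/php/"

 # Give the site its own session store, upload spool and temp directory
 # inside that basedir (assumed paths; create them outside the DocumentRoot,
 # writable by the httpd user only). sys_temp_dir needs PHP 5.5 or later.
 php_admin_value session.save_path "/home/tex/php-private/example.com/sessions"
 php_admin_value upload_tmp_dir "/home/tex/php-private/example.com/uploads"
 php_admin_value sys_temp_dir "/home/tex/php-private/example.com/tmp"

 # Debian-style builds ship session.gc_probability = 0 and clean only the
 # default session directory from cron; a private save_path needs PHP's own
 # garbage collection switched back on.
 php_admin_value session.gc_probability 1
</VirtualHost>
```

Two checks after reloading httpd: if upload_tmp_dir is not writable by the httpd user, PHP silently falls back to the system temp directory, so confirm the permissions; and verify the values from a script served by this virtualhost (phpinfo() or ini_get()) rather than from the php command line, because the CLI never reads httpd.conf.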


Virtualhost with open_basedir restriction and a list of disabled PHP functions. Caveat: under mod_php the disable_functions line does not do what it appears to. disable_functions is read once at module startup, which is why PHP documents it as settable only in php.ini and not in httpd.conf; a per-virtualhost php_admin_value is accepted but never applied, while the open_basedir line does take effect. To block the command-execution functions under mod_php, put the list in php.ini, where it applies to every site; a per-site list requires a separate PHP-FPM pool for each site. The list itself is also worth tidying: escapeshellarg() and escapeshellcmd() only escape strings and parse_ini_file() only reads files (already governed by open_basedir), whereas pcntl_exec(), if the pcntl extension is loaded, is missing from it.

<VirtualHost *>
 DocumentRoot /home/tex/www/example.com
 ServerName example.com
 ServerAlias www.example.com
 ServerAdmin admin@example.com
 ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined
 # No effect under mod_php: disable_functions is only read from php.ini at module startup
 php_admin_value disable_functions "exec,shell_exec,system,passthru,escapeshellcmd,escapeshellarg,proc_open,popen,parse_ini_file"
 php_admin_value open_basedir "/home/tex/www/example.com:/tmp:/usr/share/php:/var/lib/php5"
</VirtualHost>
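Because mod_php reads disable_functions only from php.ini, the way to get a per-site function blacklist is one PHP-FPM pool per site: php_admin_value[] lines in a pool file are applied when that pool's workers start, so each pool has its own list. The following pool file is an added example, not the page's configuration. It assumes PHP-FPM 7.x on a Debian-style layout; the pool file path, the socket path, the OS user tex and the private directory are assumptions. On the Apache side, mod_proxy and mod_proxy_fcgi (Apache 2.4.10 or later) must be loaded and the site's <VirtualHost> gets, in place of its php_admin_* lines, a <FilesMatch "\.php$"> block containing SetHandler "proxy:unix:/run/php/example.com.sock|fcgi://localhost/".

```ini
; /etc/php/7.4/fpm/pool.d/example.com.conf  (path assumed)
[example.com]
; Run this site's PHP as its own OS user. This is a real boundary between
; sites, which mod_php under prefork cannot provide because every site there
; runs as the httpd user; open_basedir then becomes defence in depth.
user = tex
group = tex

; Unix socket that the httpd user is allowed to connect to
listen = /run/php/example.com.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = ondemand
pm.max_children = 5

; Per-pool equivalents of the page's php_admin_value lines. disable_functions
; is honoured here because each pool is a separate PHP process with its own
; startup configuration.
php_admin_value[open_basedir] = /home/tex/www/example.com/:/home/tex/php-private/example.com/:/usr/share/php/
php_admin_value[disable_functions] = exec,shell_exec,system,passthru,proc_open,popen,pcntl_exec
php_admin_value[session.save_path] = /home/tex/php-private/example.com/sessions
php_admin_value[upload_tmp_dir] = /home/tex/php-private/example.com/uploads
php_admin_flag[expose_php] = off
```

After reloading PHP-FPM and httpd, confirm the restriction from a script served by that site: function_exists('exec') should be false, and a call to exec() should fail with a warning rather than run.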


Disabling PHP for a virtualhost, for example when the site is purely static. Note that with the engine off mod_php declines requests for .php files and httpd serves them as ordinary files, disclosing their source, so also deny access to *.php files in that tree:

<VirtualHost *>
 DocumentRoot /home/tex/www/example.com
 ServerName example.com
 ServerAlias www.example.com
 ServerAdmin admin@example.com
 ErrorLog ${APACHE_LOG_DIR}/example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/example.com-access_log combined
 php_admin_flag engine off
</VirtualHost>


On systems with multiple users, each user can be permitted to have a web site in their home directory using the UserDir directive (mod_userdir). Visitors to a URL such as http://www.example.com/~username/ will get content out of the home directory of the user "username", from the subdirectory named by the UserDir directive.


Example:

UserDir public_html


The PHP engine can also be switched off for every user directory at once, for instance on a university server. This matters because under mod_php a script in ~username runs as the httpd user, not as that user, so one user's vulnerable script can read whatever the httpd user can. If users do need PHP, the alternative is a <Directory> block per user carrying its own open_basedir.

<Directory "/home/*/public_html">
  php_admin_flag engine off
</Directory>
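The "engine off" settings above, for the static virtualhost and for the UserDir trees, with the missing piece added: when mod_php declines a request for a .php file, httpd's default handler sends the file's bytes, so the PHP source would be disclosed unless such requests are refused. This is an added example, not the page's configuration; the hostname static.example.com and its DocumentRoot are assumptions, and the Require syntax is Apache 2.4:

```apache
# Static site: no PHP at all, and no PHP source served either.
<VirtualHost *>
 DocumentRoot /home/tex/www/static.example.com
 ServerName static.example.com
 ErrorLog ${APACHE_LOG_DIR}/static.example.com-error_log
 CustomLog ${APACHE_LOG_DIR}/static.example.com-access_log combined

 # mod_php no longer handles PHP files in this virtualhost ...
 php_admin_flag engine off

 # ... so without this block httpd would serve any .php/.phtml/.phar file
 # in the tree as plain text. Refuse such requests outright.
 <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
  Require all denied
 </FilesMatch>
</VirtualHost>

# Same treatment for every UserDir tree (UserDir public_html).
<Directory "/home/*/public_html">
 php_admin_flag engine off
 <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
  Require all denied
 </FilesMatch>
</Directory>
```

On Apache 2.2 replace "Require all denied" with "Order deny,allow" followed by "Deny from all". Check with apachectl -t and then request a test .php file placed in the tree: the expected result is a 403, not the file's contents.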
Published in: Linux, Security