Mini Servers: Apache 2.2.9 PHP 5.2.6 Portable
Mini Servers: Compact but fully functional.
Mini Server 6 using Apache 2.2.9 and PHP 5.2.6 Core
This mini server packs a real punch; the trouble is it also packs a real disk hit, growing the server from 1MB to 6MB. However, adding the PHP 5.2.6 core greatly extends the server's power.
Hey, not much use without a MySQL server! So you have never considered a file database as an alternative? The support files include an excellent example: a guest book (version 1.7.2) from the DigiOz stable. It uses a single-file database, and the code is well commented and easy to follow. These chaps produce high quality open source software; their site is more than worth a visit, the forum is friendly, and their tutorials are worth checking out. I would like to thank Pete for his kind permission to use the DigiOz logo and to use the guest book as an example.
Note: Check the support files section for server download details.
Security
PHP applications do their work by interacting with the underlying programs (the web server, the file system, external commands, databases); if a security hole exists at one of those boundaries it can be exploited. Exploitation occurs when data supplied by a user reaches such a boundary unchecked, or when the script itself is malicious.
A well-written program like the guest book will have these holes plugged, but an application remains vulnerable if the server software leaves other security holes open. Security is a two-way street, which I attempt to cover later.
Anyway, I digress. Before looking at security issues, let's get the server up and running with PHP.
Specification
The server has the following specification:
- Server shall be portable
- Static HTML and Dynamic PHP pages shall be served.
- The server shall log all web requests.
- All unused modules shall be disabled.
Our mini server is intended to be small. In keeping with this philosophy only the PHP core is used; at 5MB it is relatively large, but small in comparison to the complete PHP package of 25MB.
If the basic core does not meet your requirements download the full PHP package and add extensions as required.
Configuring Apache
Starting from the configuration file of Mini Server 1a, very few changes are required; they are the directives listed below (highlighted in bold on the original page).
httpd.conf located in folder: *\udrive\usr\local\apache2\conf

Directive | Comment
---|---
LoadModule php5_module | Module required to handle PHP5 pages.
PHPIniDir | Informs PHP where to find the php.ini file. I found that without this line php.ini was still located correctly; however I recommend using it, otherwise PHP swans off looking in various locations (see Information below). The line guarantees the correct php.ini file is used: other servers or individual installations will place further php.ini files on your PC, resulting in conflicts.
DirectoryIndex | When a user requests only a folder name (for example fred.com) the index page is returned automatically. You can have more than one index page in the same folder with different file extensions; priority runs left to right, the first one in the list that exists is returned and the others are ignored. I have added index.php to this list.
Listen / ServerName | Moved the server port to 8086 to prevent clashing with other servers.
<Directory "/www"> | Directory block for the site root.
AddType | Maps a content-type to a file extension. Without this line .php pages are served unprocessed as plain text and reveal your PHP code.
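Pulling the rows together, here is an added example of the PHP-related part of httpd.conf as it would read on this server. It is not the file shipped in the download: the paths (/usr/local/php for the PHP files, /www for the site) and the port come from this page, the order of the DirectoryIndex entries and the Options -Indexes line are my assumptions, and ServerTokens/ServerSignature are the settings recommended under Security below.

```apache
# Added example, not the shipped httpd.conf. Assumes PHP was copied to
# /usr/local/php on the server's virtual drive and the site lives in /www.
Listen 8086
ServerName localhost:8086

# Hide version details from headers and error pages (see Security below)
ServerTokens Prod
ServerSignature Off

# Load the PHP 5 module for Apache 2.2 (php5apache2_2.dll, needs php5ts.dll)
LoadModule php5_module "/usr/local/php/php5apache2_2.dll"

# Pin php.ini so PHP never searches the locations listed under Information
PHPIniDir "/usr/local/php"

DocumentRoot "/www"
<Directory "/www">
    # -Indexes: no directory listings when no index page exists (my addition)
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# First match wins, left to right; index.php added for the PHP test sites
DirectoryIndex index.html index.htm index.php

# Without this mapping .php files are sent as plain text, revealing source
AddType application/x-httpd-php .php
```

After editing, restart the server and request a .php page: if the browser offers the file for download or shows the source, the AddType or LoadModule line has not taken effect.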
Information
Below is the search order PHP uses to locate its php.ini file. There is no real need to memorise this; just make sure to include a PHPIniDir directive in the Apache configuration file.
- SAPI module specific location:
  - PHPIniDir directive in Apache 2
  - -c command line option in CGI and CLI
  - php_ini parameter in NSAPI
  - PHP_INI_PATH environment variable in THTTPD
- The PHPRC environment variable (before PHP 5.2.0 this was checked after the registry key mentioned below)
- HKEY_LOCAL_MACHINE\SOFTWARE\PHP\IniFilePath (Windows registry location)
- Current working directory (for CLI)
- The web server's directory (for SAPI modules)
- Directory of PHP (on Windows)
- Windows directory (C:\windows or C:\winnt)
- --with-config-file-path compile time option
PHP - Core
Although our mini server only uses the PHP core, you need to download the full package to extract it (OK, I have included a core in the support files). Check the PHP site and download any newer version; having the full package also lets you install any extensions you require. On the other hand, perhaps you want to run an earlier version of PHP. The following outlines how to install PHP on our mini server.
Download site: php.net, http://www.php.net/downloads.php
We are not interested in installing PHP on our PC, hence download the zip package rather than the installer:
PHP 5.2.6 zip package [9,516Kb] - 3 May 2008 located in the “Windows Binaries” section
After downloading, unzip to any folder, locate the files php5apache2_2.dll, php5ts.dll and php.ini-recommended, and copy these to the mini server folder *\mini_server_6\udrive\usr\local\php
Rename the file php.ini-recommended to php.ini
Believe it or not, that's all there is to the installation process; all that remains is to modify the php.ini file.
php.ini
Open php.ini and have a read. Yep, it's not a bedtime classic; it's a long, confusing read. So what do you change? Surprisingly little. To get you up and running, the following table shows the lines that require changing:
Line | Setting (php.ini located in folder: *\mini_server_6\udrive\usr\local\php) |
---|---|
131 | short_open_tag = On |
149 | output_buffering = Off |
212 | allow_call_time_pass_reference = On |
229 | safe_mode_include_dir = ".;/usr/local/PHP/includes;/usr/local/PHP/pear" |
297 | expose_php = Off |
355 | error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT |
407 | track_errors = On |
431 | error_log = logs/logs.log |
455 | variables_order = "EGPCS" |
492 | magic_quotes_gpc = On |
495 | magic_quotes_runtime = Off |
498 | magic_quotes_sybase = Off |
525 | include_path = ".;/usr/local/PHP/includes;/usr/local/PHP/pear" |
537 | user_dir = "/www" |
541 | extension_dir = "/usr/local/PHP/extensions" |
598 | upload_tmp_dir = /tmp |
601 | upload_max_filesize = 10M |
757 | sendmail_from = me@localhost.com |
1045 | session.save_path = "/tmp/" |
1332 | soap.wsdl_cache_dir="/tmp" |
Note 1: Our mini server does not require the folders pear, includes or extensions; however, naming them in the ini file now makes it easier to add extensions or includes later.
To enable an extension, uncomment the appropriate extension= line in php.ini and remember to copy the corresponding dll into the extensions folder.
Note 2: Line 466 register_globals = Off is the default; keep it that way. There are security issues if you turn it on. Check out the included example site explaining why register_globals are evil.
Note 3: magic_quotes_gpc = On and allow_call_time_pass_reference = On are compatibility settings for older scripts; both are deprecated (PHP 5.3 warns, PHP 5.4 removes them), and magic_quotes_gpc is no substitute for escaping or parameterised queries in your own code, so do not let it lull you into skipping them.
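To make Note 2 concrete, here is an added example (not code from the page or the DigiOz guest book) of the classic register_globals bypass and its fix. The request parameters, the password and the extract() call that stands in for register_globals = On are all constructed so the script runs the same on any PHP build whatever the setting.

```php
<?php
// Added example, not code from the page or the DigiOz guest book: the
// classic register_globals bypass. With register_globals = On, PHP turns
// every request parameter into a global variable before your first line
// runs. The extract() call below simulates that on a constructed request,
// so the script behaves the same on any PHP build regardless of the
// setting and you can see both halves side by side.

$_GET  = array('authorised' => '1');   // constructed attacker request: ?authorised=1
$_POST = array();                      // no password was submitted at all
extract($_GET);                        // stand-in for register_globals = On

// Vulnerable: $authorised is only ever assigned on success and is never
// initialised, so a value planted by the request survives into the test.
// With register_globals = Off an undefined $authorised would at least raise
// a notice, and the page's error_reporting (E_ALL & ~E_NOTICE) hides that too.
if (isset($_POST['password']) && $_POST['password'] === 'secret') {   // 'secret' is a constructed password
    $authorised = true;
}
$vulnerableView = $authorised ? 'admin page' : 'login form';

// Hardened: initialise every variable you test, and read input only from
// the superglobal you mean. register_globals cannot pre-set a variable
// that the script assigns before using.
$authorised = false;
if (isset($_POST['password']) && $_POST['password'] === 'secret') {
    $authorised = true;
}
$hardenedView = $authorised ? 'admin page' : 'login form';

echo "vulnerable: $vulnerableView\n";
echo "hardened:   $hardenedView\n";
```

The first branch grants the attacker the admin page with no password at all; the second does not. The same discipline (initialise, then read explicitly from $_GET, $_POST or $_COOKIE) is what makes a script safe even on a host where you cannot control php.ini.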
Testing
- Start the server by double clicking on server_start.bat
- Type http://localhost:8086 into your browser address bar.
- Check the test site runs; this confirms the server is working.
- Close the server using server_stop.bat
Security
When testing you need as much information as possible; however, when you put your server on-line it is best to restrict what you make public. Restrict public information:
Make sure the following are set in the Apache configuration file:
- ServerTokens Prod – Prevents exposing server information makes it a little more difficult for automated attacks, which scan for vulnerable versions of Apache or its modules.
- ServerSignature Off - Suppresses the error line which exposes the server version number, virtual host ServerName, "mailto:" reference to the ServerAdmin
Make sure the following are set in the PHP configuration file:
- expose_php = Off – Stops PHP announcing in every response (the X-Powered-By header) that PHP is handling the request and which version is installed; this makes it a little more difficult for automated attacks.
If you download the mini server, on the index page you will find a link named PHP info; this runs a page containing a small script:
info.php located in folder www:
<?php phpinfo(); ?>
Delete the file info.php before you put your server on-line it exposes your PHP configuration and detailed server information.
Note: You can disable the function by setting this line in the php.ini configuration file: disable_functions = "phpinfo"
The above are not real security measures; they just provide a little fence to be jumped when a script kiddie wants to play.
Disable functions
I previously mentioned: don't install what you do not use; by the same logic, disable all functions you do not use. Doing that exhaustively is impractical, however there are a number of system functions that should be disabled:
Function | Description
---|---
phpinfo | Outputs information about PHP's configuration
dir | Return an instance of the Directory class
virtual | Perform an Apache sub-request
popen | Opens process file pointer
pclose | Closes process file pointer
putenv | Sets the value of an environment variable
dl | Loads a PHP extension at runtime
exec | Execute an external program
shell_exec | Execute command via shell and return the complete output as a string
system | Execute an external program and display the output
passthru | Execute an external program and display raw output
proc_open | Execute a command and open file pointers for input/output
proc_terminate | Kills a process opened by proc_open
proc_get_status | Get information about a process opened by proc_open()
proc_close | Close a process opened by proc_open() and return the exit code of that process
pfsockopen | Open persistent Internet or Unix domain socket connection
pcntl_exec | Executes specified program in current process space
apache_child_terminate | Terminate the Apache process after this request
posix_kill | Send a signal to a process
posix_mkfifo | Create a fifo special file (a named pipe)
posix_setpgid | Set process group id for job control
posix_setsid | Make the current process a session leader
posix_setuid | Set the UID of the current process
escapeshellcmd | Escape shell metacharacters
escapeshellarg | Escape a string to be used as a shell argument
readfile | Reads a file and writes it to the output buffer
ini_alter | Alias of ini_set()
parse_ini_file | Parse a configuration file
show_source | Alias of highlight_file()
curl_exec | Perform a cURL session
Your disable_functions line will look like this:
disable_functions = "phpinfo, dir, virtual, popen, pclose, putenv, dl, exec, shell_exec, system, passthru, proc_open, proc_terminate, proc_get_status, proc_close, pfsockopen, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, readfile, ini_alter, parse_ini_file, show_source, curl_exec"
Backticks are dangerous: when scanning a line of code they are easily confused with a single quote. Whatever sits between backticks is passed to the system shell as a command; never let user input reach it.
Note: The backtick operator is an alias for shell_exec(); when shell_exec() is disabled, backticks are disabled too.
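What "never let user input reach it" looks like in practice, as an added example that is not code from the page or the guest book: the vulnerable pattern beside a whitelist that refuses anything shell-shaped. Nothing is executed; the functions only build the string the backtick operator would hand to cmd.exe, so the file is safe to run even with shell_exec disabled. The host names and the php.ini path in the attack string are constructed.

```php
<?php
// Added example, not code from the page or the DigiOz guest book: how user
// input reaches the shell through backticks, and the whitelist that stops
// it. Nothing is executed here; shellLineVulnerable() only builds the string
// that `ping -n 1 $host` would hand to cmd.exe.

// Vulnerable pattern: a request parameter interpolated inside backticks,
//     $out = `ping -n 1 $_GET['host']`;
// On Windows the shell treats & | && || as command separators, so a host of
// "127.0.0.1 & type \usr\local\php\php.ini" runs a second command of the
// attacker's choosing with the web server's privileges.
function shellLineVulnerable($host)
{
    return "ping -n 1 $host";
}

// Hardened: accept only a hostname-shaped value and reject everything else
// before it gets anywhere near a shell (better still, never use a shell).
function isSafeHostname($host)
{
    if (strlen($host) > 253) {
        return false;
    }
    // Labels of letters, digits and hyphens separated by dots. Spaces,
    // quotes, & | ; $ backticks and newlines cannot pass this pattern.
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

function shellLineHardened($host)
{
    if (!isSafeHostname($host)) {
        return false;                   // refuse, log it, show a generic error
    }
    return 'ping -n 1 ' . $host;
}

// Constructed inputs: one benign, one carrying a second command
$inputs = array('localhost', '127.0.0.1 & type \usr\local\php\php.ini');

foreach ($inputs as $host) {
    echo "input:      $host\n";
    echo "vulnerable: " . shellLineVulnerable($host) . "\n";
    $safe = shellLineHardened($host);
    echo "hardened:   " . ($safe === false ? 'REJECTED' : $safe) . "\n\n";
}
```

The whitelist is the important half: validating with a strict pattern of what is allowed beats trying to strip the characters you think are dangerous. If a command really is unavoidable, pass each value through escapeshellarg() as well, but on this server the exec family is disabled and a PHP built-in such as gethostbyname() or fsockopen() does the job without a shell.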
The php.ini shipped with this server already carries the other functions; you need to edit it to add phpinfo. When disabling functions be careful that you don't break any features you need, hence always test. Bear in mind that disable_functions only removes the names you list: dir still leaves opendir(), scandir() and glob(), and readfile still leaves fopen() and file_get_contents(), so the list is a deterrent against specific functions, not a sandbox. Disabling the exec family is what actually closes the shell.
That completes plugging the server holes; however, what I have covered does not guarantee the server is one hundred percent secure. Think of the above as a pointer: it provides the search terms you should be using when researching how to harden your server further. I mentioned it's a two-way street: any application must also be hardened, which I cover on the next page.
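Before calling the server plugged, it is worth confirming that the settings above reached the running interpreter rather than some other php.ini. The script below is an added example, not part of the mini server download; it reports the php.ini in use, the settings this page says must be Off, and whether a sample of the functions from the disable_functions line are really gone. The two settings marked "extra" (display_errors, allow_url_include) are not on this page and are my additions.

```php
<?php
// Added example, not part of the mini server download: a check that the
// php.ini hardening described on this page reached the running interpreter.
// Put it in www, request it once through the server, then delete it, just
// as you delete info.php. The two settings marked "extra" are not on this
// page; they are my additions and worth confirming on a public server.
header('Content-Type: text/plain');

// ini_get() returns "" or "0" for Off and "1" (or the literal word used in
// php.ini) for On, so normalise before comparing.
function iniIsOn($name)
{
    $value = strtolower(trim((string) ini_get($name)));
    return in_array($value, array('1', 'on', 'true', 'yes'), true);
}

// Settings this page says must be Off
$mustBeOff = array(
    'register_globals',
    'expose_php',
    'display_errors',      // extra: error text belongs in the log, not the page
    'allow_url_include',   // extra: blocks include() of remote URLs
);

// A sample of the functions the page's disable_functions line removes.
// function_exists() and is_callable() return false for a function disabled
// that way, so "callable" here means the setting did not take effect.
$mustBeDisabled = array(
    'phpinfo', 'exec', 'shell_exec', 'system', 'passthru',
    'popen', 'proc_open', 'dl', 'putenv', 'pfsockopen',
);

$problems = array();
foreach ($mustBeOff as $setting) {
    if (iniIsOn($setting)) {
        $problems[] = "$setting is On";
    }
}
foreach ($mustBeDisabled as $fn) {
    if (function_exists($fn)) {
        $problems[] = "$fn() is still callable";
    }
}
if (trim((string) ini_get('disable_functions')) === '') {
    $problems[] = 'disable_functions is empty';
}

// Confirms PHPIniDir pointed at the file you edited (php_ini_loaded_file()
// exists from PHP 5.2.4, so it is available on this server's 5.2.6).
$iniFile = php_ini_loaded_file();
echo 'php.ini in use: ' . ($iniFile === false ? '(none found)' : $iniFile) . "\n";

if (count($problems) === 0) {
    echo "All checks passed.\n";
} else {
    echo count($problems) . " problem(s):\n";
    foreach ($problems as $p) {
        echo " - $p\n";
    }
}
```

If the reported php.ini path is not the one under usr\local\php, PHP found a different file through the search order listed under Information and your PHPIniDir line needs attention. Because the backtick operator follows shell_exec(), a "shell_exec() is still callable" line also means backticks still work.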
Support files
Each mini server is complete and zipped into a single self-extracting archive file.
Download
Download this server from the SourceForge Project Page and save the file mini_server_6.exe to any folder of your choice.
Note: Check out the mini server's support and download page detailing how to obtain full binaries for Apache and PHP.
Extract files
Double click on mini_server_6.exe to start the extraction process.
No need to change the folder destination, click extract, this creates a new folder mini_server_6 containing the following:
Test
Testing is straight forward.
- Start the server by double clicking on server_start.bat (automatically detects free drive letter creates new virtual drive and runs the server.)
- Start a web browser.
- Type http://localhost:8086/ into the browser address bar.
- An index page is displayed; check out the test sites MPG1, MPG2 and guestbook.
- Stop the server by double clicking on server_stop.bat
Your web site
Open the folder www located in *\mini_server_6\udrive\www (where * is the path to the folder you extracted the server files to), delete everything in www and copy your site into it.
Note: Make sure one of your pages in folder www is named index.html, index.htm or index.php, otherwise you will need to type a page name in every time to access your site.
e.g. http://localhost:8086/somepage.html
Change Virtual Drive
The server automatically detects the first free drive letter and uses that to run the server on. You can override this in one of two ways:
- Start the server using a drive parameter for example: server_start.bat z this forces the server to use drive z
- Edit server_start.bat, locate the following line:
rem set Disk=w
Remove the rem and replace w with the letter you want to use for example:
set Disk=x Forces the server to use drive letter x
Change server default port
- Open file: httpd.conf (Located in folder: \mini_server_6\udrive\usr\local\apache2\conf)
- Locate the lines:
Listen 8086
ServerName localhost:8086 - Change to:
Listen 8080
ServerName localhost:8080
This moves the server to port 8080, the conventional alternative HTTP port.
Note: Type http://localhost:8080 into a browser to view the site.
If that port is already in use, try any free value above 2000.
Multi Servers
If you wish to run several mini servers at the same time create a new folder for each server and copy contents of mini_server_6 into each of these.
Change the server port for each server to be unique. The servers may be started in any order.
Note: You can run the mini servers alongside Uniform Server 3.5-Apollo however you must start Uniform Server first.
Summary
This mini server is ideal for learning PHP; its compact size allows you to have several copies installed on a USB pen drive, each with different test applications. I have covered how to secure the server and PHP; in the real world you must also pay attention to securing your PHP scripts. Included with the support files is a guest book script that demonstrates some of the techniques used.
When you change the script's configuration file hopefully you will notice there is a fundamental problem; on the next page I show how to resolve this and, in addition, cover some defensive programming.
Ric