[PHP] How to limit source IP in PHP
Is there a way to force a PHP script to bind to a prefixed IP? Actually, while you can assign more IPs to Apache for listening, assigning domains to specific IPs, it looks like any PHP script can freely choose which IP to bind. Instead I'd love some domains are permitted to open connections only from the domain IP. In FreeBSD I do it easily, setting up dedicated jails for domains. But how to do it simply using PHP on Linux? Regards, Tonino Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati) wrote: > > Is there a way to force a PHP script to bind to a prefixed IP? > > Actually, while you can assign more IPs to Apache for listening, assigning > domains to specific IPs, it looks like any PHP script can freely choose > which IP to bind. Instead I'd love some domains are permitted to open > connections only from the domain IP. > > In FreeBSD I do it easily, setting up dedicated jails for domains. But how > to do it simply using PHP on Linux? > > Regards, > > Tonino > > > Inter@zioniInterazioni di Antonio Nati >http://www.interazioni.it to...@interazioni.it > > 1) Use Listen in Apache 2) Use VM such as KVM, VMWare, etc. 3) Make an array containing permissible domains. Check the $_SERVER['SERVER_NAME'] if exists in that array. React/respond accordingly. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
Il 12/09/2012 16:08, Tommy Pham ha scritto: On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati) wrote: Is there a way to force a PHP script to bind to a prefixed IP? Actually, while you can assign more IPs to Apache for listening, assigning domains to specific IPs, it looks like any PHP script can freely choose which IP to bind. Instead I'd love some domains are permitted to open connections only from the domain IP. In FreeBSD I do it easily, setting up dedicated jails for domains. But how to do it simply using PHP on Linux? Regards, Tonino Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it 1) Use Listen in Apache 2) Use VM such as KVM, VMWare, etc. 3) Make an array containing permissible domains. Check the $_SERVER['SERVER_NAME'] if exists in that array. React/respond accordingly. 1) is only for listening. 2) means a VPS for each domain, which we already do with vmware and FreeBSD jails, but it is too expensive for some customers. 3) means I'm writing the script, which is not the standard situation. You must suppose the script to be written from a malicious user in a shared environment. Is PHP able to 'force' binding IP? I hoped there was an external directive I did not see, but probably this is a PHP lack. Regards, Tonino -- Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
On Wed, Sep 12, 2012 at 10:18 AM, Tonix (Antonio Nati) wrote: > > Is PHP able to 'force' binding IP? I hoped there was an external directive I > did not see, but probably this is a PHP lack. Not at all. Essentially, PHP is an interface to underlying software, OS commands, and APIs. You'd have to configure the system to bind requests, as PHP does not presently have that capability (and, to my knowledge, there's no plan to change that). -- Network Infrastructure Manager http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
Il 12/09/2012 17:21, Daniel Brown ha scritto: On Wed, Sep 12, 2012 at 10:18 AM, Tonix (Antonio Nati) wrote: Is PHP able to 'force' binding IP? I hoped there was an external directive I did not see, but probably this is a PHP lack. Not at all. Essentially, PHP is an interface to underlying software, OS commands, and APIs. You'd have to configure the system to bind requests, as PHP does not presently have that capability (and, to my knowledge, there's no plan to change that). So, the answer is no, PHP is not able to do that. There is an (heavy) BASEDIR directive for disk, but nothing equivalent (and simpler) for IP. Regards, Tonino -- Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
On Wed, Sep 12, 2012 at 7:18 AM, Tonix (Antonio Nati) wrote: > Il 12/09/2012 16:08, Tommy Pham ha scritto: > >> On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati) >> wrote: >>> >>> Is there a way to force a PHP script to bind to a prefixed IP? >>> >>> Actually, while you can assign more IPs to Apache for listening, >>> assigning >>> domains to specific IPs, it looks like any PHP script can freely choose >>> which IP to bind. Instead I'd love some domains are permitted to open >>> connections only from the domain IP. >>> >>> In FreeBSD I do it easily, setting up dedicated jails for domains. But >>> how >>> to do it simply using PHP on Linux? >>> >>> Regards, >>> >>> Tonino >>> >>> >>> Inter@zioniInterazioni di Antonio Nati >>> http://www.interazioni.it to...@interazioni.it >>> >>> >> 1) Use Listen in Apache >> 2) Use VM such as KVM, VMWare, etc. >> 3) Make an array containing permissible domains. Check the >> $_SERVER['SERVER_NAME'] if exists in that array. React/respond >> accordingly. >> > > 1) is only for listening. > 2) means a VPS for each domain, which we already do with vmware and FreeBSD > jails, but it is too expensive for some customers. > 3) means I'm writing the script, which is not the standard situation. > > You must suppose the script to be written from a malicious user in a shared > environment. > > Is PHP able to 'force' binding IP? I hoped there was an external directive I > did not see, but probably this is a PHP lack. > > Regards, > > Tonino > > > -- > > Inter@zioniInterazioni di Antonio Nati >http://www.interazioni.it to...@interazioni.it > > 2) Previously you've mentioned that you were able to do that in FreeBSD jails. IIRC, the jails are similar to VMs in regards to isolating of environment and dedicated IP for that environment. It seems that you want something that is equivalent of jails and VM but not actual VM/jails. Are you referring to 1 application with one installed point but is used in multiple virtual domains and expect the application to act/respond accordingly to the requests for each virtual domain? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
On Wed, Sep 12, 2012 at 11:38 AM, Tonix (Antonio Nati) wrote: > > So, the answer is no, PHP is not able to do that. > There is an (heavy) BASEDIR directive for disk, but nothing equivalent (and > simpler) for IP. That's correct. However, that doesn't mean you can't put in a feature request at https://bugs.php.net/ to see if it can be included in a future release. -- Network Infrastructure Manager http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP array unions
Hi, In PHP the array is in fact a hash map, but especially it is _used_ for nearly everything map-, set-, ...-like thing. So in short: The is no operator or built-in function, that merges two arrays _and_ treat them as set (instead of the hashmap, what they are). Your solution is the way to go. Regards, Sebastian Am 12.09.2012 17:10, schrieb Adam Richardson: Hi! So, PHP has the '+' array operator, which forms the union of arrays, but it does so by key. What I'm looking for is a function that forms the union of arrays based on value. Currently, I use code like the following: array_unique(array_merge($array1, $array2, $array3)); This is useful to me because I tend to program using functional programming principles. Just want to make sure I'm not missing a core function that already does this. If there's not a core function, I might just build an array_union extension because the functionality is so common in my codebases. Thanks, Adam -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to limit source IP in PHP
Il 12/09/2012 17:52, Tommy Pham ha scritto: On Wed, Sep 12, 2012 at 7:18 AM, Tonix (Antonio Nati) wrote: Il 12/09/2012 16:08, Tommy Pham ha scritto: On Wed, Sep 12, 2012 at 6:53 AM, Tonix (Antonio Nati) wrote: Is there a way to force a PHP script to bind to a prefixed IP? Actually, while you can assign more IPs to Apache for listening, assigning domains to specific IPs, it looks like any PHP script can freely choose which IP to bind. Instead I'd love some domains are permitted to open connections only from the domain IP. In FreeBSD I do it easily, setting up dedicated jails for domains. But how to do it simply using PHP on Linux? Regards, Tonino Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it 1) Use Listen in Apache 2) Use VM such as KVM, VMWare, etc. 3) Make an array containing permissible domains. Check the $_SERVER['SERVER_NAME'] if exists in that array. React/respond accordingly. 1) is only for listening. 2) means a VPS for each domain, which we already do with vmware and FreeBSD jails, but it is too expensive for some customers. 3) means I'm writing the script, which is not the standard situation. You must suppose the script to be written from a malicious user in a shared environment. Is PHP able to 'force' binding IP? I hoped there was an external directive I did not see, but probably this is a PHP lack. Regards, Tonino -- Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it 2) Previously you've mentioned that you were able to do that in FreeBSD jails. IIRC, the jails are similar to VMs in regards to isolating of environment and dedicated IP for that environment. It seems that you want something that is equivalent of jails and VM but not actual VM/jails. Are you referring to 1 application with one installed point but is used in multiple virtual domains and expect the application to act/respond accordingly to the requests for each virtual domain? Yes, I'm thinking of a low cost shared WEB hosting for people which has limited needs and don't want to spend more for a VM or a jail. In this environment, a well tailored su-exec, with different UID and group for each user, makes an excellent job for protecting disk areas, so the unique point which remains uncovered is to limit network access: * if you have internal interfaces in the same machine where you have public IPs, a web PHP application could try to use the internal address of the interface, exploring internal network (we avoid that thanks to jails). * if apache listens on a specific IP for a single domain, and listens on other IPs for others domains, it would be safe if each domain can use as source IP only the listening IP associated. In our specific case, we always use jails, so each apache is always within a jail and cannot explore other interfaces. When customers ask for dedicated IP, we setup another jail, but that means also one apache server for each domain, and it is justified only for big websites. So, it would be nice if it could exist something which could force a specific source IP or could force to use the listening IP (or both options), on any network binding operation. Of course a script could use external commands (like ping ot telnet) and escape this check, so we don't have complete security, unless we disable any network tool... but it would be a good start. Regards, Tonino -- Inter@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
