Tuesday, February 3, 2015

apache 2.2 - How to allow PHP outgoing connections only to specific server?



On a Red Hat-based host running a fairly recent Apache and PHP 5.2, we are using the solr-php-client library to connect to an external Solr server. This library requires the PHP directive allow_url_fopen to be enabled. Therefore, I would like to disable outgoing PHP connections via iptables, other than connections to the necessary server.




Googling for an appropriate iptables rule leads down many wrong paths. What rule would allow PHP to connect via CURL or fopen() to a specific server, but no other?



Thank you.


Answer



How about using an iptables rule that filters not only on the destination address/port but also on the source user?



# Keep replies to already-accepted connections (including inbound HTTP sessions) flowing.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow the Apache worker user to open TCP/80 connections to the Solr host only.
iptables -A OUTPUT -m owner --uid-owner uidForYourApacheUser -p tcp --dport 80 -d yourServerIp -j ACCEPT
# Refuse any other TCP/80 connection the Apache worker user originates (other ports and protocols are not covered by this rule).
iptables -A OUTPUT -m owner --uid-owner uidForYourApacheUser -p tcp --dport 80 -j REJECT



If needed you can use su-php to run just your solr scripts under a different UID than your Apache.
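The owner-match approach from the answer, generalized as an added example (not part of the original answer): it builds the OUTPUT rules for one Unix user against a list of allowed host:port destinations and ends with a catch-all REJECT for that user, so every port and protocol is covered, not just TCP/80. The user name "apache" and the destination 10.0.0.5:8983 in the usage comment are placeholder values, and the check function works on the text of `iptables -S OUTPUT` so it can be tested without root.

```shell
#!/bin/sh
# Added example: generate (not run) an iptables OUTPUT rule set that lets one
# Unix user reach only the listed destinations and rejects everything else
# that user originates. Print-then-review keeps the change auditable;
# apply with:  gen_php_egress_rules apache "10.0.0.5:8983" | sh
# (user name, host and port above are placeholders, not from the original post)

# gen_php_egress_rules OWNER "HOST:PORT[ HOST:PORT ...]"
# OWNER may be a numeric UID or a user name; -m owner accepts both.
gen_php_egress_rules() {
    owner=$1
    allowed=$2
    # Replies to connections already accepted (including inbound HTTP) stay open.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Loopback traffic (e.g. a local cache or database socket) is left alone.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # One explicit ACCEPT per permitted destination for this user only.
    for dest in $allowed; do
        host=${dest%:*}
        port=${dest##*:}
        echo "iptables -A OUTPUT -m owner --uid-owner $owner -p tcp -d $host --dport $port -j ACCEPT"
    done
    # Default for this user: refuse all other protocols and ports with an
    # immediate ICMP error, so PHP fails fast instead of hanging as with DROP.
    echo "iptables -A OUTPUT -m owner --uid-owner $owner -j REJECT --reject-with icmp-admin-prohibited"
}

# check_catch_all RULES_TEXT OWNER
# Given the output of `iptables -S OUTPUT`, return 0 only if the user's
# catch-all REJECT is present, i.e. the egress policy is actually closed.
check_catch_all() {
    printf '%s\n' "$1" | grep -q -- "--uid-owner $2 -j REJECT"
}
```

Run `gen_php_egress_rules` with the Apache worker's user and verify the live table afterwards with `check_catch_all "$(iptables -S OUTPUT)" apache`.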

