How to configure Suhosin php module
Step 1: Installing the Hardened-PHP Project Signaturekey
You should first grab a copy of the Hardened-PHP Project's Release Signaturekey and import it into your GNU Privacy Guard keychain. (For further information on the usage of gnupg, please consult its manpage.)
#> gpg --import < hardened-php-signature-key.asc
gpg: /root/.gnupg/trustdb.gpg: trust-db erzeugt
gpg: key 0A864AA1: public key "Hardened-PHP Signature Key" imported
gpg: Anzahl insgesamt bearbeiteter Schlüssel: 1
gpg: importiert: 1
Step 2: Downloading and verifying the necessary files
It is now time to grab a copy of a fresh PHP tarball and the latest version of the Suhosin-Patch. Additionally you should get the digital signature (*.sig) files. You can grab all of this on our suhosin download page.
As a first precaution you can check the MD5 hashes of the downloaded files against those you find on the download page.
#> md5sum php-5.1.4.tar.bz2
66a806161d4a2d3b5153ebe4cd0f2e1c php-5.1.4.tar.bz2
#> md5sum suhosin-patch-5.1.4-0.9.0.patch.gz
ea9026495c4ce34a329fd0a87474f1ba suhosin-patch-5.1.4-0.9.0.patch.gz
When the MD5 hash values are valid you can check the digital signatures like this.
#> gpg php-5.1.4.tar.bz2.sig
gpg: Signature made Di 16 Mai 2006 23:39:04 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
#> gpg suhosin-patch-5.1.4-0.9.0.patch.gz.sig
gpg: Signature made So 21 August 2006 20:02:53 CEST using DSA key ID 0A864AA1
gpg: Good signature from "Hardened-PHP Signature Key"
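The two checks from Step 2 as one fail-closed script, added here as an example and not part of the Hardened-PHP Project's instructions. It pins the signing key by full fingerprint instead of the short key ID, because gpg reports a good signature for any key present in the keyring; the function names and PINNED_FPR are assumptions of this example, and the fingerprint value is a constructed placeholder.

```shell
#!/bin/sh
# Constructed placeholder: replace with the full fingerprint of the release
# key, obtained over a channel you trust (not the short ID 0A864AA1).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_md5 FILE EXPECTED_HEX
# Succeeds only if FILE is readable and its MD5 digest equals EXPECTED_HEX.
check_md5() {
    actual=$(md5sum "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# sig_status_ok FINGERPRINT
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint (signing key or primary key) and no line
# reports a bad, expired or revoked signature.
sig_status_ok() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(valid && !bad) }
    '
}

# verify_release FILE EXPECTED_MD5 FINGERPRINT
# Expects the detached signature at FILE.sig; any failure returns non-zero.
verify_release() {
    check_md5 "$1" "$2" || { echo "MD5 mismatch: $1" >&2; return 1; }
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
        | sig_status_ok "$3" \
        || { echo "no valid signature from pinned key: $1" >&2; return 1; }
}

# Typical use, with the hash shown on this page:
# verify_release php-5.1.4.tar.bz2 66a806161d4a2d3b5153ebe4cd0f2e1c \
#     "$PINNED_FPR" && tar -xjf php-5.1.4.tar.bz2
```

The MD5 value only catches a damaged download, since it comes from the same page as the file; the signature check against the pinned key is what detects a replaced tarball.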
Step 3: Unpacking and Patching
You now have to unpack the PHP tarball, gunzip the patchfile and then apply the patch.
#> tar -xjf php-5.1.4.tar.bz2
#> gunzip suhosin-patch-5.1.4-0.9.0.patch.gz
#> cd php-5.1.4
#> patch -p 1 -i ../suhosin-patch-5.1.4-0.9.0.patch
If you prefer to have suhosin as a built-in extension you can also download the suhosin extension source code and copy the src files into the ext/suhosin directory within your PHP source tree.
Installing on a Generic Linux/Unix
After having prepared the PHP source tree the next step is not much different from the usual installation of PHP. If you have copied the suhosin extension into the ext directory you also have to activate it.
#> [./buildconf - in case you want to compile suhosin statically]
#> ./configure --with-whatever-you-want [--enable-suhosin]
#> make
#> make test
#> make install
By executing make test you can verify that PHP still works and that the patch does not break anything.
If you are upgrading from a previous installation of PHP you do not need to recompile all installed PHP modules and extensions unless you are upgrading to a PHP version that breaks binary compatibility. However, recompiling the extensions after having installed PHP with the Suhosin-Patch can protect them from possible format string vulnerabilities, because this protection is built into the header files.
After having recompiled and installed everything, have a look at the bundled php.ini files for examples of how to use the new configuration directives. For documentation of the new directives consult the Configuration section.
Binary extensions, for example from Zend, should continue to work flawlessly. If you encounter any problem contact us immediately.
Installing the Extension
Unlike the Hardening-Patch for PHP, nearly all of Suhosin's features are within the extension. Therefore you might want to install only the extension and use a plain unpatched PHP. Depending on the system we might already offer binary packages. You can check our Suhosin Downloads page. In that case you only need to activate the extension inside your php.ini and maybe add Configuration directives if you are not satisfied with the default values.
Before you continue compiling the Suhosin-Extension you should verify the file integrity. Please check the preparation section of this guide. The next step is unpacking the extension tarball and performing the usual compilation steps for PHP extensions.
#> cd suhosin
#> phpize
#> ./configure
#> make
#> make install
This should install suhosin in the correct extension directory. The final step is adding a load directive to php.ini
extension=suhosin.so
and optionally add some Configuration directives in case you do not like the default values.
Special Instructions
Some distributions already come with Suhosin source or binary packages. Here is a small overview of how to install Suhosin on these distributions.
Installing on Gentoo
Installing and using Suhosin on Gentoo is very easy. At the moment the Suhosin patches and extensions are only available in the external PHP Overlay, and not yet in the Portage tree. You can expect them to also be available in the main Portage tree during October 2006. Let’s install the PHP Overlay then:
#> emerge layman
#> layman -f
#> layman -a php-testing
Now let’s install PHP with the Suhosin patch and extension:
#> echo "dev-lang/php" >> /etc/portage/package.keywords
(unstable version needed)
#> USE="suhosin" emerge =php-4*
(for PHP4; use =php-5* for PHP5)
(NOTE: you cannot also have the "hardenedphp" USE flag enabled at the same time!)
That’s it, your PHP on Gentoo is now running with the Suhosin patch enabled, and the Suhosin extension was automatically installed (from the dev-php{4,5}/suhosin package).
Installing on FreeBSD
The Suhosin-Patch and the Suhosin extension are both within the FreeBSD ports. Therefore installing it on FreeBSD is very simple. The Suhosin-Patch is an option which you can choose when you install the lang/php4 or lang/php5 port. To install the patch just do
#> cd /usr/ports/lang/php5
#> make
... now select the menu item that says: Enable Suhosin Protection
#> make install
To install the extension just do
#> cd /usr/ports/security/php-suhosin
#> make
#> make install
After these simple steps Suhosin-Patch is successfully installed on your system.
Upgrading
Upgrading to a new PHP or new Suhosin-Patch version is almost identical to the normal installation process, just like upgrading a normal PHP. That means, if the binary compatibility was broken between PHP versions you have to recompile all installed PHP modules/extensions. Upgrading the Suhosin-Extension on the other hand is as simple as recompiling it (or using a binary), replacing the file and restarting your webserver.
Use PHP, GD and .htaccess to Watermark All Images in a Directory
The goal here is to watermark all images in a certain directory, except for thumbnails or some other selection. You could do this to each file before placing it on your webserver, which is probably wise for CPU load reasons, but let’s just say you want to do this dynamically for all files served from a single directory, a gallery for example.
The first step is to create a .png file with transparency which holds your watermark image. For this exercise, I’ve created this image:

(I’ve added the border to make the image stand out from the background of the page).
Here is the original image we are going to test with:

After we have our watermark and sample image, we need to write a php file to use PHP’s GD function to apply this image to our original image. The particular function we use is imagecopy(). Here is the code I am using, I name it w.php:
<?php
// Directory that holds the gallery images and the watermark file.
$basedir = "/home/user/public_html/com/gallery/";
$watermarkimage = "tbwm.png";
// basename() drops any directory part, so the request cannot leave $basedir.
$file = basename($_GET['i']);
$image = $basedir."/".$file;
$watermark = $basedir."/".$watermarkimage;
$im = imagecreatefrompng($watermark);
// Choose the GD loader from the last three characters of the filename.
$ext = substr($image, -3);
if (strtolower($ext) == "gif") {
    if (!$im2 = imagecreatefromgif($image)) {
        echo "Error opening $image!"; exit;
    }
} else if (strtolower($ext) == "jpg") {
    if (!$im2 = imagecreatefromjpeg($image)) {
        echo "Error opening $image!"; exit;
    }
} else if (strtolower($ext) == "png") {
    if (!$im2 = imagecreatefrompng($image)) {
        echo "Error opening $image!"; exit;
    }
} else {
    // Any other extension is refused.
    die;
}
// Draw a translucent black band along the bottom, as tall as the watermark.
imagefilledrectangle($im2, 0, (imagesy($im2))-(imagesy($im)), imagesx($im2), imagesy($im2), imagecolorallocatealpha($im2, 0, 0, 0, 100));
// Copy the watermark into the bottom-right corner.
imagecopy($im2, $im, (imagesx($im2)-(imagesx($im))), (imagesy($im2))-(imagesy($im)), 0, 0, imagesx($im), imagesy($im));
$last_modified = gmdate('D, d M Y H:i:s T', filemtime($image));
header("Last-Modified: $last_modified");
// The result is always sent as JPEG, whatever the source format was.
header("Content-Type: image/jpeg");
imagejpeg($im2, NULL, 95);
imagedestroy($im);
imagedestroy($im2);
?>
This file is placed in the images directory.
Also in the images directory, create an .htaccess file with the following code:
RewriteEngine on
RewriteCond %{REQUEST_URI} !/thumb_[^/]*$
RewriteRule ^(.*\.[jJ].*)$ /com/gallery/w.php?i=$1
This tells the web server that instead of serving jpg files out of this directory directly, it should pass the filename to w.php and serve the result to the browser. The RewriteCond excludes files whose names start with thumb_, so the script does not run on thumbnails. (A pattern beginning with [^thumb] would not do this: it is a character class, and skips every file whose name starts with t, h, u, m or b.)
Here is the resulting image, with watermark! This is served right out of an image directory with no watermark on the original picture:

thanks to systembash
How to install Xcache module for Apache
XCache is a fast, stable PHP opcode cacher that has been tested and is now running on production servers under high load. It is tested (on Linux) and supported on all of the latest PHP cvs branches such as PHP_4_3, PHP_4_4, PHP_5_0, PHP_5_1, PHP_5_2 and HEAD (6.x). ThreadSafe/Windows is also supported. It overcomes many problems found in competing opcode cachers, for example by being usable with new PHP versions. See Introduction for more information.
You don't have to check the following list yourself; the configure script will do it for you, unless you have problems with configure/make.
Check version with cli
$ php-cgi -v
PHP 4.4.3-dev (cgi-fcgi) (built: Mar 10 2006 18:46:02)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
or setup a file with:
Check version with phpinfo
<?php
phpinfo();
?>
and request it from your browser.
* Get PHP working with your webserver without XCache first!
* common build tools: C compiler, make, libtool (required by the PHP build environment)
* PHP build environment installed. If you installed PHP yourself, make sure you have run "make install". For some OS distributions, there is a "php-devel" package. Check it with:
Check phpize
$ which phpize
/usr/local/bin/phpize
(or)
/usr/bin/phpize
Your output may vary from this, depending on your installation of PHP. If phpize is not found, you have to locate it yourself.
* m4
* indent (optional)
Building:
~ $ cd ~/src/xcache
~/src/xcache $ ls
(your XCache source is here)
~/src/xcache $ phpize
(generating configure .... every time you upgrade PHP, or update to a new XCache, you have to run phpize again)
(it is suggested to build outside of the source directory, so make a build directory first and enter it)
~/src/xcache $ mkdir ../xcache-build
~/src/xcache $ cd ../xcache-build
~/src/xcache-build $ ../xcache/configure --help
......
--enable-xcache Include XCACHE support.
--enable-xcache-optimizer XCACHE: (N/A)
--enable-xcache-coverager XCACHE: Enable code coverage dumper
--enable-xcache-assembler XCACHE: (N/A)
--enable-xcache-disassembler XCACHE: Enable opcode to php variable dumper
--enable-xcache-encoder XCACHE: (N/A)
--enable-xcache-decoder XCACHE: (N/A)
--enable-xcache-test XCACHE: Enable self test - FOR DEVELOPERS ONLY!!
......
(run configure with options you selected now)
~/src/xcache-build $ ../xcache/configure --enable-xcache --enable-xcache-coverager
(a lot of output here; if you have a problem, read the error message twice)
(and search inside config.log, and check Pre-requirement in this page above)
~/src/xcache-build $ make
(a lot of output here again; check whether it succeeds or errors out.)
NOTE: It's always better not to enable unnecessary modules on a production server unless you're not the maintainer of the server. Play with it locally.
WARNING: If you're using something like /opt/php/bin/phpize which isn't the first one found in $PATH, remember to run configure with --with-php-config=/opt/php/bin/php-config, using exactly the same directory as phpize.
Special path
~/src/xcache-build $ PATH="/opt/php/bin/:$PATH" ../xcache/configure \
--with-php-config=/opt/php/bin/php-config \
--enable-xcache \
--enable-xcache-coverager
(line is broken up for readability)
~/src/xcache-build $ make
Installing
~/src/xcache-build $ su
Password:
(enter your root password here. Whenever you see a red # in a code listing in this wiki, it means you need to be root to do that)
~/src/xcache-build # make install
(a lot of output here, and you can see where the XCache extension is installed; remember the extension path)
You have to modify php.ini to enable XCache in your PHP!