Apache 403 Forbidden page security [closed] - php

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I'm using WAMP and wanted to know if it's ok for the forbidden page to show the services (Apache/PHP) and their version numbers? Is this standard practice?
Thanks

I think for a development system this is good practice, while for a production system you should deactivate this feature. To do this you have to change the following lines in your httpd.conf/apache.conf:
ServerSignature off
ServerTokens prod
You would also have to set
expose_php = Off
in your php.ini to prevent PHP from showing the PHP version.

The names of the services (Apache/PHP) and their version numbers shown on the 403 Forbidden page and other error pages like it (404 Not Found, "Internal Server Error", etc.) are called the server signature.
Since WAMP is a local development environment, there is no problem with it.
But for a production server, it's not at all a good practice, since every version of Apache or PHP has some points of weakness. These may be exploited by a malicious hacker.
You can disable the server signature by editing your apache2.conf/httpd.conf file.
Add the following lines at the end of the file and restart Apache:
ServerSignature Off
ServerTokens Prod
Back to your question of whether or not it's a standard practice to show the server signature on error pages: well, for a development environment it's a standard practice. But for production servers, "No, it's not a good or standard practice."

Related

php7.4, php7.4-fpm, http2, Apache, nginx, I'm confused [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
Can I use php7.4-fpm with Apache? Or is php-fpm really only for use with nginx? And why?
Does php7.4 support http2? Or do you still need php-fpm? The official http2 site (http2.pro) hasn't been updated in a couple of years.
Is it still worth activating HTTP2? (The latest update dates back to a couple of years ago.)
To activate http2 I followed all the procedure described here: https://http2.pro/doc/Apache, now if I have to reactivate php (normal) how do I go back?
(The question was initially much more explanatory, but the administrators didn't like it ... they ask for it to be more focused, so let's try with only the questions.)
PHP-fpm is a version of PHP that talks to the outside world with a protocol (a style of communication) called FastCGI. Apache can also talk via FastCGI to the servers it uses to answer requests - in both Nginx & Apache via the php-fpm: master process, that organises the pool of workers that actually run the PHP code. Since Nginx doesn't have mod_php, the only significant way to have it run PHP code is with php-fpm (there are some other methods, but they are not so often used).
HTTP2 is something for the webserver to deal with - Apache, or Nginx. PHP doesn't need to worry about it, unless you want to send additional headers that the webserver would then deal with on its behalf (like also sending CSS or .JS files along with the initial connection - this is called HTTP-push, but it's not yet widely established).
HTTP2 is totally worth it - you will, however, use this alongside the older HTTP v1.0 or v1.1, but it is more efficient for browsers that support it.

Hiding Server Version Not Working [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I want to hide server/PHP version details from hackers/spammers etc when they view an HTTP response etc.
X-Powered-By:PHP/5.2.6-1+Squeezy
I have read articles like > ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/
And others that say to add
ServerSignature Off
ServerTokens ProductOnly
To my Apache2.conf file, which I have done at the bottom of the file as well as turning off the expose_php option in php.ini etc
expose_php = Off
However even after reloads and restarts of Apache I still see this Response Header.
I am behind Cloudflare so don't know if they have the ability to override my settings or why they would want to.
Does the position of my directives in the Apache.conf file matter?
Are there other files I need to check?
What can I do to ensure this header is hidden from probers etc.
Thanks
I'll be honest in that you're fighting a losing battle here. You're using PHP 5.2.6, which is not only not the latest release of 5.2 (5.2.11), it's been EOL for 4+ years. It sounds like hackers are finding the header and attacking your machine. The problem is that even if you somehow remove the header this will not make your machine more secure. Any vulnerabilities in 5.2 are not being patched. All you're doing is making the problem less obvious.
Cloudflare does not add server headers, nor can they change your server settings.
As to turning it off, you probably did not edit the right file: settings from /etc/apache2/conf.d/security will overwrite ServerSignature / ServerTokens settings set in /etc/apache2/apache2.conf.
I think you edited the wrong php.ini file. You have to edit /etc/php5/apache2/php.ini and then set expose_php to 'off' in order to make it work.
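A way to check whether the ServerTokens, ServerSignature and expose_php settings discussed on this page actually took effect, as an added example (not code from any of the posts): it audits a raw HTTP response for a versioned Server header, an X-Powered-By header, and the footer that ServerSignature appends to Apache error pages. The function name, the Apache version, the host and the response bodies are constructed for illustration; the X-Powered-By value is the one quoted in the question above.

```python
import re

# Product/version token such as "Apache/2.4.0" or "PHP/5.2.6-1+Squeezy".
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.+~-]*")
# Footer that ServerSignature On/EMail appends to Apache-generated error pages.
SIGNATURE_FOOTER = re.compile(r"<address>(.*? Server at .*?)</address>", re.S)

def audit_response(raw):
    """Return a list of disclosure findings for one raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep:
            continue
        if name.lower() == "x-powered-by":
            # With expose_php = Off, PHP does not send this header at all.
            findings.append(f"{name} header present: {value}")
        elif name.lower() == "server" and (VERSION_TOKEN.search(value) or "(" in value):
            # ServerTokens Prod reduces the Server header to "Apache".
            findings.append(f"Server header discloses version/OS: {value}")
    footer = SIGNATURE_FOOTER.search(body)
    if footer:
        findings.append(f"error-page signature: {footer.group(1)}")
    return findings

# Constructed samples (Apache version, host and bodies are made up).
LEAKY_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache/2.4.0 (Win64) PHP/5.2.6\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<h1>Forbidden</h1><hr>\n"
    "<address>Apache/2.4.0 (Win64) PHP/5.2.6 Server at localhost Port 80</address>"
)
# ServerTokens Prod applied, but expose_php is still On in the php.ini in use.
PHP_200 = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
    "X-Powered-By: PHP/5.2.6-1+Squeezy\r\n\r\n<p>ok</p>"
)
HARDENED_403 = (
    "HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n<h1>Forbidden</h1>"
)

if __name__ == "__main__":
    for label, raw in [("leaky 403", LEAKY_403), ("php 200", PHP_200),
                       ("hardened 403", HARDENED_403)]:
        print(label, audit_response(raw) or "no disclosure found")
```

An empty result only means the banner is hidden; it says nothing about whether the software behind it is patched.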

Symfony: Apache vs built-in PHP server [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
From what I understand, Apache (or Nginx) has been the server of choice (as well as it being installed as part of LAMP/WAMP/MAMP packages). However, the current installation instructions for Symfony (2.6) recommend using the built-in PHP webserver.
From what I understand, this has been in active development since php 5.4 and is making continual improvements. Could someone help give some perspective on this switch from Apache->PHP webserver?
Is it due to comparable speed/efficiency/security?
Is it more to do with simplifying the Symfony setup (and therefore only really to be used for development servers)?
Read the warning in the documentation:
http://php.net/manual/en/features.commandline.webserver.php
It is not intended to be a full-featured web server.
They don't intend to make the tool a webserver.
I recommend nginx with php-fpm.

Best practices for updating software on a live server [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
Our live server running PHP v5.2.6 (yes, circa 2008) needs an upgrade.
I'm thinking the best process is:
Copying over all of our live sites to my personal server
Testing our sites on my personal server with the newest versions of all of our software
Making the versions on my server live (so that there are no interruptions in web access)
Upgrading to the newest versions of all of our software on our live server
Moving all of our sites back to our live server
Making the sites on our live server live again
Could you give me a better solution to this issue (if one exists)?
I have done this, and I recommend doing the following:
Purchase the new server (or start renting the production server - if you don't own it)
Move all the files over to the new server, but make sure that Google cannot crawl the site. You don't want duplicate content on both websites running at the same time. You can do this by editing the /robots.txt file.
Get all the applications up and running with your new sites. (make sure everything works)
Enable Google to crawl the sites on your new server.
Disable Google to crawl on your OLD server.
If you are with the same hosting provider, ask them to switch over the IP addresses to your new server. If they cannot do this then you will have to do it via DNS (which is more dangerous because if there is a problem it can take DNS 24 hours to switch back to the old server).
Let the server run for about a week, and if you see everything okay shutdown the old one.
To me this option is safer because I have experienced issues with moving to a new OS LAMP development, and this process let me work out the issues without the stress of worrying when I switched it over.

installing php mysql installation on windows 7 with iis [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I'm installing WordPress on my local host for development purposes.
I have installed PHP and verified it is working using
phpinfo();
I have also installed MySQL on my machine.
I have unmarked MySQL.dll
Unmarked MySQL.dll extension on my PHP.INI file and restarted IIS.
Now once I go to the WordPress installation address I'm getting:
HTTP Error 500.0 - Internal Server Error
Are there other settings I'm forgetting to deal with?
Just get IIS Express with Web Platform Installer. You'll find PHP in the list there and URL Rewrite, PHP WinCache and more utilities. IIS Express is better for local dev than IIS as it's lighter on the permissions that it needs.
Read here IIS Express vs Default IIS that comes with Windows 7 ... you might have issues with your permissions and that's a major PITA to handle. I always eventually set IIS up properly but can never actually tell what I did :) on the permissions side.
Apache on Windows is not as fast as IIS. But if your hosting is Linux, you might want to use it to get acquainted with .htaccess Rewrites and overall rules too.
