RE: [mod-security-users] Apache/PHP Configuration

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Well, I dropped the RH default configuration, that is the input/output
filters, added the handler, and restarted Apache.  Now when I hit the home
page of the web server, I see nice, clean PHP code instead of a running
application.  

So, I'm back to the input/output filtering.  

Maybe it's because RH 8.0 uses Apache 2.0.40 and PHP 4.2.2...

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, January 14, 2004 4:30 PM
To: L. Christopher Luther
Cc: ModSecurity-Users (E-mail)
Subject: Re: [mod-security-users] Apache/PHP Configuration

L. Christopher Luther wrote:
> Can someone tell me the difference between RH 8.0 Apache's default
> configuration for PHP handling:  
> 
>     <Files *.php>
>        SetOutputFilter PHP
>        SetInputFilter PHP
>        LimitRequestBody 524288
>     </Files>

  Strictly speaking, that's RedHat's default configuration, since
  Apache does not ship with PHP originally.

  The interface between PHP and Apache can be implemented in two
  different ways. PHP developers first attempted to
  implement PHP as an Apache filter. They have since abandoned
  that approach, going back to the "good old handler" approach.

  PHP 4.3.4 still ships with both interfaces but, as far as I
  know, apache2handler is being recommended as "the right way
  to do it".

> And what the mod_security docs suggest for the Apache/PHP configuration:  
> 
>     AddHandler application/x-httpd-php .php  
> 
> I'm using the vanilla RH 8.0 Apache/PHP configuration, but with regard to
> mod_security's dynamic request handling, I'm wondering what is best.  

  I would go with the mod_security way ;)

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]