If you have configured an Nginx web server and PHP- FPM wrapper, now it is better to change the PHP default setting. It is not bad the files which are default configuration from Ubuntu or Debian repositories. But it may be better for our needs. Through this article, we focus only on one file. According to that, now we focus the way of changing the php.ini file, which located in etc/ php/ YOUR_ VERSION/ fpm directory.
Now we focus on it.
PHP.ini configuration file
This is the main PHP configuration file for all daemons that use this PHP version with global settings. We have the ability to rewrite some of these file values in wrapper configuration files. This is not being the topic for this entry. You can just open the file and find some values.
memory_limi = 32M
The above mention setting, which is the memory limit, is a very important setting for the PHP process. It can consume more memory for some of our scripts. A good example of that is images and text processing. Meanwhile, some standard scripts want a high memory limit for their consumption. There is another good example, which is Invision Power Board community software. It is want a minimum 128MB memory limit for installation.
But for the Nginx web server, is it want a very big limit, half of our server memory capacity? The answer is no. it can be limit per process. Assume that, if you set 256MB limit and there is 4 high memory usage processes. They may only consume 1GB. Therefor better option is to set the low limit as an example 32MB. And gradually increase this value according to demand using ini_ set function.
upload_ max_ filesize = 16M
post_ max_ size = 16M
The above settings are related to files uploading. Based on the AJAX request etc, we able to limit the size of files which are upload by users on our forms. All based on our needs. In here you should set the maximum possible value. And keep on mind that it may be lead to block your process through big upload limit and slow connection.
max_ execution_ time = 30
This is the maximum time (in second) for one PHP request. After 30 seconds, the script will be automatically terminated by the PHP engine. It will display an error message to the user. So you have to do this setting always and make sure to set small values always. If you have a slow script, it may be allowed to potential attackers to block your PHP and overload through setting higher value as execution limit.
max_ input_ time = -1
This is the maximum time for get data from user request. The meaning of it, the maximum time, PHP can wait for user input such as file uploading, send (very) big form, and others. In this situation, it is similar to maximum execution time. But it is apply only to POST/ GET processing and not applicable for whole script execution. Through setting -1 as default value, it is not meaning that unlimited. It is same to the maximum execution time and will be a good option.
session. use_ strict_ mode = 1
session. use_ only_ cookies = 1
session. cookie_ secure = 1
These settings are related to user sessions and cookies handling. It is regeneration and strengthens security by first forces. If you don’t intend to use this setting, you have to regenerate the session ID after each request. For the store session ID, if you use only cookies, it will prevent script to use URLs. But it is not a secured method. Because potential attackers has an ability o steal your ID from URL (otherwise users can be copied such URLs to other people) it will force to script to use a secure connection to send cookies it will force to script to use a secure connection to send cookies by cookies secure. Although it is a great option, it is better to use encryption on your web server. It is only a proposed configuration.
disable_functions = exec;shell_exec;other_function
Through disabling functions deactivation allows us to disable some of the built-in PHP functions. It is also a great option, if we want limit our PHP wrappers and also you want to disallow to run for example shell commands. It is difficult to say what is most suitable for your websites. Always it depends on your website and based on your needs.
log_ errors = on
error_ reporting = E_ ALL
This is the level of error reporting. For the log on any reports and fix bad scripts, this is a good option. But sometimes, all is too much. You can configure this option through increasing or decreasing logging level. It is strict standard information through disabling notice, warning or new PHP version.
display_ errors = off
error _ log = /var/ log/ php
This is good. But it is not necessary if there is not showing any error to users. This is not a pretty method and it may be able to reveal your website configuration. it is more suitable to log to error file and check it regularly. You can send the errors to the browser only on the development environment.
date. timezone = “US/ Central”
You can set the time zone in here. It is not more important. But it is important because of without that and without an on-demand set time zone, some Script can send the PHP notices about invalid time zone. It should be useful to handle all dates and properly without a set time zone every time.
cgi. fix_ pathinfo = 1
This is a small option. But it is enabling on default and it will fix some PHP variables (like PHP_ SELF) through configuration with the Nginx web server. There is a security issue. It allowed attackers to run other files as a PHP script through using invalid requests. This was an issue most common before 5.4 versions. Because of changing other PHP settings now, it is no issue. You can follow the below option if you use Nginx.
Through this option, it will display the PHP information on server headers. It is not necessary and there is no problem whether we hide. The real users will not persuade to check the server header, because of that; we can hide information as much as possible. It may check our information by potential attackers or script kiddies. We have an idea about the PHP version, which are we use. Therefore, there is no need to reveal about our PHP version for our entire user. After the PHP installation, you should disable it.