問題描述

我有單獨的 Web (Apache/PHP) 和數(shù)據(jù)庫 (MySQL) 服務器，它們通過 SSL 連接使用 mysqli，運行良好.在框架內(nèi)的數(shù)據(jù)庫連接庫的ssl_set()函數(shù)中，我可以指定keys/pem文件的路徑，只要在docroot內(nèi)即可.如果文件在 docroot 之外，我顯然無法訪問它們，并且連接失敗.

I have separate web (Apache/PHP) and database (MySQL) servers using mysqli over an SSL connection working nicely. In the ssl_set() function in the database connection library within the framework, I can specify the path to the keys/pem files as long as it's within the docroot. If the files are outside the docroot, I obviously cannot access them, and the connection fails.

在 apache docroot 之外存儲和訪問 mysql 客戶端 ssl 密鑰的最安全方法是什么?

What is the most secure method for storing and accessing mysql client ssl keys outside the apache docroot?

是否可以安全使用ini_set"，以便我可以即時"允許該訪問，然后刪除該參數(shù)?還是應該使用符號鏈接?

Is there a secure use of "ini_set" whereby I can allow that access "on the fly" and then remove that parameter? Or should I use symlinks?

我在這里尋找最佳實踐.我想這個問題不限于證書密鑰，但我想確保您知道我的具體用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

謝謝！

推薦答案

我在這里尋找最佳實踐.我想這個問題不限于證書密鑰，但我想確保您知道我的具體用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

這個問題進入了一個領域，安全專家會在權衡不同威脅模型的問題上爭論不休，因此安全憑證管理沒有唯一正確的答案".但是，有大量明顯錯誤的答案.

This problem gets into a the territory where security experts will split hairs over trade-offs against different threat models, so there is no "one right answer" for secure credential management. However, there are a ton of obviously wrong answers.

Chris Cornutt 發(fā)表了一篇關于使用 Docker 保護 PHP 憑據(jù) 我強烈建議您閱讀有關解決憑據(jù)管理所涉及的威脅和策略的背景信息.

Chris Cornutt published an article about securing PHP credentials with Docker that I highly recommend reading for background information about the threats and strategies involved in solving credential management.

一般來說，psecio/secure_dotenv 會為大多數(shù)用戶解決這個問題.這是一個用于管理憑據(jù)的開源庫，這些憑據(jù)以靜態(tài)方式存儲它們.

In general, psecio/secure_dotenv will solve this problem for most users. This is an open source library for managing credentials that stores them encrypted at-rest.

如果您需要更高級的東西(或與產(chǎn)品集成，例如保險柜)，您可能需要請安全專家來審查您的設計和實施.

If you need something fancier (or to integrate with a product, e.g. Vault), you may want to ask a security expert to review your designs and implementations.

這篇關于使用 PHP/MySQLI/Apache 時在哪里安全地存儲證書/密鑰?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！