Where to securely store certificates/keys when using PHP/MySQLi/Apache?

2021-12-25 00:00:00 ssl certificate security php mysqli

I have separate web (Apache/PHP) and database (MySQL) servers using mysqli over an SSL connection working nicely. In the ssl_set() function in the database connection library within the framework, I can specify the path to the keys/pem files as long as it's within the docroot. If the files are outside the docroot, I obviously cannot access them, and the connection fails.

What is the most secure method for storing and accessing mysql client ssl keys outside the apache docroot?

Is there a secure use of "ini_set" whereby I can allow that access "on the fly" and then remove that parameter? Or should I use symlinks?

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

Thanks!
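As an added example (not code from the question or the answer), here is how a mysqli client can use key material that lives outside the Apache docroot. It assumes a hypothetical directory /etc/myapp/mysql-tls owned by root:www-data, mode 0750, files mode 0640, and that this directory is listed in open_basedir if that directive is in use; the file, host and database names are placeholders.

```php
<?php
// Added example: connect with mysqli over TLS using client key/cert files
// kept OUTSIDE the Apache docroot.
// Assumption: /etc/myapp/mysql-tls (hypothetical) is root:www-data, 0750,
// files 0640, and the directory is included in php.ini's open_basedir.
// open_basedir is what usually blocks reads outside the docroot. It can be
// tightened at runtime but never loosened with ini_set(), so it has to be set
// correctly in php.ini or the vhost, not "on the fly" from the script.

declare(strict_types=1);

const TLS_DIR = '/etc/myapp/mysql-tls'; // hypothetical path outside docroot

/** Refuse to use key material that other local users could read. */
function assertPrivateFile(string $path): void
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException(
            "TLS file not readable by PHP: $path (check open_basedir and ownership)");
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf(
            '%s is world-accessible (mode %04o); expected 0640 or tighter', $path, $mode));
    }
}

function connectWithClientCert(string $host, string $user, string $pass, string $db): mysqli
{
    $key  = TLS_DIR . '/client-key.pem';   // placeholder file names
    $cert = TLS_DIR . '/client-cert.pem';
    $ca   = TLS_DIR . '/ca.pem';
    foreach ([$key, $cert, $ca] as $f) {
        assertPrivateFile($f);
    }

    // Throw on errors instead of silently returning false / falling back.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $mysqli = mysqli_init();
    $mysqli->ssl_set($key, $cert, $ca, null, null);
    // Check the server certificate against $ca, so a MITM with its own cert is rejected.
    $mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // MYSQLI_CLIENT_SSL requires TLS for this connection.
    $mysqli->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);
    return $mysqli;
}

// Usage: $db = connectWithClientCert('db.internal.example', 'app', getenv('DB_PASS'), 'app');
```

The Apache process only needs read access to the files, so keeping them unreadable by other local accounts (and outside any path the web server serves) is the part that matters; no ini_set() trick or symlink into the docroot is required.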

Recommended answer

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

This problem gets into the territory where security experts will split hairs over trade-offs against different threat models, so there is no "one right answer" for secure credential management. However, there are a ton of obviously wrong answers.

Chris Cornutt published an article about securing PHP credentials with Docker that I highly recommend reading for background information about the threats and strategies involved in solving credential management.

In general, psecio/secure_dotenv will solve this problem for most users. This is an open source library for managing credentials that stores them encrypted at-rest.

If you need something fancier (or to integrate with a product, e.g. Vault), you may want to ask a security expert to review your designs and implementations.