問題描述

我有單獨的 Web (Apache/PHP) 和數據庫 (MySQL) 服務器，它們通過 SSL 連接使用 mysqli，運行良好.在框架內的數據庫連接庫的ssl_set()函數中，我可以指定keys/pem文件的路徑，只要在docroot內即可.如果文件在 docroot 之外，我顯然無法訪問它們，并且連接失敗.

I have separate web (Apache/PHP) and database (MySQL) servers using mysqli over an SSL connection working nicely. In the ssl_set() function in the database connection library within the framework, I can specify the path to the keys/pem files as long as it's within the docroot. If the files are outside the docroot, I obviously cannot access them, and the connection fails.

在 apache docroot 之外存儲和訪問 mysql 客戶端 ssl 密鑰的最安全方法是什么?

What is the most secure method for storing and accessing mysql client ssl keys outside the apache docroot?

是否可以安全使用ini_set"，以便我可以即時"允許該訪問，然后刪除該參數?還是應該使用符號鏈接?

Is there a secure use of "ini_set" whereby I can allow that access "on the fly" and then remove that parameter? Or should I use symlinks?

我在這里尋找最佳實踐.我想這個問題不限于證書密鑰，但我想確保您知道我的具體用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

謝謝！

推薦答案

我在這里尋找最佳實踐.我想這個問題不限于證書密鑰，但我想確保您知道我的具體用例.

I'm looking for best practices here. I suppose this question isn't limited to cert keys, but I wanted to make sure you knew my specific use case.

這個問題進入了一個領域，安全專家會在權衡不同威脅模型的問題上爭論不休，因此安全憑證管理沒有唯一正確的答案".但是，有大量明顯錯誤的答案.

This problem gets into a the territory where security experts will split hairs over trade-offs against different threat models, so there is no "one right answer" for secure credential management. However, there are a ton of obviously wrong answers.

Chris Cornutt 發表了一篇關于使用 Docker 保護 PHP 憑據 我強烈建議您閱讀有關解決憑據管理所涉及的威脅和策略的背景信息.

Chris Cornutt published an article about securing PHP credentials with Docker that I highly recommend reading for background information about the threats and strategies involved in solving credential management.

一般來說，psecio/secure_dotenv 會為大多數用戶解決這個問題.這是一個用于管理憑據的開源庫，這些憑據以靜態方式存儲它們.

In general, psecio/secure_dotenv will solve this problem for most users. This is an open source library for managing credentials that stores them encrypted at-rest.

如果您需要更高級的東西(或與產品集成，例如保險柜)，您可能需要請安全專家來審查您的設計和實施.

If you need something fancier (or to integrate with a product, e.g. Vault), you may want to ask a security expert to review your designs and implementations.

這篇關于使用 PHP/MySQLI/Apache 時在哪里安全地存儲證書/密鑰?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！