
I'm looking for a way to manipulate the webserver PHP is running under, using APIs.

For example, I'd like to be able to add mod rewrite rules dynamically or block IP addresses for certain paths, all without touching .htaccess files.

Does something like this exist for PHP?

oxygen
  • Why not `.htaccess` files? You would have to restart the server every time you made a change, but I suppose that would be fine if the config was not modified often. – uınbɐɥs Sep 09 '12 at 23:32
  • @ShaquinTrifonoff Not really, Apache2 periodically checks .htaccess files for changes and recompiles them. It's true the changes are not detected immediately, but they are detected within a few seconds. One reason not to use .htaccess files is being harder to detect and rollback errors (a rollback would be easy, delete, recreate; detection is harder). – oxygen Sep 10 '12 at 07:43
  • I'm talking about the server config (`httpd.conf`), for that you would have to restart the server. – uınbɐɥs Sep 10 '12 at 07:49
  • I was thinking/hoping dynamic changes to the (in-memory) config via APIs would be applied immediately. – oxygen Sep 10 '12 at 07:56
  • I don't think there is something like that, would have to use `.htaccess` files, unfortunately. – uınbɐɥs Sep 10 '12 at 21:27
  • This is an API given from mod_perl. Possibly you need a pair of apache module and php extension - both are to be written in C. This is not so smart, the better idea is as in the answer below, to make mod_rewrite to send all requests to a given php script, where to make execute selection, based on routing and to check the IPs or to use different apache modules for blocking such as mod_security and write some perl/python scripts for their management. I think this would be better way. – Rolice Sep 24 '12 at 16:04
  • @rolice While I do agree the solution below is pretty good, I don't agree on using mod_rewrite+PHP for IP blocking. The server could easily be made to choke. – oxygen Sep 24 '12 at 16:10
  • Yes, that is why I mentioned mod_security. It would gain you some performance points. I think you could use it for IP blocking, but keep in mind, mod_security could be nasty when configured in a bad way, because of not understanding how it works and how to express your rules over it. Version 2 of mod_security has some improvements. Check it, it might be useful for you. – Rolice Sep 25 '12 at 15:27

1 Answer

It is not possible for PHP to alter Apache's config dynamically, although, as you noted, you can use PHP to edit the configuration or .htaccess files and reload the configuration. But I would consider it a big security risk to give your webapp that much power over the web server.

Your example of blocking IPs dynamically can be done with mod_rewrite's RewriteMap directive. Basically, you would write a mod_rewrite rule for your website that will instruct mod_rewrite to look in an external data source that your PHP script could maintain.

The mod_rewrite documentation has an example to start from: Denying Hosts in a Blacklist

Description:
We wish to maintain a blacklist of hosts, rather like hosts.deny,
and have those hosts blocked from accessing our server.

Solution:

```
RewriteEngine on
RewriteMap hosts-deny txt:/path/to/hosts.deny
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^ - [F]
```

```
##
## hosts.deny
##
## ATTENTION! This is a map, not a list, even when we treat it as such.
## mod_rewrite parses it for key/value pairs, so at least a
## dummy value "-" must be present for each entry.
##

193.102.180.41 -
bsdti1.sdm.de -
192.76.162.40 -
```

Discussion:
The second RewriteCond assumes that you have HostNameLookups turned on,
so that client IP addresses will be resolved. If that's not the case,
you should drop the second RewriteCond, and drop the [OR] flag from
the first RewriteCond.

Your PHP script could maintain those text files (other data stores are available, too) and you could make any number of rulesets for your specific needs to control access dynamically. Would that work?

jimp
  • I think this looks like the right way to look at it. Generally you want to get the functionality that you want to dynamically alter **out of Apache** and somewhere, where you can control it. – zzen Sep 19 '12 at 08:23
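
The PHP side of the RewriteMap approach from the answer above, as an added example that is not part of the original answer or of the Apache documentation. The function names and the `.lock` and `.tmp` sibling files are assumptions; the code accepts only literal IP addresses and replaces the map file atomically, so the web app needs write access to that one directory and nothing else in the server configuration.

```php
<?php
// Added example. Function names and the .lock/.tmp sibling files are assumptions.
// Read the txt map into [key => value], skipping comments and blank lines.
function read_deny_map(string $path): array
{
    $map = [];
    $lines = is_file($path) ? (file($path, FILE_IGNORE_NEW_LINES) ?: []) : [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts = preg_split('/\s+/', $line, 2);
        $map[$parts[0]] = $parts[1] ?? '-';
    }
    return $map;
}

// Add or remove one IP. Returns false when $ip is not a literal IP address.
function update_deny_map(string $path, string $ip, bool $block): bool
{
    // Only literal IPs pass, so request data cannot smuggle newlines or extra entries.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Serialize concurrent PHP requests on a separate lock file.
    $lock = fopen($path . '.lock', 'c');
    if ($lock === false || !flock($lock, LOCK_EX)) {
        throw new RuntimeException('cannot lock deny map');
    }
    try {
        $map = read_deny_map($path);
        if ($block) {
            $map[$ip] = '-';   // dummy value required by the map format
        } else {
            unset($map[$ip]);
        }
        $out = "## hosts.deny (generated)\n";
        foreach ($map as $key => $value) {
            $out .= "$key $value\n";
        }
        // Temp file plus rename in the same directory: readers see the old or the new map.
        $tmp = $path . '.tmp';
        if (file_put_contents($tmp, $out) === false || !rename($tmp, $path)) {
            throw new RuntimeException('cannot write deny map');
        }
    } finally {
        fclose($lock);         // closing the handle also releases the lock
    }
    return true;
}
```

Calling `update_deny_map('/path/to/hosts.deny', $ip, true)` blocks an address and passing `false` unblocks it; mod_rewrite re-reads a `txt:` map when the file's modification time changes, so no server reload is involved.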