Let’s say you are dealing with a shared Apache server running PHP as an Apache module, you have several websites running, and you don’t want to let some php directives being changed. You allow the modifications of the directives such as display_errors but you don’t want memory_limit to be changed by any of the users (let’s say 128M) also, you don’t want to say that your server runs PHP (i.e expose_php off).
It’s possible to change the values of the php.ini directives in three differents ways:
- apache configuration (i.e virtualhost(s), apache2.conf, etc …)
- .htaccess (if AllowOverride Options or AllowOverride All)
- ini_set function
There are two ways to force the values of the php directives and make them unchangeable from .htaccess or with ini_set function.
–php_admin_value <setting> <value>
This one forces a directive to a certain value (non boolean), for example:
php_admin_value memory_limit 128M
We force memory_limit to 128M.
–php_admin_flag <setting> <on|off>
This one does the same but for a boolean value, for example:
php_admin_flag expose_php off
There the directive expose_php will be unset.
To do this for ALL the websites on your server, you can edit your /etc/apache2/apache2.conf (may change if you have httpd) and put this content at the end:
Create the file /etc/apache2/php_restrictions, and add this content:
php_admin_value memory_limit 200M php_admin_flag expose_php off
You can add as many rules as you wish, then reload your webserver like that (may change if you have httpd):
To do this for only ONE specific website (i.e virtualhost), just set the rules inside the virtualhost like that:
NameVirtualHost www.test.com:80 <VirtualHost www.test.com:80> ServerName test.com ServerAlias www.test.com DocumentRoot /var/www/test # now the rules php_admin_value memory_limit 128M php_admin_flag expose_php off </VirtualHost>
This will apply only to the www.test.com website.
Then you need to reload the webserver too.
Voilà, you have restricted some directives and some others are still changeable.
Though, some directives cannot be changed inside apache2.conf or virtualhost(s), you may check the documentation.