问题
I am currently working on a new project which involves using CRON jobs.
The CRON script basically runs an SQL query, generates the data into a file, and send that file to another server via FTP.
The script is on a live website (www.website.com/sendOrders.php)
I don't see any security issues or threats, and I think it is highly unlikely that anyone will find the PHP script on the server. However I don't want the script to be executed by any outsiders.
Is there a way I can protect this script?
Thanks Peter
回答1:
You could move your "secret files" into a subfolder, then create a .htaccess file in there that prevents access to that file from everyone, except the server that is running the Cronjob.
Example:
DENY FROM ALL
ALLOW FROM 123.123.123.123
If you have shell access you might also put the scripts outside of the accessible folder and run directly via command line or cronjob like this: php script.php.
回答2:
Why not just move the script outside the Web-root of the server and execute it from CLI? This was there is no chance of anyone else executing it.
If you must have it in the webroot (and there should be no reason for it), just make sure that the client for the request is the server you are running it on, and it should be more than enough.
回答3:
This seems rather silly. Why have cron on machine A invoke a script via HTTP on machine B, when you could simply have machine B's native scheduling system (whatever OS it happens to be) do the job itself?
Then you could have the script tucked away somewhere that's not accessible via HTTP and render your security problem completley moot.
回答4:
If the files are in a folder which shouldn't be locked down completely, wrap those lines in <Files whatever.php>...</Files>
<Files "cron.php">
Order deny,allow
Allow from name.of.this.machine
Allow from another.authorized.name.net
Allow from 127.0.0.1
Deny from all
</Files>
回答5:
Here is my solution:
In cron.php check if some specific header is sent
cron.php
if (secure_cron_script() === false) {
echo 'Unauthorized';
return;
}
echo 'OK';
functions.php
function secure_cron_script () {
if (DEBUG)
return true;
$http_headers = getallheaders();
if (empty($http_headers['X-My-Cron-token'])
|| $http_headers['X-My-Cron-token'] !== SECURE_CRON_TOKEN) {
return false;
}
return true;
}
How to call cron with curl:
curl --header "X-My-Cron-token: 321123321sd" https://example.com/cron.php
No IP restriction. No GET/POST. If dev mode, skips restriction. You can put script wherever you want.
来源:https://stackoverflow.com/questions/13114466/can-i-protect-my-cron-scripts-from-remote-users