Can I protect my CRON scripts from remote users?

柔情痞子 submitted on 2020-02-20 11:17:27

Question


I am currently working on a new project which involves using CRON jobs.

The CRON script basically runs an SQL query, generates the data into a file, and sends that file to another server via FTP.

The script is on a live website (www.website.com/sendOrders.php)

I don't see any security issues or threats, and I think it is highly unlikely that anyone will find the PHP script on the server. However, I don't want the script to be executed by any outsiders.

Is there a way I can protect this script?

Thanks, Peter


Answer 1:


You could move your "secret files" into a subfolder, then create a .htaccess file in there that prevents access to that file from everyone except the server that is running the cron job.

Example:

# .htaccess in the subfolder holding the cron script (Apache 2.2 access-control syntax)
# Order Deny,Allow: Deny rules are evaluated first, then Allow rules override them
Order Deny,Allow
Deny from all
# only the host that runs the cron job may fetch the script
Allow from 123.123.123.123

If you have shell access you might also put the scripts outside of the accessible folder and run directly via command line or cronjob like this: php script.php.




Answer 2:


Why not just move the script outside the Web-root of the server and execute it from CLI? This way there is no chance of anyone else executing it.

If you must have it in the webroot (and there should be no reason for it), just make sure that the client for the request is the server you are running it on, and it should be more than enough.




Answer 3:


This seems rather silly. Why have cron on machine A invoke a script via HTTP on machine B, when you could simply have machine B's native scheduling system (whatever OS it happens to be) do the job itself?

Then you could have the script tucked away somewhere that's not accessible via HTTP and render your security problem completely moot.




Answer 4:


If the files are in a folder which shouldn't be locked down completely, wrap those lines in <Files whatever.php>...</Files>

<Files "cron.php">
  # Deny rules are checked first, then the Allow rules below override them
  Order deny,allow
  # allowing by hostname makes Apache do a reverse DNS lookup on every request;
  # plain IP addresses avoid that lookup
  Allow from name.of.this.machine
  Allow from another.authorized.name.net
  Allow from 127.0.0.1
  Deny from all
</Files>



Answer 5:


Here is my solution:

In cron.php, check whether a specific header is sent.

cron.php

<?php
require_once __DIR__ . '/functions.php';   // provides secure_cron_script()

if (secure_cron_script() === false) {
    echo 'Unauthorized';
    return;   // stop the script here; nothing below runs
}
echo 'OK';

functions.php

<?php
// Define these in a config file outside the web root; the defined() guards
// only let this file run stand-alone.
if (!defined('DEBUG')) {
    define('DEBUG', false);
}
if (!defined('SECURE_CRON_TOKEN')) {
    define('SECURE_CRON_TOKEN', '321123321sd');
}

function secure_cron_script () {
    if (DEBUG)
        return true;   // dev mode: skip the check

    // getallheaders() keeps header names exactly as the client sent them
    $http_headers = getallheaders();
    // hash_equals() compares in constant time instead of stopping at the first mismatch
    if (empty($http_headers['X-My-Cron-token'])
    || !hash_equals(SECURE_CRON_TOKEN, $http_headers['X-My-Cron-token'])) {
        return false;
    }
    return true;
}

How to call cron with curl:

curl --header "X-My-Cron-token: 321123321sd"  https://example.com/cron.php

No IP restriction. No GET/POST. In dev mode, it skips the restriction. You can put the script wherever you want.
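
A single guard that layers the three approaches from the answers on this page (trust CLI invocation, restrict the HTTP client address, require a secret header), as an added example that is not from any of the answers; the header name follows answer 5, while the CRON_TOKEN environment variable, the loopback allow-list and the function name are assumptions.

```php
<?php
// Added example, not from any answer on the page. CRON_TOKEN, the
// allow-list and the function name are assumptions for illustration.

function cron_request_is_authorized(array $server, string $expected_token): bool
{
    // Answers 2 and 3: `php sendOrders.php` from cron has no HTTP client at
    // all, so a request from the CLI SAPI is trusted unconditionally.
    if (PHP_SAPI === 'cli') {
        return true;
    }

    // Answers 1 and 4: over HTTP, only the machine running the cron job
    // (here: loopback) may reach the script. REMOTE_ADDR is filled in by the
    // web server, unlike X-Forwarded-For, which any client can set.
    $allowed_clients = ['127.0.0.1', '::1'];
    if (!in_array($server['REMOTE_ADDR'] ?? '', $allowed_clients, true)) {
        return false;
    }

    // Answer 5: additionally require the shared-secret header. PHP exposes
    // request headers on every SAPI as $_SERVER['HTTP_<NAME>'], upper-cased
    // with dashes as underscores, so the lookup does not depend on the
    // casing the client used (getallheaders() keys do).
    $presented = $server['HTTP_X_MY_CRON_TOKEN'] ?? '';

    // hash_equals() runs in constant time, so response timing does not leak
    // how many leading characters of a guessed token were right.
    return $presented !== '' && hash_equals($expected_token, $presented);
}

// Keep the secret out of any file the web server could serve: read it from
// the environment (or a config file above the web root).
$token = getenv('CRON_TOKEN');
if ($token === false || $token === '') {
    http_response_code(500);
    exit('CRON_TOKEN is not configured');
}

if (!cron_request_is_authorized($_SERVER, $token)) {
    http_response_code(403);
    exit('Forbidden');
}

// ... run the SQL query, write the export file and FTP it from here ...
echo "OK\n";
```

From cron, `CRON_TOKEN=... php /path/outside/webroot/sendOrders.php` takes the CLI branch; the curl call from answer 5 only succeeds when it also originates from an allowed address.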



Source: https://stackoverflow.com/questions/13114466/can-i-protect-my-cron-scripts-from-remote-users
