From c8d27831592ab0d6621108b5f5e18660588cc95b Mon Sep 17 00:00:00 2001 From: Alan Orth Date: Sat, 2 Apr 2016 20:14:53 +0300 Subject: [PATCH] roles/php5-fpm: Update php.ini from latest upstream Debian 8.4 shipped with a new php.ini. It's mostly just updates to comments and default values. Signed-off-by: Alan Orth --- roles/php5-fpm/templates/php.ini.j2 | 200 +++++++++++++++------------- 1 file changed, 109 insertions(+), 91 deletions(-) diff --git a/roles/php5-fpm/templates/php.ini.j2 b/roles/php5-fpm/templates/php.ini.j2 index f3f087d..5496a15 100644 --- a/roles/php5-fpm/templates/php.ini.j2 +++ b/roles/php5-fpm/templates/php.ini.j2 @@ -78,9 +78,9 @@ ; compatibility with older or less security conscience applications. We ; recommending using the production ini in production and testing environments. -; php.ini-development is very similar to its production variant, except it's -; much more verbose when it comes to errors. We recommending using the -; development version only in development environments as errors shown to +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to ; application users can inadvertently leak otherwise secure information. ; This is php.ini-production INI file. @@ -138,16 +138,6 @@ ; Development Value: "GP" ; Production Value: "GP" -; session.bug_compat_42 -; Default Value: On -; Development Value: On -; Production Value: Off - -; session.bug_compat_warn -; Default Value: On -; Development Value: On -; Production Value: Off - ; session.gc_divisor ; Default Value: 100 ; Development Value: 1000 @@ -303,20 +293,17 @@ serialize_precision = 17 ; open_basedir, if set, limits all file operations to the defined directory ; and below. This directive makes most sense if used in a per-directory -; or per-virtualhost web server configuration file. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; or per-virtualhost web server configuration file. ; http://php.net/open-basedir ;open_basedir = ; This directive allows you to disable certain functions for security reasons. -; It receives a comma-delimited list of function names. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; It receives a comma-delimited list of function names. ; http://php.net/disable-functions disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, ; This directive allows you to disable certain classes for security reasons. -; It receives a comma-delimited list of class names. This directive is -; *NOT* affected by whether Safe Mode is turned On or Off. +; It receives a comma-delimited list of class names. ; http://php.net/disable-classes disable_classes = @@ -433,7 +420,7 @@ memory_limit = 128M ; E_NOTICE - run-time notices (these are warnings which often result ; from a bug in your code, but it's possible that it was ; intentional (e.g., using an uninitialized variable and -; relying on the fact it's automatically initialized to an +; relying on the fact it is automatically initialized to an ; empty string) ; E_STRICT - run-time notices, enable to have PHP suggest changes ; to your code which will ensure the best interoperability @@ -466,8 +453,8 @@ error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT ; it could be very dangerous in production environments. Depending on the code ; which is triggering the error, sensitive information could potentially leak ; out of your application such as database usernames and passwords or worse. -; It's recommended that errors be logged on production servers rather than -; having the errors sent to STDOUT. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. ; Possible Values: ; Off = Do not display any errors ; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) @@ -481,8 +468,8 @@ display_errors = Off ; The display of errors which occur during PHP's startup sequence are handled ; separately from display_errors. PHP's default behavior is to suppress those ; errors from clients. Turning the display of startup errors on can be useful in -; debugging configuration problems. But, it's strongly recommended that you -; leave this setting off on production servers. +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. ; Default Value: Off ; Development Value: On ; Production Value: Off @@ -583,7 +570,7 @@ html_errors = On ; http://php.net/error-log ; Example: ;error_log = php_errors.log -; Log errors to syslog (Event Log on NT, not valid in Windows 95). +; Log errors to syslog (Event Log on Windows). ;error_log = syslog ;windows.show_crt_warning @@ -621,13 +608,13 @@ html_errors = On ; http://php.net/variables-order variables_order = "GPCS" -; This directive determines which super global data (G,P,C,E & S) should -; be registered into the super global array REQUEST. If so, it also determines -; the order in which that data is registered. The values for this directive are -; specified in the same manner as the variables_order directive, EXCEPT one. -; Leaving this value empty will cause PHP to use the value set in the -; variables_order directive. It does not mean it will leave the super globals -; array REQUEST empty. +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. ; Default Value: None ; Development Value: "GP" ; Production Value: "GP" @@ -680,21 +667,38 @@ auto_prepend_file = ; http://php.net/auto-append-file auto_append_file = -; By default, PHP will output a character encoding using -; the Content-type: header. To disable sending of the charset, simply -; set it to be empty. +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. ; -; PHP's built-in default is text/html +; PHP's built-in default media type is set to text/html. ; http://php.net/default-mimetype default_mimetype = "text/html" -; PHP's default character set is set to empty. +; PHP's default character set is set to UTF-8. ; http://php.net/default-charset -;default_charset = "UTF-8" +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; mbstring or iconv output handler is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = ; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is -; to disable this feature. If post reading is disabled through -; enable_post_data_reading, $HTTP_RAW_POST_DATA is *NOT* populated. +; to disable this feature and it will be removed in a future version. +; If post reading is disabled through enable_post_data_reading, +; $HTTP_RAW_POST_DATA is *NOT* populated. ; http://php.net/always-populate-raw-post-data always_populate_raw_post_data = -1 @@ -780,8 +784,8 @@ cgi.fix_pathinfo={{ cgi_fix_pathinfo }} ;fastcgi.logging = 0 ; cgi.rfc2616_headers configuration option tells PHP what type of headers to -; use when sending HTTP response code. If it's set 0 PHP sends Status: header that -; is supported by Apache. When this option is set to 1 PHP will send +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send ; RFC2616 compliant header. ; Default is zero. ; http://php.net/cgi.rfc2616-headers @@ -898,9 +902,22 @@ cli_server.color = On ;filter.default_flags = [iconv] -;iconv.input_encoding = ISO-8859-1 -;iconv.internal_encoding = ISO-8859-1 -;iconv.output_encoding = ISO-8859-1 +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. +; The precedence is: default_charset < intput_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = [intl] ;intl.default_locale = @@ -909,10 +926,6 @@ cli_server.color = On ; Default is 0, which does not produce any errors. ;intl.error_level = E_WARNING -[sqlite] -; http://php.net/sqlite.assoc-case -;sqlite.assoc_case = 0 - [sqlite3] ;sqlite3.extension_dir = @@ -971,7 +984,7 @@ smtp_port = 25 ; Force the addition of the specified parameters to be passed as extra parameters ; to the sendmail binary. These parameters will always replace the value of -; the 5th parameter to mail(), even in safe mode. +; the 5th parameter to mail(). ;mail.force_extra_parameters = ; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename @@ -980,7 +993,7 @@ mail.add_x_header = On ; The path to a log file that will log all mail() calls. Log entries include ; the full path of the script, line number, To address and headers. ;mail.log = -; Log mail to syslog (Event Log on NT, not valid in Windows 95). +; Log mail to syslog (Event Log on Windows). ;mail.log = syslog [SQL] @@ -1336,9 +1349,9 @@ session.save_handler = files ; ; where N is an integer. Instead of storing all the session files in ; /path, what this will do is use subdirectories N-levels deep, and -; store the session data in those directories. This is useful if you -; or your OS have problems with lots of files in one directory, and is -; a more efficient layout for servers that handle lots of sessions. +; store the session data in those directories. This is useful if +; your OS has problems with many files in one directory, and is +; a more efficient layout for servers that handle many sessions. ; ; NOTE 1: PHP will not create this directory structure automatically. ; You can use the script in the ext/session dir for that purpose. @@ -1353,7 +1366,7 @@ session.save_handler = files ; where MODE is the octal representation of the mode. Note that this ; does not overwrite the process's umask. ; http://php.net/session.save-path -;session.save_path = "/var/lib/php5" +;session.save_path = "/var/lib/php5/sessions" ; Whether to use strict session mode. ; Strict session mode does not accept uninitialized session ID and regenerate @@ -1373,7 +1386,7 @@ session.use_cookies = 1 ; This option forces PHP to fetch and use a cookie for storing and maintaining ; the session id. We encourage this operation as it's very helpful in combating ; session hijacking when not specifying and managing your own session id. It is -; not the end all be all of session hijacking defense, but it's a good start. +; not the be-all and end-all of session hijacking defense, but it's a good start. ; http://php.net/session.use-only-cookies session.use_only_cookies = 1 @@ -1444,31 +1457,6 @@ session.gc_maxlifetime = 1440 ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): ; find /path/to/sessions -cmin +24 -type f | xargs rm -; PHP 4.2 and less have an undocumented feature/bug that allows you to -; to initialize a session variable in the global scope. -; PHP 4.3 and later will warn you, if this feature is used. -; You can disable the feature and the warning separately. At this time, -; the warning is only displayed, if bug_compat_42 is enabled. This feature -; introduces some serious security problems if not handled correctly. It's -; recommended that you do not use this feature on production servers. But you -; should enable this on development servers and enable the warning as well. If you -; do not enable the feature on development servers, you won't be warned when it's -; used and debugging errors caused by this can be difficult to track down. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-42 -session.bug_compat_42 = Off - -; This setting controls whether or not you are warned by PHP when initializing a -; session value into the global space. session.bug_compat_42 must be enabled before -; these warnings can be issued by PHP. See the directive above for more information. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-warn -session.bug_compat_warn = Off - ; Check HTTP Referer to invalidate externally stored URLs containing ids. ; HTTP_REFERER has to contain this substring for the session to be ; considered as valid. @@ -1498,7 +1486,7 @@ session.cache_limiter = nocache session.cache_expire = 180 ; trans sid support is disabled by default. -; Use of trans sid may risk your users security. +; Use of trans sid may risk your users' security. ; Use this option with caution. ; - User may send URL contains active session ID ; to other person via. email/irc/etc. @@ -1688,23 +1676,34 @@ mssql.secure_connection = Off [mbstring] ; language for internal character representation. +; This affects mb_send_mail() and mbstrig.detect_order. ; http://php.net/mbstring.language ;mbstring.language = Japanese +; Use of this INI entry is deprecated, use global internal_encoding instead. ; internal/script encoding. -; Some encoding cannot work as internal encoding. -; (e.g. SJIS, BIG5, ISO-2022-*) -; http://php.net/mbstring.internal-encoding -;mbstring.internal_encoding = UTF-8 +; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*) +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;mbstring.internal_encoding = +; Use of this INI entry is deprecated, use global input_encoding instead. ; http input encoding. +; mbstring.encoding_traslation = On is needed to use this setting. +; If empty, default_charset or input_encoding or mbstring.input is used. +; The precedence is: default_charset < intput_encoding < mbsting.http_input ; http://php.net/mbstring.http-input -;mbstring.http_input = UTF-8 +;mbstring.http_input = -; http output encoding. mb_output_handler must be -; registered as output buffer to function +; Use of this INI entry is deprecated, use global output_encoding instead. +; http output encoding. +; mb_output_handler must be registered as output buffer to function. +; If empty, default_charset or output_encoding or mbstring.http_output is used. +; The precedence is: default_charset < output_encoding < mbstring.http_output +; To use an output encoding conversion, mbstring's output handler must be set +; otherwise output encoding conversion cannot be performed. ; http://php.net/mbstring.http-output -;mbstring.http_output = pass +;mbstring.http_output = ; enable automatic encoding translation according to ; mbstring.internal_encoding setting. Input chars are @@ -1715,7 +1714,7 @@ mssql.secure_connection = Off ;mbstring.encoding_translation = Off ; automatic encoding detection order. -; auto means +; "auto" detect order is changed according to mbstring.language ; http://php.net/mbstring.detect-order ;mbstring.detect_order = auto @@ -1736,6 +1735,7 @@ mssql.secure_connection = Off ;mbstring.func_overload = 0 ; enable strict encoding detection. +; Default: Off ;mbstring.strict_detection = On ; This directive specifies the regex pattern of content types for which mb_output_handler() @@ -1925,6 +1925,24 @@ opcache.fast_shutdown={{ opcache_fast_shutdown }} ; absolute path. ;curl.cainfo = +[openssl] +; The location of a Certificate Authority (CA) file on the local filesystem +; to use when verifying the identity of SSL/TLS peers. Most users should +; not specify a value for this directive as PHP will attempt to use the +; OS-managed cert stores in its absence. If specified, this value may still +; be overridden on a per-stream basis via the "cafile" SSL stream context +; option. +;openssl.cafile= + +; If openssl.cafile is not specified or if the CA file is not found, the +; directory pointed to by openssl.capath is searched for a suitable +; certificate. This value must be a correctly hashed certificate directory. +; Most users should not specify a value for this directive as PHP will +; attempt to use the OS-managed cert stores in its absence. If specified, +; this value may still be overridden on a per-stream basis via the "capath" +; SSL stream context option. +;openssl.capath= + ; Local Variables: ; tab-width: 4 ; End: