Finally installed mod security!
In order to secure my Apache under XAMPP, I installed mod_security and disabled some PHP functions:
Install mod_security on Windows:
1. Download mod_security2.so from http://www.apachelounge.com/ (a binary package)
2. Unzip the package and you will get mod_security2.so and libxml2.dll
3. Read the readme.txt
4. Create a folder .../apache2/modules/mod_security2
5. Copy mod_security2.so and libxml2.dll to this folder
6. Install the Visual C++ 2008 Redistributable Package (since this binary was built with VC++ 2008)
7. In httpd.conf, add:
- LoadModule security2_module modules/mod_security2/mod_security2.so
- LoadModule unique_id_module modules/mod_unique_id.so
8. You can use the Include directive to include the mod_security configuration file
(you can take a look at this website),
but I put everything in httpd.conf. My configuration comes from a file in the downloaded package: mod_security2.conf-minimal
Like this (in httpd.conf):
### Start Mod_Security ###
LoadModule security2_module modules/mod_security2/mod_security2.so
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
..........
..........
9. Stop and start Apache, then look at the phpinfo output to see whether the module is loaded.
Disable PHP functions:
1. Go to php.ini (XAMPP keeps it at c:\xampp\apache\bin\) and set the following:
disable_functions = "phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
2. In addition, turn on safe mode
3. open_basedir = C:\foo\bar
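An added example, not part of the original post: a small Python check that reads the text of an httpd.conf and a php.ini and reports which of the settings described above are missing or weakened. The function names are hypothetical and the sample file contents are constructed for illustration.

```python
# Values taken from the post: the disable_functions list and the step 7 modules.
EXPECTED_DISABLED = set("phpinfo dir readfile shell_exec exec virtual passthru proc_close "
                        "proc_get_status proc_open proc_terminate system".split())
REQUIRED_MODULES = {"security2_module", "unique_id_module"}

def audit_httpd_conf(text):
    """Return findings for the mod_security lines of an httpd.conf."""
    loaded, sec = set(), {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):   # blanks, comments
            continue
        if parts[0].lower() == "loadmodule":
            loaded.add(parts[1])
        elif parts[0].lower().startswith("sec"):
            sec[parts[0].lower()] = parts[1].lower()     # simplification: last line wins
    findings = [f"LoadModule {m} missing" for m in sorted(REQUIRED_MODULES - loaded)]
    if sec.get("secruleengine") != "on":
        findings.append(f"SecRuleEngine is {sec.get('secruleengine')}, requests are not blocked")
    if sec.get("secrequestbodyaccess") != "on":
        findings.append("SecRequestBodyAccess is not On")
    return findings

def audit_php_ini(text):
    """Return findings for the php.ini settings from the post."""
    ini = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith(";"):     # ';' starts a comment line
            key, value = line.split("=", 1)
            ini[key.strip()] = value.strip().strip('"')
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    findings = [f"{f} not in disable_functions" for f in sorted(EXPECTED_DISABLED - disabled)]
    if not ini.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

# Constructed sample inputs (not from a real server), each with weakened settings.
SAMPLE_HTTPD = """\
LoadModule security2_module modules/mod_security2/mod_security2.so
#LoadModule unique_id_module modules/mod_unique_id.so
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
"""
SAMPLE_PHP_INI = """\
disable_functions = "phpinfo,exec,system,shell_exec,passthru"
;open_basedir = C:\\foo\\bar
"""
if __name__ == "__main__":
    print(*audit_httpd_conf(SAMPLE_HTTPD), *audit_php_ini(SAMPLE_PHP_INI), sep="\n")
```

To check real files, pass the contents of your own httpd.conf and php.ini to the two functions; an empty list means every setting from the post was found.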