Disabling The PHP Interpreter
PHP's engine setting is exposed to Apache through the php_flag directive (php_flag engine off). It can be used in both .htaccess files and the main Apache config, and it tells the PHP interpreter to just not run. The directive is only recognised when PHP is loaded as an Apache module (mod_php).
Usefully, it can be placed in a Directory or DirectoryMatch block. This effectively allows us to sandbox a directory, an uploads directory for example.
Disabling File Handlers
Next we tell Apache to handle all files the same, as though they were static content that doesn't need interpreting.
    SetHandler none
    SetHandler default-handler
    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
    RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
Disabling Overrides
As these settings can be defined in an .htaccess file, we also prevent Apache from reading any .htaccess files in the directory we are sandboxing. This prevents malicious .htaccess files from disabling the protection we've added.
This is easily done by setting the AllowOverride directive to None.
Put It All Together
    <DirectoryMatch ^/path/to/(one|many)/directories>
        # Apache documents AllowOverride as valid only in <Directory> sections
        # without regular expressions; repeat it in a plain <Directory> block.
        AllowOverride None
        SetHandler none
        SetHandler default-handler
        Options -ExecCGI
        php_flag engine off
        RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
        RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
        <Files *>
            SetHandler none
            SetHandler default-handler
            Options -ExecCGI
            php_flag engine off
            RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
            RemoveType .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
        </Files>
    </DirectoryMatch>
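A simplified, line-based check for the settings collected above, added here as an example and not part of the original post. It reports which of the sandbox directives a directory section lacks and flags AllowOverride None placed in a regex section. The function names, the finding texts and the sample config are assumptions, and it is not a full Apache config parser.

```python
import re
# Directives the sandbox block on this page relies on (lower-cased, single-spaced).
REQUIRED = ["allowoverride none", "options -execcgi",
            "php_flag engine off", "sethandler default-handler"]
SCRIPT_EXTS = {".cgi", ".php", ".phtml", ".pl", ".py"}  # subset of the page's list
OPEN = re.compile(r"<(Directory|DirectoryMatch)\s+(.+)>$", re.I)
CLOSE = re.compile(r"</(Directory|DirectoryMatch)>$", re.I)

def findings(seen, is_regex):
    out = ["missing: " + d for d in REQUIRED if d not in seen]
    removed = {ext for line in seen if line.startswith("removehandler ")
               for ext in line.split()[1:]}
    gap = sorted(SCRIPT_EXTS - removed)
    if gap:
        out.append("RemoveHandler does not cover: " + " ".join(gap))
    if is_regex and "allowoverride none" in seen:
        # Apache documents AllowOverride as valid only in non-regex <Directory>.
        out.append("AllowOverride None sits in a regex section")
    return out

def audit(conf_text):
    """Map each <Directory>/<DirectoryMatch> header to its list of findings."""
    report, header, seen, is_regex = {}, None, [], False
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())            # normalise whitespace
        if not line or line.startswith("#"):    # Apache comments are whole lines
            continue
        opened = OPEN.match(line)
        if opened:
            kind, arg = opened.group(1).lower(), opened.group(2)
            header, seen = f"{kind} {arg}", []
            is_regex = kind == "directorymatch" or arg.startswith("~")
        elif header and CLOSE.match(line):
            report[header] = findings(seen, is_regex)
            header = None
        elif header:
            seen.append(line.lower())           # nested <Files> lines count too
    return report

# Constructed sample: the page's block with "php_flag engine off" left out.
SAMPLE = """
<DirectoryMatch ^/path/to/(one|many)/directories>
    AllowOverride None
    SetHandler default-handler
    Options -ExecCGI
    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</DirectoryMatch>
"""
print(audit(SAMPLE))
```

An empty list for a section means every check passed; run it over the vhost files that cover upload directories before reloading Apache.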