ionCube Loader 5.1 User Guide ----------------------------- This document describes the available php.ini configuration options of the ionCube Loader that relate to processing of PHP encoded files, and also the ionCube24 service. ENCODED FILES ------------- INI entry: ioncube.loader.encoded_paths Purpose: Specify the locations of encoded files The ionCube Loader will normally examine a PHP file before processing to test whether it is encoded, and will run the file itself if necessary. Although this checking is very efficient, restricting which files the Loader tests for being encoded may give extra performance. If set to a series of paths or files, only files in those locations are tested. Entries should be separated by a : on Unix and ; on Windows. A path may be prefixed with + or - to add or remove that path from the possible locations. + is assumed if no character is given. Examples: (... means ioncube.loader.encoded_paths) * Site with a single encoded module in /var/www/html/modules/RSS ... = "/var/www/html/modules/RSS" * As above, with a site configuration file encoded too. ... = "/var/www/html/modules/RSS:/var/www/html/config/config.php" * Encoded files may be anywhere except for /var/www/html/framework ... = "/:-/var/www/html/framework" * Site with most modules encoded except for one ... = "/var/www/html/modules:-/var/www/html/modules/plain" * As above, with an encoded config file in the plain directory ... = "/site/modules:-/site/modules/plain:/site/modules/plain/config.php" Locations: The ioncube.loader.encoded_paths property can be set in a php.ini file, in a .htaccess file (when using Apache), in a .user.ini file (when using CGI PHP 5.3+) or using ini_set within a PHP script. In ini files only the last value will be used for the encoded_paths property. If you wish to build up the value in several lines then, for PHP 5.1+, you can use the following syntax: ioncube.loader.encoded_paths = "/path1" ioncube.loader.encoded_paths = ${ioncube.loader.encoded_paths}":/path2" ; etc... IONCUBE24 : real-time intrusion protection and PHP error reporting --------- ### (Available for Linux 32 and 64 bit servers) ionCube24 (https://ioncube24.com) is an ionCube service that uses the ionCube Loader to provide real-time protection against the exploit of website vulnerabilities and alerting of website errors. Vulnerabilities in PHP applications are common, particularly in sites using Wordpress and other plugin based systems. Exploits result in website defacement or customer data being compromised, and ionCube24 provides a uniquely powerful defense. PHP errors can cause intermittent or even persistent blank pages or errors for visitors until discovered, and without active monitoring this could go undetected indefinitely. ionCube24 active monitoring ensures you are always aware of problems in your website code. ionCube24 is free to get setup and started, with the server side support built into the Linux Loaders as standard. With the Loader installed, ionCube24 can be activated at any time to give active intrusion protection and error reporting. ### php.ini settings There are a number of ini settings, summarised below. The setup process at https://ioncube24.com automatically gives the settings that you need to get started, but you may wish to make changes yourself once setup. The default values are given with each example. #### Global settings INI entry: ic24.enable = 0 ; default off Purpose: Enable or disable all ionCube24 features. This defaults to off, and in this case no ionCube24 behaviour is activated. Example: ic24.enable = 1 ---------- INI entry: ic24.api_access_key ; provided during setup Purpose: A key that is part of the authentication process for adminstration requests. This value is provided when adding a server to ionCube24. ---------- INI entry: ic24.api_check_ip = 1 ; default on Purpose: If set, ionCube24 refuses access to API functions unless the calling IP is a known ionCube IP address. This option should be left with the default setting unless web requests pass through a proxy and your site is accessed from the IP of the proxy instead of the client. Note that access to API functions will still be authenticated by access key. ---------- INI entry: ic24.home_dir ; no default Purpose: The home directory for ionCube24 related system files. A location outside of the web root is recommended. It should be writable by the web server during startup. Example: ic24.home_dir = /var/www/ic24_home ---------- INI entry: ic24.update_domains_retry_interval = 5 ; default 30 Purpose: If fetching the set of domains being managed fails, retry after the specified number of seconds. #### Security related settings INI entry: ic24.sec.enable = 1 ; default on if ic24.enable is on Purpose: Enable the intrusion protection part of ionCube24. This defaults to on, but will automatically be off if the global ic24.enable has not been set. ---------- INI entry: ic24.sec.exclusion_key ; provided during setup Purpose: A key that if present at the start of a file, will identify the file as trusted. This value is provided when adding a server to ionCube24. ---------- INI entry: ic24.sec.trusted_include_paths ; no default Purpose: List paths from where files can be included and automatically trusted. Example: ic24.sec.trusted_include_paths = "/var/cache:/var/cache2" Directories can be excluded from the list by prefixing with a minus character -. e.g. "/var/cache:-/var/cache/subdir" This is useful if your site creates and/or modifies files by itself from time to time, e.g. in a cache directory, though we would recommend producing files that include the exclusion key as an alternative. Requests that *directly* access files from a trusted include path will be blocked but the file itself will not be blocked, so requests that use the file as intended will still work. See ioncube24.com for more details once signed up. ---------- INI entry: ic24.sec.block_uploaded_files = 1 ; default on Purpose: If set, ionCube24 blocks from execution any uploaded files that are processed using the standard PHP mechanism for uploaded files. This applies even if the file is subsequently included and where included files being automatically approved with the previous setting. ---------- INI entry: ic24.sec.block_stdin = 1 ; default on Purpose: Refuse code that PHP sees via stdin. If disabled, code via stdin will run without security checking as there is no filepath. This setting should be left on as PHP would normally never receive a script via stdin. #### PHP Error reporting settings INI entry: ic24.phperr.enable = 1; default on Purpose: Enable reporting of PHP errors to ionCube24. When enabled, any non-ignored errors are reported to ionCube24 in realtime, triggering alerting so errors can be investigated as necessary. ---------- INI entry: ic24.phperr.ignore = ; default none Purpose: Specify error levels to ignore across all files. Example: ic24.phperr.ignore = E_NOTICE | E_DEPRECATED (c) ionCube Ltd. 2016