Log file for outgoing PHP requests (like access.log)

Is there a way to log all outgoing requests of PHP to a log file?

I'm not looking for a way to debug a single script with tcpdump but to continuously log all PHP requests, so I can review them later - i.e., very similar to the web server's access.log but for all outgoing requests that are made from any PHP script on the server.

I want to do two things with this:

  1. Confirm if my website is secure/GDPR-compliant and no scripts try to "phone home".
  2. Our server is supposed to make one external request per day. I want to validate that those requests happen, and ideally also see the response code that was returned by the remote site.

Solution 1:

If you don't want to use tcpdump, providing you are running GNU/Linux on your server, you can use the iptables owner match target.

First you need to check which user your scripts are executed as. If you are running Apache/mod_php, this will be the same as the Apache user (usually apache or httpd). If you are running nginx/FastCGI/etc., these might have a different process owner (suid). In any case, this will almost always be a separate user ID (uid), or at least you can change your configuration that way. Once you know your PHP uid, you can do an iptables owner match with the LOG target. Something like this:

iptables -I OUTPUT -o eth0 -m owner --uid-owner apache -j LOG --log-prefix "PHP-CONN: "

Make sure to change the interface to the one facing the Internet side (to avoid logging localhost dummy requests). By default, the example above will log every packet, including TCP handshakes, etc. You can add additional iptables options for more filtering. For example, adding a state match to filter only NEW connections (with netfilter conntrack):

iptables -I OUTPUT -o eth0 -m owner --uid-owner apache -m state --state NEW -j LOG --log-prefix "PHP-CONN: "

Then all those requests from your process will be logged to a syslog facility (depending on your distro setup, those are usually logged to dmesg + /var/log/messages or /var/log/syslog). Those will look similar to this:

PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=195.201.201.32 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=37120 DF PROTO=TCP SPT=56812 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
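
An added example, not part of the original answer: a small parser that turns PHP-CONN log lines into a per-destination count of new connections and lists destinations outside an allowlist. The sample lines, the allowlist and all function names are constructed for illustration; the log carries only IP-level fields (address, protocol, port), so it can confirm that a connection was opened but not which URL was requested or what HTTP status came back.

```python
from collections import Counter

PREFIX = "PHP-CONN: "  # the --log-prefix used in the rules above

# Constructed sample syslog lines in the format shown above (not real traffic).
SAMPLE = """\
Jan 10 03:00:01 web kernel: PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=195.201.201.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37119 DF PROTO=TCP SPT=56812 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 03:00:02 web kernel: PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=195.201.201.32 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=37120 DF PROTO=TCP SPT=56812 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jan 10 04:12:44 web kernel: PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4410 DF PROTO=TCP SPT=40122 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 04:12:44 web kernel: PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=192.0.2.53 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=5121 DF PROTO=UDP SPT=40211 DPT=53 LEN=51
Jan 10 04:13:00 web kernel: usb 1-1: new high-speed USB device number 2
Jan 11 03:00:01 web kernel: PHP-CONN: IN= OUT=eth0 SRC=192.168.9.235 DST=195.201.201.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9001 DF PROTO=TCP SPT=51200 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Return KEY=VALUE fields plus bare flag tokens for a PHP-CONN line, else None."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None  # some other kernel message
    tokens = rest.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["FLAGS"] = {t for t in tokens if "=" not in t}  # e.g. DF, SYN, ACK, FIN
    return fields

def is_new_connection(f):
    """TCP: count only the initial SYN, so both rule variants give the same totals."""
    if f.get("PROTO") == "TCP":
        return "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]
    return True  # UDP/ICMP have no handshake; every logged packet counts

def summarize(lines):
    """Count new outbound connections per (destination IP, protocol, port)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f and "DST" in f and is_new_connection(f):
            counts[(f["DST"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts

def unexpected(counts, allowed_ips):
    """Destinations that were contacted but are not on the allowlist."""
    return sorted(k for k in counts if k[0] not in allowed_ips)

if __name__ == "__main__":
    totals = summarize(SAMPLE.splitlines())
    for dest, n in sorted(totals.items()):
        print(n, *dest)
    print("not allowlisted:", unexpected(totals, {"195.201.201.32", "192.0.2.53"}))
```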