====== SuExec PHP/FastCGI under Apache 2 ======

===== PHP/FastCGI =====
We need php4/php5 compiled with FastCGI support and `mod_fastcgi`. On Suse (at
least OpenSuse) both are available as packages so we can just install it through
YAST. On OpenSuse, once installed the binary will be placed at
`/srv/www/cgi-bin`:-

<code>
$ cd /srv/www/cgi-bin
$ ./php -v
PHP 4.4.0 (cgi-fcgi) (built: Sep 13 2005 02:19:37)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
$ ./php5 -v
PHP 5.0.4 (cgi-fcgi) (built: Sep 13 2005 02:20:47)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies
</code>

Then we edit apache configuration file to have it run PHP through mod_fastcgi.
This is the snipet of apache config (Suse style):-

<code>
$ cat /etc/apache2/httpd.conf.local
<IfModule mod_fastcgi.c>
FastCgiIpcDir /tmp
AddHandler fastcgi-script .fcgi
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout
240 -pass-header HTTP_AUTHORIZATION
</IfModule>
</code>

<code>
$ cat /etc/apache2/vhosts.d/hadiah.laptop.int
ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/
<Location /fcgi-bin/>
Options ExecCGI
SetHandler fastcgi-script
</Location>

AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /fcgi-bin/php

<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
</code>

(actual output trimmed).

This is enough to tell apache that all request to *.php files will be passed to
FastCGI PHP.

You may test this configuration by restarting apache and fire up the virtual
host.

===== Apache2 SuEXEC =====
Now that we have PHP/FCPGI working, let's add suexec so we can execute the php
process under normal userid instead of apache user. Our apache config would look's like:-

<code>
$ cat /etc/apache2/httpd.conf.local
<IfModule mod_fastcgi.c>
FastCgiIpcDir /tmp
AddHandler fastcgi-script .fcgi
FastCgiWrapper /usr/sbin/suexec2 # we specify the suexec wrapper
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout
240 -pass-header HTTP_AUTHORIZATION
</IfModule>
</code>

<code>
$ cat /etc/apache2/vhosts.d/hadiah.laptop.int
SuexecUserGroup kamal users # execute under this userid
ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/
<Location /fcgi-bin/>
Options ExecCGI
SetHandler fastcgi-script
</Location>

AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /fcgi-bin/kamal/php-wrapper # wrapper to actual php binary

<Directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
</code>
(actual output trimmed) Notice the part that was commented.

I specify a few things here:-
  * specify apache suexec wrapper
  * specify user/group the cgi would run in virtual host config
  * create a wrapper to actual php binary so I can pass some options
    to the binary.

The snippet of php-wrapper:-

<code>
$ cat /srv/www/cgi-bin/kamal/php-wrapper
#!/bin/sh
PHPRC="/etc"
export PHPRC
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
/srv/www/cgi-bin/php
</code>

This way I can specify different php.ini to each virtual host that I have.

FIXME: The ideal place to put the wrapper is in user's home directory but suexec
only allow cgi execution from the specified --docroot during compile time. Apache
in Suse had set suexec docroot to /srv/www/ and the only way to change this is by
rebuilding apache. So my temporary solution is to create a directory under /srv/www
to put the wrapper and chown it to the user I specified in vhost config.

/Edited by seb

Just wanted to let you know it's quite easy to modify suexec to reflect your personal preferences.
I did it in 30 seconds with Apache22 on FreeBSD6 but it's probably not much different for your situation :)

To check where Apache expects to find the suexec binary..
<code>$ apachectl -V</code>
To check your current suexec settings..
<code>$ suexec -V</code>

Configure Apache with your current suexec settings but change the docroot option..
<code>
$ cd ~
$ fetch http://www.apache.org/dist/httpd/httpd-2.0.58.tar.bz2
$ tar -zxvf httpd-2.0.58.tar.bz2
$ cd httpd-2.0.58
$ ./configure --enable-suexec --with-suexec-docroot=/usr/home
$ make
$ cp support/suexec /usr/sbin/suexec2
</code>
And your done..

===== Troubleshooting =====
Make sure to take a look to your apache log file. suexec will log any error to
suexec.log in your apache log directory.

<code>
$ tail -f /var/log/apache2/hadiah-error_log
$ tail -f /var/log/apache2/suexec.log
</code>

Refferences:-

http://fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html\\
http://weblog.textdrive.com/article/36/trade-secret-1\\
http://apache-server.com/tutorials/LPsuexec.html\\
http://httpd.apache.org/docs/2.0/suexec.html\\