SuExec PHP/FastCGI under Apache 2
PHP/FastCGI
We need php4/php5 compiled with FastCGI support and `mod_fastcgi`. On Suse (at least OpenSuse) both are available as packages so we can just install it through YAST. On OpenSuse, once installed the binary will be placed at `/srv/www/cgi-bin`:-
$ cd /srv/www/cgi-bin $ ./php -v PHP 4.4.0 (cgi-fcgi) (built: Sep 13 2005 02:19:37) Copyright (c) 1997-2004 The PHP Group Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies $ ./php5 -v PHP 5.0.4 (cgi-fcgi) (built: Sep 13 2005 02:20:47) Copyright (c) 1997-2004 The PHP Group Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies
Then we edit apache configuration file to have it run PHP through mod_fastcgi. This is the snipet of apache config (Suse style):-
$ cat /etc/apache2/httpd.conf.local <IfModule mod_fastcgi.c> FastCgiIpcDir /tmp AddHandler fastcgi-script .fcgi FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION </IfModule>
$ cat /etc/apache2/vhosts.d/hadiah.laptop.int ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/ <Location /fcgi-bin/> Options ExecCGI SetHandler fastcgi-script </Location> AddType application/x-httpd-fastphp .php Action application/x-httpd-fastphp /fcgi-bin/php <Directory "/srv/www/cgi-bin"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all </Directory>
(actual output trimmed).
This is enough to tell apache that all request to *.php files will be passed to FastCGI PHP.
You may test this configuration by restarting apache and fire up the virtual host.
Apache2 SuEXEC
Now that we have PHP/FCPGI working, let’s add suexec so we can execute the php process under normal userid instead of apache user. Our apache config would look’s like:-
$ cat /etc/apache2/httpd.conf.local <IfModule mod_fastcgi.c> FastCgiIpcDir /tmp AddHandler fastcgi-script .fcgi FastCgiWrapper /usr/sbin/suexec2 # we specify the suexec wrapper FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION </IfModule>
$ cat /etc/apache2/vhosts.d/hadiah.laptop.int SuexecUserGroup kamal users # execute under this userid ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/ <Location /fcgi-bin/> Options ExecCGI SetHandler fastcgi-script </Location> AddType application/x-httpd-fastphp .php Action application/x-httpd-fastphp /fcgi-bin/kamal/php-wrapper # wrapper to actual php binary <Directory "/srv/www/cgi-bin"> AllowOverride None Options +ExecCGI -Includes Order allow,deny Allow from all </Directory>
(actual output trimmed) Notice the part that was commented.
I specify a few things here:-
- specify apache suexec wrapper
- specify user/group the cgi would run in virtual host config
- create a wrapper to actual php binary so I can pass some options
to the binary.
The snippet of php-wrapper:-
$ cat /srv/www/cgi-bin/kamal/php-wrapper #!/bin/sh PHPRC="/etc" export PHPRC PHP_FCGI_CHILDREN=8 export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS=5000 export PHP_FCGI_MAX_REQUESTS /srv/www/cgi-bin/php
This way I can specify different php.ini to each virtual host that I have.
: The ideal place to put the wrapper is in user’s home directory but suexec only allow cgi execution from the specified –docroot during compile time. Apache in Suse had set suexec docroot to /srv/www/ and the only way to change this is by rebuilding apache. So my temporary solution is to create a directory under /srv/www to put the wrapper and chown it to the user I specified in vhost config.
/Edited by seb
Just wanted to let you know it’s quite easy to modify suexec to reflect your personal preferences. I did it in 30 seconds with Apache22 on FreeBSD6 but it’s probably not much different for your situation :)
To check where Apache expects to find the suexec binary..
$ apachectl -V
To check your current suexec settings..
$ suexec -V
Configure Apache with your current suexec settings but change the docroot option..
$ cd ~ $ fetch http://www.apache.org/dist/httpd/httpd-2.0.58.tar.bz2 $ tar -zxvf httpd-2.0.58.tar.bz2 $ cd httpd-2.0.58 $ ./configure --enable-suexec --with-suexec-docroot=/usr/home $ make $ cp support/suexec /usr/sbin/suexec2
And your done..
Troubleshooting
Make sure to take a look to your apache log file. suexec will log any error to suexec.log in your apache log directory.
$ tail -f /var/log/apache2/hadiah-error_log $ tail -f /var/log/apache2/suexec.log
Refferences:-
http://fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html
http://weblog.textdrive.com/article/36/trade-secret-1
http://apache-server.com/tutorials/LPsuexec.html
http://httpd.apache.org/docs/2.0/suexec.html