Config Apache with PHP5-fcgi and SuExec

Thanks to http://wiki.hetzner.de/index.php/Apache_PHP5_fcgi_und_SuExec

Introduction / Abstract

Almost every server operator (at least one with customers) wants or needs to run a web server.

In the simplest setup, mod_php, the PHP interpreter runs with the same rights as the web server itself. That is convenient: it can read and write everything, and you need to configure (almost?) nothing.

Disadvantage: it really can read and write everything, for example the directories of another customer. If you like, test it with a web-based admin tool and see whether you can get out of your own directory.

Then there is mod_suphp, which starts a separate PHP interpreter for every page request with the appropriate user rights.

That is better! But unfortunately very, very slow, because the PHP interpreter really is loaded once for every page view and terminated again afterwards.

A better solution (in my eyes) is to run PHP as FastCGI. Here PHP is started once per user and then reused. This allows each user to have their own php.ini and even their own PHP version (PHP4 anyone?), and it is much faster; only the first call takes a little longer.

In my eyes this is the best solution, although with a really large number of customers one should tend towards suphp, since a PHP process is kept around for every user (account), which in the long run can use up quite a bit of RAM.

I use this configuration with suExec + fcgid, that is, each domain runs under its own user.

This harmonizes nicely with the individual FTP users from my PureFTPd HowTo.

For discussion / corrections please use the forum thread.

Notes

First, some limitations:

This is not a copy-and-paste howto. Individual sub-steps may have been forgotten and typos may have crept in. Anyone who does not know what they are doing may end up with a broken system: test it first (e.g. in VMware) and be prepared to debug.

With this configuration you get a system that is much safer than a standard mod_php installation.

There are also disadvantages:

  • It is slower than mod_php (but not excessively, once the process has started).
  • You cannot install web applications as Debian packages. More precisely, you cannot install them without afterwards touching their configuration (vhost / php.ini).

The Debian packages assume that Apache runs as www-data; suexec and open_basedir do not simply go along with that. The least stressful way is to install phpMyAdmin and co. by downloading and installing them yourself. Updates are then your own responsibility, though.

  • The memory requirements can be very large with many users. Anyone planning 1,000 different domains, and thus 1,000 users and PHP instances on their box, should perhaps look for other options.

Installation

We install apache2, php5 as CGI / FCGI and mod-fcgid (it should also work with mod-fastcgi etc.). So that suexec works, we also need apache2-suexec (alternative: apache2-suexec-custom):

aptitude install libapache2-mod-fcgid php5-cgi apache2 apache2-mpm-worker apache2-suexec

Don't be surprised: despite its name, the php5-cgi package is also FastCGI-capable.

Then enable the fcgid module. Suexec must also be enabled:

a2enmod fcgid
a2enmod suexec

Creating the user

Now we need a system account per web user, under whose rights PHP will then run:

adduser example

So that Apache can later read the HTML pages belonging to the user, www-data must be a member of the user's group:

adduser www-data example

Create directories

In the directory structure the permissions are very important: for suexec (in the Debian build) everything must be under /var/www and the user IDs must be greater than 1000.

I suggest the following structure, so that all the important data are kept together:

/var/www/example.com/conf/php.ini   # the php.ini for this domain
/var/www/example.com/docs/          # the normal webroot
/var/www/example.com/logs/          # logfiles
/var/www/example.com/tmp/           # session data / temporary data
/var/www/example.com/php-fcgi/      # startup script for fcgid

(In my case both the users and the directories under /var/www are named after the domain or something similar; that makes the mapping easier.)

So create them and set the (correct) permissions:

mkdir -p /var/www/example.com/conf
mkdir /var/www/example.com/docs
mkdir /var/www/example.com/logs
mkdir /var/www/example.com/tmp
mkdir /var/www/example.com/php-fcgi
chown root:example /var/www/example.com
chmod 750 /var/www/example.com
chown example:example /var/www/example.com/*
chmod 750 /var/www/example.com/*
chmod 550 /var/www/example.com/conf

Customize php.ini

We copy the php.ini from /etc/php5/cgi/ into our directory:

cp /etc/php5/cgi/php.ini /var/www/example.com/conf/

We adapt it to our needs and give PHP a little security:

open_basedir = /var/www/example.com/docs/:/var/www/example.com/tmp/
upload_tmp_dir = /var/www/example.com/tmp
session.save_path = /var/www/example.com/tmp

The most important setting is open_basedir, which confines the PHP process to the two relevant directories. The other two make sure that this instance stores its session data, uploads etc. in its own tmp directory.

I'm open to further suggestions (docroot? more memory?).

So that the php.ini is actually used, the permissions must be adjusted:

chown example:example php.ini
chmod 440 php.ini

Be aware that every module installed in /etc/php5/cgi/conf.d (mysql, pdo, xcache, etc.) is automatically read and therefore active in every vhost, because that is the Debian default. This can be prevented by removing the symlink to conf.d. But after that you have to install any necessary modules separately per vhost, which is annoying at least for frequently needed modules / extensions (GD or mysql). Alternatively, you can remove individual extensions from conf.d and make them available only to certain vhosts via their php.ini (Xcache etc.).

Creating fcgi starter

In /var/www/example.com/php-fcgi we create a file called php-fcgi-starter:

cat > /var/www/example.com/php-fcgi/php-fcgi-starter << EOF
#!/bin/sh
PHPRC="/var/www/example.com/conf/"
export PHPRC
export TMPDIR=/var/www/example.com/tmp
exec /usr/bin/php5-cgi
EOF

Hand it over to the user, otherwise suexec complains and it does not work:

chown example:example /var/www/example.com/php-fcgi/php-fcgi-starter

Set the proper permissions too, otherwise suexec grumbles; 750 suits us just right:

chmod 750 /var/www/example.com/php-fcgi/php-fcgi-starter

So that the user cannot change it, we set the immutable bit:

chattr -V +i /var/www/example.com/php-fcgi/php-fcgi-starter

Creating Apache vhost

Apache now has to be told that for a certain directory (our domain) a specific startup script is responsible for FastCGI.

I've had good experiences with the following version:

cat > /etc/apache2/sites-available/example.com << EOF
<VirtualHost *:80>
   ServerAdmin me@example.com
   ServerName example.com
   ServerAlias www.example.com
   SuexecUserGroup example example
   AddHandler fcgid-script .php
   DocumentRoot "/var/www/example.com/docs"
   DirectoryIndex index.php index.html index.htm
<Directory />
   Options FollowSymLinks
   AllowOverride None
</Directory>
<Directory "/var/www/example.com/docs">
   Options Indexes FollowSymLinks MultiViews ExecCGI
   FCGIWrapper /var/www/example.com/php-fcgi/php-fcgi-starter .php
   Order allow,deny
   allow from all
</Directory>
ErrorLog /var/www/example.com/logs/error.log
LogLevel warn
CustomLog /var/www/example.com/logs/access.log combined
ServerSignature On
</VirtualHost>
EOF

Then activate the site:

a2ensite example.com

SuexecUserGroup specifies the user the whole thing runs under; it must match the owner of the respective directories.
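As an added check that is not part of the original howto, the following shell function verifies the ownership, permission, wrapper and open_basedir requirements set up in the steps above for one domain. It assumes GNU stat; the owner of the top-level directory is an optional argument (default root) so the check can also be run on a test tree as an unprivileged user.

```shell
#!/bin/sh
# check_vhost: verify the suexec + fcgid layout for one domain.
# Usage: check_vhost BASE USER [GROUP] [TOPOWNER]
#   BASE      e.g. /var/www/example.com      USER      the suexec user, e.g. example
#   GROUP     defaults to USER                TOPOWNER  owner of BASE, defaults to root
# Needs GNU stat. Prints FAIL/WARN lines and returns 0 only when nothing FAILed.
check_vhost() {
    base="$1"; user="$2"; group="${3:-$2}"; top="${4:-root}"; rc=0

    # want PATH OWNER GROUP MODE: compare "owner group mode" with what stat reports
    want() {
        [ -e "$1" ] || { echo "FAIL: $1 missing"; rc=1; return 0; }
        got=$(stat -c '%U %G %a' "$1")
        [ "$got" = "$2 $3 $4" ] || { echo "FAIL: $1 is '$got', want '$2 $3 $4'"; rc=1; }
    }

    # suexec refuses group- or world-writable directories, so 750/550 is the ceiling
    want "$base" "$top" "$group" 750
    for d in docs logs tmp php-fcgi; do want "$base/$d" "$user" "$group" 750; done
    want "$base/conf"         "$user" "$group" 550
    want "$base/conf/php.ini" "$user" "$group" 440
    starter="$base/php-fcgi/php-fcgi-starter"
    want "$starter" "$user" "$group" 750

    # the wrapper must be a real shell script pointing PHPRC at this domain's conf dir
    if [ -f "$starter" ]; then
        [ "$(head -n 1 "$starter")" = "#!/bin/sh" ] || { echo "FAIL: $starter lacks #!/bin/sh"; rc=1; }
        grep -q "PHPRC=\"$base/conf/\"" "$starter" \
            || { echo "FAIL: PHPRC in $starter does not point to $base/conf/"; rc=1; }
        # the immutable bit stops the user from rewriting the wrapper (WARN only: lsattr may be absent)
        if command -v lsattr >/dev/null 2>&1; then
            lsattr "$starter" 2>/dev/null | cut -d' ' -f1 | grep -q i \
                || echo "WARN: $starter is not immutable (chattr +i)"
        fi
    fi

    # open_basedir must confine PHP to exactly docs/ and tmp/ of this domain
    ini="$base/conf/php.ini"
    if [ -f "$ini" ]; then
        ob=$(sed -n 's/^open_basedir *= *//p' "$ini")
        [ "$ob" = "$base/docs/:$base/tmp/" ] || { echo "FAIL: open_basedir is '$ob'"; rc=1; }
    fi
    return "$rc"
}
```

On a live system run it as root with `check_vhost /var/www/example.com example` after every step of the setup; each FAIL line names the path and the mode or owner it found versus the one expected above.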

Troubleshooting

  • Are the permissions right?
  • What do the log files /var/www/example.com/logs/error.log or /var/log/apache2/suexec.log say?
  • Apache serves PHP but no HTML files -> does www-data belong to the user's group?