Yeah, this is one of the most irritating types of thing to set up. I had a tough time with this, but ultimately got it right after a lot of research.
Follow this tutorial and you'll successfully set the environment up: PHP running via FastCGI within a SuExec environment in Apache 2!
So let's start with a case study: what my case was, and how I solved it.
I have a server in which Apache 2 is configured with FastCGI globally without SuExec support on Linux.
Apache runs as user www and group www.
Data is stored at /srv/htdocs.
Now you want to add a new user, but you want to be sure that his scripts can't write to your data area (i.e. /srv/htdocs).
To ensure that he can't write into your area, you have to use SuExec to run his PHP/CGI scripts, so that they run as his user rather than as www.
You could also use mod_suphp and be done with it, but that hurts performance. You want both performance and security.
Now here's what to do -
- Recompile Apache with suexec support
I assume that your Apache installation is located at /usr/local/apache2.
BACK UP YOUR CONFIGURATION BEFORE RECOMPILATION!!
Extract httpd-.tar.gz or .tar.bz2 downloaded from httpd.apache.org
Then type this in the shell from the extracted source directory:
> /usr/local/apache2/build/config.nice --enable-suexec \
--with-suexec-bin=/usr/local/apache2/bin/suexec --with-suexec-caller=www \
--with-suexec-docroot=/srv --with-suexec-uidmin=500 --with-suexec-gidmin=www;
> make
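> sudo make install #(or simply make install if you are root)
This will configure Apache with suexec. Run make and then make install (sudo make install if you're not root) to compile and install it. Note that --with-suexec-gidmin sets the lowest numeric GID suexec will run a script as, so put a numeric GID there in place of www.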
- Main Configuration
Now comes the real part - Configuration
In the module section add these two lines -
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule fastcgi_module modules/mod_fastcgi.so

The following configuration assumes that you want PHP on all of your virtual hosts. If you don't, you have to configure it a little differently.

    # ScriptAlias takes the URL path first, then the filesystem path
    ScriptAlias "/cgi-bin/" "/srv/cgi-bin/"
    <Directory "/srv/cgi-bin/">
        Options None
        Order allow,deny
        Allow from All
    </Directory>

    # This directive must appear before any other FastCGI directives
    FastCgiSuexec bin/suexec

    # Change FastCgiConfig directive values as needed.
    # Read docs at http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html
    FastCgiConfig -singleThreshold 100 -killInterval 600 -minProcesses 5 -maxProcesses 50 -maxClassProcesses 15 -autoUpdate -idle-timeout 180 -pass-header HTTP_AUTHORIZATION

    AddHandler fastcgi-script .fcgi
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/php.fcgi

    <FilesMatch "\.php$">
        Options +ExecCGI
    </FilesMatch>
- Create /srv/cgi-bin/php.fcgi
    #!/bin/bash
    # In most cases you don't want any stuff here ;)
    # Just pass the filename to PHP interpreter
    PHP=$(type -p php-cgi)
    # Quote both expansions so arguments containing spaces are passed through intact
    exec "$PHP" "$@"

The file /srv/cgi-bin/php.fcgi should be owned by www:www with permissions of 0755 (the same goes for the cgi-bin directory).
A php.fcgi like this must exist in the cgi-bin of every virtual host. It must be owned by the user:group specified in the SuexecUserGroup directive and must be writable ONLY by the owner (not even by the group). The cgi-bin directory must also be writable ONLY by its owner, i.e. both the cgi-bin directory and php.fcgi should have permissions of 755.
- Configure VirtualHost
Be sure to set the owner of cgi-bin/php.fcgi to vuser:vgroup, with permissions of 755 for the directory as well as for php.fcgi!!

    <VirtualHost aa.bb.cc.dd:80>
        ServerName example.com
        # Because we've now enabled suexec, the document root of ANY virtualhost must be under /srv
        DocumentRoot "/srv/DOCROOT-OF-example.com/public"
        # URL path first, then the filesystem path
        ScriptAlias "/cgi-bin/" "/srv/DOCROOT-OF-example.com/cgi-bin/"
        <Directory "/srv/DOCROOT-OF-example.com/cgi-bin">
            Options None
            Order allow,deny
            Allow from All
        </Directory>
        SuexecUserGroup vuser vgroup
        # other config stuff..
    </VirtualHost>
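The ownership and permission rules above are the usual place this setup goes wrong, so here is a pre-flight check for a virtual host's wrapper, as an added example that is not part of the original post. The function name check_wrapper and its argument order are hypothetical, and it assumes GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example: verify the suexec preconditions stated in this tutorial for
# a per-vhost PHP wrapper. check_wrapper is a hypothetical helper name.
# Usage: check_wrapper WRAPPER USER GROUP [DOCROOT]
# Returns 0 if every check passes, 1 otherwise; prints one line per failure.
check_wrapper() {
    wrapper=$1; want="$2:$3"; docroot=${4:-/srv}; rc=0
    dir=$(dirname "$wrapper")

    # Resolve symlinks so a link cannot make the wrapper merely look as if it
    # lives under the docroot given to --with-suexec-docroot.
    real_dir=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "FAIL: $dir missing"; return 1; }
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P) || { echo "FAIL: $docroot missing"; return 1; }
    case "$real_dir/" in
        "$real_root"/*) ;;
        *) echo "FAIL: $real_dir is outside suexec docroot $real_root"; rc=1 ;;
    esac

    # Same two rules for the cgi-bin directory and for php.fcgi itself.
    for path in "$dir" "$wrapper"; do
        if [ ! -e "$path" ]; then echo "FAIL: $path missing"; rc=1; continue; fi
        owner=$(stat -c '%U:%G' "$path")
        mode=$(stat -c '%a' "$path")
        # Owner must match the vhost's SuexecUserGroup.
        [ "$owner" = "$want" ] || { echo "FAIL: $path owned by $owner, want $want"; rc=1; }
        # Only the owner may write: reject group (020) or other (002) write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $path mode $mode is writable by group or other"; rc=1
        fi
    done

    [ -f "$wrapper" ] && [ -x "$wrapper" ] || { echo "FAIL: $wrapper is not an executable file"; rc=1; }
    return $rc
}
```

For the virtual host above you would call it as check_wrapper /srv/DOCROOT-OF-example.com/cgi-bin/php.fcgi vuser vgroup before reloading Apache.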
ENJOY!
Post comments (and subscribe to them) for any clarification.
- Nilesh's blog