Apache2-PHP-FastCGI-SuExec


Yeah, this is one of the most irritating things to set up. I had a tough time with it, but ultimately got it right after a lot of research.

Follow this tutorial and you'll have the environment set up: PHP running via FastCGI inside a SuExec environment on Apache 2!

So let's start with a case study: what my case was, and how I solved it.

I have a server in which Apache 2 is configured with FastCGI globally without SuExec support on Linux.

Apache runs as user www and group www.

Data is stored at /srv/htdocs.

Now you want to add a new user, but you want to be sure that his scripts aren't able to write to your data area (i.e. /srv/htdocs).

Without SuExec, every PHP and CGI script on the server, whichever virtual host it belongs to, runs as www, so it can read and write anything www can, including /srv/htdocs. To keep him out of your area you have to use SuExec, which runs his PHP/CGI scripts under his own user and group instead. This only helps if /srv/htdocs itself is not writable by his group or by everyone, so check it with ls -ld /srv/htdocs before you start.

You could also use mod_suphp and be done with it, but that costs performance: mod_suphp runs PHP as plain CGI, starting a fresh interpreter for every request, whereas FastCGI keeps PHP processes alive between requests. You want both performance and security.

Now here's what to do -

  1. Recompile Apache with suexec support

    I assume that your Apache installation is located at /usr/local/apache2.

    BACKUP YOUR CONFIGURATION BEFORE RECOMPILATION !!

    Extract the httpd-.tar.gz or .tar.bz2 tarball downloaded from httpd.apache.org and change into the extracted source directory.

    Then type this on the shell (config.nice re-runs configure with the options your current build was made with, plus the suexec options added here):

    > /usr/local/apache2/build/config.nice --enable-suexec \
    --with-suexec-bin=/usr/local/apache2/bin/suexec --with-suexec-caller=www \
    --with-suexec-docroot=/srv --with-suexec-uidmin=500 --with-suexec-gidmin=500
    > make
    > sudo make install   # or simply make install if you are root

    A note on the values: --with-suexec-caller is the user Apache runs as (www); --with-suexec-docroot is the tree every suexec'd script must live under (/srv, which is why all virtual hosts below are placed there); --with-suexec-uidmin and --with-suexec-gidmin are numeric lower bounds, and suexec refuses to switch to root or to any uid or gid below them. gidmin must be a number, not a group name such as www (500 here mirrors uidmin; adjust to the lowest GID you hand out to virtual host users).

    This configures, compiles and installs Apache with suexec. The suexec binary is installed setuid root, since it has to change user. Once installed, verify the compiled-in settings (as root) with

    > /usr/local/apache2/bin/suexec -V

  2. Main Configuration

    Now comes the real part - Configuration

    Next to the other LoadModule lines add these two -

    LoadModule suexec_module modules/mod_suexec.so
    LoadModule fastcgi_module modules/mod_fastcgi.so

    The following configuration assumes that you want PHP on all of your Virtual Hosts. If you don't, you have to configure it a little differently.

    # ScriptAlias takes the URL path first, then the filesystem path
    ScriptAlias "/cgi-bin/" "/srv/cgi-bin/"

    <Directory "/srv/cgi-bin/">
      Options None
      Order allow,deny
      Allow from All
    </Directory>

    # This directive must appear before any other FastCGI directives.
    # The path is relative to ServerRoot, so this is /usr/local/apache2/bin/suexec,
    # the same binary given to --with-suexec-bin in step 1.
    FastCgiSuexec bin/suexec

    # Change FastCgiConfig directive values as needed.
    # Read docs at http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html
    FastCgiConfig -singleThreshold 100 -killInterval 600 -minProcesses 5 -maxProcesses 50 -maxClassProcesses 15 -autoUpdate -idle-timeout 180 -pass-header HTTP_AUTHORIZATION

    AddHandler fastcgi-script .fcgi

    # Every .php request is handed to the FastCGI wrapper at the URL /cgi-bin/php.fcgi.
    # That URL is resolved per virtual host, which is why each host gets its own
    # cgi-bin with its own copy of php.fcgi (step 3), owned by that host's user.
    AddHandler php-fastcgi .php
    Action php-fastcgi /cgi-bin/php.fcgi

    <FilesMatch "\.php$">
      Options +ExecCGI
    </FilesMatch>

  3. Create /srv/cgi-bin/php.fcgi

    #!/bin/bash

    # In most cases you don't want any stuff here ;)
    # Just pass the filename to the PHP interpreter.
    # Note: suexec clears the environment and resets PATH to its compiled-in safe
    # path (default /usr/local/bin:/usr/bin:/bin), so php-cgi must be found there,
    # or you hard-code its full path instead of using type -p.

    PHP=$(type -p php-cgi)

    # Quote "$@" so arguments containing spaces reach PHP intact.
    exec "$PHP" "$@"

    This global copy /srv/cgi-bin/php.fcgi, used by requests that do not fall under a virtual host with SuexecUserGroup, should be owned by www:www with permissions 0755 (including the cgi-bin directory).

    A php.fcgi must exist in the cgi-bin of every virtual host. suexec checks both the script and the directory it sits in before it will run anything: both must be owned by exactly the user:group named in that host's SuexecUserGroup directive, neither may be writable by group or others (owner-writable ONLY), the script may not carry a setuid or setgid bit, and the directory must lie under the compiled-in docroot (/srv). If any of these fails, the request ends in a 500 and the reason is written to suexec's own log (logs/suexec_log by default).

    i.e. the directory cgi-bin and php.fcgi should both have permissions of 755 and both be owned by that host's user and group.

  4. Configure VirtualHost

    <VirtualHost aa.bb.cc.dd:80>
      ServerName example.com

      # Because suexec was compiled with --with-suexec-docroot=/srv, the cgi-bin
      # (and in practice the whole site) of ANY virtualhost must live under /srv.
      DocumentRoot "/srv/DOCROOT-OF-example.com/public"

      # URL path first, then the directory: this makes /cgi-bin/php.fcgi resolve
      # to THIS host's own wrapper, which suexec then runs as vuser:vgroup.
      ScriptAlias "/cgi-bin/" "/srv/DOCROOT-OF-example.com/cgi-bin/"

      <Directory "/srv/DOCROOT-OF-example.com/cgi-bin">
        Options None
        Order allow,deny
        Allow from All
      </Directory>

      SuexecUserGroup vuser vgroup

      # other config stuff..
    </VirtualHost>

    Be sure that cgi-bin and cgi-bin/php.fcgi are both owned by vuser:vgroup with permissions 755 !! suexec compares the owner of the directory and of the script against vuser:vgroup and refuses to run if either differs, or if either is writable by group or others.
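To take the guesswork out of steps 3 and 4, here is an added example (not part of the original article) of a small shell script that reproduces the checks suexec makes on a target before running it: the numeric uid/gid lower bounds from step 1, the docroot, and the ownership and permission rules on the cgi-bin directory and php.fcgi. It assumes Linux with GNU coreutils (stat -c) and glibc (getent); the script name suexec_precheck.sh is made up for this example, and the uidmin/gidmin/docroot values you pass in are the ones you chose in step 1.

```shell
#!/bin/bash
# suexec_precheck.sh - added example, not part of the original article.
# Reproduces the checks Apache's suexec wrapper makes before it will run a
# virtual host's php.fcgi, so a misconfigured host is caught before the first
# request fails with a 500. Assumes Linux (GNU stat, glibc getent).
#
# Usage: suexec_precheck.sh USER GROUP DOCROOT CGI_DIR SCRIPT UIDMIN GIDMIN
#   e.g. suexec_precheck.sh vuser vgroup /srv /srv/DOCROOT-OF-example.com/cgi-bin php.fcgi 500 500

# suexec_check_ids UID GID UIDMIN GIDMIN
# suexec refuses to switch to root or to any uid/gid below the compiled-in minimums.
suexec_check_ids() {
    local uid=$1 gid=$2 uidmin=$3 gidmin=$4 rc=0
    if [ "$uid" -eq 0 ] || [ "$uid" -lt "$uidmin" ]; then
        echo "FAIL: uid $uid is root or below uidmin $uidmin"; rc=1
    fi
    if [ "$gid" -eq 0 ] || [ "$gid" -lt "$gidmin" ]; then
        echo "FAIL: gid $gid is root or below gidmin $gidmin"; rc=1
    fi
    return $rc
}

# _suexec_check_node PATH UID GID
# Owner must be exactly UID:GID and neither group nor others may have write access.
_suexec_check_node() {
    local path=$1 uid=$2 gid=$3 rc=0 owner group perm
    owner=$(stat -c %u "$path"); group=$(stat -c %g "$path"); perm=$(stat -c %A "$path")
    if [ "$owner" != "$uid" ] || [ "$group" != "$gid" ]; then
        echo "FAIL: $path is owned by $owner:$group, expected $uid:$gid"; rc=1
    fi
    # %A looks like -rwxr-xr-x: index 5 is the group write bit, index 8 the other write bit
    case "$perm" in
        ?????w*|????????w*) echo "FAIL: $path is writable by group or others ($perm)"; rc=1 ;;
    esac
    return $rc
}

# suexec_check_target UID GID DOCROOT DIR SCRIPT
# DIR must lie under DOCROOT, DIR and DIR/SCRIPT must pass _suexec_check_node,
# and SCRIPT must be a regular file without setuid/setgid bits.
suexec_check_target() {
    local uid=$1 gid=$2 docroot=$3 dir=$4 script=$5 rc=0 real_dir real_root perm
    if [ ! -d "$dir" ]; then echo "FAIL: $dir is not a directory"; return 1; fi
    if [ ! -d "$docroot" ]; then echo "FAIL: docroot $docroot does not exist"; return 1; fi
    real_dir=$(cd "$dir" && pwd -P)
    real_root=$(cd "$docroot" && pwd -P)
    # suexec itself does a plain string-prefix compare here; this is slightly stricter.
    case "$real_dir" in
        "$real_root"|"$real_root"/*) ;;
        *) echo "FAIL: $dir is outside the suexec docroot $docroot"; rc=1 ;;
    esac
    _suexec_check_node "$dir" "$uid" "$gid" || rc=1
    if [ ! -f "$dir/$script" ]; then
        echo "FAIL: $dir/$script is not a regular file"; return 1
    fi
    _suexec_check_node "$dir/$script" "$uid" "$gid" || rc=1
    perm=$(stat -c %A "$dir/$script")
    # index 3 is the setuid slot (s/S), index 6 the setgid slot
    case "$perm" in
        ???[sS]*|??????[sS]*) echo "FAIL: $dir/$script has a setuid/setgid bit ($perm)"; rc=1 ;;
    esac
    return $rc
}

# Run the full check when invoked with all seven arguments.
if [ $# -eq 7 ]; then
    uid=$(id -u "$1") || exit 2
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || { echo "unknown group $2" >&2; exit 2; }
    status=0
    suexec_check_ids "$uid" "$gid" "$6" "$7" || status=1
    suexec_check_target "$uid" "$gid" "$3" "$4" "$5" || status=1
    [ $status -eq 0 ] && echo "OK: suexec should accept $4/$5 as $1:$2"
    exit $status
fi
```

Run it once per virtual host after creating its cgi-bin and php.fcgi; every FAIL line corresponds to a condition suexec would refuse on. When a request still fails afterwards, suexec's own log (logs/suexec_log by default) names the exact check that rejected it, and suexec -V run as root shows the compiled-in docroot, uidmin and gidmin to compare against.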

ENJOY!

Post comments (and subscribe to them) for any clarification.


Nilesh Govindrajan

Site & Server Administrator
iTech7
