Andy's Blog » » SuExec PHP/FastCGI under Apache 2

SuExec PHP/FastCGI under Apache 2

SuExec PHP/FastCGI under Apache 2

PHP/FastCGI

We need php4/php5 compiled with FastCGI support and `mod_fastcgi`. On Suse (at least OpenSuse) both are available as packages so we can just install it through YAST. On OpenSuse, once installed the binary will be placed at `/srv/www/cgi-bin`:-

$ cd /srv/www/cgi-bin
$ ./php -v
PHP 4.4.0 (cgi-fcgi) (built: Sep 13 2005 02:19:37)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
$ ./php5 -v
PHP 5.0.4 (cgi-fcgi) (built: Sep 13 2005 02:20:47)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies

Then we edit apache configuration file to have it run PHP through mod_fastcgi. This is the snipet of apache config (Suse style):-

$ cat /etc/apache2/httpd.conf.local

<ifmodule mod_fastcgi.c>
FastCgiIpcDir /tmp
AddHandler fastcgi-script .fcgi
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout
240 -pass-header HTTP_AUTHORIZATION
</ifmodule>

$ cat /etc/apache2/vhosts.d/hadiah.laptop.int

ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/
<location /fcgi-bin/>
Options ExecCGI
SetHandler fastcgi-script

AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /fcgi-bin/php

<directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</directory>

(actual output trimmed).

This is enough to tell apache that all request to *.php files will be passed to FastCGI PHP.

You may test this configuration by restarting apache and fire up the virtual host.

Apache2 SuEXEC

Now that we have PHP/FCPGI working, let’s add suexec so we can execute the php process under normal userid instead of apache user. Our apache config would look’s like:-

$ cat /etc/apache2/httpd.conf.local

<ifmodule mod_fastcgi.c>
FastCgiIpcDir /tmp
AddHandler fastcgi-script .fcgi
FastCgiWrapper /usr/sbin/suexec2 # we specify the suexec wrapper
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout
240 -pass-header HTTP_AUTHORIZATION
</ifmodule>

$ cat /etc/apache2/vhosts.d/hadiah.laptop.int

SuexecUserGroup kamal users # execute under this userid
ScriptAlias /fcgi-bin/ /srv/www/cgi-bin/
<location /fcgi-bin/>
Options ExecCGI
SetHandler fastcgi-script

AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /fcgi-bin/kamal/php-wrapper # wrapper to actual php binary

<directory "/srv/www/cgi-bin">
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</directory>

(actual output trimmed) Notice the part that was commented.

I specify a few things here:-

* specify apache suexec wrapper
* specify user/group the cgi would run in virtual host config
* create a wrapper to actual php binary so I can pass some options

to the binary.

The snippet of php-wrapper:-

$ cat /srv/www/cgi-bin/kamal/php-wrapper

#!/bin/sh
PHPRC="/etc"
export PHPRC
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
/srv/www/cgi-bin/php

This way I can specify different php.ini to each virtual host that I have.

FIXME: The ideal place to put the wrapper is in user’s home directory but suexec only allow cgi execution from the specified –docroot during compile time. Apache in Suse had set suexec docroot to /srv/www/ and the only way to change this is by rebuilding apache. So my temporary solution is to create a directory under /srv/www to put the wrapper and chown it to the user I specified in vhost config.

Just wanted to let you know it’s quite easy to modify suexec to reflect your personal preferences. I did it in 30 seconds with Apache22 on FreeBSD6 but it’s probably not much different for your situation :)

To check where Apache expects to find the suexec binary..

$ apachectl -V

To check your current suexec settings..

$ suexec -V

Configure Apache with your current suexec settings but change the docroot option..

$ cd ~
$ fetch http://www.apache.org/dist/httpd/httpd-2.0.58.tar.bz2
$ tar -zxvf httpd-2.0.58.tar.bz2
$ cd httpd-2.0.58
$ ./configure --enable-suexec --with-suexec-docroot=/usr/home
$ make
$ cp support/suexec /usr/sbin/suexec2

And your done..
Troubleshooting

Make sure to take a look to your apache log file. suexec will log any error to suexec.log in your apache log directory.

$ tail -f /var/log/apache2/hadiah-error_log
$ tail -f /var/log/apache2/suexec.log

Refferences:-

Incoming search terms:

Tags: PHP, 配置, apache, 服务器, FastCGI, suexec

本文地址: http://blog.21andy.com/20071123/686.html