Apache Mod Fastcgi PHP

A default Apache running everything under one UID/GID isn't too secure. Users can look into all virtual hosts hosted on the server, and nothing can stop them if PHP/CGI is allowed.

One solution to this problem is to run PHP as CGI. With suexec, this allows PHP to run under a specific UID/GID. Unfortunately, running PHP as CGI slows things down. FastCGI comes to the rescue here.

What do you need? mod_fastcgi and PHP compiled with FastCGI mode enabled (in PLD the apache-mod_fastcgi and php-fcgi packages provide that). I will not describe the compilation/installation process for them. It's documented, so you can read it yourself.

Example Apache 2.0 configuration:

FastCgiWrapper /usr/sbin/suexec-fcgi
FastCgiServer /home/services/httpd/cgi-bin/php -user pubhttp -group pubhttp
AddHandler php-fastcgi .php

SetHandler fastcgi-script

Action php-fastcgi /cgi-bin/php
AddType application/x-httpd-php .php

/home/services/httpd/cgi-bin/php is a shell script:

#!/bin/sh
# Where PHP looks for its configuration file
PHPRC="/etc/php/"
export PHPRC
# Number of FastCGI PHP servers in one pool
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
# Replace the shell with the FastCGI-enabled PHP binary
exec /usr/bin/php.fcgi

PHPRC specifies the configuration file for PHP, while PHP_FCGI_CHILDREN limits the number of FastCGI PHP servers in one pool.

/usr/sbin/suexec-fcgi is a modified Apache suexec that disables checking of the UID/GID against the directory/script file owner. Here is ApacheSuEexecPatch.

In each context you also need to specify the proper username/group or UID/GID, for example:

ServerAdmin admin@somehost.pl
DocumentRoot /home/virtuals/virtual01
#SuexecUserGroup virtual01-user virtual-group
SuexecUserGroup "#50000" "#5000"

It's also good to specify SuexecUserGroup defaultapacheuser defaultapachegroup in the global context. I had problems with mod_fastcgi trying to use root/root without this directive. I've also modified mod_fastcgi in a way that allows using it with UID/GID only (so no proper entries in /etc/{passwd,group}). Here is ModFastCgiPatch.

As a result you will get something like this:

|-httpd(22368)-+-httpd(22388,http)-+-php.fcgi(26822,artwol)-+-php.fcgi(26823)
|              |                   |                        `-php.fcgi(26824)
|              |                   |-php.fcgi(22657,powiat9)-+-php.fcgi(22658)
|              |                   |                         |-php.fcgi(22659)
|              |                   |                         |-php.fcgi(22660)
|              |                   |                         `-php.fcgi(22661)
|              |                   |-php.fcgi(22489,sebastian)-+-php.fcgi(15654)
|              |                   |                           |-php.fcgi(15809)
|              |                   |                           |-php.fcgi(15810)
|              |                   |                           `-php.fcgi(15828)
|              |                   |-php.fcgi(24300,piochaj)-+-php.fcgi(24301)
|              |                   |                         `-php.fcgi(24302)
|              |                   |-php.fcgi(22496,gazetas01)-+-php.fcgi(22497)
|              |                   |                           |-php.fcgi(22498)
|              |                   |                           |-php.fcgi(22499)
|              |                   |                           `-php.fcgi(22500)
|              |                   |-php.fcgi(25690,design)-+-php.fcgi(25691)
|              |                   |                        `-php.fcgi(25692)
|              |                   |-php.fcgi(24613,marbo3)-+-php.fcgi(24614)
|              |                   |                        `-php.fcgi(24615)
|              |                   |-php.fcgi(3208,emawoz)-+-php.fcgi(3209)
|              |                   |                       `-php.fcgi(3210)
|              |                   |-php.fcgi(26503,arhen01)-+-php.fcgi(26504)
|              |                   |                         `-php.fcgi(26505)
|              |                   |-php.fcgi(17300,thomson)-+-php.fcgi(17301)
|              |                   |                         `-php.fcgi(17302)
|              |                   |-php.fcgi(22482,pereko)-+-php.fcgi(22483)
|              |                   |                        |-php.fcgi(22484)
|              |                   |                        |-php.fcgi(22485)
|              |                   |                        `-php.fcgi(22486)
|              |                   |-php.fcgi(22468,pubhttp)-+-php.fcgi(22469)
|              |                   |                         |-php.fcgi(22470)
|              |                   |                         |-php.fcgi(22471)
|              |                   |                         `-php.fcgi(22472)
|              |                   `-php.fcgi(16126,szpaner)-+-php.fcgi(16127)
|              |                                             `-php.fcgi(16128)
|              |-httpd(1699,http)---httpd(1700)-+-httpd(1702)
|              |                                |-httpd(1703)
|              |                                |-httpd(1704)
|              |                                |-httpd(1705)
|              |                                |-httpd(1706)
|              |                                |-httpd(1707)
|              |                                |-httpd(1708)
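
The same check can be scripted instead of read off the tree by eye. The following is an added example, not part of the original post: the function name audit_fcgi_pools is hypothetical, "http" as the httpd worker account is taken from the process tree above, and the sample lines are constructed. It flags any php.fcgi running as UID 0 (the root/root problem mentioned above) or under the web server's own account.

```shell
#!/bin/sh
# Added example: audit which identities the php.fcgi pools actually run under.
# Input on stdin: "USER UID PID COMM" lines, e.g. from
#   ps -e -o user= -o uid= -o pid= -o comm=
# $1: account the httpd workers run as (assumption: "http", as in the tree)
# Prints one finding per offending process plus a summary line; returns 1 if
# any php.fcgi runs as UID 0 or under the shared httpd account.
audit_fcgi_pools() {
    awk -v httpd_user="${1:-http}" '
        $4 != "php.fcgi" { next }                    # only FastCGI PHP servers
        $2 == 0          { print "ROOT", $1, "pid=" $3; bad++; next }
        $1 == httpd_user { print "SHARED", $1, "pid=" $3; bad++; next }
        !($1 in pools)   { pools[$1] = 1; n++ }      # distinct per-user pools
        END { printf "pools=%d findings=%d\n", n, bad; exit (bad > 0) }
    '
}

# Constructed sample (not from a real host): two healthy pools, one root pool.
audit_fcgi_pools http <<'EOF' || echo "separation broken: check SuexecUserGroup"
artwol  50001 26822 php.fcgi
artwol  50001 26823 php.fcgi
pubhttp 50002 22468 php.fcgi
root        0 31000 php.fcgi
http       51 22388 httpd
EOF
```

A non-zero return makes it usable from cron or a monitoring check after every configuration reload.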

3 thoughts on “Apache Mod Fastcgi PHP”

  1. Some Visitor says:

    Dude, nobody’s going to comment, if the security image contains such a long “Security code”.
    Then again, I did. Nice article… 🙂
