suPHP - secure/reliable?
Sam Nilsson
lists at servingpeace.com
Thu Nov 3 18:53:18 GMT 2005
jonas wrote:
> I'd be really interested to hear some few details about installation through
> the ports. From what I saw in the FastCGI documentation you need to do some
> strange configuration changes to your httpd.conf, so that .php files are
> properly passed to the FastCGI handler and that they'll be executed under the
> correct user. Could you share a quick overview what you did to get this up
> and running, apart from making install?
>
> Thanks!
Sure. Here is the basic method that I used to build apache2 with suexec,
fastcgi, and php5. These instructions come from my notes, so there are
probably some mistakes and typos. Setting this stuff up is a process:
-- Install Ports:
Edit /usr/local/etc/pkgtools.conf. Add the following to the MAKE_ARGS
section:
'www/apache2*' => 'WITH_SUEXEC=yes SUEXEC_DOCROOT=/usr/local/www SUEXEC_USERDIR=public_html',
'www/mod_fastcgi*' => 'WITH_APACHE2=yes',
'www/php5-cgi*' => 'WITH_FASTCGI=yes',
$ portupgrade -pNi www/apache2
$ portupgrade -pNi www/mod_fastcgi
$ portupgrade -pNi www/php5-cgi
-- Setup Apache:
Add the following to the /usr/local/etc/apache2/httpd.conf - global section
FastCgiIpcDir /usr/local/fastcgi-ipc
FastCgiWrapper sbin/suexec
Edit any virtual hosts in httpd.conf following this example:
<VirtualHost *:80>
ServerName virtual-domain.tld
DocumentRoot /usr/local/www/virtual/virtual-domain.tld/public_html
...
SuexecUserGroup username groupname
# alternatively
# SuexecUserGroup #userid #groupid
AddHandler php-fastcgi .php
Alias /cgi-bin/ /usr/local/www/virtual/virtual-domain.tld/cgi-bin/
<Location /cgi-bin/php>
SetHandler fastcgi-script
Options ExecCGI
</Location>
Action php-fastcgi /cgi-bin/php
AddType application/x-httpd-php .php
</VirtualHost>
-- Other Apache Config Issues:
In order for php to work with this setup, each virtual host must have
its own cgi-bin directory.
* The cgi-bin directory must be owned by the customer's uid and gid
(from /etc/passwd).
* All cgi scripts must be owned by the customer's uid/gid.
* The cgi-bin directory must contain the following script which
must also be owned by the customer's uid/gid.
$ cat /usr/local/www/virtual/virtual-domain.tld/cgi-bin/php
#!/bin/sh
PHPRC="/usr/local/etc/php/php.ini" # or any custom php.ini file
export PHPRC
#PHP_FCGI_CHILDREN=4
#export PHP_FCGI_CHILDREN
exec /usr/local/bin/php
----
Now you can run a script like
/usr/local/www/virtual/virtual-domain.tld/public_html/test.php and it
will be run using suexec and fastcgi. It doesn't matter who owns the
test.php script file, just the ownership of /cgi-bin and /cgi-bin/php.
If you want to run normal cgi scripts from public_html, then the script
and its parent directory must be owned exactly as indicated by the
SuexecUserGroup directive.
Let me know if you need any clarifications or if you have any more
questions.
- Sam
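
Added example, not part of Sam's message: a small audit script for the ownership rules listed above, checking that a vhost's cgi-bin directory and its php wrapper belong to the numeric uid/gid given to SuexecUserGroup. The function names are hypothetical, and the extra checks (no group/other write bit, no setuid/setgid bit) are taken from suEXEC's documented security model rather than from the post.

```shell
#!/bin/sh
# Added example (assumption: names below are illustrative, not from any project).
# Usage: sh check.sh /usr/local/www/virtual/virtual-domain.tld/cgi-bin UID GID

# Check one path: exact uid/gid match, owner can execute/search it,
# no group/other write bit, no setuid/setgid bit. Uses only POSIX ls + awk,
# so it behaves the same on FreeBSD and Linux.
_check_path() {
    path=$1; want_uid=$2; want_gid=$3; rc=0
    # ls -ldn prints: mode links uid gid ... ; keep mode, uid, gid
    set -- $(ls -ldn -- "$path" 2>/dev/null | awk '{print $1, $3, $4}')
    if [ $# -ne 3 ]; then
        echo "FAIL $path: missing or unreadable"
        return 1
    fi
    mode=$1
    [ "$2" = "$want_uid" ] || { echo "FAIL $path: uid $2, want $want_uid"; rc=1; }
    [ "$3" = "$want_gid" ] || { echo "FAIL $path: gid $3, want $want_gid"; rc=1; }
    # mode string layout: type, rwx (user), rwx (group), rwx (other)
    case $mode in
        ?????w*|????????w*) echo "FAIL $path: group/other writable ($mode)"; rc=1 ;;
    esac
    case $mode in
        ???[sS]*|??????[sS]*) echo "FAIL $path: setuid/setgid set ($mode)"; rc=1 ;;
    esac
    case $mode in
        ???x*) ;;
        *) echo "FAIL $path: owner lacks execute bit ($mode)"; rc=1 ;;
    esac
    return $rc
}

# Audit the cgi-bin directory and the php wrapper inside it.
# Returns 0 only if both pass every check.
check_suexec_cgibin() {
    dir=$1; uid=$2; gid=$3; status=0
    _check_path "$dir" "$uid" "$gid" || status=1
    _check_path "$dir/php" "$uid" "$gid" || status=1
    [ "$status" -eq 0 ] && echo "OK $dir"
    return $status
}

# Run only when called with the three arguments.
if [ $# -eq 3 ]; then
    check_suexec_cgibin "$@"
fi
```

Run it once per virtual host after creating the wrapper; any FAIL line names the path and the attribute that differs from what SuexecUserGroup expects.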