CosmoCode is a Berlin based IT service provider focusing on CMS, Wikis and Web2.0
Mail info@cosmocode.deTel +49 (30) 814504070
Setting up Apache2, SuExec, PHP5/FastCGI
Tags:
Sometimes you want to set up multiple virtual hosts to run PHP code under different users. One way to do that is suPHP. Unfortunately this is rather slow because it runs PHP in standard CGI mode and needs to spawn a new process for each request. A faster way to invoke PHP is to use FastCGI which will reuse spawned PHP processes. To make those processes run under different users for different virtual hosts (vhosts) you can use SuExec.
The following will give a quick overview ho to do that. I assume certain knowledge of configuring Apache and setting up virtual hosts. I will only describe the things needed for the special FastCGI/SuExec setup here.
Let's start with installing the needed packages from the current etch distribution:
#> apt-get install apache2 libapache2-mod-fcgid php5-cgi
Now we can create our virtual host entries as usual. Here is an example to start with:
<virtualhost *> ServerName www.example.com DocumentRoot /www/example.com # some settings for fastCGI PHP_Fix_Pathinfo_Enable 1 MaxRequestsPerProcess 500
SuexecUserGroup example example
<directory /www/example.com/htdocs/>
AddHandler fcgid-script .php
Options +ExecCGI
FCGIWrapper /var/www/fastcgi-example/php5-cgi .php
</directory>
</virtualhost>
Okay, the first two lines are the usual vhost setup. What follows are two options recommended for running PHP in FastCGI mode. The first one makes sure the $_SERVER['PATH_INFO'] environment is setup correctly for your scripts. The second lets each FastCGI process die after having handled 500 requests. This ensures no possible memory leak will tear down your server.
The next line sets up the suexec mechanism and tells it to execute CGIs as user example and group example. This will be the user your PHP processes for this vhost will run under.
The last step is to bind the .php file extension to the FastCGI module and to tell it how to start the FastCGI process. This last line is the special trick. In a normal FastCGI setup (without suexec) you would point it to your PHP binary. In our case this is a small wrapper script.
Why a wrapper script? Because there is a security restriction in suexec: it will only execute scripts below the document root compiled into the Apache binary. In Debian this is /var/www/. So we need to have our PHP binary below /var/www/. SuExec won't accept symlinks. A hardlink would work, but there is another catch. The executable needs to be owned by the user and group we defined earlier in the SuexecUserGroup line. But we want different users for our different vhosts which wouldn't work with hard links. So we use a wrapper script with the following content:
#!/bin/sh exec /usr/bin/php5-cgi "$@"
You see, it simply replaces the running shell process with the correct PHP5 call.
The script needs to be owned by the correct user and group and has to have execution permissions and there is another restriction: it needs to be inside a directory owned by the same user which is not writable by anyone else.
So in our example case we have /var/www/fastcgi-example owned by example:example and permissions 755 and /var/www/fastcgi-example ownd by example:example and permissions 755 as well.
That's it - start up apache and have your vhosts run under different users 
Comments
Nice. I got it working. But do I have to create a wrapper for every other user that'll be on my server?
Htbaa, yes you'll need a wrapper for each user you want to run a VirtualHost under.
Alright thank you.
Couldnt' get it working, the wrapper will be called but obviously with no parameter so always “No input file specified” will be displayed only. Any idea? (I'm using debian etch, mod_fgcid version seems to be 1.10)
jwg : not that mod_fcgid and mod_fastcgi hasn't the same config.
hi! thanks for this, it works perfectly. Too bad it is quite a hassle to configure the directories for the wrapper per user. Can this be circumvented by now as this post is one year old? :) Thanks and regards, Wouter
So what exactly is the difference between mod_fastcgi and mod_fcgid? I want to be able to use the -flush command but why if the two modules are 'the same' then why are the configurations so different? I've still to get a straight answer to this…xD
About CosmoCode
Subscribe
Like our blog? Stay up to date via RSS
Htbaa
2007/08/30 17:06
Nice. I got it working. But do I have to create a wrapper for every other user that'll be on my server?