apache2-mpm-itk

Discussion in 'Feature Requests' started by Ben, Aug 10, 2008.

  1. Ben

    Ben New Member Moderator HowtoForge Supporter ISPConfig Developer

  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Looks interesting. Does anybody have tested this how it performs for a larger number of vhosts e.g. 100 - 20 performance and ram wise? The project is also marked as experimental at the moment.

    Implementing this in ISPConfig 3 should be easy and could be most likely done by simply changing the apache configuration template without programming.
     
  3. bjarne-j

    bjarne-j New Member

    Would it be possible to add mpm-itk support in ISPConfig 2 ?

    mpm-itk sounds like a great way of dealing with PHP-security without sacrificing too much performance.
     
  4. grungy

    grungy Member HowtoForge Supporter

    I am running mpm-itk for 8 months now and I love it, to ad mpm-itk support to ISPCONFIG it is a matter of modifying apache templates to add:

    <IfModule mpm_itk_module>
    AssignUserId {SUEXEC_USER} {SUEXEC_GROUP}
    </IfModule>

    and for domains/subdomains.

    p.s. you have to install mpm-itk apache - apt-get install apache2-mpm-itk

    and that will remove your current apache
     
  5. archerjd

    archerjd ISPConfig Developer ISPConfig Developer

    Could these settings be applied during the install of ISPC3?
    E.g. the installer auto-detects which mpm you have installed?

    I could see adding this capability definitely, but in the case that a site has an issue with it you should be able to turn it off. This could be done safely by removing the user directives from the vhost. When mpm-itk doesn't see the directives in Debian it just defaults to www-data:www-data.
    I have used it with success and have been very happy with it for the experimental sites I have been testing but I haven't actually put it into production. The advantages you would have are phenomenal not to mention web applications that implement the DAV protocol.
     
    Last edited: Jan 7, 2009
  6. grungy

    grungy Member HowtoForge Supporter

    Last night modified the template ISPCPNFIG vhost template to to add mpm-itk directives ad it works....
     
  7. archerjd

    archerjd ISPConfig Developer ISPConfig Developer

    I noticed that you can't use shared applications, e.g phpMyAdmin. Am I wrong or is there a way around this?
     
  8. grungy

    grungy Member HowtoForge Supporter

    there is a way around this, I know I solved this some time ago, I think it was with phptmp dir - php_admin_value upload_tmp_dir
     
  9. grungy

    grungy Member HowtoForge Supporter


    actually for ispconfig you have to add:

    <IfModule mpm_itk_module>
    AssignUserId <tmpl_var name='system_user'> <tmpl_var name='system_group'>
    </IfModule>
     
  10. grungy

    grungy Member HowtoForge Supporter

  11. ilaidlaw

    ilaidlaw New Member

    You'd likely also want to remove world read/write permissions from the files and remove world execute permissions from directories of the all the document roots for each vhost. I have mpm_itk working in a test environment as well, seems ok so far.
     
  12. SuperQ

    SuperQ New Member

    I'm glad it's easy to add this feature. I use mpm-itk for about 70 virtual hosts running on my system. It has been fairly stable, and helps secure crappy php applications from each other for different users. I have been looking at various ISP packages for a while and am hoping to test out ISPconfig 3 now.

    I'll probably post a bunch of questions soon. :)
     
  13. demia

    demia New Member

    How to change mpm-itk user from php?

    Hi,

    I have somewhat simple problem. i have x.com everyone is welcome, but when you login from a php form you will be able to see your files and folders.

    each users files will be on a separate /x/y/[user id] folder.

    So, on my x.com vhost directive i need to assign guest user at first then when user logs in i have to change the mpm-itk user so that user can work with his files.


    Do you know how to change this user dynamically? and i have thousands of users and each login should change user to corresponding unix-user.

    thanks.
    D
     
  14. SuperQ

    SuperQ New Member

    mpm-itk only works on a per <VirtualHost> directive in the apache config.

    in each <VirtualHost> you can use AssignUserID.

    See the itk docs: http://mpm-itk.sesse.net/
     
  15. Nikolay Ulyanitsky

    Nikolay Ulyanitsky New Member

Share This Page