fastcgi and php on Debian etch walkthrough

Discussion in 'Tips/Tricks/Mods' started by meemu, Apr 24, 2007.

  1. meemu

    meemu ISPConfig Developer ISPConfig Developer

    Debian 4.0 etch is the new stable distribution. Noteably, Debian has switched to version 2.2 of apache2. The following walkthrough shows how to setup php running inside the fastcgi apache2 module on this new Debian release.

    This walkthrough is based on http://www.howtoforge.com/forums/showthread.php?t=4606 with the following exceptions:

    • use Debian PHP5 or PHP4 pre-compiled binary
    • does not require support for the imuteable bit
    • uses apache 2.2
    • and Debian 4.0 etch
    Refer to the original instructions where this walkthrough does not make sense.



    For simplicity's sake, this is all done as root. Usually, Debian people recommend using a normal unprivileged account for compiling things and getting package sources.

    • Install apache2.2 and download sources
    Code:
    apt-get install apache2.2-common apache2-threaded-dev apache2-mpm-worker
    mkdir /root/install
    cd /root/install
    apt-get source apache2.2-common
    cd apache2-2.2.3/
    debian/rules
    ./configure
    
    The last step will set the configuration options to the Debian defaults.

    • Patch suexec

    Code:
    cd support
    vi suexec.c
    
    Change accordingly, Line 567 (first and last line of this snippet).
    Code:
    /* no file owner check
        if ((uid != dir_info.st_uid) ||
            (gid != dir_info.st_gid) ||
     
     
            (uid != prg_info.st_uid) ||
            (gid != prg_info.st_gid)) {
            log_err("target uid/gid (%ld/%ld) mismatch "
                    "with directory (%ld/%ld) or program (%ld/%ld)\n",
                    uid, gid,
                    dir_info.st_uid, dir_info.st_gid,
                    prg_info.st_uid, prg_info.st_gid);
            exit(120);
        }
      */
    
    • Compile and "install" suexec
    Code:
    make suexec
    mkdir -p /usr/local/lib/apache2/
    cp suexec /usr/local/lib/apache2/suexec-fcgi
    chown root.root /usr/local/lib/apache2/suexec-fcgi
    chmod 4755 /usr/local/lib/apache2/suexec-fcgi
    
    Checking the permissions on the file should look like this
    Code:
    stat /usr/local/lib/apache2/suexec-fcgi
      File: `/usr/local/lib/apache2/suexec-fcgi'
      Size: 24675           Blocks: 56         IO Block: 131072 regular file
    Device: 803h/2051d      Inode: 73997       Links: 1
    Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
    Access: 2007-04-24 07:24:21.000000000 +0100
    Modify: 2007-04-20 13:30:09.000000000 +0100
    Change: 2007-04-23 14:09:09.000000000 +0100
    
    • Install libapache2-mod-fastcgi

    The libapache2-mod-fastcgi package is in the non-free section of the Debian repositories. If it's not there yet change your entry in /etc/apt/sources.list from

    Code:
    deb http://ftp.uk.debian.org/debian/ stable main
    to

    Code:
    deb http://ftp.uk.debian.org/debian/ stable main non-free contrib
    Contrib can be useful too sometimes.

    Then install fastcgi

    Code:
    apt-get install libapache2-mod-fastcgi
    And configure apache to use it

    Code:
    a2enmod fastcgi

    Now to the configuration of mod_fastcgi. The following allows us to keep the php-fastcgi-starter outside of what the user can access or modify.

    Code:
    # /etc/apache2/mods-enabled/fastcgi.conf
    <IfModule mod_fastcgi.c>
             #AddHandler fastcgi-script .fcgi
             #FastCgiWrapper /usr/lib/apache2/suexec2
             #FastCgiIpcDir /var/lib/apache2/fastcgi
    
            #temporary sockets are stored here, this must be at the top!
            FastCgiIpcDir /var/lib/apache2/fastcgi
    
            #config
            FastCgiConfig -pass-header Authorization
    
            FastCgiWrapper /usr/local/lib/apache2/suexec-fcgi
    
            #php
    
            AddHandler php-fastcgi .php .php3 .php4 .php5 .phtml .phps
            <Location /php-fastcgi/php-fcgi-starter>
                    SetHandler fastcgi-script
                    Options +ExecCGI
            </Location>
            Action php-fastcgi /php-fastcgi/php-fcgi-starter
    
            #perl
            #TODO
    
            ##ISPConfig add this by the installtion of it
    
            ##ISPConfig INSTALL## AddType ##ISPConfig INSTALL## application/x-httpd-php .php
    
            <Directory "/var/www/">
                    AllowOverride None
                    Options +ExecCGI -MultiViews -Indexes
                    Order allow,deny
                    Allow from all
            </Directory>
    </IfModule>
    
    • Install PHP4 and PHP5
    Using the PHP from Debian packages makes is easier to maintain and upgrade the system. To install use

    Code:
    apt-get install php4-cgi php5-cgi php4-mysql php5-mysql
    
    Edit the default configuration files and enable safe_mode and set open_basedir to /var/www. More importantly, add this to both files (/etc/php4/cgi/php.ini and /etc/php5/cgi/php.ini)
    Code:
    cgi.fix_pathinfo=1
    (Note: I am not sure this is necessary)

    Create the php-fastcgi starter script
    (at this point worth mentioning that ISPConfig should already be installed)
    Code:
    /root/ispconfig/scripts/php-fcgi-starter
    #!/bin/sh
    PHPRC="/etc/php5/cgi/"
    export PHPRC
    PHP_FCGI_CHILDREN=3
    export PHP_FCGI_CHILDREN
    exec /usr/bin/php5-cgi
    
    and
    Code:
    chown root.root /root/ispconfig/scripts/php-fcgi-starter
    chmod 0755 /root/ispconfig/scripts/php-fcgi-starter
    
    Now patch ISPConfig to use php-fastcgi instead of the php module and create the starter in the right place. This patch also changes the default permissions of new web sites to 750 and adds www-data to every group created by ISPConfig.

    Apply this patch to
    /root/ispconfig/scripts/lib/config.lib.php

    Code:
    1119c1119
    1119c1119
    <
    ---
    >
    1120a1121,1123
    >   //mimo http://www.howtoforge.org/forums/showthread.php?t=4375
    >   // add www user to each new group
    >   $mod->system->add_user_to_group("web".$doc_id,$apache_user);
    1127a1131,1135
    >
    >     //mimo 2nd part
    >     exec("chmod 750 $web_path");
    >     exec("chmod 750 $web_path_realname");
    >
    1385a1394,1405
    >         //FASTCGI (here we could add a handler for different versions of php and php.ini files
    >       //FASTCGI Modification
    >       #$fcgip = $mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"];
    >       $fcgip = $mod->system->server_conf["server_path_httpd_root"]."/php-fastcgi/"."web".$web["doc_id"];
    >       if(!file_exists($fcgip."/php-fcgi-starter")) {
    >               $mod->log->msg("creating $fcgip"."/php-fcgi-starter");
    >               if(!file_exists($fcgip)) {
    >                       exec("mkdir -p $fcgip");
    >               }
    >               exec("cp -p /root/ispconfig/scripts/php-fcgi-starter ".$fcgip."/ && chown root:root ".$fcgip."/php-fcgi-starter");
    >       }
    >
    1387c1407,1410
    <         $php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
    ---
    >       // FASTCGI
    >         //$php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
    >       #$php = "ScriptAlias /php-fastcgi/ ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/\n";
    >       $php = "ScriptAlias /php-fastcgi/ $fcgip\n";
    1390a1414,1415
    >                 #$php = "ScriptAlias /php-fastcgi/ ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/\n";
    >                 $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
    1423a1449,1450
    > //disbaled FASTCGI
    > /*
    1432a1460
    > */
    2513c2541
    < ?>
    \ No newline at end of file
    ---
    > ?>
    1119c1119
    <
    ---
    >
    1120a1121,1123
    >   //mimo http://www.howtoforge.org/forums/showthread.php?t=4375
    >   // add www user to each new group
    >   $mod->system->add_user_to_group("web".$doc_id,$apache_user);
    1127a1131,1135
    >
    >     //mimo 2nd part
    >     exec("chmod 750 $web_path");
    >     exec("chmod 750 $web_path_realname");
    >
    1385a1394,1405
    >         //FASTCGI (here we could add a handler for different versions of php and php.ini files
    >       //FASTCGI Modification
    >       #$fcgip = $mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"];
    >       $fcgip = $mod->system->server_conf["server_path_httpd_root"]."/php-fastcgi/"."web".$web["doc_id"];
    >       if(!file_exists($fcgip."/php-fcgi-starter")) {
    >               $mod->log->msg("creating $fcgip"."/php-fcgi-starter");
    >               if(!file_exists($fcgip)) {
    >                       exec("mkdir -p $fcgip");
    >               }
    >               exec("cp -p /root/ispconfig/scripts/php-fcgi-starter ".$fcgip."/ && chown root:root ".$fcgip."/php-fcgi-starter");
    >       }
    >
    1387c1407,1410
    <         $php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
    ---
    >       // FASTCGI
    >         //$php = "AddType application/x-httpd-php .php .php3 .php4 .php5";
    >       #$php = "ScriptAlias /php-fastcgi/ ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/\n";
    >       $php = "ScriptAlias /php-fastcgi/ $fcgip\n";
    1390a1414,1415
    >                 #$php = "ScriptAlias /php-fastcgi/ ".$mod->system->server_conf["server_path_httpd_root"]."/"."web".$web["doc_id"]."/\n";
    >                 $php = "ScriptAlias /php-fastcgi/ $fcgip/\n";
    1423a1449,1450
    > //disbaled FASTCGI
    > /*
    1432a1460
    > */
    2513c2541
    < ?>
    \ No newline at end of file
    ---
    > ?>
    
    
    Create the base directory for the php-fastcgi starter scripts. The idea is to have a separate one for each web site so that later on it is possible to chose the version and settings of PHP on a per site basis.

    Code:
    mkdir /var/www/php-fastcgi
    chown root.root /var/www/php-fastcgi
    
    • Finally, start or restart apache2. All done!

    For new web sites ISPConfig will create this structure


    /var/www/--+/webX/ <- normal content, user has full access
    /var/www/--+/php-fastcgi/webX/php-fastcgi-starter
     
    Last edited: May 16, 2007
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for the howto. I moved it to the tipps & tricks forum. I will try to implement your patch in the ISPConfig dev branch as php configuration option.
     
  3. falko

    falko Super Moderator ISPConfig Developer

  4. linickx

    linickx New Member

    Hi Till, out of interest, what would the rough timescales of this be: 1week, 1month, 1year, ? ( *expecting* "when we're ready", but it doesn't hurt to ask )

    I'm currently working on fastcgi packages ( php-binary & httpd_module ) for CentOS 4.4 (As I can't find any pre-build packages, you lucky debian people ! :p ), but I haven't yet figured how to config it properly, this could save me a whole load of hassle :)

    EDIT:
    Found Mod_fastcgi.rpm on this blokes website: http://www.city-fan.org/ftp/contrib/websrv/
    I've built a php-fcgi binary avilable here: http://www.linickx.com/files/rpm/whitebox/4/i386/php-fcgi-4.3.9-3.22.4.1.i386.rpm

    Code:
    [root@www tmp]# /usr/bin/php-fcgi -v
    PHP 4.3.9 (cgi-fcgi) (built: Apr 27 2007 11:41:10)
    Copyright (c) 1997-2004 The PHP Group
    
     
    Last edited: Apr 28, 2007
  5. Taguapire

    Taguapire New Member

    Why

    Why use fastcgi instead PHP module?

    Faster?

    Better security?

    Regards,

    Taguapire
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    fastcgi is not faster the mod_php, but it allows to run php under the admin user of the websites instead of the apache user.
     
  7. linickx

    linickx New Member

    like suphp, except apc ,eaccelerator and xcache appear to support fast-cgi .

    redhat-like users might be interested in reading this php bug before using fast-cgi tho.
     
  8. Ovidiu

    Ovidiu Active Member

    would this be the solution to allow my users who use fastcgi to kill their own processes? sometimes I am required to killall -9 dispatch.fcgi because they make some bigger changes in their scripts...

    also I'd like to ask a question about the settings of fastcgi:

    I am trying to use these config options:

    The first option limits the number of children of a certain script (I guess determined by the name) the second one limits the total number of active children.
    BUT if I set a limit for the first one, this does not work out for me as my different instances all have the same name: dispatch.fcgi so if I set option#1 to 2 because I want each "scritp" running max. 2 times in parallel I won't be able to have more than 2 dispatch.fcgi in total on my system...

    Is there a workaround or did I udnerstand thsi wrong?
     
  9. meemu

    meemu ISPConfig Developer ISPConfig Developer

    did you do ?
    Code:
    cd apache2-2.2.3/
    debian/rules
    
    and
    Code:
    apt-get install apache2.2-common apache2-threaded-dev apache2-mpm-worker
    
    I think it could be apache2-threaded-dev that is missing
     
  10. mtuser

    mtuser New Member

    apt-get source apache2.2-common
    is this any problem?
    i already installed apache2.2-common apache2-threaded-dev apache2-mpm-worker
     
  11. h2o

    h2o New Member

    Thanks for this great howto! Really!

    I was myself trying to compile the patched suexec on a debian/etch and I encourted the same compilation errors reported above by mtuser. Actually, it is just enough to "./configure" before building suexec.

    So, I suggest the following mods to be applyed to the howto;

    apt-get install apache2.2-common apache2-threaded-dev apache2-mpm-worker
    mkdir /root/install
    cd /root/install
    apt-get source apache2.2-common
    cd apache2-2.2.3/
    debian/rules
    ./configure
    cd support
    vi suexec.c
    make suexec

    and voilà.

    Hope that helps.

    Regards,
    --
    h2o
     
  12. mtuser

    mtuser New Member

    Thank you I'll try :)
     
  13. mtuser

    mtuser New Member

    Apache can not start
    line 21:
     
    Last edited: May 21, 2007
  14. meemu

    meemu ISPConfig Developer ISPConfig Developer

    Try enabling the actions module in apache2

    Code:
    a2enmod actions
    
     
  15. mtuser

    mtuser New Member

    php can not be run
    http://myweb.com/phpinfo.php

    500 error - Internal Server Error!

    web error.log
    Apache2/error.log
    hmm it may be too hard for me. nothing done.
    give up.
    Thank you I need to learn more.
     
    Last edited: May 22, 2007
  16. meemu

    meemu ISPConfig Developer ISPConfig Developer

    can you post the content of /var/www/php-fastcgi/web1/php-fcgi-starter ?
     
  17. mtuser

    mtuser New Member

    :( I'm sorry. I can't. I just changed it to suPHP.
     
  18. meemu

    meemu ISPConfig Developer ISPConfig Developer

    per directory settings support

    One thing I noticed about this solution is that you lose the comfort of per directory php settings.
    So today I had a look around and found this:

    http://trac.lighttpd.net/trac/wiki/HowToPhpHtaccess

    It allows for parsing .htaccess files with php settings into directories and parses them for php-cgi. The only thing that it's really missing for a complete replacement of all php module features is a place where to define settings a user cannot override. This one, though, prevents users from overwriting open_basedir and safe_mode stuff (if safe_mode is set).
     
  19. tom

    tom Member

    Why do you patch sussec, does'nt it work like for apache2 from its default?

    Why do you adds www-data to every group created by ISPConfig?

    I'm using apache2.0 together with php-fast-cgi and sussec on sarge3.1 but there was no need to cange something like you told. Is all this different with etch?
     
    Last edited: Jul 31, 2007
  20. jmroth

    jmroth ISPConfig Developer ISPConfig Developer

    Would be cool to know against which version of /root/ispconfig/scripts/lib/config.lib.php this diff was taken like with diff -u or so (includes context) ;)
    From the date of your post I would think
    ISPConfig-2.2.12 (2007-04-17 00:18)
    which I'm going to try now...
     
    Last edited: Oct 6, 2007

Share This Page