Fastcgi + SuExec + APC and is SuExec even needed?

Discussion in 'Installation/Configuration' started by scottrill2, Mar 5, 2011.

  1. scottrill2

    scottrill2 Member

    Hello folks,

    Here comes a novel of epic not attempt to read it all at once. This could cause internal bleeding, anal leakage, or at the very least your IQ will drop by ten points. lol

    Alot of people on the Joomla forums recommend "Alternative PHP Cache" for joomla sites. After some reading it is not quite clear to me how compatible this will be.

    I currently have ISPConfig 3 set up like here:

    I am running fastcgi and suexec together. Now first question:

    Question 1. The tutorial is telling you how to set up APC with fastcgi, but it is a tutorial for a setup using fast cgi by itself NOT with suexec also running correct?

    Question 2. I have a book from the library talking about apache and php. It stated that Suexec is ONLY needed on shared hosting, and that it slows down the web serving. From what I can see on the web almost everytime suexec is mentioned it is discussing shared hosting or scenarios where someone one who already has valid access to the machine can run malicious php /mysql stuff.

    Is the above statement generally true? I look at logs and see all these Chinese IPs constantly pinging the server etc so I automatically want to enable anything that even sounds secure lol But I am such a newb, I never thought to find out if I truly needed that security. So now it has me wondering if I even need SuExec. If I don't then you all have a tutorial for me already for setting up APC with Debian and fast cgi, and those tutorials always come off without a hitch.

    I have a handful of small sites just for my family. My brother in law is in the miltary so I let him host is seargents association or something on it. But aside from him or myself no one else is on there.

    I do electroplating and jewelry in my part time so one day I could forsee myself having a couple ecommerce sites, but the two of us would still be the only people with direct access to the machine.

    Is Suexec really needed in my case? The other thing I have read alot is that Suexec will stop malicious scripts from causing too much harm, but if we are the only two retards with access?? And if a hacker or something forced his way into the server wouldnt he be good enough to just turn off security anyway? As far as injecting code or whatever isnt that what suhosin stops? Which I have enabled.

    So your thoughts and advice on Suexec first then I'll continue from there if need be.

    Also just as a thought, your all's tutorials are so damned perfect, literally taking us new folks by the hand lol Hell I come to howtoforge for any server question before going anywhere else.

    Have you all thought about making like linux, apache, php, mysql educational videos and then selling subscriptions etc to them? Most of these books on linux are so bland I find it similair to nails going across the blackboard as I read them lol

    As always thanks for the help and suggestions folks,

  2. falko

    falko Super Moderator ISPConfig Developer

    That should work for suExec as well.

    You need suExec only if you also host web sites for people you don't know or don't trust. It has to do with people that have access to your server (i.e., people that could upload malicious scripts to your server), but not with remote users (unless your web applications have some vulnerability that could be abused by remote users/hackers).
  3. scottrill2

    scottrill2 Member

    Thanks for the reply.

    I appreciate the input Falko. I was away part of the week so I just now got around to following the tutorial, went like a charm.

    I will go ahead and keep SuExec, only because eventually I will probably throw up a site to offer electroplating services and don't want to get hacked because of a loophole or whatever.

    So tonight I started searching for the "best" recommended settings for APC with fast-cgi and suexec enabled. I came across this site:

    He recommends mod_fastcgi over the newer mod_fcgid to squeeze out the most performance. All of his other settings it appears I can set right in ISPConfig 3's control panel.

    In a nutshell he states: "The fact that PHP spawns its own children is ignored by mod_fcgid. If we use mod_fcgid with our setup, we can only handle one concurrent PHP request. This is not good. A long running request could easily block multiple smaller requests."

    Does what he says make enough sense for me to uninstall mod_fcgid and replace with mod_fastcgi?

    Also how would switching to mod_fastcgi affect ISPConfig 3 in general?

    Thanks as always for the input.


Share This Page