Convert PHP sites to use mod_fcgid with suEXEC

How can I change all my PHP sites to use mod_fcgid in Virtualmin GPL? I have several domains and sub-servers; is there any way to automate the creation of FastCGI wrappers, and make it apply to future sites as well? I already have recompiled suEXEC with docroot /home.

Using the search feature in the Virtualmin interface, I found references to FastCGI PHP5 wrappers, but they link to the documentation/help text. I can’t find the actual options.

Thanks!

Howdy,

To enable it for all future sites, go into System Settings -> Server Templates -> Default Settings -> Apache Website, then update the option labeled "Default PHP execution mode".

As for how to automate converting all existing sites?

I’m not sure that you’re able to automate that using the GPL version – the Pro version comes with some command line tools that can do that.

However, you can update it individually for each existing website by first choosing the domain in question, then choosing Server Configuration -> Website Options, and modifying "PHP script execution mode".
-Eric

The easy way mentioned by Eric is actually only available in Professional.

I’ve asked Jamie about this before, as it should probably be in GPL also…but it’s currently part of the Install Scripts code, and apparently not easy to factor out. But when we next chat, I’ll mention it again. I’d like to see everybody running applications the same way. It’d just ease support so much.

It can, of course, be done in GPL…and it’s not even all that hard:

Add to httpd.conf in the public_html Directory section within the relevant VirtualServer section:

    AddHandler fcgid-script .php5
    FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php

Create the wrapper in /home/domainname/fcgi-bin/php5.fcgi:

    #!/bin/bash
    PHPRC=$PWD/../etc/php5
    export PHPRC
    umask 022
    SCRIPT_FILENAME=$PATH_TRANSLATED
    export SCRIPT_FILENAME
    exec /usr/bin/php-cgi

The application files, and the fcgi wrapper must be owned by the user, and must not be world or group writable (suexec will not execute them, if they are).

You also need to copy php.ini into the etc/php5 directory within the user's home.

Thanks, Joe! I got it working for one of my sites, after fixing a few typos.

The AddHandler line should be .php instead of .php5, and the wrapper script is missing .ini at the end of the PHPRC line. (Mine now says [code:1]export PHPRC=$PWD/…/etc/php5.ini[/code:1].)

So this worked for the first site I tried, but unfortunately, when I try it with any other virtual server, I get 403 Forbidden:

[code:1]You don’t have permission to access /index.php on this server.[/code:1]

No errors in /var/log/httpd/suexec.log, and just a 403 in the web site’s error_log. Upon removing the AddHandler line, it works again (falling back to mod_php). Any ideas?

I’m glad to hear that you’re working on adding an interface to this to the GPL version. Right now, I’m a little uncomfortable with hard-coding things like /home/username into the httpd.conf–if the username ever changes (through Virtualmin), will all occurrences be updated?

The AddHandler line should be .php instead of .php5, and the wrapper script is missing .ini at the end of the PHPRC line. (Mine now says

Oops on the former, but the latter is correct. PHPRC can be a directory path, containing php.ini. Sorry, I didn’t make that one clear. :wink:

No errors in /var/log/httpd/suexec.log, and just a 403 in the web site's error_log. Upon removing the AddHandler line, it works again (falling back to mod_php). Any ideas?

Are you sure the ownership of the wrapper and the application files are the user? And they aren’t group/world writable?

Those are the obvious candidates for blame.

I'm glad to hear that you're working on adding an interface to this to the GPL version. Right now, I'm a little uncomfortable with hard-coding things like /home/username into the httpd.conf--if the username ever changes (through Virtualmin), will all occurrences be updated?

Generally, this kind of change is safe, because Virtualmin actually understands the configuration files it manages–it doesn’t regenerate from templates, except when you turn off a feature and then turn it back on. That’s why you love Virtualmin. :wink:

You can add this stuff to your Server Template (the AddHandler stuff) and your skel directory (the wrapper script and php etc. directory), and it’ll get added to your virtual servers automatically in the future (and in the event you disable the server and re-enable later, causing the server config to be regenerated). So, it can be entirely automatic, just like in Professional. Just the switching from the UI will be missing.

Hey guys, I was able to get this going, however I have a question: how would I turn on and off the php.ini modules that I want? For instance, I need register_globals turned off for one site but on for another. Would I put an actual php.ini file in the public_html directory?

Thanks,

Hey Andy,

I am sorry, I don't see "default php execution mode" in the location you say it is. I am sure I am looking in the wrong place, but I am not sure.

Here is my screen shot of what I see in the location you mentioned.

Thanks,

hosthoboguy, you’ll need to add an /etc/php5 folder containing the php.ini in the /home/domain section, like Joe is describing

the php execution mode is not available in VM GPL hence the manual way of doing this.

Here is what I added to my httpd.conf file:

    <Directory /home/centosguru/public_html>
    AddHandler fcgid-script .php
    FCGIWrapper /home/centosguru/fcgi-bin/php5.fcgi .php
    Options -Indexes IncludesNOEXEC FollowSymLinks
    allow from all
    AllowOverride All
    </Directory>

I created the fcgi directory under the /home/centosguru directory

    drwxr-x--- 11 centosguru centosguru 4096 Oct 9 08:55 .
    drwxr-xr-x 11 root root 4096 Sep 28 13:55 ..
    drwxr-xr-x 2 centosguru centosguru 4096 Oct 10 09:01 awstats
    -rw-r--r-- 1 centosguru centosguru 25 Sep 12 08:25 .awstats-htpasswd
    -rw-r--r-- 1 centosguru centosguru 33 Sep 12 08:25 .bash_logout
    -rw-r--r-- 1 centosguru centosguru 176 Sep 12 08:25 .bash_profile
    -rw-r--r-- 1 centosguru centosguru 124 Sep 12 08:25 .bashrc
    drwxr-x--- 2 centosguru centosguru 4096 Sep 17 10:26 cgi-bin
    drwxr-xr-x 2 centosguru centosguru 4096 Sep 17 10:26 etc
    drwxr-xr-x 2 centosguru centosguru 4096 Oct 9 08:55 fcgi-bin
    drwxr-xr-x 2 centosguru centosguru 4096 Sep 12 08:25 homes
    drwxr-x--- 2 centosguru centosguru 4096 Oct 5 04:02 logs
    drwxr-xr-x 4 centosguru centosguru 4096 Aug 29 10:05 .mozilla
    drwxr-x--- 10 centosguru centosguru 4096 Sep 17 10:26 public_html
    -rw-r--r-- 1 centosguru centosguru 25 Sep 12 08:25 .stats-htpasswd
    drwx------ 3 centosguru centosguru 4096 Sep 12 08:25 .usermin
    -rw-r--r-- 1 centosguru centosguru 658 Sep 12 08:25 .zshrc

So I think I am confused. Sorry for all this, but I am really trying to understand it.

Thanks again,

the dir structure looks good, i.e /etc and /fcgi-bin

this is what i have in the httpd.conf - <virtualhost>
don’t forget the RemoveHandler

    <Directory /home/domain/public_html>
    Options Indexes IncludesNOEXEC FollowSymLinks ExecCGI
    allow from all
    AllowOverride All
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php5
    FCGIWrapper /home/domain/fcgi-bin/php5.fcgi .php
    FCGIWrapper /home/domain/fcgi-bin/php5.fcgi .php5
    </Directory>
    <Directory /home/domain/cgi-bin>
    allow from all
    </Directory>
    RemoveHandler .php
    RemoveHandler .php5
    IPCCommTimeout 31

Do you see an suexec log in /var/log/httpd/? Does it by chance contain any info on why things aren’t working correctly for you?
-Eric

I checked the log, and at first I thought that you had hit the nail on the head. I found the following error:
file has no execute permission: (/home/online-media/fcgi-bin/php5.fcgi)
However, I think that this was messing with the permissions, so it is still not working even after I have changed the permissions to 755 for the file php5.fcgi.
Once the permissions have been changed, I now get the following in the logs:
uid: (503/domain) gid: (504/504) cmd: php5.fcgi

Cheers,

Paul

Okay, that definitely fixed part of it though – are you seeing a more descriptive error in the Apache error_log now?
-Eric

Doh! I think my brain has decided to stop working. I neglected to look at the /etc/httpd/logs/error_log and instead was concentrating on the /var/log/virtualmin/domain_error_log.

[Thu Feb 19 15:37:53 2009] [notice] mod_fcgid: call /home/domain/public_html/_site/index.php with wrapper /home/domain/fcgi-bin/php5.fcgi
suexec failure: could not open log file
fopen: Permission denied

Cheers,

Paul

I’ve checked the permissions on /var/log/httpd/suexec.log and they are the following:
-rw-r--r-- 1 root apache

do you happen to know what the group/owner/permissions should be?

Cheers,

Paul

Well, since you’re seeing messages in the suexec log file, I’m not sure that’s what’s being referred to here… and your permissions look good above.

Does the timestamp for that logfile error correspond with your attempt to call the script?
-Eric

Yes, that is the case. The error messages are definitely being generated every time.

I’m actually finding quite a number of similar issues with suexec on the web.

I’ve changed permissions to chmod 4750 suexec.log as per http://httpd.apache.org/docs/2.0/suexec.html#install this, however it is still not working.

Cheers,

Paul

actually the link I posted previously is in reference to executing suexec, not the log file. So if I could edit the post I would :slight_smile:

Any other ideas, as I’m stumped as to why this isn’t working.

Thanks,

Paul

It looks like that issue had come up here in the past:

http://www.virtualmin.com/index.php?option=com_flyspray&Itemid=82&do=details&task_id=5047&Itemid=82&dev=64

Oddly enough, the problem ended up being that the file being called had Windows format newlines in it – running the dos2unix program on the file in question resolved it.
-Eric
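
The conditions this thread turns up for a wrapper that suEXEC will run (owned by the site user, not group or world writable, executable, no Windows newlines), gathered into one pre-flight check. This is an added example, not code from any post or from Virtualmin; the path and user in the usage comment are placeholders, and the directory check follows Apache's suEXEC documentation rather than the thread.

```shell
#!/bin/sh
# Added example: pre-flight audit of an fcgid wrapper before suEXEC runs it.
# Usage: check_wrapper /home/example/fcgi-bin/php5.fcgi example
# (path and user are placeholders; the owner may be a name or a numeric uid)

check_wrapper() {
    f=$1; owner=$2; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    [ -f "$f" ] || { echo "FAIL: $f is not a regular file"; return 1; }

    case $owner in
        ''|*[!0-9]*) want_uid=$(id -u "$owner") || return 1 ;;
        *)           want_uid=$owner ;;
    esac

    # ls -ldn prints the mode string (field 1) and numeric owner uid (field 3).
    mode=$(ls -ldn "$f" | awk '{print $1}')
    uid=$(ls -ldn "$f" | awk '{print $3}')
    dmode=$(ls -ldn "$(dirname "$f")" | awk '{print $1}')

    [ "$uid" = "$want_uid" ] || fail "owner uid is $uid, expected $want_uid"

    # Character 6 of the mode string is group write, character 9 world write.
    case $mode in
        ?????w*|????????w*) fail "wrapper is group/world writable ($mode)" ;;
    esac
    case $dmode in
        ?????w*|????????w*) fail "directory is group/world writable ($dmode)" ;;
    esac

    # Character 4 is the owner's execute bit (x, or s when setuid).
    case $mode in
        ???[xs]*) ;;
        *) fail "wrapper has no execute permission ($mode)" ;;
    esac

    # Windows newlines leave a CR after the interpreter path on the #! line.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then
        fail "CRLF line endings found; convert with dos2unix"
    fi

    [ "$problems" -eq 0 ] && echo "OK: $f"
    return "$problems"
}
```

The function's exit status is the number of failed checks, so it can be run in a loop over every /home/*/fcgi-bin/php5.fcgi before switching a site's handler.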