Hey there I want to use your method to accomplish this … http://www.virtualmin.com/node/12612
But to tell you the truth I can’t understand what you are talking about.
For instance the /etc/apache2/httpd.conf is an empty file.
This directory is created for each virtual server, but you need the fcgi wrapper only once per user.
This “location” you mention doesn’t exist.
Well, the location does but the label doesn’t.
Is this still the situation with GPL? Do I have to manually configure the httpd.conf for users (or add it to the server templates settings that I’ve seen posted in other posts)?
If this thread is going to be stickied, it would be nice to have a clearly defined post stating what IS or ISN’T the case… not spread over several posts by replies from non-staff…
But what happens if the user has FTP access? Then he is able to change the variables in the php-starter. How do I prevent this?
Don’t add the user to apache… that’s prob the worst thing you can do.
Apache is meant to run AS user, not user run AS apache… that means they could access other users on the server.
If you are doing it for just yourself then it shouldn’t be much of an issue I would think.
You cannot. Not that you’re losing much.
Remember that somebody with FTP access can always install a CGI script written in Perl, C, or whatever he likes (or anybody who stole his FTP password). Scripts written in these languages do not limit resource usage.
To limit per-process RAM usage, you can use ulimits.
To limit disk usage, use quotas.
To limit things like HTTP request or answer size, you can configure Apache. Note that there are traps for the unwary here, it’s easy to limit request sizes to 10K only to find out that nobody can upload a file of 10K or more - be careful what you limit.
Have suhosin installed. It is quite intelligent about plugging security holes that typical PHP code leaves - but, as said, it’s not going to help against malicious users or hackers who cracked an innocent user’s account.
What you need is user-based resource management (where a “resource” is any of CPU cycles, RAM usage, and network traffic).
Users that use more than their share of each resource get lower priority on the resource, so the others have a chance to catch up on usage.
I do not know of anything for Linux that does that though. (I’d like to have it myself!)
Instead, I have set up service monitoring, installed atop, and whenever the machine gets slow, I look which user is causing CPU or RAM overload, and tell them off.
But it’s not recommended to save the php-fcgid inside the user’s home. That’s a big security hole. Sure, I can limit processes, but first of all it must be a “safe” setup. The php-fcgid starters must be outside the user’s home, for example in /home/php-fcgbin or something like that.
So it’ll be fine to call these fcgid and php.ini settings from outside of the users /home/ directories?
I’ll change that myself then if that’s the case.
I think so. If that’s the case, users with FTP access can’t change the settings from php.ini and php5.fcgi. I think this can be handled with a little script that’s called after the virtual server creation.
OK, I wrote two very dirty little scripts.
http://pastebin.com/m167f7d41
http://pastebin.com/d493d706e
Go to /etc/skel
mkdir fcgi-bin
cp path/to/your/php.ini .
create php5.fcgi with this content http://pastebin.com/d493d706e
chmod 755 php5.fcgi
create /usr/local/bin/php5.fcgi with this content http://pastebin.com/m167f7d41
chmod 0755 /usr/local/bin/php5.fcgi
Go to Virtualmin Module Config --> Actions upon server and user creation --> Command to run after making changes to a server: /usr/local/bin/php5.fcgi
Go to Server Templates --> Apache website --> Directives and settings for new websites and paste http://pastebin.com/d8df4bd2
Permissions on website subdirectory 755
Now PHP-Fcgid should work. As I said, it’s a very dirty script. I hope someone with better bash skills could improve the script.
Not putting php-fcgid inside a user’s home is roughly equivalent to a road bump.
I enumerated the reasons in the post before; I won’t repeat them here.
php.fcgi needs to be owned by the user.
And Unix permissions being what they are, there is no way you can prevent a user from overwriting the file contents with something of his liking.
(Well, there is, but it will create more problems at other levels.)
Please. Let the operating system take care of itself, and it will do just fine.
For example, you cannot monitor the resource usage of MySQL anyway. Anybody running monster SQLs in his PHP scripts will bog down your server no matter what. And these monster SQLs can look very innocent, until you realize there’s an index missing in the database.
Either know what you’re doing (or learn it), or trust your users.
Hi guys,
Thank you for your help!
I tried to do that with my virtualmin: to use suExec but it doesn’t work.
Steps:
Well, did I miss something?
Thank you
Yoong
There are so many ways that this could go wrong that “it doesn’t work” doesn’t tell us what to fix.
You’ll need to check the logs for error messages.
Hello,
I have a question regarding this setup (mod_fcgid).
I have set up my server like this some while ago. I am running Ubuntu 8.04.
I have several virtual servers on the machine, each running its own php.ini (as explained in the earlier posts of this thread).
I would like to install Zend Optimizer to be able to run encoded PHP scripts.
How do I proceed?
If I understand it right, when I install Zend Optimizer, the installation will make some changes to php.ini, it will make a symlink to its own php.ini, etc…
But the php.ini for each user (virtual server) is unique for each, located in the users home directory.
Does anybody know how to make this work? Has anybody installed Zend Optimizer with this setup, please?
I will answer my own question, just in case somebody needs it.
Well, it is very simple.
I have downloaded the Zend Optimizer and unpacked it in my home directory.
Then I edited the php.ini file on the website where I needed Zend Optimizer and pointed it to the location in my home directory.
Instructions from Zend: http://kb.zend.com/index.php?View=entry&EntryID=424
Can you repost the content? Pastebin links are dead/expired…
Zend Optimizer will do all that we want with a simple click?
I’m new to Virtualmin GPL (only had my Linode VPS for 3 days) and can’t get this to work. I’m running 32 bit Ubuntu 8.04 LTS and Virtualmin installed with the script. Here is what I have done.
I copied the php.ini file to /home/jeromehamilton/etc/php5/php.ini
I then created php.fcgi in /home/jeromehamilton/fcgi-bin/php.fcgi with the following text
#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi
I then edited jeromehamilton.com.conf in the /etc/apache2/sites-available/jeromehamilton.com.conf with the following text
<VirtualHost 173.230.146.106:80>
SuexecUserGroup "#1001" "#1002"
ServerName jeromehamilton.com
ServerAlias www.jeromehamilton.com
DocumentRoot /home/jeromehamilton/public_html
ErrorLog /var/log/virtualmin/jeromehamilton.com_error_log
CustomLog /var/log/virtualmin/jeromehamilton.com_access_log combined
ScriptAlias /cgi-bin/ /home/jeromehamilton/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/jeromehamilton/public_html>
Options -Indexes +IncludesNOEXEC +FollowSymLinks +ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/jeromehamilton/fcgi-bin/php.fcgi .php
</Directory>
<Directory /home/jeromehamilton/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.jeromehamilton.com
RewriteRule ^(.*) https://jeromehamilton.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.jeromehamilton.com
RewriteRule ^(.*) https://jeromehamilton.com:10000/ [R]
Alias /dav /home/jeromehamilton/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV On
AuthType Basic
AuthName jeromehamilton.com
AuthUserFile /home/jeromehamilton/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RewriteEngine off
</Location>
RedirectMatch /cgi-bin/mailman/([^/.]*)(.cgi)?(.*) https://jeromehamilton.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
RedirectMatch /mailman/([^/.]*)(.cgi)?(.*) https://jeromehamilton.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$3
</VirtualHost>
I also had to add the following to /etc/apache2/httpd.conf
ServerName lvthunder.com
lvthunder.com is my Fully Qualified Domain Name. I’m just starting with my new site I’m building and will be moving the old ones when I get it all working right.
So when I run phpinfo it still shows php.ini being run in /etc/php5/apache2/php.ini and the Apache user as www-data. I don’t know what to do now. Can someone please help me?
Thanks,
Hi,
Did you make the “php.fcgi” script executable? (chmod 0755)
This is an often overlooked step. Also once you’ve completed the changes to Apache, you need to restart it to make the settings active.
If you’ve done the steps above, then can you provide a snippet of the error_log file which is produced upon accessing a PHP file on your server.
I’ve set up tons of servers using PHP via FCGI, and have had no issues.
If needed, I can be hired to resolve your issue for a modest fee.
-Peter
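
A pre-flight check for the FCGI wrapper discussed in this thread, as an added example that is not part of any post: it tests the conditions Apache's suexec enforces on a target program and its directory (owned by the vhost's user, not writable by group or others, owner-executable, no setuid/setgid bits). The function names are hypothetical; the path and uid in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an FCGI wrapper against the
# ownership and permission checks suexec applies before running it.

perm_of()  { ls -ldn -- "$1" | cut -c1-10; }         # e.g. -rwxr-xr-x
owner_of() { ls -ldn -- "$1" | awk '{print $3}'; }   # numeric uid

# audit_wrapper FILE UID: prints one line per finding, returns the count.
audit_wrapper() {
    f=$1; uid=$2; n=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    d=$(dirname -- "$f")
    # The wrapper and its directory must both belong to the suexec user
    # and must not be writable by group or others.
    for p in "$f" "$d"; do
        m=$(perm_of "$p")
        if [ "$(owner_of "$p")" != "$uid" ]; then
            echo "$p: not owned by uid $uid"; n=$((n + 1))
        fi
        case $m in
            ?????w????|????????w?)
                echo "$p: writable by group or others ($m)"; n=$((n + 1)) ;;
        esac
    done
    m=$(perm_of "$f")
    # The often overlooked step: the wrapper must be executable.
    case $m in
        ???[xs]*) ;;
        *) echo "$f: owner execute bit missing ($m)"; n=$((n + 1)) ;;
    esac
    # suexec refuses setuid/setgid targets.
    case $m in
        ???[sS]*|??????[sS]*)
            echo "$f: setuid/setgid bit set ($m)"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Usage on the server from the thread (uid from its SuexecUserGroup line):
#   audit_wrapper /home/jeromehamilton/fcgi-bin/php.fcgi 1001
```

A zero return only means these file-level checks pass; suexec's own log and the vhost's error_log remain the place to look for the actual refusal reason.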