Move from /var/www to /home on apache

Operating system: CentOS
OS version: 8

Apache defaults to /var/www

How do I move to /home/user/public_html? I do have SELinux set to enforcing.

Note that I got this from Virtualmin:

SuExec cannot be used to run PHP scripts in CGI or FCGId modes : The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin virtual server home directory is /home. CGI scripts run as domain owners will not be executed.

The following PHP versions are available : 7.2.24 (/bin/php-cgi)
The following PHP-FPM versions are available on this system : 7.2.24 (php-fpm)
The following PHP execution modes are available : fpm

I saw some threads about this, but do not fully understand.

Hi,

The Suexec command on your system is configured to only run scripts under /var/www, but the Virtualmin virtual server home directory is /home. CGI scripts run as domain owners will not be executed.

This is just a warning message and it doesn’t imply that you need to take any extra actions. Your PHP scripts will work just fine and execute as virtual server owner.

Using PHP-FPM will be enough and perhaps be a better choice than FCGI for the majority of users. However, if you need to run CGI scripts, we suggest using Debian 10 or Ubuntu 20.04.

@JamieCameron Jamie, do we really need to print this warning message? It raises unnecessary questions.

ok, I just mentioned the message because I was not sure if it mattered.

My question was really regarding the disparity between the Apache default /var/www and the Virtualmin /home/$USER/public_html.

In my mind it makes sense to have it in the home folder in terms of dealing with permissions.
I typically do not allow users to write directly to /var

Do I just change the DocumentRoot in httpd.conf to point to /home? Virtualmin will automatically create the public_html in each user’s home folder and set up the correct SELinux permissions?

No. Don’t change anything.

You cannot configure this message away. It is not an error. It is not a problem you need to fix.

It indicates that suexec is compiled (not configured) to use /var/www as the suexec_docroot. You cannot change it without recompiling Apache. We used to recompile Apache for you (in all versions of CentOS up through 7) because there was no other way to safely run applications in a shared hosting environment. That’s no longer true. Use php-fpm to run your PHP apps. Use an app server and proxying to run your apps in other languages. Forget about suexec.

Don’t change anything? Don’t I at least need to change Virtualmin so that it looks at /var/www? Otherwise, wouldn’t the folders be created in /home? Or does it create symlinks in /home to /var/www?

Please re-read my previous message. I don’t know how to be more clear than “don’t change anything” when I mean to tell you that you should not change anything.

2 Likes

I think it has value as a warning that traditional CGI scripts won’t work. Maybe nobody uses them anymore and we can just drop this message though?

1 Like

CGI still comes up now and then, so, it’s not bad to warn folks. But, somehow it needs to not look like an error they need to (or can, with reasonable effort) fix.

I still don’t understand what the message means. Virtualmin will create folders in /home. Everything will still work fine unless I am using suexec (PHP + fcgid)? Virtualmin takes care of setting the correct permissions and SELinux context?

Yes. That’s always the case.

Virtualmin will not offer fcgid as an option on CentOS 8. Or, at least, it shouldn’t. If it does, that’d be a bug. So, unless you’re doing something manually, you aren’t using suexec.

Permissions are always the same, no matter what kind of execution mode you use, as long as it is a mode that executes as the user (and in a shared hosting environment, you should never use any mode that doesn’t run as the user). Permissions are no different for PHP-FPM, FCGI+suexec, or CGI+suexec.

SELinux is not related to this in any way, and SELinux is disabled in a default installation (Virtualmin can work with SELinux with a few booleans switched, but most users can’t cope with it…it’s too complicated, too opaque, and many problems that arise are unidentifiable and unfixable without root privileges).

In short: The message means FCGI+suexec or CGI+suexec execution modes are unavailable. That isn’t a bad thing. You do not need those modes. You have PHP-FPM. Apps in other languages will require running under an app server (rather than, e.g. CGI), but that’s already the recommendation from every modern web app.

That’s all it means. Don’t make it complicated. You have PHP-FPM. PHP-FPM is always the recommended way to run PHP apps, even when suexec can run things in /home, so you don’t need to care about it. On CentOS 8, we no longer recompile Apache to change the suexec_docroot to /home. On Debian/Ubuntu there is a suexec-custom package that allows configuring suexec_docroot; RHEL/CentOS does not offer such a package, so the only way to make it work with /home is to recompile…but, it does not matter, because you don’t need it. PHP-FPM is all you need.

2 Likes
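The compile-time limit described in the replies above can be read from the suexec binary itself. The following is an added example, not part of the original thread or of Virtualmin: it parses `suexec -V` output (printed on stderr, and only for root or the Apache user) and checks whether a site directory falls under the compiled-in `AP_DOC_ROOT`. The sample output is constructed, and the function names are hypothetical.

```shell
# Constructed sample of `suexec -V` output for a stock build (not captured from a host).
SAMPLE_SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"'

# Print the compiled-in value of one -D setting; reads `suexec -V` text on stdin.
suexec_setting() {  # $1 = setting name, e.g. AP_DOC_ROOT
    sed -n "s/^ *-D $1=//p" | tr -d '"' | head -n 1
}

# Succeed if path $1 is directory $2 or lies below it.
# Pure string comparison on path components; symlinks are not resolved.
path_under() {
    case "${1%/}/" in
        "${2%/}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "suexec-possible" if the site directory is inside AP_DOC_ROOT,
# otherwise "suexec-unavailable" (CGI+suexec and FCGI+suexec will refuse to run there).
# suexec applies further checks (UID/GID minimums, ownership) that are not modelled here.
suexec_verdict() {  # $1 = site directory, $2 = text of `suexec -V`
    sv_docroot=$(printf '%s\n' "$2" | suexec_setting AP_DOC_ROOT)
    if [ -n "$sv_docroot" ] && path_under "$1" "$sv_docroot"; then
        echo "suexec-possible"
    else
        echo "suexec-unavailable"
    fi
}

# Demo on the constructed sample. On a real host, as root:
#   suexec_verdict /home/user/public_html "$(suexec -V 2>&1)"
suexec_verdict /home/user/public_html "$SAMPLE_SUEXEC_V"
```

A result of `suexec-unavailable` for a directory under /home matches the warning quoted at the top of the thread and does not affect PHP-FPM.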

@JamieCameron Jamie, what about Mail Client Configuration, we’re still using it? I’m afraid we need to come up with something, like to find a way to patch or replace original suexec file or even have custom builds for Apache?

Correct, we’re still using CGIs for the email client auto-config.

Oh, dang. We need to fix that.

I suppose we could switch to using a PHP script? It has to be some kind of dynamic language, as the XML config file can’t be generated as static HTML.

Yeah, that might be the simplest. There are simple Perl app servers, as well, including ways to run CGI scripts unmodified, but we’d still need the proxy rules.

Ok, I’ll take a look into it…