[ubuntu-uk] PHP security
Tyler J. Wagner
tyler at tolaris.com
Fri Jun 11 22:06:34 BST 2010
On Friday 11 June 2010 17:47:08 Chris Rowson wrote:
> Here's my current level of understanding! If anyone can fill in
> the gaps (or correct me if I'm wrong) I'd be really grateful.
(snipped for brevity)
Your stated understanding is correct, as far as I know it.
> What I'm still hazy on is this:
>
> cgi is slower than fastcgi because it (a bit like prefork MPM) has one
> process per thread (whereas fastcgi can service multiple requests with
> one process).
>
> However...... we want each virtual host to have its own waiting
> fastcgi process (to separate out script execution to enhance security)
> standing by to execute PHP scripts. How do we do that?
That's easy. Again, webmin + virtualmin will set it up for each domain/account
pretty easily. But here are the packages you need:
apache2-mpm-worker libapache2-mod-fcgid php5-cgi
You can also use libapache2-mod-fastcgi, with slightly different settings.
Enable the fcgid module. Then create a php handler in apache2.conf or a file in
conf.d/, with:
AddType application/x-httpd-php .php
<Directory /var/www>
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI
</Directory>
<Directory /usr/share>
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI FollowSymlinks Indexes
</Directory>
Then in each site's definition (/etc/apache2/sites-available/domainname):
ScriptAlias /cgi-bin/ /home/domainname/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
SuexecUserGroup "#1005" "#1005"
Where 1005 is the user id and group id of this domain's user. Finally, create an
executable file /home/domainname/cgi-bin/php5.cgi containing:
#!/bin/bash
# Per-domain PHP FastCGI wrapper; suexec runs it as the domain's own user.
# Point PHP at this domain's own php.ini (/home/domainname/etc/php5/php.ini).
export PHPRC="$PWD/../etc/php5"
# Files PHP creates must not be group- or world-writable.
umask 022
# mod_fcgid hands over the script path as PATH_TRANSLATED; php-cgi expects SCRIPT_FILENAME.
export SCRIPT_FILENAME="$PATH_TRANSLATED"
exec /usr/bin/php-cgi
This allows each user to have their own /home/domainname/etc/php5/php.ini and
cgi-bin directory. This is the virtualmin way. You could do it another way,
but it works for me.
The attached samples are:
/etc/apache2/sites-available/domainname.conf
/etc/apache2/conf.d/local.conf
/home/domainname/cgi-bin/php5.cgi
I put this last file in my domain-user skel directory so new domain accounts
get it.
Regards,
Tyler
--
"I have never killed a man, but I have read many obituaries with great
pleasure."
-- Clarence Darrow
-------------- next part --------------
<VirtualHost *:80>
ServerName domainname.com
ServerAlias www.domainname.com
ServerAlias webmail.domainname.com
ServerAlias admin.domainname.com
Redirect / http://www.domainname.net/
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.domainname.com
RewriteRule ^(.*) http://domainname.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.domainname.com
RewriteRule ^(.*) https://domainname.com:10000/ [R]
</VirtualHost>
-------------- next part --------------
# 2008-08-04 tyler - basic settings
NameVirtualHost *:80
NameVirtualHost *:443
ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off
# 2008-11-10 tyler - FastCGI + PHP settings
AddType application/x-httpd-php .php
<Directory /var/www>
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI
</Directory>
<Directory /usr/share>
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php
Options +ExecCGI FollowSymlinks Indexes
</Directory>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: php5.cgi
Type: application/x-shellscript
Size: 114 bytes
Desc: not available
Url : https://lists.ubuntu.com/archives/ubuntu-uk/attachments/20100611/c1bf32e8/attachment-0001.bin
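The point of the SuexecUserGroup plus per-domain php5.cgi layout above is that suexec will only run the wrapper if it is owned by the target user and not writable by anyone else; a wrapper that fails those rules either will not run or, worse, lets another local user change what runs as that domain. The script below is an added example, not part of Tyler's mail or of virtualmin: it reads the uid from a site's SuexecUserGroup line and checks the wrapper against those ownership rules. It assumes GNU stat (Linux), one SuexecUserGroup line per site file, and whatever site-file and wrapper paths your layout uses.

```shell
# Added example (not from the original mail): check that a site's
# SuexecUserGroup and its php5.cgi wrapper agree with the rules suexec
# enforces: owned by the target uid, executable, not group/world writable.
# Assumes GNU stat (Linux) and one SuexecUserGroup line per site file.

# Print the numeric uid from a line like: SuexecUserGroup "#1005" "#1005"
suexec_uid_from_site() {
    sed -n 's/^[[:space:]]*SuexecUserGroup[[:space:]]*"#\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# check_wrapper WRAPPER UID
# Returns 0 when the wrapper is safe for suexec to run as UID; otherwise
# prints the first problem found and returns 1.
check_wrapper() {
    wrapper=$1
    want_uid=$2
    [ -f "$wrapper" ] || { echo "missing: $wrapper"; return 1; }
    [ -x "$wrapper" ] || { echo "not executable: $wrapper"; return 1; }
    have_uid=$(stat -c '%u' "$wrapper")
    perms=$(stat -c '%A' "$wrapper")            # e.g. -rwxr-xr-x
    [ "$have_uid" = "$want_uid" ] || { echo "owned by uid $have_uid, expected $want_uid: $wrapper"; return 1; }
    group_w=$(printf '%s' "$perms" | cut -c6)   # group write bit
    other_w=$(printf '%s' "$perms" | cut -c9)   # other write bit
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        echo "group/world writable ($perms): $wrapper"
        return 1
    fi
    return 0
}

# check_site SITEFILE WRAPPER
# Read the uid the site runs as, then check the wrapper against it.
check_site() {
    uid=$(suexec_uid_from_site "$1")
    [ -n "$uid" ] || { echo "no SuexecUserGroup in $1"; return 1; }
    check_wrapper "$2" "$uid"
}

# Typical use (paths from the layout described in the mail):
#   check_site /etc/apache2/sites-available/domainname /home/domainname/cgi-bin/php5.cgi
```

Run it over every site file after creating a new domain account; a mismatch between the uid in SuexecUserGroup and the wrapper's owner is the usual reason a freshly copied skel file fails under suexec, and a group- or world-writable wrapper is the one to fix first.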