Apache2 + mod_fastcgi + suexec on debian etch

I know it’s difficult to find good documentation to configure apache2 with mod_fastcgi and suexec to make php websites works. This configuration works well with Debian Etch (4.0).
Here an example of configuration.

The following suppose that your web data are in /var/www/ (there are good reason for this as we’ll see later).
/var/www/toto/: the web account of toto
/var/www/toto/web/: the web dir of the toto’s account
/var/www/toto/conf/php.ini: you own php.ini file
/var/www/toto/cgi-bin/php.fcgi: the fcgi file which allow to run php5-cgi with a specific php.ini file for each virtual host

First of all don’t forget that mod_fastcgi and mod_fcgid are different. Difference between mod_fastcgi and mod_fcgid is mostly at license level, since some might consider mod_fastcgi not to be totally free.

Enable fastcgi and suexec:
#a2enmod fastcgi
#a2enmod suexec

Suexec has no configuration file, because every parameter is hardcoded. Therefore, if you need to configure suexec, do it at apache2 compile time.
Let’s see how…

#/usr/lib/apache2/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

AP_DOC_ROOT is set to « /var/www », which is the reason you would want to put your files in /var/www/. You cannot just ignore this fact; if this directory is inconsistently set, it just won’t work. If you want to change this directory, you must recompile apache2 with your own configuration.

/var/www/toto/cgi-bin/php.fcgi:
#!/bin/sh
PHPRC="/var/www/toto/conf/"
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=200
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php5-cgi

fastcgi.conf: (in /etc/apache2/mods-available/ for Debian)
<IfModule mod_fastcgi.c>
AddHandler fastcgi-script .fcgi
FastCgiWrapper /usr/lib/apache2/suexec
FastCgiIpcDir /var/lib/apache2/fastcgi
FastCgiConfig -singleThreshold 1 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>

See http://www.fastcgi.com/ if you want to know about all the options possible in fastcgi.conf.

Let’s configure (in /etc/apache2/sites-available/ for debian etch) a virtual host for toto:
<VirtualHost xxx.xxx.xxx.xxx:80>
ServerAdmin webmaster@toto.org
ServerName toto.org
DocumentRoot /var/www/toto/web/

SuexecUserGroup UserName GroupName

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/toto/web/>
Options -Indexes FollowSymLinks -MultiViews
AllowOverride all
Order allow,deny
Allow from all
</Directory>

ScriptAlias /cgi-bin/ /var/www/toto/cgi-bin/
<Directory "/var/www/toto/cgi-bin/">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

AddHandler php-fastcgi .php
AddType application/x-httpd-php .php
DirectoryIndex index.html index.php
Action php-fastcgi /cgi-bin/php.fcgi

ServerSignature On
</VirtualHost>

This virtual host can be enabled in /etc/apache2/sites-enabled/ by creating a symbolic link.
Make sure to set appropriate rights for /var/www/toto/ you set in the virtual host (SuexecUserGroup), since php5-cgi will be executed with these rights.

restart apache2 :
#/etc/init.d/apache2 restart

A maximum of four php5-cgi will be launched when the first visitor will visit the website. They would be killed after a timeout of 240 seconds of inactivity, as set in fastcgi.conf.
It should work.
Please tell me know if you are aware of issue that may arise with such a configuration.

2 thoughts on “Apache2 + mod_fastcgi + suexec on debian etch”

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *