From: Sam Nilsson
Date: Thu, 03 Nov 2005 10:53:09 -0800
To: jonas
Cc: freebsd-questions@freebsd.org
Subject: Re: suPHP - secure/reliable?

jonas wrote:
> I'd be really interested to hear a few details about installation through
> the ports. From what I saw in the FastCGI documentation you need to do some
> strange configuration changes to your httpd.conf, so that .php files are
> properly passed to the FastCGI handler and that they'll be executed under the
> correct user.
> Could you share a quick overview of what you did to get this up
> and running, apart from making install?
>
> Thanks!

Sure. Here is the basic method that I used to build apache2 with suexec, fastcgi, and php5. These instructions come from my notes, so there are probably some mistakes and typos. Setting this stuff up is a process:

-- Install Ports:

Edit /usr/local/etc/pkgtools.conf. Add the following to the MAKE_ARGS section:

  'www/apache2*' => 'WITH_SUEXEC=yes SUEXEC_DOCROOT=/usr/local/www SUEXEC_USERDIR=public_html',
  'www/mod_fastcgi*' => 'WITH_APACHE2=yes',
  'www/php5-cgi*' => 'WITH_FASTCGI=yes',

  $ portupgrade -pNi www/apache2
  $ portupgrade -pNi www/mod_fastcgi
  $ portupgrade -pNi www/php5-cgi

-- Setup Apache:

Add the following to the /usr/local/etc/apache2/httpd.conf global section:

  FastCgiIpcDir /usr/local/fastcgi-ipc
  FastCgiWrapper sbin/suexec

Edit any virtual hosts in httpd.conf following this example:

  <VirtualHost *>
      ServerName virtual-domain.tld
      DocumentRoot /usr/local/www/virtual/virtual-domain.tld/public_html
      ...
      SuexecUserGroup username groupname
      # alternatively
      # SuexecUserGroup #userid #groupid

      AddHandler php-fastcgi .php
      Alias /cgi-bin/ /usr/local/www/virtual/virtual-domain.tld/cgi-bin/
      <Directory "/usr/local/www/virtual/virtual-domain.tld/cgi-bin">
          SetHandler fastcgi-script
          Options ExecCGI
      </Directory>
      Action php-fastcgi /cgi-bin/php
      AddType application/x-httpd-php .php
  </VirtualHost>

Other Apache Config Issues

In order for php to work with this setup, each virtual host must have its own cgi-bin directory.

* The cgi-bin directory must be owned by the customer's uid and gid (from /etc/passwd).
* All cgi scripts must be owned by the customer's uid/gid.
* The cgi-bin directory must contain the following script, which must also be owned by the customer's uid/gid.
  $ cat /usr/local/www/virtual/virtual-domain.tld/cgi-bin/php
  #!/bin/sh
  PHPRC="/usr/local/etc/php/php.ini" # or any custom php.ini file
  export PHPRC
  #PHP_FCGI_CHILDREN=4
  #export PHP_FCGI_CHILDREN
  exec /usr/local/bin/php

----

Now you can run a script like /usr/local/www/virtual/virtual-domain.tld/public_html/test.php and it will be run using suexec and fastcgi. It doesn't matter who owns the test.php script file, just the ownership of /cgi-bin and /cgi-bin/php.

If you want to run normal cgi scripts from public_html, then the script and its parent directory must be owned exactly as indicated by the SuexecUserGroup directive.

Let me know if you need any clarifications or if you have any more questions.

- Sam
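The ownership rules in Sam's message are exactly what suexec verifies before it will run the php wrapper, and a mismatch shows up only as a 500 error with a line in suexec_log. The following is an added pre-flight check, not code from the post or from the apache2 port: it assumes the per-vhost layout above (DIR is the virtual host's cgi-bin holding the "php" wrapper) and takes the SuexecUserGroup user and group as arguments, for example `check_suexec_cgibin /usr/local/www/virtual/virtual-domain.tld/cgi-bin username groupname`.

```shell
# Added example (not from the original post): checks that a virtual host's
# cgi-bin and its php wrapper satisfy the suexec ownership/permission rules
# described in the message. Arguments: DIR USER GROUP (SuexecUserGroup values).
check_suexec_cgibin() {
    dir=$1; user=$2; group=$3
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # suexec refuses to run the wrapper unless the cgi-bin directory and the
    # wrapper are both owned by the SuexecUserGroup uid/gid and neither is
    # writable by group or others.
    for f in "$dir" "$dir/php"; do
        if [ ! -e "$f" ]; then
            echo "FAIL: $f does not exist"
            rc=1
            continue
        fi
        if [ -z "$(find "$f" -maxdepth 0 -user "$user" -group "$group" 2>/dev/null)" ]; then
            echo "FAIL: $f is not owned by $user:$group"
            rc=1
        fi
        if [ -n "$(find "$f" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            echo "FAIL: $f is writable by group or others"
            rc=1
        fi
    done

    # The wrapper must be executable, and suexec also rejects setuid/setgid targets.
    if [ -e "$dir/php" ]; then
        if [ ! -x "$dir/php" ]; then
            echo "FAIL: $dir/php is not executable"
            rc=1
        fi
        if [ -n "$(find "$dir/php" -maxdepth 0 \( -perm -4000 -o -perm -2000 \) 2>/dev/null)" ]; then
            echo "FAIL: $dir/php is setuid or setgid"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir and $dir/php satisfy the suexec ownership checks"
    fi
    return "$rc"
}
```

Run it as root after creating each customer's cgi-bin; a FAIL line names the file suexec would reject and why.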