Apache, PHP, SuEXEC

Apache, PHP, SuEXEC: when it just wouldn’t work out.

Looks like I will have a lot to say on this topic still. By now I’ve collected some cases when you can not use PHP in FastCGI mode and to keep the sites running you will need to abandon suEXEC nice and clean privilege separation mechanism in favor of mod_php/ASAPI.

Both discovered situations have their workarounds which mostly require redesign, but if you have commercial application or read-made web site that has to be deployed, you really don’t have any other choice then to switch back to mod_php

  1. Use of apache_note() function – this function is facilitating apache inter-module communication, so obviously PHP has to be apache module for that. In my opinion this seriously breaks PHP scripts portability prohibiting FastCGI API and limiting server to apache. In my case it was used to call Apache mod_geoip from PHP script, while PHP itself has perfectly functional geoip extension.
  2. Another situation is use of auto_prepend_file / auto_append_file on per-directory basis from .htaccess files – there is no configurable alternative with PHP in FastCGI mode, even though you have per-vhost php.ini. In this case to stay with FastCGI you will need to redesign your site to avoid using .htaccess for configuring PHP.

All in all, we will have to adjust our 00-fcgid.conf and Virtualmin vhost template so that we would be able to switch back to mod_php at any time (or even run both – I will add this directive to the template but I will test it later on and update this post).
All changes required are just properly put [cci lang=”apache”][/cci], so that turning off mod_fcgid will not break any apache virtual host definition – unfortunately previous Virtualmin template will not work this way.

Now, for virtual host. We will want something, that looks like this

This is what our virtualmin apache template to achieve such configuration from virtualmin should look like

This will allow to switch from PHP/FastCGI to mod_php by toggling LoadModule on/off.

  1. I got the problem:

    [Fri Aug 19 23:40:00 2011] [error] [client] client denied by server configuration: /var/www/cgi-bin/dev/php-dev
    [Fri Aug 19 23:40:00 2011] [error] [client] File does not exist: /home/dev/public_html/favicon.ico

    I can not find where is the error. I followed every step to install apache and mod_fcgid. But the different is: mod_fcgid is built in apache, I don’t use it as module loaded in configuration.

    I created all directories and set permission/owned as the same in article. Turn off SELinux…

    I use Centos 5.5 on my localhost (virtualbox).

    Please help me!

    • Did you check Apache suexec.log – it looks like something is not right with the permissions/ownership for /var/www/cgi-bin/dev/php-dev or the php script your are trying to execute.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">