
PHP as FastCGI only

Martin Svoboda

Guest
Hi

I want to set PHP to run as a FastCGI module only on my hosting server.
Users have permissions: Domain creation, Physical hosting management, limits ... so they can edit their domain setup and choose an unwanted option (e.g. PHP as Apache module).

Is there any way to disable "PHP as Apache module" and "CGI" and allow only "PHP as FastCGI" for users?

Thanks Martin
 
Can't you run with one domain fcgi and another as apache? Does it make any difference, and if so, in what way do different domains with different configurations affect things?

Could you make a template?
 
I want to run FastCGI only. One of the reasons is that PHP as an Apache module runs with the webserver UID. When PHP runs as FastCGI, it runs with the domain owner's UID.

When I make a domain template, the user can still change it.
 
Yeah, I get you, so you have fewer issues with permissions across the board, and I understand that security is enhanced because of that very thing -- scripts run as domain users and not across the board. Thanks for clarifying the dilemma for me.

I heard about a user on one server who had some serious script contamination, but the other web sites were not affected because they were running as cgi (not fcgi) and they were running suPhp, not suExec.

Now, as the administrator of that server explained, suPhp and cgi is more stable for shared hosting, whereas suExec and fcgi can be trouble. I don't know if this is true or that's his defense on his setup.

So, I'm with you on this, how do we set up the whole server to run fcgi with no options for the other way?

Maybe it will have to be something that is enforced by the administrator.
 
Any Plesk people looking at this? This is a SERIOUS issue.

If you need proof here it is:

We have about 30 users running Joomla. You know, the popular, buggy and exploitable as hell, CMS. These things get hacked about daily. The kiddies leave things like r57 shell and happily browse all other customers' files as well. And as these frequently need write permissions for world in order to get a lot done they can attack those files too. Not to mention reading their SQL passwords etc.
 
Parallels, please!

Yes, someone from Parallels *please* reply to this thread. This is an issue that has been creating havoc on our server. We're running 50+ websites using CMS systems such as Drupal and Joomla. All sorts of permissions issues and security flaws are created by running PHP as the Apache user.
 
Yea and this is still assuming friendly users. Nothing is stopping them from uploading things like php shells themselves.
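
An audit for the shared-UID concern raised in the posts above, added here as an example and not code from any poster or from Plesk: it lists each vhost whose httpd.include lacks the `SetHandler fcgid-script` line quoted later in this thread, with a count of world-writable files under its httpdocs. The function names and the two-domain sample tree are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_vhosts ROOT
# Prints "<domain> <fcgid|other> <count>" per vhost, where count is the number
# of world-writable regular files under httpdocs (writable by the shared
# web-server UID when PHP does not run as the domain owner).
audit_vhosts() {
    vroot=$1
    for conf in "$vroot"/*/conf/httpd.include; do
        [ -f "$conf" ] || continue
        vhost=${conf%/conf/httpd.include}
        domain=${vhost##*/}
        # Handler directive as it appears in the httpd.include posted in this thread.
        if grep -Eiq '^[[:space:]]*SetHandler[[:space:]]+fcgid-script' "$conf"; then
            mode=fcgid
        else
            mode=other    # mod_php or plain CGI; not distinguished here
        fi
        ww=$(find "$vhost/httpdocs" -type f -perm -0002 2>/dev/null | wc -l)
        echo "$domain $mode $((ww))"
    done
}

# Constructed sample tree (two made-up domains); prints its temporary root.
make_sample_tree() {
    t=$(mktemp -d)
    for d in a.example b.example; do
        mkdir -p "$t/$d/conf" "$t/$d/httpdocs"
    done
    printf '<Files ~ (\\.php)>\n  SetHandler fcgid-script\n</Files>\n' \
        > "$t/a.example/conf/httpd.include"
    printf 'php_admin_flag engine on\n' > "$t/b.example/conf/httpd.include"
    : > "$t/a.example/httpdocs/index.php"
    chmod 644 "$t/a.example/httpdocs/index.php"
    : > "$t/b.example/httpdocs/configuration.php"
    chmod 666 "$t/b.example/httpdocs/configuration.php"
    echo "$t"
}

demo=$(make_sample_tree)
audit_vhosts "$demo"      # on a live server: audit_vhosts /var/www/vhosts
rm -rf "$demo"
```

Lines reporting `other` with a non-zero count are the domains where a compromised script in one site can modify another customer's files.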
 
Hello,

I get the following error message when I try to use PHP as FastCGI:

Syntax error on line 154 of /var/www/vhosts/ph0enyx.de/conf/httpd.include:
can't get fastcgi file info: dynamic, errno: 2

This is the block from httpd.include:

152 <Files ~ (\.php)>
153 SetHandler fcgid-script
154 FCGIWrapper dynamic .php
155 Options +ExecCGI
156 allow from all
157 </Files>

Who can help me and tell me what I am doing wrong?

System.

CentOS php5.1.6 apache 2.2 Plesk 9.2.1

thx Martin

Excuse my English, I am not good at it.
 
For info :

To benchmark mpm-peruser, I used Apache's ab benchmark to load a
simple phpinfo() page 1,000 times. I ran the benchmark five times, and
averaged the results.

mpm-prefork: average of 6.51 seconds
mpm-itk: average of 37.01 seconds
mpm-peruser: average of 6.95 seconds
suphp: average of 164.677 seconds
suexec: average of 127.219 seconds
suexec + bash script: average of 134.836 seconds
mod_php: average of 3.753 seconds
 
I know how you feel. You can make a cron script that changes every setting to fcgid and regenerates the Apache config. But as I experienced, mod_fcgid has bugs and makes Apache fail to reload its config after something is changed via Plesk, which leads to Apache failure and a general Fu*k up... So think it through before you decide to do so.

The other thing is that the greatest thing with fastcgi/fcgid would be to use apache2-mpm-worker... Can't do that because psa depends on prefork...
 
related - Have searched and couldn't find anything..

Where can I increase the max users for fastcgi (the Plesk fast-cgi module)? Right now I get a lot of:

[Mon Jun 29 00:32:35 2009] [notice] mod_fcgid: too much /var/www/vhosts/xxxxxxxxx.com/httpdocs/blahblah/main.php process(current:8, max:8), skip the spawn request

type notices.

Using Plesk 9.2.1 on RHEL4

Would it be: /etc/httpd/conf.d/fcgid.conf ??

Any help would be appreciated :)
 
Elvicities,

Yes you would need to edit /etc/httpd/conf.d/fcgid.conf file changing : DefaultMaxClassProcessCount 8

You'd then need to run :

apachectl configtest (Hopefully you'll get "Syntax OK")

then :

/usr/local/psa/admin/bin/websrvmng -a -v (To push through the config change, this also gracefully restarts Apache)
 
Thanks Paul for your precision...

I have looked at my fcgid.conf and I have some confusion regarding the numbers shown:


# added by psa-mod-fcgid-configurator
<IfModule mod_fcgid.c>
IdleTimeout 3600
ProcessLifeTime 7200
MaxProcessCount 64
DefaultMaxClassProcessCount 8
IPCConnectTimeout 30
IPCCommTimeout 45
DefaultInitEnv RAILS_ENV production
</IfModule>


In this case should I change the default, or does the "MaxProcessCount 64" override the "DefaultMaxClassProcessCount 8"?
 
Hi Michael,

From the fcgi docs :

MaxProcessCount n (1000)

The max count of total fastcgi process count.

DefaultMaxClassProcessCount n (100)

The maximum number of fastcgi application instances allowed to run for any one fastcgi application.

It's up to you whether you want to increase the MaxProcessCount in line with your increase to the DefaultMaxClassProcessCount; if you do, remember to increase it by multiples (i.e. default allows 8 vhosts each to have 8 processes giving a total of 64). In the quote above the figures in brackets are defaults by the way.

This may also prove useful (I've only been using Plesk 9.2.1 for 24 hours so I can't say whether this is an issue) :

MaxRequestsPerProcess n (-1)

(Added in version 1.11, patch from Robert L Mathews)

Adds a MaxRequestsPerProcess parameter that allows mod_fcgid to exit after handling a certain number of requests, similar to the existing ProcessLifeTime option.

This solves a problem with PHP in FastCGI mode. By default, PHP stops accepting new FastCGI connections after handling 500 requests; unfortunately, there is a potential race condition during the PHP cleanup code in which PHP can be shutting down but still have the socket open, so mod_fcgid under heavy load can send request number 501 to PHP and have it "accepted", but then PHP appears to simply exit, causing errors.

If you are using PHP, you should set it to 500. -1 mean fastcgi process will not exit no matter how many requests it has handled.

I'm still struggling to ascertain whether these mod_fcgid processes are included in the Apache prefork settings, i.e. there's no point in having a MaxProcessCount that exceeds your MaxClients?

In regard to the original issue, it's not a trivial thing, but you could disable the two other options through not loading them into Apache, that would enforce your customers used FastCGI, but I can't guarantee it wouldn't eventually (or quickly) break Apache.

A simpler alternative would be using Event Manager to place a custom vhost.conf onto their domain to override their PHP settings and force it to FastCGI.

Paul.
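
The relationship between the limits described in the reply above, as an added example (not from the thread or the mod_fcgid project): an awk check that reads an fcgid.conf, applies the vhosts x per-class arithmetic, and flags a MaxRequestsPerProcess other than 500. The function name and its `busy` argument are assumptions; the sample input is the fcgid.conf posted in this thread.

```sh
#!/bin/sh
# Added example, not from the thread. fcgid_check and "busy" are hypothetical
# names; the arithmetic follows the reply above (vhosts x per-class cap).

# fcgid_check BUSY < fcgid.conf
# BUSY = number of PHP vhosts expected to hit their per-class cap at once.
fcgid_check() {
    awk -v busy="$1" '
        BEGIN { total = 1000; per = 100; req = -1 }  # defaults as quoted above
        { d = tolower($1) }          # Apache directive names are case-insensitive
        d == "maxprocesscount"             { total = $2 + 0 }
        d == "defaultmaxclassprocesscount" { per   = $2 + 0 }
        d == "maxrequestsperprocess"       { req   = $2 + 0 }
        END {
            n = 0
            if (busy * per > total) {
                printf "POOL: %d vhosts x %d per class = %d > MaxProcessCount %d\n", busy, per, busy * per, total
                n++
            }
            if (req != 500) {
                printf "RECYCLE: MaxRequestsPerProcess is %d, PHP stops accepting after 500 requests\n", req
                n++
            }
            if (n == 0) print "OK"
        }'
}

# Constructed input: the fcgid.conf posted earlier in this thread.
sample_conf() {
    cat <<'EOF'
# added by psa-mod-fcgid-configurator
<IfModule mod_fcgid.c>
IdleTimeout 3600
ProcessLifeTime 7200
MaxProcessCount 64
DefaultMaxClassProcessCount 8
IPCConnectTimeout 30
IPCCommTimeout 45
DefaultInitEnv RAILS_ENV production
</IfModule>
EOF
}

sample_conf | fcgid_check 8     # pool fits exactly; only the recycle finding
sample_conf | fcgid_check 10    # 80 > 64: the total cap is hit first
```

On a server, feed it the live file: `fcgid_check 8 < /etc/httpd/conf.d/fcgid.conf`.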
 
mpm-itk and mod_ruid2 vs. fcgi

Hello,

It's easier and less expensive to use mpm-itk or mod_ruid2 compared with suPHP or FastCGI.
Run PHP as User

This add-on for Parallels Plesk Panel allows running PHP scripts as the domain FTP user. It only works in conjunction with the mpm-itk or mod_ruid2 modules. In this case the standard PHP module runs scripts. This is the fastest method, unlike suPHP and FastCGI commonly used for the same purpose.

See http://forum.parallels.com/showthread.php?t=106297 for details.
 