Trade Secret #1

Because I’ve gotten about the 124th request today as to how I do Suexec’ed PHP-FastCGI under Apache2 (ala Zeus—but it works), I thought I would go ahead and share.

There’s nothing particularly special about it, it’s one of the methods in PHP’s FastCGI.README (the dynamic one, you can also externally spawn PHP with php -b and have it listen as a port).

You’ll want to have Apache2 installed, the FastCGI developer kit and mod_fastcgi.

Then you’ll compile PHP with FastCGI support, and copy that binary to somewhere like /usr/local/www/php5-fcgi. Within the PHP directory where you just ran make, you’ll

cp sapi/cgi/php /usr/local/www/cgi-bin/php5-fcgi

And then you’ll see cgi-fcgi in your version

> /usr/local/www/cgi-bin/php5-fcgi -v
PHP 5.0.3 (cgi-fcgi) (built: Dec 30 2004 22:44:32)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.3, Copyright (c) 1998-2004 Zend Technologies
with eAccelerator v0.9.2, Copyright (c) 2004-2004 eAccelerator,by eAccelerator
with Zend Extension Manager v1.0.6, Copyright (c) 2003-2004, by Zend Technologies
with Zend Optimizer v2.5.7, Copyright (c) 1998-2004, by Zend Technologies

Now to tie this into Apache2 and suexec it by putting the following in 

SuexecUserGroup ${USER} ${GROUP}
ScriptAlias /php-fastcgi/ ${HOME}/php-fastcgi/ 
AddType application/x-httpd-fastphp .php
Action application/x-httpd-fastphp /php-fastcgi/php5-fcgi

What this does is call up a text-based wrapper (a file literally called php5-fcgi) in a person’s home directory, this is required for the suexecing to really work:

> cat ${HOME}/php-fastcgi/php5-fcgi
	
#!/bin/sh
PHPRC="/usr/local/etc"
export PHPRC
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/local/www/cgi-bin/php5-fcgi

Now at this point you’re at least at suexec’ed PHP-CGI and you can set the PHPRC variable to be the directory that is scanned for a php.ini file. The nice thing about using AddType is that you can still have mod_php centrally installed with

AddType application/x-httpd-php .php

and this will be the fallback to any virtualhost that doesn’t have the php-fcgi for .php in it. You can also see that you can control it extension-by-extension and location-by-location by differentially using both of these.

In order to FastCGI your PHP, you need to config FastCGI in httpd.confg

<IfModule mod_fastcgi.c>
FastCgiIpcDir /usr/local/www/fcgi_ipc/tmp
AddHandler fastcgi-script .fcgi
FastCgiSuexec /usr/local/sbin/suexec
FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>

And finally tell mod_fastcgi to execute anything the in the php-fastcgi location as fastcgi. 

<Location /php-fastcgi/>
Options ExecCGI        
SetHandler fastcgi-script
</Location>

With this active, your suexec’ed PHP will be FastCGI and with it commented out, it will be straight PHP-CGI.

Have Fun! And now go off and start yourself a web hosting company.

·:· Posted 8 March 2005, 23:14 by Jason Hoffman to Server geek  |  

  1. Thanks for this article! It’s extremely helpful for setting up a fast and secure PHP environment!

    Miguel Saturnino    9 March 2005, 22:37    #
  2. Yeah, but why haven’t you 600 or whatever php processes living all the time? ;-)

    Florian Munz    10 March 2005, 22:42    #
  3. They’re dynamic, you control it in the wrapper and take a look at the FastCGI config: old ones are aggressively killed off.

    Jason Hoffman    11 March 2005, 18:59    #