Because our Helpdesk regularly receives requests about problems with CageFS, PHP Selector, the Apache server and related components, this article describes how to configure them with the suPHP and FastCGI handlers on non-panel systems.
This is a practical guide to setting up FastCGI and suPHP together with CageFS + PHP Selector on a server with no control panel installed.
It is assumed that the system has already been converted and booted with the CloudLinux kernel. Since PHP Selector requires CageFS and LVE Manager to be installed, let’s start with CageFS installation:
CageFS is a virtual file system that includes a set of tools for each user, located in an isolated environment (cell). Each account has its own fully functional CageFS, with all the necessary system files and tools, as if it were working on a real system.
To install CageFS run the command:
yum install cagefs
LVE Manager is a plugin for most control panels. It is designed to set limits for users and packages and to control PHP Selector. It must be installed so that PHP Selector functions can be controlled from the server console.
To install LVE Manager run the command:
yum install lvemanager
CageFS setup
To create CageFS file system run the command:
cagefsctl --init
CageFS provides two modes of operation:
- Enable all, except disabled.
- Disable all, except enabled.
Select “Enable All” mode so that all current and new users are added to CageFS automatically:
cagefsctl --enable-all
Add the user for whom the VirtualHost will be configured (if it does not already exist in the system):
adduser [username]
Install native PHP:
yum install php
Install PHP Selector:
yum groupinstall alt-php
Open configuration file httpd.conf and make the following changes:
nano /etc/httpd/conf/httpd.conf
At the end of the configuration file add a block for the needed web site, and before this block add another one which will handle requests for mistyped and non-existent addresses:
<VirtualHost *:80>
    ServerName default
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin cl-srv@test.org
    DocumentRoot "/home/stat/public_html"
    ServerName stat.local
    ServerAlias www.stat.local
    ErrorLog "/home/stat/public_html/logs/error.log"
    CustomLog "/home/stat/public_html/logs/access.log" common
    ScriptAlias /cgi-bin/ "/home/stat/public_html/cgi-bin/"
    SuexecUserGroup stat stat
    <Directory "/home/stat/public_html/">
        Options -Indexes FollowSymLinks +ExecCGI
        AllowOverride AuthConfig FileInfo
        AddHandler php5-fastcgi .php
        Action php5-fastcgi /cgi-bin/php.fcgi
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/home/stat/public_html/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
NOTE! You must uncomment the NameVirtualHost *:80 option, otherwise only the first web site in the list will work:
NameVirtualHost *:80
Create a directory for the web site in the user’s home directory, with cgi-bin and logs subdirectories:
mkdir -p /home/stat/public_html/cgi-bin
mkdir /home/stat/public_html/logs/
Create phpinfo.php file to check your web-site settings:
nano /home/stat/public_html/phpinfo.php
<?php phpinfo(); ?>
Create the PHP CGI wrapper file php.fcgi in the cgi-bin folder:
cd /home/stat/public_html
nano cgi-bin/php.fcgi
With content:
#!/bin/bash
PHP_CGI=/usr/bin/php-cgi
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI
Give executable access:
chmod +x cgi-bin/php.fcgi
Assign ownership of the directory to user stat:
chown -R stat:stat ../public_html/
Do not forget to add the rule to iptables for port 80:
nano /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
service iptables restart
If you see the following error in the Apache log:
# tail -f /home/stat/public_html/logs/error.log
(13) Permission denied: access to / denied
(13) Permission denied: access to /favicon.ico denied
Then open the configuration file /etc/httpd/conf/httpd.conf and change the AllowOverride option value from None to All:
<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>
Then restart httpd:
service httpd restart
If you see the following error in log file:
# tail -f /home/stat/public_html/logs/error.log
(13)Permission denied: /home/stat/.htaccess pcfg_openfile: unable to check htaccess file,
(13)Permission denied: /home/stat/.htaccess pcfg_openfile: unable to check htaccess file,
Give access to the user’s home directory (700 by default):
chmod 711 /home/stat/
If you see an Internal Server Error on the phpinfo page and the following errors in the log file:
Premature end of script headers: php.fcgi
suexec policy violation: see suexec log for more details
Premature end of script headers: php.fcgi
This problem stems from the fact that suexec is built with /var/www as its document root by default:
suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"
-D AP_SAFE_DIRECTORY="/usr/local/safe-bin"
Since we locate users’ sites in /home, we need to rebuild suexec.
Perform the following steps (method 1, rebuild from the source rpm package).
Download the rpm package:
cd /tmp/
wget http://repo.cloudlinux.com/cloudlinux/6 ... ux.src.rpm
Install the additional programs needed to build the package:
yum install rpm-build -y
yum install redhat-rpm-config -y
yum install gcc libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel -y
Build and install suexec:
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir /root/rpmbuild' > ~/.rpmmacros
rpm -ivh httpd-2.2.15-29.el6_4.cloudlinux.src.rpm
cd ~/rpmbuild/SPECS/
rpmbuild -ba httpd.spec
cd ../BUILD/httpd-2.2.15/
./configure --with-pcre=/usr/bin/pcre-config --enable-suexec --with-suexec \
    --with-suexec-caller=apache --with-suexec-docroot=/home \
    --with-suexec-logfile=/var/log/httpd/suexec.log \
    --with-suexec-bin=/usr/sbin/suexec \
    --with-suexec-uidmin=500 --with-suexec-gidmin=500 \
    --enable-pie --with-pcre-with-pcre
make
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec
service httpd restart
Method 2 (package rebuild from tar.gz archive).
yum install gcc libselinux-devel apr-devel apr-util-devel pcre-devel openssl-devel -y
cd ~
wget https://archive.apache.org/dist/httpd/httpd-2.4.6.tar.gz
tar -zxvf httpd-2.4.6.tar.gz
cd httpd-2.4.6/
find . -name suexec.h
nano ./support/suexec.h
Change the values of the following parameters:
#define AP_DOC_ROOT DEFAULT_EXP_HTDOCSDIR -->> #define AP_DOC_ROOT "/home"
#define AP_HTTPD_USER "www" -->> #define AP_HTTPD_USER "apache"
#define AP_UID_MIN 100 -->> #define AP_UID_MIN 500
#define AP_LOG_EXEC DEFAULT_EXP_LOGFILEDIR "/suexec_log" /* Need me? */ -->> #define AP_LOG_EXEC "/var/log/httpd/suexec.log" /* Need me? */
Then build and install suexec:
./configure
make suexec
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec
service httpd restart
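The following script is an added example, not part of the original article or of CloudLinux tooling. It parses suexec -V output and checks that a wrapper path and user ID fit the compiled-in AP_DOC_ROOT and AP_UID_MIN, the settings behind the policy violation described above; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/bash
# Added example: pre-flight check of a script path and uid against suexec's
# compiled-in policy. Function names and sample data are constructed.

# Constructed samples: the default build shown on this page, and a rebuilt one.
SAMPLE_DEFAULT=' -D AP_DOC_ROOT="/var/www"
 -D AP_UID_MIN=500'
SAMPLE_REBUILT=' -D AP_DOC_ROOT="/home"
 -D AP_UID_MIN=500'

# Print the value of one -D setting from `suexec -V` output read on stdin.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D $1=//p" | tr -d '"' | head -n 1
}

# Print "mode owner:group" of the binary; this page installs it as 4510 root:apache.
suexec_binary_state() { stat -c '%a %U:%G' "${1:-/usr/sbin/suexec}"; }

# $1 = `suexec -V` output, $2 = canonical script path, $3 = numeric uid.
# Returns 0 when both checks pass, 1 on a violation, 2 if parsing failed.
check_suexec_policy() {
    local out=$1 script=$2 uid=$3 docroot uidmin rc=0
    docroot=$(printf '%s\n' "$out" | suexec_setting AP_DOC_ROOT)
    uidmin=$(printf '%s\n' "$out" | suexec_setting AP_UID_MIN)
    if [ -z "$docroot" ] || [ -z "$uidmin" ]; then
        echo "FAIL: AP_DOC_ROOT or AP_UID_MIN not found in input"
        return 2
    fi
    # Match on a whole path component so /homework does not pass for /home.
    case "$script" in
        "${docroot%/}"/*) ;;
        *) echo "FAIL: $script is outside AP_DOC_ROOT=$docroot"; rc=1 ;;
    esac
    if [ "$uid" -lt "$uidmin" ]; then
        echo "FAIL: uid $uid is below AP_UID_MIN=$uidmin"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $script (uid $uid) fits the suexec policy"
    fi
    return "$rc"
}

# Demo on the constructed samples; on a live host pass "$(suexec -V 2>&1)".
check_suexec_policy "$SAMPLE_DEFAULT" /home/stat/public_html/cgi-bin/php.fcgi 501
check_suexec_policy "$SAMPLE_REBUILT" /home/stat/public_html/cgi-bin/php.fcgi 501
```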
Finally, check the phpinfo page to make sure everything is configured correctly.
To change PHP version from console, use the command:
cl-selector --select=php --version=5.3 --user=stat
Installation and setup of a server using suPHP
To enable suPHP, install the mod_suphp package on the server from the CloudLinux repository, as it already contains all the necessary patches:
yum install mod_suphp
After installation, check that the /etc/suphp.conf file matches the lines below.
If something differs, bring it to the form shown here; all other settings remain unchanged:
[global]
logfile=/var/log/httpd/suphp_log
loglevel=info
webserver_user=apache
docroot=/
env_path=/bin:/usr/bin
umask=0077
min_uid=500
min_gid=500

; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true

;Send minor error messages to browser
errors_to_browser=false

[handlers]
;Handler for php-scripts
x-httpd-php="php:/usr/bin/php-cgi"

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
Open the file /etc/httpd/conf.d/suphp.conf and comment out all lines in it except:
LoadModule suphp_module modules/mod_suphp.so
Open the file /etc/httpd/conf/httpd.conf and bring the VirtualHost to the following form:
<VirtualHost *:80>
    ServerAdmin cl-srv@test.org
    DocumentRoot "/home/stat/public_html"
    ServerName stat.local
    ServerAlias www.stat.local
    ErrorLog "/home/stat/public_html/logs/error.log"
    CustomLog "/home/stat/public_html/logs/access.log" common
    suPHP_Engine on
    suPHP_UserGroup username group
    AddHandler x-httpd-php .php .php3 .php4 .php5
    suPHP_AddHandler x-httpd-php
</VirtualHost>
After that save the settings and restart Apache:
service httpd restart
The installation is finished.
To check suPHP use the following script:
# nano w.php
<?php
echo "Output of the 'whoami' command:<br /><br />";
echo exec('/usr/bin/whoami');
?>
At the end, update CageFS:
cagefsctl --force-update
If you get a 500 Internal Server Error when requesting a PHP page and you see the following error in the site log:
Premature end of script headers: w.php
Then check the permissions: directories should be 755, files should be 644.
Make sure you are in the user’s folder and run the following commands:
find . -type d -exec chmod 0755 {} +
find . -type f -exec chmod 0644 {} +
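As an added example (not from the original article or the suPHP project), the script below lists the entries that the allow_*_writeable=false options in /etc/suphp.conf shown above would reject, so the affected paths can be reviewed before permissions are changed. It goes slightly beyond the text by also reporting entries not owned by the site user and by checking a uid against min_uid; the function names, the script name and the sample configuration are constructed.

```shell
#!/bin/bash
# Added example: report entries suPHP would refuse under the settings on this
# page (allow_*_writeable=false, min_uid). Names and sample data are constructed.

# Constructed excerpt of /etc/suphp.conf.
SAMPLE_SUPHP_CONF='[global]
umask=0077
min_uid=500
min_gid=500'

# Print the value of key $1 from suphp.conf text read on stdin.
suphp_conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# $1 = suphp.conf text, $2 = numeric uid. Returns 0 if uid >= min_uid.
suphp_uid_allowed() {
    local min
    min=$(printf '%s\n' "$1" | suphp_conf_value min_uid)
    [ -n "$min" ] && [ "$2" -ge "$min" ]
}

# List files and directories under $1 that are group- or other-writable,
# or not owned by user $2 (name or numeric uid).
suphp_violations() {
    local root=$1 user=$2
    find "$root" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print |
        sed 's/^/writable /'
    find "$root" \( -type f -o -type d \) ! -user "$user" -print |
        sed 's/^/owner /'
}

# Live use (hypothetical script name): ./suphp_audit.sh /home/stat/public_html stat
if [ $# -eq 2 ]; then
    echo "min_uid=$(suphp_conf_value min_uid < /etc/suphp.conf)"
    suphp_violations "$1" "$2"
fi
```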
Patching Apache with suexec not from CLN repository
yum remove httpd -y
cd /tmp
wget http://vault.centos.org/6.5/updates/Sou ... os.src.rpm
wget http://repo.cloudlinux.com/cloudlinux/s ... hes.tar.gz
tar -xzvf cl-apache-patches.tar.gz
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir /root/rpmbuild' > ~/.rpmmacros
rpm -ivh httpd-2.2.15-31.el6.centos.src.rpm
cd ~/rpmbuild/SPECS/
rpmbuild -ba httpd.spec
cd ../BUILD/httpd-2.2.15/
cp /tmp/suexec.patch ./
patch -p1 < suexec.patch
autoconf
./configure --with-pcre=/usr/bin/pcre-config --enable-suexec --with-suexec \
    --with-suexec-caller=apache --with-suexec-docroot=/home \
    --with-suexec-logfile=/var/log/httpd/suexec.log \
    --with-suexec-bin=/usr/sbin/suexec \
    --with-suexec-uidmin=500 --with-suexec-gidmin=500 \
    --enable-pie --with-pcre-with-pcre
make
cp ./support/suexec /usr/sbin/suexec
chown root:apache /usr/sbin/suexec
chmod 4510 /usr/sbin/suexec