Gentoo Forums
apache + fastcgi + fpm Why is suexec required? [Solved]
KWhat
l33t


Joined: 04 Sep 2005
Posts: 660
Location: Los Angeles

Posted: Fri Sep 07, 2012 5:24 pm    Post subject: apache + fastcgi + fpm Why is suexec required? [Solved]

So I have the following *WORKING* virtualhost:

Code:

<VirtualHost 192.168.128.20:80>
        ServerName euclid.domain.tld

        #LogLevel debug
        ErrorLog /var/www/euclid/logs/error_log

        SuexecUserGroup fastcgi www_euclid
        FastCgiExternalServer /var/www/euclid/htdocs/cgi-bin -socket /var/run/php-fpm/euclid.sock -user fastcgi -group www_euclid
        AddHandler php-fastcgi .php
        Action php-fastcgi /cgi-bin
        Alias /cgi-bin /var/www/euclid/htdocs/cgi-bin

        <Location /cgi-bin>
                Order Deny,Allow
                Deny from All
                # Prevent accessing this path directly
                Allow from env=REDIRECT_STATUS

                Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        </Location>

        DocumentRoot /var/www/euclid/htdocs
        <Directory /var/www/euclid/htdocs>
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>


What I can't seem to figure out is why I need to have either/both SuexecUserGroup fastcgi www_euclid and FastCgiExternalServer with the -user fastcgi -group www_euclid flags. FPM has pooling enabled and each pool is running under its own user/group. This works correctly, no issue. If I remove SuexecUserGroup and/or the -user fastcgi -group www_euclid arguments, I get the following error and I have no idea why. Additionally, what uid and gid is used to access the socket file by fastcgi? It's certainly not fastcgi:www_euclid.

Code:
(13)Permission denied: FastCGI: failed to connect to server "/var/www/euclid/htdocs/cgi-bin": connect() failed
FastCGI: incomplete headers (0 bytes) received from server "/var/www/euclid/htdocs/cgi-bin"


Last edited by KWhat on Fri Sep 07, 2012 10:37 pm; edited 1 time in total
KWhat
l33t


Joined: 04 Sep 2005
Posts: 660
Location: Los Angeles

Posted: Fri Sep 07, 2012 10:37 pm

OK, I believe I have figured out what the problem was. The simple answer is: mod_fastcgi sucks. It's old, unmaintained and poorly documented. Why it keeps coming up when looking up how to run php-fpm is beyond me. Save yourself the headache and just don't use it!

The real solution is rather simple:

Code:

<VirtualHost 192.168.128.20:80>
            ServerName euclid.domain.tld
   
            #LogLevel debug
            ErrorLog /var/www/euclid/logs/error_log
   
            <IfDefine PROXY>
                    #If you want to use mod_proxy (Probably the best option)
                    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/euclid/htdocs/$1
            </IfDefine>

            <IfDefine FASTCGI_HANDLER>
                    #If you want to use mod_fastcgi_handler (3rd party)
                    AddHandler fcgi:/var/run/php-fpm-euclid.sock .php
            </IfDefine>

   
            DocumentRoot /var/www/euclid/htdocs
            <Directory /var/www/euclid/htdocs>
                    AllowOverride all
                    Order allow,deny
                    Allow from all
            </Directory>
</VirtualHost>
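
An added example, not part of either post: on Linux, connect() on a Unix socket such as the php-fpm pool socket returns EACCES (errno 13, the "Permission denied" in the log above) when the connecting process lacks write permission on the socket file or search permission on a directory above it. This Python sketch evaluates those mode bits for a given uid and group set; `first_denial`, `demo` and the sample socket are hypothetical names constructed for illustration, and it assumes plain mode bits with no ACLs or LSM policy.

```python
import os, socket, stat, tempfile

X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)   # search permission on a directory
W_BITS = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)   # write permission on the socket

def _allows(st, uid, gids, bits):
    """Classic Unix check: exactly one of the owner/group/other bits applies."""
    if uid == st.st_uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def first_denial(sock_path, uid, gids, base="/"):
    """Return the first path whose mode bits would make connect() fail with
    EACCES for a process with this uid and group set, or None if allowed.
    Checks x on every directory from base down to the socket, then w on the
    socket. Assumption: no ACLs, capabilities or LSM policy are involved."""
    if uid == 0:
        return None                       # root bypasses mode bits
    sock_path, base = os.path.abspath(sock_path), os.path.abspath(base)
    rel = os.path.relpath(os.path.dirname(sock_path), base)
    dirs = [base]
    for part in ([] if rel == "." else rel.split(os.sep)):
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        if not _allows(os.stat(d), uid, gids, X_BITS):
            return d
    if not _allows(os.stat(sock_path), uid, gids, W_BITS):
        return sock_path
    return None

def demo():
    """Constructed sample: a 0660 socket in a 0755 directory, three callers."""
    d = os.path.abspath(tempfile.mkdtemp())
    path = os.path.join(d, "euclid.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(d, 0o755)
    os.chmod(path, 0o660)
    st = os.stat(path)
    other_uid, other_gid = st.st_uid + 1, st.st_gid + 1   # constructed ids
    out = {"owner": first_denial(path, st.st_uid, set(), base=d),
           "group_member": first_denial(path, other_uid, {st.st_gid}, base=d),
           "outsider": first_denial(path, other_uid, {other_gid}, base=d)}
    os.chmod(d, 0o700)                    # directory now blocks non-owners
    out["outsider_dir_0700"] = first_denial(path, other_uid, {other_gid}, base=d)
    srv.close(); os.unlink(path); os.rmdir(d)
    return out, path, d
```

To audit a real deployment, pass the uid and supplementary groups of the Apache worker process together with the pool's socket path, leaving `base` at its default.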
All times are GMT