How to setup Apache2 mpm-itk under Virtualmin?

26 posts / 0 new
Last post
#1 Fri, 11/07/2008 - 02:10
Karl

How to setup Apache2 mpm-itk under Virtualmin?

How can I run/setup Apache2 mpm-itk instead of suEXEC or suPHP on Debian under Virtualmin?

http://mitka.us/articles/mpm-itk/ http://www.debianadmin.com/running-vhosts-with-apache2-mpm-itk-on-debian...

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add "AssignUserID" to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
<Directory ${HOME}/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory ${HOME}/cgi-bin>
allow from all
</Directory>
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add "AssignUserID" to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
<Directory ${HOME}/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory ${HOME}/cgi-bin>
allow from all
</Directory>
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Fri, 11/07/2008 - 07:15
Joe
Joe's picture

Oh, yeah, if you're using Virtualmin Professional, the Install Scripts won't be aware of this new-fangled method of running as a user, and so there <i>may</i> be some permissions issues if setup this way. We'd probably need to add a bit of knowledge to Virtualmin and the Install Scripts code to understand that, even without suexec, the scripts need to be owned by and configured for use by the owner of the virtual server.

Since I've never heard of this module before today, I'm gonna assume it is not all that well-known or popular...so it's probably not a priority to get those changes in place (and I'm not sure it'll be a problem, anyway). I don't find the arguments against suexec compelling in this context...having content read as the user is, perhaps, cool, but having all of Apache run as root makes me less enthusiastic about it. It's also far less tested than suexec...suexec has been heavily vetted for quality and security. I'd be leery of trusting security to something dramatically less vetted.

Just some thoughts.

Let us know how the module works for you.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Karl

Hi Joe,

thanks for your comments. I'm not shure if mpm-itk is a &quot;newfangled&quot; method. I'm not an Apache nor PHP specialist so I found something interesting about suEXEC versus mpm-itk by Google:

http://blog.stuartherbert.com/php/series-the-web-platform/

&quot;Apache&acirc;

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Karl

Hi Joe,

thanks for your comments. I'm not shure if mpm-itk is a &quot;newfangled&quot; method. I'm not an Apache nor PHP specialist so I found something interesting about suEXEC versus mpm-itk by Google:

http://blog.stuartherbert.com/php/series-the-web-platform/

&quot;Apache&acirc;

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

<div class='quote'>&quot;Apache&acirc;

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Karl

Hi Joe,

thanks for your comments. I'm not shure if mpm-itk is a &quot;newfangled&quot; method. I'm not an Apache nor PHP specialist so I found something interesting about suEXEC versus mpm-itk by Google:

http://blog.stuartherbert.com/php/series-the-web-platform/

&quot;Apache&acirc;

Sat, 11/08/2008 - 08:51
Joe
Joe's picture

<div class='quote'>How do I make sure mod_php is the execution type for PHP scripts, and suexec is disabled?</div>

In Virtualmin GPL, mod_php is pretty much all there is, unless you follow some HOWTOs I've posted here in the forums. So, you're already using mod_php.

Suexec can be enabled in GPL, but it will only apply to non-PHP applications, so may not be relevant to you. You can find that option in the &quot;Server Templates:Apache website&quot; section. Note that it only applies to new virtual servers, if you edit Server Templates. Existing ones can be modified in the Server Configuration:Website Options. &quot;Run as domain owner?&quot; is the suexec option.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sat, 11/08/2008 - 14:48
Karl

<b>Joe wrote:</b>
<div class='quote'>Let us know how the module works for you.</div>

I'm sorry but I can't install the apache2 mpm-itk under Virtualmin. The installation doesn't work because of your special package 2.2.3-50vm. I always get the error:
&quot;Die folgenden Pakete haben nichterfuellte Abhaengigkeiten:
apache2-mpm-itk: Haengt ab: apache2.2-common (= 2.2.3-4+etch6) aber 2.2.3-50vm soll installiert werden
E: Kaputte Pakete&quot;. (Sorry about the language)

Sat, 11/08/2008 - 14:50 (Reply to #14)
Joe
Joe's picture

Since you're not using suexec, you don't need our package. Setup apt-get to not pull apache2 from our repository, and downgrade to the one from Debian.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:31
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sat, 11/08/2008 - 15:37
Karl

Thanks.

How do I downgrade? I already removed &quot;deb http://software.virtualmin.com/gpl/debian/ virtualmin-etch main&quot; from sources.list.

Sat, 11/08/2008 - 15:40 (Reply to #17)
Joe
Joe's picture

<div class='quote'>I already removed &quot;deb http://software.virtualmin.com/gpl/debian/ virtualmin-etch main&quot; from sources.list.</div>

That's not what I had in mind...I meant to exclude the apache2 packages from that repo. You probably want to be able to get all of your other Virtualmin-related updates.

As for downgrading. I dunno. I'm not an expert on apt-get or dpkg. ;-)

On a CentOS system, the easiest option would be to download the packages manually, and install them using the --old-package option. I don't know what the equivalent in dpkg or apt-get is. But there are some Debian experts around these parts...hopefully they'll chime in.

--

Check out the forum guidelines!

Mon, 11/10/2008 - 08:36 (Reply to #18)
andreychek

Regarding Debian packages, you can specify that a specific version be installed using this apt-get syntax:

apt-get install package=version

so in your case:

apt-get install apache-common=2.2.3-4+etch6

You may have to do something similar for the other Apache related packages.

Also, you'll want to make sure it continues to pull Apache from Debian's repository, and not Virtualmin's. If you find that it does try to pull from Virtualmin's repository after you install the Debian Apache, you may need to &quot;pin&quot; the software to use a specific repository.

You can see some information on how to do that here under the section &quot;3.10 How to keep specific versions of packages installed&quot;:

http://www.debian.org/doc/manuals/apt-howto/ch-apt-get.en.html

Sun, 06/07/2009 - 07:35
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Sun, 06/07/2009 - 07:35
robpomeroy

<b>Joe wrote:</b>
<div class='quote'>Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:
[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
...
[/code:1]</div>
Just FYI, I don't think this is quite correct. The AssignUserID directive needs to be of the form:

[code:1]
AssignUserID ${USER} ${GROUP}
[/code:1]I'm using mpm-itk (I prefer its benchmarks to suexec's, even with mod_fcgid) and discovered the above along the way. See the official docs here: <a href='http://mpm-itk.sesse.net/' target='_blank'>http://mpm-itk.sesse.net/</a> (section &quot;Configuration Variables&quot;). Hope this helps anyone else who's as far off the beaten track as me!

Sun, 06/07/2009 - 07:35
Joe
Joe's picture

Sounds to me like you'd just want to disable Suexec in Virtualmin, and add &quot;AssignUserID&quot; to the Apache website Server Template section. You can get to the UID for the user with the ${UID} variable.

So, it'd look something like this:

[code:1]
ServerName ${DOM}
ServerAlias www.${DOM}
AssignUserID ${UID}
DocumentRoot ${HOME}/public_html
ErrorLog ${HOME}/logs/error_log
CustomLog ${HOME}/logs/access_log combined
ScriptAlias /cgi-bin/ ${HOME}/cgi-bin/
&lt;Directory ${HOME}/public_html&gt;
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
&lt;/Directory&gt;
&lt;Directory ${HOME}/cgi-bin&gt;
allow from all
&lt;/Directory&gt;
[/code:1]

And you'd want to make sure mod_php is the execution type for PHP scripts, and suexec is disabled.

--

Check out the forum guidelines!

Tue, 01/13/2009 - 06:11
Karl

@ robpomeroy:

Thanks for your hint. I already gave up installing mpm-itk.

What do you think about this?

<b>Joe wrote:</b>
<div class='quote'>So, I'm going to tell you something astonishing: Sometimes things you find on the Internet are wrong. ;-)

Suexec + mod_fcgid is roughly equivalent to mod_php in performance. Memory usage is somewhat higher, but not dramatically so. Many people simply don't realize that suexec and FastCGI work together just fine, and that fact removes almost every argument against using suexec.

And, whether mdm-itk is good or not is not related to whether it is new-fangled. It's much newer than suexec, and has far fewer users and time in the field (and thus far less reliable security history to judge it by). So, it's still new-fangled, even if it's awesome.</div>

Tue, 01/13/2009 - 06:31 (Reply to #23)
robpomeroy

All I can say Karl is that <b>everywhere</b> I read, the performance metrics for PHP through some kind of CGI were worse by <i>at least</i> a factor of ten. I don't, alas have time to verify this for myself, but this combined with some security analysis I undertook for my company convinced me that mpm-itk or mpm-peruser were better solutions to the virtual hosting security issues I was facing. I chose mpm-itk because it appears to be the more mature solution at the moment.

My first build has gone very well indeed, so if you ever want to give it another shot, here are some pointers:

Start with CentOS 5+
Follow http://hostby.net/home/2008/07/12/centos-5-and-mpm-itk for the mpm-itk install
Use the notes in this thread to configure VirtualMin to be mpm-itk-aware
Optionally install and configure VSFTPd and the Virtualmin VSFTPd module (my preference for more secure FTP service)
If so, configure VSFTPd to bind only to local IP address (needed by Virtualmin)

Incidentally, mpm-itk is not new-fangled at all - it was part of the Apache development tree for a long time but was never production ready. Steinar Gunderson picked it up and forked at and the rest is history - yes, history. ;-)

I'd be interested to know if there are any <i>known</i> vulnerabilities, running an up to date security-patched Apache daemon as root, of course...

Cheers,

Rob

Sat, 05/01/2010 - 07:39
Tue, 08/03/2010 - 09:38
kenlyle

Agreeing with robpomeroy...In chat with a hosting provider who runs over 10K Joomla sites, they are running ITK exclusively. They consider it the optimal solution, and ready for production, obviously.

It would be nice to see some consideration of http://mpm-itk.sesse.net/ in Virtualmin.

Topic locked