These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for Convert PHP sites to use mod_fcgid with suEXEC on the new forum.
How can I change all my PHP sites to use mod_fcgid in Virtualmin GPL? I have several domains and sub-servers; is there any way to automate the creation of FastCGI wrappers, and make it apply to future sites as well? I already have recompiled suEXEC with docroot /home.
Using the search feature in the Virtualmin interface, I found references to FastCGI PHP5 wrappers, but they link to the documentation/help text. I can't find the actual options.
Thanks!
Howdy,
To enable it for all future sites, go into System Settings -> Server Templates -> Default Settings -> Apache Website, then update the option labeled "Default PHP execution mode".
As for how to automate converting all existing sites?
I'm not sure that you're able to automate that using the GPL version -- the Pro version comes with some command line tools that can do that.
However, you can update it individually for each existing website by first choosing the domain in question, then choosing Server Configuration -> Website Options, and modifying "PHP script execution mode".
-Eric
The easy way mentioned by Eric is actually only available in Professional.
I've asked Jamie about this before, as it should probably be in GPL also...but it's currently part of the Install Scripts code, and apparently not easy to factor out. But when we next chat, I'll mention it again. I'd like to see everybody running applications the same way. It'd just ease support so much.
It can, of course, be done in GPL...and it's not even all that hard:
Add to httpd.conf in the public_html Directory section within the relevant VirtualServer section:
AddHandler fcgid-script .php5
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
Create the wrapper in /home/domainname/fcgi-bin/php5.fcgi:
#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi
The application files, and the fcgi wrapper must be owned by the user, and must not be world or group writable (suexec will not execute them, if they are).
You also need to copy php.ini into the etc/php5 directory within the users home.
--
Check out the forum guidelines!
Hey there I want to use your method to accomplish this ... http://www.virtualmin.com/node/12612
But to tell you the truth I can't understand what you are talking about.
For instance the /etc/apache2/httpd.conf is an empty file.
In this case the file is located /etc/apache2/sites-available/yoursite.conf
You would add the above there. However, in my case, currently right now the latest build is by default setting all PHP to run in FastCGI, but for me using Ubuntu 8.04 I could not get the flush to work; only by switching back to Apache, thus removing the above, could I get flush to work.
I found various suggestions with regard to flush problems and FastCGI but despite trying everything, no joy. But for now I'm good as PHP is running back as part of Apache.
andreychek wrote:
> Howdy,
> To enable it for all future sites, go into System Settings -> Server Templates -> Default Settings -> Apache Website, then update the option labeled "Default PHP execution mode".
> As for how to automate converting all existing sites?
> I'm not sure that you're able to automate that using the GPL version -- the Pro version comes with some command line tools that can do that.
> However, you can update it individually for each existing website by first choosing the domain in question, then choosing Server Configuration -> Website Options, and modifying "PHP script execution mode".
> -Eric
Hey guys, I was able to get this going, however I have a question: how would I turn on and off the php.ini modules that I want? For instance, I need register_globals turned off for one site but on for another. Would I put an actual php.ini file in the public_html directory?
Thanks,
andreychek wrote:
> Howdy,
> To enable it for all future sites, go into System Settings -> Server Templates -> Default Settings -> Apache Website, then update the option labeled "Default PHP execution mode".
> As for how to automate converting all existing sites?
> I'm not sure that you're able to automate that using the GPL version -- the Pro version comes with some command line tools that can do that.
> However, you can update it individually for each existing website by first choosing the domain in question, then choosing Server Configuration -> Website Options, and modifying "PHP script execution mode".
> -Eric
Hey Andy,
I am sorry, I don't see "default php execution mode" in the location you say it is. I am sure I am looking in the wrong place but I am not sure.
Here is my screen shot of what I see in the location you mentioned.
Thanks,
hosthoboguy, you'll need to add an /etc/php5 folder containing the php.ini in the /home/domain section, like Joe is describing
the php execution mode is not available in VM GPL hence the manual way of doing this.
Here is what I added to my httpd.conf file:
<Directory /home/centosguru/public_html>
AddHandler fcgid-script .php
FCGIWrapper /home/centosguru/fcgi-bin/php5.fcgi .php
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
I created the fcgi directory under the /home/centosguru directory
drwxr-x--- 11 centosguru centosguru 4096 Oct 9 08:55 .
drwxr-xr-x 11 root root 4096 Sep 28 13:55 ..
drwxr-xr-x 2 centosguru centosguru 4096 Oct 10 09:01 awstats
-rw-r--r-- 1 centosguru centosguru 25 Sep 12 08:25 .awstats-htpasswd
-rw-r--r-- 1 centosguru centosguru 33 Sep 12 08:25 .bash_logout
-rw-r--r-- 1 centosguru centosguru 176 Sep 12 08:25 .bash_profile
-rw-r--r-- 1 centosguru centosguru 124 Sep 12 08:25 .bashrc
drwxr-x--- 2 centosguru centosguru 4096 Sep 17 10:26 cgi-bin
drwxr-xr-x 2 centosguru centosguru 4096 Sep 17 10:26 etc
drwxr-xr-x 2 centosguru centosguru 4096 Oct 9 08:55 fcgi-bin
drwxr-xr-x 2 centosguru centosguru 4096 Sep 12 08:25 homes
drwxr-x--- 2 centosguru centosguru 4096 Oct 5 04:02 logs
drwxr-xr-x 4 centosguru centosguru 4096 Aug 29 10:05 .mozilla
drwxr-x--- 10 centosguru centosguru 4096 Sep 17 10:26 public_html
-rw-r--r-- 1 centosguru centosguru 25 Sep 12 08:25 .stats-htpasswd
drwx------ 3 centosguru centosguru 4096 Sep 12 08:25 .usermin
-rw-r--r-- 1 centosguru centosguru 658 Sep 12 08:25 .zshrc
So I think I am confused. Sorry for all this, but I am really trying to understand it.
Thanks again,
the dir structure looks good, i.e /etc and /fcgi-bin
this is what i have in the httpd.conf - <virtualhost> don't forget the RemoveHandler
<Directory /home/domain/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/domain/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/domain/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/domain/cgi-bin>
allow from all
</Directory>
RemoveHandler .php
RemoveHandler .php5
IPCCommTimeout 31
Arrgh!! if you could see my head now. :)
It was indeed that. I ran dos2unix on the php5.cgi, changed the permissions and bang, all good.
Thanks Eric for your patience on this, crazy newlines - I used windows to generate the php5.fcgi script and I used Notepad++ to do so and evidently neglected to select 'Convert to UNIX format'.
So solution found:
Don't use Windows!
Easy.
Cheers,
Paul
Correct me if I'm wrong, but seeing as it's even hard to find simplified docs on how to setup FastCGI + SuExec (as opposed to fcgid), can I ask if FastCGI has essentially the same setup as mod_fcgid (namely a fcgi script wrapper)?
Reason I ask is I had a lot of difficulty getting FastCGI tutorials I found online to actually work - so I thought maybe setting it up using the basic tutorials for mod_fcgid here, with the obvious FastCGI config replacements from other sites..?
EDIT: Since then, I have got fastcgi to work. The reason I wanted FastCGI and not fcgid, is because I needed output buffering turned off with the -flush option. Now it seems to work ;-)
Although I do have some questions about the PHPRC variable: 1) is it 'usable' in both FastCGI and Fcgid, and 2) does this get picked up internally somewhere, because when I set it in the wrapper script in FastCGI, I don't see the path appear anywhere when I run phpinfo(); under the appropriate vhost? Here's my example setting:
[code:1]PHPRC = /home/user1/conf
export PHPRC
PHP_CGI=/usr/bin/php-cgi
PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000
### no editing below ###
export PHP_FCGI_CHILDREN
export PHP_FCGI_MAX_REQUESTS
exec $PHP_CGI[/code:1]
Can't seem to edit...
In my /var/log/apache2/error.log I noticed these, maybe the problem lies in here somewhere. I am calling it quits for tonight. Thanks all.
[code:1]...
[Thu May 28 00:20:49 2009] [notice] mod_fcgid: call /home/micahk/public_html/test.php with wrapper /home/micahk/fcgi-bin/php5.fcgi
[Thu May 28 00:20:49 2009] [notice] mod_fcgid: server /home/micahk/public_html/test.php(4928) started
[Thu May 28 00:23:04 2009] [notice] caught SIGTERM, shutting down
[Thu May 28 00:23:05 2009] [notice] mod_fcgid: process /home/micahk/public_html/test.php(4928) exit(shutting down), terminated by calling exit(), return code: 0
...[/code:1]
Check suexec.log. This looks like maybe you have incorrect permissions somewhere (too much, not too little). Be sure the files being run are owned by the user/group, and are not writable by group or world.
In my GPL I don't see "Default PHP execution mode", just an add suexec option. If I used virt to nuke all of the sites and then recreated them, would they then have the correct settings for user-level running of scripts to work then?
Virtualmin GPL doesn't provide a GUI for managing the PHP execution mode. By default, it typically uses mod_php (which doesn't utilize suexec).
This thread here describes how you can setup suexec along with PHP using Virtualmin GPL:
http://www.virtualmin.com/node/8462
So if I tell it add suexec in GPL and then save that template, that does NOT get applied to subsequent servers?
If that's the case, what if I simply erased everything and configured that by default, would it work then? I just need a way to run things 755 instead of 777.
It does get applied to subsequent servers... it doesn't automatically get applied to existing servers.
For existing servers, you could either enable it manually, or even use the command line tools to enable it. Run the command "virtualmin modify-web" to see some options -- you can use the "--suexec" param in order to modify that setting for existing domains.
-Eric
Some of the virtual hosts were updated but this appeared at the bottom of the output:
Updating server *******.org ..
Error: No <Directory> section found for mod_fcgid directives
Error
-----
No <Directory> section found for mod_fcgid directives
-----
Can you suggest what to do? I manually added the +ExecCGI part to the <Directory> directives to work around this, but this problem does make the virtualmin modify-web --all-domains --mode fcgid command rather useless.
This "location" you mention doesn't exist.
Well, the location does but the label doesn't. Is this still the situation with GPL? Do I have to manually configure the httpd.conf for users (or add it to the server templates settings that I've seen posted in other posts).
if this thread is going to be stickied. Would be nice to have a clearly defined post stating what IS or ISN'T the case... not spread over several posts by replies from non-staff...
Thanks, Joe! I got it working for one of my sites, after fixing a few typos.
The AddHandler line should be .php instead of .php5, and the wrapper script is missing .ini at the end of the PHPRC line. (Mine now says [code:1]export PHPRC=$PWD/../etc/php5.ini[/code:1].)
So this worked for the first site I tried, but unfortunately, when I try it with any other virtual server, I get 403 Forbidden:
[code:1]You don't have permission to access /index.php on this server.[/code:1]
No errors in /var/log/httpd/suexec.log, and just a 403 in the web site's error_log. Upon removing the AddHandler line, it works again (falling back to mod_php). Any ideas?
I'm glad to hear that you're working on adding an interface to this to the GPL version. Right now, I'm a little uncomfortable with hard-coding things like /home/username into the httpd.conf--if the username ever changes (through Virtualmin), will all occurrences be updated?
> The AddHandler line should be .php instead of .php5, and the wrapper script is missing .ini at the end of the PHPRC line. (Mine now says
Oops on the former, but the latter is correct. PHPRC can be a directory path, containing php.ini. Sorry, I didn't make that one clear. ;-)
> No errors in /var/log/httpd/suexec.log, and just a 403 in the web site's error_log. Upon removing the AddHandler line, it works again (falling back to mod_php). Any ideas?
Are you sure the ownership of the wrapper and the application files are the user? And they aren't group/world writable?
Those are the obvious candidates for blame.
I did a google search, but didn't really come up with anything like what I wanted. I was hoping that someone might have an idea on how to start frank verdin
Howdy,
Well, this is a pretty old thread. Using FCGID and Suexec is actually the default setup in Virtualmin GPL now.
It's something you can configure by going into Server Configuration -> Website Options, and changing the PHP Execution Mode.
-Eric
> I'm glad to hear that you're working on adding an interface to this to the GPL version. Right now, I'm a little uncomfortable with hard-coding things like /home/username into the httpd.conf--if the username ever changes (through Virtualmin), will all occurrences be updated?
Generally, this kind of change is safe, because Virtualmin actually understands the configuration files it manages--it doesn't regenerate from templates, except when you turn off a feature and then turn it back on. That's why you love Virtualmin. ;-)
You can add this stuff to your Server Template (the AddHandler stuff) and your skel directory (the wrapper script and php etc. directory), and it'll get added to your virtual servers automatically in the future (and in the event you disable the server and re-enable later, causing the server config to be regenerated). So, it can be entirely automatic, just like in Professional. Just the switching from the UI will be missing.
Hi,
I'm running into an 'head bang against the wall' problem with suEXEC. I've followed the instructions laid out by the posts, and as far as I can see, everything should work ok......(but of course it isn't!)
Folder/file structure:
/home/domain/etc/php5/php.ini (644) (Owner/Group: domain)
/home/domain/fcgi-bin/php5.cgi (644) (Owner/Group: domain)
php5.fcgi:
#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi
httpd.conf:
SuexecUserGroup "#503" "#504"
ServerName domain
ServerAlias domain
ServerAlias domain
ServerAlias domain
ServerAlias domain
DocumentRoot /home/domain/public_html
ErrorLog /var/log/virtualmin/domain_error_log
CustomLog /var/log/virtualmin/domain_access_log combined
ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
ScriptAlias /awstats /home/domain/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/domain/public_html>
Options -Indexes IncludesNOEXEC FollowSymLinks ExecCGI
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/domain/fcgi-bin/php5.fcgi .php
</Directory>
<Directory /home/domain/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =domain
RewriteRule ^(.*) https://domain:20000/ [R]
RewriteCond %{HTTP_HOST} =domain
RewriteRule ^(.*) https://domain:10000/ [R]
Alias /dav /home/domain/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV On
AuthType Basic
AuthName domain
AuthUserFile /home/domain/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
</Location>
<Files awstats.pl>
AuthName "domain statistics"
AuthType Basic
AuthUserFile /home/domain/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch /cgi-bin/mailman/([^/]*)(.*) https://domain:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
RedirectMatch /mailman/([^/]*)(.*) https://domain:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
RemoveHandler .php
IPCCommTimeout 31
This is a fresh install of Virtualmin GPL on a CentOS 5.2 box, installed using the install.sh script, and I definitely have the vm version of httpd installed.
However, I still get a 500 Internal Server Error when I access a PHP page, and the following error in apache error logs:
[Thu Feb 19 14:00:33 2009] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Thu Feb 19 14:00:33 2009] [error] [client 12.34.56.78] Premature end of script headers: index.php
I'm tantalisingly close to it working, but am not sure where to go from here.
Thanks for any help,
Paul
Do you see an suexec log in /var/log/httpd/? Does it by chance contain any info on why things aren't working correctly for you?
-Eric
I checked the log, and at first I thought that you had hit the nail on the head. I found the following error:
file has no execute permission: (/home/online-media/fcgi-bin/php5.fcgi)
However, I think that this was messing with the permissions, so it is still not working even after I have changed the permissions to 755 for the file php5.fcgi.
Once the permissions have been changed, I now get the following in the logs:
uid: (503/domain) gid: (504/504) cmd: php5.fcgi
Cheers,
Paul
Okay, that definitely fixed part of it though -- are you seeing a more descriptive error in the Apache error_log now?
-Eric
Doh! I think my brain has decided to stop working. I neglected to look at the /etc/httpd/logs/error_log and instead was concentrating on the /var/log/virtualmin/domain_error_log.
[Thu Feb 19 15:37:53 2009] [notice] mod_fcgid: call /home/domain/public_html/_site/index.php with wrapper /home/domain/fcgi-bin/php5.fcgi
suexec failure: could not open log file
fopen: Permission denied
Cheers,
Paul
I've checked the permissions on /var/log/httpd/suexec.log and they are the following:
-rw-r--r-- 1 root apache
do you happen to know what the group/owner/permissions should be?
Cheers,
Paul
Well, since you're seeing messages in the suexec log file, I'm not sure that's what's being referred to here.. and your permissions look good above.
Does the timestamp for that logfile error correspond with your attempt to call the script?
-Eric
Yes, that is the case. The error messages are definitely being generated every time.
I'm actually finding quite a number of similar issues with suexec on the web.
I've changed permissions to chmod 4750 suexec.log as per http://httpd.apache.org/docs/2.0/suexec.html#install this, however it is still not working.
Cheers,
Paul
actually the link I posted previously is in reference to executing suexec, not the log file. So if I could edit the post I would :)
Any other ideas, as I'm stumped as to why this isn't working.
Thanks,
Paul
It looks like that issue had come up here in the past:
http://www.virtualmin.com/index.php?option=com_flyspray&Itemid=82&am...
Oddly enough, the problem ended up being that the file being called had Windows format newlines in it -- running the dos2unix program on the file in question resolved it.
-Eric
I tried to install following the steps in turn in this thread. Unfortunately, I have some problems. Why do I not have the directory /var/log/httpd/? Should I install some packages in addition to the installation of Virtualmin?
The directory /var/log/httpd would exist on CentOS / RHEL based distros.
If you're using Ubuntu or Debian, you'd want to look for /var/log/apache2.
-Eric
I created a wrapper ~/fcgi-bin/php5.fcgi. It is owned by the user and is executable and not writable by g/o. I copied php.ini from /etc/php5/apache2 to ~/user/etc/php5. I added 2 lines to the apache directives under the public_html section.
My php scripts still don't work. I get 403 errors on them, although they have the correct user and group and have exec permissions. Any suggestions?
This is my virtual host file:
<VirtualHost 111.111.246.121:80>
SuexecUserGroup "#1001" "#1002"
ServerName robertgrab.com
ServerAlias www.robertgrab.com webmail.robertgrab.com admin.robertgrab.com lists.robertgrab.com server3.robertgrab.com
DocumentRoot /home/grab/public_html
ErrorLog /var/log/virtualmin/robertgrab.com_error_log
CustomLog /var/log/virtualmin/robertgrab.com_access_log combined
ScriptAlias /cgi-bin/ /home/grab/cgi-bin/
ScriptAlias /awstats /home/grab/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/grab/public_html>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/grab/fcgi-bin/php5.fcgi .php
</Directory>
<Directory /home/grab/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.robertgrab.com
RewriteRule ^(.*) https://robertgrab.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.robertgrab.com
RewriteRule ^(.*) https://robertgrab.com:10000/ [R]
Alias /dav /home/grab/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV On
AuthType Basic
AuthName robertgrab.com
AuthUserFile /home/grab/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
</Location>
<Files awstats.pl>
AuthName "robertgrab.com statistics"
AuthType Basic
AuthUserFile /home/grab/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch /cgi-bin/mailman/([^/]*)(.*) https://robertgrab.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
RedirectMatch /mailman/([^/]*)(.*) https://robertgrab.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
</VirtualHost>
<VirtualHost 111.111.246.121:443>
SuexecUserGroup "#1001" "#1002"
ServerName robertgrab.com
ServerAlias www.robertgrab.com
ServerAlias webmail.robertgrab.com
ServerAlias admin.robertgrab.com
ServerAlias lists.robertgrab.com
DocumentRoot /home/grab/public_html
ErrorLog /var/log/virtualmin/robertgrab.com_error_log
CustomLog /var/log/virtualmin/robertgrab.com_access_log combined
ScriptAlias /cgi-bin/ /home/grab/cgi-bin/
ScriptAlias /awstats /home/grab/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/grab/public_html>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
</Directory>
<Directory /home/grab/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.robertgrab.com
RewriteRule ^(.*) https://robertgrab.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.robertgrab.com
RewriteRule ^(.*) https://robertgrab.com:10000/ [R]
SSLEngine on
SSLCertificateFile /home/grab/ssl.cert
SSLCertificateKeyFile /home/grab/ssl.key
Alias /dav /home/grab/public_html
Alias /pipermail /var/lib/mailman/archives/public
<Location /dav>
DAV On
AuthType Basic
AuthName robertgrab.com
AuthUserFile /home/grab/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
</Location>
<Files awstats.pl>
AuthName "robertgrab.com statistics"
AuthType Basic
AuthUserFile /home/grab/.awstats-htpasswd
require valid-user
</Files>
RedirectMatch /cgi-bin/mailman/([^/]*)(.*) https://robertgrab.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
RedirectMatch /mailman/([^/]*)(.*) https://robertgrab.com:10000/virtualmin-mailman/unauthenticated/$1.cgi$2
</VirtualHost>
Solved! Just added ExecCGI to this line in the Apache virtualhost directive:
[code:1]Options -Indexes IncludesNOEXEC FollowSymLinks[/code:1]
became
[code:1]Options -Indexes IncludesNOEXEC ExecCGI FollowSymLinks[/code:1]
For Debian and Virtualmin GPL the drill is like this:
[code:1]wget http://software.virtualmin.com/gpl/scripts/install.sh
chmod +x install.sh
./install.sh
apt-get install php5-mysql
mkdir /etc/skel/fcgi-bin
vi /etc/skel/fcgi-bin/php5.fcgi[/code:1]
[code:1]#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi[/code:1]
[code:1]chmod +x /etc/skel/fcgi-bin/php5.fcgi
mkdir /etc/skel/etc
mkdir /etc/skel/etc/php5
cp /etc/php5/apache2/php.ini /etc/skel/etc/php5/php.ini[/code:1]
Go to Virtualmin â
I forgot to mention that you should install the custom version of apache provided by virtualmin after running the install.sh script.
Add these sources to /etc/apt/sources.list:
[code:1]deb http://download.webmin.com/download/repository sarge contrib
deb http://software.virtualmin.com/gpl/debian/ virtualmin-etch main[/code:1]
Then install the custom Apache (2.2.3-50vm). I disabled the other repositories and then ran apt-get install apache. But this should also work:
[code:1]apt-get install apache2-mpm-worker[/code:1]
<b>Ok, so this is all a puddle of mud at this point.</b> I have an existing installation of Virtualmin running on Debian and I can't afford the downtime to go through from scratch. I see that apache already has a module for fcgid in the configuration files, and that it is active. So, I'm guessing I just need to, as the first post stated, "recompiled suEXEC with docroot /home." ?
/etc/apache2/httpd.conf is completely empty for me, so I have been editing the /etc/apache2/sites-available/<DOMAINNAME>.conf files. Incorrect?
<b>What I have done:</b>
1) Made a directory and file "/home/DOMAIN-USER/fcgi-bin/php5.fcgi" that literally has:
[code:1]#!/bin/bash
PHPRC=$PWD/../etc/php5
export PHPRC
umask 022
SCRIPT_FILENAME=$PATH_TRANSLATED
export SCRIPT_FILENAME
exec /usr/bin/php-cgi[/code:1]
2) Copied the file "/etc/php5/php.ini" to "/home/DOMAIN-USER/etc/php5/php.ini"
3) In the web access portal for my server (which is not in physical proximity), I went to <u>Webmin</u> > <u>Servers</u> > <u>Apache Webserver</u>, clicked on "<u>Global Configuration</u>", clicked on the "<u>Edit Config Files</u>" icon, selected "etc/apache2/sites-available/<DOMAINNAME>.conf" and pressed the <u>Edit Directives in File</u> button. That file looks like this after I added the two lines:
[code:1]...
<Directory /home/DOMAIN-USER/public_html>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/DOMAIN-USER/fcgi-bin/php5.fcgi .php
</Directory>
...[/code:1]
I have this PHP script to test it out, and so far here are the only results I get:
PHP Script "test.php"
[code:1]<?php
echo posix_getuid();
print("<br/>\n<br/>\n");
echo getmyuid();
?>[/code:1]
<div class='quote'>33
1004</div>
So, I will keep at it, but I am getting more confused the more I read and would love for someone to shed some light on what I have left to do. Also, I wonder if I should do these steps with each and every virtual server account so that the PHP scripts won't be broken? Anyway, thanks all.
It looks like you're on the right track.
Which version of Debian are you using?
Debian 5 just began making suexec a bit simpler to work with -- first, what does this output:
/usr/lib/apache2/suexec -V
And then, if you're using Debian 5, rather than recompiling, suexec can be tweaked here:
/etc/apache2/suexec/www-data
Thanks for the prompt follow up andreychek. Running Debian 4.0
[code:1]> /usr/lib/apache2/suexec -V
-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"[/code:1]
So, apparently the doc root is not the problem then, blast. This doesn't help me any. Glad I didn't already try to recompile the code though.
Yeah, that all looks pretty good.
Did you say that the suexec module is definitely being loaded in Apache?
Also, are you seeing any messages in /var/log/apache2/suexec.log?
-Eric
Ok... progress... maybe? I have to restart the apache server to kick in the changes. It's always the simple things in life.
I can toggle between a 403 error and it "working" of sorts (but not as a running process of the user):
403 error:
[code:1]...
<Directory /home/micahk/public_html>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/micahk/fcgi-bin/php5.fcgi .php
</Directory>
...[/code:1]
"working" but w/out using the UID of the domain admin
[code:1]...
<Directory /home/micahk/public_html>
Options -Indexes IncludesNOEXEC ExecCGI FollowSymLinks
allow from all
AllowOverride All
AddHandler fcgid-script .php
FCGIWrapper /home/micahk/fcgi-bin/php5.fcgi .php
</Directory>
...[/code:1]
There has not been a single error in the suexec.log file at any point in this process.
Any easy command to see if suexec and fcgid are actually running? They are both marked as enabled.
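A static check for the conditions this thread ran into (no ExecCGI in the `Options` of a directory that has the fcgid handler, no `SuexecUserGroup` in the vhost, wrapper ownership and write bits), as an added example that is not part of the original posts or of Virtualmin's own tooling. The function names `audit_vhost`, `audit_wrapper` and `demo`, and the sample config and paths, are constructed for illustration.

```shell
#!/bin/bash
# Added example; the sample vhost and all paths below are constructed.
# audit_vhost FILE: one finding per line (ignores Options inheritance and .htaccess).
audit_vhost() {
    awk '
    { d = tolower($1) }
    d ~ /^<virtualhost/    { suexec = 0; fcgid = 0; vh = $2; sub(/>$/, "", vh) }
    d == "suexecusergroup" { suexec = 1 }
    d ~ /^<directory/      { dir = $2; sub(/>$/, "", dir); cgi = 0; h = 0 }
    d == "options" {
        for (i = 2; i <= NF; i++) {
            o = tolower($i)
            if (o ~ /^[+]?execcgi$/) cgi = 1; else if (o == "-execcgi") cgi = 0
        }
    }
    d == "fcgiwrapper" || (d == "addhandler" && tolower($2) == "fcgid-script") { h = 1 }
    d == "</directory>" {
        if (h && !cgi) print dir ": fcgid handler without ExecCGI (403 in this thread)"
        if (h) fcgid = 1; h = 0
    }
    d == "</virtualhost>" && fcgid && !suexec {
        print vh ": no SuexecUserGroup, PHP runs as the Apache user"
    }' "$1"
}

# audit_wrapper FILE OWNER: ownership and write bits that suEXEC also checks.
audit_wrapper() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "$f: missing"; return 0; }
    [ -x "$f" ] || echo "$f: not executable"
    [ -n "$(find "$f" -prune -user "$owner")" ] || echo "$f: not owned by $owner"
    for p in "$f" "$(dirname "$f")"; do
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] ||
            echo "$p: writable by group or other"
    done
}

demo() {   # constructed case: no ExecCGI, no SuexecUserGroup, wrapper mode 775
    t=$(mktemp -d); mkdir "$t/fcgi-bin"; chmod 755 "$t/fcgi-bin"
    printf '%s\n' '<VirtualHost *:80>' "<Directory $t/public_html>" \
        'Options -Indexes IncludesNOEXEC FollowSymLinks' \
        'AddHandler fcgid-script .php' "FCGIWrapper $t/fcgi-bin/php5.fcgi .php" \
        '</Directory>' '</VirtualHost>' > "$t/site.conf"
    printf '#!/bin/bash\nexec /usr/bin/php-cgi\n' > "$t/fcgi-bin/php5.fcgi"
    chmod 775 "$t/fcgi-bin/php5.fcgi"
    audit_vhost "$t/site.conf"; audit_wrapper "$t/fcgi-bin/php5.fcgi" "$(id -u)"
    rm -rf "$t"
}
demo
```

These are file-level checks only; whether the modules are loaded is a separate question that `apache2ctl -M` answers, alongside the `suexec -V` output shown earlier in the thread.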