Twisted Apache configuration with VirtualDocumentRoot, suExec for PHPs, and binfmts
Comments(0) Here’s an interesting Apache configuration that is going to help us radically cut down on our maintenance of the web sites on Radix. My goal is to be able to do the following:
- Avoid the need for a separate VirtualHost block for every different domain we host (upwards of 50 now)
- Make PHP scripts run as their owners, so that “gallery” installations store files under their owner so that we can effectively control per-user quotas
I found a good solution for #1 using Apache’s VirtualDocumentRoot configuration, and I thought I found an easy way to fix the PHP scripts using suPHP. Unfortunately, there was some incompatibility between the two due to the lack of a defined DocumentRoot, so I was stuck. Luckily I found an interesting idea under Securing PHP on Debian Linux (which is what we are running).
It took quite a bit of fiddling, but I finally came up with a process for getting both solutions working together:
- Enable suExec - One Debian you do this by moving /usr/lib/apache/suexec.disabled to just “suexec”, then you have to do a hard restart on Apache.
- Make sure that the php4-cgi package is installed
- Remove any mod_php and mod_suphp configurations from Apache (they will conflict with the next setting)
- Modify httpd.conf with “AddHandler cgi-script .php”, remove all other PHP-related AddHandlers and AddTypes
- Use the update-binfmts command described on pokey’s page to tell the Linux kernel to execute .php scripts using the PHP interpreter: “update-binfmts –install PHP /usr/bin/php4 –extension php”
- Hard restart Apache, look for the “suEXEC mechanism enabled” in the error log
- chmod a+x all of your PHP scripts and you should be off to the races!
I know this is all a little insane, but it has allowed us to cut our Apache configuration file by almost 300 lines, and removed a whole raft of custom configurations (we just let people override what they need in .htaccess). I thought it was worth documenting.
