
Installing and configuring Apache suEXEC and suPHP

火星人 @ 2014-03-04

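Running PHP with suPHP

Installing the environment with yum
Apache and PHP are both installed with yum.
# yum install httpd php php-cli
Make sure PHP provides php-cgi, because suPHP requires PHP to run in CGI/FastCGI mode.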

#php -v
PHP 5.2.6 (cli) (built: May  5 2008 10:32:59)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

#php-cgi -v
PHP 5.2.6 (cgi-fcgi) (built: May  5 2008 10:29:53)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Installing suPHP
# wget http://www.suphp.org/download/suphp-0.7.1.tar.gz
# tar zvxf suphp-0.7.1.tar.gz
# cd suphp-0.7.1
suPHP can be built with two sets of configure options; the main difference is the setid-mode.
1. Test mode, which provides no security at all
# ./configure --prefix=/usr/local/suphp \
--sysconfdir=/usr/local/suphp/etc \
--with-apache-user=apache \
--with-setid-mode=owner \
--with-apxs=/usr/sbin/apxs \
--with-apr=/usr/bin/apr-1-config
2. Production mode; use the following configuration
# ./configure --prefix=/usr/local/suphp \
--sysconfdir=/usr/local/suphp/etc \
--with-apache-user=apache \
--with-setid-mode=paranoid \
--with-apxs=/usr/sbin/apxs \
--with-apr=/usr/bin/apr-1-config
The specific difference between the two is explained later, in the Apache configuration section.

# make
# make install
# mkdir /usr/local/suphp/etc
# cp doc/suphp.conf-example /usr/local/suphp/etc/suphp.conf

Edit suphp.conf
# vi /usr/local/suphp/etc/suphp.conf
###########----------------------------------


[global]
;Path of the log file
logfile=/var/log/httpd/suphp.log

;Log level: "info", "warn", "error", "none".
loglevel=info

;User Apache is running as
webserver_user=apache

;Path all scripts have to be in
docroot=/

;Path to chroot() to before executing script
;chroot=/mychroot

;Security options; enable as needed
;allow_file_group_writeable=false
allow_file_group_writeable=true
allow_file_others_writeable=false
;allow_directory_group_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false

;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;check_vhost_docroot=false

;Send minor error messages to browser
errors_to_browser=false

;PATH environment variable
env_path=/bin:/usr/bin

;Umask to set, specify in octal notation
umask=0077

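;min_uid and min_gid: the user and group the web site runs as must have
;IDs greater than or equal to these values; otherwise, for security reasons,
;the script will not run. Set these to suit your system; typically
;uid=500 gid=100
min_uid=1000
min_gid=1000

[handlers]
;Must point at the CGI-mode PHP binary; this is important
;x-httpd-php="php:/usr/bin/php"
x-httpd-php="php:/usr/bin/php-cgi"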

;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
##################---------------------------------------

Integrating with Apache
Comment out all of the existing PHP configuration options in Apache, including the modules.
# vi /etc/httpd/conf.d/suphp.conf
####--------------
LoadModule suphp_module modules/mod_suphp.so

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName 127.0.0.1
    DocumentRoot /var/www/svnadmin
    DirectoryIndex index.php

    # Enable the suPHP engine
    suPHP_Engine on
    # User and group that /var/www/svnadmin runs as
    suPHP_UserGroup webtest1 suphp
    # File extensions to be handled
    AddHandler x-httpd-php .php .php3 .php4 .php5
    suPHP_AddHandler x-httpd-php
    # PHP configuration file
    suPHP_ConfigPath /etc/php.ini
</VirtualHost>

###########-------------

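Points to note
Assuming Apache's DocumentRoot is set to "/var/www/html", the owner and group of the /var/www directory must be root:root, with permissions normally set to 755.
All virtual host web directories must be placed under /var/www; they must not be placed under the DocumentRoot directory configured for Apache.
Suppose I have a virtual host at /webserver/www/test; in that case the owner and group of /webserver/www must be root:root.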
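
The ownership notes above, together with min_uid, min_gid and the allow_*_others_writeable settings in suphp.conf, can be checked before a site goes live. The script below is an added example, not part of the original post and not suPHP's own code; the function names, the TOP argument and the "script owner or root" rule for parent directories are assumptions made for the illustration, and it needs GNU stat.

```sh
#!/bin/sh
# Added example; thresholds copied from the suphp.conf shown above.
MIN_UID=1000   # min_uid
MIN_GID=1000   # min_gid

# others_writable MODE: true when the octal mode grants write to "others".
others_writable() {
    case "$1" in *[2367]) return 0 ;; esac
    return 1
}

# audit_script FILE TOP (hypothetical helper)
# Checks FILE, then each directory from its parent up to TOP inclusive.
# Prints one finding per line; exit status 0 means nothing was found.
audit_script() (
    file=$1; top=$2; bad=0
    info=$(stat -c '%u %g %a' -- "$file") || exit 2
    set -- $info
    owner=$1; group=$2; mode=$3
    if [ "$owner" -lt "$MIN_UID" ]; then echo "owner uid $owner below min_uid: $file"; bad=1; fi
    if [ "$group" -lt "$MIN_GID" ]; then echo "group gid $group below min_gid: $file"; bad=1; fi
    if others_writable "$mode"; then echo "others-writable file: $file"; bad=1; fi
    dir=$(dirname -- "$file")
    while :; do
        info=$(stat -c '%u %a' -- "$dir") || exit 2
        set -- $info
        # Assumption: a parent directory must belong to the script owner or root.
        if [ "$1" != "$owner" ] && [ "$1" != 0 ]; then
            echo "directory not owned by uid $owner or root: $dir"; bad=1
        fi
        if others_writable "$2"; then echo "others-writable directory: $dir"; bad=1; fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    [ "$bad" -eq 0 ]
)

# Stand-alone use: sh audit.sh /var/www/svnadmin/index.php /var/www
if [ "$#" -ge 2 ]; then audit_script "$1" "$2"; fi
```

Group-writable files and directories are not reported because the suphp.conf above sets both allow_*_group_writeable options to true.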
Testing whether it works
Write index.php
<?php
        phpinfo();
?>

Open it in a web browser; if you see
Server API         CGI/FastCGI
the setup is working.


Installing from source



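suPHP is a little faster than suEXEC (the method originally used to upgrade dv3.0 to PHP 5); faster than suPHP is suphp_mod_php; faster still is mpm-peruser, though installation and configuration become correspondingly more troublesome.
By comparison, suPHP's speed is acceptable (for sites without heavy load) and it is easy to configure: there is no need to modify each virtual host's parameters (that is, $HOME/conf/vhost.conf); changing Apache's main configuration is enough. It is also simpler than the FastCGI approach above, which uses an event-triggered script.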


Apache suEXEC
1. Installing with yum
# cd /etc/yum.repos.d/
# wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
... and set gpgcheck to 0 and enabled to 1 in the section:
[...]

name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/

# yum install httpd mod_fcgid php-cli

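Integrating with Apache
Comment out all of the existing PHP configuration options in Apache, including the modules.

Add the following line at the end of php.ini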
cgi.fix_pathinfo = 1

# groupadd web1
# useradd -s /bin/false -d /var/www/web1 -m -g web1 web1
# chmod 755 /var/www/web1
# mkdir -p /var/www/web1/web
# chown web1:web1 /var/www/web1/web

We will run PHP using suExec; suExec's document root is /var/www, as the following command shows:
# /usr/sbin/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

Therefore we cannot call the PHP binary (/usr/bin/php-cgi) directly because it is located outside suExec's document root. As suExec does not allow symlinks, the only way to solve the problem is to create a wrapper script for each web site in a subdirectory of /var/www; the wrapper script will then call the PHP binary /usr/bin/php-cgi. The wrapper script must be owned by the user and group of each web site, therefore we need one wrapper script for each web site. I'm going to create the wrapper scripts in subdirectories of /var/www/php-fcgi-scripts, e.g. /var/www/php-fcgi-scripts/web1

# mkdir -p /var/www/php-fcgi-scripts/web1
# vi /var/www/php-fcgi-scripts/web1/php-fcgi-starter
#!/bin/sh
PHPRC=/etc/
export PHPRC
export PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_CHILDREN=8
exec /usr/bin/php-cgi       

# chmod 755 /var/www/php-fcgi-scripts/web1/php-fcgi-starter
# chown -R web1:web1 /var/www/php-fcgi-scripts/web1
# vi /etc/httpd/conf.d/fcgid.conf
#######################--------------------------------
# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at http://fastcgi.coremail.cn/doc.htm

LoadModule fcgid_module modules/mod_fcgid.so

# Use FastCGI to process .fcg .fcgi & .fpl scripts
# Don't do this if mod_fastcgi is present, as it will try to do the same thing
#<IfModule !mod_fastcgi.c>
#    AddHandler fcgid-script fcg fcgi fpl
#</IfModule>

# Sane place to put sockets and shared memory file
SocketPath run/mod_fcgid
SharememPath run/mod_fcgid/fcgid_shm
IPCConnectTimeout 10
IPCCommTimeout 20
OutputBufferSize 0
MaxRequestsPerProcess 500
#AddHandler fcgid-script .fcgi .php

NameVirtualHost *:80
<VirtualHost *:80>
  ServerName fcgi.test.com
  DocumentRoot /var/www/fcgi

  # The wrapper named in FCGIWrapper must be owned by this user and group
  # (the wrapper created above was chowned to web1:web1)
  SuexecUserGroup webcgi fcgi
  PHP_Fix_Pathinfo_Enable 1
  AddHandler fcgid-script .php
  <Directory /var/www/fcgi/>
    Options +ExecCGI
    AllowOverride All
    FCGIWrapper /var/www/php-fcgi-scripts/web1/php-fcgi-starter .php
    Order allow,deny
    Allow from all
  </Directory>
  ServerSignature Off

</VirtualHost>

Q: Apache reports the warning "SuexecUserGroup directive requires SUEXEC wrapper." during startup.
A: This is a warning caused by incorrect permissions on suEXEC. Check:
# ls -la /usr/sbin/suexec
It should be:
-rwsr-xr-x 1 root root 12064 2008-04-17 01:15 /usr/sbin/suexec
The important part is the s permission, i.e. the setuid bit. If the permissions differ from the above, fix them:
# sudo chown root:root /usr/sbin/suexec
# sudo chmod 4755 /usr/sbin/suexec
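
The wrapper requirements described above (inside suEXEC's document root, not a symlink, owned by the web site's user and group) can be checked against the suexec -V output before Apache is restarted. The script below is an added example, not part of the original post and not suEXEC's own logic; the function names are hypothetical, the embedded text is the suexec -V output quoted above, and it needs GNU stat.

```sh
#!/bin/sh
# Added example. Sample input: the `suexec -V` output quoted in the post.
SUEXEC_V=' -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"'

# suexec_setting NAME TEXT: value of "-D NAME=..." with the quotes stripped.
suexec_setting() {
    printf '%s\n' "$2" | sed -n "s/^ *-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# check_wrapper WRAPPER UID GID TEXT (hypothetical helper)
# UID and GID are the numeric ids behind the vhost's SuexecUserGroup.
# Prints one finding per line; exit status 0 means nothing was found.
check_wrapper() (
    wrapper=$1; want_uid=$2; want_gid=$3; text=$4; bad=0
    root=$(suexec_setting AP_DOC_ROOT "$text")
    uid_min=$(suexec_setting AP_UID_MIN "$text")
    gid_min=$(suexec_setting AP_GID_MIN "$text")
    if [ -L "$wrapper" ]; then echo "wrapper is a symlink: $wrapper"; bad=1; fi
    case "$wrapper" in
        "$root"/*) ;;
        *) echo "wrapper is outside AP_DOC_ROOT $root"; bad=1 ;;
    esac
    if [ "$want_uid" -lt "$uid_min" ]; then echo "uid $want_uid below AP_UID_MIN $uid_min"; bad=1; fi
    if [ "$want_gid" -lt "$gid_min" ]; then echo "gid $want_gid below AP_GID_MIN $gid_min"; bad=1; fi
    info=$(stat -c '%u %g' -- "$wrapper") || exit 2
    set -- $info
    if [ "$1" != "$want_uid" ] || [ "$2" != "$want_gid" ]; then
        echo "wrapper owned by $1:$2, vhost runs as $want_uid:$want_gid"; bad=1
    fi
    [ "$bad" -eq 0 ]
)

# Stand-alone use: sh check.sh WRAPPER UID GID (reads the live suexec -V output)
if [ "$#" -ge 3 ]; then check_wrapper "$1" "$2" "$3" "$(/usr/sbin/suexec -V 2>&1)"; fi
```

For the configuration above, the ids to pass are those of the user and group named in SuexecUserGroup, for example the output of id -u and id -g for that account.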
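《Solution》

Not bad,

When posting, it's best to disable Smilies
《Solution》

Thanks. Everyone is welcome to test and verify.
《Solution》

Originally posted by liang3391 on 2009-7-21 17:07
Running PHP with suPHP

Installing the environment with yum
Apache and PHP are both installed with yum
# yum install httpd php php-cli
Make sure PHP provides php-cgi, because suPHP requires PHP to run in CGI/FastCGI mode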

#php -v
PHP 5.2.6 ...


Really nice. Hehe


http://coctec.com/docs/service/show-post-21525.html