A Stone Bell

Deep and Sonorous, or maybe just a Dull Thud?


Running PHP securely under Apache

What do these entries mean?

None of the sites I’ve found explain these lines. I’m now going to explain the links and give what I think is the rationale behind it all. If I’m wrong, I apologize, but the entries still work, so you can skip this page if you think this is too much information or a little dubious.

The pattern of these entries is:

AddHandler AAA .php
Action AAA BBB virtual
FastCgiExternalServer CCC -socket DDD -pass-header Authorization -flush

I’ve used “php7-cgi-” in all the names, AAA, BBB and CCC – I didn’t bother to find out if that was strictly necessary (I doubt that it is) but it seemed good in-line documentation for me.

The name BBB is the same as AAA but with a leading /, and CCC is AAA prefixed by /usr/lib/cgi-bin/, while DDD is slightly different (with a php7.0-fpm. not php7-cgi-) and it is in /run/php (apparently) with a .sock suffix.

It is this “DDD” name in the Apache virtual host configuration file which must be the same as the value of the listen parameter in the pool configuration file (more on that later) to link things together.

Here’s my understanding of all of this. Firstly we need a new Handler entry point (if that’s the correct term in this case) for Apache:

AddHandler php7-fcgi-equipel.co.uk .php

This tells Apache that when it encounters files with a .php suffix it should invoke an external handler, which is as yet unspecified. Then we must instruct Apache what action to take when this handler gets invoked, by linking it to an “actual” file:

Action php7-fcgi-equipel.co.uk /php7-fcgi-equipel.co.uk virtual

The “/” prefix on the second parameter tells Apache that this is a file and now we have to tell it where to find this file. The virtual parameter means don’t check that this file exists now, so it isn’t really an “actual” file at all – you’ll see what I mean by that on the next page.

Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk

The location is the shared script folder, which I’ll also explain on the next page. Finally (for Apache’s links that is, we aren’t there yet), we define an external CGI script server by saying references to this file are diverted to a socket:

FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk -socket /run/php/php7.0-fpm.equipel.co.uk.sock -pass-header Authorization -flush
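A consistency check for the chain of names described above, as an added example (not code from the original post). It reads one virtual host fragment and one pool file and reports which link (AAA, BBB, CCC or DDD) is broken; the pool section name and the function names are assumptions made for illustration.

```python
import re

# Constructed sample vhost fragment, using the directives shown on this page.
VHOST = """\
AddHandler php7-fcgi-equipel.co.uk .php
Action php7-fcgi-equipel.co.uk /php7-fcgi-equipel.co.uk virtual
Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk -socket /run/php/php7.0-fpm.equipel.co.uk.sock -pass-header Authorization -flush
"""
# Constructed pool fragment (assumption: the page only says "listen" must match DDD).
POOL = """\
[equipel.co.uk]
listen = /run/php/php7.0-fpm.equipel.co.uk.sock
"""

def directive_args(conf, name, count):
    """Arguments of the single `name` directive, or None if absent, repeated or short."""
    hits = [l.split()[1:] for l in conf.splitlines()
            if l.split() and l.split()[0].lower() == name.lower()]
    return hits[0] if len(hits) == 1 and len(hits[0]) >= count else None

def check_chain(vhost, pool):
    """Return a list of broken links; an empty list means the chain is consistent."""
    handler = directive_args(vhost, "AddHandler", 2)
    action = directive_args(vhost, "Action", 2)
    alias = directive_args(vhost, "Alias", 2)
    server = directive_args(vhost, "FastCgiExternalServer", 3)
    if None in (handler, action, alias, server):
        return ["each directive must appear exactly once with its arguments"]
    # Only the bare "listen" key counts, not listen.owner or a ;commented line.
    listen = re.search(r"^\s*listen\s*=\s*(\S+)", pool, re.M)
    socket = server[server.index("-socket") + 1] if "-socket" in server[:-1] else None
    problems = []
    if action[0] != handler[0]:
        problems.append("Action name differs from the AddHandler name (AAA)")
    if alias[0] != action[1]:
        problems.append("Alias URL differs from the Action path (BBB)")
    if server[0] != alias[1]:
        problems.append("FastCgiExternalServer file differs from the Alias target (CCC)")
    if socket is None or listen is None or socket != listen.group(1):
        problems.append("-socket differs from the pool's listen value (DDD)")
    return problems

if __name__ == "__main__":
    print(check_chain(VHOST, POOL) or "chain consistent")
```

With several sites on one server, running this per virtual host catches a socket that points at another site's pool.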
