Running PHP securely under apache

The Virtual Handler File

I was confused by the descriptions of files in /usr/lib/cgi-bin. I had a few issues I thought were to do with file ownership of /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk, and what the heck is meant to be in the file? One site explained what its author thought goes in them, but remember that “virtual” parameter on
Action php7-fcgi-equipel.co.uk /php7-fcgi-equipel.co.uk virtual

The real answer is they don’t have to exist. That’s right, as long as the listen.owner and listen.group (see the next page for what these parameters mean and where they are set) have permission to “pass through” the /usr/lib/cgi-bin folder from notional file /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk to the actual socket then the files are unnecessary.

The 660 permission for www-data has to be granted in this virtual manner (don’t change it using chmod) on the /usr/lib/cgi-bin folder, and by the Apache Directory directive Require all granted that we put into the virtual hosts file.

I never claimed that this set-up was obvious.

Also, the AddHandler and Action can only be defined once. If you want to use the same PHP user for another site you cannot just add all these lines to a virtual host file again (Apache gives a startup error if the handler or its associated action is defined more than once); you only need to add the last two lines to the other site configuration:

Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk -socket /run/php/php7.0-fpm.equipel.co.uk.sock -pass-header Authorization -flush
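As an added example (not configuration from the original post), here is how the pieces described above fit together in one place: the handler and action defined once for the whole server, the Directory directive that lets requests pass through /usr/lib/cgi-bin to the socket without any real handler file existing, and the two lines that each virtual host sharing that PHP-FPM pool repeats. The site names, document roots and the second site’s name are assumptions; the handler name and socket path follow the post’s own examples, and the second virtual host follows the post’s recipe of repeating only the Alias and FastCgiExternalServer lines.

```apache
# Added example, not from the original post. Site names, document roots
# and the second site's name are assumed; the handler name and socket
# path match the examples in the text.

# --- Defined ONCE for the whole server (for example in a file under
#     conf-available, or in the first virtual host). Apache refuses to
#     start if the handler or its action is defined a second time. ---
AddHandler php7-fcgi-equipel.co.uk .php
Action     php7-fcgi-equipel.co.uk /php7-fcgi-equipel.co.uk virtual

# The "virtual" handler file /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
# never has to exist on disk. Apache only needs to be allowed to map a
# request through this directory to the external FastCGI socket, which
# is what this Directory block grants. Do not chmod the folder itself.
<Directory /usr/lib/cgi-bin>
    Require all granted
</Directory>

# --- First site: the only per-site lines are the Alias and the
#     FastCgiExternalServer pointing at this pool's socket. The socket's
#     listen.owner / listen.group in the PHP-FPM pool config must allow
#     the Apache user to connect to it. ---
<VirtualHost *:80>
    ServerName equipel.co.uk
    DocumentRoot /var/www/equipel.co.uk

    Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk \
        -socket /run/php/php7.0-fpm.equipel.co.uk.sock \
        -pass-header Authorization -flush
</VirtualHost>

# --- Second site run as the same PHP user (assumed name). Following the
#     post's recipe it repeats only the last two lines; adding AddHandler
#     or Action here again would make Apache fail to start. ---
<VirtualHost *:80>
    ServerName second-site.example
    DocumentRoot /var/www/second-site.example

    Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk \
        -socket /run/php/php7.0-fpm.equipel.co.uk.sock \
        -pass-header Authorization -flush
</VirtualHost>
```

The security point of the split is that each site’s PHP runs as its own pool user while Apache itself never needs write access to anything but the socket; the virtual handler path is just a name Apache uses to pick the socket, so there is no file under /usr/lib/cgi-bin whose ownership matters.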

I suppose there might be some aspect of alphabetic order involved: is the configuration of a site called aaa.com loaded into Apache before that of bbb.com? Because of the security considerations most of my sites are run by a user which owns just that site, but I have two sites which are owned by the same user and I was working through a sorted list. I’ve only done this once and it works, so I haven’t revisited it.

