Differences between revisions 6 and 19 (spanning 13 versions)
Revision 6 as of 2009-08-18 12:42:12
Size: 6322
Editor: monster05
Comment:
Revision 19 as of 2022-07-15 12:03:03
Size: 5794
Editor: stroth
Comment: Update webbi03 to webbi10
Line 1: Line 1:
#rev 2018-09-25 pmeier
#rev 2020-09-01 pmeier
Line 6: Line 8:
In April 2005, we implemented some changes affecting the integration of PHP into the Apache Web server. With many installations, PHP runs as a module (`libphp4.so` or `libphp5.so`) within Apache. While this is good for performance reasons, it has some serious drawbacks as far as Web server security is concerned - every PHP application runs under the same account (in our case, it's the `httpd` user). Other users on the people.ee.ethz.ch Web server might therefore interfere with your PHP applications, all your PHP files have to be readable by the `httpd` user, safe mode needs to be enabled in order to prevent further damage etc. ... but fortunately, all this no longer applies to the setup on the people.ee.ethz.ch Web server. We're now using [[http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html|mod_fastcgi]] to link PHP to Apache.
##(If you're interested in the gory details these [[http://isg.ee.ethz.ch/events/j2005/papers/ap2suexecfcgiphp.pdf|slides]] have some more information.)

The following list of questions and answers should help to clear things up.
We're using [[http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html|mod_fastcgi]] to link PHP to Apache. The following list of questions and answers should help to clear things up.
Line 13: Line 12:
== PHP Wrapper ==
In order for your PHP website to work properly with suexec, you need to configure a PHP wrapper. The suexec feature provides users of the Apache HTTP Server the ability to run PHP under their own user ID. Normally, when a PHP program executes, it runs as the same user who is running the web server.

/!\ The apache standard suexec module does not accept implicitly (index.php) or directly called php-scripts with write permissions for group !

Please create a .htaccess file in your public_html directory with the following content and replace <account> with your personal account:
{{{
FCGIWrapper /home/<account>/public_html/.fcgi/php-wrapper .php
}}}
Please also create the .fcgi directory and create there the php-wrapper file with content:
{{{#!highlight sh
#!/bin/sh
#
exec /usr/bin/php-cgi
#
}}}
Both files ( .htaccess and php-wrapper ) need to be readable by world:
{{{
chmod 644 .htaccess
chmod 755 .fcgi
chmod 755 .fcgi/php-wrapper
}}}
<<BR>>
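Review bot: the warning in this section says suexec rejects PHP scripts that have group write permission, but the chmod block that follows only covers .htaccess, .fcgi and php-wrapper, so a reader whose scripts are mode 664 still ends up with a failing site. Add a step that clears group write on the PHP scripts themselves (for example chmod g-w on them), and reword "Both files ( .htaccess and php-wrapper ) need to be readable by world", since the block also changes the .fcgi directory and sets execute bits.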
Line 16: Line 38:

`/usr/galen/netvar/apache/logs/error_log.people` `/usr/galen/netvar/apache/logs/error_log.people_ee_ssl`

These directories (automounted by NFS) might not be available on all UNIX workstations; if you can't find them simply log in to galen (with `ssh people.ee.ethz.ch`), where they are available under `/var/log/apache`.
<<BR>><<BR>>
`/var/log/apache2/people.error.log`
<<BR>><<BR>>
Simply log in to webbi10(with `ssh people.ee.ethz.ch`).
Line 24: Line 46:
Create a `.php` subdirectory in your home directory (`mkdir ~/.php`) and put a `php.ini` file in this subdirectory. For a list of the parameters you can set in php.ini, have a look at http://www.php.net/manual/en/ini.php Create a `.user.ini` file in your public_html (`touch ~/public_html/.user.ini`). For a list of the parameters you can set in .user.ini, have a look at http://www.php.net/manual/en/ini.php
Line 26: Line 48:
Please note that PHP only reads the settings from your `php.ini` when the PHP interpreter starts for the first time, so to make sure your changes to your `php.ini` become effective, you can either wait for the next day (see the question below about the lifetime of your PHP processes) or manually kill your current PHP process(es) - they are automatically restarted by `mod_fastcgi`: Please note that PHP only reads the settings from your `.user.ini` when the PHP interpreter starts for the first time, so to make sure your changes to your `.user.ini` become effective, you can either wait for the next day (see the question below about the lifetime of your PHP processes) or manually kill your current PHP process(es) - they are automatically restarted by `mod_fastcgi`:
Line 29: Line 51:
joe@galen:~> pkill -u $USER -f php }}}
You can use `pgrep -u $USER -fl php` to see whether you have any persistent PHP processes running. And make sure that you are running this command on the `people.ee.ethz.ch` Web server itself (i.e. on `galen`).
joe@webbi10:~> pkill -u $USER -f php }}}
You can use `pgrep -u $USER -fl php` to see whether you have any persistent PHP processes running. And make sure that you are running this command on the `people.ee.ethz.ch` Web server itself (i.e. on `webbi10`).
Line 34: Line 56:

Note that we still recommend to run your PHP applications under safe mode (see http://www.php.net/manual/en/features.safe-mode.php). After all, the PHP code now runs with the rights of your account, and you have to take the responsibility for the proper use for this (cf. http://computing.ee.ethz.ch/overview/rules.en.html).

To enable safe mode, put this line into your `~/.php/php.ini` file:

{{{
safe_mode = On
}}}
and then restart your PHP process, if necessary (see above).
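Review bot: dropping the safe mode paragraph also drops the sentence "the PHP code now runs with the rights of your account, and you have to take the responsibility for the proper use for this" together with the link to the usage rules. That sentence does not depend on safe_mode and is the main security consequence of the suexec setup, so it should stay in the security answer even though the safe_mode = On instructions go.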
Line 61: Line 74:
wget -O installer.php http://pear.php.net/go-pear wget -O installer.phar http://pear.php.net/go-pear.phar
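Review bot: the download URL on this line stays on plain http:// after the change from go-pear to go-pear.phar, and the next step runs the downloaded file with php under the user's own account. Suggest fetching the installer over https:// instead, so that the file cannot be altered in transit before it is executed.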
Line 63: Line 76:
php installer.php php installer.phar
Line 70: Line 83:
# A) modify /home/YOURUSERNAME/.php/php.ini and set the include_path to let it # A) modify /home/YOURUSERNAME/public_html/.user.ini and set the include_path to let it
Line 75: Line 88:
----
[[CategoryWEBA]]

Running PHP applications

Another option for creating dynamic Web content is PHP - the PHP: Hypertext Preprocessor, a very popular HTML-embedded scripting language (see http://www.php.net).

We're using mod_fastcgi to link PHP to Apache. The following list of questions and answers should help to clear things up.

PHP Wrapper

In order for your PHP website to work properly with suexec, you need to configure a PHP wrapper. The suexec feature provides users of the Apache HTTP Server the ability to run PHP under their own user ID. Normally, when a PHP program executes, it runs as the same user who is running the web server.

Warning: The standard Apache suexec module does not accept PHP scripts that have write permission for the group, whether they are called implicitly (index.php) or directly.

Please create a .htaccess file in your public_html directory with the following content and replace <account> with your personal account:

FCGIWrapper /home/<account>/public_html/.fcgi/php-wrapper .php

Please also create the .fcgi directory and create there the php-wrapper file with content:

#!/bin/sh
#
exec /usr/bin/php-cgi
#

Both files (.htaccess and php-wrapper) need to be readable by world:

chmod 644 .htaccess
chmod 755 .fcgi
chmod 755 .fcgi/php-wrapper


My PHP application doesn't work. What should I do?

The first thing you should do is to have a look at the error log file written by Apache. You can find the error log files under

/var/log/apache2/people.error.log

Simply log in to webbi10 (with ssh people.ee.ethz.ch).

Can I have my own PHP settings (php.ini)?

Yes, you can. That's one of the advantages of our setup.

Create a .user.ini file in your public_html (touch ~/public_html/.user.ini). For a list of the parameters you can set in .user.ini, have a look at http://www.php.net/manual/en/ini.php

Please note that PHP only reads the settings from your .user.ini when the PHP interpreter starts for the first time, so to make sure your changes to your .user.ini become effective, you can either wait for the next day (see the question below about the lifetime of your PHP processes) or manually kill your current PHP process(es) - they are automatically restarted by mod_fastcgi:

joe@webbi10:~> pkill -u $USER -f php 

You can use pgrep -u $USER -fl php to see whether you have any persistent PHP processes running. And make sure that you are running this command on the people.ee.ethz.ch Web server itself (i.e. on webbi10).

What about PHP security (file permissions etc.)?

Security has definitely improved with the new setup. You no longer have to make your PHP scripts (with passwords for database access or similar) readable for the httpd user, nor does a directory have to be writable for httpd. You can set the permissions for your .php files to a mode as tight as 0400 (-r--------, for read-only access) or 0600 (-rw-------, read-write access). No fiddling with ACLs (setfacl) is required any more.
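
The permission rules from the PHP Wrapper section and from this answer can be checked with a small audit script. This is an added example, not part of the original page or of the server setup it describes; the function names audit_public_html and has_perm and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a public_html tree against the permission rules above.
# Prints one line per finding; the exit status is the number of findings.

# has_perm PATH MODE: true if PATH has every permission bit of octal MODE set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

audit_public_html() {
    dir=$1
    wrapper=$dir/.fcgi/php-wrapper
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # .htaccess must exist and be world-readable (chmod 644).
    if [ ! -f "$dir/.htaccess" ] || ! has_perm "$dir/.htaccess" 004; then
        report "$dir/.htaccess is missing or not world-readable"
    fi
    # .fcgi and the wrapper must be readable and executable by world (chmod 755).
    if [ ! -d "$dir/.fcgi" ] || ! has_perm "$dir/.fcgi" 005; then
        report "$dir/.fcgi is missing or not mode 755"
    fi
    if [ ! -f "$wrapper" ] || ! has_perm "$wrapper" 005; then
        report "$wrapper is missing or not world-executable"
    elif has_perm "$wrapper" 020 || has_perm "$wrapper" 002; then
        report "$wrapper is writable by group or others"
    fi
    # suexec rejects group-writable PHP scripts; also flag world-writable ones.
    bad=$(find "$dir" -type f -name '*.php' \( -perm -020 -o -perm -002 \))
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/FINDING: writable by group or others: /'
        findings=$((findings + $(echo "$bad" | wc -l)))
    fi
    return "$findings"
}

# Constructed demo tree: correct wrapper setup, one group-writable script.
demo=$(mktemp -d)
mkdir "$demo/.fcgi"
printf 'FCGIWrapper /home/<account>/public_html/.fcgi/php-wrapper .php\n' > "$demo/.htaccess"
printf '#!/bin/sh\nexec /usr/bin/php-cgi\n' > "$demo/.fcgi/php-wrapper"
printf '<?php echo "hi"; ?>\n' > "$demo/index.php"
printf '<?php $db_pass = "constructed"; ?>\n' > "$demo/config.php"
chmod 644 "$demo/.htaccess"; chmod 755 "$demo/.fcgi" "$demo/.fcgi/php-wrapper"
chmod 664 "$demo/index.php"; chmod 600 "$demo/config.php"
audit_public_html "$demo" || echo "$? finding(s)"
```

Run against a real site with audit_public_html ~/public_html; a script kept at 0600, like config.php in the demo, passes, while the 0664 index.php is reported.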

To learn more about PHP and security we recommend these URLs as starting points:

How long will "my" PHP process survive?

There is no exact answer to this question. The minimum lifetime of your PHP process depends on how many other users have concurrent PHP processes running (with the current setting, mod_fastcgi will probably first kill those which have been idle for the longest amount of time). Depending on our experience with the platform, we might modify these settings from time to time, so we can't really give you an exact answer, as stated above. The maximum lifetime of a PHP process, BTW, is 24 hours - at 0:10 a.m. every day Apache's log files are rotated, which will also result in your PHP process being shut down.

Why does my PHP based page take so long to show up in the browser?

Probably because it's the first time you open the page on this very day. Apache first checks if there is already a PHP process available which runs under your account, and if it doesn't find one, there is some overhead to get an initial process started. After the first request to a PHP based page on your Web site, the PHP performance should be much higher.

How can I use/install additional PEAR modules?

With our PHP installation, we're providing basic PEAR modules. If you require additional modules for your project, follow these steps in your login shell:

# switch to your home directory
cd ~
# download PEAR installer
wget -O installer.phar http://pear.php.net/go-pear.phar
# run the installer
php installer.phar
# the installer asks for an install prefix, we recommend /home/YOURUSERNAME/pear.
# the installer will put the pear binary (used to install modules) into the 'bin' directory
# below the install prefix. either add that directory to your PATH environment or
# call it with the absolute path to install packages, e.g. to install the HTTP_Client package:
pear install HTTP_Client
# to make your PHP application find the additional PEAR packages, you can either
# A) modify /home/YOURUSERNAME/public_html/.user.ini and set the include_path to let it
#      point to /home/YOURUSERNAME/pear/PEAR or
# B) do it inside your scripts, e.g.
# <?php set_include_path(get_include_path() . PATH_SEPARATOR . '/home/YOURUSERNAME/pear/PEAR'); ?>



Web/Homepage/PHP (last edited 2022-07-15 12:03:03 by stroth)