Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Securing PHP in Multi-Website Environment with mod_fcgid |
|
| Author |
|
jmweb
Joined: 08 Jun 2017
Posts: 8
Location: USA, Charlotte
|
 Posted: Wed 23 Oct '19 7:51 Post subject: Securing PHP in Multi-Website Environment with mod_fcgid |
 |
|
As the title states, how would one go about securing PHP in a multi-website environment using mod_fcgid? What I am attempting to achieve is a setup similar to what one would do using PHP-FPM - separate pools assigned to specific users that restrict file system access. My WAMP setup is pretty straightforard. One VirtualHost per website with:
| Code: |
AddHandler fcgid-script php
FcgidInitialEnv PHP_INI_SCAN_DIR "A_DIRECTORY"
FcgidWrapper "PATH_TO__php-cgi.exe"
|
However, I am forced to rely on PHP's open_basedir to restrict cross-website file access. Unfortunately, this setting carries a huge performance cost that has come to bite me. I would love to somehow configure mod_fcgid in such a way to be able to disable open_basedir without losing the file access prevention benefits it provides.
Thanks! |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Wed 23 Oct '19 14:26 Post subject: |
|
|
mod_fcgid[1] does not offer that feature to run it with a different user.
Indeed I tried php fpm on windows, but I gave up.
There you could use "Runas" from windows to start the fpm process or install it as a service.
| Code: |
<VirtualHost *:80>
ServerName fpm.example.com
DirectoryIndex index.php
CustomLog "C:\nul" common
<IfModule proxy_fcgi_module>
# Enable http authorization headers
<IfModule setenvif_module>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
ProxyPassMatch ^(.*\.php(.*)?)$ fcgi://127.0.0.1:9000/c:/Users/mario/work/$1
</IfModule>
DirectoryIndex /index.php index.php
DocumentRoot "/Users/mario/work"
<Directory "/Users/mario/work">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
|
[1] https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html |
|
| Back to top |
|
jmweb
Joined: 08 Jun 2017
Posts: 8
Location: USA, Charlotte
|
| Posted: Thu 24 Oct '19 0:57 Post subject: |
|
|
Thanks for replying - it's greatly appreciated.
Correct me if I am wrong, but your example code will require a batch file (or a similar controller) to start php-cgi.exe instances that will wait for connections from each VirtualHost. How would one go about setting this up and, more importantly, at scale?
I like the way mod_fcgid handles this automatically. I wonder if one could specify a batch file for FcgidWrapper and pass options to it which the batch file could interpret as the runas user. Something like: FcgidWrapper "/PATH_TO_PHP-CGI.EXE username".
Any thoughts on this approach? And lastly, what does your setup look like? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Wed 30 Oct '19 9:57 Post subject: |
|
|
| jmweb wrote: | Thanks for replying - it's greatly appreciated.
Correct me if I am wrong, but your example code will require a batch file (or a similar controller) to start php-cgi.exe instances that will wait for connections from each VirtualHost. How would one go about setting this up and, more importantly, at scale?
|
That is true, you need to run it from cmd, but you can run a batch file in windows as a service, too.
| jmweb wrote: |
I like the way mod_fcgid handles this automatically. I wonder if one could specify a batch file for FcgidWrapper and pass options to it which the batch file could interpret as the runas user. Something like: FcgidWrapper "/PATH_TO_PHP-CGI.EXE username".
Any thoughts on this approach? And lastly, what does your setup look like? |
I like mod_fcgid better, too. I recommend it all the time. But like I told you before that is not possible to change the user with mod_fcgid |
|
| Back to top |
|
|
|
|
|
|
