Apache + Chroot + FastCGI + PHP FAQ

Contents

I : Introduction

A : Summary and Scope

B : What is a chroot?

C : Why use chroot?

D : Why not CGI?

E : Why FastCGI + Chroot?

II : Apache + Chroot + FastCGI Configuration

A : Apache with chroot’d webspaces

B : FastCgiWrapper

C : Apache + FastCGI

D : How does it all work?

III : Adding PHP to the mix

A : The PHP Wrapper and What it Does

B : Configuring the VirtualHost

C : Enabling FastCGI in PHP

D : Configuring php.ini

E : eAccelerator

F : Configuring Other Interpreters

IV : Troubleshooting

A : Troubleshooting Apache

B : Troubleshooting suexec (or your own wrapper)

C : Troubleshooting FastCGI

D : Troubleshooting FastCGI enabled PHP

E : Troubleshooting the PHP Wrapper

F : Troubleshooting FastCGI PHP Scripts

V : Comments, Caveats, Questions

VI : Credits

I : Introduction

A : Summary and Scope

This FAQ covers the general setup of Apache with mod_fastcgi in chroot'd user environments. Both Apache and mod_fastcgi are extremely well documented, as is using them together. This document is mainly intended to show how chroot, Apache and FastCGI can be used in concert, not how each is used on its own, and it is not meant to be the authority on methods of doing so. It merely attempts to show how it can be done and to illustrate the various necessities of a functional configuration.

In this FAQ the FastCGI application we focus on is PHP, partly because of its popularity and partly because it is what I am using this setup for at the moment. Other CGI applications should be applicable in a similar manner.

B : What is a chroot?

From Wikipedia :

    "A chroot on Unix operating systems is an operation which changes the root directory. It affects only the current process and its children. "chroot" itself can refer to the chroot(2) system call or the chroot(8) wrapper program. A program that is re-rooted to another directory cannot name files outside that directory. This provides a convenient way to sandbox an untrusted, untested or otherwise dangerous program. It is also a simple kind of jail mechanism."

-- http://en.wikipedia.org/wiki/Chroot

C : Why use chroot?

Mainly security, in a couple of different ways. First, it segments your users from one another. If user X runs chmod 777 on all his files, he is still protected from user Y: user Y's scripts are chroot()'d when they run, and his ssh or telnet session is chroot()'d when he logs in. He can only see and interact with his own mini-environment.

This segmentation is not only a fix for user-to-user problems; it can also keep a single breach from growing. For instance, our troublesome user Y writes a script with a security flaw that allows files to be uploaded and executed, or perhaps he just installs a faulty script. A malicious client visits user Y's site, uploads files and executes them. That client is running as user Y and may be able to damage user Y's files. However, user X from the previous example is still safe, and so are the system files that might otherwise have allowed privilege escalation.

Chroot is not the absolute in security, but I have seen one site get defaced and exploits uploaded that were never able to gain privileges because of the chroot environment.

D : Why not CGI?

The way I initially used Apache with chroot environments was with CGI. Using the binfmt_misc module, we could set all .php scripts to execute with /usr/bin/php, so inside each chroot there had to be a /usr/bin/php, for instance /www/host.com/usr/bin/php, or wherever you have defined your chroot VirtualHosts.

Apache would call suexec, which would chroot to the user passed to it from Apache's VirtualHost directive; it would then execute the PHP script, which would in turn call the interpreter /usr/bin/php. (A hashbang line, #! /usr/bin/php, at the top of the script achieves the same effect; binfmt_misc just saves your users a step.)

There are several drawbacks to this scenario, the main one being that every time a script is called, PHP must load itself into memory, process the script, output the result and tear down. This is a lot of overhead for one script. Try Apache's benchmark tool with 10 concurrent requests and watch the CPU load as each PHP process executes. It is quite a load on the system, and it is also very slow compared to mod_php or FastCGI.

This leads us to the various "PHP accelerators" out there, such as APC and eAccelerator. These will not work in CGI mode: they cache compiled scripts in memory, but because each CGI process starts and stops for every script, nothing can be retained in memory between requests. This is another major drawback, because these accelerators can offer quite an improvement in speed through less disk access and fewer CPU cycles per script.

Another speed improvement can be gained from persistent MySQL connections. However, as with the accelerators, nothing can be retained in memory, so persistent connections are not possible when running PHP as a CGI.

All of these are major drawbacks to running PHP, Perl, Python or anything else as a CGI. In almost every category CGIs are slower, require more CPU and memory, and make serving a large number of requests nearly untenable. The next section covers how FastCGI eliminates these problems and greatly improves performance while still maintaining the advantages of the chroot environment.

E : Why FastCGI + Chroot?

First of all, mod_fastcgi spawns a process called "fcgi-pm" (the FastCGI Process Manager), which in turn spawns the persistent FastCGI-enabled application. fcgi-pm pipes information back and forth between Apache and the FastCGI-enabled application.

This way only one running process is needed to execute PHP scripts, where previously we needed one CGI process for each script being processed. This saves CPU, time and memory, since the binary is preloaded and ready to process scripts.

Also, as discussed above, since the process is persistent in memory, eAccelerator or APC will work with it, caching compiled scripts in memory and thus eliminating compile time and disk access. Persistent MySQL connections also function correctly with this setup.

These are all major improvements in CPU usage and in how fast scripts are served. The speed gain depends on the script, but the faster it executes and gets out of the way, the sooner the next request can be processed.

As to the chroot: before, we had the security advantages of segmenting users from users, and users and their clients from other users and their clients. With FastCGI the process is very similar to chroot'ing with Apache. FastCGI provides for a wrapper that executes the interpreter, in this case PHP.

Depending on your wrapper, it will run the FastCGI PHP process as the user specified in the VirtualHost directive as well as chroot'ing the FastCGI-enabled process to that user's web space. There are chroot suexec wrappers out there that you can use if you do not already have one.

II : Apache + Chroot + FastCGI Configuration

A : Apache with chroot’d webspaces

As mentioned above, Apache allows for a wrapper when it runs CGI applications. You specify the UID and GID the CGI should run as in the VirtualHost directive; finding the proper location to chroot to is the wrapper's job. The suexec wrapper always runs as root, no matter who calls it. When called, it chroot's itself to the calling user's directory, then drops privileges to that user, closes the file descriptor for its log file, and then runs the CGI in the chroot environment. Again, the user is passed from the VirtualHost directive, which looks like this :

    ServerName www.host.com
    ServerAdmin [email protected]
    SuexecUserGroup "user" "group"
    ...

I use chrootssh (http://chrootssh.sf.net), which allows ssh sessions to be chroot'ed as well. It looks for "/./" in the user's home directory path as specified in /etc/passwd.

For instance, in /etc/passwd it looks like this :

domain_admin:x:UID:GID:USER NAME:/www/h/o/host.com/./:/bin/bash

The suexec wrapper then reads the home directory and uses "/./" to find where it should chroot() to: it locates "/./" in the user's home path, terminates the string there, and uses the prefix as the chroot path. This should be a simple modification to your Apache and FastCGI wrappers if you know basic C.

This way you can have :

domain_user:x:UID:GID:USER NAME:/www/h/o/host.com/./users/domain_user:/bin/bash

domain_user then lives inside the same chroot, so you can have multiple users per VirtualHost, each with their own home directory, yet separated from other domains' users. This way a website can have several real users, and the domain administrator has the ability to add other users. They can share the same GID as well, and quotas can be applied per user and over the whole domain.

But this all just depends on how you set up your system.
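The "/./" convention and the wrapper's chroot-then-drop-privileges sequence, as an added example in C. This is not the FAQ author's wrapper, chrootssh or suexec itself; the functions split_jail_path(), jail_of(), inner_home_of() and enter_jail() are this example's own names, and the passwd home entry it parses is constructed from the layout shown above. The chroot and privilege drop need root, so main() only performs the parse and never executes anything.

```c
#define _DEFAULT_SOURCE          /* for setgroups() in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_MARK "/./"

/* Split a passwd home directory such as "/www/h/o/host.com/./users/domain_user"
 * into the chroot directory ("/www/h/o/host.com") and the home path as it
 * appears inside the jail ("/users/domain_user").  "/www/h/o/host.com/./"
 * yields an inner path of "/".  Returns 0 on success, -1 if there is no
 * marker or the path is not one we are willing to chroot to. */
int split_jail_path(const char *home, char *jail, size_t jail_len,
                    char *inner, size_t inner_len)
{
    const char *mark;
    size_t n;

    if (home == NULL || home[0] != '/')
        return -1;                       /* must be absolute */
    mark = strstr(home, JAIL_MARK);
    if (mark == NULL || mark == home)
        return -1;                       /* no marker, or an empty jail prefix */
    if (strstr(home, "/../") != NULL || strstr(mark + 2, JAIL_MARK) != NULL)
        return -1;                       /* refuse traversal and second markers */

    n = (size_t)(mark - home);           /* length of the jail prefix */
    if (n + 1 > jail_len || strlen(mark + 2) + 1 > inner_len)
        return -1;
    memcpy(jail, home, n);
    jail[n] = '\0';
    strcpy(inner, mark + 2);             /* "/./x" -> "/x", keeping the slash */
    return 0;
}

/* One-shot convenience wrappers (static buffers, so not re-entrant); they
 * return NULL when split_jail_path() rejects the entry. */
const char *jail_of(const char *home)
{
    static char jail[4096], inner[4096];
    return split_jail_path(home, jail, sizeof jail, inner, sizeof inner) == 0 ? jail : NULL;
}

const char *inner_home_of(const char *home)
{
    static char jail[4096], inner[4096];
    return split_jail_path(home, jail, sizeof jail, inner, sizeof inner) == 0 ? inner : NULL;
}

/* Enter the jail and become the VirtualHost user, in an order where each step
 * is still permitted: chroot() while root, chdir() so the working directory is
 * inside the new root, drop supplementary groups, then gid, then uid.  The
 * wrapper's log descriptor (or -1) is closed last so the CGI cannot write to
 * it.  Returns 0 on success, -1 with errno set otherwise. */
int enter_jail(const char *jail, const char *inner, uid_t uid, gid_t gid, int log_fd)
{
    if (uid == 0 || gid == 0) {          /* a CGI must never run as root */
        errno = EPERM;
        return -1;
    }
    if (chroot(jail) != 0)
        return -1;
    if (chdir(inner) != 0)
        return -1;                       /* cwd would otherwise stay outside the jail */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;                   /* the drop did not stick; abort */
        return -1;
    }
    if (log_fd >= 0)
        close(log_fd);
    return 0;
}

int main(void)
{
    /* constructed passwd home entry following the FAQ's layout */
    const char *home = "/www/h/o/host.com/./users/domain_user";
    const char *jail = jail_of(home);

    if (jail == NULL) {
        fprintf(stderr, "rejected home directory: %s\n", home);
        return 1;
    }
    printf("chroot to %s, then chdir to %s inside it\n", jail, inner_home_of(home));
    /* a real wrapper would now call enter_jail() and execve() the CGI; that
     * needs root, so it is deliberately not done here */
    return 0;
}
```

The order inside enter_jail() is the part worth copying: chdir() must follow chroot() or the process keeps a working directory outside the jail, and the final setuid(0) probe confirms the drop is irreversible before any user code runs.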

I don’t want to go too in-depth into suexec and Apache, because they have very detailed documentation already :

Suexec information for Apache 1.3 : http://httpd.apache.org/docs/1.3/suexec.html

Suexec information for Apache 2.0 : http://httpd.apache.org/docs/2.0/suexec.html

B : FastCgiWrapper

Just like Apache, FastCGI allows for a wrapper to execute the FastCGI-enabled applications. It will probably be very similar to Apache's wrapper, but there are two main differences between the two.

First, the FastCGI application, in this case PHP, will most likely not be owned by the user. It will usually be owned by root, although it does not have to be. By default, Apache's suexec wrapper checks for the proper ownership of a file before executing it, and this check will have to be disabled to allow a PHP binary not owned by the user to run. Also, since the binary is owned by someone else, it is writable by someone else, most likely root, so the checks for ownership and for group- and user-writable files will have to be disabled. This allows suexec to execute the wrapper even though it is owned and writable by root.

Secondly, the wrapper is only executed when fcgi-pm (the FastCGI process manager) needs to start a process, not for every CGI script that runs. This won't make much difference to you, but it is good to keep in mind when troubleshooting your wrapper. Once it has started a FastCGI process to handle requests for scripts, it won't run again until a new FastCGI process is needed, or until Apache is restarted, which necessitates a new process since they are all terminated when Apache is terminated.

(For install information, http://www.fastcgi.com)

Note : Some people have requested that I provide my wrapper. The main problem with this is that I have a pretty unique wrapper, heavily modified to allow specific things about my setup to work. The changes that need to be made have been enumerated above.

But for those who are interested, Gasior has made his wrapper available here. It is a modification of sbox (http://stein.cshl.org/software/sbox/).

Hopefully this and the information this FAQ provides will allow you to adjust an existing chroot wrapper to your FastCGI configuration. I strongly suggest that you get your setup working as CGI (Apache + suexec + chroot) first. Then install mod_fastcgi and work on getting a working wrapper and a functional setup. It is much easier to do it in this order and much less overwhelming. Also, refer to section IV-B for FastCGI wrapper troubleshooting tips.
