The term “PHP handlers” refers to a certain type of Apache module and these contain those libraries that are used by the Apache web server for running and interpreting PHP code.
Table of Contents • FCGI daemon (FCGId) • LSAPI • suPHP • suPHP Security Checks • suPHP Security Checks (Continued) • suPHP Security Checks (Continued I) • The suphp.conf File Warnings • Introduction • Change your PHP Handler • CGI • CGI (Continued) • DSO • DSO (Continued) • FastCGI Process Manager (FPM)
Introduction • PHP (Hypertext Preprocessor) handlers are a type of Apache module. These contain libraries. These libraries are used by the Apache web server for interpreting and running PHP code. The configuration file, /etc/apache2/conf.d/php.conf has the global directives which configure the PHP application handlers of Apache. The php.conf configuration file is loaded by an include command in the httpd.conf Apache configuration file. This ensures that the handlers load on start up. • 6 PHP handlers are offered by cPanel & WHM, by default. Each of these handlers is different from the others in its files and implementation. This impacts the speed and the security aspect with regard to how the PHP requests are handled by Apache. • To digress, cPanel is a web hosting control panel. The service of web hosting is provided by web hosting companies and the most efficient services are usually referred to as the “Best Cloud Hosting”, the “Best Windows Hosting”, the “Best Website Hosting”, etc.
Change your PHP Handler • The PHP handler can be changed in the PHP Handlers section of the MultiPHP Manager interface in WHM. Alternatively, the rebuild_phpconf script can be used. WHM >> Home >> Software >> MultiPHP Manager
CGI • PHP applications are executed by the CGI handler through the mod_cgi or the mod_cgid Apache modules. When the suEXEC module is installed, PHP applications are executed by the system as the user who owns the VirtualHost that served the request. When the suEXEC module is uninstalled, PHP applications are executed by the system as the nobody system user. mod_cgi and mod_ruid2 are provided by default by the system. • The settings of the CGI handler can be customized in the PHP file, .user.ini • These customizations are inherited by a domain when the domain is set to Inherit in the MultiPHP Manager interface in WHM. WHM >> Home >> Software >> MultiPHP Manager
CGI (Continued) In the context of CGI, the points that need to be mentioned are as follows: • PHP scripts can be executed with permissions of 0400, when a per-user module has been enabled, such as suEXEC or Ruid2. • PHP scripts can be executed with permissions of 0444, when a per-user module has been disabled, such as suEXEC or Ruid2. • Apache directives cannot be used with the mod_cgi or the mod_cgid Apache modules. A custom php.ini file needs to be used instead. • Response headers cannot be set in an .htaccess file, when the mod_cgi or the mod_cgid Apache modules are used. The FPM or suPHP Apache modules need to be used for setting response headers in an .htaccess file.
DSO • The PHP language is embedded by the DSO handler inside the Apache webserver. The use of Apache directives is allowed by DSO. Unless DSO is used, these directives cannot be used in an .htaccess file. The MPM Prefork Apache Module is required by the DSO handler. When the DSO PHP handler is used, PHP applications are executed as the nobody user. This is the case unless the mod_mpm_itk or mod_ruid2 Apache modules are used. • It needs to be mentioned that the user account which executed the script cannot be easily identified when PHP scripts execute as the nobody user. Moreover, the data can be viewed by unauthorized users.
DSO (Continued) • The DSO handler is not included as a default in EasyApache 4. The PHP package that is to be used needs to be installed for using the DSO handler. • The DSO PHP package can be installed in the PHP Extensions section of the EasyApache 4 interface in WHM. WHM >> Home >> Software >> EasyApache 4 • Certain important points to mention are as follows: • DSO can be used as the handler for one version of PHP on the system. • DSO with PHP 8 is not supported by cPanel & WHM. • The text, DSO, will not be present in the display name of the handler. • PHP scripts need to have permissions of at least 0644 to execute, unless a per-user module, such as Ruid2 or ITK is being used. • Files as the nobody user are created by the PHP scripts which run under DSO. Adequate permissions that are required for accessing and reading the PHP files need to be there with the nobody user. The nobody user needs to have permissions to write to the directories and files which are affected by the script.
FastCGI Process Manager (FPM) • PHP applications are served by FastCGI. This is attained through the mod_proxy_fcgi Apache module. It is a fast method which might require changes to the FastCGI directives for efficient functioning. Emergency restarts, process management, as well as IP address restriction are included in the PHP-FPM (FastCGI Process Manager) implementation of FastCGI. • The mod_proxy_fcgi Apache module is included by default in EasyApache 4. This module can be installed in the Apache Modules section of the EasyApache 4 interface in WHM. WHM >> Home >> Software >> EasyApache 4 • The settings of the CGI handler can be customized in the PHP file, .user.ini • These customizations are inherited by a domain when the domain is set to Inherit in the MultiPHP Manager interface in WHM. WHM >> Home >> Software >> MultiPHP Manager
FCGI daemon (FCGId) PHP applications are served by FCGId through the Apache module, mod_fcgid. An alternative is provided to the Apache module, mod_cgi by the Apache module, mod_fcgid. Multiple instances of a program are launched by FCGId in order to enable the system for handling requests that are multiple and concurrent. The following points need to be mentioned in this context: • Prior to the version 74 of cPanel & WHM, the mod_fcgid Apache module was incompatible with MultiPHP. • If FCGId is used by the default PHP version, then all PHP versions will use FCGId on those systems that run version 76 or earlier of cPanel & WHM. • The mod_fcgid Apache module is recommended only for advanced system administrators as they understand the way in which to modify the mod_fcgid Apache module’s performance. • The Apache module mod_fcgid is not compatible with the Apache modules mod_ruid2 or mod_mpm_itk.
LSAPI • A fast as well as stable way for serving PHP applications is provided by LSAPI. The version of LSAPI of cPanel & WHM is different from that of CloudLinux. Connection pooling, CRIU (Checkpoint/Restore in Userspace) and opcache preservation are disabled by this version. • The Apache module, mod_lsapi, is included by default in EasyApache 4. The mod_lsapi Apache module can be installed in the Apache Modules section of the EasyApache 4 interface in WHM. WHM >> Home >> Software >> EasyApache 4
suPHP • The ability to run PHP scripts as the user with the Apache module, mod_suphp, is ensured by this option. A secure and flexible way for serving PHP requests is provided by this module. It needs to be mentioned that if suPHP is used, then no benefits are provided to the server by the PHP cache management extensions. • The mod_suphp Apache module is compiled in paranoid mode by EasyApache. Several patches enhance the Apache UserDir support. Apache directives cannot be used with the mod_suphp module. A php.ini file is placed in that directory which contains the PHP script, in order to specify these values. Alternatively, a php.ini file is placed in the location that is specified by the system administrator. It needs to be noted that the .ini files are loaded in a specific order by suPHP. The mod_suphp Apache module can be installed in the Apache Modules section of the EasyApache 4 interface of WHM. WHM >> Home >> Software >> EasyApache 4 • You need to uninstall suPHP if you need to use the mpm_itk or the mod_ruid2 Apache modules as suPHP is incompatible with these modules. Moreover, permissions need to be at least 0640 in order to execute PHP scripts.
suPHP Security Checks Various security checks are performed by the mod_suphp Apache module, prior to executing a PHP script. The mod_suphp configuration file, /etc/suphp.conf needs to be edited if these checks have to be disabled. The following security checks can be edited: • docroot – This is the directory in which PHP scripts must reside. In order to improve security, this value needs to be changed to /home/. The default value is / • allow_file_group_writable – The execution of PHP scripts with the group write bit permission is prevented by this security check. This directive can be changed to true for allowing these scripts to execute. Doing so reduces security. The default value is false. • allow_file_others_writable – The execution of PHP scripts with the others write bit permission is prevented by this security check. This directive can be changed to true for allowing these scripts to execute. Doing so reduces security. The default value is false. • check_vhost_docroot – This security check ensures that suPHP checks if the target script resides in the request-serving VirtualHost’s document root.
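The file-level checks above (docroot, group write bit, others write bit) can be rehearsed against a document tree before they are enforced. The following is an added example, not cPanel or suPHP code: it approximates those three checks with os.stat, and the function names, the default docroot of /home and the sample tree built in demo() are assumptions of the example.

```python
import os
import stat
import tempfile

def script_findings(path, docroot="/home"):
    """Return the reasons a script would fail the file-level checks."""
    findings = []
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    # docroot: the script must reside under the configured directory.
    if os.path.commonpath([real, root]) != root:
        findings.append("outside docroot")
    mode = os.stat(real).st_mode
    # allow_file_group_writable=false rejects the group write bit.
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    # allow_file_others_writable=false rejects the others write bit.
    if mode & stat.S_IWOTH:
        findings.append("others-writable")
    return findings

def scan(tree, docroot="/home"):
    """Walk a tree and map every flagged .php file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(tree):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                found = script_findings(full, docroot)
                if found:
                    report[full] = found
    return report

def demo():
    """Scan a constructed tree holding one clean and two risky scripts."""
    samples = (("ok.php", 0o640), ("grp.php", 0o660), ("world.php", 0o646))
    with tempfile.TemporaryDirectory() as tree:
        for name, mode in samples:
            full = os.path.join(tree, name)
            with open(full, "w") as fh:
                fh.write("<?php // constructed sample\n")
            os.chmod(full, mode)
        result = scan(tree, docroot=tree)
        return {os.path.basename(k): v for k, v in result.items()}

if __name__ == "__main__":
    print(demo())
```

Files reported here are the ones that would stop executing once both allow_file_*_writable directives are left at false.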
suPHP Security Checks (Continued) • userdir_overrides_usergroup – This configuration option is allowed by cPanel-specific patches. The default value is true. • paranoid_uid_check – suPHP can be compiled in different security modes. The paranoid mode is used by EasyApache. A paranoid UID check is performed by the mod_suphp module in order to verify that the script is executed by the user ID which owns it. The default value is true. • paranoid_gid_check – It is verified by this security check that the script is executed by the group ID which owns it. The default value is true. • umask – The default permissions for those files that are uploaded by suPHP to the server are set by this option. 0033, 0077, 0777 need to be used for enhanced security. The default value is 0022.
suPHP Security Checks (Continued I) • min_uid – It is the lowest user ID for executing scripts that is allowed by the server. This value needs to be set to 100 or 500 for improving security. The default value is 1. • min_gid – It is the lowest group ID for executing scripts that is allowed by the server. This value needs to be set to 100 or 500 for improving security. The default value is 1. • full_php_process_display – When this value is set to true, PHP scripts are executed by the mod_suphp module in a way which displays the PHP interpreter and the file name of the script in the process list. The default value is true.
The suphp.conf File Warnings • The [phprc_paths] section is included in the file, suphp.conf. This section can be used to lock a specific PHP handler to its default php.ini file. However, it is strongly recommended to not do so. • The path to the php.ini file is set by the suPHP_ConfigPath configuration directive. This directive needs to be set in either the file, httpd.conf or in an .htaccess file. The Options parameter needs to be removed from the Apache AllowOverride directive in order to prevent the use of this directive in .htaccess files. The [phprc_paths] settings that are in the suphp.conf file override any suPHP_ConfigPath settings. • It is strongly recommended that the system is allowed to load the .ini files as well as directives as these are found. The most predictable results are ensured by it. It is strongly recommended that the [phprc_paths] section, the suPHP_ConfigPath directive or the PHPRC environmental variable not be set, as this might cause unexpected behaviour.
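The recommendations in the suPHP Security Checks slides and the [phprc_paths] warning above can be turned into an audit of /etc/suphp.conf. This is an added example, not part of the original slides or of cPanel: it assumes the directives sit in a [global] section of an INI-style file, and the SAMPLE contents, including the handler name under [phprc_paths], are constructed.

```python
import configparser

# Constructed sample of /etc/suphp.conf; every value is illustrative.
SAMPLE = """
[global]
docroot=/
allow_file_group_writable=true
allow_file_others_writable=false
check_vhost_docroot=true
umask=0022
min_uid=1
min_gid=100

[phprc_paths]
application/x-httpd-example=/opt/example/etc
"""

def audit(text):
    """Return {setting: message} for values weaker than the slides recommend."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    g = cfg["global"] if cfg.has_section("global") else {}
    findings = {}
    # When a key is absent, the default stated in the slides is assumed.
    if g.get("docroot", "/").strip().rstrip("/") != "/home":
        findings["docroot"] = "should be /home/"
    for key in ("allow_file_group_writable", "allow_file_others_writable"):
        if g.get(key, "false").strip().lower() == "true":
            findings[key] = "write-bit check disabled"
    for key in ("paranoid_uid_check", "paranoid_gid_check"):
        if g.get(key, "true").strip().lower() != "true":
            findings[key] = "ownership check disabled"
    for key in ("min_uid", "min_gid"):
        if int(g.get(key, "1")) < 100:
            findings[key] = "below 100"
    if g.get("umask", "0022").strip() not in ("0033", "0077", "0777"):
        findings["umask"] = "not one of 0033, 0077, 0777"
    # Any active entry here locks a handler to a php.ini path.
    if cfg.has_section("phprc_paths") and cfg.options("phprc_paths"):
        findings["phprc_paths"] = "handler locked to a php.ini path"
    return findings

if __name__ == "__main__":
    for setting, message in audit(SAMPLE).items():
        print(f"{setting}: {message}")
```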
Thanks! ANY QUESTIONS? www.htshosting.org