Hi All,
I want to replace our current fcgid/suexec/php-cgi/mod_userdir setup with mpm-ITK. Is anyone running Apache with the ITK mpm on Opensuse 11.1, and if so, how did you did it?
I added the repo at Index of /repositories/Apache/openSUSE_11.1 and installed the apache2-itk package… apache2ctl -l still lists the compiled-in mpm as ‘prefork’
I then installed the srpm for this apache2-itk package and changed the spec file to define itk as the default mpm… compiled and installed the packages, apache2ctl -l still lists prefork as the compliled-in mpm, no mention of itk.
On our ubuntu server I just installed the apache-mpm-itk package and it was good to go, I’m sure it can’t be that much more difficult on OpenSUSE.
Am I missing something?
Found it:
edit /etc/sysconfig/apache2 and use the line
APACHE_MPM="itk"
done.
Thanks, that module looked interesting when I searched for it. I learn something everyday. Not sure I’ll have a need for it though. Might come in useful as an alternative to suexec someday.
I’m really surprised that this mpm isn’t more widespread.
If you are doing virtualhosting, then every php script for every website runs as user wwwrun… As I understand it, that means that a trivial php script could access other customer’s files, delete stuff, and generally cause chaos.
Everyone seems to be using fcgid/suexec and using php-cgi to solve this problem, but this has been unreliable for me, not to mention excessively complex… Plus if you serve hosts from /home you need both mod_userdir AND mod_rewrite to handle every_single request… either that or recompile apache to change the suexec docroot (build failed for me last time I tried). The only advantage of fcgid/suexec/php-cgi is the possibility of per-site php.ini, very useful for troubleshooting one website without affecting the rest, also for customers who need it.
With mpm-itk, on the other hand, you just add the “assignuserid user group” directive and your done, very reliable for me and much faster than fcgid with my specific configuration.
There are various barriers that you can set up for virtual hosts. First of all is not to have non-upload areas owned by wwwrun or www so that modifications cannot be done. You can also specify an open path in php.ini and opened files must be in the path. Then you would give each virtualhost a different document root.
Also if you control the virtual hosts, then you can vet what goes in. If you are running a virtual hosting business and allow customers to put their own stuff in, then itk is a good idea.
There is a performance hit for using itk so only people who need to have separate uid spaces need it. Also note that one should avoid fetching resources from different uids on the same connection, e.g. different resources on one page, or the connection will be reopened with performance penalty.
As for substituting for suexec solutions I don’t even remember the last time I needed to use suexec in fact.