FastCGI on AWS

The following provides a brief outline of the procedure for getting FastCGI (with SuExec and PHP) working on an EC2 instance running Amazon’s Linux distribution (AMI) under Apache 2.2…

Compile the Module:
(dependencies include the httpd-devel package)

sudo -i
yum install httpd-devel
cd /usr/local/src
wget http://www.fastcgi.com/dist/mod_fastcgi-current.tar.gz
tar -xzvf mod_fastcgi-current.tar.gz
cd mod_fastcgi-2.4.6
cp Makefile.AP2 Makefile
make top_dir=/usr/lib/httpd
make top_dir=/usr/lib/httpd install

(Instead of including ‘top_dir’ in the last two lines, you could edit Makefile, and set top_dir=/usr/lib/httpd)

Allow suexec to be run by users other than apache (mode 4755 keeps the setuid bit and makes the binary executable by every local user):

chmod 4755 /usr/sbin/suexec

Create and set ownership on a directory for FCGI to run from:

mkdir -p /var/www/fcgi_ipc/tmp
chown apache:apache /var/www/fcgi_ipc/tmp

In /etc/httpd/conf/httpd.conf:
Add or uncomment the following:

LoadModule fastcgi_module modules/mod_fastcgi.so

Add:

FastCgiIpcDir /var/www/fcgi_ipc/tmp
FastCgiSuexec /usr/sbin/suexec
FastCgiConfig -singleThreshold 100 -killInterval 600 -minProcesses 5 -maxProcesses 50 -maxClassProcesses 15 -autoUpdate -idle-timeout 180 -pass-header HTTP_AUTHORIZATION
AddHandler fastcgi-script .fcgi
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/php.fcgi

Disable php5_module:
Either comment out the line(s) “LoadModule php5_module …” if they are found in httpd.conf
OR, as was the case for me, rename the file /etc/httpd/conf.d/php.conf to php.conf.bak

If you go with the latter, you will have to make two changes to your httpd.conf:

  1. Add ‘index.php’ to your DirectoryIndex line
  2. Add back the mimetype for php: AddType text/html .php

Create the FCGI wrapper (/var/www/cgi-bin/php.fcgi):

#!/bin/bash
export PHP_FCGI_CHILDREN=2
export PHP_FCGI_MAX_REQUESTS=1000
exec /usr/bin/php-cgi

The file above must be copied into the cgi-bin directory of every virtualhost. Ownership must be set to the virtual user, and the file made immutable to prevent changes:

chown -R vuser:vgrp /var/www/vhost/cgi-bin
chmod -R 750 /var/www/vhost/cgi-bin
chattr +i /var/www/vhost/cgi-bin/php.fcgi

If you are using Virtualmin, it will copy the file and set permissions for you, provided the file is placed in its skeleton directory:

mkdir /etc/skel/cgi-bin
cp /var/www/cgi-bin/php.fcgi /etc/skel/cgi-bin/

For each virtualhost, add (replace UID and GID with numbers):

SuexecUserGroup "#UID" "#GID"
ScriptAlias /cgi-bin/ /var/www/html/vhost/cgi-bin/

Restart apache for the new settings to take effect:

service httpd restart

You can verify that PHP files are being served using FastCGI by checking the Server API entry in phpinfo. Previously it was set to ‘Apache 2.0 Handler’; now it reads ‘CGI/FastCGI’.

A good test of suexec is to upload a file through a webpage – if the script is executed with suexec, the uploaded file should be owned by the owner set in SuexecUserGroup, instead of the default owner (apache).
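
The ownership and modes this procedure relies on can also be checked from a shell. The script below is an added example, not part of the original article: the function names are hypothetical, the expected owners and modes are the ones given on this page, and vuser, vgrp and the vhost path are the article's placeholders.

```shell
#!/bin/bash
# Added example (not from the article): audit the ownership and modes set above.
# Function names are hypothetical; paths, owners and modes are the article's.

# check_perm PATH OWNER:GROUP MODE -> prints a finding; returns 1 on any mismatch
check_perm() {
    local path=$1 want="$2 $3" actual
    if [ ! -e "$path" ]; then echo "MISSING  $path"; return 1; fi
    actual=$(stat -c '%U:%G %a' "$path")
    if [ "$actual" != "$want" ]; then
        echo "MISMATCH $path is '$actual', expected '$want'"; return 1
    fi
    echo "OK       $path ($actual)"
}

# world_writable PATH -> returns 0 when "other" has write permission (e.g. 777)
world_writable() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 2 )) -ne 0 ]   # leading 0 makes the shell read the mode as octal
}

# is_immutable PATH -> returns 0 when chattr +i is in effect on PATH
is_immutable() {
    local flags
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# audit_vhost CGI_DIR USER GROUP [IPC_DIR] -> exit status is the number of findings
audit_vhost() {
    local cgi=$1 owner="$2:$3" ipc=${4:-/var/www/fcgi_ipc/tmp} n=0
    check_perm "$ipc" apache:apache 755 || n=$((n + 1))
    if world_writable "$ipc"; then
        echo "WARN     $ipc is world-writable"; n=$((n + 1))
    fi
    check_perm "$cgi" "$owner" 750 || n=$((n + 1))
    check_perm "$cgi/php.fcgi" "$owner" 750 || n=$((n + 1))
    is_immutable "$cgi/php.fcgi" || { echo "WARN     $cgi/php.fcgi is not immutable"; n=$((n + 1)); }
    return "$n"
}

# Example call with the article's placeholders:
#   audit_vhost /var/www/vhost/cgi-bin vuser vgrp
```

A zero exit status from audit_vhost means every check passed. is_immutable relies on lsattr, so it reports "not immutable" on filesystems that do not support file attributes.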

By cyberx86


2 comments

  1. Great article! But had a few problems:

    1. Needed to add a “LoadModule” in httpd.conf to load the fastcgi module

    2. I had some permissions problems with the FastCgiIpcDir /var/www/fcgi_ipc/tmp directory. Apache wanted to run as UID=-1 GID=-1. I don’t know why – but needed to set the directory to 777 to get it to work. (There is probably a better way to fix the issue).

    1. @Brad: Thanks for the comment. I have updated the article to mention the necessity for the LoadModule directive.
      With regards to your other point, I am not sure what the underlying problem could be. My settings have

      httpd running as apache:apache
      /var/www/fcgi_ipc ownership set to root:root (0755)
      /var/www/fcgi_ipc/tmp ownership set to apache:apache (0755)

      My only suggestion might be to check out what user httpd is running as (try ps -ef | grep httpd) – it should be set in your httpd.conf file (typically either apache or www-data). In my case (and I think it is typical), apache runs as UID 48 (id apache)
