Topic: Securing PHP in Multi-Website Environment with mod_fcgid
Author: jmweb
Posted: Wed 23 Oct '19 7:51

As the title states, how would one go about securing PHP in a multi-website environment using mod_fcgid? What I am attempting to achieve is a setup similar to what one would do using PHP-FPM - separate pools assigned to specific users that restrict file system access. My WAMP setup is pretty straightforward. One VirtualHost per website with:

Code:

AddHandler fcgid-script php
FcgidInitialEnv PHP_INI_SCAN_DIR "A_DIRECTORY"
FcgidWrapper "PATH_TO__php-cgi.exe"


However, I am forced to rely on PHP's open_basedir to restrict cross-website file access. Unfortunately, this setting carries a huge performance cost that has come to bite me. I would love to somehow configure mod_fcgid in such a way to be able to disable open_basedir without losing the file access prevention benefits it provides.

Thanks!

Author: James Blond (Moderator)
Posted: Wed 23 Oct '19 14:26

mod_fcgid[1] does not offer that feature to run it with a different user.

Indeed I tried PHP-FPM on Windows, but I gave up.

There you could use "Runas" from Windows to start the FPM process or install it as a service.

Code:

<VirtualHost *:80>
   ServerName fpm.example.com

   DirectoryIndex index.php

   CustomLog "C:\nul" common
   
   <IfModule proxy_fcgi_module>
         # Enable http authorization headers
         <IfModule setenvif_module>
               SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
         </IfModule>
         ProxyPassMatch ^(.*\.php(.*)?)$ fcgi://127.0.0.1:9000/c:/Users/mario/work/$1
   </IfModule>
   DirectoryIndex /index.php index.php

   DocumentRoot "/Users/mario/work"

   <Directory "/Users/mario/work">
      Options Indexes FollowSymLinks
      AllowOverride All
      Require all granted
   </Directory>
</VirtualHost>


[1] https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html

Author: jmweb
Posted: Thu 24 Oct '19 0:57

Thanks for replying - it's greatly appreciated.

Correct me if I am wrong, but your example code will require a batch file (or a similar controller) to start php-cgi.exe instances that will wait for connections from each VirtualHost. How would one go about setting this up and, more importantly, at scale?

I like the way mod_fcgid handles this automatically. I wonder if one could specify a batch file for FcgidWrapper and pass options to it which the batch file could interpret as the runas user. Something like: FcgidWrapper "/PATH_TO_PHP-CGI.EXE username".

Any thoughts on this approach? And lastly, what does your setup look like?

Author: James Blond (Moderator)
Posted: Wed 30 Oct '19 9:57

jmweb wrote:
Thanks for replying - it's greatly appreciated.

Correct me if I am wrong, but your example code will require a batch file (or a similar controller) to start php-cgi.exe instances that will wait for connections from each VirtualHost. How would one go about setting this up and, more importantly, at scale?

That is true, you need to run it from cmd, but you can run a batch file in Windows as a service, too.

jmweb wrote:

I like the way mod_fcgid handles this automatically. I wonder if one could specify a batch file for FcgidWrapper and pass options to it which the batch file could interpret as the runas user. Something like: FcgidWrapper "/PATH_TO_PHP-CGI.EXE username".

Any thoughts on this approach? And lastly, what does your setup look like?


I like mod_fcgid better, too. I recommend it all the time. But like I told you before, it is not possible to change the user with mod_fcgid.
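
Added example, not part of the original thread and not code from either poster: one way to script the proxy_fcgi approach discussed above for several sites, giving each site its own Windows account, NTFS ACL and loopback port so that cross-site file isolation comes from the OS rather than open_basedir. The site names, paths, ports, account names and the PHP install path are assumptions, as is Apache running as LocalSystem.

```powershell
# Added example (constructed): site names, paths, ports and account names are assumptions.
$phpCgi = 'C:\php\php-cgi.exe'                      # assumed PHP install path
$sites  = @(
    @{ Name = 'site-a'; Root = 'C:\sites\site-a'; Port = 9001 },
    @{ Name = 'site-b'; Root = 'C:\sites\site-b'; Port = 9002 }
)

foreach ($site in $sites) {
    $user = "php_$($site.Name)"

    # One unprivileged local account per site; the operator is prompted for its password.
    $cred = Get-Credential -UserName "$env:COMPUTERNAME\$user" -Message "Password for $user"
    if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $user -Password $cred.Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description "PHP FastCGI for $($site.Name)" | Out-Null
    }

    # Drop inherited ACEs so other site accounts get no access to this docroot, then
    # grant only LocalSystem (S-1-5-18, assumed Apache service account),
    # Administrators (S-1-5-32-544) and this site's own account.
    icacls $site.Root /inheritance:r /grant:r `
        '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${user}:(OI)(CI)M" | Out-Null

    # Start php-cgi as the site account, listening on a loopback-only port.
    Start-Process -FilePath $phpCgi -ArgumentList '-b', "127.0.0.1:$($site.Port)" `
        -Credential $cred -WorkingDirectory $site.Root

    # Print the matching line for this site's VirtualHost (same pattern as the config above).
    $root = $site.Root.Replace('\', '/')
    'ProxyPassMatch ^(.*\.php(.*)?)$ fcgi://127.0.0.1:{0}/{1}/$1' -f $site.Port, $root
}
```

Processes started this way end with the logon session, and php-cgi exits after PHP_FCGI_MAX_REQUESTS requests (500 by default), so a long-running setup needs each listener wrapped in a service or other supervisor that restarts it.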