Apache PHP Request Handling

PHP’s configuration is divided into separate files so that it is more simple to use and understand. PHP’s main configuration file is located at /usr/local/apache/conf/php.conf.

The php.conf file is called by the Apache configuration file (httpd.conf) by means of an include command. While PHP is referenced elsewhere, both in httpd.conf and the files in /usr/local/apache/conf/includes, these directives should function regardless of the way PHP is configured.

WHM provides an interface that can assist you in configuring PHP. It is located in Service Configuration >> Apache Configuration >> PHP and SuExec Configuration. You are also able to access a command line interface that provides the same options through the following script:

  • /usr/local/cpanel/bin/rebuild_phpconf

Both interfaces function by rewriting php.conf and, when necessary, copying PHP binaries from /usr/bin/php and /usr/php4/bin/php to /usr/local/cpanel/cgi-sys.

WHM offers 5 ways to configure PHP

  • None — Selecting this option will disable PHP.
  • DSO — Provides PHP through libphp4.so or libphp5.so (aka, mod_php). This option is usually the fastest way to execute PHP requests; however, this option uses the system user called “nobody” to serve all PHP requests. It is also important to note that if you wish to use both versions of PHP via DSO, you must apply the concurrent DSO patch at build time.
  • suPHP (default) — Provides PHP through mod_suphp. Using this option is probably the most flexible way of serving PHP requests and is generally very secure. Under this option, PHP scripts will be executed by the user who owns the VirtualHost serving the request. If you do not create your own custom configuration, suPHP is the default PHP handler.
  • FCGI — This option serves PHP through mod_fcgid. This is a fast way of serving PHP requests but will most likely require that you tweak php.conf. You can enable suEXEC to execute PHP scripts under the user who owns the VirtualHost that is serving the request or, if suEXEC is disabled, PHP will be served by the system user “nobody.”
    • Important: This method is only recommended for advanced administrators who understand how to tune the performance of mod_fcgid. UserDir requests do not function when Apache SuExec is enabled.
  • CGI — This option provides PHP through mod_cgi or mod_cgid. Using this option, you can enable suEXEC so that PHP scripts will be executed as the user who owns the VirtualHost that is serving the request. If suEXEC is disabled, the system user “nobody” will execute PHP scripts. UserDir requests will not function properly with the setup provided by cPanel.
    • This option is only intended as a fallback for when DSO or suPHP is not available. Serving PHP as CGI is not especially fast or secure, even if suEXEC is enabled.

Default PHP version

This setting controls which version of PHP will be configured to handle the .php filename extension.

If both versions of PHP are enabled, .php4 will always be handled by PHP 4 and .php5 will always be handled by PHP 5.

You can override this setting through individual VirtualHosts. You can read about that here.

DSO considerations

libphp provides Apache directives such as php_$value and php_admin_$value. DSO is the only option where these directives will be valid inside .htaccess files or httpd.conf. When these directives are compiled with the concurrent DSO patch, they should be named php4_$value and php5_$value instead.

File permissions of 0644 are generally sufficient for PHP scripts. However, the user “nobody” must have sufficient permissions to access and read the PHP script. It is also important to note that files created by PHP scripts will be created by “nobody.” That means files and directories that will receive the output must be writable by the system user “nobody.”

suPHP considerations

EasyApache compiles mod_suphp in paranoid mode, with several patches to improve Apache UserDir support.

Please note that mod_suphp as shipped by cPanel behaves very differently from the pristine upstream version. Apache directives like php_$value are not valid for mod_suphp. It is possible to place a php.ini file in the directory containing the PHP script and specify these types of values in it.

Note: PHP does not merge the php.ini files together, so when a custom php.ini is used, it must contain all of the required directives from the main php.ini file (for example, if Zend Optimizer is required, the new php.ini must load the extension).

For PHP scripts to execute, permissions of 0644 are sufficient. Scripts are run as the user who owns the VirtualHost, and as long as this user has permissions sufficient to write to a file or directory, PHP scripts will also have the ability to do so.

mod_suphp performs various security checks before executing PHP scripts. Most can be disabled in the mod_suphp configuration file, /opt/suphp/etc/suphp.conf. The security checks are:

  • docroot — PHP scripts must reside in this directory. The default is /; change this to /home/ to improve security.
  • allow_file_group_writable — This prevents execution of PHP scripts with the group write bit set. This setting is false by default. Changing this to true will allow these scripts to execute, but will reduce security.
  • allow_file_others_writable — This prevents execution of PHP scripts with the others write bit set. This setting is false by default. Changing this to true will allow these scripts to execute, but will reduce security.
  • allow_directory_group_writable — If you have previously run PHP as DSO, you may have PHP scripts residing in a directory that is writable by group members. This security check prevents those scripts from executing. This setting is false by default. Changing this to true will allow these scripts to execute, but will reduce security.
  • allow_directory_others_writable — If you have previously run PHP as DSO, you may have PHP scripts residing in a directory that is writable by anyone. This security check prevents those scripts from executing. This setting is false by default. Changing this to true will allow these scripts to execute, but will reduce security.
  • check_vhost_docroot — This directive causes suPHP to check that the target script resides in the document root of the VirtualHost serving a request. For a UserDir request, suPHP considers the domain part of the URL to be the VirtualHost serving the request. Setting this to true will cause UserDir requests and some types of PHP aliases to fail. However, security will be significantly improved. This setting is false by default.
  • userdir_overrides_usergroup — This is a configuration option allowed by cPanel-specific patches.
    • Setting this to true allows suPHP to determine which user should execute a script from the UserDir portion of the URL.
    • Setting it to false will provide the normal mod_suphp behavior of executing scripts as the user specified by the domain portion of a URL.
  • paranoid_uid_check — suPHP can be compiled in different security modes. EasyApache uses the "paranoid" mode, although some scenarios are better served by the "force" mode. The paranoid UID check performed by mod_suphp verifies that the user ID that owns a script is the same one that is executing it. Setting this to false disables the UID check, as though it were in force mode.
  • paranoid_gid_check — Verifies that the group ID that owns a script is the same as the one that is executing it. Setting this to false disables the GID check, as though it were in force mode.
  • note Note: On some BSD systems, it may be necessary to disable this check, because files inherit the GID that owns the directory. Disabling this check will not significantly reduce security, as long as the allow_file_group_writable and allow_directory_group_writable checks are left at their default values.
  • umask — The mod_suphp developers set this to a default of 0777 meaning that all permissions on files must be explicitly specified. This is a very secure setting, but causes many problems. The cPanel default is 0022. Use 0033, 0077, or 0777 for improved security.
  • min_uid — The lowest user ID that can own scripts being executed. The default value is 1. Set this value to 100 or 500 to greatly improve security. If you provide your users with shared PHP scripts that are owned by root, this value will need to be lowered to 0.
  • min_gid — The lowest group ID that can own scripts being executed. The default value is 1. Set this value to 100 or 500 to greatly improve security. If you provide your users with shared PHP scripts that are owned by root, this value will need to be lowered to 0.
  • full_php_process_display — When this value is set to true, mod_suphp will execute PHP scripts in a way that displays both the PHP interpreter and the SCRIPT_FILENAME in the process list, generated by the ps command. Setting this to false will improve security by hiding the SCRIPT_FILENAME.

The suphp.conf file includes a section called [phprc_paths] that can be used to override the standard handling of php.ini. To lock a particular PHP handler to its default php.ini file, simply uncomment the appropriate line under [phprc_paths].

There is also a configuration directive, supported by mod_suphp in httpd.conf and .htaccess files, called suPHP_ConfigPath. This directive sets the path to the php.ini file.

  • To prevent the use of this directive in .htaccess files, remove "Options" from the Apache !AllowOverride setting.
  • Note that the [phprc_paths] set in suphp.conf takes precedence over any suPHP_ConfigPath settings.

FCGI considerations

ALERT! Warning: FCGI is not a recommended configuration for PHP. It requires fine tuning of mod_fcgid to ensure that the server does not become overloaded with idle PHP processes.

Please note that:

  • Permissions of 0400 are sufficient to execute PHP scripts when running under suEXEC.
  • Permissions of 0444 are sufficient to execute PHP scripts when running with suEXEC disabled.
  • With the standard cPanel FCGI configurations, the PHP binary is available as a URL in the VirtualHost. This is not considered a very secure setup.
  • UserDir requests do not function when Apache SuExec is enabled.
  • Apache directives like php_$value are not valid for mod_fcgid. A custom php.ini file should be used instead, as detailed in the suPHP section above.

CGI considerations

PICK Important: Like FCGI, CGI is not a recommended configuration for PHP. The PHP binary is available as a URL in the VirtualHost, and the setup is not very secure.

Please note that:

  • Permissions of 0400 are sufficient to execute PHP scripts when running under suEXEC.
  • Permissions of 0444 are sufficient to execute PHP scripts when running with suEXEC disabled.
  • Several PHP options may prevent the CGI setup from functioning correctly, particularly DiscardPath and ForceCGIRedirect. If you are having trouble with this configuration, please verify that these options are disabled.
  • UserDir requests do not function when Apache SuExec is enabled.
  • Apache directives like php_$value are not valid for mod_cgi. A custom php.ini file should be used instead, as detailed in the suPHP section above.

WHM offers 6 ways to configure PHP

Method Description Considerations
None Selecting this option will disable PHP. PHP will not be available to your users.
DSO Provides PHP through libphp4.so or libphp5.so (aka, mod_php). This option is usually the fastest way to execute PHP requests; however, this option uses the system user called “nobody” to serve all PHP requests. It is also important to note that if you wish to use both versions of PHP via DSO, you must apply the concurrent DSO patch at build time.
suPHP (default) Provides PHP through mod_suphp. Using this option is probably the most flexible way of serving PHP requests and is generally very secure. Under this option, PHP scripts will be executed by the user who owns the VirtualHost serving the request. If you do not create your own custom configuration, suPHP is the default PHP handler.
FCGI Serves PHP through mod_fcgid. This is a fast way of serving PHP requests but will most likely require that you tweak php.conf. You can enable suEXEC to execute PHP scripts under the user who owns the VirtualHost that is serving the request or, if suEXEC is disabled, PHP will be served by the system user “nobody.”
PICK Important: This method is only recommended for advanced administrators who understand how to tune the performance of mod_fcgid. UserDir requests will not function correctly with the basic mod_fcgid setup.
CGI This option provides PHP through mod_cgi or mod_cgid. Using this option, you can enable suEXEC so that PHP scripts will be executed as the user who owns the VirtualHost that is serving the request. If suEXEC is disabled, the system user “nobody” will execute PHP scripts. UserDir requests will not function properly with the setup provided by cPanel. This option is only intended as a fallback for when DSO or suPHP is not available. Serving PHP as CGI is not especially fast or secure, even if suEXEC is enabled.
mod_ruid2 Provides PHP through the mod_ruid2 Apache module. mod_ruid2 is an improvement on the SuEXEC module that uses POSIX.1e capabilities to improve performance. You should only use DSO (mod_php) with mod_ruid2.
Topic revision: r7 - 12 Nov 2012 - 18:03:19 - Main.LaurenceSimon
EasyApache3.ApachePHPRequestHandling moved from Sandbox.ApachePHPRequestHandling on 08 Jun 2009 - 14:44 by Main.JustinSchaefer - put it back