cPanel & WHM no longer develops EasyApache 3 and only releases security updates for it. We will deprecate EasyApache 3 on December 31, 2018. After that date, we will no longer update EasyApache 3. In cPanel & WHM version 78, we will remove support for EasyApache 3. For more information, read our cPanel Long-Term Support documentation. If you do not upgrade to EasyApache 4, you cannot upgrade to cPanel & WHM version 78. We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation.
Apache PHP Request Handling - EasyApache - cPanel Documentation
EasyApache
Page tree
Skip to end of metadata
Go to start of metadata

Overview

The php.conf file contains the global directives that configure the PHP page handlers. An include command in the Apache configuration file (httpd.conf) loads the php.conf file.

To select the PHP handler that you wish to use, navigate to WHM's Configure PHP and SuExec interface (Home >> Service Configuration >> Configure PHP and SuExec). You may also select a PHP handler from the command line with the /usr/local/cpanel/bin/rebuild_phpconf script.

Both methods update the php.conf file and copy any necessary PHP binaries from the /usr/bin/php directory to the /usr/local/cpanel/cgi-sys directory. 

PHP application execution methods

cPanel & WHM offers several PHP handlers: 

PHP HandlerDescription
NoneThis option disables PHP.
DSO

This option provides PHP through the libphp5.so module, which is also known as the mod_php module. This option is usually the fastest way to execute PHP requests. However, this option uses the nobody system user to serve all PHP requests, unless you use the MPM ITK.

Note:

We recommend that you use DSO with the MPM ITK option. The system runs PHP requests as the user that called the script with MPM ITK and DSO.

suPHP (default)

This option provides PHP through the mod_suphp module and is a flexible and secure way to serve PHP requests. If you select suPHP, the owner of the VirtualHost that serves the request executes the PHP scripts. If you do not create your own custom configuration, suPHP is the default PHP handler.

Note:

If you use suPHP as your PHP handler, cache management extensions (such as EAccelerator and XCache) do not provide any benefits to your server.

FCGI

This option serves PHP through the mod_fcgid module. This method is fast, but may require changes to the FCGI directives to work efficiently. If you enable suEXEC, suEXEC executes PHP scripts as the user who owns the VirtualHost that serves the request. If you disable suEXEC, the system serves PHP requests as the nobody system user.

Warning:

We recommend this option only for advanced system administrators who understand how to modify the performance of the mod_fcgid module.

CGI

This option provides PHP through the mod_cgi or mod_cgid modules. If you select this option and enable suEXEC, the system executes PHP scripts as the user who owns the VirtualHost that serves the request. If you disable suEXEC, the system executes PHP scripts as the nobody system user. UserDir requests do not function properly with the setup provided by cPanel. 

Warning:

You should only use this option when both DSO and suPHP are not available. If you use CGI to serve PHP, it is neither fast or secure, even if you enable suEXEC. 

mod_ruid2This option provides PHP through the mod_ruid2 Apache module. The mod_ruid2 Apache module improves on the SuEXEC module and uses POSIX.1e capabilities to improve performance. You should only use DSO (mod_php) with the mod_ruid2 Apache module.

Default PHP Version

The Default PHP Version setting in WHM's Apache PHP Request Handling interface (Home >> Service Configuration >> Configure PHP and SuExec) controls which version of PHP handles the .php filename extension.

PHP 5 always handles files with the .php5 extension.

You can override this setting through individual VirtualHosts. 

DSO considerations

The libphp module provides Apache directives such as php_value and php_admin_value. DSO is the only option where these directives are valid inside the .htaccess files or the httpd.conf file.

For PHP scripts to execute, permissions of 0644 are sufficient. The nobody user must have sufficient permissions to access and read the PHP files. The nobody user creates the files that the PHP scripts create. This means that the files and directories that will receive the output must be writable by the nobody user. This does not apply if you use MPM ITK with the DSO handler. If you use MPM ITK with the DSO handler, the PHP scripts execute and create any files as the user who calls the script. 


suPHP considerations

EasyApache compiles the mod_suphp module in paranoid mode, with several patches to improve Apache UserDir support.

The mod_suphp module provided by cPanel behaves very differently from the pristine upstream version. Apache directives such as php_value are not valid for the mod_suphp module. You can place a php.ini file in the directory that contains the PHP script to specify these values.

Note:

PHP does not merge the php.ini files together. To use a custom php.ini file, you must make sure that it contains all of the required directives from the main php.ini file. For example, if you require Zend Optimizer, the new php.ini file must load the extension.

For PHP scripts to execute, permissions of 0644 are sufficient. Scripts run as the user who owns the VirtualHost. If the user has permissions sufficient to write to a file or directory, so do their PHP scripts.

The mod_suphp module performs various security checks before it executes a PHP script. You can disable most of the checks in the mod_suphp configuration file, located at /opt/suphp/etc/suphp.conf. The security checks are as follows:

Security CheckDescription
docrootPHP scripts must reside in this directory. The default is value is /. To improve security, change this value to /home/.
allow_file_group_writableThis security check prevents execution of PHP scripts set with the group write bit. The default setting is false. You can change this directive to true in order to allow these scripts to execute, but this reduces security.
allow_file_others_writableThis security check prevents execution of PHP scripts set with the others write bit. The default setting is false. You can change this directive to true in order to allow these scripts to execute, but this reduces security.
allow_directory_group_writableIf you previously ran PHP as DSO, you may have PHP scripts that reside in a directory that is writable by group members. Your server will not execute these scripts if this security check is set to false. The default setting is  false . You can change this to true in order to allow these scripts to execute, but this reduces security.
allow_directory_others_writableIf you previously ran PHP as DSO, you may have PHP scripts in a directory that is writable by anyone. If this security check is set to false, your server will not execute those scripts. The default setting is false. You can change this to true in order to allow these scripts to execute, but this reduces security.
check_vhost_docrootThis security check causes suPHP to check that the target script resides in the document root of the VirtualHost that serves the request. For a UserDir request, suPHP considers the domain part of the URL to be the VirtualHost that serves the request. The default setting is  false . If you set this setting to  true,  it causes UserDir requests and some types of PHP aliases to fail but significantly improves security.
userdir_overrides_usergroupThis is a configuration option allowed by cPanel-specific patches. When set to true, suPHP determines which user will execute a script from the UserDir portion of the URL. When set to false, your server executes PHP scripts as the user specified by the domain portion of the URL. The default setting is true.
paranoid_uid_checkYou can compile suPHP in different security modes. EasyApache uses the paranoid mode. Force mode may be better in some cases. The paranoid UID check that the mod_suphp module performs verifies that the user ID that owns a script executes it. Change this setting to false in order to disable the UID check and behave like force mode.
paranoid_gid_check

This security check verifies that the group ID that owns a script also executes it. Change this setting to false in order to disable the GID check, and behave as though it were in force mode.

umask

This option sets the default permissions for files that suPHP uploads to your server. This value defaults to 0022. For improved security, use 00330077, or 0777 . 

Note:

The mod_suphp developers set this to a default of 0777 so that all permissions on files must be explicitly specified. This setting is very secure, but causes many problems.

min_uidThe lowest user ID that your server allows to execute scripts. The value defaults to 1. To improve security, set this value to 100 or 500. This value must be set to 0 if you provide shared PHP scripts owned by root to your users.
min_gidThe lowest group ID that your server allows to execute scripts. This value defaults to 1.  To improve security, set this value to 100 or 500. This value must be set to 0 if you provide shared PHP scripts owned by root to your users.
full_php_process_displayWhen this value is set to true, the mod_suphp module executes PHP scripts in a way that displays both the PHP interpreter and the SCRIPT_FILENAME in the process list. To hide the  SCRIPT_FILENAME  and improve security, set this value to false.

The suphp.conf file includes a section called [phprc_paths]. Use this section to lock a particular PHP handler to its default php.ini file. To lock a particular PHP handler to its default php.ini file, uncomment the appropriate line under [phprc_paths].

The configuration directive suPHP_ConfigPath sets the path to the php.ini file. Set the suPHP_ConfigPath  directive in either the httpd.conf file or an .htaccess file. 

  • To prevent the use of this directive in .htaccess files, remove "Options" from the Apache AllowOverride setting.
  • The [phprc_paths] set in the suphp.conf file takes precedence over any suPHP_ConfigPath settings.

FCGI considerations

Warning:

We do not recommend that you use FCGI. FCGI requires you to fine tune the mod_fcgid module to ensure that the server does not become overloaded with idle PHP processes.

Consider the following:

  • If you enable suEXEC, permissions of 0400 are sufficient to execute PHP scripts.
  • If you disable suEXEC, permissions of 0444 are sufficient to execute PHP scripts.
  • Apache directives such as php_value are not valid for the mod_fcgid module. Use a custom php.ini file instead. View the suPHP section for more information.

CGI considerations

Warning:

We do not recommend that you use CGI. The PHP binary is available as a URL in the VirtualHost, but the setup is not secure.

Consider the following:

  • If you enable suEXEC, permissions of  0400  are sufficient to execute PHP scripts.
  • If you disable suEXEC, permissions of  0444  are sufficient to execute PHP scripts.
  • A CGI configuration may not function correctly if you select certain PHP options, in particular the DiscardPath and ForceCGIRedirect options. Disable these options if you experience trouble with this configuration. 
  • UserDir requests do not function with the CGI setup that cPanel provides.
  • Apache directives such as php_value are not valid for the mod_cgi module. You must use a custom php.ini file instead. View the suPHP section for more information.

Apache® and the feather logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries