Proper fcgid custom php.ini per user (Easyapache integrated)

[NiN]

While I've found a number of suggestions on configuring a custom php.ini per user, none of which satisfied me.

Most approaches are a bit outdated; as well as not "upgrade friendly" cpanel now has a wrapper at /usr/local/cpanel/cgi-sys/php5 whici is used for the fcgid requests to php, and if there are no customization needed, why not use the default php.ini?

Now my question is, what would be the best approach to setting up a custom php.ini per user, assuming the following:

• Compatible with easyapache; don't fight the current (possible using the apache userdata includes?)
• Upgrade friendly (running easyapache shouldn't break the setup - use the includes, etc)
• New accounts use the "default" secured php.ini (Copy in postwwwacct?)
• Isolated from the user dir (rather not place a wrapper it in every ~/public_html/cgi-bin/)

I'll keep researching the options available, but any feedback is appreciated

[tylerl]

Here's my simple solution. Just update /usr/local/cpanel/cgi-sys/php5 to look like this:

Code:

#!/bin/bash
[[ -f ~/php.ini ]] && exec /usr/bin/php -c ~/php.ini
exec /usr/bin/php

Remember to copy the file to /var/cpanel/conf/apache/wrappers/php5 to make your changes persistent.

Essentially, this uses the "global" php.ini file for everyone who doesn't have a custom one set, but switches to the custom one if it exists.

Remember to restart apache (or just kill the appropriate php process) to load new changes.

[anton_latvia]

Nice example. but this way user's might put custom php.ini files into their homefolder and get whatever configuration they want. Here is how we do it - not sure if this might overlap some other "howto". I think it very obvious how to use this howto to run any version of PHP (you have to compile it yourself, of course).

1. First create custom php.ini.

Code:

mkdir -p /usr/local/apache/conf/custom_php/DOMAINNAME/
cp /usr/local/lib/php.ini /usr/local/apache/conf/custom_php/DOMAINNAME/

Modify copied php.ini.

2. Create custom PHP wrapper.

Code:

cd /usr/local/cpanel/cgi-sys/
cp php5 php5_DOMAINNAME
chown root.wheel php5_DOMAINNAME

3. Edit custom PHP wrapper to use custom php.ini

Inside php5_DOMAINNAME change "exec" line to the following:

Code:

exec /usr/bin/php -c /usr/local/apache/conf/custom_php/DOMAINNAME/php.ini

4. Set to use custom wrapper by webserver

Code:

mkdir -p /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME
cd /usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME
vi custom.conf

And add the following line:

Code:

FCGIWrapper /usr/local/cpanel/cgi-sys/php5_DOMAINNAME .php

5. Configure httpd.conf - remember to check, that custom configuration file, that you created in step 4 is being included into apache config file. In /usr/local/apache/conf/httpd.conf inside website VirtualHost there should be line like this:

Code:

Include "/usr/local/apache/conf/userdata/std/2/USERNAME/DOMAINNAME/*.conf"

6. Restart webserver and check that website is using correct php.ini. Errors may be in /usr/local/apache/logs/error_log and in /usr/local/apache/logs/suexec_log


7. Important notes

If you are running FastCGI and right now - you are planning to turn off safe_mode, please remember, that we have it because of one reason: we are unable to change open_basedir and restrict customer to a single folder. As with this setup, explained above, we have created separate php.ini file for a single website, we actually can change and set open_basedir. Conclusion: if you are disabling safe_mode, you must set open_basedir in custom php.ini! Search for open_basedir and change to:

Code:

open_basedir = "/home/USERNAME:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"

[NiN]

Hello guys,

Thanks for your replies, but this thread was posted in April of this year. And I actually never remembered this since.

I solved this issue at that time, actually like what anton_latvia suggested, except I placed every custom php wrapper/.ini next to the .conf in /usr/local/apache/conf/userdata/std/2/<user>/

Which is great if I want to move a client along with his .ini settings.

In any case, thanks a lot for your replies, even if it's just for future reference.

[AnthonyG70]

I am attempting to utilize this response, but am unable to locate php5 under /usr/local/cpanel/cgi-sys. Could this post be looked over and corrected if necessary? This seems to be the most precise custom php.ini per user/site in the forums, and most recent.

Thanks!

[NiN]

Hi Anthony,

That's the fcgid wrapper, I believe it's created when you set up easyapache with fcgid support.

In any case you can also create that manually, just paste this inside:
https://gist.github.com/2493142

Remember to set it's permissions like the other files there chown root.wheel & chmod 755 I believe!

[anton_latvia]

ls -la /usr/local/cpanel/cgi-sys/php5
-rwxr-xr-x 1 root wheel 244 Apr 26 11:31 /usr/local/cpanel/cgi-sys/php5*

Yes, without fastcgi support there is no such file. Here is its contents:

#!/bin/sh

# If you customize the contents of this wrapper script, place
# a copy at /var/cpanel/conf/apache/wrappers/php5
# so that it will be reinstalled when Apache is updated or the
# PHP handler configuration is changed

exec /usr/bin/php

[AnthonyG70]

That's what is throwing me for a loop, I did the build and included fcgid, it even stated it included it by default (probably due to another tool). I am running suhosin and suexec, would these cause me to not have php5 in directory? I checked modules, here is output.

Code:

/usr/sbin/httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_auth_digest.c
  mod_include.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_logio.c
  mod_env.c
  mod_expires.c
  mod_headers.c
  mod_usertrack.c
  mod_unique_id.c
  mod_setenvif.c
  mod_version.c
  mod_proxy.c
  mod_proxy_connect.c
  mod_proxy_ftp.c
  mod_proxy_http.c
  mod_proxy_scgi.c
  mod_proxy_ajp.c
  mod_proxy_balancer.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dav.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_info.c
  mod_suexec.c
  mod_cgi.c
  mod_dav_fs.c
  mod_vhost_alias.c
  mod_negotiation.c
  mod_dir.c
  mod_imagemap.c
  mod_actions.c
  mod_speling.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

Code:

/usr/sbin/httpd -M
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_default_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 auth_digest_module (static)
 include_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 logio_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 usertrack_module (static)
 unique_id_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_http_module (static)
 proxy_scgi_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 ssl_module (static)
 mpm_prefork_module (static)
 http_module (static)
 mime_module (static)
 dav_module (static)
 status_module (static)
 autoindex_module (static)
 asis_module (static)
 info_module (static)
 suexec_module (static)
 cgi_module (static)
 dav_fs_module (static)
 vhost_alias_module (static)
 negotiation_module (static)
 dir_module (static)
 imagemap_module (static)
 actions_module (static)
 speling_module (static)
 userdir_module (static)
 alias_module (static)
 rewrite_module (static)
 so_module (static)
 bwlimited_module (shared)
 bw_module (shared)
 qos_module (shared)
 suphp_module (shared)
 security2_module (shared)
Syntax OK

Just trying to get this sorted so I can enable FTP uploads via HTTP/PHP. I am not seeing fcgi in there anywhere, yet I selected it during build. Suggestions?

[cPanelTristan]

If you have mod_fcgid.so in /usr/local/apache/modules, then you have FCGI available. There is not a php5 directory on the machine as previously stated in this thread.

The reason fcgid doesn't appear in the modules list is that, unless you've switched PHP over to FCGI, it isn't loaded. It only loads if you switch the PHP handler to FCGI. Here are examples on my machine:

1. When I was using DSO

Code:

root@host [~]# httpd -l | grep -i fcgi
root@host [~]# httpd -M | grep -i fcgi
Syntax OK

root@host [~]# /usr/local/cpanel/bin/rebuild_phpconf --current
Available handlers: suphp dso fcgi cgi none
DEFAULT PHP: 5
PHP4 SAPI: none
PHP5 SAPI: dso
SUEXEC: enabled
RUID2: not installed

2. Switched to FCGI

Code:

root@host [~]# /usr/local/cpanel/bin/rebuild_phpconf 5 none fcgi 1
php.conf updated to:

# This file was automatically generated by the Cpanel PHP Configuration system
# If you wish to change the way PHP is being handled by Apache on your system,
# use the /usr/local/cpanel/bin/rebuild_phpconf script or the WHM interface.
#
# Manual edits of this file will be lost when Apache is updated.


# Fastcgi configuration for PHP5
LoadModule fcgid_module modules/mod_fcgid.so
MaxRequestsPerProcess 500
AddHandler fcgid-script .php5 .php4 .php .php3 .php2 .phtml
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php5
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php4
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php3
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php2
FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .phtml

# End of autogenerated PHP configuration.


Updating user configurable PHP settings.
[info] recursion depth is set to: 2
Restarting Apache

root@host [/usr/local/apache/modules]# httpd -M | grep -i fcgi
Syntax OK
 fcgid_module (shared)

Here it is in the modules folder:

Code:

root@host [/usr/local/apache/modules]# ls -lah
total 15M
drwxr-xr-x  2 root root 4.0K Apr 17 21:44 ./
drwxr-xr-x 16 root root 4.0K Apr 17 23:49 ../
-rw-r--r--  1 root root 9.0K Apr 17 21:37 httpd.exp
-rwxr-xr-x  1 root root  15M Apr 17 21:44 libphp5.so*
-rwxr-xr-x  1 root root 9.3K Apr 17 21:39 mod_bwlimited.so*
-rwxr-xr-x  1 root root 5.7K Apr 17 21:39 mod_disable_suexec.so*
-rwxr-xr-x  1 root root 122K Apr 17 21:39 mod_fcgid.so*
-rwxr-xr-x  1 root root  29K Apr 17 21:39 mod_suphp.so*

Makes a lot of sense it wouldn't load unless it were the PHP handler. Otherwise, it would conflict with the existing handler being used.

Thanks!