I would like to add the mpm-itk ( http://mpm-itk.sesse.net/ ) to EasyApache, using php as DSO.
Does anyone know what steps I should take for that kind of configuration?
It is available in EasyApache using a custom option module. You can read more about that here: http://easyapache.cpanel.net/custom.pl, and mpm-itk can be downloaded for EA here: http://easyapache.cpanel.net/optmods...mpm_itk.tar.gz
I've never tried mpm-itk on a cPanel setup before though, so I can't vouch for how well it works.
Hi,
I am looking for the mpm-itk module. Looks like Cpanel changed its website structure and none of my old links work, and for the life of me I can't seem to find where the mpm-itk easyapache module is. (Yes, I googled and searched.)
Any help in pointing me to that link will be greatly appreciated.
Fujipadam
Is the custom option module for mpm-itk still available? I'd like to give it a try but the links provided don't work.
The custom option module we did was removed because, aside from threading issues w/ PHP, there is a huge root security issue that the module site itself outlines:
apache2-mpm-itk under "Quirks" oddly enough
"Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities where possible) until the request is parsed and the vhost determined. This means that any security hole before the request is parsed will be a root security hole. (The most likely place is probably in mod_ssl.)"
That being the case it is not very likely that we'll provide one in any form.
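A check that follows from the "Quirks" passage quoted above, added here as an example and not taken from this thread, cPanel or mpm-itk: it reads `/proc/<pid>/status` to show which Apache processes still have effective UID 0 and which POSIX capabilities they hold. The process names `httpd`/`apache2`, the constructed sample status text and the use of CAP_SYS_ADMIN as a marker for broad privileges are assumptions.

```python
import glob
import re

# Capability bit numbers from <linux/capability.h> (subset; others print as cap_N).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             6: "CAP_SETGID", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
             21: "CAP_SYS_ADMIN", 23: "CAP_SYS_NICE"}

# Constructed /proc/<pid>/status excerpts, not captured from a real server.
SAMPLE_PARENT = "Name:\thttpd\nPid:\t1200\nUid:\t0\t0\t0\t0\nCapEff:\t0000001fffffffff\n"
SAMPLE_ROOT_CHILD = "Name:\thttpd\nPid:\t1231\nUid:\t0\t0\t0\t0\nCapEff:\t00000000008000c4\n"
SAMPLE_USER_CHILD = "Name:\thttpd\nPid:\t1232\nUid:\t99\t99\t99\t99\nCapEff:\t0000000000000000\n"

def parse_status(text):
    """Extract name, pid, effective UID and effective capabilities from a status body."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    euid = int(fields["Uid"].split()[1])      # Uid: real, effective, saved, filesystem
    mask = int(fields.get("CapEff", "0"), 16)
    caps = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]
    return {"name": fields["Name"], "pid": int(fields["Pid"]), "euid": euid, "caps": caps}

def classify(proc):
    """Label a process by how much root privilege it still holds."""
    if proc["euid"] != 0:
        return "unprivileged"
    if "CAP_SYS_ADMIN" in proc["caps"]:       # assumption: marker for an untrimmed set
        return "root, broad capabilities"
    if "CAP_SETUID" in proc["caps"]:          # trimmed set, but identity can still change
        return "root, restricted capabilities, can setuid"
    return "root, restricted capabilities"

def scan_live(names=("httpd", "apache2")):
    """Yield parsed status for running web-server processes (Linux only)."""
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                proc = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue                          # process exited or status unreadable
        if proc["name"] in names:
            yield proc

if __name__ == "__main__":
    samples = [parse_status(s) for s in (SAMPLE_PARENT, SAMPLE_ROOT_CHILD, SAMPLE_USER_CHILD)]
    for proc in samples + list(scan_live()):
        print(proc["pid"], proc["name"], classify(proc), ",".join(proc["caps"]))
```

On a live server, any request-handling child reported as root is in the pre-parse window the quoted passage describes; a child that has already switched to the vhost user reports as unprivileged.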
Many thanks for the update. Crystal clear - message received and understood!
We have been using it for almost 2 years and most of that with easyapache. You are completely wrong about mpm-itk. MPM-itk has the best possible speed in comparison to any other method and it is by far the most secure highest speed choice available, much more secure than prefork (which is supported by cpanel), which also doesn't support threads (none of the multi-processor modules do). mpm is a far faster and more efficient use of cpu resources than threaded methods. The only problem occurs during the handing off phase which is for a tiny fraction of a second and can be illuminated as a problem by standard measures.
It is an extremely safe and reliable and super fast way to go compared to anything out there; the fact that cpanel is not supporting it is a very strange choice that has no footing in reality. This is one of the main reasons to bother using Cpanel and if they abandon it then Cpanel reduces its usefulness as a product.
Well, I think we live in a world where we should all help one another. I couldn't care less, only because you must first have a dedication to know the truth of things to make such decisions and to allow yourself to exist in an advisory capacity. I have sat and argued with techs who don't know the first thing about tying shoelaces; perhaps that should be the first priority.
No threading problems. Mpm-itk and mpm-prefork (fully supported by Cpanel and in easyapache as an example, although it has the same basic underlying structure) are non-threaded. This is a good thing but I'd have to teach a course in it to bring you up to speed. In short, you don't need the extremely slow and faulty approach of suphp and suexec to run a vhost's (website's) php scripts as a separate user. It is not the same thing as saying not thread safe, for instance. The MPMs are much faster and take advantage of things as they are. There is no danger in the way itk branches off into a special instance of Apache for a fraction of a millisecond as root, much less so than the perpetual root state of fork or worker as an example. One can only see a potential for a non-harmful coincidence event which would, because of all the factors, do nothing but crash (the intrusive event attempt) without harming or breaching anything. Of course this necessitates a properly run server with all the basic security points in place, but remember the nature of itk allows for a default security state of an elevated condition over mod_php, suexec or suphp or even other mpm's, but I digress... specifically the file permissions needed to allow for properly written php code to be able to, say, store data securely and disallow such storing by unauthorized elements on proximate data devices. Lastly, you can't just read from one article and make conclusions as you will end up with a false picture of what is going on. However, that is entirely your code to write for yourself as an organisation.
We use mpm-itk with Xcache and it works beautifully. Of course, we are using the latest source version, not the outdated one that was being provided by cPanel officially.
The information in this link, from lystor:
Nikolay Ulyanitsky's Blog: Increase Apache Vhost Security With mpm-itk
assumes an RPM-based Apache installation, which is not used on a cPanel server. Adding a module using RPM packages is not compatible with the Apache that EasyApache builds from source.
For hands-on assistance, please reference our new support information page: Where should I go for support?
-- Jared Ryan, Technical Analyst, cPanel Technical Support
How can I install apache with mpm-itk now?
The file name is custom_opt_mod-apache_2.2_mpm_itk.tar.gz. It works perfectly with easyapache and has for years on many of my servers, and very securely, with speeds on par or better than high speed web servers. There is no php thread problem as cpanel tried to say and there is no security problem with the way it runs. Many server level processes are launched as root; this doesn't give any person with non-root or wheel access to the server any possible pathway to use php as root. In fact it is an extremely secure way to run a web server because you can set all of the files and folders to the most secure permissions; even folders that are designed to allow users to upload files can be set with secure default permissions rather than the standard world read/write which is used on all other php systems.
Plesk supports mpm-itk fully and is not ashamed of it; I too have cpanel on most of my servers, so all I can say is you should get them to repost the above mentioned tar file. You just have to upload it to your web server and place it in the proper folder; that way you can keep using cpanel and take advantage of apache running at up to 50+ times the speed of suphp with fantastic security.
Last edited by JamesTorq; 07-27-2010 at 01:06 AM.