Introduction
In this guide I will compare the default profiles included with EasyApache 4 in cPanel & WHM. You should familiarize yourself with the information in our EasyApache 4 Interface documentation if you have not already done so.
Profiles
Note: The How Scripts Run as User column notes the profile options you can enable to ensure scripts run as the account username.
FAQ
Which profile should I use?
This is ultimately up to you and your needs. You are not required to use any of the profiles we provide, and I would encourage you to customize your own. However, if I had to pick a single one that I would recommend as being the most suitable for most servers, I would suggest All PHP Options + OpCache. This will allow your users to be able to run most PHP software because they are unlikely to need any additional modules.
What's the importance of running scripts as the user?
Scripts installed for a cPanel user's website should be run as the cPanel user, and not as the nobody user (which is what Apache itself runs as on cPanel servers) because it allows better isolation between users on the server. If code for websites runs as nobody and the nobody user has write access to the files and folders for websites, then one user with a hacked or malicious website can result in other websites for other users being compromised as well. Aside from that, if the nobody user does not have write permissions to the files and folders for a website and you are running things as nobody, sites are likely to experience permission related failures (such as being unable to update WordPress because it cannot change the files). For security and to prevent file permission issues, it is best to have website code running as the user that owns the website. There are several different ways of ensuring this. All of our profiles include packages for it, though the exact ones differ between them. If you are making customizations to your own profile, you should ensure that any code from a user's website will be run as the user. The one exception to this is if you have only one user on your server, in which case it is not important. You should have either:
A. mod_ruid2 OR mpm_itk
B. mod_suexec (and any of mod_suphp/PHP-FPM/mod_lsapi/lsphp)
In particular, if you are customizing our Default profile to change the MPM away from Prefork to Worker or Event, mod_ruid2 will be uninstalled. I would suggest that you install at least mod_suexec any time you are uninstalling mod_ruid2.
Which profiles are compatible with HTTP2?
Currently, none of our provided EA4 profiles include mod_http2 installed. If you want HTTP2, it is necessary for you to customize a profile. Since mod_http2 is not compatible with MPM Prefork, it would be easiest to customize one of our profiles that uses Worker, such as the All PHP Options + OpCache profile. To do this you can click the "Customize" button next to that profile, and then under the "Apache Modules" section click the toggle for "mod_http2", then click "Review". On the next page double check the packages that will be installed/uninstalled as a result, and click "Provision" at the bottom if you see the results you want.
Which MPM should I choose?
We have some documentation regarding the differences between MPMs here. You may also want to review Apache's documentation here. In particular, our default profile uses prefork for mod_ruid2, but you may prefer to use Worker or Event. If you want to use Event, it is necessary to customize your profile because the standard ones we provide do not include it. Feel free to change your MPM, but remember my previous note about installing mod_suexec when uninstalling mod_ruid2.
Questions/Feedback
Feel free to click on the Discussion tab to let us know if you have any questions or feedback about the information in this tutorial.
In this guide I will compare the default profiles included with EasyApache 4 in cPanel & WHM. You should familiarize yourself with the information in our EasyApache 4 Interface documentation if you have not already done so.
Profiles
| Profile Name | How Scripts Run as User | MPM | Notes |
|---|---|---|---|
| All PHP Options + OpCache | mod_suexec + mod+suphp | Worker | This is the MPM Worker cPanel profile plus every PHP option (sans recode and zendguard due to incompatibilities). |
| All PHP Options + ZendGuard | mod_suexec + mod_suphp | Worker | This is the default cPanel profile plus every PHP option (sans recode and opcache due to incompatibilities). |
| cPanel Default | mod_ruid2 | Prefork | This is the standard Apache package with up-to-date PHP and modules, including PHP-FPM. |
| cPanel Default + MPM ITK | mpm_itk | Prefork + ITK | This profile includes the modules from the Basic profile but replaces MPM Prefork and Mod Ruid2 with MPM ITK to further increase security for your server. MPM ITK creates a more secure environment than Mod Ruid2, but uses more resources. Note: Some feature of MPM ITK are not compatible with CentOS 6 kernels, see our documentation for more information. |
| No PHP | mod_suexec | Worker | This profile is beneficial for servers hosting static content. This profile does not include PHP support. |
| Ruby via mod_passenger | mod_ruid2 | Prefork | This profile installs standard Apache packages with mod_passenger and ea-ruby24. This profile enables the Application Manager interface in cPanel, which allows users to configure Ruby applications to be deployed via mod_passenger. This profile does not include PHP support. |
| cPanel Worker MPM | mod_suexec + mod_suphp | Worker | This profile uses the worker MPM and includes suexec, suphp and mod_security2 to improve the security of your server. |
Note: The How Scripts Run as User column notes the profile options you can enable to ensure scripts run as the account username.
FAQ
Which profile should I use?
This is ultimately up to you and your needs. You are not required to use any of the profiles we provide, and I would encourage you to customize your own. However, if I had to pick a single one that I would recommend as being the most suitable for most servers, I would suggest All PHP Options + OpCache. This will allow your users to be able to run most PHP software because they are unlikely to need any additional modules.
What's the importance of running scripts as the user?
Scripts installed for a cPanel user's website should be run as the cPanel user, and not as the nobody user (which is what Apache itself runs as on cPanel servers) because it allows better isolation between users on the server. If code for websites runs as nobody and the nobody user has write access to the files and folders for websites, then one user with a hacked or malicious website can result in other websites for other users being compromised as well. Aside from that, if the nobody user does not have write permissions to the files and folders for a website and you are running things as nobody, sites are likely to experience permission related failures (such as being unable to update WordPress because it cannot change the files). For security and to prevent file permission issues, it is best to have website code running as the user that owns the website. There are several different ways of ensuring this. All of our profiles include packages for it, though the exact ones differ between them. If you are making customizations to your own profile, you should ensure that any code from a user's website will be run as the user. The one exception to this is if you have only one user on your server, in which case it is not important. You should have either:
A. mod_ruid2 OR mpm_itk
B. mod_suexec (and any of mod_suphp/PHP-FPM/mod_lsapi/lsphp)
In particular, if you are customizing our Default profile to change the MPM away from Prefork to Worker or Event, mod_ruid2 will be uninstalled. I would suggest that you install at least mod_suexec any time you are uninstalling mod_ruid2.
Which profiles are compatible with HTTP2?
Currently, none of our provided EA4 profiles include mod_http2 installed. If you want HTTP2, it is necessary for you to customize a profile. Since mod_http2 is not compatible with MPM Prefork, it would be easiest to customize one of our profiles that uses Worker, such as the All PHP Options + OpCache profile. To do this you can click the "Customize" button next to that profile, and then under the "Apache Modules" section click the toggle for "mod_http2", then click "Review". On the next page double check the packages that will be installed/uninstalled as a result, and click "Provision" at the bottom if you see the results you want.
Which MPM should I choose?
We have some documentation regarding the differences between MPMs here. You may also want to review Apache's documentation here. In particular, our default profile uses prefork for mod_ruid2, but you may prefer to use Worker or Event. If you want to use Event, it is necessary to customize your profile because the standard ones we provide do not include it. Feel free to change your MPM, but remember my previous note about installing mod_suexec when uninstalling mod_ruid2.
Questions/Feedback
Feel free to click on the Discussion tab to let us know if you have any questions or feedback about the information in this tutorial.