PHP 7.2 Secure Transition

grayloon · Nov 12, 2018

I'm currently running PHP 5.6 with the CGI handler for PHP-FPM. I'm also running suexec. I may have some sites that are not compatible with PHP 7.2 by the end of the year, so I want to make sure I have all sites isolated from one another as much as possible. Would it make sense to switch to mod_ruid2? If so, are there any caveats to switching from PHP 5.6 using CGI to PHP 7.2 using DSO?

cPanelMichael · Nov 12, 2018

Hello @grayloon,

Could you clarify if you are using PHP-FPM for these domain names? If so, note that PHP-FPM becomes the PHP handler for domain names it's enabled on, despite the fact that a different handler (e.g. CGI) is configured as the default handler for a PHP version.

Thank you.

grayloon · Nov 12, 2018

Yes – I'm currently using PHP-FPM for all domains right now.

cPanelMichael · Nov 12, 2018

Hello,

If all of the domains are assigned PHP-FPM, then switching the default handler from CGI to DSO would have no impact. You can have PHP-FPM installed on the server along with DSO/Ruid2, though while you can have both readily available for use with your accounts, you can't actually use PHP-FPM and Ruid2 at the same time for a domain name. You'd have to use one or the other for each domain name (e.g. enabling PHP-FPM for a domain name disables DSO/Ruid2 for that domain name). If you are open to using CloudLinux, there's a thread here you may find helpful:

Cloudlinux, EA4 and PHP Handlers. Impossible Triangle?

Thank you.

grayloon · Nov 13, 2018

So, this is what you're suggesting?

Add Ruid2 to my custom profile and provision.
Switch the default handler to DSO
Turn off PHP-FPM for individual domains to force them to use Ruid2

Unfortunately, Cloudlinux isn't an option right now.

cPanelMichael · Nov 13, 2018

Hello @grayloon,

I suggest simply keeping PHP-FPM enabled on the domains. Is there anything specific about PHP-FPM on PHP 7.2 as it pertains to the compatibility of your websites that's leading you to make the change to the handler?

Thank you.

grayloon · Nov 13, 2018

No. I thought Ruid2 required the DSO handler.

cPanelMichael · Nov 13, 2018

grayloon said:
No. I thought Ruid2 required the DSO handler.

That is correct. However, is there a specific reason you prefer to use DSO with Ruid2 over PHP-FPM?

Thank you.

grayloon · Nov 13, 2018

I was under the impression that Ruid2 was more secure than suexec I'm using now. I'm open to suggestions to isolate my sites as much as possible.

cPanelMichael · Nov 13, 2018

Hello @grayloon,

There are pros and cons to each PHP handler in terms of security and usability. Here are a few links to review when making the decision:

PHP Handlers - EasyApache 4 - cPanel Documentation
Apache vhosts are not segmented or chroot()ed
suPHP vs CGI with PHP-FPM

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
	Server suexec cmd: ea-php70 in: /var/log/secure	Web Servers and Applications	1	Dec 14, 2017
T	Secure or private php.ini ea4	Web Servers and Applications	3	Aug 31, 2017
M	Most secure PHP configuration	Web Servers and Applications	3	Jun 15, 2009
T	Is SuPHP really secure?	Web Servers and Applications	1	Oct 12, 2008
A	Ea3 and secure php	Web Servers and Applications	3	Nov 12, 2007

Search

Search

PHP 7.2 Secure Transition

grayloon

Well-Known Member

cPanelMichael

Administrator

grayloon

Well-Known Member

cPanelMichael

Administrator

grayloon

Well-Known Member

cPanelMichael

Administrator

grayloon

Well-Known Member

cPanelMichael

Administrator

grayloon

Well-Known Member

cPanelMichael

Administrator