MPM ITK Overview
PHP handlers such as suPHP or FCGI run only PHP processes as the account user; other Apache requests, such as HTML pages or download links, are still served by processes running as the user nobody. MPM ITK is an Apache MPM that addresses this by running each request as the user and group given in the AssignUserID directive of the VirtualHost, so all of a user's requests run as that user and group. It also supports a MaxClientsVHost directive within each VirtualHost to limit a user's processes at the Apache level.
Until MPM ITK is included in EasyApache itself, it can be downloaded from the cPanel documentation site and installed as a Custom Opt Module. Unfortunately, because ZTS support is turned on for MPMs other than Prefork, DSO will be disabled during the compile of MPM ITK. Since MPM ITK only works properly with mod_php (DSO), this guide shows how to use this MPM until it goes into EasyApache.
Please note that MPM ITK and recompiling PHP are both experimental customizations, which are not supported by cPanel itself. Use this guide at your own risk. If you run into any issues, simply remove the customizations and revert to your prior EasyApache settings.
Adding MPM ITK
Grab the tarfile and install the custom_opt_mods:
Code:
cd /root
wget http://docs.cpanel.net/twiki/pub/EasyApache3/CustomMods/MPMitk.tar.gz
tar -C /var/cpanel/easy/apache/custom_opt_mods -xzf MPMitk.tar.gz
At that point, run EasyApache from the command line to select the module:
Code:
/scripts/easyapache
Select MPM itk in the Exhaustive Options List for Apache Modules.
Compiling DSO PHP from Source
Grab a copy of PHP 5.3.6 and extract it:
Code:
cd /root
wget -O php-5.3.6.tar.gz http://www.php.net/get/php-5.3.6.tar.gz/from/ar.php.net/mirror
tar xzf php-5.3.6*
cd php-5.3.6
Configure DSO with the proper flags (you may need to add other flags as I've simply used the default flags after switching to DSO on initial cPanel install):
Code:
./configure \
--disable-fileinfo \
--disable-pdo \
--enable-bcmath \
--enable-calendar \
--enable-ftp \
--enable-libxml \
--enable-magic-quotes \
--enable-sockets \
--prefix=/usr/local \
--with-apxs2=/usr/local/apache/bin/apxs \
--with-curl=/opt/curlssl/ \
--with-gd \
--with-imap=/opt/php_with_imap_client/ \
--with-imap-ssl=/usr \
--with-jpeg-dir=/usr \
--with-kerberos \
--with-libdir=lib64 \
--with-libxml-dir=/opt/xml2/ \
--with-mysql=/usr \
--with-mysql-sock=/var/lib/mysql/mysql.sock \
--with-mysqli=/usr/bin/mysql_config \
--with-openssl=/usr \
--with-openssl-dir=/usr \
--with-pcre-regex=/opt/pcre \
--with-pic \
--with-png-dir=/usr \
--with-xpm-dir=/usr \
--with-zlib \
--with-zlib-dir=/usr
Run make and make install to complete the installation:
Code:
make && make install
Additional Steps for DSO
Copy the libphp5.so file to /root to save a copy of it, since future /scripts/easyapache recompiles will move the file out of the /usr/local/apache/modules folder:
Code:
cp /usr/local/apache/modules/libphp5.so /root
Now, before you run /scripts/easyapache in the future, create this file:
Code:
vi /scripts/posteasyapache
Place the following content into the file:
Code:
#!/bin/bash
cp /root/libphp5.so /usr/local/apache/modules/
/etc/init.d/httpd restart
/usr/local/cpanel/bin/rebuild_phpconf 5 none dso enabled
The above script copies libphp5.so back into the /usr/local/apache/modules folder at the end of the build, restarts Apache, and re-enables dso as the PHP handler. The handler switches to suPHP during the EasyApache build, but dso becomes available again once libphp5.so is copied back to the /usr/local/apache/modules folder. If you use PHP 4 as well, you may need to revise the last line to put something other than none for the PHP 4 handler.
After saving the file, make sure it is executable:
Code:
chmod +x /scripts/posteasyapache
Of note, I was previously adding the LoadModule to the /usr/local/apache/conf/includes/pre_main_global.conf file, but this isn't necessary because it will be added to the /usr/local/apache/conf/php.conf file once libphp5.so is moved back to the /usr/local/apache/modules folder.
Adding MPM ITK VirtualHost Directives
Finally, to enable individual VirtualHost directives for MPM ITK, use the following steps:
Code:
mkdir -p /usr/local/apache/conf/userdata/std/2/username
echo "AssignUserID username username" >> /usr/local/apache/conf/userdata/std/2/username/mpm.conf
/scripts/ensure_vhost_includes --user=username
In the commands above, replace each instance of username with the cPanel username.
If you would also like to limit the MaxClients for that user, you can do:
Code:
echo "MaxClientsVHost #" >> /usr/local/apache/conf/userdata/std/2/username/mpm.conf
/scripts/ensure_vhost_includes --user=username
Here, replace both username and #, where # is the MaxClients limit you want for that VirtualHost, such as 50 or 25.
Setting the PHP handler before the next EasyApache recompile
In the WHM > Apache Configuration > PHP and SuExec Configuration area, set the PHP 5 handler to dso.
Alternatively, run this via the command line:
Code:
/usr/local/cpanel/bin/rebuild_phpconf 5 none dso enabled
As noted previously, if you are using PHP 4 as well via another handler, you'll need to change none to whatever handler PHP 4 should have.
Working Examples
To see a working example of my HTML page, PHP page and Rails application page running under my username via MPM ITK, here are some process outputs:
1. HTML page loaded in a browser returns 1 Apache process as the user
Code:
tristan 28413 0.0 0.2 111600 5864 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
2. PHP page loaded in a browser returns 2 Apache processes as the user
Code:
tristan 28463 0.0 0.3 112232 7140 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28464 0.0 0.3 111600 6332 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
3. Rails page loaded in a browser returns 5 Apache processes as the user
Code:
tristan 28512 0.0 0.2 111600 6144 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28514 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28516 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28517 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
tristan 28518 0.0 0.2 111600 5840 ? S 11:52 0:00 /usr/local/apache/bin/httpd -k start -DSSL
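A lint for the per-user include files created in "Adding MPM ITK VirtualHost Directives", given here as an added example rather than part of the original guide. It flags a missing mpm.conf, an AssignUserID that does not name the directory's own account (so the vhost would run as someone else), duplicated lines left by re-running the echo >> step, and an unreplaced # placeholder. The function names and the sample accounts alice, bob, carol and dave are made up for illustration.

```bash
#!/bin/bash
# Added example (not from the guide). Assumed layout: <base>/<username>/mpm.conf

# Prints one line per problem; returns 0 when clean, 1 otherwise.
audit_itk_userdata() {
    local base="$1" dir user conf count key val rest bad=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir")
        conf="${dir}mpm.conf"
        if [ ! -f "$conf" ]; then
            echo "$user: mpm.conf missing"; bad=1; continue
        fi
        # Appending with >> twice leaves duplicate directives behind.
        count=$(grep -c '^[[:space:]]*AssignUserID[[:space:]]' "$conf" || true)
        if [ "$count" -ne 1 ]; then
            echo "$user: expected 1 AssignUserID line, found $count"; bad=1
        fi
        # User and group must both equal the account that owns this directory.
        if ! awk -v u="$user" 'BEGIN { ok = 0 }
              $1 == "AssignUserID" && NF == 3 && $2 == u && $3 == u { ok = 1 }
              END { exit !ok }' "$conf"; then
            echo "$user: AssignUserID does not match account name"; bad=1
        fi
        # MaxClientsVHost is optional, but must be a plain number when present.
        while read -r key val rest; do
            [ "$key" = "MaxClientsVHost" ] || continue
            case "$val" in
                ''|*[!0-9]*) echo "$user: MaxClientsVHost value '$val' is not a number"; bad=1 ;;
            esac
        done < "$conf"
    done
    return "$bad"
}

# Constructed sample tree: alice is correct, the other three are not.
make_sample_tree() {
    local base; base=$(mktemp -d)
    mkdir -p "$base/alice" "$base/bob" "$base/carol" "$base/dave"
    printf 'AssignUserID alice alice\nMaxClientsVHost 25\n' > "$base/alice/mpm.conf"
    printf 'AssignUserID bob bob\nAssignUserID bob bob\n' > "$base/bob/mpm.conf"
    printf 'AssignUserID username username\nMaxClientsVHost #\n' > "$base/carol/mpm.conf"
    echo "$base"   # dave has a directory but no mpm.conf
}

tree=$(make_sample_tree)
audit_itk_userdata "$tree" || true
rm -rf "$tree"
```

On a server, point audit_itk_userdata at /usr/local/apache/conf/userdata/std/2 instead of the sample tree.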