Information on PHP Handlers

1
Information on PHP Handlers
2
Table of Contents

• Introduction
• Change your PHP Handler
• CGI
• CGI (Continued)
• DSO
• DSO (Continued)
• FastCGI Process Manager (FPM)

• FCGI daemon (FCGId)
• LSAPI
• suPHP
• suPHP Security Checks
• suPHP Security Checks (Continued)
• suPHP Security Checks (Continued I)
• The suphp.conf File Warnings

3
Introduction

• PHP (Hypertext Preprocessor) handlers are a type
  of Apache module. These contain libraries. These
  libraries are used by the Apache web server for
  interpreting and running PHP code. The
  configuration file, /etc/apache2/conf.d/php.conf
  has the global directives which configure the PHP
  application handlers of Apache. The
  php.conf configuration file is loaded by an
  include command in the httpd.conf Apache
  configuration file. This ensures that the
  handlers load on start up.
• 6 PHP handlers are offered by cPanel WHM, by
  default. Each of these handlers is different from
  the others in its files and implementation. This
  impacts the speed and the security aspect with
  regard to how the PHP requests are handled by
  Apache.
• To digress, cPanel is a web hosting control
  panel. The service of web hosting is provided by
  web hosting companies and the most efficient
  services are usually referred to as the Best
  Cloud Hosting, the Best Windows Hosting, the
  Best Website Hosting, etc.

4
Change your PHP Handler

• PHP handler can be changed in the PHP Handlers
  section in the MultiPHP Manager interface in WHM.
  Alternatively, rebuild_phpconf script can be
  used.
• WHM gtgt Home gtgt Software gtgt MultiPHP
  Manager

5
CGI

• PHP applications are executed by the CGI handler
  through the mod_cgi or the mod_cgid Apache
  modules. When the suEXEC module is installed, PHP
  applications are executed by the system as the
  user who owns that VirtualHost which had served
  the request. When the suEXEC module is
  uninstalled, PHP applications are executed by the
  system as the nobody system user.
  mod_cgi and mod_ruid2 are provided by default by
  the system.
• The settings of the CGI handler can be customized
  in the PHP file.user.ini 
• These customizations are inherited by a domain
  when the domain is set to Inherit in the MultiPHP
  Manager interface in WHM.
• WHM gtgt Home gtgt Software gtgt MultiPHP
  Manager

6
CGI (Continued)

• In the context of CGI, the points that need to be
  mentioned are as follows
• PHP scripts can be executed with permissions of
  0400, when a per-user module has been enabled,
  such as suEXEC or Ruid2.
• PHP scripts can be executed with permissions of
  0444, when a per-user module has been disabled,
  such as suEXEC or Ruid2.
• Apache directives cannot be used with the mod_cgi
  or the mod_cgid Apache modules. A custom php.ini
  file needs to be used instead.
• Response headers cannot be set in an .htaccess
  file, when the mod_cgi or the mod_cgid Apache
  modules are used. The FPM or suPHP Apache modules
  need to be used for setting response headers in
  an .htaccess file.

7
1-800-123 -8156

• Whoa! Thats a big number, arent you
  proud?

8
DSO

• The PHP language is embedded by the DSO handler
  inside the Apache webserver. The use of Apache
  directives is allowed by DSO. Unless DSO is used,
  these directives cannot be used in an
  .htaccess file. The MPM Prefork Apache Module is
  required by the DSO handler. When the DSO PHP
  handler is used, PHP applications are executed as
  the nobody user. This is the case unless the
  mod_mpm_itk or mod_ruid2 Apache modules are used.
  
• It needs to be mentioned that the user account
  which executed the script cannot be easily
  identified when PHP scripts execute as the nobody
  user. Moreover, the data can be viewed by
  unauthorized users.

9
DSO (Continued)

• The DSO handler is not included as a default in
  EasyApache 4. The PHP package that is to be used
  needs to be installed for using the DSO handler.
• The DSO PHP package can be installed in the PHP
  Extensions section of the EasyApache 4 interface
  in WHM.
• WHM gtgt Home gtgt Software gtgt EasyApache
  4
• Certain important points to mention are as
  follows
• DSO can be used as the handler for one version of
  PHP on the system.
• DSO with PHP 8 is not supported by cPanel WHM.
• The text, DSO, will not be present in the display
  name of the handler.
• PHP scripts need to have permissions of at least
  0644 to execute, unless a per-user module, such
  as Ruid2 or ITK is being used.
• Files as the nobody user are created by the PHP
  scripts which run under DSO. Adequate permissions
  that are required for accessing and reading the
  PHP files need to be there with the nobody user.
  The nobody user needs to have permissions to
  write to the directories and files which are
  affected by the script.

10
FastCGI Process Manager (FPM)

• PHP applications are served by FastCGI. This is
  attained through the mod_proxy_fcgi Apache
  module. It is a fast method which might require
  changes to the FastCGI directives for efficient
  functioning. Emergency restarts, process
  management, as well as IP address restriction are
  included in the PHP-FPM (FastCGI Process Manage)
  implementation of FastCGI.
• The mod_proxy_fcgi Apache module is included by
  default in the EasyApache 4. This module can be
  installed in the Apache Modules section that
  exists in the EasyApache 4 interface in WHM.
• WHM gtgt Home gtgt Software gtgt EasyApache
  4
• The settings of the CGI handler can be customized
  in the PHP file.user.ini 
• These customizations are inherited by a domain
  when the domain is set to Inherit in the MultiPHP
  Manager interface in WHM.
• WHM gtgt Home gtgt Software gtgt MultiPHP
  Manager

11
FCGI daemon (FCGId)

• PHP applications are served by FCGId through the
  Apache module, mod_fcgid. An alternative is
  provided to the Apache module, mod_cgi by the
  Apache module, mod_fcgid. Multiple instances of a
  program are launched by FCGId in order to enable
  the system for handling requests that are
  multiple and concurrent.
• The following points need to be mentioned in this
  context
• Prior to the version 74 of cPanel WHM, the
  mod_fcgid Apache module was incompatible with
  MultiPHP.
• If FCGId is used by the default PHP version, then
  all PHP versions will use FCGId on those systems
  that run version 76 or earlier of cPanel WHM.
• The mod_fcgid Apache module is recommended only
  for advanced system administrators as they
  understand the way in which to modify the
  mod_fcgid Apache modules performance.
• The Apache module mod_fcgid is not compatible
  with the Apache modules mod_ruid2 or mod_mpm_itk.

12
LSAPI

• A fast as well as stable way for serving PHP
  applications is provided by LSAPI. The version of
  LSAPI of cPanel WHM is different from that of
  CloudLinux. Connection pooling, CRIU
  (Checkpoint/Restore in Userspace) and opcache
  preservation are disabled by this version.
• The Apache module, mod_lsapi, is included by
  default in EasyApache 4. The mod_lsapi Apache
  module can be installed in the Apache Modules
  section of the EasyApache 4 interface in WHM.
• WHM gtgt Home gtgt Software gtgt EasyApach
  e 4

13
suPHP

• The ability to run PHP scripts as the user with
  the Apache module, mod_suphp, is ensured by this
  option. A secure and flexible way for serving PHP
  requests is provided by this module. It needs to
  be mentioned that if suPHP is used, then no
  benefits are provided to the server by the PHP
  cache management extensions.
• The mod_suphp Apache module is complied in
  paranoid mode by EasyApache. Several patches
  enhance the Apache UserDir support. Apache
  directives cannot be used with the mod_suphp
  module. A php.ini file is placed in that
  directory which contains the PHP script, in order
  to specify these values. Alternatively, a php.ini
  file is placed in the location that is specified
  by the system administrator. It needs to be noted
  that the .ini files are loaded in a specific
  order by suPHP. The mod_suphp Apache module can
  be installed in the Apache Modules section of the
  EasyApache 4 interface of WHM.
• WHM gtgt Home gtgt Software gtgt EasyA
  pache 4
• You need to uninstall suPHP if you need to use
  the mpm_itk or the mod_ruid2 Apache modules as
  suPHP is incompatible with these modules.
  Moreover, permissions need to be at least 0640 in
  order to execute PHP scripts.

14
suPHP Security Checks

• Various security checks are performed by the
  mod_suphp Apache module, prior to executing a PHP
  script. The mod_suphp configuration file,
  /etc/suphp.conf needs to be edited if these
  checks have to be disabled. The following
  security checks can be edited
• docroot This is the directory in which PHP
  scripts must reside. In order to improve
  security, this value needs to be changed to
  /home/. The default value is /
• allow_file_group_writable The execution of PHP
  scripts with the group write but permission is
  prevented by this security check. This directive
  can be changed to true for allowing these scripts
  to execute. Doing so reduces security. The
  default value is false.
• allow_file_others_writable The execution of PHP
  scripts with the others write bit permission is
  prevented by this security check. This directive
  can be changed to true for allowing these scripts
  to execute. Doing so reduces security. The
  default value is false.
• check_vhost_docroot This security check ensures
  that suPHP checks if the target script resides in
  the request-serving VirtualHosts document root.

15
suPHP Security Checks (Continued)

• userdir_overrides_usergroup This configuration
  option is allowed by cPanel-specific patches. The
  default value is true.
• paranoid_uid_check suPHP can be compiled in
  different security modes. The paranoid mode is
  used by EasyApache. A paranoid UID check is
  performed by the mod_suphp module in order to
  verify that the script is executed by the user ID
  which owns it. The default value is true.
• paranoid_gid_check It is verified by this
  security check that the script is executed by the
  group ID which owns it. The default value is
  true.
• umask The default permissions for those files
  that are uploaded by suPHP to the server are set
  by this option. 0033, 0077, 0777 need to be used
  for enhanced security. The default value is 0022.

16
suPHP Security Checks (Continued I)

• min_uid - It is the lowest user ID for executing
  scripts that is allowed by the server. This value
  needs to be set to 100 or 500 for improving
  security. The default value is 1.
• min_gid - It is the lowest group ID for executing
  scripts that is allowed by the server. This value
  needs to be set to 100 or 500 for improving
  security. The default value is 1.
• full_php_process_display When this value is set
  to true, PHP scripts are executed by the
  mod_suphp module in a way which displays the PHP
  interpreter and the file name of the script in
  the process list. The default value is true.
• min_uid - It is the lowest user ID for executing
  scripts that is allowed by the server. This value
  needs to be set to 100 or 500 for improving
  security. The default value is 1.
• min_gid - It is the lowest group ID for executing
  scripts that is allowed by the server. This value
  needs to be set to 100 or 500 for improving
  security. The default value is 1.
• full_php_process_display When this value is set
  to true, PHP scripts are executed by the
  mod_suphp module in a way which displays the PHP
  interpreter and the file name of the script in
  the process list. The default value is true.

17
The suphp.conf File Warnings

• The phprc_paths section is included in the
  file, suphp.conf. This section can be used to
  lock a specific PHP handler to its default
  php.ini file. However, it is strongly recommended
  to not do so.
• The path to the php.ini file is set by the
  suPHP_ConfigPath configuration directive. This
  directive needs to be set in either the file,
  httpd.conf  or in an .htaccess file. The Options
  parameter needs to be removed from the
  Apache AllowOverride directive in order to
  prevent the use of this directive in .htaccess
  files. The phprc_paths settings that are in the
  suphp.conf file override any suPHP_ConfigPath sett
  ings.
• It is strongly recommended that the system is
  allowed to load the .ini files as well as
  directives as these are found. The most
  predictable results are ensured by it. It is
  strongly recommended that the phprc_paths sectio
  n, the suPHP_ConfigPath directive or the PHPRC
  environmental variable not be set, as this might
  cause unexpected behaviour.

18
Thanks!

• ANY QUESTIONS?

• www.htshosting.org