apache + fastcgi + fpm Why is suexec required?

advertisements

So I have the following WORKING virtualhost:

<VirtualHost 192.168.128.20:80>
        ServerName euclid.domain.tld 

        #LogLevel debug
        ErrorLog /var/www/euclid/logs/error_log 

        SuexecUserGroup fastcgi www_euclid
        FastCgiExternalServer /var/www/euclid/htdocs/cgi-bin -socket /var/run/php-fpm/euclid.sock -user fastcgi -group www_euclid
        AddHandler php-fastcgi .php
        Action php-fastcgi /cgi-bin
        Alias /cgi-bin /var/www/euclid/htdocs/cgi-bin 

        <Location /cgi-bin>
                Order Deny,Allow
                Deny from All
                # Prevent accessing this path directly
                Allow from env=REDIRECT_STATUS 

                Options +ExecCGI +FollowSymLInks +SymLinksIfOwnerMatch
        </Location> 

        DocumentRoot /var/www/euclid/htdocs
        <Directory /var/www/euclid/htdocs>
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

What I cant seem to figure out is why I need to have either/both SuexecUserGroup fastcgi www_euclid and FastCgiExternalServer with the -user fastcgi -group www_euclid flags. FPM has pooling enabled and each pool is running under its own user/group. This works correctly, no issue. If i remove SuexecUserGroup and/or the -user fastcgi -group www_euclid arguments, I get the following error and I have no idea why. Additionally what uid and gid is used to access the socket file by fastcgi? Its certainly not fastcgi:ww_euclid.

(13)Permission denied: FastCGI: failed to connect to server
"/var/www/euclid/htdocs/cgi-bin": connect() failed  FastCGI:
incomplete headers (0 bytes) received from server
"/var/www/euclid/htdocs/cgi-bin"


Ok I believe I have figured out what the problem was. The simple answer is; mod_fastcgi sucks. Its old, unmaintained and poorly documented. Why it keeps coming up when looking up how to run php-fpm is beyond me. Save your self the headache and just don't use it!

The real solution is rather simple:

<VirtualHost 192.168.128.20:80>
        ServerName euclid.domain.tld 

        #LogLevel debug
        ErrorLog /var/www/euclid/logs/error_log 

        <IfDefine PROXY>
                #If you want to use mod_proxy (Probably the best option)
                ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://localhost:9000/var/www/euclid/htdocs/$1
        </IfDefine>

        <IfDefine FASTCGI_HANDLER>
                #If you want to use mod_fastcgi_handler (3rd party)
                AddHandler fcgi:/var/run/php-fpm-euclid.sock .php
        </IfDefine>

        DocumentRoot /var/www/euclid/htdocs
        <Directory /var/www/euclid/htdocs>
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>