Chty blog - Apache2

Generating certificates with openssl

Chty — Thu, 20 Mar 2008 21:55:00 +0100

I'm sometimes using openssl to generate certificates, mostly for apache but not enough to remember the complete shell command each time. So I paste it here, as a reminder.

openssl req -new > server.cert.csr openssl rsa -in privkey.pem -out server.cert.key openssl x509 -in server.cert.csr -out server.cert.crt -req -signkey server.cert.key -days 365

Theses commands generate .pem, .crt, .csr and .key files. Note that apache only require .crt and .key files for SSLCertificateFile, SSLCertificateKeyFile directives.

Apache2 + mod_fastcgi + suexec on debian etch

Chty — Mon, 29 Oct 2007 14:49:00 +0100

I know it's difficult to find good documentation to configure apache2 with mod_fastcgi and suexec to make php websites works. This configuration works well with Debian Etch (4.0).
Here an example of configuration.

The following suppose that your web data are in /var/www/ (there are good reason for this as we'll see later).
/var/www/toto/: the web account of toto
/var/www/toto/web/: the web dir of the toto's account
/var/www/toto/conf/php.ini: you own php.ini file
/var/www/toto/cgi-bin/php.fcgi: the fcgi file which allow to run php5-cgi with a specific php.ini file for each virtual host

First of all don't forget that mod_fastcgi and mod_fcgid are different. Difference between mod_fastcgi and mod_fcgid is mostly at license level, since some might consider mod_fastcgi not to be totally free.

Enable fastcgi and suexec:

#a2enmod fastcgi
#a2enmod suexec

Suexec has no configuration file, because every parameter is hardcoded. Therefore, if you need to configure suexec, do it at apache2 compile time.
Let's see how...

#/usr/lib/apache2/suexec -V 
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

AP_DOC_ROOT is set to "/var/www", which is the reason you would want to put your files in /var/www/. You cannot just ignore this fact; if this directory is inconsistently set, it just won't work. If you want to change this directory, you must recompile apache2 with your own configuration.

/var/www/toto/cgi-bin/php.fcgi:

#!/bin/sh
PHPRC="/var/www/toto/conf/"
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=200
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php5-cgi

fastcgi.conf: (in /etc/apache2/mods-available/ for Debian)

<IfModule mod_fastcgi.c>
 AddHandler fastcgi-script .fcgi
 FastCgiWrapper /usr/lib/apache2/suexec
 FastCgiIpcDir /var/lib/apache2/fastcgi
 FastCgiConfig -singleThreshold 1 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>

See http://www.fastcgi.com/ if you want to know about all the options possible in fastcgi.conf.

Let's configure (in /etc/apache2/sites-available/ for debian etch) a virtual host for toto:



<VirtualHost xxx.xxx.xxx.xxx:80>
        ServerAdmin webmaster@toto.org
        ServerName toto.org
        DocumentRoot /var/www/toto/web/

        SuexecUserGroup UserName GroupName

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/toto/web/>
                Options -Indexes FollowSymLinks -MultiViews
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /var/www/toto/cgi-bin/
        <Directory "/var/www/toto/cgi-bin/">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        AddHandler php-fastcgi .php
        AddType application/x-httpd-php .php
        DirectoryIndex index.html index.php
        Action php-fastcgi /cgi-bin/php.fcgi

        ServerSignature On
</VirtualHost>

This virtual host can be enabled in /etc/apache2/sites-enabled/ by creating a symbolic link.
Make sure to set appropriate rights for /var/www/toto/ you set in the virtual host (SuexecUserGroup), since php5-cgi will be executed with these rights.

restart apache2 :
#/etc/init.d/apache2 restart

A maximum of four php5-cgi will be launched when the first visitor will visit the website. They would be killed after a timeout of 240 seconds of inactivity, as set in fastcgi.conf.
It should work.
Please tell me know if you are aware of issue that may arise with such a configuration.

Apache2 - mod_fcgid vs mod_fastcgi

Chty — Mon, 08 Oct 2007 01:22:11 +0000

Some time ago, I used mod_fcgid on my server. Everything went fine, except when dotclear2 became needed. After some test, I concluded that it wont work with mod_fcgid given because of certain rewrite rules. This seems to be a known issue, and the only solution at the time of writing it to use mod_fastcgi in its stead. Difference between mod_fastcgi and mod_fcgid is mostly at license level. Although mod_fastcgi is somewhat non-free, and after some troubles with the configuration, I decided to give it a try ;-)^[1]

After configuring two vhosts, one with mod_fcgid and one with mod_fastcgi, I benchmarked a simple "Hello world" program on Apache2. Results are speaking by themselves:

mod_fcgid benchmark test:

Server Software:        Apache/2.2.3
Server Hostname:        xxx
Server Port:            80

Document Path:          /
Document Length:        11 bytes

Concurrency Level:      5
Time taken for tests:   48.867314 seconds
Complete requests:      10000
Failed requests:        13
  (Connect: 0, Length: 13, Exceptions: 0)
Write errors:           0
Non-2xx responses:      13
Total transferred:      2959503 bytes
HTML transferred:       119256 bytes
Requests per second:    204.64 [#/sec] (mean)
Time per request:       24.434 [ms] (mean)
Time per request:       4.887 [ms] (mean, across all concurrent requests)
Transfer rate:          59.14 [Kbytes/sec] received

Connection Times (ms)
             min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1   23 360.7      1   12064
Waiting:        1   23 360.7      1   12064
Total:          1   23 360.7      1   12064

Percentage of the requests served within a certain time (ms)
 50%      1
 66%      1
 75%      1
 80%      1
 90%      1
 95%      1
 98%     17
 99%     21
 100%  12064 (longest request)

mod_fastcgi benchmark test:

Server Software:        Apache/2.2.3
Server Hostname:        xxx
Server Port:            80

Document Path:          /
Document Length:        11 bytes

Concurrency Level:      5
Time taken for tests:   18.150717 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      2950000 bytes
HTML transferred:       110000 bytes
Requests per second:    550.94 [#/sec] (mean)
Time per request:       9.075 [ms] (mean)
Time per request:       1.815 [ms] (mean, across all concurrent requests)
Transfer rate:          158.67 [Kbytes/sec] received

Connection Times (ms)
             min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1    8 194.4      2   11504
Waiting:        1    8 194.4      2   11504
Total:          1    8 194.4      2   11504

Percentage of the requests served within a certain time (ms)
 50%      2
 66%      3
 75%      3
 80%      3
 90%      4
 95%     12
 98%     17
 99%     20
 100%  11504 (longest request)

I do not know if I'm doing wrong with mod_fcgid, but the fact is that mod_fastcgi operates at 250 request/second faster. No need to say, dotclear2 is coming soon on this blog :-)

[1] thank's Pep :-)