A little somewhere else

To content | To menu | To search

Tag - Apache2

Entries feed - Comments feed

Thursday, August 28 2008

Changing suexec root directory

By Chty on Thursday, August 28 2008, 11:30

Almost one year ago, I wrote an entry about using Apache2 with mod_fastcgi and suexec.
For some security reasons, suexec is using a root directory. By default it's set to /var/www/. To see the problem you can test the following command:

#/usr/lib/apache2/suexec -V
-D AP_DOC_ROOT="/var/www"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

As you can see AP_DOC_ROOT is set to /var/www/. So if you don't have your files in this directory, you can not use suexec. Moreover, you are probably like me, you don't want to move all your files in this directory. The only way to resolve this problem is to recompile apache2 with the correct configuration. Below, an example on Debian 4.0.

#apt-get update
$mkdir /tmp/apache2
#cd /tmp/apache2
#apt-get source apache2
 -> get the package's source of apache2
#apt-get build-dep apache2
-> get and install the packages required to rebuild the package apache2
#emacs apache2-2.2.3/debian/rules
-> replace the option --with-suexec-docroot with the correct path you want. Now we can actually rebuild the package. We perform a rebuild by using the debuild command. If you are not the maintainer of the package, you will need to add two flags to this, telling the building process not to sign the package. In most cases debuild -us -uc is what you wish to use.
#debuild -us -uc
-> Wait a bit, and if no error happens, you can install the new package.
#dpkg -i apache2_2.2.3-4+etch5_all.deb

Now the AP_DOC_ROOT should be set to the correct directory:

#/usr/lib/apache2/suexec -V
-D AP_DOC_ROOT="/home/myWebDir"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="www-data"
-D AP_LOG_EXEC="/var/log/apache2/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=100
-D AP_USERDIR_SUFFIX="public_html"

Perhaps I made mistakes, tell me if you have suggestions.

4 comments

Thursday, March 20 2008

Generating certificates with openssl

By Chty on Thursday, March 20 2008, 21:55

I'm sometimes using openssl to generate certificates, mostly for apache but not enough to remember the complete shell command each time. So I paste it here, as a reminder.

openssl req -new > server.cert.csr
openssl rsa -in privkey.pem -out server.cert.key
openssl x509 -in server.cert.csr -out server.cert.crt -req -signkey server.cert.key -days 365

Theses commands generate .pem, .crt, .csr and .key files. Note that apache only require .crt and .key files for SSLCertificateFile, SSLCertificateKeyFile directives.

Monday, October 29 2007

Apache2 + mod_fastcgi + suexec on debian etch

By Chty on Monday, October 29 2007, 14:49

I know it's difficult to find good documentation to configure apache2 with mod_fastcgi and suexec to make php websites works. This configuration works well with Debian Etch (4.0).
Here an example of configuration.

Continue reading...

Monday, October 8 2007

Apache2 - mod_fcgid vs mod_fastcgi

By Chty on Monday, October 8 2007, 01:22 - Software

Some time ago, I used mod_fcgid on my server. Everything went fine, except when dotclear2 became needed. After some test, I concluded that it wont work with mod_fcgid given because of certain rewrite rules. This seems to be a known issue, and the only solution at the time of writing it to use mod_fastcgi in its stead. Difference between mod_fastcgi and mod_fcgid is mostly at license level. Although mod_fastcgi is somewhat non-free, and after some troubles with the configuration, I decided to give it a try ;-)[1]

After configuring two vhosts, one with mod_fcgid and one with mod_fastcgi, I benchmarked a simple "Hello world" program on Apache2. Results are speaking by themselves:

Server Software:        Apache/2.2.3
Server Hostname:        xxx
Server Port:            80

Document Path:          /
Document Length:        11 bytes

Concurrency Level:      5
Time taken for tests:   48.867314 seconds
Complete requests:      10000
Failed requests:        13
  (Connect: 0, Length: 13, Exceptions: 0)
Write errors:           0
Non-2xx responses:      13
Total transferred:      2959503 bytes
HTML transferred:       119256 bytes
Requests per second:    204.64 [#/sec] (mean)
Time per request:       24.434 [ms] (mean)
Time per request:       4.887 [ms] (mean, across all concurrent requests)
Transfer rate:          59.14 [Kbytes/sec] received

Connection Times (ms)
             min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1   23 360.7      1   12064
Waiting:        1   23 360.7      1   12064
Total:          1   23 360.7      1   12064

Percentage of the requests served within a certain time (ms)
 50%      1
 66%      1
 75%      1
 80%      1
 90%      1
 95%      1
 98%     17
 99%     21
 100%  12064 (longest request)
Server Software:        Apache/2.2.3
Server Hostname:        xxx
Server Port:            80

Document Path:          /
Document Length:        11 bytes

Concurrency Level:      5
Time taken for tests:   18.150717 seconds
Complete requests:      10000
Failed requests:        0
Write errors:           0
Total transferred:      2950000 bytes
HTML transferred:       110000 bytes
Requests per second:    550.94 [#/sec] (mean)
Time per request:       9.075 [ms] (mean)
Time per request:       1.815 [ms] (mean, across all concurrent requests)
Transfer rate:          158.67 [Kbytes/sec] received

Connection Times (ms)
             min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1    8 194.4      2   11504
Waiting:        1    8 194.4      2   11504
Total:          1    8 194.4      2   11504

Percentage of the requests served within a certain time (ms)
 50%      2
 66%      3
 75%      3
 80%      3
 90%      4
 95%     12
 98%     17
 99%     20
 100%  11504 (longest request)

I do not know if I'm doing wrong with mod_fcgid, but the fact is that mod_fastcgi operates at 250 request/second faster. No need to say, dotclear2 is coming soon on this blog :-)

[1] thanks Pep :-)