apache mass virtual hosting with suexec and mod_fcgid

Question

I followed Falco's tutorial and everything now works as expected for 2 users (e.g. john and alice) with their relevant directories (/var/www/john and /var/ww/alice).

Now, I want to go to the next level: instead of defining different vhosts at /etc/apache2/sites-available/<username> and restarting Apache, I need dynamically configured mass virtual hosting. Say, my DNS server has records for: another.site.example.com, I want it's home directory to be at /var/www/another.site/web.

The problem is all these configuration settings for suexec and mod_fcgid. I ended to this draft of my httpd.conf (or should I create a file like /etc/apache2/sites-available/mass_virtual ?):

NameVirtualHost *:80

#default virtual host
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com
  ServerAdmin [email protected]
  DocumentRoot /var/www/root/web/

  <IfModule mod_fcgid.c>
    SuexecUserGroup web-admin web-admin
    <Directory /var/www/root/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/root/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>

#3rd-level subdomain virtual hosts
<VirtualHost *:80>
  UseCanonicalName Off
  ServerAlias *.example.com
  #problematic email!
  ServerAdmin [email protected]
  #is this /var/www/another.site/web or /var/www/www.another.site/web for
  #a request for www.another.site.example.com ?
  VirtualDocumentRoot /var/www/%-3+/web

  <IfModule mod_fcgid.c>
    #problematic group and user!
    SuexecUserGroup web1 web1
    <Directory /var/www/*/web/>
      Options +ExecCGI
      Options -Indexes
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/php-fcgi-scripts/*/php-fcgi-starter .php
      Order allow,deny
      Allow from all
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

</VirtualHost>

1. As you can see from the comments I have a problematic ServerAdmin [email protected], a SuexecUserGroup web1 web1 and a VirtualDocumentRoot /var/www/%-3+/web configuration!

2. Moreover, to ensure security I think IfModule shouldn't exist-if mod_fcgid can't load then neither should the server and,

3. instead of Alow from all, I think I should have Deny from all and open-up a php-library directory instead!

Thanks.

Answer 1

OK, as I have no replies I'll try the half part of my proposed solution(?): use of mod_userdir to force execution of suexec

1. Let's create the following /etc/apache2/httpd.conf

   ##########################################
   ### mod_fcgid configuration directives ###
   ##########################################
   #values should be tuned depending on server memory
   FcgidMaxProcesses 1000
   FcgidMaxProcessesPerClass 100
   FcgidMinProcessesPerClass 3
   #see 'export PHP_FCGI_MAX_REQUESTS=5000' at '/var/www/php-fcgi-scripts/<user>/php-fcgi-starter'
   FcgidMaxRequestsPerProcess 5000
   FcgidIOTimeout 40
   FcgidProcessLifeTime 3600
   FcgidMaxRequestInMem 65536
   FcgidMaxRequestLen 131072
   FcgidOutputBufferSize 65536
   

2. Let's create a mass_virtual at /etc/apache2/sites-available/

   #NameVirtualHost *:80
   
   #default virtual host
   <VirtualHost *:80>
     ServerName www.example.com
     ServerAlias example.com
     ServerAdmin [email protected]
     DocumentRoot /var/www/web-admin/web/
   
     SuexecUserGroup web-admin web-admin
     <Directory /var/www/web-admin/web/>
       Options +ExecCGI
       Options -Indexes
       AllowOverride All
       AddHandler fcgid-script .php
       #FCGIWrapper /var/www/php-fcgi-scripts/web-admin/php-fcgi-starter .php
       FcgidWrapper /var/www/php-fcgi-scripts/web-admin/php-fcgi-starter .php
       Order allow,deny
       Allow from all
     </Directory>
   
     # ErrorLog /var/log/apache2/error.log
     # CustomLog /var/log/apache2/access.log combined
     ServerSignature Off
   
   </VirtualHost>
   
   #3rd-level subdomain virtual hosts
   <VirtualHost *:80>
     ServerAlias *.example.com
     ServerAdmin [email protected]
     ##################
     ### solution 1 ###
     ##################
     #mod_vhost_alias directives: needs parameterized SuexecUserGroup(?)
     #UseCanonicalName Off
     #VirtualDocumentRoot /var/www/%-3+/web
     ##################
     ### solution 2 ###
     ##################
     #mod_userdir directives for requests: http://www.example.com/~user
     UserDir disabled root
     UserDir /var/www/*/public_html
   
     #reduntant if using requests: http://www.example.com/~user
     #SuexecUserGroup web1 web1
     <Directory /var/www/*/public_html>
       Options +ExecCGI
       Options -Indexes
       AllowOverride All
       AddHandler fcgid-script .php
       #move to .htaccess
       #FCGIWrapper /var/www/php-fcgi-scripts/*/php-fcgi-starter .php
       #FcgidWrapper /var/www/php-fcgi-scripts/*/php-fcgi-starter .php
       Order allow,deny
       Allow from all
     </Directory>
   
     # ErrorLog /var/log/apache2/error.log
     # CustomLog /var/log/apache2/access.log combined
     ServerSignature Off
   
   </VirtualHost>
   

   Problem: If I uncomment first line I get a warning on server restart that there are no virtual hosts!!

3. Let's create my user bob

4. Let's create a .htaccess at /var/www/bob/public_html

   FcgidWrapper /var/www/php-fcgi-scripts/bob/php-fcgi-starter .php
   

5. Let's hit my browser to www.example.com/info.php or example.com/info.php

   web-admin
   

   ...as expected but,

6. let's move to www.example.com/~bob/info.php

   ...trying to open info.php!!!
   

   let's see errors

   <root># cat /var/log/apache2/error.log
   [notice] caught SIGTERM, shutting down
   [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
   [notice] Apache/2.2.20 (Ubuntu) mod_fcgid/2.3.6 configured -- resuming normal operations
   

   As you can see there are NO errors BUT mod_fcgid is NOT enabled to run the .php file and apache tries to send it as normal file!!! Any ideas how to solve this?