Hi all,

Hopefully someone can help me sort this issue out..

I am running Apache with MPM-ITK and php-cgi as detailed in the setup guides in the Linode Library.. Each virtual server runs as the users that own the virtual server also as documented..

I want to now switch to using mod_fcgid but I seem to be getting an error..

Chrome throws this error.

Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data.

The virtual server error log shows..

root@server1:~# tail /home/www.site.com/logs/error.log
[Sat Aug 13 19:37:37 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7426
[Sat Aug 13 19:37:39 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7427
[Sat Aug 13 19:37:40 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7428
[Sat Aug 13 19:37:41 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7429
[Sat Aug 13 19:37:45 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7430
[Sat Aug 13 19:40:00 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7442
[Sat Aug 13 19:41:27 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7444
[Sat Aug 13 20:06:56 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7469
[Sat Aug 13 20:07:07 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7470
[Sat Aug 13 20:07:07 2011] [emerg] (13)Permission denied: mod_fcgid: can't get lock in pid 7471

My fcgid config is pretty basic..

I'm running Ubuntu 10.04..
I ran "aptitude install libapache2-mod-fcgid"

Created /etc/apache2/conf.d/php-fcgid.conf

 <IfModule fcgid_module>
AddHandler fcgid-script .fcgi .php

FcgidMaxRequestsPerProcess 1000

FcgidWrapper /usr/bin/php5-fcgid .php

</IfModule>

Created /usr/bin/php5-fcgid

#!/bin/sh
PHP_FCGI_MAX_REQUESTS=1000

export PHP_FCGI_MAX_REQUESTS
export PHPRC="/etc/php5/cgi"

exec /usr/bin/php5-cgi

I made the script executable..

I added +ExecCGI to the virtual server config file..

I restarted Apache..

What am I doing wrong??

Any help would be appreciated..

TIA

Hi.
I've recently started using the mpm_itk module for apache and have had luck using mod_php. This may reduce overhead on your server and free up memory as a result.

That said, should you still wish to go the rout of using mod_fcgid, there are a few things you can check.

What are the permissions of your virtual host directories?
Try:
ls -1l /path/to/directory

Is the file /usr/bin/php5-fcgid able to be executed by the user or users on the system? Can your script execute any other processes it might need to in order to interpret the php code, but still run all of that code under the user you've set in security settings?

I think the mod_php module for apache is easier to use, though that may not be what you need for your particular situation, so there are a few suggestions for you to try. Also, what you're attempting to do may be in conflict. I could be wrong, but here's an example.

Your virtual host configuration tells apache to switch to running under the user and group sample. Next, apache encounters a php script, which then executes your wrapper. The wrapper has insufficient priviliges to execute and/or read data it needs to, since its executing as the user and group sample, which has insufficient priviliges to complete the operations. Therefore, the errors you're getting. I could, of course be wrong about this. If this is what its doing, though, your method of executing php scripts with mod_fcgid may be insecure because of permissions you might need to set. If I'm wrong and its something different, then you may not have to worry so much about security.

If you have any further questions or problems, they are welcome.

Good luck,
Blake

Hi Blake,

Thanks for the reply..

I never did get it to work but what I have found out since is that MPM-ITK and FCGID are not a good combination anyway.. Obviously the benefit of FCGID is that it stays running.. Apparently MPM-ITK on the other hand doesn't.. So the FCGID processes would have been closed down anyway..

I have now tried most combinations..
MPM-ITK + php-cgi = Simple setup for running scripts as the owner, ok performance, can't use APC. Low memory usage.
MPM-ITK + mod_php = Very simple setup, good performance and ability to use APC. Little more memory used.
MPM-ITK + mod_fcgid = Couldn't get it working.
MPM-prefork + suEXEC + php-cgi = More complicated setup, performance similar to MPM-ITK + php-cgi.
MPM-prefork + suEXEC + mod_php = more complicated setup, good performance.
MPM-prefork + suEXEC + mod_fcgid=more complicated setup, excellent performance.
MPM-worker + suEXEC + php-cgi=More complicated setup, better performance than MPM-ITK + php-cgi.
MPM-worker + suEXEC + mod_php=Not recommended because php is apparently not thread safe.
MPM-worker + suEXEC + mod_fcgid=More complicated setup, best performance.

Obviously a lot depends on your load, what you are serving and the tons of configuration parameters.. I found the last setup with everything pretty much let at defaults to be VERY quick.. Especially as load increases..

Hi.
I'm glad you were able to sort out your problems. Some of your setups interest me and I may check them out, too. The only problem I see with some of them is that some only work with php to isolate the apache process from a user account, such as using SuExec. However, mpm_itk will isolate the apache process itself to a specific user. I don't know how it operates under high load yet, but I've benchmarked it and it appears to work okay. I'm going to run some more tests.

Anyway, your other suggestions are good, but do you know of any that will allow execution of other scripts using different scripting languages, perl, python, or others, and keep the scripts isolated to a specific user? I know there are modules for those in Apache and I think they would work with mpm_itk to isolate the scripts to a specific user.

Thanks,
Blake

AFAIK suEXEC can be used with any cgi based execution so it can be used with python, perl or even shell scripts.. As long as they are owned by the user and in the right place (like I said a little more setup than MPM-ITK ) they should work just fine..

If I have to use apache with php I go for worker + fcgi, I tend to skip suexec but it can be used if you want. Here's an excerpt from my stack script that installs mpm-worker with fcgi

function install_php_apache_worker
{
    aptitude -y install apache2-mpm-worker libapache2-mod-fcgid php5-cgi php5-cli php5-curl php5-gd php5-mcrypt php5-mysql php5-sqlite php-apc
    sed -i 's/short_open_tag = On/short_open_tag = Off/' /etc/php5/cgi/php.ini
    sed -i 's/disable_functions =/disable_functions = dl/' /etc/php5/cgi/php.ini
    sed -i 's/expose_php = On/expose_php = Off/' /etc/php5/cgi/php.ini
    sed -i 's/memory_limit = 128M/memory_limit = 32M/' /etc/php5/cgi/php.ini
    sed -i 's/;arg_separator.output = "&"/arg_separator.output = "&"/' /etc/php5/cgi/php.ini
    sed -i 's/;date.timezone =/date.timezone = UTC/' /etc/php5/cgi/php.ini
    sed -i 's/session.name = PHPSESSID/session.name = SESSID/' /etc/php5/cgi/php.ini
    cat <<EOT >/etc/apache2/conf.d/fcgi.conf
    FcgidMaxProcesses 4
    FcgidMaxRequestsPerProcess 5000
    AddHandler fcgid-script .php
    FcgidWrapper /usr/local/bin/php5-fcgi-wrapper .php
EOT

    cat <<EOT > /usr/local/bin/php5-fcgi-wrapper
#!/bin/sh
PHP_FCGI_MAX_REQUESTS=0
export PHP_FCGI_MAX_REQUESTS
PHP_FCGI_CHILDREN=0
export PHP_FCGI_CHILDREN
exec /usr/bin/php-cgi
EOT
    chmod +x /usr/local/bin/php5-fcgi-wrapper



    mkdir -p /etc/monit/conf.d
    cat <<EOT >/etc/monit/conf.d/apache2
     check process apache with pidfile /var/run/apache2.pid
   group www-data
   start program = "/etc/init.d/apache2 start"
   stop  program = "/etc/init.d/apache2 stop"
 if failed port 80 protocol HTTP request / within 5 cycles then restart
  if 5 restarts within 5 cycles then timeout
EOT
    a2dissite default # disable the interfering default virtualhost

   # clean up, or add the NameVirtualHost line to ports.conf
   sed -i -e 's/^NameVirtualHost \*$/NameVirtualHost *:80/' /etc/apache2/ports.conf
   if ! grep -q NameVirtualHost /etc/apache2/ports.conf; then
      echo 'NameVirtualHost *:80' > /etc/apache2/ports.conf.tmp
      cat /etc/apache2/ports.conf >> /etc/apache2/ports.conf.tmp
      mv -f /etc/apache2/ports.conf.tmp /etc/apache2/ports.conf
   fi
}

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue