Help - going from PHP-CGI to PHP Apache Module

software development

#1

I’ve decided to go from PHP-CGI to PHP as a Apache Module, simply for one of my web sites that will get a lot of hits - thus a lot of mysql queries.

Really what I’m after is a bit more info (I’ve read the Wiki) about secuirty and if I can run PHP 5 as an Apache Module as it doesn’t state that.

What problems have people encountered doing this and what solutions did you need to put in place.

What extra security did you need to take into account of ?

Many thanks in advance.

Miss Pixie


#2

Miss Pixie,

As far as I know (and according to Dreamhost), it is not possible to run PHP5 as an Apache Module on Dreamhost. There used to be a choice from the panel for running PHP as a module or as cgi. That was removed sometime ago, and all new installations are “forced” to run as PHP-CGI (though now you can choose whether you want to run PHP4 or PHP5)

Depending on the server you are on (older server?) or how long you have had your account (before the “end” of mod_php), you may still be able to run PHP4 as mod_php. For further details on this situation, and how to run PHP4 as mod_php if it is available on your server (even though you can’t “select” it from the Panel anymore), check out this article on the Unofficial Dreamhost Blog about the end of PHP as an Apache module..

Similar information can be found by searching this forum (there are other threads about this) and/or checking the “Discussion” pages of related PHP articles in the wiki. Please understand that this information was “current” in April and May of 2006 - and, as is always the case with such things, is subject to change by Dreamhost at anytime. That said, here is a quote from a Dreamhost employee (from the article linked above):

–rlparker


#3

Thanks rlparker,

Do you know if I can build the source for a php 5 module on my web space and use it that way, that seems the only solution. :frowning:

The reason for all this is my post “MYSQL Connections” a few days ago, which noone seems able to answer! :slight_smile: lol

Miss Pixie
being difficult as usual


#4

You can’t install your mod_php5 yourself because, unlike CGI binaries, Apache modules have to be loaded by the web server. You are unable to modify the web server configuration on a shared server, si you have no way of telling the server to load the module you installed.

Was your code written using PHP 5? If it will run under PHP 4, enabling mod_php4 using the instructions referenced above is probably your best option.


If you want useful replies, ask smart questions.


#5

I’m looking to move my work to PHP5… and see that phpinfo tells me that I’m running 4.4.4 on my DH site.
Call me Blind, but I don’t see where in the control panel one may change this. ?Help anyone?

PS: so why would DH be using PHP only via CGI anyway? Do they ever keep users posted on the why-for of their choices?
Thanks in advance…


#6

Ok, “You’re blind.” Ha Ha, old joke, and I’m just kidding :wink: .

The place to change the PHP setting is not obvious to many, especially if you are new to the Dreamhost Panel. A choice was offered when you added the domain, but after that it is hard to find (to change your original choice).

You can change which version of PHP5 your domain uses, and what user it runs under. as well as things like whether “Extra Web Security” (mod_security) and FastCGI are enabled for the domain as follows:

  1. Go to Domains–>Manage Domains on the COntrol Panel

  2. Look at the list of hosted domains, and find the “edit” link to the right of the domain you wish to change, and click that link.

  3. Make changes in the resulting screen, as desired, for the above mentioned settings (and anything else you want to change) and “submit” the form via the submit button at the bottom of the page.

Allow time for the changes to take effect - usually within 10 or 20 minutes, but it sometimes takes longer. You can check whether of not the changes have taken effect by again visiting the Manage Domain screen and seeing if the “clock” icon (which indicates a change has been requested and is “waiting” to be completed) is present next to the domain name. When the “clock” icon disappears, upon a subsequent visit to the page or a refresh, the changes are “good to go”.

The main reason that Dreamhost uses PHP-CGI is that running it under suEXEC, as Dreamhost does, enhances security considerably by allowing PHP to run as your user as opposed to running as the Apache user (which it would do if run as mod_php). This allows you to keep much tighter permissions on your files and directories, and allow Dreamhost to track resource usage by user (which is very important for all of us on a shared server).

There have been other reasons pointed out from time to time, including the fact that a reasonably secure mod_php requires disabling many more php functions that on running as CGI.This from the Dreamhost wiki:

I think Dreamhost has done a pretty good job of keeping users informed of the reasons and logic behind their decisions in this regards. You might find certain articles in the Dreamhost Wiki enlightening on all this, for example, the following is found in this Dreamhost WIki Article on CGI, PHP & Databases:

The benefits of running PHP-CGI are:

  • It is more secure. The PHP runs as your user rather than dhapache. That means you can put your database passwords in a file readable only by you and your php scripts can still access it!

  • It is more flexible. Because of security concerns when running PHP as an Apache module (which means it runs as our dhapache user), we have disabled a number of commands with the non-CGI PHP. This will cause installation problems with certain popular PHP scripts (such as Gallery) if you choose to run PHP not as a CGI!

  • It’s just as fast as running PHP as an Apache module, and we include more default libraries.

Note: This article is somewhat dated. It is my understanding that “newly created” accocunts (within the last “several months”) no longer have the ability to “switch” to running mod_php as described in the wiki article article. This is because the Apache module is not installed on the newer servers. While that ability is (or was) present on some of the older server configurations, and was left there to avoid breaking installed scripts that were originally configured to run under mod_php for “back in the day”, the article warns that such “swithcing” is unsupported and may not always be available. As servers are “upgraded”, and for all “new” servers,
mod_php is no longer available.

There is quite a bit of discussion of all this in various threads in the forum (including my earlier post in this thread - note the link in that post to “the end of mod_php” discussion in the “archive” of the old “Dreamhost Knowledge Base” (replaced by the wiki) but still available for “historical purposes” at blog.dreamhosters.com

–rlparker


#7

Note, however, that this statement is not true.


If you want useful replies, ask smart questions.


#8

Very True! Thanks for pointing that out. I remember thinking when I read that, “What? how do they figure that one?” :open_mouth:

–rlparker