Questions tagged [mod-php]

PHP installed as an Apache module

There are (at least) two ways of running PHP when working with Apache:

  • Using CGI: a PHP process is launched by Apache, and it is that PHP process that interprets PHP code, not Apache itself.
  • Using PHP as an Apache module (called mod_php): the PHP interpreter is "embedded" inside the Apache process. There is no external PHP process, which means that Apache and PHP can communicate better.

When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions.

A frequent security mistake made at this point is to give Apache root permissions, or to escalate Apache's abilities in some other way.

Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. By using open_basedir you can control and restrict which directories PHP is allowed to use. You can also set up Apache-only areas, to restrict all web-based activity to non-user, or non-system, files.

70 questions
55
votes
3 answers

mod_php vs cgi vs fast-cgi

I have been trying to understand the exact meaning/purpose of loading php as an apache module vs the rest. When php is installed as an apache module, what exactly happens? For example, does reading the php-ini file happen every time the php request…
Karthick
21
votes
2 answers

Apache's mod_php OR FastCGI? Which is good for Wordpress?

I have a basic idea about running PHP in different configurations like mod_php, cgi, FastCGI, etc. In my findings and test I found FastCGI is slightly better. I like FastCGI's support for SuEXEC most. Wait, I do not want to get into benchmarking…
rahul286
20
votes
3 answers

Disable HTML stack traces by Xdebug

The administrator has installed Xdebug 2.1.1 in our shared PHP 5.3.0 server in order to use its debugger. Now, I can hardly read the stack traces of uncaught exceptions because they are formatted by Xdebug with annoying colours that interact badly…
Álvaro González
19
votes
6 answers

Is there a difference between apache module vs cgi (concerning security)?

E.g. Is it more secure to use mod_php instead of php-cgi? Or is it more secure to use mod_perl instead of traditional cgi-scripts? I'm mainly interested in security concerns, but speed might be an issue if there are significant differences.
Sarien
18
votes
4 answers

Long Time to First Byte value for an empty php file

I had such a question some months ago. Now to isolate the problem I tried a new approach. I put an empty file on my server. The file name is "foobar.php". Its content is as follows:
trante
12
votes
2 answers

PHP processing speed apache 2.4 mpm-prefork mod_php 5.4 vs nginx 1.2.x PHP-FPM 5.4

I've been looking for days to see if someone has done a good, documented, PHP processing speed comparison between apache-mpm-prefork 2.4 with mod_php 5.4 and nginx 1.2.x + PHP-FPM 5.4. Why I'm looking: The only tests I saw are about benchmarks,…
petermolnar
10
votes
1 answer

Running Apache mod_php and mod_fastcgi in separate vhosts on one Apache server

So, I need to run multiple php apps/sites on one server. One or many should run using apache and mod_php5, and one or many should be able to run using mod_fastcgi and php-fpm. The mod_php5 ones are currently fine, and the fastcgi ones work if I…
Pharaoh Tools
7
votes
3 answers

Detect browser connection closed in PHP

Does anyone know if it is possible to detect whether the browser has closed the connection during the execution of a long PHP script, when using apache and mod_php? For example, in Java, the HttpOutputStream will throw an exception if one attempts…
Cheekysoft
5
votes
3 answers

PHP can't use 300MB of RAM

I'm trying to increase the allowed memory for certain PHP script. No matter what I do, for instance this: ini_set('memory_limit', '512M'); ... the script always runs out of memory at around 300MB: Fatal error: Out of memory (allocated 25165824)…
Álvaro González
5
votes
2 answers

Call PHP from virtual/custom "web server"

Basically, I'm trying to figure out how PHP can be called from a "web server". I've read the documentation, but it didn't help much. As far as I can tell, there are three ways to invoke PHP: via command line (eg: php -f "/path/to/script.php") via…
Christian
5
votes
1 answer

Apache resetting connection (?) on large file uploads

I have a site that used to be able to upload large files (large being > 10 or 20mb) but no longer can. I've been debugging this for hours at this point. All php values are set ludicrously high: post_max_size = 512M upload_max_filesize =…
Pez
5
votes
2 answers

Does mod_php honor HEAD requests properly?

The HTTP/1.1 RFC stipulates "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." I know Apache honors the RFC but modules don't have to. My question is, does mod_php5 honor this? The reason I…
rkulla
4
votes
1 answer

Apache mod_wsgi and php in the same domain

Is it possible to make my webserver run python and php in the same domain? I have a website in python/django that is www.mydomain.com. Now, I have to host a blog in www.mydomain.com/blog in wordpress. Can I make it through? Apache 2.2 mod_wsgi My…
otaviosoares
4
votes
2 answers

How can I tell Apache2, run mod_php5 by default but run this VH in CGI mode?

The Server I have a development server that I'm using to host my current projects. Here are some stats: root@myserver:/usr/bin $ cat /etc/*-release DISTRIB_ID=Ubuntu DISTRIB_RELEASE=10.10 DISTRIB_CODENAME=maverick DISTRIB_DESCRIPTION="Ubuntu…
mattalxndr
4
votes
1 answer

Does Apache really "fork" in mod_php/python way for request handling?

I am a dummy in web apps. I have a doubt regarding the functioning of apache web server. My question is mainly centered on "how apache handles each incoming request" Q: When apache is running in the mod_python/mod_php mode, then does a "fork" happen…
Vivek Jha