mod_fcgid, php, and suexec

EDIT

OK. So I posted for help before but I was so close it wasn’t even funny. The solution was right under my nose. suexec complained that it wasn’t in the doc root. It only checks the cgi that is executed (not what is executed afterwards) for ownership and for location. So…

Here are my configs

fastcgi.conf – we need to load the module


LoadModule fcgid_module modules/mod_fcgid.so

In the section for the host you want this setup on.


  AddHandler fcgid-script .php

  <Directory /path/to/html>
    FCGIWrapper /path/to/html/php.fcgi .php
  </Directory>

Contents of php.fcgi


#!/bin/sh
PHPRC="/usr/php4/etc"
export PHPRC
PHP_FCGI_CHILDREN=8
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/php4/bin/php

Adjust PHP_FCGI_CHILDREN and PHP_FCGI_MAX_REQUESTS to your server. Keep in mind that PHP_FCGI_CHILDREN will be that number plus one. The starting process plus its children. Change the exec line to point to your php binary location and it can be outside the docroot. It can also be owned by someone other than the user the site is running under. Change PHPRC to point to the folder where your php.ini is located at.

Note that you must put this file in the document root for each website and it cannot be symlinked. It must be chowned to the user that the site runs under. It also should be chmodded with read and execute permission for the owner at the very minimum. That would be chmod 500.
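Added example, not part of the original post: a small shell check that audits a site's `php.fcgi` against the rules described above (real file in the document root, not a symlink, owned by the site user, at least mode 500). The function name and arguments are assumptions, and the group/other-write test is an extra check based on suEXEC's own behaviour rather than on the post.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a site's php.fcgi wrapper against
# the rules in the post: real file in the docroot, owned by the site user, and
# at least owner read+execute (chmod 500).
# check_wrapper <docroot> <site-user-or-uid>   (hypothetical helper name)
check_wrapper() {
    wrapper="$1/php.fcgi"
    user=$2
    rc=0

    # The wrapper cannot be a symlink and must exist in the document root.
    if [ -L "$wrapper" ]; then
        echo "FAIL: $wrapper is a symlink"
        return 1
    fi
    if [ ! -f "$wrapper" ]; then
        echo "FAIL: $wrapper is missing or not a regular file"
        return 1
    fi

    # Must be owned by the user the site runs under.
    if [ -z "$(find "$wrapper" -prune -user "$user" -print 2>/dev/null)" ]; then
        echo "FAIL: $wrapper is not owned by $user"
        rc=1
    fi

    # Owner needs at least read and execute (the post's chmod 500 minimum).
    if [ -z "$(find "$wrapper" -prune -perm -500 -print)" ]; then
        echo "FAIL: owner lacks read/execute on $wrapper"
        rc=1
    fi

    # Not stated in the post: suEXEC also refuses programs that are
    # writable by group or others, so flag those bits too.
    if [ -n "$(find "$wrapper" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $wrapper is writable by group or others"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $wrapper"; fi
    return "$rc"
}
```

Run it per virtual host, for example `check_wrapper /path/to/html siteuser`, after deploying or restoring a site so a missing or mis-owned wrapper is caught before suexec rejects requests.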

Hello,

Do you use FastCGI because you also use suPHP?

In your case, why do you use php4 as a CGI and not an Apache module?

I may understand this if you also use php5 on the same box (so as a module in this case) but if not …

Maybe your first idea was to use suPHP to secure your server and have all php scripts run under the uid/gid of the account, and then, as PHP is run as CGI, you thought of FastCGI so as not to have slower php?

I have a real interest in the goal behind this :)

Indeed we plan to have php4 as module and php5 as CGI on the same box, and for this we are currently testing the suPHP/php5 solution, and we were also thinking about the potential use of FastCGI to have a speedy and secure php5

Pascal

I tried suphp but it was too slow for my purposes. On my vps it was only about 10% as fast as mod_php. So I pulled it and looked into fastcgi and suexec as being a really good alternative. Now that it is set up I find it quite close to the speed that mod_php provides without the security implications. Also unlike suphp I can use eaccelerator and it will cache my php scripts. You just have to be very careful not to delete php.fcgi from your html document root.

I also had to build a copy of PHP 4 from source for this purpose. That was easy and I built all of the modules as shared modules. So I (or anyone else) can add/remove modules at will. The only thing that is required is to kill the associated php processes so that it loads up the new ini file.

It’s very good indeed, but I find the php.fcgi not cool. Is it absolutely necessary?

I’ll surely test this and compare the speed vs suPHP

Thanks shinji for your contrib

Pascal

You could put a php binary in the doc root but you have to do one or the other or suexec will complain about the script not being in the doc root. It won’t complain if you are calling the system php binary from the script. Also the script has a second purpose of controlling the number of spawned processes and accepted connections before it dies. A lot of sites use it now. Also I probably should mention this now. I had to make some other config settings to get it to work right for my site (it didn’t show until I tried to add files to my gallery).

Well the mod_fcgid docs will be useful information but here are my settings (beyond the ones mentioned in my first post). Also I have each site pointing to their own php.ini file now so one site won’t break the other.


IPCConnectTimeout 20
IPCCommTimeout 300

IPCConnectTimeout n (3 seconds)
The connect timeout to a fastcgi application.

IPCCommTimeout n (20 seconds)
The communication timeout to a fastcgi application. Please increase this value if your CGI have a slow initialization or slow respond.

Increasing IPCCommTimeout was necessary in order to allow Gallery 2 to process the pictures being submitted. It is also likely to be required for other php apps like Wordpress.

OK.

I also read from the fastcgi doc this :

Build PHP

First of all, build PHP. All of version 4 supports the FastCGI flag. Simply specify where to get the FastCGI libraries from (download and install them from the http://www.fastcgi.com website), and do the normal build with whatever other options you require:

./configure --with-fastcgi=/usr/local

This creates a version of PHP which speaks the FastCGI protocol. Unfortunately, it no longer runs as a regular PHP application, so it will fail for use on the command line or in CRON. I recommend doing the configuration and builds twice, once as regular PHP with a full installation, and then a second time as a FastCGI version, but manually installing only the binary into your destination location. I call my regular one “php”, and the other one “php-fcgi”.

Is it the same with fcgid? Do you have to install PHP 2 times to have the php binary created without the fastcgi support?

Pascal

You will have to rebuild php either from SRPM or from source if you don’t already have fastcgi support. I don’t know how to do it with the available SRPM and did it from source because it was newer and I needed finer control over the compile. So I guess you could say that I have 2 installs of PHP4 on my box now. The one installed using the RPM was kept around because when I tried to remove the package it wanted to get rid of the interworx ones as well.

For the command line I think you can use the cli version which is available after compiling in (from your source code folder) sapi/cli which will contain it. This is after compiling and I would recommend setting the PREFIX to be something like /usr/php4 like I did. ‘make install’ doesn’t install the cli binary but it is compiled. It will install the cgi-fcgi binary.

a few minutes later
I just recompiled to correct a mistake I made earlier when I compiled it from source and found out that pear doesn’t like running with register_argc_argv shut off. Maybe it is because I have a newer version of pear installed, since I just did the install straight over top, but rename the installed php binary to ‘php-fcgi’ and name the cli version ‘php’ and it will work then.