Apache issue, help needed. - GoFuckYourself.com

cooldude7 · 09-22-2011, 01:01 PM

Hi, all.,

i have a server setup using php as
Server API - CGI
but i want to switch it to
Server API -Apache 2.0 Handler

cause my new script specifically requires "Server API -Apache 2.0 Handler"

and curently server has running few nubiles tube scripts sites.,

so i am worried what if change my php from cgi to apache , and my sites get fucked up.

so is there any other option ? without fucking my already running sites.

thanks for your time., have agr8 day ahead.,

tical · 09-22-2011, 01:04 PM

making the change shouldn't cause any problems... but just in case save a backup of your httpd.conf file so that you can quickly go back to the original config if anything breaks

cooldude7 · 09-22-2011, 01:06 PM

Quote:

Originally Posted by tical

making the change shouldn't cause any problems... but just in case save a backup of your httpd.conf file so that you can quickly go back to the original config if anything breaks

the thing is that, to test this scenario,

i asked my other vps host running wordpres site to switch it from apache to cgi , ad they did., and then my site fucked up., 500 and / other errors., not even phpinfo file was opening, so i switched it back.,

but backing up config is gr8 advice.,

thanks for your help.

cooldude7 · 09-22-2011, 08:59 PM

bump for more.

Babaganoosh · 09-22-2011, 09:05 PM

Quote:

Originally Posted by cooldude7

the thing is that, to test this scenario,

i asked my other vps host running wordpres site to switch it from apache to cgi , ad they did., and then my site fucked up., 500 and / other errors., not even phpinfo file was opening, so i switched it back.,

but backing up config is gr8 advice.,

thanks for your help.

What was the error from the error log?

cooldude7 · 09-22-2011, 10:38 PM

Quote:

Originally Posted by Babaganoosh

What was the error from the error log?

they did forced redirect to cgi.,

and here is log from suphp

Quote:

[Thu Sep 22 23:34:19 2011] [warn] Mismatch between target GID (1006) and GID (48) of file "/home/admin/scholes-tech.com/index.php"

this is from error log httpd

Quote:

[Thu Sep 22 23:28:52 2011] [notice] caught SIGTERM, shutting down
[Thu Sep 22 23:28:52 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 22 23:28:52 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Sep 22 23:28:52 2011] [notice] Digest: generating secret for digest authentication ...
[Thu Sep 22 23:28:52 2011] [notice] Digest: done
[Thu Sep 22 23:28:52 2011] [warn] RSA server certificate wildcard CommonName (CN) `*.lxlabs.com' does NOT match server name!?
[Thu Sep 22 23:28:52 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 configured -- resuming normal operations

raymor · 09-22-2011, 10:54 PM

The following assumes that you have a dedicated server.
On a shared server, there are concerns addressed by running PHP as a CGI using suphp.
Personally I think those concerns are greatly outweighed by what I'm about to explain, but on a shared server it's at least arguable. Assuming this is a dedicated server:

mod_php is the way to go. Do not run PHP as a CGI. There is no benefit to doing so on a dedicated server, only problems.
The error messages you saw were most likely revealing problems previously hidden by a gigantic security whole from running suphp as yourself, your user name.
The error log you posted was the main server log with some probably inconsequential stuff regarding your SSL cert. The log you want to check is the log specific to that site, tailing it as you hit the pages with errors.
You'll see permissions errors.

Here's what was going on, in all likelihood. Running suphp, you basically said permissions (chmod) don't matter. Any visitor to the site was allowed to change or delete any file they want. Since all of the PHP ran as your FTP user, any script, yours or the hackers, was allowed to do anything you can do via FTP. You saw no permission problems because there were effectively no permission controls. "Hey you're visiting this site, I guess you're allowed to change it any way you want." By (correctly) running PHP using the module, permissions are enforced. The scripts can only change the files you say they can change using chmod 666 and can only create new files within the directories you specify by chmodding those data directories 777. Since you didn't set any specific data files or directories, site visitors weren't allowed to change any and you got errors when the scripts couldn't update the data.

The correct error log, the one for the site, should indicate which files and directories the scripts are trying to change. Check those for reasonableness and chmod those files 666 or those directories 777.
By "check for reasonableness" I mean for example scripts, especially customer facing scripts, shouldn't be adding and removing files from your document root. If they are doing that, the script should be corrected to use it's own dedicated data directory.

Suphp and suexec are for when you are more afraid of the other customers hosted on your server than you are of the crackers who will find your site on the web.

raymor · 09-22-2011, 11:00 PM

let me back up my comments about security with quotes from the suexec and suphp documentation:

The suexec documentation opens by saying:

Quote:

it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.

So the creators of suExec highly recommend that you not even consider using it if you aren't familiar with managing the security issues of setuid root.
In other words, if you don't know what setuid root means and the dangers involved, you shouldn't even consider using suExec. That from the authors of the program.

suPHP is essentially the same thing as suExec, but slightly more recklessly coded and documented. The suPHP author does however acknowledge:

Quote:

a security bug in suPHP probably will allow atackers to run commands with root privileges

V_RocKs · 09-23-2011, 01:47 PM

I second Raymor on this one...

My old host INSISTED on suPHP and its benefits for security... It caused some 1K a day blogs on the server to bog down the server and the host blamed Wordpress for this... Changed to my current host and I went from 3.x load to .01x load on that box... then loaded the box with about 300 more blogs since it could handle them ;)

BestXXXPorn · 09-23-2011, 02:03 PM

nginx, php-cgi, *cough*

EukerVoorn · 09-24-2011, 06:46 AM

Cooldude, if you can't sort it out, find a sys admin on www.freelancer.com - there's plenty of people there who can fix this problem in 10 minutes for you, for $25.

Radik · 09-24-2011, 11:42 PM

dump apache it's bloated; lighttpd with spawn-fcgi. all your problems go away.

09-22-2011, 01:01 PM	#1
cooldude7 Confirmed User Industry Role: Join Date: Nov 2009 Location: Heaven Posts: 4,306	Apache issue, help needed. Hi, all., i have a server setup using php as Server API - CGI but i want to switch it to Server API -Apache 2.0 Handler cause my new script specifically requires "Server API -Apache 2.0 Handler" and curently server has running few nubiles tube scripts sites., so i am worried what if change my php from cgi to apache , and my sites get fucked up. so is there any other option ? without fucking my already running sites. thanks for your time., have agr8 day ahead., Last edited by cooldude7; 09-22-2011 at 01:07 PM..

09-22-2011, 01:04 PM	#2
tical Confirmed User Join Date: Feb 2002 Location: Las Vegas Posts: 6,504	making the change shouldn't cause any problems... but just in case save a backup of your httpd.conf file so that you can quickly go back to the original config if anything breaks __________________ 112.020.756

09-22-2011, 10:54 PM	#7
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	The following assumes that you have a dedicated server. On a shared server, there are concerns addressed by running PHP as a CGI using suphp. Personally I think those concerns are greatly outweighed by what I'm about to explain, but on a shared server it's at least arguable. Assuming this is a dedicated server: mod_php is the way to go. Do not run PHP as a CGI. There is no benefit to doing so on a dedicated server, only problems. The error messages you saw were most likely revealing problems previously hidden by a gigantic security whole from running suphp as yourself, your user name. The error log you posted was the main server log with some probably inconsequential stuff regarding your SSL cert. The log you want to check is the log specific to that site, tailing it as you hit the pages with errors. You'll see permissions errors. Here's what was going on, in all likelihood. Running suphp, you basically said permissions (chmod) don't matter. Any visitor to the site was allowed to change or delete any file they want. Since all of the PHP ran as your FTP user, any script, yours or the hackers, was allowed to do anything you can do via FTP. You saw no permission problems because there were effectively no permission controls. "Hey you're visiting this site, I guess you're allowed to change it any way you want." By (correctly) running PHP using the module, permissions are enforced. The scripts can only change the files you say they can change using chmod 666 and can only create new files within the directories you specify by chmodding those data directories 777. Since you didn't set any specific data files or directories, site visitors weren't allowed to change any and you got errors when the scripts couldn't update the data. The correct error log, the one for the site, should indicate which files and directories the scripts are trying to change. Check those for reasonableness and chmod those files 666 or those directories 777. By "check for reasonableness" I mean for example scripts, especially customer facing scripts, shouldn't be adding and removing files from your document root. If they are doing that, the script should be corrected to use it's own dedicated data directory. Suphp and suexec are for when you are more afraid of the other customers hosted on your server than you are of the crackers who will find your site on the web. __________________ For historical display only. This information is not current: support@bettercgi.com ICQ 7208627 Strongbox - The next generation in site security Throttlebox - The next generation in bandwidth control Clonebox - Backup and disaster recovery on steroids

09-23-2011, 02:03 PM	#10
BestXXXPorn Confirmed User Join Date: Jun 2009 Location: Asheville, NC Posts: 2,277	nginx, php-cgi, cough __________________ ICQ: 258-202-811 \| Email: eric{at}bestxxxporn.com

09-24-2011, 11:42 PM	#12
Radik Confirmed User Join Date: Sep 2003 Location: Vancouver ICQ: 3588423 Posts: 808	dump apache it's bloated; lighttpd with spawn-fcgi. all your problems go away. __________________ 100% Exclusive, Check Us Out!

09-22-2011, 08:59 PM	#4
cooldude7 Confirmed User Industry Role: Join Date: Nov 2009 Location: Heaven Posts: 4,306	bump for more.

09-23-2011, 01:47 PM	#9
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,391	I second Raymor on this one... My old host INSISTED on suPHP and its benefits for security... It caused some 1K a day blogs on the server to bog down the server and the host blamed Wordpress for this... Changed to my current host and I went from 3.x load to .01x load on that box... then loaded the box with about 300 more blogs since it could handle them ;)

09-24-2011, 06:46 AM	#11
EukerVoorn So Fucking Banned Industry Role: Join Date: Aug 2011 Location: Les Alpes, France Posts: 1,423	Cooldude, if you can't sort it out, find a sys admin on www.freelancer.com - there's plenty of people there who can fix this problem in 10 minutes for you, for $25.