PHP Implementation

“The act of contemplation then creates the thing created.” — Isaac D’Israeli

My last post, “An Apache Implementation,” went through the steps of setting up a secure web server. The posting ended with the server having no CGI capabilities. While this might be secure, the usefulness is somewhat limited. In the next few posts we are going to install PHP three different ways: first as an Apache module, second as a CGI, and finally over FastCGI. Paul Hudson, author of PHP in a Nutshell, maintains a wiki, “Practical PHP Programming.” Like his book, the site is a fantastic source of information. Paul has a section titled “PHP as a CGI or a module?” where he outlines the advantages and disadvantages of both approaches:

Running PHP as a CGI means that you basically tell your web server the location of the PHP executable file, and the server runs that executable, giving it the script you called, each time you visit a page. That means each time you load a page, PHP needs to read php.ini and set its settings, it needs to load all its extensions, and then it needs to start work parsing the script – there is a lot of repeated work.

When you run PHP as a module, PHP literally sits inside your web server – it starts only once, loads its settings and extensions only once, and can also store information across sessions. For example, PHP accelerators rely on PHP being able to save cached data across requests, which is impossible using the CGI version.

The obvious advantage of using PHP as a module is speed – you will see a big speed boost if you convert from CGI to a module. Many people, particularly Windows users, do not realise this, and carry on using the php.exe CGI SAPI, which is a shame – the module is usually three to five times faster.

There is one key advantage to using the CGI version, though, and that is that PHP reads its settings every time you load a page. With PHP running as a module, any changes you make in the php.ini file do not kick in until you restart your web server, which makes the CGI version preferable if you are testing a lot of new settings and want to see instant responses.

One other advantage of running PHP as a CGI is that you can do so with an execution wrapper. PHP as a module will perform all operations as the Apache user. The choice is between speed and privilege separation. Running PHP over FastCGI will add speed while keeping privilege separation.

Sources of Information

There are many great sources of information on PHP. There are even sites dedicated to trying to list them. Below are just a few sources that proved most helpful when setting up PHP.

Hardened-PHP

Additional security for PHP can be found through the Hardened-PHP project. The project was “founded to protect PHP users and servers against present and future security holes. Therefor we can help you to protect your application and/or your server.” Of particular interest is the project’s development of Suhosin. Suhosin is “an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.” Please see the “Feature List” page for a listing of all the additional functionality/protection Suhosin adds to PHP. We are not going to be installing Suhosin today because the latest version of Suhosin is only for PHP 5.1.6. Because of the bug and security fixes, we will be installing PHP 5.2.5.

Installing PHP

Most operating systems have PHP already installed. This post is going to demonstrate three different ways PHP can be installed on a Linux or Mac OS X system.

Download PHP

The first step is to download the latest source code for PHP.

 root# cd /usr/local/src
 /usr/local/src root# wget http://us.php.net/get/php-5.2.5.tar.gz/from/www.php.net/mirror

At this point, check the integrity of the download. Calculate the MD5 sum of the source and compare it to the signature file. Mac OS X users, please note: use the command /sbin/md5 instead of md5sum.

 /usr/local/src root# md5sum php-5.2.5.tar.gz
61a0e1661b70760acc77bc4841900b7a  php-5.2.5.tar.gz

Uncompress and untar the sources.

 /usr/local/src root# tar xzf php-5.2.5.tar.gz
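The check and unpack steps above can be combined so that the tarball is only extracted when the checksum matches. This is an added example, not a script from the original post; the function names `file_md5`, `verify_md5` and `verify_and_extract` are illustrative.

```shell
#!/bin/sh
# Added example: verify a source tarball's MD5 before unpacking it.
# Function names are illustrative, not from the original post.

# Print the lowercase hex MD5 of a file, using md5sum on Linux
# or /sbin/md5 on Mac OS X.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    elif [ -x /sbin/md5 ]; then
        /sbin/md5 -q "$1"
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# Return 0 only if the file exists and its MD5 equals the expected value.
# The expected value is lowercased so the comparison is case-insensitive.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(file_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual, expected $expected)" >&2
        return 1
    fi
}

# Unpack into the given directory (default: current one), but only
# after the checksum matches.
verify_and_extract() {
    verify_md5 "$1" "$2" && tar xzf "$1" -C "${3:-.}"
}

# Usage with the values from this post:
#   cd /usr/local/src
#   verify_and_extract php-5.2.5.tar.gz 61a0e1661b70760acc77bc4841900b7a
```

The expected value has to come from a source other than the mirror that served the tarball; otherwise the comparison only detects transfer corruption.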

Final Words

In the next post, we will examine configuring PHP as a module.
