The Linux Blog UNIX, LINUX, BSD, OSX

10 Mar 2009

How to install Xcache module for Apache

XCache is a fast, stable PHP opcode cacher that has been tested and is now running on production servers under high load. It is tested (on Linux) and supported on all of the latest PHP CVS branches such as PHP_4_3, PHP_4_4, PHP_5_0, PHP_5_1, PHP_5_2 and HEAD (6.x). ThreadSafe/Windows is also supported. It overcomes many of the problems found in other competing opcode caches, such as not being usable with new PHP versions. See Introduction for more information.

You don't have to check the following list yourself; the configure script will do it for you, unless you have a problem with configure/make.

Check version with cli

$ php-cgi -v
PHP 4.4.3-dev (cgi-fcgi) (built: Mar 10 2006 18:46:02)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies

or set up a file with:

Check version with phpinfo

<?php
phpinfo();
?>

and request it from your browser.

* Get PHP working with the web server without XCache first!
* Common build tools: C compiler, make, libtool (required by the PHP build environment).
* PHP build environment installed. If you've installed PHP yourself, make sure you have run "make install". Some OS distros provide a "php-devel" package. Check it with:

Check phpize

$ which phpize
/usr/local/bin/phpize
(or)
/usr/bin/phpize

Your output may vary from this, depending on your installation of PHP. If it's not found, you will have to locate it yourself.

* m4
* indent (optional)

Building:

~ $ cd ~/src/xcache
~/src/xcache $ ls
(your XCache source is here)

~/src/xcache $ phpize
(generating configure .... every time you upgrade PHP, or update to a new XCache, you have to run phpize again)

(it is suggested to build outside of the source directory, so make a build directory first and enter it)
~/src/xcache $ mkdir ../xcache-build
~/src/xcache $ cd ../xcache-build
~/src/xcache-build $ ../xcache/configure --help
......
--enable-xcache         Include XCACHE support.
--enable-xcache-optimizer       XCACHE: (N/A)
--enable-xcache-coverager       XCACHE: Enable code coverage dumper
--enable-xcache-assembler       XCACHE: (N/A)
--enable-xcache-disassembler    XCACHE: Enable opcode to php variable dumper
--enable-xcache-encoder         XCACHE: (N/A)
--enable-xcache-decoder         XCACHE: (N/A)
--enable-xcache-test            XCACHE: Enable self test - FOR DEVELOPERS ONLY!!
......

(run configure with options you selected now)
~/src/xcache-build $ ../xcache/configure --enable-xcache --enable-xcache-coverager
(lots of output here; if you have a problem, read the error message twice)
(and search inside config.log, and check the pre-requirements on this page above)

~/src/xcache-build $ make
(lots of output here again; check whether it succeeded or errored out.)

NOTE: It's always better not to enable unnecessary modules on a production server. Play with them locally.

WARNING: If you're using something like /opt/php/bin/phpize which isn't the first one found in $PATH, remember to run configure with --with-php-config=/opt/php/bin/php-config, pointing at exactly the same directory as phpize.

Special path

~/src/xcache-build $ PATH="/opt/php/bin/:$PATH" ../xcache/configure \
--with-php-config=/opt/php/bin/php-config \
--enable-xcache \
--enable-xcache-coverager
(line is broken up for readability)
~/src/xcache-build $ make

Installing

~/src/xcache-build $ su
Password:
(enter your root password here. Whenever you see a red # in a code listing in this wiki, it means you need to be root to do that)

~/src/xcache-build # make install
(lots of output here; you can see where the XCache extension is installed, so remember the extension path)

You have to modify php.ini to enable XCache in your PHP!

7 Mar 2009

Red Hat / CentOS: Chroot Apache 2 Web Server

A chroot on Red Hat / CentOS / Fedora Linux changes the apparent disk root directory for the Apache process and its children. Once this is done, an attacker or other PHP / Perl / Python scripts cannot access or name files outside that directory. This is called a "chroot jail" for Apache. You should never run a web server without a jail: there should be privilege separation between the web server and the rest of the system.

In this exclusive series, you will learn more about:

  • Securing an Apache 2 web server under Red Hat Enterprise Linux / CentOS Linux using mod_chroot
  • Virtual hosting configuration under chrooted jail.
  • Troubleshooting Chrooted Apache jail problem.

Requirements

  1. Server: Apache 2 Web server.
  2. Jail directory: /httpdjail.
  3. User / Group: apache / apache (never ever run chroot using root user).
  4. Virtual domain directory for all domain inside jail: /home/httpd.
  5. PHP is configured via default mod_php.
  6. Instructions are tested under CentOS / RHEL 5.x.

More about Jail directory: /httpdjail

Create a jail directory as follows:
# J=/httpdjail
# mkdir $J

  1. Do not create /dev directory inside your jail.
  2. Do not create special device files inside jail.
  3. Do not copy shell or any other single executable files inside your jail.
  4. Do not run httpd or php / perl / python as root user.
  5. If possible, mount $J from a separate partition with the nosuid, nodev and noexec options. This improves security, as users will not be able to run suid programs or use device files inside the jail.

Install Apache, PHP and MySQL

Install required packages using yum command, enter:
# yum install mysql mysql-server httpd php-mysql php-pear php-xml php-mysql php-cli php-imap php-gd php-pdo php-devel php-mbstring php-common php-ldap php httpd-devel
Now, create required directories inside your jail:
# mkdir -p $J/var/run
# chown -R root.root $J/var/run
# mkdir -p $J/home/httpd
# mkdir -p $J/var/www/html
# mkdir -p $J/tmp
# chmod 1777 $J/tmp
# mkdir -p $J/var/lib/php/session
# chown root.apache $J/var/lib/php/session

  1. $J/var/run will store PID and other files.
  2. $J/var/lib/php/session PHP session file path (configured in php.ini).
  3. $J/tmp - Used by many scripts and cms software to upload files.

Install mod_chroot

mod_chroot makes running Apache in a secure chroot environment easy. You don't need to create a special directory hierarchy containing /dev, /lib, /etc; mod_chroot allows you to run Apache in a chroot jail with no additional files. The chroot() system call is performed at the end of the startup procedure, when all libraries are loaded and log files are open. Download mod_chroot using the wget command:
# cd /opt/
# wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz

Untar it:
# tar -zxvf mod_chroot-0.5.tar.gz
Compile and install mod_chroot using apxs, enter:
# cd mod_chroot-0.5
# apxs -cia mod_chroot.c

Configure Apache mod_chroot

Open /etc/httpd/conf/httpd.conf file, type:
# C=/etc/httpd/conf/httpd.conf
# vi $C

Set the PidFile path in which the server records its process identification number when it starts. Find the line that reads as follows:

PidFile run/httpd.pid

Replace with:

PidFile /var/run/httpd.pid

Next add ChrootDir directive, enter:

ChrootDir /httpdjail

Find the line that reads as follows:

ServerRoot "/etc/httpd"

Append following lines:

LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard

Make sure the mod_chroot.so LoadModule line exists. For example, 64-bit Linux should have a line as follows:

LoadModule chroot_module      /usr/lib64/httpd/modules/mod_chroot.so

32-bit Linux config line:

LoadModule chroot_module      /usr/lib/httpd/modules/mod_chroot.so

Save and close the file.

Disable SELinux for Apache

You need to disable SELinux for Apache, enter:
# setsebool httpd_disable_trans 1
See article "disabling SELinux for only Apache / httpd in Linux" for further details.

Patch up /etc/init.d/httpd

Open /etc/init.d/httpd file, enter:
# vi /etc/init.d/httpd
Find the line that reads as follows:

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

Add the following line (set ROOT to $J):

ROOT=/httpdjail

Find stop(), which reads as follows:

stop() {
        echo -n $"Stopping $prog: "
        killproc -d 10 $httpd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

Replace it as follows (you need to link /var/run/httpd.pid to $J/var/run/httpd.pid so that the stop operation works):

stop() {
        /bin/ln -s $ROOT/var/run/httpd.pid /var/run/httpd.pid
        echo -n $"Stopping $prog: "
        killproc -d 10 $httpd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}

Save and close the file. Set the immutable attribute on /etc/init.d/httpd so that the file cannot be modified, updated by yum, deleted or renamed, no link can be created to it and no data can be written to it. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute:
# chattr +i /etc/init.d/httpd

How do I start chrooted httpd?

Type the following command:
# /etc/init.d/httpd start
You should not see any errors in the /var/log/httpd/error_log file:

[Sun Dec 21 18:43:09 2008] [notice] core dump file size limit raised to 18446744073709551615 bytes
[Sun Dec 21 18:43:09 2008] [notice] SELinux policy enabled; httpd running as context root:system_r:initrc_t
[Sun Dec 21 18:43:09 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Dec 21 18:43:09 2008] [notice] Digest: generating secret for digest authentication ...
[Sun Dec 21 18:43:09 2008] [notice] Digest: done
[Sun Dec 21 18:43:10 2008] [notice] mod_chroot: changed root to /httpdjail.
[Sun Dec 21 18:43:10 2008] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations

How do I stop chrooted httpd?

# /etc/init.d/httpd stop

How do I restart chrooted httpd?

# /etc/init.d/httpd restart
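The jail rules listed under "More about Jail directory" and the error_log check above can be verified mechanically. The following audit script is an added example, not part of the original article: audit_jail checks the jail layout against those rules, mount_opts_ok checks a /proc/mounts line for the nosuid/nodev/noexec options, and chroot_confirmed looks for the mod_chroot notice in error_log. It assumes GNU find and stat (CentOS / RHEL), and the jail path /httpdjail is only a default.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache chroot jail.
# Usage: audit_jail /httpdjail; mount_opts_ok "$(grep ' /httpdjail ' /proc/mounts)";
#        chroot_confirmed /var/log/httpd/error_log /httpdjail

# Return 0 if the jail layout matches the article's rules, otherwise print
# each violation and return 1.
audit_jail() {
    jail=$1
    rc=0
    [ -d "$jail" ] || { echo "FAIL: jail dir $jail missing"; return 1; }
    # Rules 1 and 2: no /dev directory and no device nodes anywhere in the jail.
    [ -e "$jail/dev" ] && { echo "FAIL: $jail/dev exists"; rc=1; }
    if find "$jail" \( -type b -o -type c \) -print | grep -q .; then
        echo "FAIL: device node inside jail"; rc=1
    fi
    # Rule 3: no executable regular files (shells, interpreters) in the jail.
    if find "$jail" -type f -perm -u+x -print | grep -q .; then
        echo "FAIL: executable file inside jail"; rc=1
    fi
    # Directories the article creates; $J/tmp must be sticky + world-writable.
    for d in var/run home/httpd var/www/html tmp var/lib/php/session; do
        [ -d "$jail/$d" ] || { echo "FAIL: $jail/$d missing"; rc=1; }
    done
    [ "$(stat -c %a "$jail/tmp" 2>/dev/null)" = "1777" ] \
        || { echo "FAIL: $jail/tmp is not mode 1777"; rc=1; }
    return $rc
}

# Rule 5: return 0 if a /proc/mounts line carries nosuid, nodev and noexec.
mount_opts_ok() {
    opts=$(echo "$1" | awk '{print $4}')
    for o in nosuid nodev noexec; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "FAIL: mount option $o missing"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if error_log ($1) records mod_chroot changing root to the jail ($2).
chroot_confirmed() {
    grep -qF "mod_chroot: changed root to $2." "$1"
}
```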

Author:  VIVEK GITE via Cyberciti