Patching mod_fastcgi to support chroot setting under Ubuntu 12.04

When running PHP through PHP-FPM, you have the option to chroot the FastCGI PHP server. Unfortunately, Apache is not aware of the chroot and therefore passes the wrong script path to the server.

This patch is supposed to help with that: http://orfika.net/src/mod_fastcgi-chroot-patch/

Below are the steps I ran to apply this patch to my server. First, remove the installed mod_fastcgi package:

apt-get purge libapache2-mod-fastcgi

You will also need some additional packages to build from source:

apt-get install build-essential dpkg-dev debhelper cdbs apache2-prefork-dev dpatch libapr1-dev pkg-config

Do not use "apt-get build-dep libapache2-mod-fastcgi" if you use the prefork MPM, because it will try to install the threaded MPM and remove the prefork one, which might stop your sites from working.

Now download the package source code and the patch from the link above, and apply the patch to the source. Once this is done, build a .deb package and install it with dpkg as usual.

apt-get source libapache2-mod-fastcgi
cd libapache-mod-fastcgi-2.4.7~0910052141
wget http://orfika.net/src/mod_fastcgi-chroot-patch/mod_fastcgi-2.4.6-chroot-patch-rev3-20120131.patch
patch -p1 --dry-run < mod_fastcgi-2.4.6-chroot-patch-rev3-20120131.patch
patch -p1 < mod_fastcgi-2.4.6-chroot-patch-rev3-20120131.patch
dpkg-buildpackage -rfakeroot -uc -b
cd ..
dpkg -i libapache2-mod-fastcgi_2.4.7~0910052141-1_amd64.deb

Obviously, adjust paths to the latest versions of the patch and packages. If there are any dependency errors during the package build step, just "apt-get" the missing packages manually and try again.

At this point the new mod_fastcgi should be installed. You can use the -chroot parameter to specify the path prefix for scripts based on where the FPM process was chrooted. My sample configuration is below:

Virtual Host config:

<VirtualHost *:80>
        ServerAdmin admin@domain.com
        ServerName domain.com
        ServerAlias www.domain.com
        DocumentRoot /home/www/web/domain.com
 
        Action php5-fcgi /php
        Alias /php /home/www/php
        FastCgiExternalServer /home/www/php -chroot /web/domain.com -host 127.0.0.1:9000
 
        <Directory /home/www/web/domain.com/>
                <Files *.php>
                        SetHandler php5-fcgi
                </Files>
 
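                # Every option carries an explicit +/-; Apache does not accept signed and unsigned options mixed in one list
                Options -Indexes +MultiViews +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch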
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>
 
        ErrorLog ${APACHE_LOG_DIR}/domain.com-error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/domain.com-access.log combined
</VirtualHost>

FPM Pool config:

[www]
prefix = /home/$pool
user = $pool
group = $pool
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 2
pm.max_spare_servers = 8
chroot = /home/www

Now, there are a few caveats:

First: any PHP code using the date() function will throw a fatal error:

"PHP Fatal error:  strtotime(): Timezone database is corrupt - this should *never* happen!"

This happens because the PHP process is chrooted and cannot access /usr/share/zoneinfo/. Just copy this folder into the chroot. In my example it was:

cd /home/www
sudo -u www mkdir -p usr/share
cd usr/share
cp -avr /usr/share/zoneinfo ./

Second: In my particular case I had to rewrite different environment variables. The patch above rewrites SCRIPT_FILENAME based on the chroot setting and the SCRIPT_URL variable. In my setup I had to rewrite PATH_TRANSLATED based on PATH_INFO. I am running an Ubuntu 12.04 server with the packaged Apache 2.2 pre-fork MPM and PHP 5.3.10, so this likely applies to all Ubuntu-based LAMP installs. You can get the patch I actually used on my copy of libapache2-mod-fastcgi at https://github.com/hippich/mod_fastcgi_chroot_patch . I would say: try the original patch first, and if it does not work, try mine. If that does not work either, get strace and see what is being passed to the FPM worker script. The answer to the problem will likely be there.

More details about this patch's settings can be found on the patch's homepage: http://orfika.net/src/mod_fastcgi-chroot-patch/
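
A preflight check for the layout described above, as an added example that is not part of the original post or of either patch. The function names are hypothetical, and it assumes, as in the sample configuration, that the -chroot value is the DocumentRoot as seen from inside the FPM chroot.

```shell
#!/bin/sh
# Added example: sanity checks for an Apache + chrooted PHP-FPM layout.
# Function names are hypothetical; demo paths are the post's sample values.

# Print DOCROOT as the chrooted worker sees it (candidate -chroot value).
# Rejects ".." because /home/www/../etc would pass a textual prefix match
# while actually pointing outside the chroot.
chroot_prefix() {
    jail=${1%/}
    docroot=${2%/}
    case "/$jail/$docroot/" in
        */../*) echo "refusing path with '..': $1 $2" >&2; return 2 ;;
    esac
    case "$docroot" in
        "$jail")   printf '/\n' ;;
        "$jail"/*) printf '%s\n' "${docroot#"$jail"}" ;;
        *) echo "$2 is outside chroot $1" >&2; return 1 ;;
    esac
}

# Path the worker should receive in SCRIPT_FILENAME: prefix + URL path.
script_filename() {
    prefix=${1%/}
    printf '%s/%s\n' "$prefix" "${2#/}"
}

# Print each host path (e.g. /usr/share/zoneinfo) that exists on the host
# but has no copy inside the chroot, so the worker cannot see it.
missing_in_chroot() {
    jail=${1%/}
    shift
    for p in "$@"; do
        if [ -e "$p" ] && [ ! -e "$jail$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Demo with the post's sample layout.
demo=$(chroot_prefix /home/www /home/www/web/domain.com)
echo "-chroot $demo"
echo "SCRIPT_FILENAME=$(script_filename "$demo" /index.php)"
missing_in_chroot /home/www /usr/share/zoneinfo
```

Any path printed by the last call still needs to be copied into the chroot before PHP code that depends on it will work.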
