Score:1

Apache 2.4 VHosts with FastCGI and suexec-custom


I have set up Apache 2.4 with suexec-custom on my local Ubuntu 22.04 machine. In fact, this setup had been working from Ubuntu 16 up to this update to 22.04. I only loaded some modules, reloaded some others, and suexec was working fine for a test site, say /home/test. After the update I typed some commands:

sudo apt-get update
sudo apt install libapache2-mod-fcgid
sudo apt-get -y install apache2-suexec-custom
# remove or disable libapache2-mod-php
sudo apt-get remove libapache2-mod-php
# or
# sudo a2dismod php*
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo systemctl restart apache2

and presto, typing localhost/my/test/file gave me all the results I expected! I even tested:

<?php
// index.php

echo '<b>';
echo php_sapi_name();
echo '</b><br>';
printf("%s<br>", 'parent of DOCUMENT_ROOT=<b>'.\dirname($_SERVER['DOCUMENT_ROOT']).'</b>');
printf("%s<br>", 'DOCUMENT_ROOT=<b>'.$_SERVER['DOCUMENT_ROOT'].'</b>');
printf("%s", 'User=<b>');
system('whoami');
echo '</b>';

/**
 * A front controller redirector.
 */
// ...bla-bla

phpinfo();

The expected result was there:

cgi-fcgi
parent of DOCUMENT_ROOT=/home/test
DOCUMENT_ROOT=/home/test/public_html/
User=test*
PHP Version 8.1.2-1ubuntu2.10
Linux cent 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023
x86_64
Build Date
Jan 16 2023 15:19:49
Build System
Linux
Server API
CGI/FastCGI
Virtual Directory Support
disabled
Configuration File (php.ini) Path
/etc/php/8.1/cgi
Loaded Configuration File
/home/suexec/test/conf/php.ini
Scan this dir for additional .ini files /etc/php/8.1/cgi/conf.d
........

I'm not going to describe the details of how I set up suexec-custom:

/home/suexec/test/cgi-bin/php-fcgi-wrapper
/home/suexec/test/conf/php.ini
/home/test/public_html
/home/test/...<program dirs & files>

The only thing I have to say is that when I started making some modifications to my /etc/hosts I lost my suexec: 404 The requested URL was not found on this server. My previous hosts file:

127.0.0.1    localhost
127.0.0.1    localhost.test   localhost.test
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouter

which does not work anymore, I wonder why (?????). Everything is there though!

Before the upgrades, and for development reasons, I had successfully changed the owner of the test dir (sudo chown -R cent:cent /home/test) along with the vhost file:

#000-default.conf
<VirtualHost *:80>
  ServerName localhost
  ServerAlias localhost
  ServerAdmin [email protected]
  DocumentRoot /home/test/
  Header set Access-Control-Allow-Origin "*"

<IfModule mod_fcgid.c>
  SuexecUserGroup cent cent
  <Directory /home/test/>
    Options +ExecCGI
    Options -Indexes
    AllowOverride None
    AddHandler fcgid-script .php
    FCGIWrapper /home/suexec/test/cgi-bin/php-fcgi-wrapper .php
    Require all granted
    RewriteEngine On
    RewriteCond "%{REQUEST_URI}" "!=/index.php"
    RewriteRule "^(.*)$" "/index.php?$1" [NC,NE,L,QSA]
  </Directory>
</IfModule>

  # CPU usage limits 5s 10s
  RLimitCPU 5 10
  # memory limits to 10M 20M
  RLimitMEM 10000000 20000000 
  # limit of forked processes 20 30
  RLimitNPROC 20 30 

  LogLevel warn
  ErrorLogFormat connection "[%t] New connection: [%{c}L] [ip: %a]"
  ErrorLogFormat request "[%t] [%{c}L] New request: [%L] [pid %P] %F: %E"
  ErrorLogFormat "[%t] [%{c}L] [%L] [%l] [pid %P] %F: %E: %M"
  ErrorLog /home/test/log/apache_error.log
  CustomLog /home/test/log/apache_access.log combined
  ServerSignature Off

</VirtualHost>

That used to be solid.

Now about what broke it: I made a change to the hosts file:

127.0.0.1 test test localhost

What made it work temporarily:

With a broken suexec I decided to revert my owner:

 sudo chown -R test:test /home/test
# also at vhost file: SuexecUserGroup test test

and there it is, but at a different URL (!!!): test/my/test/file

I decided to play with hosts again and bam: 404

Luckily I recorded a message at /var/log/apache2/:

[Tue Feb 14 10:52:04.708251 2023] [mpm_event:notice] [pid 6335:tid 140549831124864] AH00493: SIGUSR1 received.  Doing graceful restart
[Tue Feb 14 10:52:04.819895 2023] [mpm_event:notice] [pid 6335:tid 140549831124864] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 configured -- resuming normal operations
[Tue Feb 14 10:52:04.819953 2023] [core:notice] [pid 6335:tid 140549831124864] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 14 10:52:04.819995 2023] [mpm_event:warn] [pid 6335:tid 140549831124864] AH00488: long lost child came home! (pid 7645)
suexec policy violation: see suexec log for more details

/var/log/suexec.log:

[2023-02-14 10:52:10]: uid: (1000/cent) gid: (1000/cent) cmd: php-fcgi-wrapper
[2023-02-14 10:52:10]: cannot open current working directory

I can't revert suexec back to normal anymore. Should I use a vhost file like test.conf or 000-default.conf? Do we need a default file anyway?

Do you see errors in my configurations? Should I kick off the pid connected to suexec and make Apache re-create one? I'm puzzled!

PS: I also plan to test FPM with user rights that means different vhost files - if you know how to do it I can skip suexec altogether!

centurian
I ran a test with the same suexec configuration on my system, but with a different user and a similar vhost file - but with "ServerName localhost" - and with an entry in hosts: "127.0.0.1 myuser myuser localhost", and it worked! ... wait, my "test" user also works!! If anyone knows how to trace this system's behavior please let me know! Do we have any debug utility for Apache modules? I'll try that in the vhost file using the "LogLevel" directive....
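A pre-flight check for the wrapper that suexec is asked to run, added here as an example and not part of the original post. It follows the ownership and permission conditions listed in the Apache suEXEC documentation; the function name and result codes are hypothetical, and the directory-access test is a simplification assumed to correspond to the "cannot open current working directory" log line.

```python
import os
import stat

def suexec_violations(wrapper, uid, gid):
    """List reasons suexec would refuse to run `wrapper` as uid:gid
    (the SuexecUserGroup pair). Result codes are made up for this example."""
    cwd = os.path.dirname(os.path.abspath(wrapper))
    try:
        d = os.lstat(cwd)
        p = os.lstat(wrapper)
    except OSError:
        return ["cannot-stat"]
    found = []
    # Pick the permission triplet that applies to the target user on the
    # wrapper's directory. Simplification: ignores supplementary groups, ACLs
    # and parent directories.
    shift = 6 if d.st_uid == uid else 3 if d.st_gid == gid else 0
    if (d.st_mode >> shift) & 0o5 != 0o5:
        found.append("dir-not-accessible")  # target user cannot read/enter it
    if d.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("dir-writable")        # writable by group or others
    if stat.S_ISLNK(p.st_mode):
        found.append("program-is-symlink")
    if p.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("program-writable")
    if p.st_mode & (stat.S_ISUID | stat.S_ISGID):
        found.append("program-setid")
    # Directory and program must both belong to the target user and group.
    if (uid, gid) != (d.st_uid, d.st_gid) or (uid, gid) != (p.st_uid, p.st_gid):
        found.append("owner-mismatch")
    return found

if __name__ == "__main__":
    # e.g. check.py /home/suexec/test/cgi-bin/php-fcgi-wrapper cent
    import pwd
    import sys
    pw = pwd.getpwnam(sys.argv[2])
    print(suexec_violations(sys.argv[1], pw.pw_uid, pw.pw_gid) or "no violations found")
```

Run it with the wrapper path and the user named in SuexecUserGroup after every chown or vhost change.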
Score:0

What solved my problems:

sudo apt-get purge apache2
sudo apt-get purge suexec-custom
sudo apt-get purge libapache2-mod-php

then install from start!

sudo apache2ctl configtest
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

to suppress that error open /etc/hosts and add:

# set FQDN from hostname: 
# ip       FQDN      alias
127.0.1.1   cent.machine.com    cent

the format is: [hostname].whatever.you.want [hostname]

then open or create /etc/hostname

cent

the format is [hostname]

About /etc/apache2/sites-enabled/000-default.conf leave it as it is:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

For vhosts under suexec-custom scheme

Your options are based on how many test sites you want:

  • one site with test url localhost/my/path or,

  • many sites with test url my-local-url.localhost/my/path?

One site with test url localhost/my/path

You have to enter in hosts:

# that existed:
127.0.0.1 localhost
# that was added:
127.0.0.1 my-local-url my-local-url   localhost

(you lose the ability of multiple local test domains).

Write directive ServerName inside vhost with the localhost url:

ServerName localhost
ServerAlias localhost

Many sites with test url my-local-url.localhost/my/path

In the last case, of multiple local domains, writing inside /etc/hosts

127.0.0.1 my-local-url

is indifferent!

Write directive ServerName inside vhost with url the name of the root folder of your site plus localhost:

ServerName my-local-url.localhost
ServerAlias my-local-url.localhost

Remember: my-local-url = root folder name or home of web user

Test by typing:

my-local-url.localhost/my/path

What I did wrong:

  1. I loaded the 000-default.conf file, where I had added the contents of my vhost file(!) with ServerName: localhost, so I thought Apache was resolving to my vhost file whereas it used the default with the correct directive ServerName!

  2. I added wrong entries to /etc/hosts in the form localhost.my-local-url, which is easy to debug with a simple(!) ping my-local-url, and repeated them in my vhost file under the directive ServerName(!) - of course Apache never reached that file, and finally,

  3. My directive DocumentRoot /home/test was incompatible with my browser URL.

The last case is truly interesting with these alternatives:

  • leave DocumentRoot at user root and search for a url of localhost/public_html/index.php because there exists the php file or,

  • leave DocumentRoot at user root, modify RewriteRule "^(.*)" "/public_html/index.php?$1" [NC,NE,L,PT,QSA] and search for localhost/index.php (preferable!) or,

  • modify DocumentRoot /home/test/public_html (the web root), leave RewriteRule as it is and search for localhost/index.php (but you can't add more rules that can pass the handling of media to Apache if that media exists in a directory higher!)

In place of conclusion

Debug Apache vhost file by following some steps:

  • Enable LogLevel debug,

  • Disable most vhosts directives to debug especially rewrites

  • Enable directives one-by-one and check for errors.

Hope that helps someone!

If you know a way to debug Apache it would be very helpful!
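How Apache picks a name-based virtual host for a request, as an added example that is not part of the original answer: the Host header is compared with each vhost's ServerName and ServerAlias in load order, and the first vhost for the address serves anything that matches none. The file contents below are constructed, and all vhosts are assumed to listen on the same *:80 address.

```python
import fnmatch
import re

# Constructed sample: sites-enabled files in the order Apache reads them
# (alphabetical), reproducing the ServerName clash described in the answer.
SITES = [
    ("000-default.conf", """<VirtualHost *:80>
  ServerName localhost
  ServerAlias localhost
  DocumentRoot /home/test/
</VirtualHost>"""),
    ("my-local-url.conf", """<VirtualHost *:80>
  ServerName my-local-url.localhost
  ServerAlias *.my-local-url.localhost
  DocumentRoot /home/my-local-url/public_html
</VirtualHost>"""),
    ("test.conf", """<VirtualHost *:80>
  ServerName localhost
  DocumentRoot /home/test/public_html
</VirtualHost>"""),
]

def parse_vhosts(sites):
    """Return one dict per <VirtualHost> block, in load order."""
    vhosts = []
    for fname, text in sites:
        for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S | re.I):
            vh = {"file": fname, "name": None, "aliases": [], "docroot": None}
            for parts in (line.split() for line in body.splitlines()):
                if not parts or parts[0].startswith("#"):
                    continue
                key = parts[0].lower()
                if key == "servername":
                    vh["name"] = parts[1].lower()
                elif key == "serveralias":
                    vh["aliases"] += [a.lower() for a in parts[1:]]
                elif key == "documentroot":
                    vh["docroot"] = parts[1]
            vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, host_header):
    """Pick the vhost for a Host header: first name match, else the first vhost."""
    host = host_header.split(":", 1)[0].lower()
    for vh in vhosts:
        if host == vh["name"] or any(fnmatch.fnmatchcase(host, a) for a in vh["aliases"]):
            return vh
    return vhosts[0]  # nothing matched: the first vhost acts as the default
```

On a live server, `apache2ctl -S` prints the parsed vhost table, which shows the same ordering for the real configuration.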
