Overview
PHP handlers, a type of Apache module, contain libraries that the Apache web server uses to interpret and run PHP code.
The /etc/apache2/conf.d/
php.conf
configuration file contains the global directives that configure Apache's PHP application handlers. An include command in the Apache configuration file (httpd.conf
) loads the php.conf
configuration file so that the handlers load on startup.
Change your PHP handler
Change your PHP handler in the PHP Handlers section of WHM's MultiPHP Manager interface (WHM >> Home >> Software >> MultiPHP Manager) or use the rebuild_phpconf
script.
Note:
This differs from EasyApache 3, which uses WHM's Configure PHP and suEXEC interface (WHM >> Home >> Service Configuration >> Configure PHP and suEXEC).
PHP handlers
By default, cPanel & WHM offers six PHP handlers. Each handler differs in its files and implementation, which affects how quickly and securely Apache handles the PHP requests.
CGI
The CGI handler executes PHP applications through the
mod_cgi
or the
mod_cgid
Apache modules. If you install the suEXEC module, the system executes PHP applications as the user that owns the VirtualHost that served the request. If you uninstall the suEXEC module, the system executes PHP applications as the nobody
system user. The system provides mod_cgi
and mod_ruid2
by default.
You can customize the CGI handler's settings in the PHP .user.ini
file. A domain inherits these customizations if you set the domain to Inherit in WHM's MultiPHP Manager interface (WHM >> Home >> Software >> MultiPHP Manager). For more information, read our PHP Inheritance documentation.
Important:
- If you enable a per-user module, such as suEXEC or Ruid2, you can execute PHP scripts with permissions of
0400
. - If you disable a per-user module, such as suEXEC or Ruid2, you can execute PHP scripts with permissions of
0444
. - You cannot use Apache directives (for example, the
php_value
directive) with themod_cgi
or themod_cgid
Apache modules. You must use a customphp.ini
file instead. - While CGI meets the needs of most users, for better security handling we recommend that you use DSO with either
mod_ruid2
ormod_mpm_itk
, or DSO withmod_ruid2
and a jailshell account.
DSO
The DSO handler embeds the PHP language inside the Apache webserver. DSO allows you to use Apache directives (for example, the php_value
and php_admin_value
directives). If you do not use DSO, you cannot use these directives in an .htaccess
file. The DSO handler requires the MPM Prefork Apache module. PHP applications execute as the nobody
user when you use the DSO PHP handler, unless you use the mod_mpm_itk
or mod_ruid2
Apache modules.
Note:
If PHP scripts execute as the nobody
user, you cannot easily identify the user account that executed the script and unauthorized users can view your data.
EasyApache 4 does not include the DSO handler by default. To use the DSO handler, install the PHP package that you wish to use.
You can install the DSO PHP package in the PHP Extensions section of WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
Warnings:
- You can only use DSO as the handler for one version of PHP on your system.
- The handler's display name will not contain the text
DSO
. For example, the DSO for PHP 7.0 appears asphp70-php
.
- Unless you use a per-user module such as Ruid2 or ITK, your PHP scripts must have permissions of at least
0644
to execute. The PHP scripts that run under DSO create files as thenobody
user. Thenobody
user must have sufficient permissions to access and read the PHP files and permissions to write to the files and directories that the script affects.
FastCGI Process Manager (FPM)
FastCGI serves PHP applications through the mod_proxy_fcgi
Apache module. This method is fast, but may require changes to the FastCGI directives to work efficiently. The FastCGI Process Manager (PHP-FPM) implementation of FastCGI includes process management, emergency restarts, and IP address restriction. For more information about FPM, read our PHP-FPM documentation.
EasyApache 4 includes the mod_proxy_fcgi
Apache module by default. You can install the mod_proxy_fcgi
Apache module in the Apache Modules section of WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
You can customize the CGI handler's settings in the PHP .user.ini
file. A domain inherits these customizations if you set the domain to Inherit in WHM's MultiPHP Manager interface (WHM >> Home >> Software >> MultiPHP Manager). For more information, read our PHP Inheritance documentation.
FCGI daemon (FCGId)
FCGId serves PHP applications through the mod_fcgid
Apache module. The mod_fcgid
Apache module provides an alternative to the mod_cgi
Apache module. FCGId launches multiple instances of a program to enable the system to handle multiple concurrent requests.
Warnings:
- The
mod_fcgid
Apache module is not compatible with MultiPHP prior to cPanel & WHM version 74. - On systems that run cPanel & WHM version 76 or earlier, if your default PHP version uses FCGId, then all PHP versions will use FCGId.
- We recommend the
mod_fcgid
Apache module only for advanced system administrators who understand how to modify the performance of themod_fcgid
Apache module. - The
mod_fcgid
Apache module is not compatible with themod_ruid2
ormod_mpm_itk
Apache modules.
For more information, read our Apache Module: FCGId documentation.
LSAPI
LSAPI provides a fast and stable way to serve PHP applications. cPanel & WHM's version of LSAPI differs from the one that CloudLinux provides. This version disables Checkpoint/Restore in Userspace (CRIU), connection pooling, and opcache preservation.
Note:
To utilize this handler's full functionality, your system must run CloudLinux. For more information, read Cloudlinux's Apache mod_lsapi
documentation.
EasyApache 4 includes the mod_lsapi
Apache module by default. You can install the mod_lsapi
Apache module in the Apache Modules section of WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
Warning:
The mod_lsapi
Apache module is not compatible with the mod_ruid2
or mod_mpm_itk
Apache modules.
suPHP
This option provides the ability to run PHP scripts as the user with the mod_suphp
Apache module. This module provides a flexible and secure way to serve PHP requests.
Note:
If you use suPHP, PHP cache management extensions do not provide any benefits to your server. For more information, read our PHP Options documentation.
EasyApache compiles the mod_suphp
Apache module in paranoid mode, with several patches to improve Apache UserDir
support. It also includes our PHPRC patch.
The mod_suphp
Apache module that cPanel provides behaves very differently from the pristine upstream version. You cannot use Apache directives (for example, the php_value
directive) with the mod_suphp
module. To specify these values, place a php.ini
file in either the directory that contains the PHP script or in the location that the system administrator specifies.
Note:
suPHP loads your .ini
files in a specific order.
You can install the mod_suphp
Apache module in the Apache Modules section of WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
Important:
suPHP is not compatible with the mpm_itk
or the mod_ruid2
Apache module. You must uninstall suPHP if you want to use these modules.
Note:
For PHP scripts to execute, permissions must be at least 0640
. Scripts run as the user who owns the VirtualHost. If the user has permissions that are sufficient to write to a file or directory, so do their PHP scripts.
suPHP security checks
The mod_suphp
Apache module performs various security checks before it executes a PHP script. Edit the mod_suphp
configuration file, /etc/suphp.conf
, to disable these checks. You can edit the following security checks:
Security check | Description | Default |
---|---|---|
docroot | PHP scripts must reside in this directory. To improve security, change this value to /home/ . | / |
allow_file_group_writable | This security check prevents the execution of PHP scripts with the You can change this directive to |
false |
allow_file_others_writable | This security check prevents the execution of PHP scripts with the You can change this directive to | false |
allow_directory_group_writable | If you previously ran PHP as DSO, group members may have write access to the directory that your PHP scripts reside in. Your server will not execute these scripts if this security check has a value of You can change this to | false |
allow_directory_others_writable | If you previously ran PHP as DSO, your PHP scripts may reside in a globally writeable directory. If this security check has a value of You can change this to | false |
check_vhost_docroot | This security check causes suPHP to check whether the target script resides in the document root of the VirtualHost that serves the request. For a UserDir request, suPHP considers the domain part of the URL to be the VirtualHost that serves the request. If you set this setting to true, it causes UserDir requests and some types of PHP aliases to fail but significantly improves security. | false |
userdir_overrides_usergroup | cPanel-specific patches allow this configuration option. If you set this value to true , suPHP determines which user executes a script from the UserDir portion of the URL. If you set this value to false , your server executes PHP scripts as the user that the domain portion of the URL specifies. | true |
paranoid_uid_check | You can compile suPHP in different security modes. EasyApache uses the paranoid mode. In some cases, force mode may be a better option. The Change this setting to | true |
paranoid_gid_check | This security check verifies that the group ID that owns a script also executes it. Change this setting to | true |
umask | This option sets the default permissions for files that suPHP uploads to your server. For improved security, use Note: The | 0022 |
min_uid | The lowest user ID that your server allows to execute scripts. To improve security, set this value to 100 or 500 . You must set this value to 0 if you provide shared PHP scripts that the root user owns to your users. | 1 |
min_gid | The lowest group ID that your server allows to execute scripts. To improve security, set this value to 100 or 500 . You must set this value to 0 if you provide shared PHP scripts that the root user owns to your users. | 1 |
full_php_process_display | When you set this value to true , the mod_suphp module executes PHP scripts in a way that displays both the PHP interpreter and the script's file name in the process list. To hide the script's file name and improve security, set this value to false . | true |
The suphp.conf file warnings
Warnings:
- We strongly recommend that you allow your system to load the
.ini
files and directives as it finds them. This guarantees the most predictable results. - We strongly recommend that you do not set the
[phprc_paths]
section, thesuPHP_ConfigPath
directive or set the PHPRC environmental variable. Unexpected behavior may occur.
The suphp.conf
file includes the [phprc_paths]
section. You can use this section to lock a particular PHP handler to its default php.ini
file, but we strongly recommend against this usage.
The suPHP_ConfigPath
configuration directive sets the path to the php.ini
file. Set the suPHP_ConfigPath
directive in either the httpd.conf
file or an .htaccess
file.
- To prevent the use of this directive in
.htaccess
files, remove theOptions
parameter from the Apache AllowOverride directive. - The
[phprc_paths]
settings in thesuphp.conf
file overrride anysuPHP_ConfigPath
settings.
For more information about suPHP behavior, read our The cPanel PHPRC PHP Patch for EasyApache 4 documentation.
Additional documentation
There is no content with the specified labels