Apache mpm-itk for CentOS 6

mpm-itk is an MPM (multi-processing module) for the Apache web server that allows you to run each virtual host under its own user id and group id. It is mainly used to secure shared hosting, since you don’t have to make every virtual host’s folders readable by the apache user.

The mpm-itk home page can be found here: http://mpm-itk.sesse.net/

Update: httpd-itk packages are now available on EPEL, just enable the repo and follow installation instructions below.

Since I normally use CentOS, I needed that mpm for the version 6, which is not packaged by anyone.
Following the idea on http://www.webtatic.com/packages/httpd-itk/ I built the CentOS 6 packages for mpm-itk which can be found here: http://www.brancaleoni.com/repos/centos/6/

The packages are built using a private koji ( http://fedoraproject.org/wiki/Koji ) instance we have in our company, to ensure that everything is built correctly and without any issue.

Installation
I will assume that you already have your Apache setup up and running.
To install mpm-itk, download the httpd-itk rpm matching your system architecture from http://www.brancaleoni.com/repos/centos/6/

  • Install the rpm:
    yum install httpd-itk
  • Stop your Apache instance:
    service httpd stop
  • Edit /etc/sysconfig/httpd and add the following line:
    HTTPD=/usr/sbin/httpd.itk
  • If using PHP with mod_php, don’t forget to add to /etc/httpd/conf.d/php.conf:
    <IfModule itk.c>
       LoadModule php5_module modules/libphp5.so
    </IfModule>
  • Set the default user id and group id, in case you forget to set them on a virtual host. Normally this user is apache with group apache.
    Set it inside the <IfModule itk.c> directive in itk.conf:

    cat /etc/httpd/conf.d/itk.conf | grep AssignUserId
    AssignUserId apache apache
  • Set the user id and group id for each of your virtual hosts, for example:
    ...
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /path/to/web/root

        AssignUserId vhost-user vhost-group
    </VirtualHost>
    ...
  • Restart your Apache instance:
    service httpd start
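
A check for the last configuration steps, added here as an example and not part of the original guide: it flags virtual hosts that have no AssignUserId (and therefore run as the default user) or that share a run-as user with a different site. The function names, the MISSING/SHARED labels and the sample configuration are assumptions made for the example.

```shell
# Flag <VirtualHost> blocks with no AssignUserId, or sharing a run-as user
# with a different ServerName. Assumption: Include directives are not followed.
check_assignuserid() {
    awk '
        BEGIN { bad = 0 }
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^#/ { next }
        low ~ /^<virtualhost[ \t>]/ {
            invh = 1; name = "(no ServerName)"; user = ""
            where = (FILENAME == "" ? "stdin" : FILENAME) ":" FNR
            next
        }
        invh && low ~ /^servername[ \t]/   { split(line, f, /[ \t]+/); name = f[2] }
        invh && low ~ /^assignuserid[ \t]/ { split(line, f, /[ \t]+/); user = f[2] }
        invh && low ~ /^<\/virtualhost>/ {
            if (user == "") {
                printf "MISSING %s (%s): runs as the default user\n", name, where
                bad = 1
            } else if ((user in seen) && seen[user] != name) {
                printf "SHARED %s (%s): runs as %s, same as %s\n", name, where, user, seen[user]
                bad = 1
            } else {
                seen[user] = name
            }
            invh = 0
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample configuration, not taken from a real server.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    AssignUserId vhost-user vhost-group
</VirtualHost>
<VirtualHost *:80>
    ServerName forgotten.example
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example
    assignuserid vhost-user other-group
</VirtualHost>
EOF
}

# No arguments: audit the constructed sample. Otherwise audit the given files.
if [ "$#" -gt 0 ]; then check_assignuserid "$@"; else sample_conf | check_assignuserid || true; fi
```

Run it as `sh check.sh /etc/httpd/conf.d/*.conf`; a non-zero exit status means at least one virtual host is not isolated.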

Don’t forget to set the correct permissions!
For a complete and secure setup, you’ll need 2 users and 1 group for each virtual host.
The first user is the “write” user, the one that you (or your customer…) use to upload files. The second user is the user that Apache runs the vhost under; the group allows Apache to access the files uploaded by the first user.
With this scenario, other vhosts cannot access your vhost (unless you make files world readable…).
For example (owner-user is our upload user):

cat /etc/httpd/conf.d/vhost.conf | grep AssignUserId
# AssignUserId vhost-user vhost-group

chown owner-user:vhost-group /path/to/webroot
chmod o-rwx /path/to/webroot

ls -ald /path/to/webroot
# drwxr-x--- 20 owner-user vhost-group 4096 Apr 5 19:38 /path/to/webroot

If you want to set the permissions recursively, do the above steps and then:

cd /path/to/webroot
find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 750 {} \;

The first one will set all files to user RW and group R, the second will set all directories to user RWX and group RX.
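
An audit of a webroot against the two-users/one-group model above, added here as an example and not part of the original guide. The function name audit_webroot and the FAIL/REVIEW labels are assumptions; OWNER is the upload user and GROUP is the group given to AssignUserId.

```shell
# audit_webroot WEBROOT OWNER GROUP
# FAIL lines break the isolation between vhosts. REVIEW lines are places the
# Apache run-as user can write or already owns, which is expected only for
# upload or cache directories.
audit_webroot() (
    root=$1 owner=$2 group=$3

    # Any permission bit for "other" lets the users of other vhosts in.
    # Symlinks are skipped: their own mode is always lrwxrwxrwx on Linux.
    # Entries outside the vhost group are not covered by the model at all.
    fails=$(
        find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/FAIL world-accessible: /'
        find "$root" ! -group "$group" -print | sed 's/^/FAIL wrong group: /'
    )

    # Group write means the run-as user can modify the entry; a different
    # owner usually means the web application created it.
    review=$(
        find "$root" ! -type l -perm -020 -print |
            sed 's/^/REVIEW group-writable: /'
        find "$root" ! -user "$owner" -print |
            sed 's/^/REVIEW not owned by upload user: /'
    )

    if [ -n "$fails" ]; then printf '%s\n' "$fails"; fi
    if [ -n "$review" ]; then printf '%s\n' "$review"; fi
    [ -z "$fails" ]
)

# Usage: sh audit.sh /path/to/webroot owner-user vhost-group
if [ "$#" -eq 3 ]; then audit_webroot "$@"; fi
```

The exit status is non-zero only when a FAIL line is printed, so the script can run from cron after each deployment.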

Thanks again to http://www.webtatic.com/packages/httpd-itk/ from which I robbed the idea (and some text) and ported to CentOS 6.

That’s all. Happy vhosting :)

20 Responses to Apache mpm-itk for CentOS 6

  1. Oban Lambie says:

    I’m soooo happy to have found this. I’ve been using the webtatic packages and was stressed when I found he doesn’t have a CentOS 6 version, and was ecstatic to find your rpm and find that it installed without a hitch.

    Thank you Matteo!

    ~ Oban Lambie

  3. David says:

    Thanks for this.
    I’m just struggling a little with the user / group permissions on the vhost after this is set up.
    You mention to have 2 users and 1 group per vhost. But I don’t understand who has access to what.
    Which user is in the 1 group you created?
    You don’t mention granting permissions to the 2nd user – how does this then allow apache access?

    Sorry I haven’t been able to get my head around it.

    • mbrancaleoni says:

      Hi.

      First of all, you need 1 group for each website, say vhost1-group.
      Then you must create 2 users in this group, say apache-vhost1-user and ftp-vhost1-user.
      The first one will be put into the AssignUserId apache config, so will be:

      AssignUserId apache-vhost1-user vhost1-group

      the second will be the “owner” of the files, the one that (for example) can upload/delete and so on.

      The directory of the website and all its subdirs and files of course must be user-writable and group-read (at least).

      for example:
      drwxr-x---. 17 ftp-vhost1-user vhost1-group 4.0K Jan 15 12:47 ftp-vhost1-user # this is the root dir

      and some files/dir in it
      -rw-r-----. 1 ftp-vhost1-user vhost1-group 5.6K Mar 25 2010 somefile.txt
      drwxr-x---. 2 ftp-vhost1-user vhost1-group 4.0K Sep 17 2010 somedir

      as you may notice, files are readable by the group, and dirs have “execute” bit set, so the group can cd in it.

      If you need a dir to be writable by apache (maybe some cache, upload directory), just make it writable by the group also:

      drwxrwx---. 2 ftp-vhost1-user vhost1-group 4.0K Sep 17 2010 uploads

      that’s all :)

  4. halh says:

    Thank you.
    This is what I need. But I do not understand, why load php5 module into

    • mbrancaleoni says:

      because you’re using a different worker, and on standard CentOS httpd php.conf different php module is loaded based on worker type.
      Here’s a more complete example from my php.conf

       <IfModule prefork.c>
        LoadModule php5_module modules/libphp5.so
       </IfModule>
       <IfModule worker.c>
        LoadModule php5_module modules/libphp5-zts.so
       </IfModule>
       <IfModule itk.c>
        LoadModule php5_module modules/libphp5.so
       </IfModule>
  5. This is really excellent stuff. Well put together. It’s running for me and is blazing fast. Thank you so much for taking the time to share this with the dev community!

  8. Dick Davies says:

    “httpd-itk” in EPEL , thanks for the walk through though.

    • mbrancaleoni says:

      Hi! Thanks, since httpd-itk is on EPEL now (and I’m using it, too) I’ve updated the small guide.

  9. cron says:

    Hi! Yeah, itk is cool and thank you for the CentOS 6 rpm. Do you plan to update the package? Changelog said that the last build was on mar 26 2012 :(

  10. Ioannis Gkoutsidis says:

    Hi there,

    I really liked your article and tried to apply it on a CentOS 6.5! The problem that came up though, is that there is no /etc/httpd/conf.d/itk.conf file created. With a little search I came up with a sample file, which contains the following:

    StartServers 2
    MinSpareServers 2
    MaxSpareServers 10
    ServerLimit 256
    MaxClients 256
    MaxRequestsPerChild 4000
    AssignUserId apache apache


    To be honest I tried to apply the following and everything seems to work fine, but any further insight/help would be really appreciated!

    Thanks in advance,

    • mbrancaleoni says:

      Hi,
      yes seems that the Epel package does not have even a basic configuration (blah!) .

      Currently, your config is correct.

      But if you’re using the shipped EPEL package you can avoid creating itk.conf,
      so in my brief guide you can skip points 4 and 5.
      So after editing /etc/sysconfig/httpd, you can skip directly to point 6 where you setup virtual hosts .
