mpm-itk is an MPM (multi-processing module) for the Apache web server that allows you to run each virtual host with its own user id and group id. It is mainly used to secure shared hosting, since you don’t have to make every virtual host’s folders readable by the apache user.
The mpm-itk home page can be found here: http://mpm-itk.sesse.net/
Update: httpd-itk packages are now available on EPEL, just enable the repo and follow installation instructions below.
Since I normally use CentOS, I needed this MPM for version 6, which is not packaged by anyone.
Following the idea on http://www.webtatic.com/packages/httpd-itk/ I built the CentOS 6 packages for mpm-itk which can be found here: http://www.brancaleoni.com/repos/centos/6/
The packages are built using a private koji ( http://fedoraproject.org/wiki/Koji ) instance we have in our company, to ensure that everything is built correctly and without any issue.
Installation
I will assume that you already have your Apache setup up and running.
To install mpm-itk, download the httpd-itk rpm for your system architecture from http://www.brancaleoni.com/repos/centos/6/
1. Install the rpm:
   yum install httpd-itk
2. Stop your apache instance:
   service httpd stop
3. Edit /etc/sysconfig/httpd and add the following line:
   HTTPD=/usr/sbin/httpd.itk
4. If using PHP with mod_php, don’t forget to add to /etc/httpd/conf.d/php.conf:
   <IfModule itk.c>
     LoadModule php5_module modules/libphp5.so
   </IfModule>
5. Set the default user id and group id, just in case you forget to set them on a virtual host. Normally this user is apache with group apache. Set it inside the <IfModule itk.c> block in itk.conf:
   cat /etc/httpd/conf.d/itk.conf | grep AssignUserId
   # AssignUserId apache apache
6. Set the user id and group id for your virtual hosts, for example:
   ...
   <VirtualHost *:80>
     ServerName example.com
     DocumentRoot /path/to/web/root
     AssignUserId vhost-user vhost-group
   </VirtualHost>
   ...
7. Restart your apache instance:
   service httpd start
Don’t forget to set the correct permissions!
For a complete and secure setup, you’ll need 2 users and 1 group for each virtual host.
The first user is the “write” user, the one that you (or your customer…) use to upload files. The second user is the user that apache runs the vhost as; the group allows apache to access the files uploaded by the first user.
With this scenario, other vhosts cannot access your vhost (unless you make files world-readable…).
For example (owner-user is our upload user) :
cat /etc/httpd/conf.d/vhost.conf | grep AssignUserId
# AssignUserId vhost-user vhost-group
chown owner-user:vhost-group /path/to/webroot
chmod o-rwx /path/to/webroot
ls -ald /path/to/webroot
# drwxr-x--- 20 owner-user vhost-group 4096 Apr 5 19:38 /path/to/webroot
If you want to set the permissions recursively, do the above steps and then:
cd /path/to/webroot
find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 750 {} \;
The first one will set all files to user RW and group R, the second will set all directories to user RWX and group RX.
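As an added example (not part of the original post), the shell helpers below check the two things this setup depends on: every virtual host has its own AssignUserId, and nothing under the webroot is accessible to “other” or owned outside the upload user and the vhost group. The function names and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample config is constructed.

# One line per <VirtualHost>: STATUS ServerName DocumentRoot user group
#   MISSING = no AssignUserId, vhost falls back to the default (apache apache)
#   SHARED  = run user or group already used by an earlier vhost in the file
itk_vhost_audit() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ { next }
        tolower($1) ~ /^<virtualhost/ { inv = 1; name = root = "-"; u = g = ""; next }
        !inv { next }
        tolower($1) == "servername"   { name = $2 }
        tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
        tolower($1) == "assignuserid" { u = $2; g = $3 }
        tolower($1) ~ /^<\/virtualhost/ {
            st = "OK"
            if (u == "") { st = "MISSING"; u = g = "-" }
            else if ((u in users) || (g in groups)) st = "SHARED"
            if (u != "-") { users[u] = 1; groups[g] = 1 }
            print st, name, root, u, g
            inv = 0
        }
    ' "$1"
}

# Paths under DIR that break the model: any "other" permission bit set, or an
# owner/group other than the upload user and the vhost group.
webroot_violations() {   # usage: webroot_violations DIR OWNER GROUP
    find "$1" ! -type l \( -perm -0001 -o -perm -0002 -o -perm -0004 \
        -o ! -user "$2" -o ! -group "$3" \) -print
}

# Demo on a constructed config.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /path/to/web/root
    AssignUserId vhost-user vhost-group
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example
    DocumentRoot /path/to/other/root
</VirtualHost>
EOF
itk_vhost_audit "$conf"
rm -f "$conf"
```

Run webroot_violations as root against each DocumentRoot, for example `webroot_violations /path/to/webroot owner-user vhost-group`; an empty result means the tree matches the layout described above.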
Thanks again to http://www.webtatic.com/packages/httpd-itk/ from which I robbed the idea (and some text) and ported to CentOS 6.
That’s all. Happy vhosting
I’m soooo happy to have found this. I’ve been using the webtatic packages and was stressed when I found he doesn’t have a CentOS 6 version, and was ecstatic to find your rpm and find that it installed without a hitch.
Thank you Matteo!
~ Oban Lambie
You’re welcome!
I built them for the very same reason
Thanks for this.
I’m just struggling a little with the user / group permissions on the vhost after this is set up.
You mention to have 2 users and 1 group per vhost. But I don’t understand who has access to what.
Which user is in the 1 group you created?
You don’t mention granting permissions to the 2nd user – how does this then allow apache access?
Sorry I haven’t been able to get my head around it.
Hi.
First of all, you need 1 group for each website, say vhost1-group.
Then you must create 2 users in this group, say apache-vhost1-user and ftp-vhost1-user.
The first one will be put into the AssignUserId apache config, so will be:
AssignUserId apache-vhost1-user vhost1-group
the second will be the “owner” of the files, the one that (for example) can upload/delete and so on.
The directory of the website and all its subdirs and files of course must be user-writable and group-read (at least).
for example:
drwxr-x---. 17 ftp-vhost1-user vhost1-group 4.0K Jan 15 12:47 ftp-vhost1-user # this is the root dir
and some files/dir in it
-rw-r-----. 1 ftp-vhost1-user vhost1-group 5.6K Mar 25 2010 somefile.txt
drwxr-x---. 2 ftp-vhost1-user vhost1-group 4.0K Sep 17 2010 somedir
as you may notice, files are readable by the group, and dirs have “execute” bit set, so the group can cd in it.
If you need a dir to be writable by apache (maybe some cache, upload directory), just make it writable by the group also:
drwxrwx---. 2 ftp-vhost1-user vhost1-group 4.0K Sep 17 2010 uploads
That’s all
Thank you.
This is what I need. But I do not understand, why load php5 module into
Because you’re using a different worker, and in the standard CentOS httpd php.conf a different php module is loaded based on worker type.
Here’s a more complete example from my php.conf
This is really excellent stuff. Well put together. It’s running for me and is blazing fast. Thank you so much for taking the time to share this with the dev community!
Thanks!
“httpd-itk” in EPEL , thanks for the walk through though.
Hi! Thanks, since httpd-itk is on Epel now (and I’m using it, too) I’ve updated the small guide.
Hi! Yeah, itk is cool and thank you for the CentOS 6 rpm. Do you plan to update the package? Changelog said that the last build was on mar 26 2012
Hi!
yes, that’s because httpd-itk is now on Epel, please check http://www.brancaleoni.com/blog/?p=44 and http://fedoraproject.org/wiki/EPEL .
Right now I’m using Epel provided httpd-itk on my CentOS 6 servers and it is working ok 😉
Hi there,
I really liked your article and tried to apply it on a CentOS 6.5! The problem that came up though, is that there is no
/etc/httpd/conf.d/itk.conf
file created. With a little search I came up with a sample file, which contains the following:
StartServers 2
MinSpareServers 2
MaxSpareServers 10
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
AssignUserId apache apache
To be honest I tried to apply the following and everything seems to work fine, but any further insight/help would be really appreciated!
Thanks in advance,
Hi,
yes seems that the Epel package does not have even a basic configuration (blah!) .
Currently, your config is correct.
But if you’re using the shipped Epel package you can avoid creating itk.conf,
so in my brief guide you can skip points 4 and 5.
So after editing /etc/sysconfig/httpd, you can skip directly to point 6 where you set up virtual hosts.