Hi I am trying to install Joomla 2.5.6 on my server using Mod-PHP handler but the installer goes into an infinite loop after I select the language. When I choose to use FastCGI instead (done through ISPConfig) and wait a bit for the cache/buffer to clear, the Joomla installer DOES NOT loop indefinately but actually makes it to the next screen where it shows me the php setting I have. Here it shows "output_buffering" on and recommends I turn it off. Which I can easily do via the default php.ini for the server. But here is where my dilema starts. The reason for needing to use Mod-PHP rather than FastCGI is that Mod-PHP enables the use of PHP settings inside .htaccess files. This is a critical feature I need at this point in time. You see, I have some scripts that need register_globals and magic_quotes_gpc on for them to work. I am not in a position at the moment to fix them. Perhaps some time in the future, but not right now. Mod-PHP allows me to set my php.ini file for a more secure server setup, ie by having register_globals and magic_quotes_gpc OFF by default, and then turn them on where required via .htaccess inside specific folders. However, if I use FastCGI, I can't control php settings on a per folder basis. I only have the option to set php.ini settings on a site basis. This is unsatisfactory for me. I've been a Joomla (pre-version 2) user for a number of years now on a server running Mod-PHP, and would like to continue with Joomla. But if it's not going to work, then I have to look at another CMS. 1) Has anyone been able to install Joomla 2.5.6 (or similar version) using Mod-PHP? How did you do it? 2) If I've miss understood something here, please feel free to enlighten me. Cheers, Nap
Website specific php settings are avalable for fastcgi in ISPConfig 3, so there is no need to use mod_php for a website at all and its also quite insecure. The security that you think to add by using folder specific php settings are completely lost by the use of mod_php, so at the end your site is more insecure. 1) Change php mode of the website to fastcgi 2) Enable the suexec checkbox in the website settings. 3) Set the php options that you want to have for this specific website in the custom php.ini field on the options tab of the website settings. 4) Install joomla.
Hi Till, thnx. With FastCGI, the install is fine. There are other reasons for needing to use Mod-PHP. I am not satisfied with site specific settings, because from the site owners' point of view, they are global settings. I need the option of being able to loosen up the security on certain folders only, not the whole site. I use register_globals ON for a forked version of an OS web app (located in a sub-folder of the webroot folder) through .htaccess. Is this making my whole site at higher risk? I think it's only that app. that can be attacked with register_globals type exploits. That script has been on a live site for 6 years now without being hacked, so I'm not concerned about it. I have more urgent things to do at the moment (check my postings concerning pure-ftp/TSL issues). Is there something I've misunderstood here about PHP? Nap
Using mod_php is a much higher risk for the following reasons: 1) It runs the site under the apache user and not the website specific user, so if your site gets hacked, then the hacker can infect all other sites on your server easily. 2) With mod_php you have to run very "open" chmod settings to make folders workd writable for joomla which is not required for fastcgi / suexec. 3) If you want to isolate apps, then you put them in a separate subdomain and not a subfolder.
so I can set custom php settings for the sub-domain, like I can for the domain itself? but that doesn't eliminate the risk to the whole server (like you mentioned).
Yes. That reduces the risk a lot because fastcgi runs a separate php process for each website under a separate linux system user while mod_php runs one php process inside apache which is used for all websites and which uses the same linux system user. So with fastcgi and suexec, you have separated php processes and also separate linux users so the full linux file system permission restrictions apply for each website.
I'll have a go at using a sub-domain. I'm looking in the default php.ini file at output_buffer as it was setup by ISPConfig. It has a value of 4096. Joomla is asking that I turn it off. What do you recommend I do?
Forget mod-php and use su-php. So far it suits Joomla best. ISPConfig 3.0.5 comes with php-fpm. Does anyone have any experience using it with Joomla?
With Joomla the best PHP choice so far has been suPHP. All the other PHP choices have led to unexplained installation/configuration/usage problems that keep cropping up and hitting you in the back of your head when you are least looking. Here's hoping that Apache2 with PHP-FPM can replace suPHP. The jury is still out on that one and I personally would not use PHP-FPM with (Joomla) Virtuemart web-shop yet (unless you are looking for trouble.) We will see when we get more experience with it's problems. No PHP is perfect.
Nor will you see that here. But then you could (in theory) build Joomla site using WindowsXP and ModPHP, but why would you? Debian 7 + Apache2 + MySQL + ISPconfig with suPHP & suExec = Very good Joomla site.
You can also use wheezy,apache and fastcgi with suexec. With suphp you can´t use different php-versions.