May
15th

WHM – Recompiling Apache With Sensible Defaults

Filed under The Server Room | Posted by Gary

I’m probably going to regret using the wording ‘sensible defaults’ … what may seem sensible to me may well be not-sensible to others. Still, at the very least I’ll be able to explain how I recompile apache and why I choose certain settings. If you’ve never recompiled Apache on a WHM server then it can be a very scary task – so many options to choose from.

Before we get started you need to understand that if you are recompiling Apache on a server that already has several live sites then you need to look at the scripts that run on those sites. I’m going to suggest that you use PHP5 and suPHP but this could break some older scripts that won’t run on PHP5 and suPHP will cause ‘Server Errors’ if you have any world writable directories or files, or the ownership of the files does not match the CPanel account owner(s). If you are unsure about any of that, then please read the article: Upgrading WHM Apache To Use suPHP and PHP 5 as you will need to follow those instructions after the recompile.

If you are recompiling Apache on a shiny new server then there isn’t much that can go wrong! Regardless of that, this guide does carry a standard disclaimer. If anything breaks, that’s not my fault. These instructions are given in good faith and no warranty or guarantees are either implied or provided.

Step 1: Profile

This is the first screen you will see when you click on Software->Apache Update. By default the ‘Previously Saved Config’ profile will be selected. Click on the ‘PHP Security’ option as this will compile the suPHP module when we get to that step. After selecting the PHP Security profile, click on the ‘Start customizing based on profile’ button.

Step 2: Apache Version

For the Apache version, select Apache 2.2. This is the latest stable version and the version that works best with PHP5. It also has some performance improvements over version 2.0. After selecting Apache 2.2, click on the ‘Next Step’ button.

Step 3: PHP Major Version

Tick the box next to PHP 5. PHP 4 is a ‘dead duck’ and is no longer actively supported by the PHP developers (though they have said they may provide security fixes until Aug. 8 2008). PHP 5 is the current ‘stable’ and actively developed version of PHP. Do check though, if you have some scripts running, that they will work with PHP 5. You can generally find this out from the script developer’s website. After choosing PHP 5 click on the ‘Next Step’ button.

Step 4: PHP Minor Version

Choose the most recent release. These will always be ‘stable’ releases and it’s quite likely your server is running the previous version. At the time of writing this guide, PHP 5.2.6 is the most recent version. After choosing the minor version click on the ‘Next Step’ button.

Step 5: Short Options List

Unless you are positive that someone is going to NEED Microsoft Frontpage support, untick that sucker RIGHT NOW!. Yes..I was shouting when I said that. Seriously, frontpage extensions are a potential security risk and should never be enabled if they will not be used.

I generally tick the Mod suPHP, Ioncube Loader, Mod Security and Zend Optimizer and untick the rest. Whilst it adds a little extra ‘baggage’ to your web server there are many scripts that use Ioncube or Zend encoding so it may save you a little time and hair pulling some time in the future. suPHP and Mod Security will help protect your web server from attacks and exploits. As the CPanel docs say:

“ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.”

Security is good. Say that a few times until you feel REALLY comfortable with it!

Don’t be too concerned by the ‘Are you fully aware…’ messages that pop up when you click on ‘More Info’ for Ioncube and Zend – these options generally don’t need any further tweaking or alterations after Apache is recompiled and even in the rare cases where something goes wrong there are plenty of good support docs around, online forums etc and Google is your friend :).

Once you’ve selected the 4 aforementioned options, click on the ‘Exhaustive Options List’ button.

Step 6: Exhaustive Options List

Ok now… remember your breathing exercises. Take a few deep breaths. Sure, there are ALOT of options there, but whose scared of of a bunch of tick boxes eh?

The first thing you will notice is that some of the options have orange text. These are options that are enabled by default in Apache and you can leave them all ticked, so we won’t mention them other than to say if it is orange – it should be enabled. Now, lets look at the other options I always enable.

Expires – this allows the generation of cache control and expires headers. This can be useful when someone is coming through a caching proxy as you can let the caching proxy know that it should fetch the current page instead of serving up an old page from the cache.

Fileprotect – remember that we said security is good? The fileprotect module prevents other users on your server from reading other peoples web root folders.

Headers – Not used extensively but this allows you to customize HTTP response and request headers. It’s the sort of thing that a script developer may use.

Imagemap – You don’t see imagemaps as often as in years gone by but there are still plenty of web pages and scripts that use them, so it would be silly not to include the imagemmap module.

Mod suPHP – We talked about this earlier. Security is good. Mod suPHP is good! You can find out all about it at http://suphp.org/

You should be able to skip past the ‘Other Modules’ section as those are the ones we set earlier. Now we move on to the PHP options.

Bcmath & Calendar – These are used by some popular scripts out there so I always enable them.

Curl & CurlSSL – Curl is often used for scripts such as PayPal IPN scripts and scripts that need to post information to another web site. Also, many hosts now disable the allow_fopen_url option in PHP and the alternative they do allow is Curl. Most script developers are aware of this, so Curl is often used as either the primary or ‘fallback’ option when posting forms or data to other sites.

FTP – Again, I include this because there are scripts that make use of PHP’s FTP functions so it is better to do it now than to have to re-compile again later.

Force CGI Redirect – This option is required in order for our suPHP option to work.

GD – This is a graphics library that is used in many, many PHP scripts.

Magic Quotes – This option helps prevent some SQL injection attacks, so it is basically an added security feature. If you have a script that falls over because of it, you can turn it off in the php.ini file. However, most well written scripts will check whether magic quotes is enabled and adapt accordingly.

Mbstring – Provides some multi-byte character encoding functions. Yep – that’s quite a mouthful but .. long story short .. there are scripts that use it and no harm in enabling it.

Mcrypt & Mhash – These options provide encrypting and hashing functions that are used by many scripts.

MySQL & MySQL of the system – Guess where WordPress stores its data .. in a MySQL database. Guess what language WordPress is written in … PHP. Need I say more? There are a huge number of PHP scripts that will need to access a MySQL database so these options are a no-brainer. MySQL of the system just means that it will use the MySQL libraries that are installed on your server rather than the built-in support that PHP has. Without going into details .. ‘of the system’ is better ticked than unticked. So, make sure you check both of these options.

Sockets – This is another often used feature in PHP so it’s best to turn it on now rather than have to recompile again later.

TTF – This option provides support for Freetype fonts which are used by some scripts.

Zlib – I usually leave this enabled though there aren’t all that many scripts out there that use it. It provides gzip compatible file compression/decompression functions.

Finally, you should make sure the ‘Proxy’ option is NOT enabled (unless you plan on providing some proxy services .. which the vast majority of us do not). and tick the box labelled ‘Save my profile with appropriate PHP 5 options set so that it is compatible with cpphp’.

Preferences

Enable the following:

Always do latest PHP
Report Errors to cPanel

Now… take another deep breath and click on the ‘Save and build‘ button. Read the two popup windows – one is the confirmation and the other tells you that you shouldn’t interrupt the build. The build will take quite a while…perhaps an hour or more, so leave your web browser open and go make a cup of your favourite beverage … then sit back while the compiler does its thing.

As I said at the beginning … there’s no such thing as the perfect build and there is no ‘one build fits all’ solution. The defaults that I use should work for most servers. Feel free to comment and/or criticize though – I’m always open to suggestions and improvements.

You must be logged in to post a comment.