[php-maint] Bug#685340: Bug#685340: php5-common: provide one /etc/apache2/conf.d/php5.conf for all SAPIs
Ondřej Surý
ondrej at debian.org
Mon Aug 20 11:18:06 UTC 2012
On Mon, Aug 20, 2012 at 1:11 AM, Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
> This would have the advantages:
> - All SAPIs share the same config, thus no surprises.
I am not sure it that's a good idea (even when I drop your mix of
AddType and SetHandler). I'll try to come with something else which
doesn't involve installing apache configuration files when install
php5-cli package.
> - No longer the need for manually configuring Apache with respect to PHP when using CGI/FCGI
That's simply not true.
- You will have to configure Apache manually for CGI/FastCGI, because
you can install mod_php along with php5-cgi - and having both serving
PHP files would create just a mess.
- For FastCGI using php5-cgi - you have to create a fastcgi wrapper,
so again it needs manual configuration.
- And FPM doesn't work with libapache2-mod-fcgid at all and needs
libapache2-mod-fastcgi from non-free, so again manual intervention is
required.
> We can largely drop the special section about CGI from README.Debian
Not much can be dropped.
> I personally, would strongly recommend AGAINST also having the Action/ScriptAlias directive there;
> admins or package maintainers should place them in the <Directory> definitions where this
> is needed.
I agree on that, but from different reasons (as documented in
README.Debian) - the php5-cgi is webserver agnostic and we don't want
it to conflict with libapache2-mod-php5(filter).
> It's simply unclean and even dangerous to enable interpretation of PHP files server-wide, as
> it's now done by mod_php packages.
Why? You keep pushing your opinions without giving any technical
reason. Default Debian configuration is secure (it allows only files
in /var/www to be accessed).
> #Note: The following is a security measure to remove any possible mappings that would also apply on “middle extensions” (for example “test.php.png”).
> RemoveType php
You keep repeating this, but Apache manual says:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext
> If more than one extension is given that maps onto the same type of meta-information, then the one to the right will be used, except for languages and content encodings. For example, if .gif maps to the MIME-type image/gif and .html maps to the MIME-type text/html, then the file welcome.gif.html will be associated with the MIME-type text/html.
So either you or Apache manual is wrong.
> <Files ?*.php>
> AddType application/x-php php
> </Files>
Again you keep pushing Files vs FilesMatch, but did you do or see any
performance tests. I would guess that processing the PHP file in most
common scenarios would be much longer than the performance hit induced
by using FilesMatch.
I would rather have the configuration files simple to read than tuned
to max performance.
Compare:
<FilesMatch ".+\.ph(p[345]?|tml|t)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
to
<Files ?*.php>
SetHandler application/x-httpd-php
</Files>
<Files ?*.pht>
SetHandler application/x-httpd-php
</Files>
<Files ?*.php3>
SetHandler application/x-httpd-php
</Files>
<Files ?*.php4>
SetHandler application/x-httpd-php
</Files>
<Files ?*.php5>
SetHandler application/x-httpd-php
</Files>
<Files ?*.phtml>
SetHandler application/x-httpd-php
</Files>
<Files ?*.phps>
SetHandler application/x-httpd-php-source
</Files>
The FilesMatch form is much simpler to read and modify en masse.
--
Ondřej Surý <ondrej at sury.org>
More information about the pkg-php-maint
mailing list