[OpenAFS] suEXEC/FastCGI/OpenAFS question
Ken Dreyer
ktdreyer@ktdreyer.com
Wed, 23 Nov 2011 13:41:22 -0700
On Wed, Nov 23, 2011 at 1:16 PM, Aaron Knister <aaronk@umbc.edu> wrote:
> I've devised another approach, dropping the mpm-itk patches and using suEXEC
> and fastcgi for php instead.
I'm trying to research the same problem, but I haven't come up with a
working solution yet. I'm using mod_php, and I'd really like to move
to FastCGI for more safety / flexibility.
> The one piece to the puzzle that I'm missing is having fastcgi
> obtain AFS tokens. Because the fastcgi processes aren't spawned by the httpd
> worker handling the request waklog isn't able to pass along any credentials.
Are you using mod_fcgid ? Looking over
https://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html , I was planning
to make the FcgidWrapper script run aklog (well, with k5start), and
use a slightly different FcgidWrapper for each vhost.
I'm really only beginning to look into it, so I'd like to hear about
setups at other sites. There was a presentation at the European AFS
conference recently where one of the sites provides isolation by
running entirely separate Apache daemons... and I guess they use
mod_proxy to tie them all together? For my site, that would be a bit
painful for a few reasons, but that does sound like a solution that
"works".
- Ken