This is an old revision of the document!
PHP SuEXEC mode
PHP SuEXEC enabled on control panel by default
If you run shared hosting services with a control panel, it is necessary to use SuEXEC mode for security reasons. Our LSWS installation script will enable PHP SuEXEC by default for all control panels hence LSWS will run PHP SuEXEC out of the box. In SuEXEC mode, each PHP process will run as the owner of the virtual host's document root.
To manually enable SuEXEC on LSWS for cPanel, Plesk, or another control panel, Admin Console → Server → Server General → Using Apache Configuration File → PHP suEXEC should be set to Yes. However, Enabling PHP suEXEC for the control panels is default setup during the installation and you have no need to manually change it here. Once it is set, generally you should not make change anymore to avoid permission problem, since PHP SuEXEC will generally run as “user:user” while non-PHP SuEXEC will run as “nobody:nobody”.
Enable PHP SuEXEC for LSWS native mode or OpenLiteSpeed
To enable SuEXEC for LSWS native or on OpenLiteSpeed, you will need to create external apps (name should be unique and different than server level external apps and other virtual host external apps, for example, lsphp_$vhost; also set it to run as username:usergroup to implement PHP SuEXEC) and script handler pointing to the newly created external app under each virtual host.
Which PHP setup am I using?
LiteSpeed Web Server comes with a number of PHP setups. Less experienced users may be confused as to which PHP setup they are using. Follow the steps in this wiki to determine which PHP setup you're using.
Prerequisites
This wiki is for LSWS users using LSAPI (the default and recommended SAPI for PHP).
suEXEC or non-suEXEC?
- Is the PHP suEXEC setting set to
YesorUser's Home Directory Only? If so, then you are using suEXEC. If not, then you are not using suEXEC.
Which suEXEC mode am I using?
- Is the Run on Start Up setting set to
suEXEC Daemon? If so, then you are running suEXEC Daemon mode. If not, then you are running suEXEC Worker mode. (Also see next step.) - Do you have an LSPHP_ProcessGroup on directive in your Apache configuration files? If so, then users with that configuration are using suEXEC ProcessGroup. (This can be set at the server or virtual host level.)
- Is your Instances setting set to
1? If so, you are running ProcessGroup. If not, you are running Worker. (These setups are explained in the Environment Variables section of the PHP LSAPI Configuration documentation.)
PHP suEXEC Setups: Worker/Daemon/Process Group mode
LiteSpeed Web Server offers a number of different PHP suEXEC setups for the various needs and goals of shared hosting providers: suEXEC Worker mode, suEXEC Daemon mode, and suEXEC ProcessGroup mode.
suEXEC Worker mode
suEXEC Worker: Standard suEXEC PHP with LSAPI. Creates new processes when needed. PHP suEXEC Worker is compatible with custom php.ini files, including CloudLinux’s CageFS php.ini files, and thus allows the use of CloudLinux's PHP Selector. suEXEC Worker is incompatible with opcode caching. suEXEC Worker is enabled by default when PHP suEXEC is configured in your Apache configs.
suEXEC Daemon mode
suEXEC Daemon mode is automatically set up to run processes as the site owner, makes great use of opcode caching, and spawns processes dynamically, using resources when and where you need them. suEXEC Daemon mode does not allow a customized per-user php.ini. If a user has a customized php.ini, LiteSpeed WebServer will automatically switch to suEXEC Worker mode (LiteSpeed's default suEXEC setup) at the server level. Because of the incompatibility with custom php.ini's, suEXEC Daemon mode is not compatible with CloudLinux's PHP Selector.
To set up suEXEC Daemon mode, just adjust your server-level LSPHP external application settings. WebAdmin console > Configuration > External App > your LSPHP external application: Set Auto Start to Yes and Run On Start Up to suEXEC Daemon.
suEXEC ProcessGroup mode
suEXEC ProcessGroup mode allows for LiteSpeed's most powerful suEXEC opcode caching. Each process group has its own parent process which makes PHP suEXEC ProcessGroup compatible with custom php.ini files. A custom php.ini allows the use of CloudLinux’s PHP Selector. ProcessGroup is set through a directive in your httpd.conf files at either the server or virtual host level. (See the Configuration section.) Using this directive at the virtual host level allows you to decide which users get a personal opcode cache.
Prerequisites:
Auto Start (in WebAdmin console > Configuration > External App > your external application) must be set to Yes or Through CGI Daemon. Setting Auto Start to Through CGI Daemon may save resources by not starting parent processes for idle process groups at startup.
If you wish to use suEXEC Daemon mode for some users while using ProcessGroup for others, change Run On Start Up (in WebAdmin console > Configuration > External App > your external application) to suEXEC Daemon. If Run On Start Up is set to suEXEC Daemon, ProcessGroup will override Daemon mode wherever ProcessGroup is enabled.
If Run On Start Up (in WebAdmin console > Configuration > External App > your external application) is set to No, LSWS will start a parent process for each process group only when a user receives traffic. This is recommended. Setting Run On Start Up to Yes may result in errors. When Run on Start Up is set to yes or suEXEC Daemon, Max Idle Time (lsphp parent process max idle time) default value is 10. You can even set it to a very large number like 3600 so that PHP will not be stopped by the server in short time. Don't set “Max Idle time” to “-1”, since it will be converted to default 30 seconds for process group. “Run on start up” won't keep LSPHP parent process running and LSPHP parent process will still follow the timeout.
In control panel environment, processGroup is enabled by placing the directive LSPHP_ProcessGroup in an httpd.conf file. This can be done at the server or virtual host level. If done at the server level, all virtual hosts will use ProcessGroup. If done at the virtual host level, only that virtual host will use ProcessGroup. While in LSWS native environment, processGroup can be enabled by setting Instances to 1 and setting LSAPI_CHILDREN to a number greater than 1, such as 15.
Example configuration for control panel environment:
<IfModule LiteSpeed> LSPHP_ProcessGroup on LSPHP_Workers 15 </IfModule>
Note the <IfModule LiteSpeed>. The two directives, LSPHP_ProcessGroup and LSPHP_Workers, are LiteSpeed-specific directives. Apache will not understand them and may crash if they are not protected.
Additional configurations:
LSPHP_Workers sets the maximum number of child processes that the parent process can spawn. This is optional. If set, it will override the PHP suEXEC Max Conn setting (in WebAdmin console > Configuration > Server > General > Using Apache Configuration File).
Per-user opcode cache size is set in your php.ini file. The steps to set this depends on which opcode cache you’re using.
The Max Idle Time setting (in WebAdmin console > Configuration > External App > your external application) will control how long before idle parent processes are killed.
Special notes for use with cPanel:
The ProcessGroup directive should be put in an include file, otherwise it will be overwritten when you upgrade WHM.
When configuring ProcessGroup at the server level, the directive should be placed in /usr/local/apache/conf/includes/pre_virtualhost_global.conf.
When configuring ProcessGroup at the virtual host level, the directive should be placed in a virtual host-level include file.
Guides for adding include files can be found on this page from cPanel's site.
Process Group Mode is similar to Apache php-fpm mode. The difference is: with Apache, the parent process of php-fpm is not controlled by Apache, and it keeps running; with LiteSpeed, LiteSpeed uses LSAPI, and the PHP will exit if idle for a while (in a shared hosting environment and set at "Max Idle time"). For LSWS 5.2.8 and lower versions, PHP processes will stop when LSWS restarts, and the opcode cache will be reset. Starting from LSWS 5.3RC2 and above, LSPHP will run in detached mode and an LSWS restart won't stop PHP processes. The LSPHP parent will just follow the timeout where "Max Idle time" is set.
References:
https://www.litespeedtech.com/products/litespeed-sapi/php/guide-to-suexec-setups
https://www.litespeedtech.com/products/litespeed-sapi/php/suexec-worker
https://www.litespeedtech.com/products/litespeed-sapi/php/suexec-daemon-mode
https://www.litespeedtech.com/products/litespeed-sapi/php/suexec-processgroup
Config PHP and suEXEC in Cpanel
Please refer to Cpanel documentation:
https://documentation.cpanel.net/display/ALD/Configure+PHP+and+suEXEC