Apache related - what is causing this?

[Samuël van Laere]

I've got this in in my .htaccess file:
ErrorDocument 404 /mypage/404.php

But this will result in a 500 Internal Server Error.
When i change the extension to:
ErrorDocument 404 /mypage/404.html
Its works just fine.

Now you should now that the php file doesn't contain
any code, just plain html.

What is causing this, and more important what can i do about it?
It seems to be related with the file extension?


Regards,
Samuël van Laere
the Netherlands

 

[Edward Alfert]

I've got this in in my .htaccess file:
ErrorDocument 404 /mypage/404.php

But this will result in a 500 Internal Server Error.
When i change the extension to:
ErrorDocument 404 /mypage/404.html
Its works just fine.

Now you should now that the php file doesn't contain
any code, just plain html.

What is causing this, and more important what can i do about it?
It seems to be related with the file extension?


Regards,
Samuël van Laere
the Netherlands

Does your host use mod_php or PHP CGI?

We use Ensim Webppliance Pro and all our customers are set to High Security
mode. This mode forces customers websites to use PHP CGI instead of
mod_php. Apache calls an interpreter script that then calls PHP CGI.

Almost 100% of the time that a customer gets a 500 error related to .php
file it is because of permissions. In High Security mode, Ensim does not
allow the .php file be owned by anybody except the site admin and the group
and other permissions cannot have write permission enabled.

If you go to http://www.youdomain.tld/404.php does it also generate a 500
error? or only when you call it from .htaccess? If it also generates a 500
error when called directory, it is probably a permission/security issue
(since you say it is basically an html file with a .php extension and
contains no php code).

 

[Cameron]

@amsnews02.chello.com:




Does your host use mod_php or PHP CGI?

We use Ensim Webppliance Pro and all our customers are set to High Security
mode. This mode forces customers websites to use PHP CGI instead of
mod_php. Apache calls an interpreter script that then calls PHP CGI.

<snip>

Does the PHP CGI offer more security? I have read that the PHP CGI
should only really be used for development and debugging

 

[Edward Alfert]

<snip>

Does the PHP CGI offer more security? I have read that the PHP CGI
should only really be used for development and debugging

It offers more security because you can call it from another script which
can do some checks before running .php script.

Apache -> Interpreter (with checks) -> PHP CGI

PHP CGI uses more system resources and is slower compared to mod_php.
These are the two reasons not to use PHP CGI. To compensate for this
slower performance, our servers are dual Xeon with atleast 2GB of RAM (RAM
is increased as needed) and we do not overload the servers with too many
users.

But the way Ensim does it, it is very nice. Each apache process is
chrooted and runs as the site admin for each website (does not run as the
user "nobody" or "apache". It uses a different user for each site, not the
same for all sites). Then ensim uses suexec to check permissions and
ownership of .php files. The benefit of this setup is that you don't have
to enable safe_mode or other php restrictive settings. This is a nice
because many scripts want safe_mode off...and many hosts want it on. Know
you get to please both the user (safe_mode off) and the host (security).

 

[Cameron]

It offers more security because you can call it from another script which
can do some checks before running .php script.

Apache -> Interpreter (with checks) -> PHP CGI

PHP CGI uses more system resources and is slower compared to mod_php.
These are the two reasons not to use PHP CGI. To compensate for this
slower performance, our servers are dual Xeon with atleast 2GB of RAM (RAM
is increased as needed) and we do not overload the servers with too many
users.

But the way Ensim does it, it is very nice. Each apache process is
chrooted and runs as the site admin for each website (does not run as the
user "nobody" or "apache". It uses a different user for each site, not the
same for all sites). Then ensim uses suexec to check permissions and
ownership of .php files. The benefit of this setup is that you don't have
to enable safe_mode or other php restrictive settings. This is a nice
because many scripts want safe_mode off...and many hosts want it on. Know
you get to please both the user (safe_mode off) and the host (security).

Ahhh, thanks I thought it was a case of if at all possible use mod_php
rather than the CGI, but I will keep what you said in mind.

~Cameron

 

[Jeffrey Silverman]

I've got this in in my .htaccess file:
ErrorDocument 404 /mypage/404.php

But this will result in a 500 Internal Server Error.
When i change the extension to:
ErrorDocument 404 /mypage/404.html
Its works just fine.

Now you should now that the php file doesn't contain
any code, just plain html.

What is causing this, and more important what can i do about it?
It seems to be related with the file extension?


Regards,
Samuël van Laere
the Netherlands

Do other PHP files work? If not, add the proper AddHandler and AddType
directives to the .htaccess file, if your host will let you.

Also, if it contains no code, why use the .php extension? It is actually
using more resources by pre-processing with PHP than if it were a plain
..html file.