MPM-ITK, Mod_Security and cagefs

**cloudlinux** · 09-18-2015, 04:47 AM

We want to convert a server from the following configuration:
MPM-ITK, Mod_Security centos 6 & cpanel

to a server with cloudlinux and cagefs (and MPM-ITK& Mod_Security & cpanel)

We read it is possible but there is need for extra cagefs entries/configuration accourding to cpanel:

https://documentation.cpanel.net/display/EA/Apache+Module%3A+ModSecurity#ApacheModule:ModSecurity-Compatibility

> CageFS
> To build EasyApache with Mod Security and the MPM ITK option on the CloudLinuxâ„¢ operating system, you must either uninstall or properly enable and configure CageFS before you run EasyApache with the Mod Security and MPM ITK options.
> For more information about CageFS, read CloudLinuxs CageFS documentation.

But we cant find the specifics what to do exactly (I could not found it in the documentation of cagefs). As this is a production server I would like to know what I have to do.

And we need MPM-ITK with mod_security for this particular server

So has anyone a idea/simular setup?

**bogdan.sh** · 09-18-2015, 08:03 AM

Apache MPM ITK support CageFS only if properly patched: http://docs.cloudlinux.com/compatiblity_matrix.html and http://docs.cloudlinux.com/mpm_itk_support.html . Really not sure what is the proper way to do it on cpanel server, most probably with some /scripts/before_apache_make .

Overall you can enable cagefs only for one account to test how it is going, and only after confirming all Ok enable it for all users.

**cloudlinux** · 09-28-2015, 12:06 PM

Ok thanks, I will try that. Can you give me a hint what will go wrong if MPM_ITK is not patched? Wil if fail completely and show in the apache logs? Or will only some things go wrong? (so we can test it completely en correctly)

**bogdan.sh** · 10-02-2015, 01:11 PM

Without those patches websites on MPM ITK will work correctly however without CageFS, just like on regular linux server (however with LVE limits).

**cloudlinux** · 10-06-2015, 04:11 AM

Ok the patch isnt nessecary because cPanel was kind enoug to include it in the easyapache:

-- Begin dryrun test Applying CloudLinux patches (if applicable) --
Patch tested at -p1; /home/cpeasyapache/src/cppatch/0002-easy-cloudlinux-itk.patch
Applying patch; /home/cpeasyapache/src/cppatch/0002-easy-cloudlinux-itk.patch
patching file Makefile.in
patching file server/mpm/experimental/itk/itk.c
-- End dryrun test Applying CloudLinux patches (if applicable) --

(it took me a hole day to figure it out why the patch was showing errors when I did it manualy...)

MPM-ITK, Mod_Security and cagefs

MPM-ITK, Mod_Security and cagefs

Comment

Comment

Comment

Comment

Comment