mpm-itk is a working alternative to the b0rked perchild mpm, but in
prefork mode. It’s currently maintained by Steinar H. Gunderson. Please
for more details.
It was developed for apache 2.0.x and was recently ported to apache 2.2.
Since I enjoy apache 2.2, this little howto is written for
apache 2.2.x, but it works for apache 2.0.x too.

First of all CVSup your ports tree. Go to apache22 port and build
apache with “itk” as MPM :

$ cd /usr/ports/www/apache22
$ sudo make WITH_MPM=itk
< output...>
$ sudo make install clean

Let’s check we have the right MPM.

$ /usr/local/sbin/httpd -V | grep MPM
Server MPM:     ITK
-D APACHE_MPM_DIR="server/mpm/experimental/itk"

Nice! We can now see how our apache22 reacts :)

$ sudo /usr/local/etc/rc.d/apache22 forcestart
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
$ ps auxwww | grep httpd
root    92484  0.0  0.7 73452  7116  ?? Ss    4:18PM   0:00.09 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    92485  0.0  0.7 73484  7132  ?? S     4:18PM   0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    92486  0.0  0.7 73484  7132  ?? S     4:18PM   0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    92487  0.0  0.7 73484  7132  ?? S     4:18PM   0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    92488  0.0  0.7 73484  7132  ?? S     4:18PM   0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    92489  0.0  0.7 73484  7132  ?? S     4:18PM   0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT

Ohoh! apache is owned by root. No, I didn’t put a backdoor ;) apache runs as root because, until the request gets parsed, we don’t know which virtual host is requested and, therefore, which user to switch to. A security risk exists: any bug in the code that runs before request parsing can lead to root compromise. If there is a major flaw in mod_ssl, pray and update ASAP.

Still here? Not scared? You should be :)
mpm-itk uses 2 directives:
AssignUserID, the UID/GID assigned to the child process, and MaxClientsVHost, the maximum number of children alive at the same time for this virtual host.

Don’t uncomment ‘#Include etc/apache22/extra/httpd-vhosts.conf’ in
${PREFIX}/etc/apache22/httpd.conf, the config file is b0rked (it’s on
my ToDo list).

Instead edit ${PREFIX}/etc/apache22/Includes/100.NameVirtualHost.conf
and put:

NameVirtualHost *:80

(I usually leave 0xx for modules configurations)

Add something like this to

<VirtualHost *:80>
    DocumentRoot /usr/local/www/apache22/data
    AssignUserID  nobody nogroup
    MaxClientsVHost 10
</VirtualHost>

Now add a different vhost. My vhost is “”, So
in ${PREFIX}/etc/apache22/Includes/ I

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /home/www/
    AssignUserID  clement clement
    MaxClientsVHost 50
    <Directory /home/www/>
            Order allow,deny
            Allow from all
    </Directory>
</VirtualHost>
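
An added example, not from the original post or the mpm-itk project: a small sh/awk audit that lists the AssignUserID and MaxClientsVHost values of every <VirtualHost> block in the given files and flags blocks with no AssignUserID (such a vhost falls back to the server-wide User/Group), with root assigned, or with no per-vhost cap. The function name, verdict labels and sample config are constructed for illustration.

```shell
#!/bin/sh
# audit_vhosts FILE...
# Prints one line per <VirtualHost> block: file:line user group maxclients verdict
audit_vhosts() {
    awk '
    function report() {
        verdict = "ok"
        if (user == "-")         verdict = "NO-ASSIGNUSERID"     # default User/Group applies
        else if (user == "root") verdict = "ASSIGNED-ROOT"       # requests would stay root
        else if (max == "-")     verdict = "NO-MAXCLIENTSVHOST"  # no per-vhost child cap
        printf "%s:%d %s %s %s %s\n", file, start, user, group, max, verdict
    }
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }  # directives are case-insensitive
    low ~ /^#/ { next }                                           # skip commented-out lines
    low ~ /^<virtualhost[ \t>]/ {
        if (invh) report()                                        # previous block was never closed
        invh = 1; file = FILENAME; start = FNR; user = group = max = "-"
        next
    }
    low ~ /^<\/virtualhost>/ { if (invh) report(); invh = 0; next }
    invh && low ~ /^assignuserid[ \t]/    { split(line, f, /[ \t]+/); user = f[2]; group = f[3]; next }
    invh && low ~ /^maxclientsvhost[ \t]/ { split(line, f, /[ \t]+/); max = f[2]; next }
    END { if (invh) report() }
    ' "$@"
}

# Constructed sample config (not taken from the server in this post).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/200.vhosts.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /usr/local/www/apache22/data
    AssignUserID  nobody nogroup
    MaxClientsVHost 10
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /home/www/
    AssignUserID  clement clement
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /home/other/
</VirtualHost>
EOF
    audit_vhosts "$tmp"/*.conf
    rm -rf "$tmp"
}
demo
```

On a real install, point it at the vhost files, for example `audit_vhosts ${PREFIX}/etc/apache22/Includes/*.conf`.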

I’ve also installed PHP5 to perform some basic testing. Let’s restart

$ sudo /usr/local/etc/rc.d/apache22 forcerestart

I run this simple script:


We run _the_ *basic* test…

$ fetch -q -o -
uid=65534(nobody) gid=65534(nobody) egid=65533(nogroup) groups=65533(nogroup)
$ fetch -q -o -
uid=1000(clement) gid=1000(clement) groups=1000(clement)

And it works! I don’t even have to keep the o+x bit on directories :)

Have fun!

1 comment on “FreeBSD, Apache 2.x and itk mpm”

  1. 1 Edwin

    I’ve tried it and the shown things work. It’s running as the designated user.
    However I’m facing 2 strange problems.
    1. the phpinfo is showing user/group as #-1/-1
    2. all hostname resolution seems to have stopped working.
    include(“”) is not working but
    include(“”) is working.
    It’s also with fopen, fsockopen etc. All that requires name resolution.
    Anybody have any ideas about this?
    Running Apache 2.2.8 with_mpm=itk compiled and php-5.2.5.

