cPanel Profile Advice

Hello all, I'm installing cPanel (in a test environment) for the first time and was hoping to get some advice on how best to provision/configure Easy Apache 4.

I've been using NGINX for many years and although not new to server management at all, cPanel has a steep learning curve! The server I'm working on at the moment (and hope to take into production) has 2 CPU cores and 4GB of RAM.

My end goal is to create a shared hosting environment that is both flexible and secure to host your typical blogs, CMS's and e-commerce sites. This server won't be crammed full of accounts so I would like the sites to perform well.

I fully understand that not all environments are the same but I'd appreciate your feedback and any insights you might have on the below:

Apache MPM:

  • mod mpm itk - enabled
  • mod mpm prefork - enabled

PHP Versions:

  • PHP 5.6
  • PHP 7.0
  • PHP 7.1

PHP Extensions - various including:

  • ioncube10 for all 3 PHP versions above
  • PHP FPM for all 3 PHP versions above

I've opted to go down the PHP-FPM route. Would anyone recommend OpCache?

Would anyone recommend against MPM ITK? It's my understanding that this creates a more secure environment by running processes under a user's own access rights.

I've left my Apache global config fairly default.

Thanks!

1 Reply

Hi there,

As you stated, there are many different cPanel configurations that you can go with, but let's try and focus on the following goal:

> My end goal is to create a shared hosting environment that is both flexible and secure to host your typical blogs, CMS's and e-commerce sites.

It sounds like you're looking for just a general, all-purpose cPanel setup that might not be optimized for specific scenarios, but should work with most applications out of the box.

First, let's address your question of mpm-itk vs the standard mpm-prefork.

mpm-itk allows you to run each of your vhosts under a separate uid and gid.

cPanel provides mod_cgi and mod_ruid2 by default. This means that it is not compatible with mpm-itk. While mpm-itk used to be the recommended option, it looks like cPanel themselves have removed the recommendation to use it as of EasyApache4 (source)

While it comes with an upside of convenience since you can choose a different uid/gid for each virtual host without using other modules, the main limitation here is performance as it needs to create a process and destroy it for each query since it has to be running as a different user.

<hr>

> I've opted to go down the PHP-FPM route. Would anyone recommend OpCache?

Personally, I prefer PHP-FPM as well. As for OpCache, I think the consensus that I've personally seen is that you almost always want to have it enabled for performance improvements in a production environment. From some research I've done, it also looks like it is secure:

> Opcache w/FPM is secure. OPCache uses shared memory to cache compiled PHP "opcode" between HTTP requests for reuse. A single shared memory object is opened and initialized in a parent process, and child processes inherit its file descriptor. Due to this design, OPCache is intended for use with a SAPI with a persistent parent process, for example php-fpm with its master process, or apache2handler where initialization occurs in the Apache parent process.

(Source)

You may want to consider reading through this serverfault thread here though, for some security concerns about the cache being shared across all users.

<hr>

> Would anyone recommend against MPM ITK? It's my understanding that this creates a more secure environment by running processes under a user's own access rights.

Unless you have a specific reason for wanting to run Apache under specific uid/gids, I prefer to use separate PHP-FPM pools for isolation and separation of user processes. MPM ITK is an older solution which is easy to configure but may be unnecessary unless you have a specific reason for wanting it (which personally, I'm not aware of any good ones).

<hr>

To summarize, while I'm no expert on any of this, I have played around with a few of the technologies/modules you've mentioned, and I tend to run PHP-FPM on almost all my stacks (whether it be cPanel or my own LEMP stacks). Hopefully, I was able to provide a little bit of insight and perhaps point you towards possible other sources that you may want to check out. There's a LOT of older resources out there which are a pain to go through, but as obvious as this may sound -- If you left most of the configuration options fairly default, you should be good to go for a "fairly default" setup where you want to maximize compatibility with your different web applications while performing fairly. In regards to security, I would definitely go through the cPanel documentation for any specific flags for a setting you might be looking at, but I would definitely recommend going through this article (here) on hardening your system.
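
Added example, not part of the reply above or of cPanel's tooling: a small Python check for the two isolation points the answer raises, one PHP-FPM pool per account and OPcache shared between users. The pool and php.ini text are constructed samples, and `opcache.validate_permission` is a php.ini directive the thread does not mention; it makes OPcache check a cached script's permissions against the current user.

```python
import re
# Constructed sample input: two per-account pools and a php.ini fragment.
POOLS = """
[alice]
user = alice
listen = /run/php-fpm/alice.sock
[bob]
user = alice                ; copy-paste slip: bob's pool runs as alice
listen = /run/php-fpm/bob.sock
listen.mode = 0666
"""
PHP_INI = """
[opcache]
opcache.enable = 1
opcache.validate_permission = 0
"""

def parse_ini(text):
    """Parse ini-style text into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def audit(pools_text, php_ini_text):
    """Return findings where isolation between hosting accounts is weakened."""
    findings, owners = [], {}
    pools = {n: c for n, c in parse_ini(pools_text).items() if n != "global"}
    for name, cfg in pools.items():
        owners.setdefault(cfg.get("user", ""), []).append(name)
        mode = cfg.get("listen.mode", "0660")  # PHP-FPM's default socket mode
        # A world-writable Unix socket accepts connections from any local account.
        if cfg.get("listen", "").startswith("/") and int(mode, 8) & 0o002:
            findings.append(f"{name}: socket mode {mode} is writable by any local user")
    for user, names in owners.items():
        if user and len(names) > 1:
            findings.append(f"user {user} is shared by pools {', '.join(names)}")
    ini = {k: v.lower() for sec in parse_ini(php_ini_text).values() for k, v in sec.items()}
    on = ("1", "on", "true", "yes")
    if ini.get("opcache.enable", "1") in on and ini.get("opcache.validate_permission", "0") not in on:
        findings.append("opcache enabled without opcache.validate_permission")
    return findings
```

Calling `audit(POOLS, PHP_INI)` on the sample returns three findings: bob's world-writable socket, the `alice` user shared by two pools, and OPcache running without permission validation.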
