httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gustavo A. Baratto" <gbara...@superb.net>
Subject Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?
Date Thu, 26 Aug 2004 16:29:45 GMT
There is a huge performance impact when running php as cgi... Usually php
binaries are big (11 mb in my case), and spawning a new child,  exec() a php
process, and compiling the script  everytime a php page is called is a real
pain for your CPU (and response time for your users).

I am testing fastcgi with php. Running the static php/fastcgi server
requires at least 2 php processes per UID (1 parent and 1 child), so this is
out of question because it would  use lots of memory (you'd be better off
running many instances of apache, each under a different UID).
So, you could run the dynamic version of php/fastcgi. Whenever a php script
is called for the first time under a UID, fastcgi spawns the php processes
(speed similar to normal cgi), and then they stay alive serving subsequent
requests (speed very similar to the module). If these processes are not
being used for a configurable time, they die off.  Basically, you'd  avoid
exec() php everytime a php script is called. The drawback is that for 2000
vhosts, you'd never know which site is is gonna use php, and how often, so
very hard to calculate the memory you gonna use, and the impact this would
have in the server.
The good thing is that you could do this for your perl, python, tcl, etc
scripts as well. I'm having a hard time creating a parent (wrapper) process
for perl though. If someone with more perl skills than myself want to join
this, just let me know...

cheers


----- Original Message ----- 
From: "Robert Andersson" <robert@profundis.nu>
To: <users@httpd.apache.org>
Sent: Thursday, August 26, 2004 6:39 AM
Subject: Re: [users@httpd] How to run php with virtual host based uid/gid on
apache2 ?


> Stephan von Krawczynski wrote:
> > Consider having a setup with around 2000 virtual hosts (with low average
> > traffic) on linux. Using suexec to provide uid/gid for CGI scripts works
> very
> > well. Only real security issue is php as it runs with apache default
> uid/gid.
> > How can one change that?
>
> Your best bet is to run PHP as CGI (through SuExec, of course).
>
> There are also some "safe options" in PHP that limits its permissions
(what
> can be executed, files that can be written etc), but I'm not very familiar
> with securing PHP that way. You could probably read something about this
in
> PHP's docs.
>
> You cannot get the module version of PHP to serve requests under different
> uid/gid without using the perchild MPM; which sadly isn't an option
anyway.
>
> Regards,
> Robert Andersson
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message