httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gustavo A. Baratto" <gbara...@superb.net>
Subject Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?
Date Thu, 26 Aug 2004 17:57:44 GMT
I guess you mean one apache server for each individual UID, right? If yes, I
guess the impact would be in the memory usage. In theory, any shared object
opened with mmap(), should be shared in memory between all processes using
the library.  But this seems to be very platform dependent, and people don't
recommend to rely on the fact that SOs are going to be shared if they have
different parents. This information I got from the freebsd developers
mailing list, and of course, I mean memory shared between two processes that
have nothing to do with each other... Of course, mod_php.so would be shared
between apache processes that have the same parent. But I'm not sure it
would be shared between 2 sets of apache processes, each set spawned by a
different parent (like running two httpd severs with different conf files).

If someone knows this, please enlighten us :)

When you say your perl package manages it all, I'm not sure if you mean it
manages running individual apache servers under different UIDs, or the
fastcgi stuff I described. Which one?

Take care ;)


----- Original Message ----- 
From: "Matthew Pitts" <invinity@nvinity.net>
To: <users@httpd.apache.org>
Sent: Thursday, August 26, 2004 10:10 AM
Subject: Re: [users@httpd] How to run php with virtual host based uid/gid on
apache2 ?


> What is the impact of running individual Apache processes in this
> situation? Obviously, would be able to tailor each server's modules and
> uid/gid seperately. I've been working on something like this with a PERL
> package to manage it all; is this a practical thing to do for a low
> traffic server?
>
> Thanks,
> Matt Pitts
>
> > There is a huge performance impact when running php as cgi... Usually
php
> > binaries are big (11 mb in my case), and spawning a new child,  exec() a
> > php
> > process, and compiling the script  everytime a php page is called is a
> > real
> > pain for your CPU (and response time for your users).
> >
> > I am testing fastcgi with php. Running the static php/fastcgi server
> > requires at least 2 php processes per UID (1 parent and 1 child), so
this
> > is
> > out of question because it would  use lots of memory (you'd be better
off
> > running many instances of apache, each under a different UID).
> > So, you could run the dynamic version of php/fastcgi. Whenever a php
> > script
> > is called for the first time under a UID, fastcgi spawns the php
processes
> > (speed similar to normal cgi), and then they stay alive serving
subsequent
> > requests (speed very similar to the module). If these processes are not
> > being used for a configurable time, they die off.  Basically, you'd
avoid
> > exec() php everytime a php script is called. The drawback is that for
2000
> > vhosts, you'd never know which site is is gonna use php, and how often,
so
> > very hard to calculate the memory you gonna use, and the impact this
would
> > have in the server.
> > The good thing is that you could do this for your perl, python, tcl, etc
> > scripts as well. I'm having a hard time creating a parent (wrapper)
> > process
> > for perl though. If someone with more perl skills than myself want to
join
> > this, just let me know...
> >
> > cheers
> >
> >
> > ----- Original Message -----
> > From: "Robert Andersson" <robert@profundis.nu>
> > To: <users@httpd.apache.org>
> > Sent: Thursday, August 26, 2004 6:39 AM
> > Subject: Re: [users@httpd] How to run php with virtual host based
uid/gid
> > on
> > apache2 ?
> >
> >
> >> Stephan von Krawczynski wrote:
> >> > Consider having a setup with around 2000 virtual hosts (with low
> >> average
> >> > traffic) on linux. Using suexec to provide uid/gid for CGI scripts
> >> works
> >> very
> >> > well. Only real security issue is php as it runs with apache default
> >> uid/gid.
> >> > How can one change that?
> >>
> >> Your best bet is to run PHP as CGI (through SuExec, of course).
> >>
> >> There are also some "safe options" in PHP that limits its permissions
> > (what
> >> can be executed, files that can be written etc), but I'm not very
> >> familiar
> >> with securing PHP that way. You could probably read something about
this
> > in
> >> PHP's docs.
> >>
> >> You cannot get the module version of PHP to serve requests under
> >> different
> >> uid/gid without using the perchild MPM; which sadly isn't an option
> > anyway.
> >>
> >> Regards,
> >> Robert Andersson
> >>
> >>
> >> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP Server
> >> Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message