httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthew Pitts" <invin...@nvinity.net>
Subject Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?
Date Thu, 26 Aug 2004 17:10:38 GMT
What is the impact of running individual Apache processes in this
situation? Obviously, would be able to tailor each server's modules and
uid/gid seperately. I've been working on something like this with a PERL
package to manage it all; is this a practical thing to do for a low
traffic server?

Thanks,
Matt Pitts

> There is a huge performance impact when running php as cgi... Usually php
> binaries are big (11 mb in my case), and spawning a new child,  exec() a
> php
> process, and compiling the script  everytime a php page is called is a
> real
> pain for your CPU (and response time for your users).
>
> I am testing fastcgi with php. Running the static php/fastcgi server
> requires at least 2 php processes per UID (1 parent and 1 child), so this
> is
> out of question because it would  use lots of memory (you'd be better off
> running many instances of apache, each under a different UID).
> So, you could run the dynamic version of php/fastcgi. Whenever a php
> script
> is called for the first time under a UID, fastcgi spawns the php processes
> (speed similar to normal cgi), and then they stay alive serving subsequent
> requests (speed very similar to the module). If these processes are not
> being used for a configurable time, they die off.  Basically, you'd  avoid
> exec() php everytime a php script is called. The drawback is that for 2000
> vhosts, you'd never know which site is is gonna use php, and how often, so
> very hard to calculate the memory you gonna use, and the impact this would
> have in the server.
> The good thing is that you could do this for your perl, python, tcl, etc
> scripts as well. I'm having a hard time creating a parent (wrapper)
> process
> for perl though. If someone with more perl skills than myself want to join
> this, just let me know...
>
> cheers
>
>
> ----- Original Message -----
> From: "Robert Andersson" <robert@profundis.nu>
> To: <users@httpd.apache.org>
> Sent: Thursday, August 26, 2004 6:39 AM
> Subject: Re: [users@httpd] How to run php with virtual host based uid/gid
> on
> apache2 ?
>
>
>> Stephan von Krawczynski wrote:
>> > Consider having a setup with around 2000 virtual hosts (with low
>> average
>> > traffic) on linux. Using suexec to provide uid/gid for CGI scripts
>> works
>> very
>> > well. Only real security issue is php as it runs with apache default
>> uid/gid.
>> > How can one change that?
>>
>> Your best bet is to run PHP as CGI (through SuExec, of course).
>>
>> There are also some "safe options" in PHP that limits its permissions
> (what
>> can be executed, files that can be written etc), but I'm not very
>> familiar
>> with securing PHP that way. You could probably read something about this
> in
>> PHP's docs.
>>
>> You cannot get the module version of PHP to serve requests under
>> different
>> uid/gid without using the perchild MPM; which sadly isn't an option
> anyway.
>>
>> Regards,
>> Robert Andersson
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message