Posted to users@httpd.apache.org by Matthew Pitts <in...@nvinity.net> on 2004/08/26 19:10:38 UTC

Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?

What is the impact of running individual Apache processes in this
situation? Obviously, would be able to tailor each server's modules and
uid/gid separately. I've been working on something like this with a PERL
package to manage it all; is this a practical thing to do for a low
traffic server?

Thanks,
Matt Pitts

> There is a huge performance impact when running php as cgi... Usually php
> binaries are big (11 mb in my case), and spawning a new child, exec() a php
> process, and compiling the script every time a php page is called is a real
> pain for your CPU (and response time for your users).
>
> I am testing fastcgi with php. Running the static php/fastcgi server
> requires at least 2 php processes per UID (1 parent and 1 child), so this is
> out of question because it would use lots of memory (you'd be better off
> running many instances of apache, each under a different UID).
> So, you could run the dynamic version of php/fastcgi. Whenever a php script
> is called for the first time under a UID, fastcgi spawns the php processes
> (speed similar to normal cgi), and then they stay alive serving subsequent
> requests (speed very similar to the module). If these processes are not
> being used for a configurable time, they die off. Basically, you'd avoid
> exec() php every time a php script is called. The drawback is that for 2000
> vhosts, you'd never know which site is gonna use php, and how often, so
> very hard to calculate the memory you gonna use, and the impact this would
> have in the server.
> The good thing is that you could do this for your perl, python, tcl, etc
> scripts as well. I'm having a hard time creating a parent (wrapper) process
> for perl though. If someone with more perl skills than myself wants to join
> this, just let me know...
>
> cheers
>
>
> ----- Original Message -----
> From: "Robert Andersson" <ro...@profundis.nu>
> To: <us...@httpd.apache.org>
> Sent: Thursday, August 26, 2004 6:39 AM
> Subject: Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?
>
>
>> Stephan von Krawczynski wrote:
>> > Consider having a setup with around 2000 virtual hosts (with low average
>> > traffic) on linux. Using suexec to provide uid/gid for CGI scripts works very
>> > well. Only real security issue is php as it runs with apache default uid/gid.
>> > How can one change that?
>>
>> Your best bet is to run PHP as CGI (through SuExec, of course).
>>
>> There are also some "safe options" in PHP that limit its permissions (what
>> can be executed, files that can be written etc), but I'm not very familiar
>> with securing PHP that way. You could probably read something about this in
>> PHP's docs.
>>
>> You cannot get the module version of PHP to serve requests under different
>> uid/gid without using the perchild MPM; which sadly isn't an option anyway.
>>
>> Regards,
>> Robert Andersson
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>


Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?

Posted by Matthew Pitts <in...@nvinity.net>.
Thanks for the response and sorry for the lack of clarification.

By 'managing it all' I mean the launching of Apache processes using command line arguments to set
runtime options such as User, Group, ServerName, DocumentRoot, modules to load, etc. Of course,
this allows for the inclusion of fastcgi if you so desire :-).

Thanks for the info. on shared memory. Is there a way to determine among many httpd processes
what, if any, memory is shared? My printout from ps shows about 20MB of memory usage for each
parent and child; at least I think that's right.

Thanks,
Matt Pitts

> I guess you mean one apache server for each individual UID, right? If yes, I
> guess the impact would be in the memory usage. In theory, any shared object
> opened with mmap(), should be shared in memory between all processes using
> the library.  But this seems to be very platform dependent, and people don't
> recommend to rely on the fact that SOs are going to be shared if they have
> different parents. This information I got from the freebsd developers
> mailing list, and of course, I mean memory shared between two processes that
> have nothing to do with each other... Of course, mod_php.so would be shared
> between apache processes that have the same parent. But I'm not sure it
> would be shared between 2 sets of apache processes, each set spawned by a
> different parent (like running two httpd servers with different conf files).
>
> If someone knows this, please enlighten us :)
>
> When you say your perl package manages it all, I'm not sure if you mean it
> manages running individual apache servers under different UIDs, or the
> fastcgi stuff I described. Which one?
>
> Take care ;)


Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?

Posted by "Gustavo A. Baratto" <gb...@superb.net>.
I guess you mean one apache server for each individual UID, right? If yes, I
guess the impact would be in the memory usage. In theory, any shared object
opened with mmap(), should be shared in memory between all processes using
the library.  But this seems to be very platform dependent, and people don't
recommend to rely on the fact that SOs are going to be shared if they have
different parents. This information I got from the freebsd developers
mailing list, and of course, I mean memory shared between two processes that
have nothing to do with each other... Of course, mod_php.so would be shared
between apache processes that have the same parent. But I'm not sure it
would be shared between 2 sets of apache processes, each set spawned by a
different parent (like running two httpd servers with different conf files).

If someone knows this, please enlighten us :)

When you say your perl package manages it all, I'm not sure if you mean it
manages running individual apache servers under different UIDs, or the
fastcgi stuff I described. Which one?

Take care ;)


----- Original Message ----- 
From: "Matthew Pitts" <in...@nvinity.net>
To: <us...@httpd.apache.org>
Sent: Thursday, August 26, 2004 10:10 AM
Subject: Re: [users@httpd] How to run php with virtual host based uid/gid on apache2 ?


> What is the impact of running individual Apache processes in this
> situation? Obviously, would be able to tailor each server's modules and
> uid/gid separately. I've been working on something like this with a PERL
> package to manage it all; is this a practical thing to do for a low
> traffic server?
>
> Thanks,
> Matt Pitts
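
The open question in this thread, how much memory separate httpd instances running under different UIDs actually share, can be measured on Linux from /proc. The script below is an added example and not part of the original messages; it assumes a kernel whose /proc/<pid>/smaps reports Pss, and the function names, sample figures and module path are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

FIELDS = ("Rss", "Pss", "Shared_Clean", "Shared_Dirty", "Private_Clean", "Private_Dirty")
_COUNTER = re.compile(r"^(\w+):\s+(\d+) kB$")

def parse_smaps(text):
    """Sum the per-mapping counters (kB) of one /proc/<pid>/smaps dump."""
    totals = dict.fromkeys(FIELDS, 0)
    for line in text.splitlines():
        m = _COUNTER.match(line.strip())
        if m and m.group(1) in totals:
            totals[m.group(1)] += int(m.group(2))
    totals["Shared"] = totals["Shared_Clean"] + totals["Shared_Dirty"]
    totals["Private"] = totals["Private_Clean"] + totals["Private_Dirty"]
    return totals

def effective_uid(status_text):
    """Effective UID from /proc/<pid>/status ('Uid: real effective saved fs')."""
    return int(re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M).group(1))

def summarize(procs):
    """procs: iterable of (status_text, smaps_text); returns {uid: totals in kB}."""
    by_uid = defaultdict(lambda: defaultdict(int))
    for status, smaps in procs:
        totals = by_uid[effective_uid(status)]
        totals["procs"] += 1
        for key, kb in parse_smaps(smaps).items():
            totals[key] += kb
    return {uid: dict(t) for uid, t in by_uid.items()}

def live_procs(name="httpd"):
    """Yield (status, smaps) for running processes called `name` (run as root)."""
    for proc in (p for p in Path("/proc").iterdir() if p.name.isdigit()):
        try:
            status = (proc / "status").read_text()
            if status.split(None, 2)[1] == name:
                yield status, (proc / "smaps").read_text()
        except (OSError, IndexError):
            continue  # process exited or is not readable

# Constructed sample: two httpd instances under different UIDs mapping the same
# 4000 kB mod_php.so; a page shared by two processes counts half in each Pss.
def _sample(uid, private_kb):
    status = f"Name:\thttpd\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"
    smaps = ("b7000000-b73e8000 r-xp 00000000 08:01 2211 /usr/lib/apache2/modules/mod_php.so\n"
             "Rss: 4000 kB\nPss: 2000 kB\nShared_Clean: 4000 kB\n"
             "0a000000-0a800000 rw-p 00000000 00:00 0 [heap]\n"
             f"Rss: {private_kb} kB\nPss: {private_kb} kB\nPrivate_Dirty: {private_kb} kB\n")
    return status, smaps

SAMPLE = [_sample(1001, 6000), _sample(1002, 8000)]
```

Summed over all processes, Pss counts each shared page once while Rss counts it once per process, so the gap between the two totals is the memory that really is shared. On a live host, `summarize(live_procs())` gives the same breakdown per UID.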