PHP 5.4.0 released

Posted Mar 3, 2012 7:47 UTC (Sat) by Cato (subscriber, #7643)
In reply to: PHP 5.4.0 released by rfunk
Parent article: PHP 5.4.0 released

If you want some degree of security, you need to use CGI not mod_php on any host with more than one application owner, e.g. shared web hosting. And CGI is slow, so it's better to use FastCGI (i.e. separate PHP server to web server) so your web app can run as the right userid yet not pay the CGI startup overhead. This is essential for more complex apps or higher volume websites, which also tend to require some security.

I believe Ruby and Python are often deployed in the same way.


PHP 5.4.0 released

Posted Mar 3, 2012 14:50 UTC (Sat) by rfunk (subscriber, #4054)

PHP-FPM is a much better solution than fastcgi if you need that sort of thing; people who are running Apache (and therefore don't have huge traffic issues) generally don't though. For shared hosting, suPHP improves security greatly by running as the user who owns the file. (However, I haven't really paid much attention to shared hosting myself.)

I can't speak for Python, but the Ruby world abandoned fastcgi years ago because of its many problems, in favor of Java-style middleware layers.

PHP 5.4.0 released

Posted Mar 3, 2012 15:28 UTC (Sat) by Cato (subscriber, #7643)

Actually PHP-FPM is a FastCGI implementation, with the F standing for FastCGI: http://php-fpm.org/

suPHP is similar to suexec and often used with CGI but that doesn't change my point that mod_php is not used on shared hosting (or at least responsible shared hosting).

On Python and Ruby, I just meant the principle of having a persistent interpreter process running outside the web server, not FastCGI specifically.

PHP 5.4.0 released

Posted Mar 3, 2012 15:47 UTC (Sat) by rfunk (subscriber, #4054)

Ah, sorry, I was actually thinking of suexec when I said suPHP. Either way, I'm not very much concerned with shared hosting.

I see a big difference between fastcgi and using an application server, possibly because I remember the pain of using fastcgi with Ruby, and the major differences when I set up an application server instead.

PHP 5.4.0 released

Posted Mar 5, 2012 8:39 UTC (Mon) by colo (subscriber, #45564)

Not necessarily true; using Apache's mpm-itk, you can achieve the same level of security/privilege separation that you have with (f)cgi and suexec with e.g. mod_php as well.

PHP 5.4.0 released

Posted Mar 5, 2012 8:50 UTC (Mon) by anselm (subscriber, #2796)

Privilege separation isn't the only advantage of setups like FastCGI or WSGI that keep the language interpreter separate from the web server. Another advantage is that you get to proxy only those requests to the language interpreter that actually need it, while requests for, say, small static image files don't occupy expensive language-interpreter-containing Apache processes. This is probably the #1 thing you can do to speed up dynamic web sites.

There are of course other ways of achieving this – e.g., by putting a more lightweight web server in front of your Apache/mod_php to serve any static content and have that server proxy only the PHP stuff to the actual Apache, or by serving static content from a different server altogether – but mpm-itk isn't one of them.
