Secure, Fast and Experimental PHP Handling
PBWEB.CO.UK
@PHILL_BROWN
What is a PHP Handler?
Interprets code
<?php echo 'Hello';
Hello
DSO (mod_php)
• Makes PHP part of Apache
• Oldest and most common
• Runs in the same process as Apache - low CPU and memory usage
• PHP-created files owned by apache user
CGI
• Runs as a program outside of your server
• Reads php.ini configuration at runtime
• Loads PHP on every request - requires more CPU time and processes
suPHP
• Apache runs as the user that owns the requested PHP script
• Doesn't support PHP accelerators, e.g. APC
• High CPU usage
FastCGI
• Apache runs as the user that owns the requested PHP script
• Keeps a persistent session in the background
• Lower CPU but high memory usage
Summary
DSO CGI suPHP FastCGI
CPU usage
Memory usage
Run as file owner
Supports PHP Accelerators
The Ultimate Handler Setup
CPU usage
Memory usage
Run as file owner
Supports PHP Accelerators
Enter mod_ruid2
What is mod_ruid2?
[Diagram: Apache, mod_ruid2, /webroot]
Tells Apache to run /webroot files as User1 and Group1
Loads a wrapper program that executes your scripts using the configured credentials
Where did mod_ruid2 come from?
mod_suid2 mod_ruid2
Faster
Makes use of the Linux kernel to reduce processes
How do we use mod_ruid2 to achieve The Ultimate Handler Setup?
DSO + mod_ruid2
DSO
• Low CPU usage
• Low memory usage
• PHP accelerator support
mod_ruid2
• Process ownership control
[Diagram: Apache server]
Site1 files owned by User1
Site2 files owned by User2
Site3 files owned by User3
Apache is imprisoned in each website
It gets better...
Apache can write to any file
Site 1
includes
misc
modules
profiles
scripts
sites
themes
index.php
...
But we can lock down Apache even further
Site 1
includes
misc
modules
profiles
scripts
sites/default/files
themes
index.php
...
Create a separate user for Apache
Group: User, ApacheUser
-rw-r----- User Group index.php
drwxrwx--- User Group sites/default/files
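The lock-down above as a script, added here as an example and not part of the original slides: `lockdown_perms` applies the two modes shown, and `audit_group_writable` lists anything outside the upload directory that the Apache account could still write. The function names are hypothetical, and it assumes ownership is already set to User:Group with ApacheUser a member of Group.

```sh
#!/bin/sh
# Added example: apply and audit the permission layout from the slides.
# Assumption: the tree is already owned by User:Group and the Apache
# account (ApacheUser) is a member of Group; chown/chgrp needs root and
# is left to the administrator.

# lockdown_perms WEBROOT WRITABLE_REL
# Code tree: owner read/write, group read-only, nothing for others
#   (files 640 as shown for index.php, directories 750).
# Upload directory: owner and group full access (770 as shown for
#   sites/default/files), files inside 660.
lockdown_perms() {
    webroot=$1
    writable=$1/$2
    find "$webroot" -type d -exec chmod 750 {} +
    find "$webroot" -type f -exec chmod 640 {} +
    find "$writable" -type d -exec chmod 770 {} +
    find "$writable" -type f -exec chmod 660 {} +
}

# audit_group_writable WEBROOT WRITABLE_REL
# Prints every path outside the upload directory that group or others
# can write, i.e. everything a group-member Apache account could modify
# besides uploads. Symlinks are skipped because their own mode bits are
# not meaningful.
audit_group_writable() {
    webroot=$1
    writable=$1/$2
    find "$webroot" -path "$writable" -prune -o \
        \( -perm -020 -o -perm -002 \) ! -type l -print
}
```

Typical use is `lockdown_perms /path/to/site1 sites/default/files` after a deploy, then `audit_group_writable` with the same arguments from a scheduled job; any output means the code tree has drifted from the layout.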
This is The Ultimate Handler Setup
Thank you for listening!
Handling questions...