The challenge with securing a shared hosting server is how to secure each website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive.
This has created a gap that a number of third-party solutions have attempted to fill. One solution you may have heard of is mpm-itk, by Steinar H. Gunderson. How well does it work, and how well does it perform?
- mpm-itk: Running Apache As A Specified User
- Installing mpm-itk
- Configuring Apache
- Some Benchmarks
- Other Considerations
mpm-itk: Running Apache As A Specified User
Like mpm-peruser, mpm-itk is an alternative multi-processing module (MPM) for Apache 2.x. It also allows each website’s PHP scripts to run as a separate user. But the main difference is that it doesn’t maintain separate pools of processes for each user. Instead, after the PHP request has completed, each process is terminated, and new processes must be created to handle new requests.
Until I researched mpm-itk for this article, I didn’t realise that it didn’t recycle processes after each request. This means that there’s no chance at all of it matching mpm-peruser for performance (something I suggested was possible), but that doesn’t mean that mpm-itk is entirely without merit.
Installing mpm-itk
mpm-itk needs to be compiled into your Apache installation. It cannot be loaded as a module.
First of all, download the Apache source code, and then download either the mpm-itk patch for Apache 2.0, or the mpm-itk patch for Apache 2.2. For this article, I’m going to focus on Apache 2.2, but the same instructions should apply for Apache 2.0.
Unpack the Apache source code, apply the mpm-itk patch, and rebuild Apache’s build scripts:
$ mkdir -p /tmp/apache-itk
$ cd /tmp/apache-itk
$ wget http://www.mirrorservice.org/sites/ftp.apache.org/httpd/httpd-2.2.8.tar.gz
$ wget http://mpm-itk.sesse.net/apache2.2-mpm-itk-20080105-00.patch
$ tar -zxf httpd-2.2.8.tar.gz
$ cd httpd-2.2.8
$ patch -p1 < ../apache2.2-mpm-itk-20080105-00.patch
$ autoconf
Then, configure the Apache source code to build with mpm-itk as the chosen MPM. Make sure that you run configure with any other configuration switches that you need:
$ ./configure --with-mpm=itk
After that, compile and install Apache (chaining the two with && means the install step only runs if the build succeeded):
$ make && make install
Configuring Apache
mpm-itk is very easy to configure. For each of your virtual hosts, simply add the AssignUserId entry:
<VirtualHost *:80>
    ServerName www.example.com
    ...
    <IfModule mpm_itk_module>
        AssignUserId stuart stuart
    </IfModule>
</VirtualHost>
AssignUserId takes two parameters:
- The first parameter is the user ID to run Apache under for this website.
- The second parameter is the group ID to run Apache under for this website.
Remember to restart Apache after adding AssignUserId, and you should be all set.
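Because a virtual host that has no AssignUserId falls back to Apache's global User and Group, and one that assigns root runs that site's PHP as root, it is worth checking every vhost after editing. The script below is an added example, not code from the article or from the mpm-itk project: it writes a constructed three-vhost config to an assumed temporary path, then scans it and reports each vhost as OK, MISSING (no AssignUserId) or ROOT (assigned to root or uid/gid 0). It is a plain text scan and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache vhost config
# for mpm-itk AssignUserId coverage. A <VirtualHost> without AssignUserId runs
# as the global User/Group, silently losing per-site isolation; one assigned
# to root (or uid/gid 0) runs the site's PHP as root.
set -e

# Assumed location for the constructed sample config written below.
SAMPLE_CONF="${TMPDIR:-/tmp}/itk-audit-sample.conf"

# write_sample_config FILE: writes a constructed three-vhost config for the demo.
write_sample_config() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example
    <IfModule mpm_itk_module>
        AssignUserId stuart stuart
    </IfModule>
</VirtualHost>

# Constructed: this site was added without AssignUserId.
<VirtualHost *:80>
    ServerName shop.example.net
    DocumentRoot /var/www/shop
</VirtualHost>

# Constructed: this site was (wrongly) assigned to root.
<VirtualHost *:80>
    ServerName admin.example.org
    <IfModule mpm_itk_module>
        AssignUserId root root
    </IfModule>
</VirtualHost>
EOF
}

# audit_vhosts FILE: prints one line per vhost:
#   "<ServerName> <OK|MISSING|ROOT> [user group]"
audit_vhosts() {
    awk '
    /^[ \t]*<VirtualHost/ { invh = 1; name = "(no ServerName)"; user = ""; group = ""; next }
    invh && tolower($1) == "servername"   { name = $2; next }
    invh && tolower($1) == "assignuserid" { user = $2; group = $3; next }
    /^[ \t]*<\/VirtualHost>/ {
        if (user == "")
            status = "MISSING"
        else if (user == "root" || user == "0" || group == "root" || group == "0")
            status = "ROOT"
        else
            status = "OK"
        print name, status, user, group
        invh = 0; next
    }' "$1"
}

# count_status FILE STATUS: number of vhosts that received the given status.
count_status() {
    audit_vhosts "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# Stand-alone run: write the sample, print the report, and total the problems.
write_sample_config "$SAMPLE_CONF"
audit_vhosts "$SAMPLE_CONF"
problems=$(( $(count_status "$SAMPLE_CONF" MISSING) + $(count_status "$SAMPLE_CONF" ROOT) ))
echo "vhosts needing attention: $problems"
```

Point audit_vhosts at your real vhost files (one call per file, or a loop over them) after any change, and treat a MISSING or ROOT line as something to fix before reloading Apache.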
Some Benchmarks
To benchmark mpm-itk, I used Apache's ab benchmark to load a simple phpinfo() page 1,000 times. I ran the benchmark five times, and averaged the results.
- mpm-itk: average of 37.01 seconds
- mpm-prefork: average of 6.21 seconds
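To reproduce this kind of measurement, the script below, an added example rather than the article's own tooling, runs ab a given number of times and then summarises the "Time taken for tests" line from each run as count, mean, minimum and maximum. The run_benchmark function needs ab and a live server, so the stand-alone demo uses a constructed log of five fabricated runs written to an assumed temporary path; the numbers in it are not real measurements.

```shell
#!/bin/sh
# Added example (not from the original article): repeat an ab run and
# summarise the "Time taken for tests" figures, as the article's benchmark does.
set -e

# run_benchmark URL RUNS LOG: run ab (1,000 requests, one at a time) RUNS times,
# appending each run's output to LOG. Requires ab and a reachable URL such as
# http://www.example.com/phpinfo.php (hypothetical).
run_benchmark() {
    url=$1; runs=$2; log=$3
    i=0
    while [ "$i" -lt "$runs" ]; do
        ab -n 1000 -c 1 "$url" >> "$log"
        i=$((i + 1))
    done
}

# summarise_runs LOG: prints "<runs> <mean> <min> <max>" in seconds (2 dp),
# built from every "Time taken for tests:" line in LOG.
summarise_runs() {
    awk '/^Time taken for tests:/ {
             if (n == 0 || $5 < min) min = $5
             if (n == 0 || $5 > max) max = $5
             sum += $5; n++
         }
         END {
             if (n == 0) { print "no runs found"; exit 1 }
             printf "%d %.2f %.2f %.2f\n", n, sum / n, min, max
         }' "$1"
}

# Constructed sample log: the relevant line from five fabricated ab runs.
SAMPLE_LOG="${TMPDIR:-/tmp}/itk-ab-sample.log"
write_sample_log() {
    cat > "$1" <<'EOF'
Time taken for tests:   36.800 seconds
Time taken for tests:   37.250 seconds
Time taken for tests:   36.950 seconds
Time taken for tests:   37.400 seconds
Time taken for tests:   36.650 seconds
EOF
}

# Stand-alone run on the constructed log.
write_sample_log "$SAMPLE_LOG"
echo "runs mean min max: $(summarise_runs "$SAMPLE_LOG")"
```

Reporting the minimum and maximum alongside the mean shows how much the runs vary, which matters when comparing MPMs whose results differ by a few seconds rather than by a factor of six.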
Other Considerations
It isn’t just about performance. Both suexec and suphp bring limitations to your PHP applications, but mpm-itk does not. Because mpm_itk puts the job of switching users in the right place – at the heart of Apache – it allows your code to run under mod_php. As a result, your code is free to take advantage of any Apache features that aren’t available to PHP/CGI, such as HTTP authentication support.
Another consideration is the impact on RAM and CPU. Whilst you can definitely use mpm-peruser to provide a faster solution, it does involve a lot of effort in tuning the size of the process pools for each of the websites on a shared server. On a shared hosting server, you can’t necessarily find one tuned configuration that always suits demand – and it may not be worth your time to put the effort in anyway. Although mpm-itk is slower, it doesn’t need tuning for each individual website. It’s more of a fire-and-forget solution that might appeal to hosting providers who don’t know (and don’t really need to care) what your customers’ websites are.
Although it needs to be compiled from source, mpm-itk provides the security of suexec and suphp with much greater performance than either of these solutions. Although it performs worse than mpm-peruser, mpm-itk doesn’t require as much effort to configure and tune for best performance, and its greater simplicity probably makes it better suited to shared hosting servers running a random collection of websites.
mpm-itk is an option that you should seriously consider when designing your shared hosting server solution.
This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you'd like to see covered in future articles, please leave them in the comments on this page.