Comments on: Can You Secure A Shared Server With PHP + FastCGI?

By: Nginx support

Nginx support — Wed, 10 Dec 2008 08:11:48 +0000

good benchmarsk, but why was failures in tests ?
This schemes very good for shared hosting, cause useful and secure.

By: Travers Carter

Travers Carter — Sun, 12 Oct 2008 00:59:39 +0000

I run a similar setup to the one you describe here on several of our servers both for security, and the ability to run parallel PHP versions (the main difference in my config is I use a custom suexec replacement that removes the need to have a wrapper script per vhost) and initially had a similar problem with request failures.

I believe your 1 in 500 failure rate comes from two things:
1) In your wrapper script there is a typo “PHP_FGCI_MAX_REQUESTS=5000″ should be “PHP_FCGI_MAX_REQUESTS=5000″, if this typo is in the actual script PHP would be defaulting to 500 requests maximum per process

2) With php you need to use the mod_fcgid “MaxRequestsPerProcess” option to avoid a race condition in php’s shutdown when it reaches the last request, see the last part of http://fastcgi.coremail.cn/doc.htm (it should be tuned to match your PHP_FCGI_MAX_REQUESTS)

Also as far as I understand mod_fcgid will never send a request to a worker until is has finished with the previous one, so setting PHP_FCGI_CHILDREN=4 will just add unnecessary startup overhead, you are better off letting mod_fcgid start multiple php processes itself.

By: Michael VanDeMar

Michael VanDeMar — Thu, 09 Oct 2008 17:58:04 +0000

I have been trying for a week now to get this running on my server, with some frustrating results. Now I’m getting this in suexec.log:

[2008-10-09 09:13:33]: uid: (500/kitten-art) gid: (501/501) cmd: kitten-art-wrapper

where kitten-art is the user and kitten-art-wrapper is the FCGIWrapper, but then getting a 500 error with this in the httpd error log:

[Thu Oct 09 09:13:33 2008] [notice] mod_fcgid: call /var/www/html/domain.com/public_html/index.php with wrapper /var/www/fastcgi-kitten-art/kitten-art-wrapper
suexec failure: could not open log file
fopen: Permission denied
[Thu Oct 09 09:13:36 2008] [notice] mod_fcgid: process /var/www/html/domain.com/public_html/index.php(17346) exit(communication error), terminated by calling exit(), return code: 1

Since all of the logs are in fact getting written to as far as I can tell (both Apache and site specific ones), I’m not sure what the error is referring to. Any ideas?

By: Stuart Herbert’s Blog: Can You Secure A Shared Server With PHP + FastCGI? : Dragonfly Networks

Wed, 08 Oct 2008 10:32:06 +0000

[...] a new post today Stuart Herbert asks the question “is it possible to secure a shared server with PHP and [...]

By: ah83

ah83 — Wed, 08 Oct 2008 09:35:15 +0000

we use php as cgi with suexec and a php-wrapper written in c.
the performance is really good on a dell server with 2 quadcore opterons and 8 GB RAM.

even typo3 runs great on this platform.

i like the apache suexec cgi setup, because it is simple and well understood and i’m not relying on some esoteric thirdparty apache module.

this setup is ideal for masshosting, but on a server with only 30 sites and a lot of requests i would run apache instances for every site.

litespeed is also a good option, because it works like the fastcgi solution but more
stable.

By: Radical

Radical — Wed, 08 Oct 2008 07:18:08 +0000

Great article.
I was working on a similar setup but for LigHTTPD.

Nice to know this is working in Apache also.

By: Enlaces interesantes

Enlaces interesantes — Tue, 07 Oct 2008 19:32:51 +0000

[...] Can You Secure A Shared Server With PHP + FastCGI? [...]

By: Lafriks

Lafriks — Tue, 07 Oct 2008 18:01:08 +0000

I’m also using lighttpd and php-fcgi for shared hosting security and had no problems with such configuration. I have to help out clients with porting apache mod_rewrite syntax to lighttpd but it’s usually only once for new client.

By: Martin Fjordvald

Martin Fjordvald — Tue, 07 Oct 2008 11:22:12 +0000

Have you considered perhaps using a different web server such as lighttpd? I use lighttpd 1.5.0 without any problems. The downside would be no mod_rewrite through .htaccess though, so I’m not sure how well it would work for your average shared hosting server.

By: Chris Kelly

Chris Kelly — Tue, 07 Oct 2008 10:30:10 +0000

I haven’t experienced the 2/1000 failure rate that you have! All of my problems have been a result of the previous version of APC which would cause pages to show up blank until httpd was gracefully restarted, but the most recent version of APC hasn’t caused these problems. hmm.