As well as being there to talk about how we built Twittex in 7 days, I’m very interested in meeting up with folks in the UK who are freelance web developers.  I want to know more about what you want from a web hosting solution, especially what you’d like to see but can’t find anywhere in the UK atm.  If that sounds interesting to you, drop me a line before the conference, and we’ll arrange to meet up during the Friday or Saturday evening socials.

And I’m also interested in talking to anyone who’s going to PHPNW08 who’s interested in building apps for VoIP too.

Share This

What would you add to this list?

• Arrange with on-line friends to meet up either the night before or before the presentations start on the day.
• Look for social groups (e.g. PHP Women) you can join before the conference, to see if anyone like-minded is going.
• If the conference has more than one presentation going on at once (== multiple tracks), work out in advance which presentations you’d like to go and see.  You can always change your mind afterwards
• Bring a laptop - a lot of the conversation at the conference happens online (such as on Twitter).
• Bring a mobile broadband card with you too (do you have mobile broadband outside the UK?), as conference wireless systems can be incredibly unreliable.
• Be yourself, but don’t bullshit - the folks you’re trying to impress could be prospective customers, work colleagues or employers.
• Stay for the after-conference drinks & food, where you can socialise and network.

Share This

I’ve already written about a number of solutions that work, but one option I’ve been asked time and time again to look at is using PHP + FastCGI. The belief is that using FastCGI will overcome the performance issues of Apache’s suexec or mod_suphp, because FastCGI processes persist between page views.

But before we can look at performance, the first question is: how exactly do we get PHP and FastCGI running as different users on the one web server in the first place?

Installing And Configuring mod_fcgid for Apache

Stock Apache does not ship with built-in support for FastCGI. You need to download and install a third-party module. There are two choices - the original mod_fastcgi, and the more recent mod_fcgid, which I’ll look at in this article.  Before we start, make sure that you have built and configured Apache to use suexec.  We will reuse suexec to ensure that our FastCGI PHP processes run as different users.

Most Linux distributions already include a package for mod_fcgid; you should be able to install it using your distro’s package manage.  The version I’ve tested for this article is mod_fcgid 2.2 running on Seed Linux (a Gentoo-based distro).

After installing mod_fcgid, make sure that you edit your Apache config files, and comment out any lines that load mod_php.  They will look like this:

LoadModule php5_module modules/libphp5.so

Then, add the following lines to your virtual host.

SuexecUserGroup myuser mygroup

<Directory /var/www/localhost/htdocs>
AddHandler fcgid-script .php
Options ExecCGI
Allow from all
FCGIWrapper /var/www/localhost/cgi-bin/php.fcgi .php
</Directory>

Replace “myuser” with the user who owns the website, and replace “mygroup” with the group that the user belongs to.  This sets the privileges that PHP will run as when this website is visited.

Because suexec is understandably paranoid about what CGI programs it will run for you, to make mod_fcgid work in a shared hosting environment, we need to create a FastCGI wrapper script owned by the same user that owns the website:

#!/bin/bash
PHPRC=/etc/php/apache2-php5
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
PHP_FGCI_MAX_REQUESTS=5000
export PHP_FCGI_MAX_REQUESTS
exec /usr/lib/php5/bin/php-cgi

Each website needs its own copy of the script.  Place this script in the website’s dedicated cgi-bin directory.  This should be a directory that you control to make sure that malicious scripts cannot be uploaded to take advantage of suexec.  Make sure that the script is owned by the user and group who owns the website, otherwise suexec will refuse to run the script, and you’ll spend quite a bit of time scratching your head wondering what the problem is!

The FastCGI wrapper script gives us an opportunity to set limits on how PHP works as a FastCGI process.  We can tell it how many FastCGI scripts are allowed to run (to make sure one website doesn’t use up all of the web server’s free capacity), and also how many HTTP requests each FastCGI process should handle before terminating (to limit the impact of memory leaks).

At this point, you can restart Apache, and you should find that your websites are now using suexec + FastCGI to run as separate users.

Making Apache Go Even Faster

One of the major benefits of using Apache 2.2 over Apache 1.3 is the ability to switch how Apache works at the fundamental level. Apache MPMs (multi-processing modules) can emulate Apache 1.3’s behaviour (mpm-prefork) … but it can also provide new options.  By default, most (if not all) Linux distributions install Apache 2.2 built with mpm-prefork, but by switching to another MPM, can we make our websites go even faster?

If you are using suexec + mod_fcgid on Linux, there are two MPMs available to you that have the potential to boost performance further: mpm-worker and mpm-event.  Both MPMs turn Apache into a multi-threaded server.  On Linux systems, it is usually much quicker to create new threads than it is to create new processes.  The downside is that software has to be specially written to work correctly in a multi-threaded application (known as being thread-safe).  mod_php doesn’t work reliably with mpm-worker and mpm-event, because it reuses a lot of third-party code that may or may not be thread-safe.  But because we’re running PHP in a separate FastCGI process, we can safely turn Apache into a multi-threaded server.

Some Benchmarks

To benchmark PHP + FastCGI + suexec, I used Apache’s ab benchmark to load a simple phpinfo() page 1,000 times. I ran the benchmark five times, and averaged the results. To compare the results, I repeated the tests against mpm-worker, mpm-event, and mpm-prefork both with and without mod_php.

• mpm-worker + mod_fcgid + PHP/FastCGI + suexec: 7.36 seconds, 0.2% failure rate
• mpm-event + mod_fcgid + PHP/FastCGI + suexec: 7.75 seconds, 0.2 % failure rate
• mpm-prefork + mod_fcgid + PHP/FastCGI + suexec: 7.92 seconds, 0.2% failure rate
• mpm-prefork + mod_fastcgi + PHP/FastCGI + suexec: 8.52 seconds, 0.2% failure rate
• mpm-prefork + mod_php: 7.38 seconds, 0% failure rate

Other Considerations

The performance is good, especially if you switch Apache MPMs.  These benchmarks are extremely simplistic, and what they don’t show is that switching to mpm-worker and mpm-event will probably speed up your websites even further, because these Apache MPMs handle downloading images more efficiently than mpm-prefork can.  You may also be able to scale your websites better before having to upgrade your servers or add additional ones, especially if you use a bytecode cache such as APC or xcache.

But what are the downsides?

• As with straight suexec, you can’t use HTTP authentication in your application.  Hardly any apps rely on this functionality any more (probably because so many shared hosting servers use suexec).
• Your server may require extra RAM to cope with the number of FastCGI processes running simultaneously.  You may need to switch to a 32-bit Linux kernel that supports PAE or to a 64-bit Linux distro.
• Apache + PHP/FastCGI is not 100% reliable in my testing.

Conclusions

It is possible to combine PHP, FastCGI and suexec to produce a solution that secures a shared hosting server and at the same time provides good performance compared to the alternatives. If you’re prepared to compile Apache from source and switch MPMs, you can squeeze even more performance from this combination, and perhaps even out-perform the venerable mod_php.

Unfortunately, my experience was that the PHP + FastCGI combination cannot be trusted to serve pages 100% of the time. The average failure rate was 2 requests per 1000, and the failure rate was consistent no matter which Apache MPM was used, which Apache FastCGI module was used, and how many thousands of requests I used in my testing.  At the time of writing, I haven’t tracked down the cause of this failure, and it may not appear in your own environment, but none of the previous solutions I’ve looked at in this series have displayed this problem, so it’s something to think about before chosing PHP + FastCGI to serve your websites.  I’m hoping to find time in the future to get to the bottom of this problem, if no-one gets there first.

As a result, I can’t recommend using PHP/FastCGI + suexec at this time.  My current recommendation is mpm-itk, which has successfully served millions of page hits for me in production over the last few months.

References

This article was made possible by information already on the internet:

• http://interworx.com/forums/showthread.php?p=8327
• http://ckdake.com/projects/documentation/php_security

This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you’d like to see covered in future articles, please leave them in the comments on this page.

Share This

Share This

The last time I spoke at a conference was on Marco’s first php|cruise back in 2004, where we enjoyed a great view from the bar.  There wasn’t really a UK PHP scene back then, so I’m looking forward to seeing how that’s changed in the last four years.  We built twittex in-house, but we also outsource PHP development, and I’m very interested in meeting up with folks offering PHP and symfony development who are interested in VoIP (we’re the UK’s third largest VoIP provider) and social apps, and also with anyone interested in integrating VoIP into their apps too.

See you in Manchester in November!

Share This

Six days later, thanks to the power of symfony, PHP, mysql and q4m, we’ve built and launched a replacement service called twittex.com.  This is a very simple-to-use prepay service that allows you to follow the friends of your choice on the mobile phone of your choice via SMS, and it’s now live

Share This

Where are the benchmarks for phar?

Share This

Most Recommendations

There were six Firefox extensions that folks repeatedly recommended …

1. ColorZilla - advanced eyedropper, color picker, page zoomer and other colorful goodies.
2. FireBug - live DOM & CSS inspector.  The single greatest web developer add-on for Firefox.
3. Live HTTP Headers - view HTTP headers of a page and whilst browsing.
4. Web Developer Toolbar - adds a menu and a toolbar with various web developer tools.
5. YSlow - Yahoo’s tool for analysing web pages and telling you why they are slow.  Requires Firebug.
6. Zend Studio Toolbar - debugging assistance for Zend Studio 5.5 and earlier.  Isn’t mentioned on the Zend Studio 6 pages, so does that mean it is now obsolete?

… and after that, there was a lot of variety amongst the other extensions that were recommended.

Also Recommended

1. Cache Status - easy cache status & management from the status bar.
2. ChatZilla - IRC client for Firefox.
3. Duplicate Tab - clone a tab along with its history.
4. Edit Cookies - edit your cookies right in Firefox.
5. Fasterfox - performance and network tweaks for Firefox.
6. Firefox Accessibility Extension - test your web pages for functional accessibility features based on the iCITA HTML Best Practices.
7. FirePHP - print to your Firebug console using a simple PHP function call.
8. FireShot - take screenshots of web pages, and a whole lot more.
9. Google Toolbar - Google’s famous in-browser search toolbar.
10. GreaseMonkey - customise the way a web page displays using your own Javascript add-ons.  See also Lifehacker’s Top 10 Greasemonkey User Scripts, and their Better GMail and Better Flickr add-ons to get an idea of just what can be done with Greasemonkey as a Firefox extension tool.
11. HTML Validator - add HTML validation to your browser.
12. IE Tab (Windows only) - open Firefox tabs using IE’s rendering engine.  See also the popular IE View alternative.
13. LocationBar2 - adds additional features to Firefox’s address bar.
14. Lorem Ipsum content generator - Generate “Lorem Ipsum” dummy text, for when you need to fill a page with content for testing purposes.  
15. MeasureIt - draw out a ruler to get the pixel width and height of any element on the web page.
16. NagiosChecker - see the status of your services and servers in Firefox’s status bar.  You do monitor your servers, right?
17. PrefBar - power user toolbar for Firefox.  
18. Regular Expressions Tester - testing tool for regular expressions with colour highlighting.
19. RefSpoof - easy spoofing of the HTTP referrer header.
20. ReloadEvery - reloads a web page every so many seconds.
21. Save Session - save your current browser windows & tabs for the next time you open Firefox.
22. Scrapbook - save web pages locally and easily manage collections.  (Like OS X web archives, as supported by Together, DevonThink, and so on, but cross-platform).
23. Selenium IDE - record, edit and debug tests for Selenium, the automated UI testing tool for web developers.  See also PHPUnit’s support for Selenium.  You do have reproducible testing for you web apps, right?
24. Stylish - fix ugly sites, customise the look of your browser or mail client by using your own CSS files.  Stylish is to CSS what Greasemonkey is to Javascript.
25. Tab Mix Plus - tab management on steroids.
26. Tamper Data - view and modify HTTP/HTTPS headers and POST parameters.
27. TimestampDecode - treats the selected number as a timestamp and displays a decoded date/time.
28. TitlebarTweaks - tweak Firefox’s titlebar text.
29. User Agent Switcher - Adds a menu and a toolbar button to switch the user agent of the browser.
30. Venkman - Javascript debugger for Firefox.

Stu’s Recommends

To round off the list, here are a few extensions that I find useful, but which weren’t recommended.  If you haven’t heard of these before, give them a try.

1. Flagfox - display a country flag in the status bar for the location of the current website’s server.
2. Server Switcher - easily switch between development and production servers.
3. Show MyIP - display your current external IP address. 
4. SQLite Manager - Manage any SQLIte database on your computer.

Are you a web developer?  Got a favourite Firefox extension that isn’t on this list?  Let us know in the comments below.

Share This

Share This

Presumably because the companies will have gone bust from a lack of good leadership.  Something we’ve seen before, and will see again.

The successful IT departments in the sort of larger organisations that can provide food and shelter for your true “classic geek” have been part of the business for the last decade, if not longer.  Before we had the sexy CTO and CIO titles, there were IT Managers and Operations Managers who did all this stuff with little fan-fare and trumpet blowing.  They did it on a budget, so they had to have financial management skills.  They managed staff, so they had to have people skills.  They delivered results, so they had to have project management skills.  They made sure the business could do its job, so they had to have quality assurance skills.  They implemented approaches such as ITIL and more lately CoBIT to ensure that the IT department was aligned to the business and relevant regulation.  And they did this whilst still groking computers.  In fact, they did this because they groked computers.

I’ve seen this sort of nonsense before when Java came on the scene, and the rise of the Web 2.0 blogger means I’m seeing it again.  ”Everything is new, everything is different; the old skills and the old lessons no longer apply, so don’t bother learning them” - that is the seductive siren call.  Any student of management history can trace this echo back hundreds if not thousands of years.  The core skills of good governance - direction, organisation and supervision - have not changed.  You can read the works of Confucius from over two thousand years ago, and the principles behind the lessons for the leaders of the time are no different than the principles behind the lessons for the leaders of today.  Practices have changed, but not principles.

There are no secrets, no short-cuts for those-in-the-know; not in business, engineering, or the arts.  You have to know the basics, and you have to do the basics.  Hard work and dedication is always the key, and you won’t find a single leading member of the PHP development team who doesn’t reflect that reality.

So what does this have to do with our favourite punch-bag here on Planet PHP, Ruby on Rails?  For me, the rallying call of Rails is different from the Java and Web 2.0 hype/bullshit machines.  I cringe every time Terry takes a swipe at it.  Whilst I’m as sick of the term ‘agile’ as can be, Rails doesn’t try to claim that the old skills don’t matter.  Quite the opposite.  What they have done is to take the old skills and put them into one approach that can, and does, really work exceptionally well for a lot of firms and a lot of problems.  They’ve worked out what the basics are, and they’ve designed a whole paradigm that ensures the basics are done well.  They’ve executed in a way that the PHP community should be in awe of, not taking the piss out of.

They are years ahead of us in so many important areas, and yet PHP is thriving more than ever.  They must have done something wrong, because they sure didn’t grow the market for web applications.  What did they do wrong?

The fundamental mistake the Rails designers have made, and one that they still haven’t groked en-mass that I can see, is architectural, not philosophical.  Rails is a classic application server, with all the deterministic, concurrency and big-iron-needed-here problems that stopped J2EE from squeezing out PHP at the turn of the century.  For many of the problems of the web, the PHP execute-again architecture has repeatedly been proven to be superior to the application server architecture.  

• PHP is easier for average-skilled folks to deploy.  What’s the point of creating applications if you can’t figure out how to run them anywhere but your bedroom?
• It is easier to track down and eliminate bugs in PHP applications.  No persistent processes mean that PHP applications are deterministic.  PHP code is also much simpler to work through and debug.
• It is easier to scale applications written in PHP.  Folks have done it, and other folks have repeated it.  The Rails community as yet has not.  
• It may be quicker to create applications in Rails, but the operational costs once the application goes into production quickly erode that advantage.  If you’re not in the US, servers cost real money, and application servers need more iron than the equivalent PHP code.

The Agile community likes to talk about “smells”, so how come they don’t see something like mod_rails and gag on the stench of trying to mask architectural failings with such cleverness?

Before I make it onto Terry’s Christmas card list, I should state that I firmly believe that Ruby itself is a programming language that is vastly superior to PHP, especially when you get away from Apache and are creating the behind-the-scenes plumbing required.  The OO in Rails continues to leave PHP for dead, and OO brings many advantages to a thriving development community.  There are real advantages to being able to share code between both the must-be-real-time web front-end and the non-real time backends, and to be able to easily reuse whatever external open-source libraries save you time and effort.  And I believe that solutions such as the Ruby gems are vastly superior to PEAR and PECL.  PEAR/PECL should have been our CPAN, or our RubyForge.  They deliberately chose not to be, wrongly believing that CPAN was a negative feature of Perl.  They believed that one high-quality solution would prove the superior model over time.  They failed to execute, and the paradigm was plain wrong in the first place.

My prediction is that a Rails-like framework, but built using a PHP-style mod_ruby and execute-again architecture, would have a real chance at displacing PHP.  RoR the application server hasn’t a snowball’s chance in hell of achieving that.  Their market firmly remains the same market that .NET and Java already fight over, and it’s a market they’re very welcome to.

Share This