[thelist] PHP Perl Apache security

Aredridel aredridel at nbtsc.org
Sun Jul 20 19:27:30 CDT 2003


On Sun, 2003-07-20 at 15:35, Keith wrote:
> At 08:57 AM Sunday 7/20/2003, Ari wrote:
> 
> >The mod_proxy scenario:
> >
> >You run a separate copy of apache for each vhost (at least each that
> >need it), with a different User directive ....
> 
> >Then, you set up mod_proxy on the /main/ instance of Apache to map each
> >user's URL-space into the other instance of apache, running on another
> 
> Correct me if I misunderstand, but it looks like you are describing a hack
> to accomplish Apache2's perchild MPM. How does it differ, not so much in
> details but in things like resources?

A bit of a hack, but very functional.

Also a bit more powerful, since the processes are truly separate, even
config files.

It's also the tried-and-true prefork MPM, not threaded.  That's
important for many PHP extensions, which are not nice with threads.

> RAM, because of Linux >= 2.0's memory handling.  If you set apache to
> >only prefork a few daemons per user (adjust as their site load grows),
> >you don't end up too badly off, resource-wise.  It's probably lighter
> 
> Apache2's perchild /seems/ to require 8 daemons per user that all run on 
> bootup. And the number allocated per user is not done dynamically. That 
> scenario seems to guarantee that there will always be some wasted resources 
> for most vhosts, while others will be under strain until a human intervenes.

Apache's prefork MPM lets you have a pool -- min and max. That should be
plenty tunable -- just keep one spare initially, and set max to
something reasonable.

Also, extra daemons aren't too bad, because this is what system swap is
for... let those processes that don't need to be in RAM page out! 
Swapping isn't bad, it's thrashing that's the killer...

> This looks like it might be OK for a clean box, but what problems can be 
> anticipated if this is a conversion on a box with hundreds of VHosts?

You should be able to do it one vhost at a time, honestly.  Just map one
vhost's URL space with mod_proxy, try it out, then do the next; once you
have it stable, do 'em all.
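
The two-instance layout described in this thread, written out as an added configuration example (not part of the original message or of Apache's own documentation): a front-end Apache 2.x prefork instance owns port 80 and reverse-proxies each vhost's URL-space to a per-user Apache instance that is bound to the loopback interface and runs under that customer's own User/Group. The hostnames (alice.example.com, bob.example.com), loopback ports, file paths, module paths and user names are all assumptions chosen for the example.

```apache
# ---- /etc/apache-main/httpd.conf : front-end instance (assumed path) ----
# Runs as the shared, unprivileged web user; it holds no site code itself.
Listen 80
User  www-data
Group www-data
LoadModule proxy_module      modules/mod_proxy.so       # module paths are assumptions
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse-proxy only.  ProxyRequests Off keeps this instance from being
# usable as an open forward proxy; only the ProxyPass mappings below apply.
ProxyRequests     Off
ProxyPreserveHost On

<VirtualHost *:80>
    ServerName alice.example.com
    # Hand alice's whole URL-space to her own Apache on the loopback.
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>

# ---- /etc/apache-alice/httpd.conf : alice's own instance (assumed path) ----
# Started separately:  httpd -f /etc/apache-alice/httpd.conf
# Binding to 127.0.0.1 means it is reachable only through the front-end.
Listen 127.0.0.1:8081
User  alice
Group alice

# Each instance needs its own pid file and logs, writable by that user.
PidFile  /var/run/apache-alice.pid
ErrorLog /var/log/apache-alice/error.log

# Small prefork pool: one spare to start with, a modest ceiling,
# raised per vhost as that site's load grows.
StartServers     1
MinSpareServers  1
MaxSpareServers  2
MaxClients       10

DocumentRoot /home/alice/public_html
<Directory /home/alice/public_html>
    Options       -Indexes
    AllowOverride None
</Directory>
```

Bob's instance is the same file with his user, port 8082, and his own pid/log paths. Because every per-user instance reads a config file the front-end never sees, a PHP or CGI script running as alice cannot read bob's sources or his instance's settings, which is the separation the prefork-per-user approach buys over a single shared server. Migrating an existing box one vhost at a time, as suggested above, amounts to adding one `<VirtualHost>` proxy stanza to the front-end and one backend config per site, then moving to the next once that site behaves.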