[CentOS] Apache User Isolation/Perchild, or PHP "chroot"?

Wed May 2 21:09:44 UTC 2007
Scott Lamb <slamb at slamb.org>

On May 2, 2007, at 8:18 AM, Barry Brimer wrote:

> I had previously considered this, but never went anywhere with it. Would you
> also need something like mod_proxy_html to rewrite HTML on the fly, or would
> that not be required in this case?

Not necessarily - you can set the ServerName and such of each proxied  
host to be correct when proxied, not when accessed directly.

Another option would be to use mod_fcgid to delegate to different PHP  
instances using FastCGI. FastCGI is popular lately (particularly with  
the Ruby-on-Rails people) for other reasons - asynchronous webservers  
like lighttpd and nginx have started to become trendy, and because  
PHP is not written asynchronously they have no mod_php equivalent.

The biggest advantage to using FastCGI here would be to reduce the  
number of processes running and memory footprint. As Paul Heinlein  
said, this proxied Apache setup would mean doubling the number of  
Apache processes running. Here you just have a few PHP processes  
running per vhost to handle the dynamic stuff - static files can be  
handled by the main server. Presumably a FastCGI PHP process would  
have less of a memory footprint than a whole Apache also.

If you do go with the two layers of Apache instances, at least turn  
off keepalives on the proxied ones (a waste when accessed only  
locally) and turn down the number of processes they have running.

In an earlier message:

On May 2, 2007, at 2:45 AM, Dan Mensom wrote:
> What is the easiest method for dealing with this? I found
> http://webauth.stanford.edu/manual/mod/perchild.html but it does not seem
> to be compiled with the CentOS 5 apache, and I've read elsewhere that php
> has issues with multithreaded apache.

perchild is dead, I'm afraid.

-- 
Scott Lamb <http://www.slamb.org/>
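
[Added example, not part of the original message or the poster's own configuration.] A sketch of the two-layer Apache setup discussed above for Apache 2.2 with the prefork MPM: one backend instance per site running as its own account, with keepalives off and a small process pool, behind a front end that proxies to it. The account name site1, port 8081, host name www.site1.example and all file paths are assumptions made for illustration.

```apache
# --- Backend instance for one site ---
# (constructed file name: /etc/httpd-site1/httpd.conf)
# Runs under its own unprivileged account, so PHP code served here
# has only that account's file permissions.
Listen 127.0.0.1:8081              # loopback only: not reachable from the network
User site1
Group site1
PidFile /var/run/httpd-site1.pid
DocumentRoot /var/www/site1

# Use the public name, so self-referential redirects are correct when the
# site is reached through the proxy rather than directly on port 8081.
ServerName www.site1.example:80
UseCanonicalName On

# Only the local front end connects here, so keepalives buy nothing.
KeepAlive Off

# Small prefork pool; the front end carries the client connections.
StartServers 1
MinSpareServers 1
MaxSpareServers 2
MaxClients 5

# --- Front-end instance (fragment of the main httpd.conf) ---
# Requires mod_proxy and mod_proxy_http to be loaded.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.site1.example
    ProxyRequests Off              # reverse proxy only, never an open forward proxy
    ProxyPreserveHost On           # pass the client's Host header to the backend
    ProxyPass / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

Binding the backend to 127.0.0.1 keeps it off the network, but any local account on the machine can still connect to that port directly.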