
Re: Fastcgi or apache-mpm-itk?



On Tue, Jun 03, 2008 at 05:08:09PM +0200, Paul van der Vlis wrote:
> I would like to install Apache for shared hosting. I would like also a
> form of secure PHP.
> 
> I like to use Debian packages for security-support. There are no
> packages for mpm-peruser and mod-ruid so I don't want them.
> Suphp and php5-cgi are slow, I've heard.
> 
> Stays suexec/fastcgi like here:
> http://www.cosmocode.de/en/blogs/gohr/20070516093908/
> http://packages.debian.org/etch/libapache2-mod-fastcgi  (nonfree!)
> 
> And apache2-mpm-itk:
> http://blog.stuartherbert.com/php/2008/04/19/using-mpm-itk-to-secure-a-shared-server/
> http://packages.debian.org/etch/apache2-mpm-itk
> 
> What would you choose?

i use apache2-mpm-itk, partly because i think suexec is too inflexible
to bother with. if you want to do things *EXACTLY* as has been
hard-coded into it at compile time, it's OK. any minor variation and it
just won't do it, and can't be made to.  I've never liked suexec, even
before i found apache2-mpm-itk, i used cgiwrap as a far more flexible
alternative.

i use it with libapache2-mod-php5 (w/ php5-suhosin) and it works great.

i also use it (on the same servers as mod-php5) with libapache2-mod-speedycgi
for persistent perl CGI scripts - in a vhosting environment, that's MUCH
safer than mod_perl.

(one thing that works extremely well as an alternative to mod_perl or
as a perl alternative to PHP is the combination of apache2-mpm-itk,
libapache2-mod-speedycgi, and libhtml-mason-perl aka HTML::Mason. perl
embedded in html rather than PHP)

anyway, just set up apache2-mpm-itk and pretty much forget it.
essentially no maintenance required. each vhost runs as its own user,
so no more world-writable or www-data writable files, no need to worry
about one vhost's scripts being able to read (or write!) another vhost's
private files.

the one (very minor) hassle with it is that because it's not an official
apache2 mpm (it's a fork of apache2-mpm-prefork), it lags behind the
other apache packages, usually by a few days. if you're sticking with
stable, this won't be a problem at all....but if you're tracking testing
or unstable, you need to be careful about upgrades, mark apache2-mpm-itk
as held so it doesn't get auto-removed, and upgrade it manually when you
know it is available.

craig

-- 
craig sanders <cas@taz.net.au>

BOFH excuse #13:

we're waiting for [the phone company] to fix that line
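
The reply above says that with apache2-mpm-itk there is no further need for world-writable or www-data-writable files. The following is an added example, not part of the original message, of a check an administrator could run over a vhost's docroot after the switch to find leftovers of the old shared-user setup. The function name audit_vhost, its arguments and the path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit one vhost's docroot
# after moving it to apache2-mpm-itk.
# audit_vhost and its arguments are hypothetical names for this sketch.
#   $1 docroot directory
#   $2 vhost user (name or numeric uid)
#   $3 legacy shared web-server group, default www-data
audit_vhost() {
    docroot=$1
    owner=$2
    legacy=${3:-www-data}

    # Writable by every local account, so by every other vhost's scripts.
    find "$docroot" ! -type l -perm -0002 -print | sed 's/^/world-writable /'

    # Still group-writable for the old shared account. find aborts on an
    # unknown group name, so only run this where the group exists.
    if getent group "$legacy" >/dev/null 2>&1; then
        find "$docroot" ! -type l -group "$legacy" -perm -0020 -print |
            sed 's/^/legacy-writable /'
    fi

    # Anything not owned by the vhost's own user.
    find "$docroot" ! -type l ! -user "$owner" -print | sed 's/^/foreign-owner /'
}

# Usage (constructed path and user):
#   audit_vhost /srv/www/example.org exampleuser
```

Each output line is a finding prefixed with its category; an empty result means the docroot no longer depends on shared or world-writable permissions.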

