dso vs suphp vs fastcgi

[Usmeee]

Hi

I have a high end vps (1Core cpu and 2GB ram) and up till now, I have been running only my own sites. I run multiple wordpress blogs, and 2 Joomla sites. The traffic I am getting in total is currently on average 25K unique a day. (sometimes up to 40K unique)

I have decided to offer shared hosting on limited scale to few friends and few other people. Now, to make the server secure for shared hosting environment, I am stuck with the multiple options below.

dso vs suphp vs fastcgi
Up till now, I have been using php with dso (and eAccelerator). Even my vps is serving 25K unique a day, I haven't seen load going more than 2.0 (for normal operations)

I have read on many forums and online articles that for shared hosting one should always use suphp for security and better tracking. BUT at the same time, I have read that suphp should not be used for high traffic servers. And also eAccelerator will not anymore so that will also increase load.

I read that Fastcgi is faster than suphp but its very complex to configure. If not done correctly, it will create many problems.

Please ... help me decide what to do?
I want to make my VPS secure by every possible way but I do not want to risk much degraded performance. (I can accept a little difference)

What should I choose? And without eAccelerator, wouldn't my site load time will increase badly?

I am not an expert in linux (or whm/cpanel) but I try to learn and get things quickly. My hosting provider offers full management and they are doing everything for me. But they want me to decide what to do.

Please help.

[Spiral]

I have a high end vps (1Core cpu and 2GB ram) and up till now, I have been running only my own sites. I run multiple wordpress blogs, and 2 Joomla sites. The traffic I am getting in total is currently on average 25K unique a day. (sometimes up to 40K unique)

That is entirely the wrong machine for that traffic!

About the last thing I would consider running with that traffic pattern is any VPS server or a machine that is that lowball of a configuration.

That alone is asking for trouble and headaches!

I have decided to offer shared hosting on limited scale to few friends and few other people. Now, to make the server secure for shared hosting environment, I am stuck with the multiple options below.

You want to add even more traffic to your server that is already inadequate for your existing traffic? There is irony.

dso vs suphp vs fastcgi

Your situation would clearly ask for "fastcgi" which contrary to popular belief is actually the fastest of the 3 of them and with good reason and no is not difficult to configure and yes is these days just about equally secure as SuPHP so where performance is a concern, fastcgi would definitely be the way to go.

Also another misconception is that SuPHP is drastically slower than DSO which is true but the impact going to SuPHP is very minor if it is configured correctly. FastCGI however is just the opposite and you will actually get greater performance than running DSO with any accelerator especially on your extremely limited resources.

Up till now, I have been using php with dso (and eAccelerator). Even my vps is serving 25K unique a day, I haven't seen load going more than 2.0 (for normal operations)

You might look at combining "fcgi" (the 3rd party flavor somewhat like fastcgi that Cpanel has available) along with "xcache" or similar.

I have read on many forums and online articles that for shared hosting one should always use suphp for security and better tracking. BUT at the same time, I have read that suphp should not be used for high traffic servers. And also eAccelerator will not anymore so that will also increase load.

All 3 statements are false for different reasons. SuPHP is not your only option for security and in some ways is actually just as insecure as DSO or phpSuExec if you don't know what you are doing and sadly the vast majority of hosting administrators don't realize this. SuPHP can be made to actually really be as secure as people think but not without some custom modifications you don't get just flat installing it and most people don't know they need to do that.

eAccelerator will bloody increase loads itself and actually has a few other issues that go beyond the scope of this discussion. However, for the purposes of this reply, then 'yes' --- that particular accelerator only works with 'dso' mode PHP so you would need to look at another caching system or accelerator if you changed your PHP type.

(It should be noted that SuPHP without any accelerator typically outperforms dso **WITH** an accelerator --- common misconception that it doesn't but true never the less ironically)

I read that Fastcgi is faster than suphp but its very complex to configure. If not done correctly, it will create many problems.

FastCGI or even FCGI is not very complicated and really is no more difficult in configuring that SuPHP. In some respect it's actually easier.

I think the word I would use rather than "complex" is "different".

Please ... help me decide what to do?
I want to make my VPS secure by every possible way but I do not want to risk much degraded performance. (I can accept a little difference)

Yes you can very much have your cake and eat it too! Heavily securing servers with minimal performance impact (actually increasing performance most of the time) is precisely what I specialize in doing specifically and deal with myself each and every day.

What should I choose? And without eAccelerator, wouldn't my site load time will increase badly?

Based on the information you provided in your post and knowing that you are running a Cpanel server, I would go with "fastcgi" support enabled with the "fcgi" option and then **IF** you need to further push the performance threshhold consider looking at xcache or similar but first looking at running with an MPM and stripping off excess functions and features you don't actually use or need which adds code overhead that also impacts performance.

I am not an expert in linux (or whm/cpanel) but I try to learn and get things quickly. My hosting provider offers full management and they are doing everything for me. But they want me to decide what to do.

Well lucky for you I am --- an expert that is. Unix / Linux systems administrator for more than 3 decades, programmer, and security specialist for more than 20 years. Been dealing with Cpanel systems specifically all the way since the very first earliest cpanel releases.

Personally, I have very little faith in most "full management" services but then I have an unusual perspective and vantage point on that being able to look at a lot of these guys from the position and background of extremely a whole lot more experience and covering a lot more knowledge than most "think they know" out there but with that said and assuming your host can really in fact indeed handle helping you with your security and performance issues and also to the degree that you are asking about, I would advise having them do the following or some similar variation with these basic items as your guideline:

On the performance side look at switching to FCGI w/minimal modules but still including all the modules that you need but leaving out extraneous addons that you don't use at all. Some modules that are an educated "as needed" decision would be things such as "mod_bandwidth" that don't really help as much as hinder. Look at doubling the stats for your request handling, consider adding xcache or something similar but make sure what you add supports fastcgi or fcti (eAccelerator does not). If you upgrade your server memory, this will be to your largest advantage more than anything.

You might also look at putting on a 3rd party handler to handle port 80 requests such as an http accelerator, squid, or perhaps a faster web server such as nginx with a cache layer in between but I would only consider these types of modifications **IF** and only **IF** you can substantially increase your limited memory resources else it is not worth either your time nor effort to even consider.

On the security side, you of course should look at APF or even better, Chirpy's CSF firewall which is probably the best and easiest to configure solution alongside Cpanel systems, mod_security (though I would get a better ruleset than the standard default rules), SuHosin (the number of code injection attacks has risen exponentially lately), mod_evasive, set "PCI recommended" options in your Apache, turn off external PHP exposure, and all the other various tidbits out there that should probably be considered as "standard" things to do for all hosting servers.

Please help.

You got it. Hopefully this information was helpful.

If you need more assistance beyond these comments, feel free to contact me anytime.

[Infopro]

...
My hosting provider offers full management and they are doing everything for me. But they want me to decide what to do.

Ask them to set you up with SuPHP.

[Usmeee]

Thank you so much for you reply.
It helped me a lot.

That is entirely the wrong machine for that traffic!

About the last thing I would consider running with that traffic pattern is any VPS server or a machine that is that lowball of a configuration.

Well ... Only one of myblog is getting some serious traffic. I am running "WP_Super_Cache" and never had any problem with server performance.
May be I have fewer neighbors on VPS there.

That alone is asking for trouble and headaches!

Now I am considering myself lucky
Seriously, I didn't have a downtime in last 27 days or so.

Again thanks for such a detailed response.
Much appreciated.

[Spiral]

Well ... Only one of myblog is getting some serious traffic. I am running "WP_Super_Cache" and never had any problem with server performance.

Are you actually running a VPS or a Cloud server?

Clouds are often marketed as "VPS" servers but very much quite different.

Now I am considering myself lucky
Seriously, I didn't have a downtime in last 27 days or so.

The issue I am referring to specifically there is your mention of 25,000 to 40,000 unique hits daily running against only a 2 GB single cpu core and it being a VPS server on top of that which is a bit mismatched to say the least.

Again thanks for such a detailed response.
Much appreciated.

You're Welcome.

[jacobt]

Choosing the right PHP handler is one of the most critical things you can do for your website, but it is often the least understood.

I researched a lot into the different PHP handlers and tested how they handle on a lot of different servers. I wrote up a really handy article describing all of the differences between them all.

Its helped a lot of customers at the web hosting company I work for. I hope you guys find just as helpful:
/http://boomshadow.net/tech/php-handlers/

[LinuxTechie]

Hello,

It is a cool stuff :-) Cheers!

[garhiyal]

My take is that after taking into account security, DSO (with open_basedir set to user folder)) is much better than other options.

In a shared hosting scenario, a user uploads the PHP files etc. by his userid. Now even if his PHP script has some security vulnerabilities, it cannot overwrite those files nor can create new ones except in folders with 777 or nobody user permissions. Whereas in suPHP or CGI more, a script vulnerability can be used to overwrite the entire filesystem of the user..

Having PHP running as DSO and with sub-folders having 777 permissions is not the best scenario, but I feel its far better than a PHP script having full access to the user file system. This I can say with one experience I had with GoDaddy shared hosting account where I believe PHP runs as CGI or suPHP. A vulnerability in Joomla had led the hacker to erase all the user files and plant his own. Had it been a DSO scenario, own files in a sub-folder would have been impacted.

[Infopro]

If a rogue script is running as user nobody (In your example most users accounts will have at least some files and folders owned by nobody), this is safer than the same script running as a single user being contained in one account?

Every time a user wants to install something via their website, a module, a theme, whatever, the installation will probably fail and if it doesn't fail will probably be broken somehow. Now you've got to come and sort out permissions for that user to finish whatever they're doing. Until next time and you get another ticket. And another.

And another.

Too much overhead, IMHO.

[garhiyal]

If a rogue script is running as user nobody (In your example most users accounts will have at least some files and folders owned by nobody), this is safer than the same script running as a single user being contained in one account?

Considering open_basedir restrictions are applied properly, rogue PHP scripts will not be able to go into other home dirs. But I do agree rogue CGI/PERL scripts can exploit this scenario.

Every time a user wants to install something via their website, a module, a theme, whatever, the installation will probably fail and if it doesn't fail will probably be broken somehow. Now you've got to come and sort out permissions for that user to finish whatever they're doing. Until next time and you get another ticket. And another.

This I do agree with you. It does raise no. of support tickets etc.

Other day I was working on a server with cPanel and suPHP, a user php.ini can completely circumvent the system php.ini. And that is not good. Though I feel it may be possible to prevent it (have'nt worked much with suPHP), but default cPanel EasyApache's setup does allow this scenario.

[alphawolf50]

Hi

I have a high end vps (1Core cpu and 2GB ram) and up till now, I have been running only my own sites. I run multiple wordpress blogs, and 2 Joomla sites. The traffic I am getting in total is currently on average 25K unique a day. (sometimes up to 40K unique)
[...]
dso vs suphp vs fastcgi
Up till now, I have been using php with dso (and eAccelerator). Even my vps is serving 25K unique a day, I haven't seen load going more than 2.0 (for normal operations)

Hi Usmeee,

Just to clear up a little confusion, a load of 2.0 is actually extremely high on a 1 core system. The best analogy I've heard for "load" is this:

For each core, imagine you have a "lane" on a highway. The "Load" refers to how much traffic you're trying to send down that highway at one time. So if you have a load of 1.0, then you have one "lane" of traffic operating at full capacity. In your case you only have 1 lane, so a load of 2.0 means you're trying to put twice as much traffic down the lane as will fit. With a dual-core system you'd be operating exactly at capacity. If you can afford to do so, an upgrade would be wise.

RE: dso/suPHP/fcgid -- mod_fcgid is a speed demon in my experience. I pair it up with mpm_worker and suEXEC. Since you're inexperienced I think you'll find this arrangement to take considerably more effort to get "just right", but if you're willing to put in the time to research the recommendations and "gotchas" it is well worth it.

Last thought: As others have said, ConfigServer Firewall (CSF) is definitely something you should look into, as well as mod_security. While theoretically these two things would increase your load, they'll likely have the opposite effect. Many of the bots currently burning up resources on your site will quickly find themselves faced with an IP ban (if you enable that), which will free up resources for your actual human users. Once you've installed CSF, look for the button that says "Check Server Security". Apply whichever recommendations won't break your services