What do you recommend for setting up a shared server with php

Question

What do you recommend for setting up a shared server with php from a security/performance point of view?


  • Apache mod_php (how do you secure it? not with safe_mode, since it won't be in PHP6, etc.)

  • Apache CGI + suexec

  • Lighttpd and spawning a FastCGI per user

LE: I'm not interested in using an already made control panel as I'm trying to write my own, so I want to know what's the best way to set this up myself. I was thinking of using Lighttpd and spawning a fastcgi for every hosted user, making the fcgi process run under his credentials (there is a tutorial for this on the lighttpd wiki). This would be somewhat secure, but would this affect performance (lots of users / memory needed for every fcgi) so much that it's not a viable solution?

Recommended answer

Personally, while Lighttpd is OK, I would go with Nginx + FastCGI if you end up going with a lightweight webserver + FastCGI solution. I've run benchmarks and read all the code, and Nginx is an order of magnitude faster/more stable under load -- it's very good.

But, that's not what you asked. Essentially, I would say there's a spectrum of security/scalability vs. speed tradeoffs in the three options you list, and you just need to decide where you want to be. If you're a shared hosting provider with untrusted users installing god-knows-what PHP apps you'll lean more toward security; if this is shared amongst more trusted users you might lean toward performance. Here are my thoughts:

CGI + suexec: This is by far the most secure, and most efficient/scalable for you in terms of numbers of users/sites in a shared hosting environment. Processes are spawned and memory used only as requests come in. Of course, the CGI-spawning makes this the slowest for execution time of individual scripts. How much slower? Well, you would have to benchmark, but generally if people are running long-running apps (i.e. something like WordPress which takes 0.25-0.5 seconds just to load its libs and initialize on each request), then the CGI-spawning penalty starts to look pretty negligible in context.

FastCGI: The issue here (and it doesn't matter if your webserver is Apache, Lighttpd or Nginx) is figuring out how many FCGI child processes you let each user leave running, because each process eats memory equal to the size of the PHP interpreter (in Linux not all of it is wired of course, but I digress). And, unlike mod_php, these processes aren't shared among users so you have to limit per user. For instance, Dreamhost caps this at 3 for their customers -- now, for a customer running a website that gets bursts of more than 2-5 page views a second, that's actually pretty bad because those requests just stack up and the site hangs. Now, I like FastCGI with a lightweight webserver when I'm running apps on a dedicated server/cluster, when I can give the app hundreds of FCGI children (all with webserver privs of course, à la Apache/prefork + mod_php). But, I don't think it makes sense for shared hosting where you have to allocate/cap the FCGI children per user.

Apache + mod_php: Least secure since everything running with webserver privs, but your pool of live PHP processes is shared so it's best on the performance end. From a developer perspective, I can't tolerate php_safe mode, and from a sysadmin perspective it's really only an illusion of security (it mitigates against stupid users but doesn't protect from an actual attack) so I would actually rather have CGI if my other option has to include safe_mode.

Dreamhost does sort of a hybrid: they do Apache CGI + suexec by default, but let the (small) percentage of their users who are more sophisticated elect to do FCGI if they want to, subject to a cap and their own monitoring of memory usage. That saves a ton of memory resources versus enabling FCGI for everyone by default.

Another issue if you're talking about standard commercial shared hosting is, Apache is full-featured, has modules for just about anything (including stuff like mod_security you might want), and your users will like it because all their .htaccess configs will work etc. -- you will run into support headaches with anything else when they go to install Drupal or WordPress or whatever (a lot less of an issue if we're talking internal users).

Personally I would recommend just keeping it simple to start and going with CGI + suexec for best security and scalability. If your users want FCGI or mod_php and you have a good channel open for suggestions/communication with them, they'll ask for it, but either of these is a much bigger headache for you with only marginal performance improvements for them, so my suggestion would be to not do either of them initially but be responsive if they clamor for it.

I do sympathize with the desire to do something "interesting" like Lighttpd + FCGI instead of the standard Apache + CGI + suexec, but deep down I really can't recommend it.

If you're running multiple servers, you could end up putting CGI on some and something else for the power users on the others. And be sure to have cron grep all the www dirs for things like old-ass versions of phpBB!
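
The cron sweep the answer ends on, as an added example that is not part of the original answer: it finds WordPress installs (an app the answer names) by reading `$wp_version` from `wp-includes/version.php` as text and reports those older than a minimum version. The base directory, the minimum version and the script path are assumptions; other apps such as phpBB would need their own version-file pattern.

```shell
#!/bin/sh
# Added example (not from the original answer): nightly inventory of outdated
# WordPress installs across shared-hosting web roots.

# version_lt A B: succeeds when dotted version A is strictly older than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# scan_wordpress BASE MIN: prints "owner<TAB>version<TAB>install dir" for each
# install under BASE whose version is older than MIN (an operator policy value).
scan_wordpress() (
  base=$1 min=$2
  # -xdev keeps the walk on one filesystem. A path containing a newline is
  # split by read and simply fails the version lookup below.
  find "$base" -xdev -type f -path '*/wp-includes/version.php' 2>/dev/null |
  while IFS= read -r file; do
    # Read the literal from: $wp_version = '4.9.8';
    # The file is only parsed as text, never executed: it is user-controlled.
    ver=$(sed -n "s/^[[:space:]]*[$]wp_version[[:space:]]*=[[:space:]]*['\"]\([0-9][0-9A-Za-z.-]*\)['\"].*/\1/p" "$file" | head -n 1)
    [ -n "$ver" ] || continue
    if version_lt "$ver" "$min"; then
      owner=$(ls -ld "$file" | awk '{print $3}')
      printf '%s\t%s\t%s\n' "$owner" "$ver" "${file%/wp-includes/version.php}"
    fi
  done
)

# Example cron use (paths and version are placeholders):
#   15 3 * * * /usr/local/sbin/scan-webroots.sh /home 6.0 | mail -s "outdated apps" root
if [ "$#" -eq 2 ]; then
  scan_wordpress "$1" "$2"
fi
```

The owner column comes from the file's owner, which under suexec or per-user FastCGI is the hosting account to notify.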
