Monday, August 1, 2016

Running php as fastcgi vs Apache mod with dir permissions of 777



Hi, I'm a web developer by trade and not a server engineer; please bear with me!



I have just got a new Ubuntu LAMP VPS server, which I am trying to configure.



I understand that running php as apache-mod is the fastest way of running php, but to achieve this I have to set my directories to 777 so php can write to them. In turn, FTP can then no longer delete dirs created by php.



This does not seem ideal.




I understand that using fast-cgi the 'php user' and 'ftp user' are the same, hence you do not get these issues and do not have to open directories to 777 to allow writing, which I understand to be a security issue.



So what are the pros / cons of




  • fast-cgi with permission 755 vs apache mod with 777 permissions?



Thanks




EDIT



So OK, 777 is not good, apparently. But how do I then get the apache-mod user and the FTP user to be the same? As mentioned, I am not a server admin! Thanks


Answer



Apache with mod_php is easy to set up and runs fast - but it doesn't scale. Each request requires a full thread - which includes apache and all its modules. This is exactly what makes it fast - each request gets a dedicated instance of php. On the other hand, a very small number of simultaneous requests will consume all your available memory and slow your server to a crawl.



If you go the mod_php route - @fuscata's answer provides a good approach - use groups to avoid having your directories and files writable by 'other'. The other option is to simply make your FTP user the same as the user that apache runs as - although this isn't good from a security standpoint.



I'd definitely suggest the fast-cgi approach - beyond the fact that you can implement your permissions properly, it makes much better use of the available resources. Although it is a bit slower for a single request, under a higher load, the overall performance will be much better than with mod_php.




Use mod_fastcgi with php-fpm - set up your php-fpm pools with user names matching your FTP users, and use the most restrictive permissions possible. 755 is usually acceptable for directories (but you should be able to use 750). Consider setting the permissions on your PHP files to 640 - 'other' doesn't really need read permissions on your files (this is especially true for files that contain database passwords, ecommerce keys, etc. - although those should be set to 600 - or 400 once you have input the data).
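The per-site php-fpm pool and the permission scheme the answer describes, as an added example that is not part of the original answer. The pool user `site1`, the socket path and the output paths are assumptions; the web server user (`www-data`) must be a member of the site's group for 750/640 to be readable by it.

```shell
#!/bin/sh
# Added example, not from the original post. Pool user "site1" and all paths are assumed.

# Write a php-fpm pool that runs PHP as the site's own (FTP) user "site1".
# In a real install the file goes under pool.d/ of your php-fpm version (assumed path).
write_pool() {
    cat > "$1" <<'EOF'
[site1]
user = site1
group = site1
listen = /run/php/site1.sock
; the web server connects to the socket, so it owns the socket, not the files
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Apply the answer's scheme to a docroot owned by the pool user:
# directories 750, PHP files 640, credential files 600 (no group access at all).
harden_docroot() {
    docroot=$1
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -name '*.php' -exec chmod 640 {} +
    find "$docroot" -type f -name 'config.php' -exec chmod 600 {} +
}

# Succeeds only if nothing under the docroot is writable by 'other' (the 777 problem).
check_no_world_writable() {
    [ -z "$(find "$1" -perm -002 | head -n 1)" ]
}

# Usage (assumed paths): write_pool /etc/php/7.0/fpm/pool.d/site1.conf
#                        harden_docroot /var/www/site1 && check_no_world_writable /var/www/site1
```

Run `harden_docroot` as the site user or root; `check_no_world_writable` is a cheap audit you can rerun after deployments to catch directories that drifted back to 777.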

