KNOWNHOST WIKI

User Tools

Site Tools


control-panels:misc:php-handlers-explained

PHP Handlers

This guide is primarily geared towards cPanel servers, however most of these handlers can apply to DirectAdmin too.

In this guide, we'll be going over Apache's many different available PHP Handlers. We'll explain what each one is, what its best at doing, and any pros and cons regarding that handler. We want this section to be informative for you so that you know how each handler differs from each other.

To start; there are many different handlers for PHP on Apache.

  • CGI (mod_cgi/mod_cgid)
  • SuPHP (mod_suphp)
  • DSO (mod_php)
  • FCGI (mod_fcgid)
  • lsapi (mod_lsapi)
  • PHP-FPM

These handlers with the exception of mod_lsapi can apply to DirectAdmin and cPanel servers.

mod_lsapi is a cPanel only module.

CGI

The CGI handler is one of the early PHP Handlers. It runs as a CGI Module as opposed to an Apache Module it's typically either mod_cgi or mod_cgid. When used as the PHP handler PHP scripts are executed as the file owner instead of the default nobody user by Apache. This PHP handler is not typically used due to not being secure (on it's own) nor is it fast: it is considered the slowest handler. At one point in time; this handler was intended as a fallback method in the event no other handler was available.

As EasyApache 4 is available; there is no reason CGI should be used as a handler.

In a Multi-PHP Environment (EasyApache 4) the CGI handler can be applied to all versions.

Advantages of this handler:

  • When paired with SuEXEC, this handler allows you to see user PHP Requests.

Disadvantages of this handler:

  • This handler is considered insecure due to non-restrictive permissions.
  • Causes high resource usage which can lead to potential issues.
  • Apache directives cannot be used. Configuration file(php.ini) required.

SuPHP

If Litespeed is installed; this is the handler that must be set so that Litespeed runs properly.

SuPHP(mod_suphp) was developed as a more secure and better performing handler then its predecessors. With the use of SuEXEC(mod_suexec) it offers secure execution of PHP files with proper set permissions. Due to this; it's been considered the most secure of the handlers to be used for webservers. SuPHP runs PHP has a CGI module which allows Apache to separate PHP processes into their own individual user that is executing them. This allows for isolation between the users. In the event of a compromise; the users files would be unable to modify other users files.

In a Multi-PHP Environment (EasyApache 4) the suPHP handler can be applied to all versions.

Advantages of this handler:

  • Processes executed as the file owner (cPanel user).
  • Can use SuEXEC for the "forked" secure PHP Processes.
  • Improper file ownership/permissions will cause scripts not to be executed.
  • Performs various security checks on each PHP script before execution.
  • Can use mod_userdir (Ex: http://serverip/~$user)

Disadvantages of this handler:

  • Like CGI; high CPU usage is seen.
  • Non-persistent state – requires new process for each PHP request.
  • Unable to use any PHP Caching.
  • No longer maintained.
  • Apache directives cannot be used. Configuration file(php.ini) required.

DSO

DSO(mod_php) is one of the fastest PHP handlers available; the immediate downside to this is that it runs everything as the user nobody by default. This prevents the ability to track individual user since all PHP scripts are owned and executed as the nobody user. This creates a relatively insecure environment when using DSO on its own as this leaves them vulnerable to any sort of malicious attacks that results in modifying PHP scripts or allowing the modification of files outside the directory the file was exploited in.

For this reason; it's recommended that mod_ruid2 be used with DSO to create SuPHP like requirements which allows files to be owned by their respective cPanel user and allows each PHP request/process to be tracked by the user running said request.

In a Multi-PHP Environment (EasyApache 4) the DSO+ruid2 handler can only be applied to one PHP version.

Advantages of this handler:

  • Allows PHP Caching (opcache, etc).
  • PHP Directives can be set within .htaccess (php_flags).
  • Considered to be very fast in execution.
  • Low resource usage. (CPU/Memory)
  • Best paired with mod_ruid2

Disadvantages of this handler(without mod_ruid2):

  • Cannot use mod_userdir (Ex: http://serverip/~$user)
  • Considered to be easily exploitable if compromised due to the user nobody
  • CMS's may not update properly due to permissions.
  • Unable to determine which account abuses resources

FCGI

FCGI or FastCGI(mod_fcgid) has been stated to be the fastest at serving PHP requests compared to SuPHP, but not as fast as utilizing DSO. This handler works to improve CPU usage through increasing server memory availability overall to cache PHP scripts to server memory. The primary benefit for FastCGI is the ability to be used with SuEXEC like the handler SuPHP. This allows scripts to be processed/executed as the user instead of the default nobody user that Apache uses.

In a Multi-PHP Environment (EasyApache 4) the FCGI handler can be applied to all versions.

Due to the configuration requirements necessary for this handler to perform, this handler is recommended to be only for experienced systems administrators.

Advantages of this handler:

  • Persistent processes; does not generate a new process for each request.
  • Low CPU utilization.
  • Allows PHP Caching (opcache, etc).
  • Can be equivalent to suPHP in regards to security, but faster in execution.

Disadvantages of this handler:

  • Memory requirement for its execution of PHP.
  • Keeps PHP Sessions open in the background.

LSAPI (cPanel/EA 4)

LSAPI(mod_lsapi) is a relatively new handler that was released for EasyApache 4 after periodically being only available to CloudLinux. LSAPI is based off of Litespeed's lsphp handler. This handler can replace all other handlers (CGI, SuPHP, FCGID, DSO). It is considered to be the fastest handler out there currently. Utilizing low resource usage for both server memory and CPU. LSAPI provides an exceptional boost in performance over all other PHP handlers. The benefit of such a handler is that it can run "out of the box" not requiring any significant configuration.

The downside is that this is not the full version of LSAPI as CRIU(Checkpoint/Restore In Userspace) and connection pooling are disabled – CloudLinux is required to take full advantage of LSAPI.

In a Multi-PHP Environment (EasyApache 4) the LSAPI handler can be applied to all versions.

This is our default recommend handler for servers without Litespeed.

Advantages of this handler:

  • Fast compared to other handlers.
  • No configuration required.
  • Works with PHP Caching (opcache).
  • Supports PHP Directives in .htaccess (php_flags).
  • Low resource usage (CPU/Memory).
  • Executes PHP Scripts as user.

At this time; there do not appear to be any disadvantages to using lsapi over other handlers.

This makes it the preferred handler for servers not utilizing CloudLinux or Litespeed.

The following modules are required for LSAPI – mod_suphp and mod_suexec

PHP-FPM

PHP-FPM (PHP FastCGI Process Manager) is designed as an alternative FastCGI daemon. This handler allows for the ability of a website to handle high loads by maintaining a connection pool of workers to respond to incoming PHP requests. This handler is considered to be faster than other CGI-related methods (SuPHP, CGI, etc) for multi-user scenarios.

PHP-FPM requires that the server have a decent amount of available memory in order to not perform experience issues. The rule of thumb is at least 2GB of RAM or 30MB per domain. If this is enabled on a server much less then that, performance issues and stability issues can be exhibited.

Due to the configuration requirements necessary for this handler to perform, this handler is recommended to be only for experienced systems administrators.

Advantages of this handler:

  • Persistent process handling.
  • Fast handling of PHP Scripts.
  • Supports high traffic.
  • Utilizes 'on-demand' workers.

Disadvantages of this handler:

  • Requires in-depth configured.
  • Can cause performance issues if not configured properly.
  • Requires decent amount of server resources available.
  • Not meant for low-end servers.
control-panels/misc/php-handlers-explained.txt · Last modified: 2019/05/09 11:30 by Jonathan K. W.