PHP Handlers

In this guide, we'll be going over Apache's many different available PHP Handlers. We'll explain what each one is, what its best at doing, and any pros and cons regarding that handler. We want this section to be informative for you so that you know how each handler differs from each other.

To start, there are many different handlers for PHP on Apache:

• CGI (mod_cgi/mod_cgid)
• SuPHP (mod_suphp)
• DSO (mod_php)
• FCGI (mod_fcgid)
• LSAPI (mod_lsapi)
• PHP-FPM

mod_lsapi can be used on cPanel servers or DirectAdmin servers with CloudLinux installed.

The CGI handler is one of the very early PHP Handlers. It runs as a CGI Module as opposed to an Apache Module – typically either mod_cgi or mod_cgid. When used as the PHP handler, PHP scripts are executed as the file owner instead of the default nobody¹⁾ user by Apache. This PHP handler is not typically used due to not being secure (on it's own) nor is it fast: it is considered the slowest handler. At one point in time, this handler was intended as a fallback method in the event no other handler was available.

See here: Not secure unless mpm-itk is in use

Advantages of this handler:

• When paired with SuEXEC, this handler allows you to see user PHP Requests

Disadvantages of this handler:

• This handler is considered insecure due to non-restrictive permissions
• Causes high resource usage which can lead to potential issues
• Apache directives cannot be used. Configuration file (php.ini) required
• Requires mpm-itk to be secure.

SuPHP (mod_suphp) was developed as a more secure and better-performing handler then its predecessors. With the use of SuEXEC (mod_suexec) it offers secure execution of PHP files with proper set permissions. Due to this, it's been considered the most secure of the handlers to be used for webservers. SuPHP run PHP as a CGI module which allows Apache to separate PHP processes, using their own individual user for execution. This allows for isolation between the users. In the event of a compromise, the user's files would be unable to modify a different user's files.

With EasyApache4 on cPanel servers, the suphp handler can be applied to all versions.

Advantages of this handler:

• Processes executed as the file owner (the user's account)
• Can use SuEXEC for the "forked" secure PHP Processes
• Improper file ownership/permissions will cause scripts not to be executed
• Performs various security checks on each PHP script before execution
• Can use mod_userdir (Ex: http://serverip/~$USERNAME)

Disadvantages of this handler:

• Like CGI, SuPHP is CPU-intensive
• Non-persistent state – requires new process for each PHP request
• Unable to use any PHP Opcode Caching
• No longer actively maintained by it's developers
• Apache directives cannot be used. Configuration file (php.ini) required
• Improper file permissions can cause a world-readable situation that introduces security risks across websites.

DSO (also known as mod_php, or PHP as an Apache module) is one of the fastest PHP handlers available: the immediate downside to this is that it runs everything as the Apache user nobody or apache by default. This prevents the ability to track individual users/accounts on the server since all PHP scripts are owned and executed as the nobody²⁾ user. This creates a relatively insecure environment when using DSO without mod_ruid2 – it leaves scripts vulnerable to any sort of malicious attacks that results in modifying PHP scripts or allowing the modification of files outside the directory the file was exploited in.

For this reason we strongly recommended that mod_ruid2 be used with DSO to create SuPHP-like ownership requirements which allows files to be owned by their respective DirectAdmin/cPanel user and allows each PHP request/process to be tracked by the user running said request.

In a Multi-PHP Environment (EasyApache 4 or using multiple versions of PHP with DirectAdmin's CustomBuild) the DSO+mod_ruid2 handler can only be applied to one PHP version – DSO cannot be used for multiple versions of PHP at the same time.

Advantages of this handler:

• Allows PHP Caching (Opcache, etc.)
• PHP Directives can be set within .htaccess (php_flag / php_value)
• Considered to be very fast in execution
• Low resource usage (CPU/Memory)
• Best paired with mod_ruid2

Disadvantages of this handler(without mod_ruid2):

• Cannot use mod_userdir (Ex: http://serverip/~$USERNAME)
• Considered to be easily exploitable if compromised due to scripts executing as the nobody³⁾ user
• CMS's may not update properly due to permissions / ownership
• Unable to determine which account abuses resources

FCGI or FastCGI (mod_fcgid) has been stated to be the fastest at serving PHP requests compared to SuPHP, but not as fast as utilizing DSO. This handler works to improve CPU usage through increasing server memory availability overall to cache PHP scripts to server memory. The primary benefit for FastCGI is the ability to be used with SuEXEC like the handler SuPHP. This allows scripts to be processed/executed as the user instead of the default nobody⁴⁾ user that Apache uses.

With EasyApache4, the FCGI handler can be applied to all versions.

Advantages of this handler:

• Persistent processes; does not generate a new process for each request
• Low CPU utilization
• Allows PHP Caching (Opcache, etc)
• Can be equivalent to suPHP in regards to security, but faster in execution

Disadvantages of this handler:

• Memory requirement for its execution of PHP
• Keeps PHP Sessions open in the background

LSAPI (mod_lsapi) is a relatively new handler that was released for cPanel/EasyApache 4 after periodically being only available to CloudLinux servers – mod_lsapi PRO (with additional configuration options) is available for DirectAdmin and cPanel/WHM servers with CloudLinux installed. LSAPI is based off of LiteSpeed's built-in lsphp handler. mod_lsapi can replace all other handlers (CGI, SuPHP, FCGID, or DSO). It is considered to be the fastest handler out there currently. Utilizing low resource usage for both server memory and CPU. LSAPI provides an exceptional boost in performance over all other PHP handlers. The benefit of such a handler is that it can run "out of the box" not requiring any significant configuration.

The downside is that this is not the full version of LSAPI as CRIU(Checkpoint/Restore In Userspace) and connection pooling are disabled – CloudLinux is required to take full advantage of LSAPI with mod_lsapi PRO.

In a Multi-PHP Environment, the LSAPI handler can be applied to all versions.

Advantages of this handler:

• Fast compared to other handlers
• No configuration required
• Works with PHP Caching (Opcache).
• Supports PHP Directives in .htaccess (php_flag or php_value)
• Low resource usage (CPU/Memory)
• Executes PHP Scripts as user

Disadvantages of this handler:

• Improper file permissions can cause a world-readable situation that introduces security risks across websites.

PHP-FPM (PHP FastCGI Process Manager) is designed as an alternative FastCGI daemon. This handler allows for the ability of a website to handle high loads by maintaining a connection pool of workers to respond to incoming PHP requests. This handler is considered to be faster than other CGI-related methods (SuPHP, CGI, etc.) for multi-user scenarios.

PHP-FPM requires that the server have a larger amount of available memory compared to other PHP handler options in order to operate without memory issues. The rule of thumb is at least 2GB of RAM or 30MB per domain. If this is enabled on a server much less then that, performance issues and stability issues can be exhibited.

Advantages of this handler:

• Persistent process handling
• Fast handling of PHP Scripts
• Supports high traffic
• Utilizes 'on-demand' workers

Disadvantages of this handler:

• Requires in-depth configured
• Can cause performance issues if not configured properly
• Requires decent amount of server resources available
• Not meant for low-end servers