Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Using FastCGI with Apache HTTP Server 2.4
FastCGI with Apache httpd 2.4 Jeff Trawick Choosing mod fcgid http://emptyhammock.com/ mod proxy fcgi [email protected] mod authnz fcgi Other tools April 8, 2014 PHP Applications and FastCGI
Future
1/97 Revisions
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI 2014-04-10 FastCGI with Apache httpd Add Require expr ... to /www/tools/ 2.4 configuration in More classic CGI configuration Choosing slide to resolve a potential security hole. Thank mod fcgid mod proxy fcgi you Eric Covener! mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
2/97 Get these slides...
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 http://emptyhammock.com/projects/info/slides.html Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
3/97 Table of Contents
Using FastCGI with Apache HTTP Server 1 The world of FastCGI 2.4 Jeff Trawick 2 FastCGI with Apache httpd 2.4
The world of FastCGI 3 Choosing
FastCGI with Apache httpd 4 mod fcgid 2.4 Choosing 5 mod proxy fcgi mod fcgid mod proxy fcgi 6 mod authnz fcgi mod authnz fcgi
Other tools 7 Other tools
PHP Applications 8 PHP Applications and FastCGI and FastCGI Future 9 Future
4/97 Introduction — Who am I?
Using FastCGI with Apache HTTP Server 2.4 I’ve worked at Jeff Trawick several large corporations, for over two decades The world of FastCGI my own one-person company, Emptyhammock, for the
FastCGI with last two years Apache httpd 2.4 I’ve worked on Choosing several products which were primarily based on or mod fcgid otherwise included Apache HTTP Server mod proxy fcgi lower-level networking products mod authnz fcgi web applications Other tools
PHP I’ve developed or maintained some of the FastCGI Applications and FastCGI support in the Apache HTTP Server project.
Future
5/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 The world of FastCGI Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
6/97 Implemented for most web servers. Implemented for most programming languages and a number of frameworks.
FastCGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI A protocol for communicating between a web server and FastCGI with persistent application processes which can handle any of Apache httpd 2.4 several different phases of requests. Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
7/97 Implemented for most programming languages and a number of frameworks.
FastCGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI A protocol for communicating between a web server and FastCGI with persistent application processes which can handle any of Apache httpd 2.4 several different phases of requests. Choosing Implemented for most web servers. mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
7/97 FastCGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI A protocol for communicating between a web server and FastCGI with persistent application processes which can handle any of Apache httpd 2.4 several different phases of requests. Choosing Implemented for most web servers. mod fcgid Implemented for most programming languages and a mod proxy fcgi mod authnz fcgi number of frameworks.
Other tools
PHP Applications and FastCGI
Future
7/97 input stream for request body output stream for response headers and body output stream for log messages But binary encoded on a stream socket or pipe (Windows). FastCGI process waits repeatedly for new connections.
Fast CGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Inputs and outputs are similar to CGI: The world of FastCGI environment variables FastCGI with CONTENT LENGTH, SCRIPT NAME, etc. Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
8/97 output stream for response headers and body output stream for log messages But binary encoded on a stream socket or pipe (Windows). FastCGI process waits repeatedly for new connections.
Fast CGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Inputs and outputs are similar to CGI: The world of FastCGI environment variables FastCGI with CONTENT LENGTH, SCRIPT NAME, etc. Apache httpd 2.4 input stream for request body Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
8/97 output stream for log messages But binary encoded on a stream socket or pipe (Windows). FastCGI process waits repeatedly for new connections.
Fast CGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Inputs and outputs are similar to CGI: The world of FastCGI environment variables FastCGI with CONTENT LENGTH, SCRIPT NAME, etc. Apache httpd 2.4 input stream for request body Choosing output stream for response headers and body mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
8/97 But binary encoded on a stream socket or pipe (Windows). FastCGI process waits repeatedly for new connections.
Fast CGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Inputs and outputs are similar to CGI: The world of FastCGI environment variables FastCGI with CONTENT LENGTH, SCRIPT NAME, etc. Apache httpd 2.4 input stream for request body Choosing output stream for response headers and body mod fcgid mod proxy fcgi output stream for log messages mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
8/97 Fast CGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Inputs and outputs are similar to CGI: The world of FastCGI environment variables FastCGI with CONTENT LENGTH, SCRIPT NAME, etc. Apache httpd 2.4 input stream for request body Choosing output stream for response headers and body mod fcgid mod proxy fcgi output stream for log messages mod authnz fcgi But binary encoded on a stream socket or pipe (Windows). Other tools FastCGI process waits repeatedly for new connections. PHP Applications and FastCGI
Future
8/97 Raw CGI
Using FastCGI with Apache HTTP Server 2.4 int main(int argc, char **argv) Jeff Trawick { The world of extern char **environ; FastCGI /* environ is {"CONTENT_LENGTH=105", FastCGI with "SCRIPT_NAME=/path/to/foo.fcgi", etc. } */ Apache httpd 2.4 const char *cl_str;
Choosing mod fcgid if ((cl_str = getenv("CONTENT_LENGTH")) { read(FILENO_STDIN,,); /* request body */ mod proxy fcgi } mod authnz fcgi write(STDOUT_FILENO,,); /* response headers Other tools * and body */ PHP write(STDERR_FILENO,,); /* to web server log */ Applications and FastCGI }
Future
9/97 Raw FastCGI
Using FastCGI with Apache int main(int argc, char **argv) HTTP Server { 2.4 socket(); bind(); listen(); Jeff Trawick while (1) { The world of int cl = accept(); FastCGI read(cl, buf); FastCGI with |00000 0101000100080000 0001000000000000 ...... | Apache httpd 2.4 |00010 0104000100190000 090e485454505f48 ...... HTTP_H|
Choosing |00020 4f53543132372e30 2e302e313a383038 OST127.0 .0.1:808| |00030 3101040001002000 000f0f485454505f 1...... HTTP_| mod fcgid |00040 555345525f414745 4e54417061636865 USER_AGE NTApache| mod proxy fcgi |00050 42656e63682f322e 3301040001001000 Bench/2. 3...... | mod authnz fcgi |00060 000b03485454505f 4143434550542a2f ...HTTP_ ACCEPT*/| Other tools write(cl, buf); PHP |00000 01060001041a0600 436f6e74656e742d ...... Content-| Applications and FastCGI |00010 547970653a207465 78742f706c61696e Type: te xt/plain| |00020 0a0a787878787878 7878787878787878 ..xxxxxx xxxxxxxx| Future |00030 7878787878787878 7878787878787878 xxxxxxxx xxxxxxxx| close(cl); } 10/97 } Raw FastCGI
Using FastCGI with Apache HTTP Server How the datastream is defined: 2.4 Jeff Trawick version — 1 byte, always 1
The world of type — 1 byte, stuff like begin-request, abort-request, FastCGI params, stdin-data, stdout-data, etc. FastCGI with Apache httpd request id — 2 byte request identifier 2.4
Choosing content length — 2 byte length of bundled data mod fcgid padding length — 1 byte length of padding data mod proxy fcgi the data (0–64k bytes) mod authnz fcgi
Other tools the padding (0–255 bytes)
PHP Applications |0101000100080000 0001000000000000 ...... | and FastCGI |0104000100190000 090e485454505f48 ...... HTTP_H| Future
11/97 Programming support
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick After all, nobody would want to reinvent that protocol. The world of FastCGI protocol libraries are available for use with Perl, FastCGI
FastCGI with Python, Ruby, C, etc., often based on the C library from Apache httpd Open Market. 2.4
Choosing Code to the API to implement a FastCGI application. mod fcgid With some APIs, a properly coded FastCGI app will also mod proxy fcgi work as plain CGI. mod authnz fcgi PHP supports it transparently. Other tools Some frameworks support it transparently. PHP Applications and FastCGI
Future
12/97 Dual-mode CGI/FastCGI Perl script:
use CGI::Fast; while (my $q = CGI::Fast->new) { $mode = $q->param(’mode’); print $q->header(-type => ’text/html’); print $q->start_html(’hello, world’), $q->h1(’hello, world’), $q->end_html; }
But beware of unintentionally saved state.
Perl example, moving from CGI to FastCGI
Using FastCGI CGI-only Perl script: with Apache HTTP Server use CGI; 2.4 my $q = CGI->new; Jeff Trawick $mode = $q->param(’mode’); print $q->header(-type => ’text/html’); The world of FastCGI print $q->start_html(’hello, world’), $q->h1(’hello, world’), FastCGI with $q->end_html; Apache httpd 2.4 }
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
13/97 But beware of unintentionally saved state.
Perl example, moving from CGI to FastCGI
Using FastCGI CGI-only Perl script: with Apache HTTP Server use CGI; 2.4 my $q = CGI->new; Jeff Trawick $mode = $q->param(’mode’); print $q->header(-type => ’text/html’); The world of FastCGI print $q->start_html(’hello, world’), $q->h1(’hello, world’), FastCGI with $q->end_html; Apache httpd 2.4 }
Choosing Dual-mode CGI/FastCGI Perl script: mod fcgid mod proxy fcgi use CGI::Fast; while (my $q = CGI::Fast->new) { mod authnz fcgi $mode = $q->param(’mode’); Other tools print $q->header(-type => ’text/html’); PHP print $q->start_html(’hello, world’), Applications $q->h1(’hello, world’), and FastCGI $q->end_html; Future }
13/97 Perl example, moving from CGI to FastCGI
Using FastCGI CGI-only Perl script: with Apache HTTP Server use CGI; 2.4 my $q = CGI->new; Jeff Trawick $mode = $q->param(’mode’); print $q->header(-type => ’text/html’); The world of FastCGI print $q->start_html(’hello, world’), $q->h1(’hello, world’), FastCGI with $q->end_html; Apache httpd 2.4 }
Choosing Dual-mode CGI/FastCGI Perl script: mod fcgid mod proxy fcgi use CGI::Fast; while (my $q = CGI::Fast->new) { mod authnz fcgi $mode = $q->param(’mode’); Other tools print $q->header(-type => ’text/html’); PHP print $q->start_html(’hello, world’), Applications $q->h1(’hello, world’), and FastCGI $q->end_html; Future }
But beware of unintentionally saved state. 13/97 Web server support for FastCGI applications
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Available for most web servers, including Apache httpd, Apache httpd 2.4 IIS, Lighttpd, nginx, iPlanet, and others Choosing Typically implemented as a shared library (plug-in mod fcgid module) which can be loaded if the feature is desired mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
14/97 History
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick The FastCGI protocol was originally developed in 1995–1996 for a web server from Open Market, perhaps The world of FastCGI in response to the NSAPI programming model which FastCGI with allowed for C language plug-ins for the Netscape (now Apache httpd 2.4 iPlanet once again) web server. Choosing mod fcgid http://www.fastcgi.com/devkit/doc/fcgi-spec.html mod proxy fcgi One web server implementation of particular interest, also mod authnz fcgi from Open Market: mod fastcgi 1.0 for Apache 1.0 in Other tools 1996 PHP Applications and FastCGI See the August 28, 1996 issue of Apache Week.
Future
15/97 (Surplus of C programmers?)
What happened after that?
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick FastCGI was great for converting existing CGIs (often Perl) and drastically improving performance. The world of FastCGI But: FastCGI with Apache httpd 2.4 Native web server APIs were exploited more and more,
Choosing either for existing scripting languages like Perl or new mod fcgid languages like PHP. mod proxy fcgi Apache httpd modules took off. Web developers and mod authnz fcgi deployers became accustomed to native code plug-ins. Other tools
PHP Applications and FastCGI
Future
16/97 What happened after that?
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick FastCGI was great for converting existing CGIs (often Perl) and drastically improving performance. The world of FastCGI But: FastCGI with Apache httpd 2.4 Native web server APIs were exploited more and more,
Choosing either for existing scripting languages like Perl or new mod fcgid languages like PHP. mod proxy fcgi Apache httpd modules took off. Web developers and mod authnz fcgi deployers became accustomed to native code plug-ins. Other tools
PHP Applications and FastCGI (Surplus of C programmers?)
Future
16/97 Introduces instability into server (these modules can be at least as complicated as the core server) Collisions between requirements of different modules Generally unable to support multiple script interpreter versions Potential lack of thread safety, or expensive locking
Native module drawbacks
Using FastCGI with Apache HTTP Server 2.4 Overall resource use often larger when app runs in the Jeff Trawick web server, especially for prefork model memory The world of FastCGI connections to database, LDAP, etc. FastCGI with Apache httpd Resources are often left behind on any thread/process 2.4 that occasionally runs the application — underutilized. Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
17/97 Collisions between requirements of different modules Generally unable to support multiple script interpreter versions Potential lack of thread safety, or expensive locking
Native module drawbacks
Using FastCGI with Apache HTTP Server 2.4 Overall resource use often larger when app runs in the Jeff Trawick web server, especially for prefork model memory The world of FastCGI connections to database, LDAP, etc. FastCGI with Apache httpd Resources are often left behind on any thread/process 2.4 that occasionally runs the application — underutilized. Choosing Introduces instability into server (these modules can be mod fcgid at least as complicated as the core server) mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
17/97 Generally unable to support multiple script interpreter versions Potential lack of thread safety, or expensive locking
Native module drawbacks
Using FastCGI with Apache HTTP Server 2.4 Overall resource use often larger when app runs in the Jeff Trawick web server, especially for prefork model memory The world of FastCGI connections to database, LDAP, etc. FastCGI with Apache httpd Resources are often left behind on any thread/process 2.4 that occasionally runs the application — underutilized. Choosing Introduces instability into server (these modules can be mod fcgid at least as complicated as the core server) mod proxy fcgi mod authnz fcgi Collisions between requirements of different modules
Other tools
PHP Applications and FastCGI
Future
17/97 Potential lack of thread safety, or expensive locking
Native module drawbacks
Using FastCGI with Apache HTTP Server 2.4 Overall resource use often larger when app runs in the Jeff Trawick web server, especially for prefork model memory The world of FastCGI connections to database, LDAP, etc. FastCGI with Apache httpd Resources are often left behind on any thread/process 2.4 that occasionally runs the application — underutilized. Choosing Introduces instability into server (these modules can be mod fcgid at least as complicated as the core server) mod proxy fcgi mod authnz fcgi Collisions between requirements of different modules Other tools Generally unable to support multiple script interpreter PHP Applications versions and FastCGI
Future
17/97 Native module drawbacks
Using FastCGI with Apache HTTP Server 2.4 Overall resource use often larger when app runs in the Jeff Trawick web server, especially for prefork model memory The world of FastCGI connections to database, LDAP, etc. FastCGI with Apache httpd Resources are often left behind on any thread/process 2.4 that occasionally runs the application — underutilized. Choosing Introduces instability into server (these modules can be mod fcgid at least as complicated as the core server) mod proxy fcgi mod authnz fcgi Collisions between requirements of different modules Other tools Generally unable to support multiple script interpreter PHP Applications versions and FastCGI Potential lack of thread safety, or expensive locking Future
17/97 A particular application usually can’t introduce instability into the server, so basic services and other applications are unaffected. Different applications can use different libraries, interpreter versions, framework versions, etc. Independent start/stop of web server and application Independent identity or chroot env vs. web server and other applications
But with FastCGI
Using FastCGI with Apache HTTP Server 2.4 Often the required application thread/process count is a Jeff Trawick fraction of that of the web server (so resources not left The world of FastCGI behind on threads/processes occasionally used).
FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
18/97 Different applications can use different libraries, interpreter versions, framework versions, etc. Independent start/stop of web server and application Independent identity or chroot env vs. web server and other applications
But with FastCGI
Using FastCGI with Apache HTTP Server 2.4 Often the required application thread/process count is a Jeff Trawick fraction of that of the web server (so resources not left The world of FastCGI behind on threads/processes occasionally used). FastCGI with A particular application usually can’t introduce instability Apache httpd 2.4 into the server, so basic services and other applications Choosing are unaffected. mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
18/97 Independent start/stop of web server and application Independent identity or chroot env vs. web server and other applications
But with FastCGI
Using FastCGI with Apache HTTP Server 2.4 Often the required application thread/process count is a Jeff Trawick fraction of that of the web server (so resources not left The world of FastCGI behind on threads/processes occasionally used). FastCGI with A particular application usually can’t introduce instability Apache httpd 2.4 into the server, so basic services and other applications Choosing are unaffected. mod fcgid Different applications can use different libraries, mod proxy fcgi interpreter versions, framework versions, etc. mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
18/97 Independent identity or chroot env vs. web server and other applications
But with FastCGI
Using FastCGI with Apache HTTP Server 2.4 Often the required application thread/process count is a Jeff Trawick fraction of that of the web server (so resources not left The world of FastCGI behind on threads/processes occasionally used). FastCGI with A particular application usually can’t introduce instability Apache httpd 2.4 into the server, so basic services and other applications Choosing are unaffected. mod fcgid Different applications can use different libraries, mod proxy fcgi interpreter versions, framework versions, etc. mod authnz fcgi
Other tools Independent start/stop of web server and application
PHP Applications and FastCGI
Future
18/97 But with FastCGI
Using FastCGI with Apache HTTP Server 2.4 Often the required application thread/process count is a Jeff Trawick fraction of that of the web server (so resources not left The world of FastCGI behind on threads/processes occasionally used). FastCGI with A particular application usually can’t introduce instability Apache httpd 2.4 into the server, so basic services and other applications Choosing are unaffected. mod fcgid Different applications can use different libraries, mod proxy fcgi interpreter versions, framework versions, etc. mod authnz fcgi
Other tools Independent start/stop of web server and application PHP Independent identity or chroot env vs. web server and Applications and FastCGI other applications Future
18/97 If you run the application request on web server threads, you turn cheap threads into expensive threads. If you run the application request on threads in dedicated application processes, you have lower resource consumption since you’ll have fewer expensive threads.
Relative cost of threads
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Threads that serve application requests are more The world of FastCGI expensive than threads that service static files or proxy FastCGI with requests elsewhere. Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
19/97 If you run the application request on threads in dedicated application processes, you have lower resource consumption since you’ll have fewer expensive threads.
Relative cost of threads
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Threads that serve application requests are more The world of FastCGI expensive than threads that service static files or proxy FastCGI with requests elsewhere. Apache httpd 2.4 If you run the application request on web server threads, Choosing you turn cheap threads into expensive threads. mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
19/97 Relative cost of threads
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Threads that serve application requests are more The world of FastCGI expensive than threads that service static files or proxy FastCGI with requests elsewhere. Apache httpd 2.4 If you run the application request on web server threads, Choosing you turn cheap threads into expensive threads. mod fcgid mod proxy fcgi If you run the application request on threads in dedicated mod authnz fcgi application processes, you have lower resource
Other tools consumption since you’ll have fewer expensive threads.
PHP Applications and FastCGI
Future
19/97 When the application thread isn’t a web server thread: The application often isn’t invoked until after all or much of the request is received by a server thread, and the application is relinquished before all of the response is sent to the client. Some isolation from slower clients, for better utilization of the expensive threads
Ummm, why are there fewer application threads?
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Some requests don’t run the application (static files, The world of FastCGI pings, etc.) FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
20/97 Some isolation from slower clients, for better utilization of the expensive threads
Ummm, why are there fewer application threads?
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Some requests don’t run the application (static files, The world of FastCGI pings, etc.) FastCGI with Apache httpd When the application thread isn’t a web server thread: 2.4 The application often isn’t invoked until after all or much Choosing of the request is received by a server thread, and the mod fcgid application is relinquished before all of the response is mod proxy fcgi sent to the client. mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
20/97 Ummm, why are there fewer application threads?
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Some requests don’t run the application (static files, The world of FastCGI pings, etc.) FastCGI with Apache httpd When the application thread isn’t a web server thread: 2.4 The application often isn’t invoked until after all or much Choosing of the request is received by a server thread, and the mod fcgid application is relinquished before all of the response is mod proxy fcgi sent to the client. mod authnz fcgi Some isolation from slower clients, for better utilization of Other tools the expensive threads PHP Applications and FastCGI
Future
20/97 more or different configuration required for the application
Criticisms of FastCGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI generally troublesome implementations FastCGI with Apache httpd 2.4 just switch from mod fastcgi to mod fcgid or httpd to
Choosing Lighttpd or ... mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
21/97 Criticisms of FastCGI
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI generally troublesome implementations FastCGI with Apache httpd 2.4 just switch from mod fastcgi to mod fcgid or httpd to
Choosing Lighttpd or ... mod fcgid more or different configuration required for the mod proxy fcgi application mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
21/97 Care needed with TCP to protect access Instant auth: Just set REMOTE USER Throw garbage at the TCP port, see what happens AF UNIX has filesystem permissions and is system-only.
Concerns for some special situations
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of Protocol is complex enough that unsanitized input could FastCGI expose bugs in non-mainstream protocol support in app FastCGI with Apache httpd but also in server 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
22/97 Concerns for some special situations
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of Protocol is complex enough that unsanitized input could FastCGI expose bugs in non-mainstream protocol support in app FastCGI with Apache httpd but also in server 2.4
Choosing Care needed with TCP to protect access mod fcgid Instant auth: Just set REMOTE USER mod proxy fcgi Throw garbage at the TCP port, see what happens mod authnz fcgi AF UNIX has filesystem permissions and is system-only. Other tools
PHP Applications and FastCGI
Future
22/97 Competitors
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick HTTP — If you use HTTP you can interoperate with
The world of almost anything. But if you use HTTP you have a lot to FastCGI implement to be able to interoperate with what people FastCGI with Apache httpd will throw at you. 2.4
Choosing SCGI — http://python.ca/scgi/protocol.txt mod fcgid about 100 lines, so easy to implement yourself if existing mod proxy fcgi library support isn’t available or suitable mod authnz fcgi commonly used FastCGI capabilities, plus sendfile Other tools One unfortunate omission: doesn’t provide a way for
PHP routing stderr messages (integration into web server logs). Applications and FastCGI
Future
23/97 Competitors
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick CGI — why not, if load isn’t an issue? The world of FastCGI AJP — not just for Java application servers FastCGI with Apache httpd custom 2.4 Choosing These have varying infrastructure to help with process mod fcgid management and protocol. mod proxy fcgi mod authnz fcgi Other tools (And of course mod foo and JVM or CLR-based interpreters.) PHP Applications and FastCGI
Future
24/97 Non-competitors
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI providers of APIs FastCGI with Apache httpd Modules such as mod wsgi or mod php provide an API 2.4 rather than implement a well-known wire protocol such as Choosing FastCGI, HTTP, or SCGI. mod fcgid This can use FastCGI or other protocols. IOW, WSGI and mod proxy fcgi PSGI are not competitors to FastCGI. mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
25/97 Very light load that isn’t expected to increase (e.g., some non-Internet-facing special-purpose application) I know that I can continue to run the application inside httpd even if the server as a whole scales up or switches to a different MPM
So when would I run the application inside httpd
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Very lightweight interpreter (e.g., Lua)
FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
26/97 I know that I can continue to run the application inside httpd even if the server as a whole scales up or switches to a different MPM
So when would I run the application inside httpd
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Very lightweight interpreter (e.g., Lua)
FastCGI with Apache httpd Very light load that isn’t expected to increase (e.g., some 2.4 non-Internet-facing special-purpose application) Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
26/97 So when would I run the application inside httpd
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Very lightweight interpreter (e.g., Lua)
FastCGI with Apache httpd Very light load that isn’t expected to increase (e.g., some 2.4 non-Internet-facing special-purpose application) Choosing I know that I can continue to run the application inside mod fcgid httpd even if the server as a whole scales up or switches mod proxy fcgi mod authnz fcgi to a different MPM
Other tools
PHP Applications and FastCGI
Future
26/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 FastCGI with Apache httpd 2.4 Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
27/97 Primary FastCGI modules for Apache httpd 2.4
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Several modules are available from the Apache HTTP Server The world of FastCGI project, and others are in use as well. FastCGI with Apache httpd 2.4 These can be compared based on support for key features: Choosing Application process management mod fcgid mod proxy fcgi Communication mechanism mod authnz fcgi Supported FastCGI application roles Other tools
PHP Applications and FastCGI
Future
28/97 Application process management support
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of Can the module manage the lifecycle of FastCGI application FastCGI
FastCGI with processes, based on load and the web server lifecycle? Apache httpd 2.4 A module might only interact with processes it created. Choosing A module might only interact with sockets owned by mod fcgid processes it doesn’t know about, mod proxy fcgi A module might support both models. mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
29/97 Communication mechanism support
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of What types of IPC are supported for communication with the FastCGI application? FastCGI with Apache httpd A module may or may not support TCP sockets. 2.4
Choosing A module may or may not support Unix sockets (on Unix, mod fcgid of course). mod proxy fcgi A module may or may not support local pipes (only on mod authnz fcgi Windows in practice). Other tools
PHP Applications and FastCGI
Future
30/97 FastCGI role support
Using FastCGI with Apache HTTP Server The FastCGI specification defines several different roles that a 2.4 FastCGI application may implement: Jeff Trawick responder role The world of FastCGI Generating the response body in a manner FastCGI with similar to CGI (the typical requirement) Apache httpd 2.4 authorizer role Choosing Deciding whether or not the user is authorized mod fcgid to access the requested resource. This generally mod proxy fcgi is implemented with httpd-specific extensions for mod authnz fcgi the three Apache httpd AAA phases. Other tools
PHP filter role Applications and FastCGI Generating the response body based on an extra Future stream of input data.
31/97 Primary FastCGI modules for Apache httpd 2.4
Using FastCGI with Apache HTTP Server 2.4 fcgid fastcgi proxy fcgi authnz fcgi Jeff Trawick Manages app Yes Yes No No
The world of processes? FastCGI Works with No Yes Yes Yes FastCGI with Apache httpd other processes? 2.4 TCP? No Yes Yes Yes Choosing Local sockets Yes Yes Yes No mod fcgid mod proxy fcgi or pipes? (Unix) mod authnz fcgi Responders? Yes Yes Yes No
Other tools AAA? Yes Yes No Yes (plus PHP providers) Applications and FastCGI Filters? No No No No Future
32/97 Other FastCGI modules for Apache httpd 2.4
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Kean Johnston has mentioned his work-in-progress, FastCGI with mod extfcgi, a couple of times on the httpd developer Apache httpd 2.4 mailing list, but it is not yet available. Choosing The unique feature planned is support for the FastCGI mod fcgid FILTER role. mod proxy fcgi your module here mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
33/97 About mod authnz fcgi...
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick This is not currently part of 2.4 releases; it must be
The world of obtained from httpd trunk and built separately from FastCGI httpd. FastCGI with Apache httpd http://svn.apache.org/viewvc/httpd/httpd/ 2.4
Choosing trunk/modules/aaa/mod_authnz_fcgi.c?view=co mod fcgid apxs -ci mod authnz fcgi.c mod proxy fcgi mod authnz fcgi Is it production ready? It has been tested by multiple parties, Other tools but it has not been formally reviewed for merging into the PHP Applications 2.4.x branch. I requested that last week. and FastCGI
Future
34/97 About mod fastcgi...
Using FastCGI with Apache HTTP Server 2.4 http://www.fastcgi.com/ Jeff Trawick The latest semi-official code is a snapshot created in The world of 2009; the last release was 2.4.6 in 2007. FastCGI
FastCGI with A reasonably-complete patch to add support for httpd Apache httpd 2.4 2.4 is available from a third party at https://github.
Choosing com/ByteInternet/libapache-mod-fastcgi. mod fcgid Why is mod fastcgi still interesting? Feature set / mod proxy fcgi migration headaches... mod authnz fcgi
Other tools We won’t mention mod fastcgi further.
PHP Applications I hate that, but there hasn’t been a consolidation of patches different and FastCGI people are using for one issue or another, resulting in frustration and Future wasted effort.
35/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Choosing among the contenders Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
36/97 Choosing
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick After kicking mod fastcgi to the curb, choosing among The world of FastCGI FastCGI implementations is very simple:
FastCGI with Apache httpd 2.4 If you want something to manage the application process Choosing lifecycle in conjunction with httpd, use mod fcgid. mod fcgid If you want different or more flexible application process mod proxy fcgi mod authnz fcgi lifecycle management, use mod proxy fcgi for
Other tools responders and use mod authnz fcgi for authorizers.
PHP Applications and FastCGI
Future
37/97 mod fcgid
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick mod fcgid has The world of mostly nice facilities for managing processes FastCGI
FastCGI with monitoring of processes via mod status reports Apache httpd 2.4
Choosing mod fcgid is missing mod fcgid load balancing to FastCGI processes in the usual sense mod proxy fcgi support for FastCGI apps which can handle multiple mod authnz fcgi concurrent requests or include their own process Other tools management PHP Applications and FastCGI
Future
38/97 mod proxy fcgi
Using FastCGI with Apache HTTP Server 2.4 Key considerations: Jeff Trawick Pair it with mod authnz fcgi if you need to support The world of AUTHORIZER role FastCGI
FastCGI with Does not currently support multiple requests per Apache httpd 2.4 connection (i.e., you’ll have lots of connection
Choosing establishment, lots of sockets in certain states) mod fcgid As a scheme handler for mod proxy, it shares many mod proxy fcgi features with the rest of the mod proxy family, including mod authnz fcgi Load balancing Other tools I/O parameters PHP Balancer manager Applications and FastCGI Unix socket support is a recent addition Future
39/97 mod authnz fcgi
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Notable features beyond those typically implemented: FastCGI with Apache httpd Supports combined authn/authz like in the FastCGI spec 2.4 Supports the modern provider configuration mechanism Choosing mod fcgid Supports application delivery of the response body with a mod proxy fcgi failed authn check mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
40/97 mod authnz fcgi limitations
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Notable limitations beyond those mentioned earlier:
FastCGI with Apache httpd Does not share connections with mod proxy fcgi 2.4 Does not interoperate with mod authn socache Choosing mod fcgid Does not support multiple requests per connection mod proxy fcgi Does not support the httpd access control phase mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
41/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Configuration of ASF FastCGI modules Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
42/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Configuration of ASF FastCGI modules — mod fcgid Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
43/97 Simple CGI and FastCGI configuration
Using FastCGI with Apache HTTP Server 2.4 Start with CGI: Jeff Trawick Alias /fastcgi/ \ The world of FastCGI /home/trawick/ApacheCon/inst/fastcgi/ FastCGI with Apache httpd 2.4
44/97 More classic CGI configuration
Using FastCGI with Apache HTTP Server
FastCGI with Apache httpd
Additional configuration is likely except for sites with only relatively simple FastCGI applications.
mod fcgid — Is that all?
Using FastCGI with Apache HTTP Server 2.4 It might be, unless... Jeff Trawick default timeouts or other I/O settings aren’t okay The world of FastCGI connect timeout, read/write timeout, hang detection FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
46/97 limits on numbers of processes, rules for shrinking the pool minor protocol adjustments, environment variables, etc.
Additional configuration is likely except for sites with only relatively simple FastCGI applications.
mod fcgid — Is that all?
Using FastCGI with Apache HTTP Server 2.4 It might be, unless... Jeff Trawick default timeouts or other I/O settings aren’t okay The world of FastCGI connect timeout, read/write timeout, hang detection FastCGI with Apache httpd default process management isn’t okay 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
46/97 minor protocol adjustments, environment variables, etc.
Additional configuration is likely except for sites with only relatively simple FastCGI applications.
mod fcgid — Is that all?
Using FastCGI with Apache HTTP Server 2.4 It might be, unless... Jeff Trawick default timeouts or other I/O settings aren’t okay The world of FastCGI connect timeout, read/write timeout, hang detection FastCGI with Apache httpd default process management isn’t okay 2.4 limits on numbers of processes, rules for shrinking the Choosing pool mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
46/97 Additional configuration is likely except for sites with only relatively simple FastCGI applications.
mod fcgid — Is that all?
Using FastCGI with Apache HTTP Server 2.4 It might be, unless... Jeff Trawick default timeouts or other I/O settings aren’t okay The world of FastCGI connect timeout, read/write timeout, hang detection FastCGI with Apache httpd default process management isn’t okay 2.4 limits on numbers of processes, rules for shrinking the Choosing pool mod fcgid mod proxy fcgi minor protocol adjustments, environment variables, etc. mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
46/97 mod fcgid — Is that all?
Using FastCGI with Apache HTTP Server 2.4 It might be, unless... Jeff Trawick default timeouts or other I/O settings aren’t okay The world of FastCGI connect timeout, read/write timeout, hang detection FastCGI with Apache httpd default process management isn’t okay 2.4 limits on numbers of processes, rules for shrinking the Choosing pool mod fcgid mod proxy fcgi minor protocol adjustments, environment variables, etc. mod authnz fcgi
Other tools
PHP Additional configuration is likely except for sites with only Applications and FastCGI relatively simple FastCGI applications.
Future
46/97 Hung process detection
Using FastCGI with Apache HTTP Server 2.4 By default, if a request does not complete within five minutes Jeff Trawick the application will be terminated. The world of No way to disable. Fixme. FastCGI
FastCGI with Apache httpd # my report generates output over a long period of 2.4 # time; don’t kill it Choosing mod fcgid FcgidBusyTimeout 3600 mod proxy fcgi mod authnz fcgi # kill anything that doesn’t respond within 30
Other tools # seconds PHP FcgidBusyTimeout 30 Applications and FastCGI
Future
47/97 I/O timeouts (hung process?)
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick By default, if no data can be read or written within 40 The world of seconds, the application will be terminated. FastCGI
FastCGI with Apache httpd # my report generates output over a long period of 2.4 # time; don’t kill it Choosing FcgidBusyTimeout 3600 mod fcgid # oh, and there are long pauses between generation mod proxy fcgi # of any output mod authnz fcgi
Other tools FcgidIOTimeout 300
PHP Applications and FastCGI
Future
48/97 Process management
Using FastCGI with Apache HTTP Server 2.4 Simple stuff: Jeff Trawick FcgidMaxProcesses — global limit on number of The world of FastCGI processes FastCGI with Apache httpd FcgidMaxProcessesPerClass — limit on number of 2.4 processes per application Choosing mod fcgid FcgidIdleTimeout — termination after idle for this long mod proxy fcgi FcgidMaxRequestsPerProcess — termination after mod authnz fcgi handling this many requests Other tools FcgidProcessLifetime — termination after alive for this PHP Applications long and FastCGI
Future
49/97 Tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI Spawn score: internal calculation which represents process activity for a FastCGI application; used to determine if a new FastCGI with Apache httpd instance (process) can be created. 2.4
Choosing # Set this high. If actual score is higher for an app, mod fcgid # more instances can’t be created. FcgidSpawnScoreUpLimit 7000 mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
50/97 Tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Spawn score: internal calculation which represents process The world of FastCGI activity for a FastCGI application; used to determine if a new
FastCGI with instance (process) can be created. Apache httpd 2.4 FcgidSpawnScoreUpLimit 7000 Choosing mod fcgid # Default value. Each process creation adds this to the mod proxy fcgi # score. mod authnz fcgi FcgidSpawnScore 1
Other tools
PHP Applications and FastCGI
Future
51/97 Tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Spawn score: internal calculation which represents process
The world of activity for a FastCGI application; used to determine if a new FastCGI instance (process) can be created. FastCGI with Apache httpd FcgidSpawnScoreUpLimit 7000 2.4 FcgidSpawnScore 1 Choosing mod fcgid # By default, termination increases the score. But why? mod proxy fcgi # If a process goes away, create additional headroom for mod authnz fcgi # creating a replacement.
Other tools FcgidTerminationScore -1
PHP Applications and FastCGI
Future
52/97 Tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Spawn score: internal calculation which represents process The world of activity for a FastCGI application; used to determine if a new FastCGI instance (process) can be created. FastCGI with Apache httpd 2.4 FcgidSpawnScoreUpLimit 7000
Choosing FcgidSpawnScore 1 FcgidTerminationScore -1 mod fcgid mod proxy fcgi # Subtracted from the score each second. mod authnz fcgi FcgidTimeScore 3 Other tools
PHP Applications and FastCGI
Future
53/97 Ugly tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI mod fcgid scans for certain conditions at configurable intervals. The default values for the intervals are quite high FastCGI with Apache httpd for some — 120 seconds. 2.4
Choosing # Scan for processes which have exceeded idle timeout every mod fcgid # second. FcgidIdleScanInterval 0 mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
54/97 Ugly tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of mod fcgid scans for certain conditions at configurable FastCGI intervals. The default values for the intervals are quite high FastCGI with for some — 120 seconds. Apache httpd 2.4 FcgidIdleScanInterval 0 Choosing mod fcgid # Scan for processes which need to be terminated every second. mod proxy fcgi FcgidErrorScanInterval 0 mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
55/97 Ugly tuning of process management algorithms
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick mod fcgid scans for certain conditions at configurable
The world of intervals. The default values for the intervals are quite high FastCGI for some — 120 seconds. FastCGI with Apache httpd FcgidIdleScanInterval 0 2.4 FcgidErrorScanInterval 0 Choosing mod fcgid # Scan for zombie processes every second. mod proxy fcgi # (Why don’t we just call waitpid() to see if any children mod authnz fcgi # exited?)
Other tools FcgidZombieScanInterval 0
PHP Applications and FastCGI
Future
56/97 FcgidMaxRequestLen limits the amount of body that will be spooled; the request fails (500) if the body exceeds this amount. The default limit is 128K. Set this lower if you can.
Don’t trust the common WordPress configuration instructions that tell you to increase this to the max (denial of service), but be aware that you may need to increase it to handle larger uploads with WordPress or any other application.
Unfortunately this is a strike against cheaper web server threads.
Request body limits
Using FastCGI with Apache mod fcgid is very aggressive in isolating the application HTTP Server 2.4 from slow clients, to the extent that it will first read the
Jeff Trawick request body before sending to the application.
The world of FastCGI
FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
57/97 The default limit is 128K. Set this lower if you can.
Don’t trust the common WordPress configuration instructions that tell you to increase this to the max (denial of service), but be aware that you may need to increase it to handle larger uploads with WordPress or any other application.
Unfortunately this is a strike against cheaper web server threads.
Request body limits
Using FastCGI with Apache mod fcgid is very aggressive in isolating the application HTTP Server 2.4 from slow clients, to the extent that it will first read the
Jeff Trawick request body before sending to the application. FcgidMaxRequestLen limits the amount of body that The world of FastCGI will be spooled; the request fails (500) if the body FastCGI with exceeds this amount. Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
57/97 Request body limits
Using FastCGI with Apache mod fcgid is very aggressive in isolating the application HTTP Server 2.4 from slow clients, to the extent that it will first read the
Jeff Trawick request body before sending to the application. FcgidMaxRequestLen limits the amount of body that The world of FastCGI will be spooled; the request fails (500) if the body FastCGI with exceeds this amount. Apache httpd 2.4 The default limit is 128K. Choosing Set this lower if you can. mod fcgid mod proxy fcgi Don’t trust the common WordPress configuration instructions mod authnz fcgi that tell you to increase this to the max (denial of service), Other tools
PHP but be aware that you may need to increase it to handle larger Applications and FastCGI uploads with WordPress or any other application.
Future Unfortunately this is a strike against cheaper web server threads. 57/97 Wrappers
Using FastCGI with Apache HTTP Server 2.4 a command which will run for certain requests — by Jeff Trawick container or extension The world of typically is outside of the web space FastCGI
FastCGI with typically is a script which encapsulates command-line Apache httpd 2.4 parameters and environment settings such as envvars and
Choosing ulimits mod fcgid mod proxy fcgi
58/97 Command-specific options
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick Most directives apply to every app in a certain container (vhost or per-dir). The world of FastCGI FcgidCmdOptions allows many directives to be applied for a FastCGI with single specific command. Apache httpd 2.4 Choosing FcgidCmdOptions /path/to/info.pl \ mod fcgid IdleTimeout 30 \ mod proxy fcgi InitialEnv VHOST=www2.example.com \ mod authnz fcgi IOTimeout 5 \ Other tools MaxRequestsPerProcess 10000 PHP Applications and FastCGI
Future
59/97 mod fcgid’s server status support
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Jeff, this is where you show the sample server-status page. Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
60/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Configuration of ASF FastCGI modules — mod proxy fcgi Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
61/97 Simplest mod proxy fcgi
Using FastCGI with Apache HTTP Server LoadModule proxy_module modules/mod_proxy.so 2.4 LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so Jeff Trawick
The world of ProxyPass /app/ fcgi://127.0.0.1:10080/ FastCGI
FastCGI with Apache httpd Not so interesting; just replace “http” in the usual pattern 2.4 with “fcgi”. There’s no need for ProxyPassReverse. Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
62/97 Add load balancing
Using FastCGI with Apache LoadModule proxy_module modules/mod_proxy.so HTTP Server LoadModule proxy_balancer_module modules/mod_proxy_balancer.so 2.4 LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so Jeff Trawick LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
The world of FastCGI ProxyPass /app/ balancer://app-pool/
Other tools
PHP Applications and FastCGI
Future
63/97 Use Unix sockets instead
Using FastCGI with Apache HTTP Server LoadModule proxy_module modules/mod_proxy.so 2.4 LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so Jeff Trawick ProxyPass /app/ unix:/var/run/FCGI/hello|fcgi://127.0.0.1/ The world of FastCGI
FastCGI with Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
64/97 Add load balancing (again)
Using FastCGI with Apache LoadModule proxy_module modules/mod_proxy.so HTTP Server LoadModule proxy_balancer_module modules/mod_proxy_balancer.so 2.4 LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so Jeff Trawick LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
The world of FastCGI ProxyPass /app/ balancer://app-pool/
Other tools
PHP Applications and FastCGI
Future
65/97 Proxy examples showing important protocol data
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick We’ll use this configuration with a Perl FastCGI script that The world of FastCGI spits out important variables:
FastCGI with Apache httpd ProxyPass /app1/ fcgi://127.0.0.1:10101/ 2.4 ProxyPass /app2/ unix:/tmp/app2|fcgi://127.0.0.1:10102/ Choosing ProxyPass /app1a/ fcgi://127.0.0.1:10101/ mod fcgid
Other tools
PHP Applications and FastCGI
Future
66/97 The script
Using FastCGI with Apache HTTP Server This is essentially printenv for FastCGI, that only prints 2.4
Jeff Trawick certain variables.
The world of FastCGI #!/usr/bin/perl
FastCGI with use CGI::Fast; Apache httpd 2.4 my %dumpme = ("SCRIPT_NAME" => 1, ...);
Choosing while (my $q = CGI::Fast->new) { mod fcgid print "Content-Type: text/plain\r\n\r\n"; mod proxy fcgi foreach my $env (keys %ENV) { mod authnz fcgi print "env $env = $ENV{$env}\n" Other tools if $dumpme{$env}; PHP Applications } and FastCGI } Future
67/97 Running the script
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI $ spawn-fcgi -n -a 127.0.0.1 -p 10101 ./showenv.pl FastCGI with ... Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi $ spawn-fcgi -n -s /tmp/app2 ./showenv.pl mod authnz fcgi ...
Other tools
PHP Applications and FastCGI
Future
68/97 http://127.0.0.1:8080/app1/a/b/c?a=true
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick env SCRIPT_NAME = /app1/a/b/c The world of FastCGI env FCGI_ROLE = RESPONDER FastCGI with env GATEWAY_INTERFACE = CGI/1.1 Apache httpd 2.4 env SERVER_PORT = 8080 Choosing env REQUEST_URI = /app1/a/b/c?a=true mod fcgid env SERVER_ADDR = 127.0.0.1 mod proxy fcgi env HTTP_HOST = 127.0.0.1:8080 mod authnz fcgi env REQUEST_SCHEME = http Other tools env QUERY_STRING = a=true PHP Applications and FastCGI
Future
69/97 http://127.0.0.1:8080/app2/a/b/c?a=true
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick env SCRIPT_NAME = /app2/a/b/c The world of FastCGI env FCGI_ROLE = RESPONDER FastCGI with env GATEWAY_INTERFACE = CGI/1.1 Apache httpd 2.4 env SERVER_PORT = 8080 Choosing env REQUEST_URI = /app2/a/b/c?a=true mod fcgid env SERVER_ADDR = 127.0.0.1 mod proxy fcgi env HTTP_HOST = 127.0.0.1:8080 mod authnz fcgi env REQUEST_SCHEME = http Other tools env QUERY_STRING = a=true PHP Applications and FastCGI
Future
70/97 http://127.0.0.1:8080/app1a/a/b/c?a=true
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick env SCRIPT_NAME = /app1a The world of env FCGI_ROLE = RESPONDER FastCGI env GATEWAY_INTERFACE = CGI/1.1 FastCGI with Apache httpd env SERVER_PORT = 8080 2.4
Choosing env REQUEST_URI = /app1a/a/b/c?a=true mod fcgid env SERVER_ADDR = 127.0.0.1 mod proxy fcgi env HTTP_HOST = 127.0.0.1:8080 mod authnz fcgi env PATH_INFO = /a/b/c Other tools env REQUEST_SCHEME = http PHP env QUERY_STRING = a=true Applications and FastCGI
Future
71/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 Configuration of ASF FastCGI modules — mod authnz fcgi Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
72/97 FastCGI AUTHORIZER
Using FastCGI This example uses the provider interface for collaboration with with Apache HTTP Server other providers in more complex configurations. 2.4
Jeff Trawick This is for a standard AUTHORIZER that will perform the The world of FastCGI equivalent of authentication and authorization. (It will not see
FastCGI with FCGI APACHE ROLE.) Apache httpd 2.4 AuthnzFcgiDefineProvider authnz FooAuthnz fcgi://localhost:10103/ Choosing
Jeff Trawick
The world of FastCGI FastCGI with Managing external processes Apache httpd 2.4
Choosing (if you’re not using mod fcgid) mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
74/97 Types of tools
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of A couple of tools shown here only get the application FastCGI processes started. They aren’t any help by themselves if the FastCGI with Apache httpd processes terminate unexpectedly. 2.4 Choosing A couple of other tools shown here can be used to control mod fcgid lifecycle (potentially with the system lifecycle) and ensure mod proxy fcgi availability by reacting when the processes terminate mod authnz fcgi unexpectedly. Other tools
PHP Applications and FastCGI
Future
75/97 fcgistarter
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick It only supports TCP/IP sockets, and only on Unix.
The world of In general this implements a rather basic subset of FastCGI features in spawn-fcgi (from the Lighttpd folks). FastCGI with Apache httpd On the bright side, it is bundled with httpd 2.4, and is 2.4
Choosing thus always available for testing. mod fcgid mod proxy fcgi $ fcgistarter -c $PWD/TestAuthn.pl -p 10000 mod authnz fcgi
Other tools
PHP The path to the application is resolved after changing Applications and FastCGI directory to /, so a fully-qualified path is required.
Future
76/97 spawn-fcgi
Using FastCGI with Apache HTTP Server 2.4 Notable features beyond fcgistarter: Jeff Trawick Unix socket support The world of FastCGI pid file support FastCGI with no-fork mode for use with higher-level programs like Apache httpd 2.4 daemontools Choosing chroot, set user, set group, and other identity-related mod fcgid features mod proxy fcgi mod authnz fcgi and better diagnostics messages
Other tools
PHP $ spawn-fcgi -p 10000 TestAuthn.pl Applications and FastCGI
Future
77/97 daemontools
Using FastCGI with Apache HTTP Server Relatively popular for managing FastCGI applications 2.4 Create a service script for the application that Jeff Trawick daemontools can use to up application and The world of FastCGI framework-specific envvars and start the application. FastCGI with Use svc command to handle lifecycle (-u for up, -d for Apache httpd 2.4 down). Choosing mod fcgid Example /etc/service/SERVICE-NAME/run: mod proxy fcgi mod authnz fcgi #!/bin/sh export PERL5LIB=/home/trawick/perl5/lib/perl5 Other tools cd /tmp PHP Applications exec 2>&1 and FastCGI exec spawn-fcgi -p 10000 -u trawick -n \ Future /home/trawick/bin/TestAuthn.pl
78/97 supervisor a.k.a. supervisord
Using FastCGI with Apache Broadly similar to daemontools HTTP Server 2.4 Can create sockets Jeff Trawick Knows about FastCGI in particular and groups of The world of processes listening on the same socket FastCGI
FastCGI with Apache httpd Example VIRTUALENV-ROOT/etc/supervisord.conf: 2.4
Choosing [supervisord] mod fcgid [fcgi-program:testauthn] mod proxy fcgi command=/home/trawick/bin/TestAuthn.pl mod authnz fcgi socket=tcp://localhost:10001 Other tools process_name=%(program_name)s_%(process_num)02d PHP numprocs=4 Applications and FastCGI user=trawick environment=PERL5LIB=/home/trawick/perl5/lib/perl5 Future directory=/tmp
79/97 PHP-FPM
Using FastCGI with Apache Part of modern PHP distributions HTTP Server 2.4 Configurable management of PHP FastCGI processes Jeff Trawick php-fpm is alternative to php-cgi
The world of FastCGI pid = /var/log/httpd/php-fpm.pid
FastCGI with error_log = /var/log/httpd/php_error_log Apache httpd 2.4 log_level = debug
Choosing listen = 127.0.0.1:8081 mod fcgid pm = dynamic mod proxy fcgi pm.max_children = 20 mod authnz fcgi pm.min_spare_servers = 5 Other tools pm.max_spare_servers = 20 PHP pm.max_requests = 0 Applications and FastCGI user = george Future group = ringo
80/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 API/protocol adapters Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
81/97 API/protocol adapters
Using FastCGI Web applications written to some standard API may need an adapter with Apache HTTP Server to create a FastCGI protocol endpoint. 2.4 Jeff Trawick A Django example, using flup for WSGI under the covers:
The world of FastCGI $ ./manage.py runfcgi host=127.0.0.1 port=8000 FastCGI with Apache httpd 2.4
Choosing A Perl example, using plackup for PSGI: mod fcgid $ plackup -s FCGI --listen /var/run/FCGI/hello hello.psgi mod proxy fcgi mod authnz fcgi
Other tools You’ll probably need to use this in conjunction with a more
PHP general process management tool for reliability and lifecycle Applications management. and FastCGI
Future
82/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 PHP Applications and FastCGI Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
83/97 Can work fine with Apache httpd too
PHP and FastCGI
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Not at all uncommon... The world of FastCGI FastCGI has long been required or recommended for PHP with FastCGI with Apache httpd 2.4 nginx Choosing Lighttpd mod fcgid mod proxy fcgi Zeus mod authnz fcgi IIS Other tools
PHP Applications and FastCGI
Future
84/97 PHP and FastCGI
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Not at all uncommon... The world of FastCGI FastCGI has long been required or recommended for PHP with FastCGI with Apache httpd 2.4 nginx Choosing Lighttpd mod fcgid mod proxy fcgi Zeus mod authnz fcgi IIS Other tools Can work fine with Apache httpd too PHP Applications and FastCGI
Future
84/97 In PHP wrapper: PHP_FCGI_MAX_REQUESTS=10000
In PHP-FPM configuration: pm.max_requests = 10000
In fcgid configuration: FcgidMaxRequestsPerProcess 10000
PHP with mod fcgid
Using FastCGI with Apache HTTP Server PHP FastCGI processes did exit after 500 requests 2.4
Jeff Trawick Now that is disabled by default with PHP-FPM
The world of If you need to use the feature: FastCGI
FastCGI with Synchronize mod fcgid and PHP limits to avoid 500 error. Apache httpd 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
85/97 In PHP-FPM configuration: pm.max_requests = 10000
In fcgid configuration: FcgidMaxRequestsPerProcess 10000
PHP with mod fcgid
Using FastCGI with Apache HTTP Server PHP FastCGI processes did exit after 500 requests 2.4
Jeff Trawick Now that is disabled by default with PHP-FPM
The world of If you need to use the feature: FastCGI
FastCGI with Synchronize mod fcgid and PHP limits to avoid 500 error. Apache httpd 2.4 In PHP wrapper: Choosing mod fcgid PHP_FCGI_MAX_REQUESTS=10000 mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
85/97 In fcgid configuration: FcgidMaxRequestsPerProcess 10000
PHP with mod fcgid
Using FastCGI with Apache HTTP Server PHP FastCGI processes did exit after 500 requests 2.4
Jeff Trawick Now that is disabled by default with PHP-FPM
The world of If you need to use the feature: FastCGI
FastCGI with Synchronize mod fcgid and PHP limits to avoid 500 error. Apache httpd 2.4 In PHP wrapper: Choosing mod fcgid PHP_FCGI_MAX_REQUESTS=10000 mod proxy fcgi mod authnz fcgi In PHP-FPM configuration: Other tools pm.max_requests = 10000 PHP Applications and FastCGI
Future
85/97 PHP with mod fcgid
Using FastCGI with Apache HTTP Server PHP FastCGI processes did exit after 500 requests 2.4
Jeff Trawick Now that is disabled by default with PHP-FPM
The world of If you need to use the feature: FastCGI
FastCGI with Synchronize mod fcgid and PHP limits to avoid 500 error. Apache httpd 2.4 In PHP wrapper: Choosing mod fcgid PHP_FCGI_MAX_REQUESTS=10000 mod proxy fcgi mod authnz fcgi In PHP-FPM configuration: Other tools pm.max_requests = 10000 PHP Applications and FastCGI In fcgid configuration: Future FcgidMaxRequestsPerProcess 10000
85/97 mod fcgid PHP limitation
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick PHP FastCGI process management ineffective (wasted) with mod fcgid, which routes only single concurrent The world of FastCGI requests to the socket of a process which it has spawned. FastCGI with Apache httpd 2.4 PHP-FPM: If you need to use this for other reasons,
Choosing leave PHP child process management disabled: mod fcgid pm static mod proxy fcgi pm.max_children 0 mod authnz fcgi Other tools PHP-CGI: PHP Applications PHP_FCGI_CHILDREN=0 and FastCGI
Future
86/97 Without PHP child process management, PHP opcode caches are not very effective. Cache is serially reused within single process when the same fcgid-spawned process handles another request.
mod fcgid PHP limitation
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of But: FastCGI With PHP process management, single cache can be FastCGI with Apache httpd used concurrently by many processes. 2.4
Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
87/97 mod fcgid PHP limitation
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of But: FastCGI With PHP process management, single cache can be FastCGI with Apache httpd used concurrently by many processes. 2.4
Choosing Without PHP child process management, PHP opcode mod fcgid caches are not very effective. Cache is serially reused mod proxy fcgi within single process when the same fcgid-spawned mod authnz fcgi process handles another request. Other tools
PHP Applications and FastCGI
Future
87/97 mod fcgid PHP difference
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with PHP flags in .htaccess files — no longer respected when Apache httpd 2.4 you move from mod php to FastCGI Choosing on Windows, mod php strips the drive letter from mod fcgid SCRIPT NAME; mod fcgid doesn’t mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
88/97 mod fcgid PHP example with PHP-CGI
Using FastCGI .conf: with Apache HTTP Server LoadModule fcgid_module modules/mod_fcgid.so 2.4 Jeff Trawick FcgidMaxRequestsPerProcess 5000
The world of FastCGI # Uncomment the following line if cgi.fix_pathinfo is set to 1 in # php.ini: FastCGI with # FcgidFixPathinfo 1 Apache httpd 2.4 Alias /php/ /home/trawick/myhg/apache/documents/AC2012EU/php/ Choosing
Future
89/97 mod fcgid PHP example with PHP-CGI
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Wrapper script: The world of FastCGI #!/bin/sh FastCGI with Apache httpd export PHPRC=/home/trawick/myhg/\ 2.4 apache/documents/AC2012EU/ Choosing export PHP_FCGI_MAX_REQUESTS=5000 mod fcgid export PHP_FCGI_CHILDREN=0 mod proxy fcgi exec /usr/bin/php-cgi mod authnz fcgi Other tools and be sure to make this script executable PHP Applications and FastCGI
Future
90/97 PHP and mod proxy fcgi
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick General considerations:
The world of FastCGI Use PHP-FPM — no limitations like you have with
FastCGI with mod fcgid. Apache httpd 2.4 With most recent httpd 2.4.x on Unix, use Unix sockets Choosing for better speed. mod fcgid mod proxy fcgi Details of configuration: mod authnz fcgi
Other tools
PHP http://wiki.apache.org/httpd/PHP-FPM. Applications and FastCGI
Future
91/97 Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of FastCGI
FastCGI with Apache httpd 2.4 The future Choosing mod fcgid mod proxy fcgi mod authnz fcgi
Other tools
PHP Applications and FastCGI
Future
92/97 Concern about mod fcgid
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick My 2¢... The world of FastCGI mod fcgid’s inability to route more than one concurrent FastCGI with Apache httpd request per spawned process affects its viability for PHP 2.4 deployments, a traditional area of strength. Choosing mod fcgid is not currently getting sufficient love to keep mod fcgid up with bug reports, or resolve long-standing limitations. mod proxy fcgi mod authnz fcgi A couple of more interested developers is required to keep
Other tools mod fcgid moving forward.
PHP Applications and FastCGI
Future
93/97 A potentially interesting path...
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Hypothetical mod XXX that can manage application processes The world of FastCGI Process lifetime fits within that of httpd FastCGI with Configured in .conf Apache httpd 2.4 Sets up listening sockets or pipes if needed
Choosing Same implementation, same configuration mechanism for mod fcgid command-line, ports, envvars, etc. regardless of protocol mod proxy fcgi Other modules, such as mod proxy, should be able to mod authnz fcgi symbolically reference the addresses of applications Other tools managed by mod XXX to avoid duplicating that aspect PHP Applications of the configuration. and FastCGI
Future
94/97 A potentially interesting path...
Using FastCGI with Apache HTTP Server 2.4 Jeff Trawick Or...
The world of mod XXX can issue commands to a more general FastCGI purpose process manager like daemontools or supervisord FastCGI with Apache httpd to bring up the application processes with server startup 2.4 and vice versa on server termination. Choosing mod fcgid Since in this case mod XXX would not own the mod proxy fcgi configuration for the application processes, other mod authnz fcgi mod proxy or other httpd modules probably wouldn’t be
Other tools able to symbolically reference aspects of the PHP configuration. Applications and FastCGI
Future
95/97 More information about the ASF modules
Using FastCGI with Apache Documentation: HTTP Server 2.4 http://httpd.apache.org/mod_fcgid/mod/mod_ Jeff Trawick fcgid.html The world of FastCGI http://httpd.apache.org/docs/2.4/mod/mod_ FastCGI with proxy_fcgi.html Apache httpd 2.4 http://httpd.apache.org/docs/trunk/mod/mod_ Choosing authnz_fcgi.html mod fcgid http://wiki.apache.org/httpd/PHP-FPM mod proxy fcgi mod authnz fcgi Mailing lists: Other tools User support: PHP Applications http://httpd.apache.org/userslist.html and FastCGI Development: Future http://httpd.apache.org/lists.html#http-dev
96/97 More general information
Using FastCGI with Apache HTTP Server 2.4
Jeff Trawick
The world of ApacheCon NA 2010 preso with more information on FastCGI mod fcgid and (versus) mod fastcgi: http://people. FastCGI with Apache httpd apache.org/ trawick/AC2010-FastCGI.pdf 2.4 ~
Choosing ApacheCon EU 2012 preso with information on mod fcgid interfacing with more types of external application mod proxy fcgi processes: http://people.apache.org/~trawick/ mod authnz fcgi AC2012EU-Apps.pdf Other tools
PHP Applications and FastCGI
Future
97/97