What's the difference between running PHP using FastCGI or as an Apache Module?
I have been a web developer using PHP for years now, and my work laptop runs CentOS with PHP5 as an Apache Module. This suits me just fine for development, but now I want to set up a web server that runs PHP 4.4.8 and PHP 5.2.5 and offer hosting to people. I know PHP4 is very old, but I am looking to offer my users the freedom of choice, as there are still third party applications out there that may need to be run on PHP4.
I will want PHP 5 to be the default, and allow PHP 4 to be used if either the file extension is .php4, or they have a line in their .htaccess file. I have seen various tutorials in search engine results saying that, to run both, I can do one of the following:
1. Install PHP5 as a module, and run PHP4 using FastCGI
2. Install PHP5 and PHP4 and run both using FastCGI
3. Install PHP4 as a module, and run PHP5 using FastCGI
In the future I will also be looking to support PHP6 once a stable version has been released, though that will probably be optional to begin with and require a line in the .htaccess file too - like PHP4. I will be using Apache 2.2.8 on CentOS 5.1. I am also looking to install Ruby on Rails and Django too, which I think use FastCGI.
What's the difference between running as an Apache Module, or using FastCGI? This will be for a shared hosting environment, so performance over lots of connections, stability and security are my concerns. Should I run everything using FastCGI? If not, would the default PHP version be better off installed as an Apache Module?
If you're using Apache 2.2.8, it depends on what MPM you're using.
With the traditional prefork module, Apache runs as nobody/nogroup, and thus PHP, when run as a module, will run as nobody/nogroup. File permissions for all your users thus need to be set in potentially insecure ways so that the webserver can read the files or so the scripts can write to files in their directories. If you're going to use a traditional prefork module, one "secure" way to permit PHP is to use FastCGI; the next best is to use mod_suphp.
With newer versions of Apache you can use the perchild MPM, which helps deal with some of the security issues of running Apache as a module. It may, however, present entirely new issues, especially if you're using some control panel which doesn't understand it.
The biggest difference overall with FastCGI, other than security benefits, is that it makes it so you can create entirely different "application" servers... you can have separate server/s which will do nothing but run code for you.
#2 is the safest and best way to implement PHP assuming you're using a normal Apache prefork MPM.
#4 (Run both as a module) if you understand how to configure Apache 2.2 using a perchild MPM.
#1 or #3 aren't recommended...
Standard disclaimers apply: I could be completely wrong.
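An added example, not part of the thread: a small audit of one customer's docroot for the permission settings described above, where files are left open to every local account so that a shared web server uid can read or write them. The function names, the extension list and the sample tree are constructed for illustration.

```python
import os
import stat

# Extensions treated as PHP source (assumed list; .php4 is the extension from the question).
SCRIPT_EXTS = (".php", ".php4", ".php5", ".inc")

def audit_docroot(root):
    """Return sorted (relative_path, finding) pairs for one customer's docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not used for access checks on Linux
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Writable by every local uid, including a shared account that
                # all customers' scripts run as when PHP is an Apache module.
                findings.append((rel, "world-writable"))
            elif (stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH
                  and name.lower().endswith(SCRIPT_EXTS)):
                # Source, and any credentials in it, is readable by other accounts.
                findings.append((rel, "script readable by other users"))
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample tree; names and modes are illustrative only."""
    layout = {"index.php": 0o644, "config.php": 0o600, "style.css": 0o644,
              "uploads/photo.jpg": 0o666, "legacy/app.php4": 0o640}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "legacy"), 0o755)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, finding in audit_docroot(tmp):
            print(f"{finding:32} {rel}")
```

Entries it reports are the ones to revisit once each customer's PHP runs under that customer's own uid.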
Thank you Lightwave. I have just read in the PHP manual that there are potentially permissions problems with running PHP as an Apache Module. So it would probably be best to run all my PHP versions as FastCGI then? Is that what you would do in this situation?
On a tangent... Lighttpd looks good for performance, but I am not sure if cPanel will be able to administer it. Apache is probably more stable/secure as it has been in development for a lot longer.
cPanel won't work with lighttpd. Although it's still faster, lighttpd isn't the order of magnitude better than Apache that it once was. One thing to beware of with FastCGI - if you use it to implement security, you need a different FastCGI process running for each pool of threads that belong to a different user. Therefore, it is great for small numbers of users but you run out of memory if you have hundreds.