Is Apache 2.0 Worth the Switch for PHP?
An anonymous reader writes "It seems like some of the members of the Apache Software Foundation are a little angry with the PHP Community because they don't recommend using Apache 2.0 with PHP. Since PHP is installed on half of all Apache servers this is a major issue for them. A number of high-profile PHP community members such as John Coggeshall and Chris Shiflett have blogged about this decision in light of a recent posting by Apache Software Foundation Member Rich Bowen which called PHP's anti-Apache2 stance FUD. Is there any real reason for the PHP community to start recommending Apache 2.0, especially when the 1.3.x series of Apache is rock solid and proven? Note Rich did later commend PHP for being a great product, so it's not all flames."
It should probably be noted that PHP used to be an official Apache Software Foundation project until it was mutually agreed to end this relationship. I have no clue as to what the underlying reasons were and as an ASF member myself would rather not speculate on this. See ASF Board Meeting Minutes for Feb 2004 (section 5.G).
P.S. Apache 2.0 is great and there is no reason not to use it IMO.
Apache 2 and a recent Linux kernel come pretty close to the theoretical limits of the hardware when it comes to serving static content. It just loafs along while saturating whatever net connection you give it. It's worth trying out.
Bruce
Bruce Perens.
I run a FreeBSD server with Apache 1.3.33 and PHP 4.3.10. When I was upgrading it a week or two ago to FreeBSD 5.3, I thought about making the switch to Apache 2.0. But then I thought ... What is that going to bring me?
Apache 1.3 has been working flawlessly for me. Until I have a compelling need to switch to Apache 2.0, I'm not going to. I understand that there are some nifty new features in Apache 2.0, but not a single one of them is something that I want/need.
This, I think, is the primary reason why people aren't going to Apache 2.0 in droves, not the PHP team's "FUD".
If Apache wanted people to move to 2, they should provide benefits that make people want to go through the effort to move.
What is supposed to be the problem?
Sent from my ASR33 using ASCII
This was the major reason that PHP has been said not to be used with Apache2. It has NOTHING to do with Apache, it's potential security issues with PHP and some non-thread-safe **EXTERNAL** libs. 95% of it is security related issues. If you're willing to pay attention to your server (like all good admins are supposed to do) there's no real problems that I've seen.
I'm using PHP on Apache 2.0 production servers right now. Honestly, I can say that PHP is more at fault for its own problems. I think that having lots of configurable options for a programming language is a bad idea. It leads to applications working on one installation of PHP, but not another. Administrators who enable things like safe_mode and turn off register_globals on shared servers are made fun of by ignorant programmers who don't understand what safe_mode is for and its usefulness. I have encountered all of this.
The one thing that I wish PHP would take advantage of in Apache 2.0 is the ability to run code as a user other than the web server. Every time I bring this up with the PHP developers, nobody really runs with it. A feature like this would make PHP much better in shared systems and prevent people from having to do weird things to ensure security. I guess PHP is not that great for shared systems right now.
Is there a list somewhere of extensions that are known to be non-thread safe? Or do I need to just test them one by one?
-Bucky
Commercial software vendors typically deploy products in this manner. They fork the code base, or rewrite it entirely but continue to maintain and support the old base for many years.
The apache foundation is one of the FEW open source projects that actually do this. It's probably one of the reasons why the apache webserver is so ubiquitous.
On the other end of the spectrum, you have jboss. Uggg. Go from 3.2.3 to 3.2.5 to 3.2.6 and all are MAJOR upgrades in terms of effort to migrate your code base to the new versions. It's horrible. I would have loved it if 3.2.3 had been supported with regular patches, upgrades etc... but was forced to move to the higher "point" releases. bleh.
I've done the roll-your-own apache/mod_perl/mod_php/mod_etc.etc.etc... thing before. I'd love to have those hours of my life back. So if the Apache foundation really cares about evangelizing 2.x why don't they create something as powerful as ApacheToolbox that actually works with 2.x?
slashsearch.org - slashdot search. powered by google.
PHP prides itself on being an easy-to-use language for web applications, and it succeeds. Unfortunately, Apache hasn't become any easier to install and configure between 1.x and 2.x; in fact, if anything, I think it has gotten overall worse. That's why Apache 1.x is a better match to PHP than Apache 2.x. If Apache wants 2.x to be a better match with PHP, then Apache needs to address the problems the PHP community sees with 2.x.
Personally, I'd like to see more server alternatives to Apache anyway. I think there should be a handful of FOSS web servers capable of hosting PHP, web servers that make different kinds of tradeoffs between performance, security, and ease-of-use. The huge market share that Apache has, from my point of view, is a problem, just like the huge market share that Microsoft has in other areas.
I've been using Apache 2 and PHP for almost a year on a pretty high traffic system and it works fine. But I don't do any image work or odd compression or scientific formulas so I don't compile some libs in. I think the Zend guys need to actually break down which libs shouldn't be run with Apache2
The problem is running apache in WORKER or PERCHILD MPM modes. Those are the ones that are using threading.
What I'd recommend to anyone who wants to have a robust, fast apache implementation is to do the following:
There you go... performance increase for 75% of serving requests.
P.S: Avoid perchild at all costs!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
In large projects there are often people who have production systems that would incur large costs if they were forced to do a major rev upgrade.
Of course before OSS this was never an issue as people didn't have a choice but as people now do, thanks largely in part to the ability of OSS project heads to put a few "free" developers on an older rev for maintenance, large OSS projects often maintain older revs for the sake of the users.
You really need look no further than the Linux Kernel to see another example of this in action.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
Apache 2 threaded MPMs can run different vhosts under different users, so this has been fixed for over two years. If PHP was thread-safe, you wouldn't have a problem, but as this story highlights, PHP doesn't play nice with threads.
Because v2 is more powerful. Filter chains for one. You can have the output routed through various modules and even shell commands before it's served up to the user. For example, if you want the output of a CGI to then go through server side includes expansion, then gzipped and served to the user. Apache 1.x doesn't have that kind of flexibility.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
As for putting a lock around them, I'd imagine that when that happens, it would be considered thread safe *except*...
PHP has a user contributed library system similar to CPAN called PEAR. Some of the libraries in PEAR aren't threadsafe... and even if somebody went through and updated them, next week there will be several new ones that are not threadsafe.
Now, all of this would be moot if there were a compelling reason to push to Apache2. The impetus would be there to do the work. But, right now, the last of the 1.x series is just as stable and performs as well as Apache2. That means that there's simply no reason to do the work, and Open Source doesn't like to do unnecessary work.
When there is a benefit to the ongoing work necessary to make it and *keep* it threadsafe, it will likely be done.
--
Evan "And yes, I realize the irony of saying how Open Source works in this reply"
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
I have been interpreting the continued maintenance of the 1.x line for years as a statement that 2.0 was not ready for prime time.
Heck, it doesn't help that they have an "alpha" 2.1 line, that makes the 2.0 line feel even more like it's in beta testing.
However, the issue is that many PHP extensions are not threadsafe. This becomes an issue on Windows because the default MPM is multithreaded, while the default MPM for UNIX is multiprocess.
It all goes back to Windows NT being designed from the beginning to encourage the use of threads, while Unix always favored multiple processes.
where there's fish, there's cats
no one has dared to make a COMPLETE TEST of PHP running with Apache2, explaining which PHP modules fail and why.
This is what I want to know. Which modules use libraries that are threadsafe (or have threadsafe versions)? Which modules are known to crash the thread?
I build php here with postgresql as the only additional library over whatever the default modules are (and I have found threadsafe patches for libpq). Is having threadsafe libraries enough?
If I have been able to see further than others, it is because I bought a pair of binoculars.
suspect, and here I'm out on a limb, that it's a fundamental architecture issue. PHP simply did not have global thread-safety as a design goal. And thus it could be difficult to remedy at this late date, especially if it's to be done without breaking things.
.NET. That should take care of the threading issues, although it would almost certainly break existing extensions written in C/C++. I am only half kidding.
Which, as I have remarked earlier, is a symptom of PHP never having been designed to run on Windows.
Maybe there's an opportunity for someone to get famous by writing PHP interpreters in both Java and C#, and then they can sell it to all the PHB's out there who can't decide whether to go with J2EE or
where there's fish, there's cats
Well, mod_lisp was a good reason to stay with Apache1. But there was some work done on the Apache2 version of the module, so it should be all clear to upgrade to Apache2, if you need it for more than just serving to your lisp image.
For most web servers on Linux, once the server has figured out what static file to send, it calls sendfile() and the rest of the work is entirely in the kernel.
The problem with apache performance lies in everything that it executes *before* sendfile() is called. Sure you'll be able to serve *ONE* static file at wire speed, but when it comes to serve *many* files per second, the initial overhead puts the foot on your way.
And unfortunately, apache is not good either for serving large files because of the important memory (and scheduling) cost of each concurrent thread (or process in case of preforked). Apache is good as an application server, not as a static content server.
willy
The one thing that I wish PHP would take advantage of in Apache 2.0 is the ability to run code as a user other than the web server. Every time I bring this up with the PHP developers, nobody really runs with it. A feature like this would make PHP much better in shared systems and prevent people from having to do weird things to ensure security. I guess PHP is not that great for shared systems right now.
suExec for PHP is available. My ISP has switched to PHP suExec several weeks ago. I noticed that something was different when cookies were not set properly, and the PHPSESSID was set in the URL (ugly, so I noticed).
This facility makes PHP run as the user him/herself, instead of the Apache user (just like you wanted). This is a more secure environment for sure.
You need to have a php.ini file with the parameters you want, in your public_html directory, to override the defaults (e.g. how the PHPSESSID is handled, by a cookie, or in the URL, how long a session is valid for, ...etc.)
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
I worked out this problem a while ago, submitted bug 28227 with fix, and it's been sitting in the PHP bug database doing nothing for months. Not only that, but many similar bugs (without fixes) were closed prematurely by the PHP team under the incorrect assumption that the submitter's system was misconfigured, as opposed to PHP being buggy...
Fights between opensource projects are always sad. Part of the openness is use it however you like... recommendations are opinions. ASF isn't quite blocking PHP yet, but things can go wrong as we've seen in the case of jboss and xfree86.
What's stopping anyone from uniting php and apache1.3 and packaging them together for each platform the way sqlite was incorporated into php? They go well together, makes alotta sense to be the same project.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
My belief is that PHP is fine under threads, a lot of the third party stuff is unknown (can be read: probably will break) and the PHP guys don't want to bother with broken 3rd party stuff.
This kind of misses the point. The assumption "why bother with apache 2.0 if it doesn't run in multi-threaded mode" misses all the cool things that have gone into apache 2.0 outside of the threading models. It's a lot saner, and has cool things like chaining (output of CGI can go through SSI) and a million other things. The PHP guys should just say "run it in the old MPM mode and have fun" which is I think the real sticking point.
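An added example, not part of any comment in this thread: a shell check an administrator could run to see whether a host has the combination the discussion warns about, a threaded MPM together with PHP. It reads the output of `httpd -l` and `php -i`; the sample outputs embedded below are constructed, and the function names and verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify an Apache 2 + PHP host by MPM and PHP thread-safety build.

# Print the MPM named in `httpd -l` output (compiled-in modules) read from stdin.
detect_mpm() {
    mods=$(cat)
    for mpm in prefork worker perchild mpm_winnt; do
        if printf '%s\n' "$mods" | grep -Eq "^[[:space:]]*${mpm}\.c"; then
            echo "$mpm"
            return 0
        fi
    done
    echo unknown
}

# Print "enabled" or "disabled" from the "Thread Safety" line of `php -i` on stdin.
# Caveat: this describes the php binary queried; confirm mod_php is the same build.
php_zts() {
    awk -F' => ' '/^Thread Safety/ { print $2; exit }'
}

# Verdict for an MPM ($1) and thread-safety setting ($2).
classify() {
    case "$1" in
        prefork)
            echo "OK: one process per request, extension thread safety is not exercised" ;;
        worker|perchild|mpm_winnt)
            if [ "$2" = enabled ]; then
                echo "REVIEW: threaded MPM, PHP built thread-safe; audit each extension's external library"
            else
                echo "UNSAFE: threaded MPM with a non-thread-safe PHP build"
            fi ;;
        *)
            echo "UNKNOWN: could not identify the MPM" ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  worker.c
  http_core.c
  mod_so.c'
SAMPLE_PHP_I='PHP Version => 4.3.10
Thread Safety => disabled'

# On a live host, replace the samples with: httpd -l | detect_mpm ; php -i | php_zts
mpm=$(printf '%s\n' "$SAMPLE_HTTPD_L" | detect_mpm)
zts=$(printf '%s\n' "$SAMPLE_PHP_I" | php_zts)
classify "$mpm" "$zts"
```

A REVIEW verdict only narrows the question asked in the thread: the external libraries behind each loaded extension still have to be checked individually.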