Slashdot Mirror
Is Apache 2.0 Worth the Switch for PHP?
An anonymous reader writes "It seems like some of the members of the Apache Software Foundation are a little angry with the PHP Community because they don't recommend using Apache 2.0 with PHP. Since PHP is installed on half of all Apache servers this is a major issue for them. A number of high-profile PHP community members such as John Coggeshall and Chris Shiflett have blogged about this decision in light of a recent posting by Apache Software Foundation Member Rich Bowen which called PHP's anti-Apache2 stance FUD. Is there any real reason for the PHP community to start recommending Apache 2.0, especially when the 1.3.x series of Apache is rock solid and proven? Note Rich did later commend PHP for being a great product, so it's not all flames."
I should probably be noted that PHP used to be an official Apache Software Foundation project until it was mutually agreed to end this relationship. I have no clue as to what the underlying reasons were and as an ASF member myself would rather not speculate on this. See ASF Board Meeting Minutes for Feb 2004 (section 5.G).
P.S. Apache 2.0 is great and there is no reason not to use it IMO.
Anybody still running Apache1 on Windows is nuts.
Apache2 works way better on Windows.
The problem that PHP can be linked against non-threadsafe libraries, and this causes issues with Apache 2 when it's using the Worker MPM. However, if PHP died and takes the thread with it Apache simple restarts it. I had Apache2 and PHP in this configuration for almost a year, and expect for threads randomly restarting because of PHP, I had no issues. If you want to solve the thread problem, change the MPM to prefork (which is the default last I looked), which emulates the Apache1 behavior, and stops that problem.
This signature was left intentionally blank.
Apache 2 and a recent Linux kernel come pretty close to the theoretical limits of the hardware when it comes to serving static content. It just loafs along while saturating whatever net connection you give it. It's worth trying out.
Bruce
Bruce Perens.
Well, as the article probably says.. Many of PHP's modules aren't thread-safe. So there'll be little errors that might not show up until you have thousands of concurrent accesses. This of course can be solved by using the pre-fork config for Apache2..
I run a FreeBSD server with Apache 1.3.33 and PHP 4.3.10. When I was upgrading it a week or two ago to FreeBSD 5.3, I thought about making the switch to Apache 2.0. But then I thought ... What is that going to bring me?
Apache 1.3 has been working flawlessly for me. Until I have a compelling need to switch to Apache 2.0, I'm not going to. I understand that there are some nifty new features in Apache 2.0, but not a single one of them is something that I want/need.
This, I think, is the primary reason why people aren't going to Apache 2.0 in droves, not the PHP team's "FUD".
It's not nearly late enough in the thread for someone respected to post correct, non-inflamatory, rational information.
You're going to stop all the foaming at the mouth, and who wants a half-frothed troll this close to Christmas?
Never confuse volume with power.
Can anyone point me to a succint explanation of why there have been an Apache 1.x line and an Apache 2.0 line for years? This to me has always seemed like an implicit statement from the Apache people that I should not yet move to 2.0.
I checked the front page of Apache and there were release announcements for the latest version of both lines. Neither announcement carried a statement indicating when you should use it over the other. The front page does not appear to link to anything addressing the issue, and the FAQ does not appear to handle it, either.
Secession is the right of all sentient beings.
I guess the only reason i can think of not to use PHP on Apache-2 ... is if you absolutely HAVE to use a threaded version of Apache-2.
... is the fact that PHP keeps continuously crashing your httpd-processes.
... but looses the benefits the threaded-MPMs offer.
... i would jump right on it :)
.. i never experimented with a threaded apache-1.3 (not even sure if that's possible) ... but for Apache-2 with the current state of PHP .. it's not recommended ...
THe apache-2 (Worker MPM) itself is rock solid and definately seems to boost performance of ones http-server compared to traditional apache-1.3.
I am not exactly sure about a prefork-MPM vs apache-1.3 comparison.
The biggest problem with PHP on any threaded Apache-2 (i am not sure if this holds true for the 1.3 series as well)
Switching to the prefork MPM makes everything rock-solid again
If PHP could actually solve their problems with running in a threaded Apache-2
Again
Apache 2.0 has proven to have so many new features that it was well worth the upgrade. Early on we encountered some minor issues with the threads, so we switched to pre-fork and have had no issues. We have been running PHP and mod_perl in pre-fork mode without a single issue for the last year. Unless you cannot switch because you use a module with no 2.0 support, I would make the switch immediately. And don't forget, you can always install both apache 1.x and 2.0 to give it a test run.
What is supposed to be the problem?
Sent from my ASR33 using ASCII
As mentioned (probably more than once by now), the only issue is some non-thread-safe libraries that PHP can link to. Configuring Apache to run with the "Prefork" MPM solves this problem (by running with the same model as Apache 1.x did).
I see no reason so far to discourage use of Apache 2.0 with PHP other than vague "well, I heard from some guy that he tried it and it had some kind of problem" sort of complaints. Personally, I like the fact that Apache 2.0x has mod_ssl and mod_deflate (/mod_gzip) as part of the codebase, so I no longer have to compile and install them separately...
Hacker Public Radio is our Friend
I'm using PHP on Apache 2.0 production servers right now. Honestly, I can say that PHP is more at fault for its own problems. I think that having lots of configurable options for a programming language is a bad idea. It leads to applications working on one installation of PHP, but not another. Administrators who enable things like safe_mode and turn off register_globals on shared servers are made fun of by ignorant programmers who don't understand what safe_mode is for and its usefulness. I have encountered all of this.
The one thing that I wish PHP would take advantage of in Apache 2.0 is the ability to run code as a user other than the web server. Every time I bring this up with the PHP developers, nobody really runs with it. A feature like this would make PHP much better in shared systems and prevent people from having to do weird things to ensure security. I guess PHP is not that great for shared systems right now.
This isn't to say that Apache is worthless. On the contrary, it is an exceptionally good server. It just doesn't scale as well as some others for static content.
-----
Free P2P Backup, Windows & Linux
I amde the switch over to Apache 2.0 and PHP 5 about 3 weeks ago at this point and have found it to be rock solid so far. My impression was that the PHP guys are recommending PHP4 for Apache 1.3.x and PHP5 for Apache 2.0.x. So in translation what they are not recommending is PHP4 on Apache 2.0.x. Perhaps I have gotten the wrong impression but that's what I got...
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
Stick with kernel 1.3.79 and Apache 1.1 just to be "safe".
Are you intolerant of intolerant people?
Is there a list somewhere of extensions that are known to be non-thread safe? Or do I need to just test them one by one?
-Bucky
Yeah, be very affraid of new technology, it could be better and force you to upgrade.
On the other hand, I had looked at the problem reasonably hard when choosing supported software for UserLinux, so I did know something about the problem. So perhaps that disqualifies me.
Bruce
Bruce Perens.
I've done the roll-your-own apache/mod_perl/mod_php/mod_etc.etc.etc... thing before. I'd love to have those hours of my life back. So if the Apache foundation really cares about evangelizing 2.x why don't they create something as powerful as ApacheToolbox that actually works with 2.x?
slashsearch.org - slashdot search. powered by google.
Bruce
Bruce Perens.
I sustain 5 million hits per day on an Apache2+PHP server that (for me) indicates it's a "do-able" platform to run with.
Slashdot? Oh, I just read it for the articles.
PHP prides itself on being an easy-to-use language for web applications, and it succeeds. Unfortunately, Apache hasn't become any easier to install and configure between 1.x and 2.x; in fact, if anything, I think it has gotten overall worse. That's why Apache 1.x is a better match to PHP than Apache 2.x. If Apache wants 2.x to be a better match with PHP, then Apache needs to address the problems the PHP community sees with 2.x.
Personally, I'd like to see more server alternatives to Apache anyway. I think there should be a handful of FOSS web servers capable of hosting PHP, web servers that make different kinds of tradeoffs between performance, security, and ease-of-use. The huge market share that Apache has, from my point of view, is a problem, just like the huge market share that Microsoft has in other areas.
How much longer can we keep this joke going?
Talk to Microsoft, it's them what's keeping the joke going.
Infuriate left and right
I've been using Apache 2 and PHP for almost a year on a pretty high traffic system and it works fine. But I don't do any image work or odd compression or scientific formulas so I don't compile some libs in. I think the Zend guys need to actually break down which libs shouldn't be run with Apache2
The problem is running apache in WORKER or PERCHILD MPM modes. Those are the ones that are using threading.
What I'd recommend to anyone who wants to have a robust, fast apache implementation is to do the following:
There you go... performance increase for 75% of serving requests.
P.S: Avoid perchild at all costs!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Allow me to clarify something if I may. I'm not suggesting that everyone needs to migrate to Apache 2.0 today. I'm suggesting that PHP not strenuously discourage people from doing so. Those are two rather different things.
I hardly think that my posting (which, of course, nobody can read now because my server in my bedroom is melting. *sigh*) qualifies as unimitigated flames.
And I *certainly* don't presume to speak for the whole Apache community. It was just some (I thought0 harmless observations.
Apache guy, Open Source enthusiast, runner
PHP spread FUD about Apache2 because that's what they *THINK* of it.
[F]ear - what if my PHP processes crash?
[U]ncertainty - has this thing been tested yet?
[D]oubt - Hmmm I'm not sure...
And as far as I know, no one has dared to make a COMPLETE TEST of PHP running with Apache2, explaining which PHP modules fail and why.
In other words, it's simply FEAR OF THE UNKNOWN what the php community has about Apache2.
If Frontpage extensions are not available for Apache 2, that sounds like an extremely compelling reason to use 2.0! Frontpage extensions should never be used in any way, shape or form IMHO. I suppose they can actually be secured in some fashion, but I've never encountered any organization that succeeded at it. These are always backdoors into web defacements and depending on the architecture, the organization itself.
In large projects there are often people who have production systems that would incur large costs if they were forced to do a major rev upgrade.
Of course before OSS this was never an issue as people didn't have a choice but as people now do, thanks largely in part to the ability of OSS project heads to put a few "free" developers on a older rev for maintenance, large OSS projects often maintain older revs for the sake of the users..
You really need look no further than the Linux Kernel to see another example of this in action.
Really, I know what I'm doing...Ohhhh, look at the shiny buttons!
Bruce
Bruce Perens.
Stop being so mean! It's not PHP's fault they can't run in a thread model. Threads have only been commonplace for 25 years, and the standard way you do things for 15.
They just need some time to catch up. Apache 2.x is light years faster/leaner/meaner then 1.x was. Oh, and PHP runs perfectly fine under 2.x, as others have pointed out.
OK, so yea, it's actually kinda sad (read: pathetic)
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
In my experience, FrontPage actually works quite a bit better with Apache 2.0. FrontPage for Apache 1.x requires patching your Apache or downloading pre-patched binaries from rtr.com or Microsoft. FrontPage for Apache 2 can load cleanly as a module, no server modifications needed.
If you want the offical notice of Apache 2 support, see here.
The horror of actually making solid software; nobody's upgrading.
Maybe Windows knows what it's doing after all.
Bruce
Bruce Perens.
Apache 2 threaded MPMs can run different vhosts under different users, so this has been fixed for over two years. If PHP was thread-safe, you wouldn't have a problem, but as this story highlights, PHP doesn't play nice with threads.
You can run both Subversion and PHP 4 concurrently in Apache 2.0. We've been doing it sucessfully for several months now with no problems in prefork mode. No need for two versions of Apache when one will do.
suspect, and here I'm out on a limb, that it's a fundamental architecture issue. PHP simply did not have global thread-safety as a design goal. And thus it could be difficult to remedy at this late date, especially if it's to be done without breaking things.
.NET. That should take care of the threading issues, although it would almost certainly break existing extensions written in C/C++. I am only half kidding.
Which, as I have remarked earlier, is a sympton of PHP never having been designed to run on Windows.
Maybe there's an opportunity for someone to get famous by writing PHP interpreters in both Java and C#, and then they can sell it to all the PHB's out there who can't decide whether to go with J2EE or
where there's fish, there's cats
The problems with Christianity and D&D are essentially the same: too many people RTFM, but don't comprehend it.
Great sig!
The good thing about Christianity is that the DM is much, much better. Or at least more consistent.
The bad thing is that He can't be bought off with a six-pack of Dew and a pizza.
The good thing about D&D is that the DM is usually your friend and will try to make it so you have fun.
The bad thing is that the DM can give you millions of gold pieces, +8 everything and make you king of world or even a god, but you still gotta go to work/class on Monday morning.
You are in a maze of twisty little passages, all alike.
Well, mod_lisp was a good reason to stay with Apache1. But there was some work done on the Apache2 version of the module, so it should be all clear to upgrade to Apache2, if you need it for more than just serving to your lisp image.
For most web servers on Linux, once the server has figured out what static file to send, it calls sendfile() and the rest of the work is entirely in the kernel
The problem with apache performance lies in everything that it executes *before* sendfile() is called. Sure you'll be able to serve *ONE* static file at wire speed, but when it comes to serve *many* files per second, the initial overhead puts the foot on your way.
And unfortunately, apache is not good either for serving large files because of the important memory (and scheduling) cost of each concurrent thread (or process in case of preforked). Apache is good as an application server, not as a static content server.
willy
Apache 2 changes CORE functionality- great! But that doesn't really affect what it does, but rather how it does it. Maybe if it implemented some new HTTP 1.2 I would get it in there... but who'd notice?
Apache1 has been tried, tested, and true and has reached a lovely 1.3.33 version, of which security patches are rare and bugfixes are also rare. Similar situation with mod_ssl. So why leave your nice warm, structurally stable house in favour of the blistering cold to try something new that has a new version for bugs and security on a much more common basis? Personally, until Apache 2 gains some serious market share, I see no reason to leave. We provide hosting- and need reliability, and can't be wasting time with constant updates (though updates are better than not fixing of course) when we could otherwise stick with Apache 1.
Apache1 does one thing, and does it well. Period. Sure there are crazy new features of Apache2, and I've tried them else. Personally, I see nothing compelling to move at this point. There are a few small 'that would be nice' features, but really nothing exciting in the way of Linux2.6, WindowsXP, etc. Even 2.6 is having slow adoption. You can only find it on workstations, because no supportive provider is about to live on the bleeding edge and leave their customers bleeding. Apache on the other hand doesn't have a place on the workstation (unless it doubles as a causal server), so in the same way, you're trying to get those folks who prefer stable releases (like Debian stable) over bleeding edge.
So why switch?
"Bad press leads to lots of misinformed morons saying stupid things about how Apache 2 is not ready for prime time." -- I guess I'm one of those morons. Personally I'm not about to replace one of the core pieces of software between us and our customers with something that hasn't proven itself to me. We've set it up in testing environments, and found that it performed similarly and didn't offer anything new we need.
when you see the word 'Linux', drink!
The one thing that I wish PHP would take advantage of in Apache 2.0 is the ability to run code as a user other than the web server. Every time I bring this up with the PHP developers, nobody really runs with it. A feature like this would make PHP much better in shared systems and prevent people from having to do weird things to ensure security. I guess PHP is not that great for shared systems right now.
suExec for PHP is available. My ISP has switched to PHP suExec several weeks ago. I noticed that something was different when cookies was not set properly, and the PHPSESSID was set in the URL (ugly, so I noticed).
This facility makes PHP runs as the user him/herself, instead of the Apache user (just like you wanted). This is a more secure environment for sure.
You need to have a php.ini file with the parameters you want, in your public_html directory, to override the defaults (e.g. how the PHPSESSID is handled, by a cookie, or in the URL, how long a session is valid for, ...etc.)
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
It still seems to me to be an architecture issue.
Bruce
Bruce Perens.
Yes it does. The only exceptions are SYSV IPC objects which don't get automatically reaped, and temporarily created filesystem objects that still have links.
Assuming your kernel isn't buggy, anyway.
DNA just wants to be free...
I worked out this problem a while ago, submitted bug 28227 with fix, and it's been sitting in the PHP bug database doing nothing for months. Not only that, but many similar bugs (without fixes) were closed prematurely by the PHP team under the incorrect assumption that the submitter's system was misconnfigured, as opposed to PHP being buggy...
from the docs:
Do not use Apache 2.0.x and PHP in a production environment neither on Unix nor on Windows.
Fights between opensource projects are always sad. Part of the openness is use it however you like... recommendations are opinions. ASF isnt quite blocking PHP yet, but things can go wrong as we've seen in the case of jboss and xfree86.
Whats stopping anyone from uniting php and apache1.3 and packaging them together for each platform the way sqlite was incorporated into php? They go well together, makes alotta sense to be the same project.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
If you know anything about webhosting you know that cPanel/WHM (and competitors, e.g. DirectAdmin, Fantastico, etc) still support the stodgy old Apache 1.3/mod_php model. The vast majority of sites out there run on cPanel or some other type of shared/reseller type of control panel/managed hosting software. Until this changes, don't expect Apache 2.0 to make any inroads.
That said, everyone should hope 1.x to die ASAP. Basically the Apache developers have to do double duty maintaining two completely seperate branches. If everyone could let 1.3 die then there would be a LOT more manpower available to concentrate on 2.0. For many many years they have said that no new features are going into 1.3 -- everything is happening on 2.x. Yet they still have to maintain security fixes and chase down bugs on the 1.3 branch which is very creaky. There is a reason, after all, that they decided to rewrite everything for 2.x.