open_basedir will slow you down – security vs. speed
March 21, 2008 – 2:48 amJust a quickie.
I’m working on some security enhancements for my new website project, and in that progress, I have moved away from Apache2.2.3 and now using Lighttpd instead. Lighttpd does not use the same method of invoking php as apache does (mod_php vs. fast-cgi php).
In my eager to make the application as secure and locked down as possible, I went berserk in the php-cgi.ini file and turned on just about any security feature I could find (not safemode!), including the innocent looking switch called “open_basedir”.
That was rather late in the night, so when I resumed my work the following day, I have long forgotten about all the fancy security settings I had enabled in php.
A few hours ago I noticed that the complete render time for the front page suddenly was ~2seconds(!) – and comparing with apache’s load time for the same page (0.9s) I was quite disappointed at lighttpd and fastcgi, but refused to give up my new found love without a fair trial.
I attacked google with full force without finding any useful resources that might be able to explain my issue.. I was quite sure it was APC that did not function well in a fastcgi environment – and therefore my google madness was focused around the keywords “apc + fastcgi”
While chatting to PatrickDK in the #lighttpd channel @ freenode, it suddenly hit me – let’s try to disable everything I have “fixed” last night – starting with XDebug, some 3rd party php modules (syck, memcache, simplexml, fileinfo) – and then, open_basedir flag.
And with just one line commented out in my php-cgi.ini file, the render time went from 2.4 to 0.5 seconds !!(!!)
So just a little note to you guys out there, beware of the open_basedir setting in a setup where you include many files, it is a rather costly feature to use. And when running fastcgi php in chroot()ed setup, its not really required anyway
Its another +1 for lighty and fastcgi
And yes, I’m aware that open_basedir is slow because it has to validate EVERY file or path you work with inside php to check if its within the scope defined.
7 Responses to “open_basedir will slow you down – security vs. speed”
When making large changes in server config and code I routinely run a quick apache benchmark (ap -c 10 -t 30 http://foo) to catch performance killers like that. It may be considered premature optimization to some, but it helps to catch certain things before you go too far. For example, I loaded in a script that was doing a system call out to uname and it immediately dropped about 2 requests per second. Switching that over to php_uname brought that performance back.
By Nate Todd on Mar 24, 2008
Sorry, typo. The apache benchmark is “ab”.
By Nate Todd on Mar 25, 2008
Will make benchmarks myself regarding this, thanks.
Also, have you checked this method for securing FastCGI and Lighttpd?
http://trac.lighttpd.net/trac/wiki/HowToSetupFastCgiIndividualPermissions
A bit messy to set up, but seems to be working really good (been running it for a couple of weeks now).
By Oscar on Apr 21, 2008
Indeed, I got these results:
– With open_basedir: Requests per second: 21.23 [#/sec] (mean)
– Without open_basedir: Requests per second: 23.97 [#/sec] (mean)
By Oscar on Apr 21, 2008
Hello! I don’t know how can disabled open_basedir affect webserver security but i had the same problem. Generating script took 10 seconds. After disabling open_basedir generating took only 1.2 sec., with cache enabled it is more quicker.
Anybody knows that about security with open_basedir disabled ?
By smsinvest.ru on Jan 13, 2009
hello Jippi! nice ideas and interesting point of view. I’m interested in this kind of information on php work and will be so much glad to read new notes written by you. good job! have a nice day
By Andrew on Jan 20, 2009
Hi,
I currently have got Apache+SysCP and would like to switch to lighty because of the performance issues.
Any more hints you can tell me about? Otherwise maybe I’d set it up in a virtual Xen domain to test it first?
Thanks a lot for the tip on php-cgi.ini file, I won’t touch the settings too much there…
By Laatste Nieuws on Aug 2, 2009