Jan-Philipp Litza

The perils of using php-fpm with Apache for shared hosting

Yesterday, I was again working on building a new webserver at work. I had already found a way to use php-fpm with Apache and sockets (not easy in Debian Wheezy by the way, I had to compile mod_proxy myself from a later Apache version). Every user had its own php-fpm pool and thus its own socket, everything was fine.

But then it struck me when setting up some stuff for customers who didn’t have the usual setup: Everybody who can use mod_rewrite in his .htaccess can simply specify another user’s socket to execute PHP with that other user’s permissions. That’s not only unfortunate, that’s unacceptable in a shared hosting environment. After all, we only do this stuff with multiple users to enhance security…

Thus, back to old suexec and mod_fcgid. Much worse performance, but seemingly the only sane way to do shared hosting with PHP. ☹