FCGID vs PHP-FPM and security and multiple sites

#1 Sun, 06/25/2017 - 16:12
cognosco

Hello,

Happy long-time Virtualmin user here! I have got a question regarding the new PHP-FPM which I would like to use since it should be better regarding performance.

Is there any negative consequence compared to FCGID? Now I am using FCGID and run every site as its own Virtualmin server (user). So in theory, if one of the (WordPress) sites gets attacked and hacked, it should be isolated from the rest. Is there any difference when I use PHP-FPM? Because as far as I know opcache can be used more efficiently in PHP-FPM (won't be destroyed and can be used on multiple sites). And is the choice between one or multiple pools a choice that will affect security too?

I hope someone could tell me if there are additional risks or setbacks if I would switch to PHP-FPM?

Thanks in advance,

Sun, 06/25/2017 - 21:52
Joe

PHP-FPM, as configured by Virtualmin, is also operating as the virtual server owner user. There are, to the best of my knowledge, no negative security implications to running PHP-FPM instead of fcgid.

I doubt you will see much performance difference unless you have a very small number of very heavily loaded sites (rather than the more common case of many lightly loaded sites). Note there would be no purpose to sharing pools across domains. A shared hosting system has very different performance characteristics than one that only serves one website for one user. (Though if your Virtualmin system is only hosting one heavily loaded site, you will get the benefits of PHP-FPM; Virtualmin doesn't do anything to make it not work correctly for that case.)

All that said: If you have performance problems, address the source of the problem. Switching between fcgid and PHP-FPM probably won't make a notable difference, though there's no harm in doing so. Performance problems are almost always caused by the database or application, and not the web server or the application server. So, it makes sense to work on those problems first, and only worry about the minor single-digit percentage improvements once the big performance bottlenecks are solved.


Mon, 06/26/2017 - 06:01
cognosco

Hi Joe, thanks for the detailed explanation.

I agree with your advice regarding speed improvement. At the moment I don't have any issues. I tweaked my whole config from Apache to MySQL to PHP and Redis. Also the sites themselves are pagecached and minified/combined. Together with CDN. So I wanted to switch to PHP-FPM as the last step.

Main reasons: share Opcache more optimally. Spawn faster processes: no waiting on initial process after closed/idle like FCGID and maybe ramp the spawning slightly up while keeping one pool.

So everything that could be improved is always welcome :) But I totally agree. It's good advice to focus on the other points first! Thanks again!
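
Added example (not part of the thread and not Virtualmin's own code): a small audit of PHP-FPM pool definitions for the isolation property discussed above, one pool per site running as that site's own user, with no pool shared across domains. The pool names, socket paths, the `SHARED_ACCOUNTS` list and the `audit_pools` helper are assumptions made for illustration; the socket-mode check goes slightly beyond what the thread covers.

```python
import configparser
from collections import defaultdict

# Constructed sample pool definitions (not taken from the thread or from Virtualmin).
SAMPLE_POOLS = """
[site-a]
user = sitea
listen = /run/php-fpm/site-a.sock
[site-b]
user = siteb
listen = /run/php-fpm/site-b.sock
[site-c]
user = siteb
listen = /run/php-fpm/site-b.sock
listen.mode = 0666
[legacy]
listen = 127.0.0.1:9000
"""

# Assumption: accounts treated as shared service users rather than site owners.
SHARED_ACCOUNTS = {"root", "www-data", "apache", "nobody"}

def audit_pools(text):
    """Return sorted (pool, finding) pairs for pools that weaken per-site isolation."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    by_user, by_listen, findings = defaultdict(list), defaultdict(list), []
    for pool in cfg.sections():
        if pool == "global":  # FPM master settings, not a pool
            continue
        user = cfg.get(pool, "user", fallback="")
        if not user or user in SHARED_ACCOUNTS:
            findings.append((pool, "no dedicated user"))
        else:
            by_user[user].append(pool)
        by_listen[cfg.get(pool, "listen", fallback="")].append(pool)
        # A world-writable Unix socket lets any local account talk to this pool.
        if int(cfg.get(pool, "listen.mode", fallback="0660"), 8) & 0o002:
            findings.append((pool, "socket world-writable"))
    for label, groups in (("shares user", by_user), ("shares listen address", by_listen)):
        for value, members in groups.items():
            if value and len(members) > 1:
                findings += [(p, f"{label} {value}") for p in members]
    return sorted(findings)

if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {finding}")
```

On the constructed sample, `site-a` is clean, `site-b` and `site-c` are flagged for sharing a user and a socket, and `legacy` is flagged for having no dedicated user.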
