So.. WHich is faster? suphp or nobody?

Discussion in 'General' started by felosi, Aug 25, 2007.

  1. felosi

    felosi Well-Known Member

    I cant really tell a difference as far as page load, looks just as fast. Just uses a lil extra server resources. And suphp is much more secure for the server as a whole but anyone who gets a shell uploaded to their site - everything can be deleted and all that. But security for the server and the ability to keep a user from using up all resources is gold.

    But I have been playing with open_base lately using 5.2.3 php with suhosin and instead of disabling open base for the clients that need it I simply add /usr/bin or usr/local/bin whichever they need to their open base config and it works. So far I havent been able to find any hacks to bypass the open base with the php I have setup but Im sure there is probably something.

    So suphp is better in all points for security for the server, uses more resources, and is rumored to be slower.

    Nobody - uses less resources, supposed to be faster, but there is always security and to see who is doing what ya know.

    What does most people here use? And what config, like max connections, etc

    I also like the ability to switch back and forth between suphp and nobody when I have to, doesnt look like it errors on world writable stuff like apache does so that hasnt been an issue.

    Just a simple dicussion thread seeing what everyone else thinks ;)
  2. ffeingol

    ffeingol Well-Known Member

    While security is a big reason why people use suexec/suphp there is also a control factor. When it's running a nobody you simply know that PHP is hogging a lot of resources. If your running su then you not only know it's PHP but you also know what user. That can go a long way to tracking down issues.

  3. mistwang

    mistwang LiteSpeed Staff

    Litespeed PHP suEXEC is as fast as running PHP as nobody, faster than Apache mod_php. While, Apache's phpsuexec or suphp implementation run php as CGI script, which is more slower than mod_php and LiteSpeed suEXEC implementation.
  4. felosi

    felosi Well-Known Member

    Well I finally converted my main server to full time suphp. Ive really experimented with page loads on each and they were about the same. Today I thought I saw a drop but was just my pc after upgrading ubuntu dns was a lil funny.

    Anyway, the benefits of running suexec far outweigh any con. Which the only con I can think of but thats just how it has to be but if someone gets a shell on a clients site thru php script they will have full rights to their files and can delete and move anything they want. Now they can do this on nobody too but unless the files are world writable they cant. But for the overall server its the way to go.
  5. felosi

    felosi Well-Known Member

    6 Day Suphp vs Nobody review

    Ok, so it been 6 days since I went suphp so I figured I would update and give some feedback.

    I switched back to nobody tonight and I will explain why. But Id like to point out that sometimes I can have up to 4 sites being ddosed at the same time so its pretty intensive. Im on a ddos protected network so everything I do handle at the server is low bandwidth and http floods but there often times can be a fight on your hands.

    Anyway, was running as nobody every since I got litespeed. Handles dos very very well and keeps load low. Awesome page loads, awesome everything. but at times I would switch to su to see who all is using what.

    I did notice a load increase and some spikiness but ran just like any other cgi app would. So with lots of thought on this I done the switch to suphp.

    Nothing much had went on for the first few days but occasionally load got real high and sometimes every user would flash up with a lsphp process, and I think it was even sites that wasn't active but you know how it acts when you restart it, like there at the first it will show a lot of users with lsphp process? was like that but never lasted too long.

    Average load of jumped from 1-5. So the other day some dos activity shows up. About 3 sites getting it all day. Today for the first time my litespeed lagged from high load from php processes. I switched back to nobody and average load is back to .20 - .40 and that is during an attack as well. Always runs like a champ that way.

    I think the suphp feature would be great in my line of work if I had the hardware, just a core2duo 2.4 with 2gb ram. A woodcrest or quad would be what i need for what I do. The suphp feature is good in dos if you just had like one or two sites getting flooded it will prevent it from opening new php processes when it reaches its limit

    But for what I do - a few high traffic vbulletin forums (well semi-high alexa ranked between 100k and 60k) , high risk hosting(gonna be dos to deal with sometimes from multiple users) Nobody is the best for the hardware I have.

    In general and during attacks it runs fast and at super low load. I suppose it doesnt have to open as many php processes as suphp, seems like it doesnt.

    As far as page load goes it seems like an inactive site would have a 1-2 second delay upon opening it. For example my blog which I test all speeds on, Here is some results from my page laod timer on my browser: first page load from empty cache Suphp = 3 seconds nobody = 1.8 seconds. Cached pages was hardly any difference at all but seems it fluctuated to .2 seconds slower then nobody.

    I also tested from and a few other speed tests. The conclusion I came to on my server was that suphp was about a second slower on first page load and about .10 to .20 slower on cached page load. And of course these are not totally accurate results, there are many factors invloved.

    Id also like to point out that litespeed with suphp was still 2-3 times faster then apache running as nobody and load is much lower then it would be if you was running apache and mod_php.

    We all know the benefits of suphp, I would really like to have it but on this hardware Im on running as nobody is better for me. I figure running as nobody isnt totally insecure if you use open_base and other protections and you can always switch to suphp in case you need to track down something.

    So I think its pretty safe to say that running as cgi is a lil more intensive on the load. Now as far as page loads go Im still a lil divided myself on it because sometimes it seemed it loaded just as fast. I guess its where my server has been under a lot of traffic lately. as far as resource usage there was a pretty significant difference.

    There it is, figured Id take the time to write a review on this subject, hope it helps

    NOTE: I run a very intensive server as I deal with clients who have ddos problems, people that has been kicked off everywhere else. o unless you run high risk clients there wouldnt be much of a resource issue at all using suphp
  6. mistwang

    mistwang LiteSpeed Staff

    There still are some drawbacks with php suEXEC. and we will constantly improve the implementation. In next major release, 3.3, php suEXEC should run very close to running php nobody under heavy load.
  7. felosi

    felosi Well-Known Member

    there is one more thing I am having problems with both php setups. When Im doing something in the server and the load gets around 5 and up then php sites begin lagging, sometimes timing out. While the html sites are fine.
    I dont know if its a disk read thing or what as no cpu is running 100% when it happens. But for example updatedb, backups, untarring big files, ;etc the php begins to lag and I never seen it do that before litespeed.

    If you would like to see what I mean get with me and Ill give you the logins to a few of my litespeed servers.

    I dont know if this is some default setting causing this or what. I tried changing priority but didnt work and made the overall load higher. But it seems I cant do much work in my server now without lagging the php sites.
  8. mistwang

    mistwang LiteSpeed Staff

    I think it is the high I/O wait slow down the server. LiteSpeed web server blocks on disk I/O. So, when disk I/O is high, it may affect the server performance.
  9. felosi

    felosi Well-Known Member

    Well I cant remember if I had this problem using Anticipatory as default I/O scheduler or not. Now Im using CFQ so that may be the problem, Ill try to switch back to Anticipatory and see how it does
  10. xing

    xing LiteSpeed Staff

    I would recommend testing the "deadline" scheduler for db or i/o intensive servers.
  11. felosi

    felosi Well-Known Member

    Yeah I usually use deadline for mysql intensive servers but on regular hosting servers Ive always used AS and just recently went to CFQ.

    So last night I switched to deadline for 2 servers running litespeed. cp is the one I had most of teh problems I mentioned above because it is a fairly busy server. Cp2, there isnt enough clients on yet so has been no problems.

    Anyway running with deadline I go in and rm a huge directory of old backups and ran uipdatedb at the same time, for the lifge of me though I could only get the load to like 5.

    As far as litespeed ran I think I saw an improvment. But starting at 4.5 and up some page loads would stall for about 3 seconds BUT was few and far between and very well could have been my connection but I did see an imporvment.

    I think its pretty safe to say litespeed will run better with deadline as default I/O scheduler then again I just have regular SATA hds. I still got lots of more stress testing to do and plenty of real time attacks and high usage to deal with so I will know for sure within a week or two.
  12. mistwang

    mistwang LiteSpeed Staff

    Linux I/O scheduler is not priority aware, they have their own algorithm. One I/O intensive task will definitely affect other jobs doing disk I/O.
  13. felosi

    felosi Well-Known Member

    I found something that seems to help. I mounted all partitions noatime.
    I ran my usual system backup last night and didnt notice any lag. So i definitely think that mount option helps
  14. QuantumNet

    QuantumNet Well-Known Member

    Okay so you say that Litespeed PHP suEXEC is faster than suPHP. I followed the Directadmin tutorial and have successfully converted to litespeed. I then installed PHP5 LSAPI and all is well. Now I want to convert from standard apache:apache to suEXEC. But your tutorials are very confusing and unclear of how I would go about this. The fact that I use Directadmin only adds more confusion.

    With Directadmin suPHP is an option, but you say Litespeed suEXEC is faster so how do I go about using litespeed suexec with DIrectadmin?

    After I understand this I will write up a new howto for you as there is much to be desired in the Directadmin howto.
  15. felosi

    felosi Well-Known Member

    All you gotta do in server config in litespeed admin is change php suexec to yes ;)

    Then you may wanna go through and check perms of all files. You can make more secure perms now using suexec.

Share This Page