PHP Handler Modes

October 12, 2014

 - Tags: ,

Most people don’t know it, but PHP can be executed in different ways on a web server, using different PHP Handler Modes. For big websites with a high traffic, knowing about these PHP Handler Modes can greatly help to improve the website speed. In this article I will explain the different PHP Handler Modes, and what are their pros and cons.

What is a PHP Handler Mode?

When your web server (usually Apache) receives a request to execute a PHP script, it doesn’t itself how to execute this script. Apache needs to communicate with another program which knows how to execute a PHP script. A PHP handler is a specific method that Apache uses to communicate with PHP scripts. It is very useful to know the different PHP handlers to make sure you are using the most suited one for your website.

mod_php

It is the oldest and, and fastest PHP handler. It makes PHP a part of Apache by having Apache interpret the PHP code itself. It is the default handler installed on apache.

Pros:

  • It is fast, as it runs directly in the same process as your Apache server
  • It has low CPU and memory requirement

Cons:

  • It runs as the same user that your Apache process. It means Apache user must have permissions to all of your files. In General when you upload files to your server you do so as a different user that has login rights to the machine. This means that all the files and folders you upload are “owned” by the user that you used to upload them. If you don’t explicitly grant Apache permissions to the file you just uploaded, your PHP scripts will not be able to manipulate these files. For WordPress users, it means that without the proper setup admin will not be able to upload their media files.
  • To further complicate things, if you do grant Apache permissions to these files and your web-server is compromised by an attacker on another website, that attacker could have access to the files of your website, even though the attacker did not attack your website originally.

mod_suphp

If you enable this PHP handler as well as the suEXEC option, your PHP scripts will run as the script owner, instead of Apache user. For each PHP request a new PHP process will be spawned.

Pros:

  • It makes it easier to track which users uses the most resource on the server, as each request is isolated in its own thread.
  • It is easier to use WordPress and other CMS, as there will not be any file permissions issue, contrary to the mod_php
  • It is also more secure: if another website running on the same server is attacked, the attacker cannot exploit this breach to attack your own website.

Cons:

  • It might be slower because of additional time required to spawn new thread for each new request
  • It may be a little be harder to manage the server as it is not possible to change PHP options from .htacess file, but onlu from the php.ini file.

mod_cgi

When mod_php is not available, generally servers default to mod_cgi. Contrary to mod_php, it does not run within Apache but as its own process, outside of Apache. Like mod_php, it will be run as the Apache user. However, with the option mod_suexec enabled, it is possible to run php as another user.

Pros:

  • It offers a lof configuration options
  • It can be used with mod_suexec enabled to solve file permissions and security issues
  • safer than mod_php

Cons:

  • very poor performances
  • legacy PHP handler, not much used anymore

mod_fastcgi

Requests are passed from the server to FastCGI where PHP is interpreted, which allows for a more scalable architecture.
It has the security benefits of mod_cgi but doesn’t include the inconvenients of mod_cgi You may want to choose this PHP handler if your website is too slow with mod_suphp, and you also have available memory on your server.

Pros:

  • More secure(not in the same process as the web server)
  • Can reduce CPU usage by keeping PHP scripts in memory, instead of starting up a new process for each request
  • For static content requests, PHP interpreter will not be called
  • It is faster than mod_suphp (but not as fast as mod_php)

Cons:

  • Can be memory intensive because fastCGI keeps PHP sessions opened in the background
  • Requires requests to be passed from Apache
  • Cannot configure PHP directives in .htaccess

Comparison of PHP handler modes

Mode PHP runs as Speed Resource Usage Security
mod_php an Apache Module Fastest Low memory, low CPU Can be dangerous
mod_suphp a CGI module Slowest High memory, high CPU Safe
mod_cgi a CGI module Slow High memory, high CPU Safe
mod_fastcgi a CGI module Fast High memory, low CPU Safe

Conclusion

I hope that now you better understand how to choose your PHP handlers. Generally speaking, only change your PHP handler if you are having security or performance issues. Otherwise, you might just want to leave it unchanged.

If you would like to know more, check out the additional resources i mentioned below. Also, you can subscribe to my blog if you would like to receive update about new articles. Finally, you can Contact me if you have any questions.

Additional Resources

Leave a Reply