For years I have been using modperl and have been quite fond of it, the idea of persistant perl interpereter is excellent.

The problem however lies with using modperl securely for multiple sites. Ideally, the desired solution is to have each site run in a chroot jail for security, have each site execute under it's own user/group and have a modperl instance for each site.

Up until now the best solution I have been able to come up with is as follows:

Implementation 1:
Top Level Apache Server, Port 80, ModProxy
This serves requests via ModProxy to the respective apache servers with mod_perl.
Site 1 Apache Server, Port 8081, ModPerl
This server runs an instance of ModPerl and all scripts required for Site 1.
Apache User: site1
Site 2 Apache Server, Port 8082, ModPerl
This server runs an instance of ModPerl and all scripts required for Site 2.
Apache User: site2
This allowed me to have seperate modperl instances, this is done for three reasons:
1) ModPerl does not support user based processes
2) This prevents polution between instances & secures one mod_perl instance from another.
3) Each instance can be chrooted for additional security.
The problem with this configuration is:
1) Requires a new http server for each additional site/modperl application
2) Apache creates a set of workers for each instance (ususally about 7). With 7 required for the Top level proxy, and 7 for each site, this soon adds up.
e.g. 5 sites = 7 + (5 * 7) = 49 child workers
---------------------------------

Implementation 2:
A new solution I have been working on is to have a single Apache server with chrooting suexec and speedycgi.

The setup is as follows:
1. Create a Chroot Jail for Apache (Extra Security Measure). 2. Modify suExec to allow chrooting before suid and process execution.
3. Install Apache into Chroot Jail
4. For each site:
a. Create a Jail for each site that includes perl + speedycgi
b. Create a virtualhost which specifies SuExecUserGroup and the ENV variable used for the chroot.
How it works:
Apache first resides in a jail, it then serves non-perl requests to static objects as per normal. When a request for a perl script is made:
Apache chroots into the site's jail using suexec. Suexec changes to the correct site's user.
SpeedyCGI then either:
Loads a script into speedy-backend or
Executes a script cached in speedy-backend
Advantages:
1) Provides persistant perl WITH suexec for per-virtualhost user execution
2) SpeedyCGI handles dynamic data, Apache handles static, hence you don't require a covering proxy as described in http://perl.apache.org/docs/1.0/guide/strategy.html
3) The timeout property in speedycgi means that a script with low or no load will drop out of memory, this means high use scripts will run in persistant perl and low use scripts will load into memory then remove themself when they are no longer being activly used.
Disadvantages:
1) Speedycgi seems to be no longer in development, whereas modperl is still in active development.
2) I have read somewhere that speedycgi is not as fast as modperl (will have to benchmark the two later).
3) Since speedycgi with timeout enabled fades out with inactivity, the first request to an inactive script requires all the modules to be reloaded, whereas modperl exists in memory indefinitly and can load a script on server start, rather than first request.
---------------------------------

I was wondering if I could get some feedback on both these designs. I have been researching and testing the second solution over the last few days and would like to get some input.

a) Is there a better way to achive this goal?
b) Is there a way to make modperl scale and attain the desired results without creating a new server for each instance (Implementation 1)?
c) Have I missed anything (security etc. (Implementation 2))?
d) Is there a better solution (fastcgi/pperl etc.)?
e) What are there any downsides (other than those listed above) to either of these implementations?

Finally, as wise perl monks are there any suggestions/ideas?

Sorry if I posted this in the wrong section, this lies somewhere in between meditation & seekers of wisdom)


James Austin

In reply to Apache (httpd) + Persistant Perl (ModPerl/SpeedyCGI) + User Based Processes (SuExec) + Chroot by zxViperxz

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.