Should we remove mod_php from the default Virtualmin installation?
Submitted by Joe on Tue, 08/22/2017 - 10:55 Pro Licensee
Yes, even the PHP developers haven't recommended mod_php in many years
81% (17 votes)
No, I need to run old software that requires mod_php
19% (4 votes)
Total votes: 21
Comments
Submitted by Joe on Tue, 08/22/2017 - 11:15 Pro Licensee Permalink
To kick off a discussion, I want to explain some of my reasons for wanting to ditch mod_php.
It's big (adds ~150MB to the Apache executable), slow, and has major security implications (it runs as Apache and not as the domain owner user).
It is discouraged by even the PHP developers. PHP-FPM is their recommended execution model, which has been supported in Virtualmin for several months now. We've also supported fcgid execution of PHP for many years, a decade or more. Both php-fpm and fcgid execution are more secure, faster, take less memory, and allow custom configuration per-domain.
I'm unaware of any applications that require mod_php at this point. But, let me know if you know of any.
Installing it for users that need it is just a couple of commands and will usually automatically be detected by Virtualmin once Apache has been restarted with mod_php enabled.
The only argument for mod_php I can think of is that people are used to it. But, we've been discouraging it for years, so hopefully, we're mostly past that.
Submitted by Diabolico on Wed, 09/20/2017 - 21:38 Permalink
Security risks around mod_php started to pop up 8-10 years ago (from what I can remember). Excuses like "too many people are using it" or "my app/soft is old" should have no weight. Someone's laziness or an attempt to save some money by not upgrading to newer software should never come above overall security and VM reputation.
Make a deadline so people have time to prepare and then remove from VM.
Submitted by robbrandt on Thu, 08/24/2017 - 13:19 Permalink
Too many people still use it, and the security issue is with shared hosting environments, not dedicated ones.
Submitted by Gerritjan on Sun, 09/03/2017 - 08:09 Permalink
It's time for mod_php to kick the bucket. PHP-FPM == PHP-FTW
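An added example, not part of the thread and not Virtualmin's own code: a shell check for the concern raised in the first comment, that PHP under mod_php executes as the Apache user rather than the domain owner. It works on output captured from `apachectl -M` and `ps -eo user,args`; the sample output, user names, pool names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed, not taken from a real host.

# Read `apachectl -M` output on stdin and print any loaded mod_php module.
# mod_php registers as php5_module, php7_module or php_module.
loaded_php_modules() {
    awk '$1 ~ /^php[0-9]*_module$/ { print $1 }'
}

# Read `ps -eo user,args` output on stdin and print "user pool" for every
# php-fpm pool worker running as the web server user given in $1.
# A per-domain pool should run as the domain owner instead.
pools_running_as() {
    awk -v web="$1" \
        '$2 == "php-fpm:" && $3 == "pool" && $1 == web { print $1, $4 }' |
        sort -u
}

# Constructed sample of `apachectl -M` output.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 fcgid_module (shared)
 php7_module (shared)'

# Constructed sample of `ps -eo user,args` output.
SAMPLE_PS='USER     COMMAND
root     php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
example  php-fpm: pool example.com
example  php-fpm: pool example.com
www-data php-fpm: pool www
www-data /usr/sbin/apache2 -k start'

mods=$(printf '%s\n' "$SAMPLE_MODULES" | loaded_php_modules)
pools=$(printf '%s\n' "$SAMPLE_PS" | pools_running_as www-data)

if [ -n "$mods" ]; then
    echo "mod_php loaded ($mods): PHP runs inside Apache as the web server user"
fi
if [ -n "$pools" ]; then
    echo "php-fpm pools not isolated per domain owner: $pools"
fi
```

On a live host, pipe the real command output into the two functions and pass the distribution's web server user (for example `www-data` or `apache`) to `pools_running_as`.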