Should we remove mod_php from the default Virtualmin installation?

Joe's picture
Submitted by Joe on Tue, 08/22/2017 - 10:55 Pro Licensee
Yes, even the PHP developers haven't recommended mod_php in many years
81% (17 votes)
No, I need to run old software that requires mod_php
19% (4 votes)
Total votes: 21

Comments

Joe's picture
Submitted by Joe on Tue, 08/22/2017 - 11:15 Pro Licensee

To kick off a discussion, I want to explain some of my reasons for wanting to ditch mod_php.

  1. It's big (adds ~150MB to the Apache executable), slow, and has major security implications (it runs as Apache and not as the domain owner user).
  2. It is discouraged by even the PHP developers. PHP-FPM is their recommended execution model, which has been supported in Virtualmin for several months now. We've also supported fcgid execution of PHP for many years, a decade or more. Both php-fpm and fcgif execution are: More secure, faster, take less memory, and allow custom configuration per-domain.
  3. I'm unaware of any applications that require mod_php at this point. But, let me know if you know of any.
  4. Installing it for users that need it is just a couple of commands and will usually automatically be detected by Virtualmin once Apache has been restarted with mod_php enabled.

The only argument for mod_php I can think of is that people are used to it. But, we've been discouraging it for years, so hopefully, we're mostly past that.

Submitted by robbrandt on Thu, 08/24/2017 - 13:19

Too many people still use it, and the security issue is with shared hosting environments, not dedicated ones.

Submitted by Gerritjan on Sun, 09/03/2017 - 08:09

It's time for mod_php to kick the bucket. PHP-FPM == PHP-FTW

Diabolico's picture
Submitted by Diabolico on Wed, 09/20/2017 - 21:38

Security risks around mod_php start to pop out before 8-10 years (what i can remember). Excuses like "too many people are using it" or "my app/soft is old" should have no weight. Someone laziness or attempt to save some money and do not upgrade to newer software should never come above overall security and VM reputation.

Make a deadline so people have time to prepare and then remove from VM.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.