<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta name="Generator" content="Kopano WebApp v-6.0.0.57-1+2026.1">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>BlueOnyx Webserver Performance a.k.a. the impact of "open_basedir"</title>
</head>
<body>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;">Hello all,</p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;"><br /></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;">we had some complaints lately about very poor web server performance on our BlueOnyx servers. All affected sites are cms driven, mainly Wordpress. </span><span style="font-size: 11pt;">We did a lot of tests and comparisons with other hardware and software - always looks as if the reason was within BlueOnyx itself.</span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;"><br /></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;">We now are very sure to have found the reason, why a non-blueonyx webserver is about 3 times as fast as a blueonyx one: If you disable open_basedir the problem is gone (A single request on <a href="https://server.name/wp-login.php" target="_blank" title="https://server.name/wp-login.php
Klicken Sie auf den Link, um die URL in einem neuen Fenster zu öffnen." rel="noopener">https://server.name/wp-login.php</a> is sufficient to see the difference). </span></p>
<p style="padding: 0px; margin: 0px; min-height: 11pt; font-family: arial, helvetica, sans-serif; font-size: 11pt;"><span style="font-size: 11pt;">The problem behind that is, that the php feature "Realpath cache" is disabled when open_basedir is enabled, see:</span></p>
<p style="padding: 0px; margin: 0px; min-height: 11pt; font-family: arial, helvetica, sans-serif; font-size: 11pt;"><span style="font-size: 11pt;"><a href="https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem" target="_blank" title="https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem
Klicken Sie auf den Link, um die URL in einem neuen Fenster zu öffnen." rel="noopener">https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem</a></span></p>
<p style="padding: 0px; margin: 0px; min-height: 11pt; font-family: arial, helvetica, sans-serif; font-size: 11pt;"><span style="font-size: 11pt;"><a href="https://bugs.php.net/bug.php?id=52312" target="_blank" title="https://bugs.php.net/bug.php?id=52312
Klicken Sie auf den Link, um die URL in einem neuen Fenster zu öffnen." rel="noopener">https://bugs.php.net/bug.php?id=52312</a></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;"><br /></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;">We are aware of that open_basedir is a security feature. But I have to open a discussion here: Is it really needed? From my understanding there should be file access rights permitting access of every website only to areas they are allowed to access and permit the others.</span><br /></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;"><br /></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;">Nice would be an option to disable it per site. But at least we'd need an option to disable it per server. This way we could offer customers their own server with "performance enabled" - and a slightly lesser security. Which can be acceptable if there is only one customer on a single server..</span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;"><br /></span></p>
<p style="font-family: arial, helvetica, sans-serif; font-size: 11pt; padding: 0px; margin: 0px;"><span style="font-size: 11pt;">Who has the insights on the security implications of disabling this?</span></p>
<p style="font-family: arial,helvetica,sans-serif; font-size: 11pt; padding: 0; margin: 0;"><br /></p>
<p style="font-family: arial,helvetica,sans-serif; font-size: 11pt; padding: 0; margin: 0;"><span style="font-size: 11pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<p style="font-family: arial,helvetica,sans-serif; font-size: 11pt; padding: 0; margin: 0;"><span style="font-size: 11pt; font-family: arial, helvetica, sans-serif;">Maybe it would be a good compromise to include this plugin <a href="https://github.com/Whissi/realpath_turbo" target="_blank" title="https://github.com/Whissi/realpath_turbo
Klicken Sie auf den Link, um die URL in einem neuen Fenster zu öffnen." rel="noopener">https://github.com/Whissi/realpath_turbo</a> to get both, performance and security as for sure this is we all want. In addition to disabling open_basedir they disable dangerous PHP functions (link,symlink)</span></p>
<p style="font-family: arial,helvetica,sans-serif; font-size: 11pt; padding: 0; margin: 0;"><span style="font-size: 11pt; font-family: arial, helvetica, sans-serif;"><br /></span></p>
<div class="signatureContainer">
<div class="signature">
<p style="padding: 0; margin: 0;"><span style="font-size: 11pt; font-family: arial, helvetica, sans-serif;"></span></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p style="padding: 0; margin: 0;"></p>
<p>Regards,<br />Tobias</p>
</div>
</div>
</body>
</html>