[BlueOnyx:26058] BlueOnyx Webserver Performance a.k.a. the impact of "open_basedir"

Tobias Gablunsky t.gablunsky at cbxnet.de
Fri Mar 31 07:21:47 -05 2023


Hello all,

We have had some complaints lately about very poor web server performance on our BlueOnyx servers. All affected sites are CMS-driven, mainly WordPress. We did a lot of tests and comparisons with other hardware and software - it always looks as if the reason was within BlueOnyx itself.

We are now very sure we have found the reason why a non-BlueOnyx web server is about 3 times as fast as a BlueOnyx one: if you disable open_basedir, the problem is gone (a single request on https://server.name/wp-login.php is sufficient to see the difference).

The problem behind that is that the PHP feature "realpath cache" is disabled when open_basedir is enabled, see:

https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem

https://bugs.php.net/bug.php?id=52312

We are aware that open_basedir is a security feature. But I have to open a discussion here: Is it really needed? From my understanding, there should be file access rights permitting access of every website only to areas they are allowed to access and permit the others.

An option to disable it per site would be nice. But at least we'd need an option to disable it per server. This way we could offer customers their own server with "performance enabled" - and slightly less security. Which can be acceptable if there is only one customer on a single server.



Who has the insights on the security implications of disabling this?

Maybe it would be a good compromise to include this plugin https://github.com/Whissi/realpath_turbo to get both performance and security, as this is surely what we all want. In addition to disabling open_basedir, they disable dangerous PHP functions (link, symlink).

Regards,
Tobias
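
One way to check on a given server whether the realpath cache is actually in use under the current open_basedir setting, as an added example that is not part of the original post. The function names `realpath_cache_report` and `time_realpath` and the round count of 20000 are choices made for this example.

```php
<?php
// Added example (not from the original post): shows whether PHP's realpath
// cache is actually in use under the current open_basedir setting.
// Run it through the same SAPI and vhost as the affected site, because the
// CLI usually reads a different php.ini than the web server.

function realpath_cache_report(): array
{
    return [
        'sapi'                => PHP_SAPI,
        'open_basedir'        => (string) ini_get('open_basedir'),
        // Configured size; the live usage below shows whether it is used.
        'realpath_cache_size' => (string) ini_get('realpath_cache_size'),
        'realpath_cache_ttl'  => (string) ini_get('realpath_cache_ttl'),
        'cache_bytes_used'    => realpath_cache_size(),
        'cache_entries'       => count(realpath_cache_get()),
    ];
}

// Time repeated resolution of one path, in milliseconds.
function time_realpath(string $path, int $rounds = 20000): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        realpath($path);
    }
    return (microtime(true) - $start) * 1000.0;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

$target = __FILE__;   // this script, so always inside the site's own tree
realpath($target);    // first lookup populates the cache if it is enabled
$report = realpath_cache_report();
$report['ms_for_20000_realpath_calls'] = round(time_realpath($target), 2);

foreach ($report as $key => $value) {
    printf("%-28s %s\n", $key, $value === '' ? '(not set)' : $value);
}

if ($report['open_basedir'] !== '' && $report['cache_entries'] === 0) {
    echo "\nopen_basedir is set and the realpath cache is empty: ",
         "every path lookup is resolved from the filesystem again.\n";
} elseif ($report['cache_entries'] > 0) {
    echo "\nThe realpath cache is active for this configuration.\n";
}
```

Compare the output for the same vhost with open_basedir set and unset, and remove the script afterwards, since it prints configuration details.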