[BlueOnyx:26060] Re: BlueOnyx Webserver Performance a.k.a. the impact of "open_basedir"

Michael Stauber mstauber at blueonyx.it
Fri Mar 31 14:39:45 -05 2023 

Hi Tobias,

> we had some complaints lately about very poor web server performance on 
> our BlueOnyx servers. All affected sites are cms driven, mainly 
> Wordpress. We did a lot of tests and comparisons with other hardware and 
> software - always looks as if the reason was within BlueOnyx itself.
> 
> 
> We now are very sure to have found the reason, why a non-blueonyx 
> webserver is about 3 times as fast as a blueonyx one: If you disable 
> open_basedir the problem is gone (A single request on 
> https://server.name/wp-login.php <https://server.name/wp-login.php> is 
> sufficient to see the difference).
> 
> The problem behind that is, that the php feature "Realpath cache" is 
> disabled when open_basedir is enabled, see:
> 
> https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem <https://serverfault.com/questions/158584/php-safe-mode-open-basedir-lstat-performance-problem>
> 
> https://bugs.php.net/bug.php?id=52312 
> <https://bugs.php.net/bug.php?id=52312>


Ok, I just did a test on a 5211R. Two identical Vsites. Both using 
PHP-FPM with PHP-8.2.4 from the shop. And the latest WordPress also 
installed from the shop.

I just finished the web based initial setup of Wordpress, so both 
installs have the same sample configuration and identical appearance.

One is installed as "site1", the other as "site2".

I then edited /etc/php-fpm-8.2.d/site2.conf and commented out the ...

php_admin_value[open_basedir] = [...]

... line and restarted PHP-FPM:

systemctl restart php-fpm-8.2

I then prepared Firefox to have two tabs open with the debugging console 
activated and the "Network Analysis" open and accessed the Worpress 
installs. "site1" in one tab, "site2" in the other.

Both Vsites use SSL (LE certs), so I used HTTPS for testing.

site1: load time 2.31s on first load, 1,06s on reload
site2: load time 2.84s on first load, 1,17s on reload

So the Vsite w/o open_basedir actually loaded SLOWER and reloaded SLOWER.

I then hit reload a couple of times and the results were all over the 
place. The best speed I could ever get on reloads for "site1" was 1,01s 
and the best speed for reloads of "site2" I could ever get was 0,96s.

So the best speed gain (after many retries) measured in 0,05s (five 
miliseconds!).

I then opened a new Firefox in private mode and tested "site1" (initial 
load and multiple reloads) and then closed that browser, opened another 
Firefox in private mode and repeated the same steps for "site2".

Again the results were all over the place and I could make out no 
discernible speed advantage of one over the other. In fact in some cases 
both the initial load as well as the reload were faster on the Vsite 
with open_basedir enabled and on retries the Vsite with open_basedir 
disabled was faster.

So if there is any speed advantage of NOT having open_basedir 
configured, then in my experience it is so miniscule that it's almost 
impossible to measure.

> We are aware of that open_basedir is a security feature. But I have to 
> open a discussion here: Is it really needed? From my understanding there 
> should be file access rights permitting access of every website only to 
> areas they are allowed to access and permit the others.

Recall that we're doing shared webhosting on a BlueOnyx. So normally a 
PHP script can access *ANYTHING* on the server that the user who runs 
the script has read permissions for. Without the limits imposed by 
open_basedir a malicious user could use scripts to get read access to 
privileged information that includes some of the server configuration as 
well as some limited information about what other Vsites are present and 
possibly also read access to some of the data that other Vsites have 
hosted in their webspace.

For that reason open_basedir is really an absolute must have to isolate 
content of Vsites against access from other Vsites.

> Nice would be an option to disable it per site. But at least we'd need 
> an option to disable it per server.

That is certainly doable, but it would be a feature that only the server 
admin can activate/deactivate on a per Vsite level.

> Maybe it would be a good compromise to include this plugin 
> https://github.com/Whissi/realpath_turbo 
> <https://github.com/Whissi/realpath_turbo> to get both, performance and 
> security as for sure this is we all want. In addition to disabling 
> open_basedir they disable dangerous PHP functions (link,symlink)

The last update to that code on GitHub was posted on January 4th, 2020. 
The latest PHP versions available at that time were PHP-7.4.1 and 
PHP-7.3.14.

https://github.com/Whissi/realpath_turbo/blob/master/realpath_turbo.c 
indicates that this is a Zend extension and in PHP-8.0, 8.1 and 8.2 the 
API for Zend extensions changed drastically (yet again). So I doubt that 
this extension will work in any modern PHP. In fact: It won't work in 
any PHP that hasn't been EOL'ed long ago.

It having received no updates in three years is a really bad sign. For 
all intends and purposes it is abandonware and I wouldn't want to base 
critical infrastructure on something that is no longer actively supported.

Out of curiosity: What BlueOnyx version and PHP versions (also PHP 
implementation - DSO, RUID, suPHP, FPM) are you testing this and what 
speed improvements (if any) do you see?

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list