Development and Code Review / Why php-cgi with lighty fcgi wrapper instead of php-fpm?
« on: February 13, 2017, 02:43:23 am »
Hi, guys.
Just installed OPNSense in a VM for testing and was quite surprised to see it running php-cgi instead of fpm. Why so?
Ofc, firewall/router webface isn't intended nor required to serve 100s of rps, so fpm performance optimizations aren't that relevant here, but what about stability and security? Personally I thought cgi-fcgi (don't confuse with fpm-fcgi) sapi was long ago obsolete and probably even dropped, however now I can see it's still maintained, but how actively?
Also wouldn't it be better to run the fcgi manager as a separate process and then completely drop root privs from lighty as the first step to complete and proper priv separation? Having a daemon listening on a public socket running as root just makes me a bit uncomfortable, even though it is behind the packet filter)
And same question for lighty vs nginx.
I have nothing against lighty, actually have almost no experience with it at all. Just curious, was it an intended and thought-about migration or was it just inherited from the parent sense and left intact?