Perl in shared hosting environments

Dirk Koopman djk at tobit.co.uk
Wed Sep 21 11:21:06 BST 2011


On 21/09/11 09:55, Tomas Doran wrote:
>
> On 21 Sep 2011, at 09:22, Philip Newton wrote:
>>
>> And I agree with Lesley in assuming the answer is "no" - I doubt that
>> you can modify Apache that way to "inject" a module into it from your
>> section of a shared hosting environment.
>
> Oh, yes, of course!
>
> Your perl script isn't going to be able to extend apache without apache
> collaborating in this :)
>

For what it is worth, I stopped using mod_perl (as well as Apache) 
several years ago and moved onto other webservers and FastCGI.

Reasons include:

* Apache seems to be the sendmail of the webserving world. Does anybody
   other than me note the frequency of critical bugs, ongoing,
   that Apache has?

* Other webservers can be run, more easily, on non-privileged
   ports and users, chrooted etc etc to reduce the attack surface
   even more (obviously one redirects traffic from port 80 etc
   either via the operating system or load balancers).

* Stuff has to be "stitched into" mod_perl. This is unnecessarily
   tedious -> difficult and probably increases the attack surface
   as well.

* Adding (completely) new stuff into the same mod_perl environment
   is next to impossible (i.e. forget "shared hosting").

* mod_perl processes seem(ed) to get bigger and bigger and need(ed)
   to be killed every few 10s of requests to keep memory usage in
   bounds. We needed many more (bigger) machines to run mod_perl v
   other webservers and FastCGI.

* Stuff designed with FastCGI in mind is much easier to test and
   debug.

* FastCGI does not have to be on the same machine as the webserver,
   nor even on the same architecture.

* The difference in speed between mod_perl and an established
   FastCGI set of processes is minimal. In some cases I have found
   FastCGI faster than mod_perl.

I may simply be biased, but it is based on bitter (but now old) experience.

YMMV (and probably does)

Dirk


More information about the london.pm mailing list