Discussion:
[PHP-INSTALL] how to statically link PHP 5.2.x + Apache httpd 2.2.x?
Ro Achterberg
2009-09-29 09:46:30 UTC
Hi all,

I'm in the midst of setting up my production server, which will be
running on a fully chrooted non-root LAMP configuration. Due to my
high demands for performance and security, I've been advised by
several resources on the net to statically link PHP into Apache.
However, all information I could find seems to pertain to very old
Apache 1.3.x configurations, which are no longer compatible with the
current configure scripts.

In the past few days, I've tried my best to build a libphp5.a static
library using various configure arguments, but to no avail. I'm
starting to wonder if it's at all possible to statically link PHP
5.2.x into httpd 2.2.x! Some information about my build system: httpd
2.2.13, PHP 5.2.11, gcc 4.1.2, binutils 2.18 on CentOS 5.2. My last
unsuccessful ./configure line reads as follows:
"./configure --prefix=/chroot/apache2/php --with-iconv=/usr/local
--enable-static"

Any insights would be greatly appreciated.

Bye, Ro
Rasmus Lerdorf
2009-09-29 13:36:23 UTC
Post by Ro Achterberg
I'm in the midst of setting up my production server, which will be
running on a fully chrooted non-root LAMP configuration. Due to my high
demands for performance and security, I've been advised by several
resources on the net to statically link PHP into Apache. However, all
information I could find seems to pertain to very old Apache 1.3.x
configurations, which are no longer compatible with the current
configure scripts.
That's because statically linking is an outdated idea. There are no
performance nor security benefits. The only reason a traditional static
library is faster than a shared library is because a shared library is
usually built using PIC (Position Independent Code) which adds an offset
lookup table allowing the library to be linked into many different
binaries at the same time. Since libphp5.so is not a general-purpose
shared library, but tied implicitly to a specific SAPI, we build it
non-pic by default which means there is no performance difference.

-Rasmus
Ro Achterberg
2009-09-29 13:52:35 UTC
Post by Rasmus Lerdorf
Post by Ro Achterberg
I'm in the midst of setting up my production server, which will be
running on a fully chrooted non-root LAMP configuration. Due to my high
demands for performance and security, I've been advised by several
resources on the net to statically link PHP into Apache. However, all
information I could find seems to pertain to very old Apache 1.3.x
configurations, which are no longer compatible with the current
configure scripts.
That's because statically linking is an outdated idea. There are no
performance nor security benefits. The only reason a traditional static
library is faster than a shared library is because a shared library is
usually built using PIC (Position Independent Code) which adds an offset
lookup table allowing the library to be linked into many different
binaries at the same time. Since libphp5.so is not a general-purpose
shared library, but tied implicitly to a specific SAPI, we build it
non-pic by default which means there is no performance difference.
-Rasmus
Hi Rasmus,

While I totally accept your argument against any supposed increased
performance, I very much dispute that static linking would not have
any security benefits. I think most security researchers would agree
with me that from a security point of view, it would be better to
compile Apache without any module support so as to minimize chances
of hostile code injection. This would obviously have to lead to a
static linking of PHP.

Anyway, thanks for your response. I'll stop trying and use PHP as a
non-PIC DSO.

Bye, Ro
