We're in the process of migrating our web sites to Amazon's AWS Cloud. While planning for the transition, I decided to fix some of the trouble we've had in the past with the current configuration - namely the Apache process and file system permissions. By default Apache runs as www-data (Debian) or apache (CentOS), which is fine and dandy and secure for simple installations. But when working in a multiuser environment (we're basically offering web hosting services to other departments in our organization), this causes trouble. Users are not able to delete files uploaded and owned by www-data etc. A simple problem which causes unnecessary extra work (in my defense: I didn't set up the current system).

The solution is to use building blocks that enable Apache to setuid to another user (the one owning the site / virtual host). As a result, all uploaded etc. files are always owned by the site owner, and thus they'll always be able to operate on the files.

There are several options for implementing this in Apache, but I'm basically looking at only two: mod_fcgid, because I'm familiar with it and in my experience it works well and the performance is great, and ITK MPM, because a friend introduced it to me recently. Feature-wise both are equal, but the latter is easier to configure. I'm not aware of major differences between the two security-wise either, so, for me, it all boiled down to performance. Which one of the two would perform better? I didn't seem to find any performance comparisons on the Internets, so I had to conduct testing of my own...

Apache configurations were in both cases pretty much the defaults in Debian:

mod_fcgid:

    StartServers 2
    MinSpareThreads 25
    MaxSpareThreads 75
    ThreadLimit 64
    ThreadsPerChild 25
    MaxClients 150
    MaxRequestsPerChild 0

mpm_itk:

    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxClients 150
    MaxRequestsPerChild 0

Tests were executed with Apache Benchmark by requesting a simple phpinfo(); PHP page. The command used to execute the tests was:

    ab -r -n 1000 -c 1000 'http://localhost/i.php'

Here are a few highlights from the Apache Benchmark results:

In number of requests served per second the difference is pretty impressive.

And the transfer rate: Pretty much along the lines of requests per second.

And the most interesting chart (please note that the lower the bars are, the better the performance): This chart shows that the difference between the two is not really that big for the first 500 requests (actually, it is quite big - mod_fcgid would've served 777 requests by the time mpm_itk served 500, so it's performing over 50% better), but it grows significantly at 750 requests. And from there on, mpm_itk loses the game totally.

The difference is quite likely a result of the way mpm_itk works. It spawns a separate process for each request (afaik), while mod_fcgid is able to serve multiple requests from a single process. Performance of mpm_itk can be enhanced by tweaking the MaxClients and Min/MaxSpareServers configuration parameters, but it won't change the fact that spawning a process is quite expensive resource-wise.

The difference gets less and less significant as the time spent executing the actual PHP code gets longer, for example when executing database queries etc., which are common in real-life scenarios.

For busy sites mod_fcgid seems to be the better solution, as it's able to serve more requests with fewer resources. At least it's what I'm choosing for our Amazon hosted setup.
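The two per-site setups compared above, shown as virtual host configuration. This is an added example, not the configuration used in the tests: the hostnames, the users alice and bob and all paths are assumptions, and mod_fcgid is assumed to be paired with suexec, which is what actually switches the user in that setup.

```apache
# Added example; hostnames, users (alice, bob) and paths are assumptions.

# Option 1: mpm_itk. A single directive per virtual host. The process
# handling the request switches to this user and group once the request
# has been parsed; until that point it still holds root privileges.
<VirtualHost *:80>
    ServerName alice.example.org
    DocumentRoot /var/www/alice/htdocs
    AssignUserID alice alice
</VirtualHost>

# Option 2: mod_fcgid with suexec. Apache itself keeps running as
# www-data; only the PHP FastCGI processes run as the site owner, so
# files written by PHP end up owned by bob.
<VirtualHost *:80>
    ServerName bob.example.org
    DocumentRoot /var/www/bob/htdocs
    SuexecUserGroup bob bob
    <Directory /var/www/bob/htdocs>
        Options +ExecCGI
        AddHandler fcgid-script .php
        # php-wrapper is a small shell script that execs php-cgi.
        # suexec refuses to start it unless it is owned by bob, is not
        # writable by group or others, and lives under the document
        # root that suexec was compiled with.
        FcgidWrapper /var/www/bob/fcgi-bin/php-wrapper .php
    </Directory>
</VirtualHost>
```

In the second setup static files are still read by www-data, so they need to stay readable by that account even though bob owns them.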