php

angch's picture

nginx https proxypass for php apps

Posted Tue, 09/02/2010 - 17:01 by angch

For various reasons (performance + clustering + slowloris protection), putting nginx in front of your apache+php application is a Good Thing. In addition to http, we usually let nginx fronting https for apache, so to simplify your load balanced php apps.

Some additional benefits of doing this:

  • This also enables you to serve multiple domains off a single IP (aka Named Based Virtual Hosts over https), something that Apache doesn't do very well. Your browser may complain loudly about mismatched https certs, though
  • HTTP referer hiding. If you have an internal custom site with less security, say http://private.home/ behind a firewall, you don't have to worry about users from the Internet accessing it, but any links from http://private.home/ to, say, http://www.bytecraft.com.my/ your browser will still leak the internal URL to the webmaster of the external site. Convert the internal site to https://private.home/ and all referers are not sent.

One downside is that the PHP app must realize that it is separated from the actual browser from itself. So the traditional way for checking the remote IP and whether a connection is https or not would not work. ($_SERVER['REMOTE_ADDR'] & $_SERVER['HTTPS'])

To fix this, there are two parts we must changed: get nginx to send additional headers, and get the PHP app to recognize the alternate headers.

1. nginx config

both http and https sections:

location / {
    proxy_pass http://10.0.0.1:80/; # Replace with your apache ip/port
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Scheme $scheme;
}
X-Forwarded-For and Scheme are the important ones here.

2. PHP

Highly dependant on your PHP app, but in general, search for $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTPS'].

Example snippet to force https connection (say, for the login page):

if (isset($_SERVER['HTTP_SCHEME']) && $_SERVER['HTTP_SCHEME'] == 'http') {
    header('Location: https://'.$_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}

angch's picture

sugarcrm & memcache: Doing it Wrong

Posted Tue, 09/02/2010 - 12:10 by angch

Part one, tl, dr: memcache actually made sugarcrm slower.

Part two, tl, dr: Installing php5-mcrypt makes your sugarcrm site runs faster! Wish they'd note this more prominently.

We reinstalled sugarcrm the other day. Looked okay on development machine. Tested, everyone (for some values of "every") liked it. So we deployed it to the production machine. Used it for a while, then the dashboard and front page promptly slowed down to a crawl, taking up to 10 seconds to display when it was very snappy and loaded in sub-seconds.

After some false starts at troubleshooting, we backported the site back to the development machine. Slow. Okay, time to bring out the heavy duty tools and be serious about it.

1. Get Xdebug up

sudo apt-get install php5-xdebug     # If you haven't already
sudo vi /etc/php5/conf.d/xdebug.ini  # Or jed. jed is good.

Add following to xdebug.ini:

xdebug.profiler_enable=1
xdebug.profiler_output_dir=/tmp/xdebug

Set up the output directory, restart apache:

mkdir /tmp/xdebug
sudo chown www-data /tmp/xdebug
sudo invoked-rc.d apache2 restart

... and reload the offending slow sugarcrm page. xdebug spits out the diags at

/tmp/xdebug/cachegrind.out.13582

2. Cachegrind Analysis

The cachegrind file is a rather raw output, so we'd rather have a pretty GUI to visualize it. We'll use kcachegrind for this.

Rather than installing the GUI on the development server, we disabled xdebug, and copied the cachegrind output to our workstation. sudo apt-get install kcachegrind on our workstation will get us everything we need.

Start it up. (Applications / Programming / KCacheGrind). Load cachegrind.out.13582 that we copied over. Set the display to display absolute time (Right click on the data, "Show absolute cost"):

There. Out of the total runtime of 7.57 seconds (first row), 6.94 seconds is spent on php::Memcache->set. What?

Memcache making things slower? Wait, we didn't configure sugarcrm to use Memcache! Apparently sugarcrm automagically uses memcache if it detects it:

Sugar automatically enables external cache support once it detects a supported external cache method

3. Conclusion & Fix

It's memcache. It has to be. Time to test.

Before stopping memcached:

Server response time: 7.23 seconds.

After stopping memcached:

Q.E.D. More permanent fix:

sudo vi config_override.php
$GLOBALS['sugar_config']['external_cache_disabled_memcache'] = true;

I'm not sure if the problem is related to sugarcrm or the way we set up our server (all signs point to our version of memcache module for php), but this post is more about how we found the problem, and can be used for just about any php app.

P.S. sugarcrm 5.5a, Ubuntu 8.04 LTS (amd64), mysql 5.0.

P.P.S. Spoiler in title, I know.

Part 2: Speed, more speed!

Further testing still showed that our development server is still faster than production. More testing showed that the both development and production server called Sugar's PEAR's Blowfish routines(why sugarcrm is crypting so many things is beyond me) alot, but the development machine runs those faster. Hmmm.

Further looking at the source code, PEAR's blowfish has a Blowfish implementation in PHP as a fallback in case it can't load the mcrypt module for php. Installing php5-mcrypt and restarting the webserver fixed that.

kamal's picture

Drupal urlencode: Dealing with ampersand in filename

Posted Mon, 09/11/2009 - 10:31 by kamal

A bug poping out with some files failed to download, returning 404. Looking closer at the issue, turned out the files that failed contained ampersand "&" in the filename. PHP would translate the "&" in request path as a key in $_GET variable. So something like:-

$ wget http://www.somesite.com/system/files/fm/somefile_with_&_ampersand.pdf

would result in PHP $_GET as:-

array(
  [q] => system/files/fm/somefile_with_
  [_ampersand] =>
)

urlencode'ing' the path is not enough because PHP would still translate that to an ampersand.

kamal's picture

PHP CLI Segmentation Fault With pgsql

Posted Mon, 13/07/2009 - 14:09 by kamal

"Segmentation fault"

Got this every time running PHP from the command line, especially when working with Drupal. It doesn't caused any harm (script working just fine) and that's why I never look into it. But accidentally found this post and the suggested fix did remove the "Segmentation fault" message from appearing.

  • Commented pgsql in pgsql.ini
  • Load pgsql extension in curl.ini, before the curl extension.
kamal's picture

PHP development server

Posted Wed, 06/05/2009 - 17:02 by kamal

One thing that I like in various Python frameworks such as Django etc, they come with built-in development server that allow you to start developing the application without worrying much about properly setting up apache and all sort of things regarding deployment. Though personally, I'd prefer developer to have some knowledge in configuring apache (at least in their local environment) having some sort of development server still being useful even for myself.

angch's picture

Releasing paprik to public.

Posted Tue, 17/02/2009 - 12:12 by angch

Paprik is our previous generation PHP framework we used for a number of years, targetted for PHP 4 and PostgreSQL. We're in the process of releasing it to the public, under a suitable Open Source license.

I'm currently excising and pruning extra revisions that does not belong to the framework Please don't use it yet.Update 2008-03-03: Done. Go wild!

angch's picture

Tempting.

Posted Tue, 05/08/2008 - 20:42 by angch

Very Important Programmer PHP programming contest looks like easy pickings. Any takers? :)

Hey, the site runs on drupal as well. Aside: so is Wireless KL

angch's picture

PHP frameworks for CRUD

Posted Wed, 30/07/2008 - 12:14 by angch

Quick review of notable frameworks for PHP, and my 2 cents.

  • Cake Cake is nice, because it's modeled on Rails. Cake is not nice, because it's modeled on Rails.

  • CodeIgniter Pro: Lightweight, clean. Less code. Easier for RESTful apps. Con: Still supports PHP4, so still a number of workarounds there.

Syndicate content