I was recently curious about PHP 5.4's built-in webserver. On the surface it seems as though, while rather barebones, with enough work it could be possible to distribute PHP applications that traditionally depend on a separate web server, like WordPress, as standalone scripts that you could just run with php -S localhost:80 app.php (or, more likely, './wordpress.sh'). They might even ship with their own PHP interpreter that has all the features the application needs, which would obviate the need for targeting many different versions of the language.
It's re-inventing the wheel somewhat, but it would certainly increase portability and reduce complexity for the end user.
However, I saw the following on the documentation page:
This web server was designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.
This would obviously refer to issues like proper filesystem security and serving the correct HTTP headers, which can be worked through. However, is there more to it? Are there inherent security concerns and/or technical limitations with using PHP's built-in web server in a production environment that can't be worked around? If so, what are they?
4 solutions
#1
14
I can think of plenty of operational issues why you wouldn't want to do this:
- Logging
- Rewrites
- Throttling
- Efficiency (not tested, but I'm guessing Nginx is a lot faster than PHP's built-in non-optimized server)
- Integration with anything else you have that extends Nginx, Apache, and IIS (things like New Relic)
However, there is a solution where you get most of the benefit of running PHP with its built-in web server while getting most of the benefit of running a web server out front. That is, you could use a server like Nginx as a reverse proxy to PHP's built-in web server. In this situation, HTTP becomes a replacement for FastCGI, analogous to common usages of the built-in HTTP server in Node.js applications.
Now, I can't speak to the specifics of the warning in the documentation as I am not one of the PHP authors. If it were me, I'd not run PHP alone for the reasons above, but I might consider running it behind a real web server like Nginx. For me though, setting up PHP with PHP-FPM and what not isn't that difficult, and I'll take that over guessing at the seaworthiness of a built-in server that is documented to be for testing only.
#2
3
PHP's built-in server only supports HTTP/1.0, which means clients have to make a new TCP/IP connection for every request. This is very slow.
#3
2
The problem with PHP's built-in web server is that it is single threaded!
That has performance and security implications. Performance implications obviously are that only one user can be served at a time (until one request finishes, another can not start).
Security implications are that it's pretty easy to DoS that server, using a simple open socket that sends tiny amounts of data (similar to Slow Loris).
It's useful for simple, one-page, non-interactive applications that have no risk of denial of service.
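The reverse-proxy arrangement suggested in answer #1, configured so that nginx also absorbs the slow-client problem raised in this answer and provides the logging and throttling the built-in server lacks. This is an added example, not part of any answer on the page; the backend port 8080, the host name, the log paths and every numeric limit are assumptions chosen for illustration.

```nginx
# Assumed backend, bound to loopback so only nginx can reach it:
#   php -S 127.0.0.1:8080 app.php
# Place in the http {} context. All numeric limits are illustrative.

# Throttling: per-client-IP request rate and concurrent-connection caps.
limit_req_zone  $binary_remote_addr zone=php_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=php_conn:10m;

server {
    listen 80;
    server_name app.example.test;        # placeholder host name

    # Logging is done by nginx instead of the PHP process.
    access_log /var/log/nginx/php_app.access.log;
    error_log  /var/log/nginx/php_app.error.log warn;

    # Slow clients: nginx drops connections that stall while sending
    # headers or body, before the request ever reaches PHP.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;           # keep-alive is terminated at nginx
    client_max_body_size  2m;

    location / {
        limit_req  zone=php_req burst=20 nodelay;
        limit_conn php_conn 10;

        # Read the full request first (the default), so the single PHP
        # process only ever sees complete requests arriving over loopback.
        proxy_request_buffering on;
        proxy_buffering         on;

        # One short-lived HTTP/1.0 connection per request to the backend.
        proxy_http_version 1.0;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_connect_timeout 2s;
        proxy_read_timeout    30s;       # bound how long one slow script can hold the proxy
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The proxy shields the backend from slow network clients only: requests still run one at a time inside the PHP process, so a slow script continues to delay everything queued behind it.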
#4
-2
It is not intended for production use and may not be able to gracefully handle crashes and memory leaks, raising stability concerns. More importantly PHP itself warns of this explicitly:
Warning: This web server was designed to aid application development. It may also be useful for testing purposes or for application demonstrations that are run in controlled environments. It is not intended to be a full-featured web server. It should not be used on a public network.