Mailing List Archive

Common CGI Options" the "Check file" and "Rule" -> "Check local file"
Hi,

I'm wondering if in a highly loaded server it is better to have in "Handler" ->
"Common CGI Options" the "Check file" enabled or not, and in "Rule" ->
"Check local file" enabled or not... I would like to uncheck both for
performance reasons, but I'm not sure if there's any impact on
security...

Can anyone help me?

--
---------------------

Hugo Vázquez Caramés

"The work that is never started is the one that takes longest to finish" (J.
R. R. Tolkien)

"Most people spend more time and energy talking about problems than
facing them" (Henry Ford)

"The impossible is the ghost of the timid and the refuge of the cowardly"
(N. Bonaparte)

========================================================
PENTEST Consultores
Tel: 93 3962070 / Fax: 93 3962001
e-mail: hvazquez@pentest.es
========================================================
Gain credibility and trust, visit http://www.pentest.es



This email is confidential and intended solely for the use of the
individual to whom it is addressed. If you are not the intended
recipient, be advised that you have received this email in error and that
any use, dissemination, forwarding, printing or copying of this email is
strictly prohibited. If you have received this email in error please
notify the sender.

_______________________________________________
Cherokee mailing list
Cherokee@lists.octality.com
http://lists.octality.com/listinfo/cherokee
Re: Common CGI Options" the "Check file" and "Rule" -> "Check local file"
Hello Hugo,

2011/9/3 Hugo Vazquez Carames <hvazquez@pentest.es>

> I'm wondering if in a high loaded server is better to have in "Handler" ->
> "Common CGI Options" the "Check file" enabled or not,
>

Well, that would have quite a big impact on what information is passed to
the *CGI. The option tells the server whether it's executing the content of
a file (CGI, a PHP file through FastCGI) or it's just passing the requested
URL to a backend server (uWSGI, SCGI, FastCGI, etc) without even checking
whether the file exists. Imagine a Django/RoR app, for instance. In that
case you do not want the server to check any local file, simply because they
do not exist.

> and in "Rule" -> "Check local file" enabled or not... I would like to
> uncheck both for performance reasons, but I'm not sure to if there's any
> impact on security...
>

I'm confused about this one. It depends on the rule. Most likely you want
to keep it enabled, but I could not tell you for sure without knowing a little
more about the specific case.

Anyway, if you are worried about performance AND it's a production system
you aren't developing on AND you can spend a few hundred MB of RAM on it,
I'd strongly recommend that you enable "I/O-cache". That will have a
very positive impact on the overall server performance.

Cheers!

--
Greetings, alo
http://www.octality.com/
Re: Common CGI Options" the "Check file" and "Rule" -> "Check local file"
Hi Alvaro,

my "I/O cache" is enabled: I did it as soon as I saw it :-)

My concern is about the impact of checking for the existence of a file on
every request... that means that for every PHP request, there will be a
disk access...?? My system has been designed to serve a minimum of 10k
requests/second serving PHP (actually it can support more than this). I
have no logs, and I have all I can running from memory/cached, etc.
Having the "Check file" in my FastCGI handler makes me think about
Cherokee doing a disk access on every request... Is that right? But not
having the "Check file" enabled maybe would allow an attacker to pass
requests for non-existent files to FastCGI, forcing the FastCGI to do a lot
of disk access, and maybe creating a denial of service condition...

So, summarizing: what could happen if I disable the "Check file" in my
FastCGI handler working with php-cgi?

And also, what could happen if I disable the "Rule" -> "Check local file"
in an "Extensions" rule (extensions: php, tpe)?

Kind Regards,

On Sat, 03 Sep 2011 14:00:44 +0200, Alvaro Lopez Ortega
<alvaro@octality.com> wrote:

> Hello Hugo,
>
> 2011/9/3 Hugo Vazquez Carames <hvazquez@pentest.es>
>
>> I'm wondering if in a high loaded server is better to have in "Handler"
>> ->
>> "Common CGI Options" the "Check file" enabled or not,
>>
>
> Well, that would have quite a big impact on what information is passed
> to
> the *CGI. The option tells the server whether it's executing the
> content of
> a file (CGI, a PHP file through FastCGI) or it's just passing the
> requested
> URL to a backend server (uWSGI, SCGI, FastCGI, etc) without even checking
> whether the file exists. Imagine a Django/RoR app, for instance. In that
> case you do not want the server to check any local file, simply because
> they
> do not exist.
>
>> and in "Rule" -> "Check local file" enabled or not... I would like to
>> uncheck both for performance reasons, but I'm not sure to if there's any
>> impact on security...
>>
>
> I'm confused about this one. It depends on the rule. Most likely you want
> to keep it enabled, but I could not tell you for sure without knowing a
> little
> more about the specific case.
>
> Anyway, if you are worried about performance AND it's a production system
> you aren't developing on AND you can spend a few hundred MB of RAM on it,
> I'd strongly recommend that you enable "I/O-cache". That will have a
> very positive impact on the overall server performance.
>
> Cheers!
>


Re: Common CGI Options" the "Check file" and "Rule" -> "Check local file"
On Sat, 3 Sep 2011, Hugo Vazquez Carames wrote:

> My concern is about the impact on checking for the existence of a file on
> every request... that means that for every PHP request, there will be a disk
> access...??

No, for every file a disk access is made every five minutes. I/O-cache
caches the disk access (stat).


Stefan
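To make Hugo's cost question and Stefan's answer concrete, here is a small Python model added for this archive page; it is not Cherokee's own code. It models a front-end handler that either verifies the target file before passing a request to php-cgi ("Check file" on) or forwards every request unconditionally ("Check file" off), plus a stat cache with a five-minute lifetime standing in for the I/O-cache. The five-minute TTL is taken from Stefan's message; the FastCGI backend is represented only by a counter, and the file names, request counts and fake clock are constructed for the demonstration.

```python
"""Model of a "Check file" gate in front of a FastCGI backend plus a TTL
stat cache. Added illustration; not Cherokee source code."""
import os
import tempfile
import time

CACHE_TTL_SECONDS = 300  # assumed: the five-minute lifetime Stefan mentions


class FakeClock:
    """Controllable clock so the TTL expiry can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class StatCache:
    """Remembers the result of a file-existence check for `ttl` seconds.
    Negative results ("not found") are cached too, so a burst of requests
    for a missing file costs one stat, not one per request."""

    def __init__(self, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.entries = {}    # path -> (expires_at, exists)
        self.disk_stats = 0  # real stat() calls: the cost Hugo asks about

    def exists(self, path):
        now = self.clock()
        hit = self.entries.get(path)
        if hit is not None and hit[0] > now:
            return hit[1]
        self.disk_stats += 1
        found = os.path.isfile(path)
        self.entries[path] = (now + self.ttl, found)
        return found


class FrontEnd:
    """Minimal model of a handler sitting in front of php-cgi."""

    def __init__(self, docroot, check_file, cache):
        self.docroot = docroot
        self.check_file = check_file
        self.cache = cache
        self.backend_calls = 0  # requests that reached the FastCGI backend

    def handle(self, url_path):
        local = os.path.join(self.docroot, url_path.lstrip("/"))
        if self.check_file and not self.cache.exists(local):
            return 404  # refused at the front end; php-cgi never sees it
        self.backend_calls += 1  # forwarded to the backend (model only)
        return 200


def demo(requests_per_path=1000):
    """Run the same traffic with "Check file" on and off; return the counters."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "index.php"), "w") as fh:
            fh.write("<?php echo 'hi'; ?>\n")  # constructed document
        paths = ["/index.php"] * requests_per_path + ["/missing.php"] * requests_per_path
        results = {}

        clock = FakeClock()
        cache = StatCache(clock=clock)
        front = FrontEnd(docroot, check_file=True, cache=cache)
        codes = [front.handle(p) for p in paths]
        results["checked"] = {
            "ok": codes.count(200),
            "not_found": codes.count(404),
            "backend_calls": front.backend_calls,
            "disk_stats": cache.disk_stats,   # one stat per distinct path
        }
        clock.advance(CACHE_TTL_SECONDS + 1)  # entry expires; next request re-stats
        front.handle("/index.php")
        results["checked"]["disk_stats_after_ttl"] = cache.disk_stats

        cache2 = StatCache(clock=clock)
        front2 = FrontEnd(docroot, check_file=False, cache=cache2)
        codes2 = [front2.handle(p) for p in paths]
        results["unchecked"] = {
            "ok": codes2.count(200),
            "backend_calls": front2.backend_calls,  # missing files reach php-cgi
            "disk_stats": cache2.disk_stats,
        }
    return results


if __name__ == "__main__":
    for mode, counters in demo().items():
        print(mode, counters)
```

With the cache in place, the checked configuration costs one stat per distinct path per TTL window rather than one per request, and requests for files that do not exist are answered by the front end instead of being handed to php-cgi; with the check off, every request, including those for missing files, reaches the backend.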