Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apache to save disk I/O

Following up on the advice to stop using AllowOverride All in Apache configs, Wim Godden kindly reminded me of a similar issue that exists when not using FollowSymLinks or when using SymLinksOfOwnerMatch.

The bad configuration

It's about the following kind of configuration.

<Directory "/var/www/html/mysite.be">
    Options SymLinksIfOwnerMatch -FollowSymLinks
</Directory>

The option FollowSymLinks should always be kept on if possible. Without that, every time you request a file, Apache will check if that file resides in a directory that is somehow symlinked. If it is, it will block your request. But that requires an extra check for every file being accessed.

If someone on the site would request the file "/content/styles/v3/style.css", that would results in the following system calls:

stat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
lstat("/var/www/html/mysite.be/content", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles/v3″, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
open("/var/www/html/mysite.be/content/styles/v3/style.css", O_RDONLY|O_CLOEXEC) = 10

That's 4x an lstat() disk I/O to check if any of the directories between "/var/www/html" and "/var/www/html/mysite.be/content/styles/v3″ contain any symlinks.

The good configuration

Below is a better configuration. It does not check the symlinks if the owners match (-SymLinksIfOwnerMatch) and it does not limit the Apache server from following Symlinks (+FollowSymLinks).

<Directory "/var/www/html/mysite.be">
    Options -SymLinksIfOwnerMatch +FollowSymLinks
</Directory>

If I were to request a simple file "/content/styles/v3/style.css", it would result in the following system calls:

stat("/var/www/html/mysite.be/content/styles/v3/style.css", {st_mode=S_IFREG|0644, st_size=5, ...}) = 0
open("/var/www/html/mysite.be/content/styles/v3/style.css", O_RDONLY|O_CLOEXEC) = 10

That's a lot less disk I/O on a busy server.

Looking for help?

Tired of fixing all these tech-problems yourself? We've got an excellent team at Nucleus, a top-class Belgian hosting provider, that can help you. Discover our Managed Hosting, where skilled engineers manage your servers and keep them up-to-date, so you can focus on your core business. We use a variety of Configuration Management Systems such as Puppet to make sure every config is reviewed, unit-tested and guaranteed to be working.

Want to get in touch? Find me as @mattiasgeniar on Twitter or via the contact-page on my blog.

Tagged with: ,
Posted in linux, Webdevelopment
2 comments on “Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apache to save disk I/O
  1. Philip Paeps says:

    On modern operating systems, this shouldn’t affect disk i/o much or at all. The kernel will cache the result of the stat() and lstat() calls and return them immediately on subsequent calls. You might gain a slight reduction in context switches but on Linux with VDSO, that shouldn’t be measurable.

    Did you measure any reduction in i/o, or are you just looking at strace output and looking at system calls?

2 Pings/Trackbacks for "Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apache to save disk I/O"
  1. [...] # Defining Chaos In Order Tips, Tricks & Rants of a DevOps Skip to content HomeExperienceGuides – How To’sProjectsAboutContact Information ← RHEL 6/ CentOS 6: Slow SSH logins with DNS timeouts Add ‘Options FollowSymLinks’ and avoid ‘Options SymLinksIfOwnerMatch’ in Apa… [...]

  2. [...] check every path component for symlinks to ensure the owners match. But today I learned from this blog post that not using FollowSymLinks is just as expensive as using SymLinksIfOwnerMatch, because Apache [...]

Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>