在生产服务器上启用 XDebug 会使 PHP 变慢吗?
标题几乎说明了一切……这是一个坏主意吗?我希望 XDebug 在服务器上提供增强的调试消息。
[编辑] 只是为了把事情说清楚。我知道其中存在安全风险。也许我应该补充我的问题并给出更准确的理由为什么我想这样做。
我们的生产服务器还托管一个测试平台。有时我们用它在尽可能接近生产的环境中测试事物。我主要寻找的是使用 XDebug 的增强版 var_dump()。
这不是高流量应用程序的应用程序服务器,性能也不是那么大的问题。我只是好奇 XDebug 是否会显着影响性能。
此外,我想我只能为定义测试站点的 VirtualHost 启用它。
The title pretty much says it all...is it a bad idea ? I'd like to have the enhanced debug messages that XDebug provides on the server.
[edit]
Just to make things clear. I'm aware there are security risks involved. Perhaps I should complement my question and give more precise reasons why I would want to do this.
Our production server hosts a testing platform also. Sometimes we use it to test things on a environment as close to production as possible. The main thing I'm looking for is using XDebug's enhanced var_dump().
This is not an app server for high traffic apps and performance is not that big of an issue. I was just curious if performance would be noticeably impacted by XDebug.
Besides, I guess I could enable it only for the VirtualHost that defines the testing sites.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(12)
除了调试消息无法在已经投入生产的应用程序中显示这一显而易见的事实之外,而且我不知道您为什么会喜欢这样,还有一些非常糟糕的事情。
第一个是,当您向服务器添加调试行为时,调试引擎“附加”到 PHP 进程并接收引擎的消息以在断点处停止,这是不好的,因为会引入另一个进程的高性能打击停止或“保留”PHP 解析器。
另一个大问题是,当安装调试器时,至少大多数调试器,它们往往有在服务器中打开端口的讨厌习惯,因为它们不适用于生产环境,并且正如您可能知道的那样,任何打开端口的软件服务器中的端口为周围的任何黑客打开了大门。
如果您需要在代码中进行调试,那么在您的应用程序中实现一个调试系统(如果不可用),因为大多数框架都内置了此系统。设置一个配置值,例如 DEBUG_ENABLED,并在抛出异常时(如果未启用),重定向到一个小页面,或者重定向到一个带有调试信息的丑陋页面,但请注意在服务器中显示的调试信息。
我希望这能澄清一切。
编辑显然我的回复没有足够的记录,您应该检查这些来源
最后,有一件事我没有说,因为我认为这是隐含的:这是常识不做!您不会将调试工具放在生产服务器上,其原因与将它们保留在不同的环境中的原因相同,因为您需要将不必要的东西远离它。服务器上运行的任何进程,无论有多轻,都会影响您的性能。
Besides the obvious fact that debug messages cannot be displayed in a application that is already in production, and also the fact that I don't know why would you like that, there a couple of things really bad about it.
The first one is that when you add debugging behavior to your server, the debug engine "attaches" to the PHP process and receive messages of the engine to stop at breakpoints, and this is BAD, because introduces a high performance blow to have another process stopping or "retaining" the PHP parser.
Another big issue is that when a debugger is installed, at least most of them, they tend to have the nasty habit of opening ports in your server, because they are not intended for production environments, and as you may know, any software that opens ports in your server is opening a door for any hacker around.
If you need to have debugging in your code, then in your application, implement a debugging system, if is not available, since most frameworks have this built in. Set a configuration value, say DEBUG_ENABLED and when throwing exceptions, if is not enabled, redirect to a petty page, else to a ugly page with debugging information, but take good care of what debugging information you display in your server.
I hope this clarifies everything.
EDIT As apparently my response is not documented enough, you should check these sources
Finally, there is one thing I didn't said as I thought it was sort of implicit: It's common sense not do it! You don't put debugging instruments on your production server for the same reason that you keep them on a different environment, because you need to keep unnecessary stuff away from it. Any process running on a server, no matter how light it is, will impact your performance.
速度减慢 4 倍
我做了一些测试,只是启用模块,没有实际调试,使得我的开发机器上的请求从 1 秒减慢到大约 4 秒
Slow down by factor 4
I made some tests just enabling the module, without actually debugging, makes slows down a request on my development machine from 1 second to around 4 seconds
完全删除 xdebug(即使未启用它)使我们的页面加载速度提高了 50%(从 60 毫秒降至 30 毫秒)。我们让 xdebug 处于“休眠”状态(等待触发)。我们以为它处于休眠状态,不会造成任何伤害,但我们错了。
我们在 21:43 左右注释掉了 php 配置中的 zend_extension 行。每个核心的平均负载也从 0.4 下降到 0.2:
Removing xdebug completely (even when it was not enabled) gave us 50% in page load boost (down from 60ms to 30ms). We had xdebug sitting "dormant" (waiting for trigger). We thought that since it's dormant it won't cause any harm, but boy were we wrong.
We commented out the zend_extension line in the php config at around 21:43. Average load dropped from 0.4 to 0.2 per core as well:
你到底为什么想要这样的东西?在部署到生产之前进行调试。它会使应用程序变慢。
Why on earth do you want something like that? Debug before you deploy to production. It will make the app slower.
我知道这是一篇旧帖子,但由于 Xdebug 的问题在 10 年后仍然存在,我想指出相关的错误报告(以 WONTFIX NOTABUG 结尾): xdebug.org/view.php?id=1668" rel="nofollow noreferrer">https://bugs.xdebug.org/view.php?id=1668
Tl;dr:
只需安装 xdebug将会(在 linux @least 上)使网站上的所有 php 速度减慢,即使所有标志都设置为 OFF,点击率也会从 2 倍到 20 倍不等。 永远不要在生产环境中安装 xdebug。更好的是,研究侵入性较小的调试选项。
I know this is an old post, but since the issue with Xdebug is still there 10 years on, I'd like to point to the relevant bug report (closed as WONTFIX NOTABUG): https://bugs.xdebug.org/view.php?id=1668
Tl;dr:
Just installing xdebug will (on linux @least) slow all php on the site to a crawl, with hits anywhere from 2x to 20x, even if all flags are set to OFF. DO NOT INSTALL xdebug IN PRODUCTION - EVER. Better yet, investigate less intrusive debug options.
Xdebug 3
XDebug 3 现在允许选择禁用它以接近 0 开销:https://xdebug.org /docs/install#mode
您可以在生产中使用下面的配置来以接近 0 的开销安装 xdebug:
Xdebug 3
XDebug 3 now allows an option to disable it to get near 0 overhead: https://xdebug.org/docs/install#mode
You can use config below in production to have xdebug installed with close to 0 overhead:
你永远不应该将其保留在生产环境中。
您的应用程序永远不需要打印出“那些不错的调试消息”,因为它们对您的用户来说一点也不友好。它们是测试不佳的标志,并且会破坏用户的信任,尤其是在企业/电子商务环境中。
其次,您透露的技术信息越详细,您被黑客攻击的可能性就越大(特别是如果您已经透露您的代码实际上存在问题!)。生产服务器应该将错误记录到文件中,并且永远不要显示它们。
执行速度是您最不关心的,无论如何它都会受到影响,内存也会受到影响。
You should never keep that on production.
Your application shoud never need to print out "those nice debug messages", as they are not nice at all to your users. They are a sign of poor testing and they will kill user's trust, especially in a enterprise/ecommerce environment.
Second, the more detailed technical information you reveal, the more you are likely to get hacked (especially if you are already revealing that there ARE in fact problems with your code!). Production servers should log errors to files, and never display them.
Speed of execution is your least concern, anyway it will be impacted by it, as will memory.
Xdebug 用于向错误日志添加完整的堆栈跟踪,即 display_errors ini 值,当然应该关闭(即使在开发中我也不想这样)。除非您启用remote_attach ini 设置,否则它不允许远程连接到调试器。虽然速度较慢,但如果您遇到 PHP 神秘错误,例如最大内存分配或分段错误,这是您查看实际发生位置的唯一方法。
Xdebug is for adding full stack traces to error logs, that is the display_errors ini value, which of course should be Off (even in development I dont want this). It does not allow remote attachment to a debugger unless you enable the remote_attach ini setting. While it is slower, if you have a PHP mystery error like Max memory allocated or Segmentation fault, this is the only way you will see where it actually hapenned.
您始终可以使用完全相同的配置克隆实时服务器,只是它不会公开。
然后你可以在它上面安装 XDebug 并在几乎完全相同的条件下调试东西(嗯,现实生活和克隆之间的负载会有所不同,但其余部分将是相同的)。
在这种情况下,您可以在实时环境中进行调试,但真实的实时环境不会受到影响。
注意:显然它不适用于任何人。并非每个人都可以轻松克隆服务器。如果你使用AWS等云服务,那就很容易了。如果您使用 Ansible、Chef、Puppet 等服务器配置工具来构建服务器,这也是小菜一碟。
You could always clone your live server with the exactly same configuration, except that it wouldn't be public.
Then you can install XDebug on it and debug things with the almost exactly the same conditions (well, load will be different between real life and the clone, but the rest will be the same).
In that case you debug things on a live environment, but real live is not affected.
Note: Obviously it does not apply to anyone. Not everyone can easily clone a server. If you use cloud services like AWS etc. it would be very easy. If you use server configuration tools like Ansible, Chef, Puppet for building your server this is a piece of cake as well.
您永远不应该在生产服务器上显示调试错误消息。这对您的用户来说很丑陋,而且还存在安全风险。我相信它也会让它慢一点。
You should never display debug error messages on a production server. It's ugly for your users and also a security risk. I'm sure it will make it a little slower too.
如果您“做得正确”,您可以在生产中使用 XDebug。您可以在“休眠”模式下启用扩展,该模式仅通过通过特定主机名称的请求才能启用。请参阅此处的详细信息:
http://www.drupalonwindows。 com/en/content/remote-debugging-product-php-applications-xdebug
You can use XDebug in production if you "do it right". You can enable the extension in a "dormant" mode that is only brought to live through requests that go through a specific HOSTS name. Se details here:
http://www.drupalonwindows.com/en/content/remote-debugging-production-php-applications-xdebug
我使用这个 php 基准测试工具测试了性能影响。免责声明 我构建了该工具。
答案是 xdebug 模块显着减慢了代码执行速度:从 2 倍到 7 倍,具体取决于测试。这是我的结果:
I tested the performance impact using this php benchmark tool. Disclaimer I built the tool.
The answer is the xdebug module significantly slows down code execution: from 2x to 7x times depending on the test. Here are my results: