How to do a 3-tier using PHP

I have a requirement from a client for my PHP Web application to be 3-tier. For exa开发者_如何学编程mple, I would have a web server on Apache in the DMZ, but it should NOT contain any DB connections. It should connect to a Middle server that would host the business objects but be behind the firewall. Then those objects connect to my SQL cluster on another server.

I have actually done this using .NET, but I am not sure how to setup my stack using PHP. I suppose I could have my UI front tier call the middle tier using REST based web services if I create my middle tier as a second web server, but this seems overly complex.

The main reason for this is advanced security: we can not have any passwords on the DMZ first tier web server. The second reason is scalability - to have multiple server on different tiers that can handle the requests. The Last reason is for deployment - it is easier if I can take one set of servers offline for testing before putting them back in production.

Is there a open source project that shows how to do this? The only example I can find is the web server hosting files from a shared drive on another machine (kind of how DotNetNuke pretends to be 3-tier), but that is NOT secure.

Note: I HAVe looked in SO for this answer, and I do see a lot of similar questions, but have not found anyone that actually answered. This is NOT about a Data Access Layer (although I will use it) - my primary question is the design between UI and the Middle Tier.

One option would be to use FastCGI.

On the first tier, simply have the front-end servers (Apache, Lighttpd, NginX, etc) connect to FastCGI servers on the second tier.

The other option would be to reverse-proxy from the first-tier to the second-tier. This is very similar to the first example except that the 2nd tier runs a web-server whereas with FastCGI it doesn't.

But the question you need to ask yourself is why. You can achieve the same thing with 2 tiers and simply having a separate network for each tier (so the DMZ'd servers would have 2 network cards, one for each network). The DB is still isolated from the world, but you don't have to worry about adding un-necessary complexity in the system... Remember, the more pieces you add, the more than can fail...