Notes and links for apache webserver configuration and web-site design.
Main apache configuration is in apache.conf
, the activated modules are in the subdir ./mods-enabled
which holds links to ../mods-available
. For virtual hosts the same construction is used with the directories ./sites-enabled
and ../sites-available
.
Apache Config options:
The apache packages I use include a lot of files in the apache.conf. To keep the overview it may be wise to disable some of these includes (e.g. Include /etc/apache2/conf.d/) and put the directives in apache.conf itself.
- ErrorDocument 404 /error/404error.html
- If a page is not found (error 404 /error/404error.html is displayed and not the boring default
Apache Server security:
One way to secure your web server is to expose as little information as possible to the web. If hackers don’t know what you are running they don’t know which known vulnerabilities to explore.
- Apache.conf
ServerSignature Off
- Apache will not send any information about your server. Options below are only useful if this is not set.
- Apache.conf
ServerTokens Prod
- Minimize the information about apache
- Apache.conf
TraceEnable Off
- Clients can not use the TRACE method
- php.ini (/etc/php5/apache2/php.ini)
expose_php Off
- Do no put PHP information in the web server header
The traffic to and from your website can be encrypted by using X.509 certificates and the https secure webserverport (443)
Access to individual directories can be restricted using htpasswd. In the server directory definition put directives below. You can also put a .htacces file in directory to protect and leave out the <Directory> directives:
<Directory /var/www>
AuthType Basic
AuthName "Enter username and password"
AuthUserFile /etc/apache2/htpasswd
require valid-user
</Directory>
- htpasswd /etc/htpasswd <user>
- Add or change <user> in /etc/htpasswd. Use -c to create the file
Other security measures you can take is to restrict access to specific files in .htacces or your apache configuration.
# Protect .htaccess files
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Protect wp-config.php
<FilesMatch ^wp-config.php$>
deny from all
</FilesMatch>
Apache modules and add-ons
PHP-extentions:
To be able to call perl from php:
# cd /usr/lib;ln -s libperl.so.5.8 libperl.so
# pecl install perl
# vi /etc/php5/apach2/php.ini
add line extension=perl.so
Restart apache:
# /usr/sbin/apache2ctl -k graceful
Apache certificates
SSL certificates can be used to authenticate the owner of a web-site and to encrypt the traffic to the web-server
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# cp server.key server.key_org
# openssl rsa -in server.key_org -out server.key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Copy the server.key and the server.crt to the directory you let your VirtualHost point to (see below)
In the apache site cofiguration add following lines to your VirtualHost
<VirtualHost www.yourdomain.com:443>
SSLEngine on
SSLProxyEngine on
SSLProtocol all
SSLCipherSuite all
SSLCertificateFile /etc/apache2/cert/server.crt
SSLCertificateKeyFile /etc/apache2/cert/
server.key
</VirtualHost>
To redirect traffic from the standard http port (80) to the secure connection (port 443) also add
<VirtualHost www.yourdomain.com:80>
RedirectPermanent / https://www.yourdomain.com
</VirtualHost>
Restart apache:
# /usr/sbin/apache2ctl -k graceful
Iceweasel/Firefox configuration
I’m a debian user. We have a laptop running Ubuntu (which has debian a framework) to please the ‘it just has to work’ users at home without to much effort. For myself I like to stick to native-debian, including using the icy variants of the hot web-clients. Most times you read iceweasel below it should be firefox if you use that.
User configuration can be modified in ‘about:config‘ (stored in ${HOME}/.mozilla/firefox/<profile-dir>/prefs.js
)
System-wide configuration is in /usr/lib/iceweasel/defaults/pref/firefox.js
, which is maintained by the package, your own system-wide changes should be in /etc/iceweasel/pref/iceweasel.js
I added the parameter network.protocol-handler.app.mailto
as type string
with value /usr/bin/icedove
. Just to make sure the browser starts a new message in icedove when clicking a mailto:
-button.
Plone CMS
The content and the presentation of this site is managed by Plone, a python based Content Management System.
Upgrade from plone@etch to plone@lenny (plone 2.5.1 -> 3.1.3, zope 2.9 -> 2.10)
With the upgrade of the web-server to lenny (debian 5.0) plone3 ans zope2.10 are delivered. After struggling and searcing 2 days the upgrade eventually was very, very simple.
A number of zope and plone packages are installed, besides the basis, zope-plone3 is essential.
Lenny comes with python 2.5, zope2.10 requires python 2.4
# cd /usr/bin
# rm python
# ln -s python2.4 python
Create a default site.
# dzhandle --zope-version=2.10 --user=zope:zope make-instance --addon-mode=all --service-port=9083 plone3-site
As CMFPlone and CMFPlone:3.0 are both known Zope2.10 products the plone2 version is installed
# rm -r CMFPlone
# dzhandle -z2.10 add-product
plone3-site CMFPlone:3.0zhandle -z2.10 add-product plone3-site
CMFPlone:3.0
We use some none-default products which have to be installed manually.
# dzhandle --zope-version=2.10
--user=zope:zope add-product plone3-site CacheSetup CMFSquidTool
PageCacheManager PolicyHTTPCacheManager
dzhandle add-product: product
`CacheSetup' (1.2-1, tree-linked) in instance `plone3-site' (2.10) .
Keep it
dzhandle add-product: product
`CMFSquidTool' (1.2-1, tree-linked) in instance `plone3-site' (2.10)
. Keep it
dzhandle add-product: product
`PageCacheManager' (1.2-1, tree-linked) in instance `plone3-site'
(2.10) . Keep it
dzhandle add-product: product
`PolicyHTTPCacheManager' (1.2-1, tree-linked) in instance
`plone3-site' (2.10) . Keep it
dzhandle add-product: found product
`CMFPlone' installed from package `zope-cmfplone' in instance
`plone3-site' (2.10) while adding adding product from `zope-plone3'.
Keep it
COREBlog2.0 is not ported to lenny, the etch package zope-coreblog2 is version 0.8.1b-2 wich is not supported by plone3.
Download COREBlog2 0.982 (Beta
release) (Apr 13, 2007) from
http://plone.org/products/coreblog2/releases/0.982,
extract it into /usr/share/zope/Products/COREBlog2_plone3 and copied it into the instance
# tar -xzf COREBlog2_0982b.tgz
# cp -R COREBlog2
/usr/share/zope/Products/COREBlog2_plone3
# cd
/var/lib/zope2.10/instance/plone3-site/Products
# cp -R
/usr/share/zope/Products/COREBlog2_plone3 ./COREBlog2
# chown zope:zope COREBlog2
Stop the old zope2.9 site to make sure you copy Data.fs as it is.
# /etc/init.d/zope2.9 stop
# cd /var/lib/zope2.10/instance/plone3-site/var
# cp
/var/lib/zope2.9/instance/plone-site2/var/Data.fs .
# chown zope:zope Data.fs
The first time start the new instance in the foreground to see all possible errors.
# bin/zopectl fg
Go to the ZMI interface, find the sites you need to migrate. In the site goto portal_migration and upgrade. If you migrate multiple sites the second may fail. Stop/start the instance and try migration again.
Open issues
I want to change somethings in the presentation layout. This should be done in the ZMI interface under /portal_view_customizations
however, if I wnat to cahnge the portal.footer it presents me the search.pt template. Changes ae also stored in the search.pt other customazations can not be made in ‘zope.interface.Interface’
Website performance (untested yet)
&amp;lt;a href=”http://ad.doubleclick.net/jump/tmn.howtogeek/;tile=1;sz=728×90;ord=123456789?” target=”_blank” &amp;gt;&amp;lt;img src=”http://ad.doubleclick.net/ad/tmn.howtogeek/;tile=1;sz=728×90;ord=123456789?” border=”0″ alt=”” /&amp;gt;&amp;lt;/a&amp;gt;
Contents[hide] |
Overview
There’s a number of problem areas where we want to maximize performance:
- Linux configuration
There are usually services running that don’t need to be, wasting memory that could be used for more connections. - MySQL configuration
Often the default settings are based on a small server, we can add a few key changes to increase performance a great deal. - Apache configuration
By default most hosting providers install apache with nearly every module installed. There’s no reason to load modules if you aren’t ever going to use them. - PHP configuration
The default PHP configuration is similarly bloated, there are usually a ton of unnecessary extra modules installed. - PHP Opcode Cache
Instead of allowing PHP to recompile the scripts every single time, an opcode cache will cache the compiled scripts in memory for huge performance boosts. - Backups
Should probably setup some automated backups, since your hosting provider isn’t going to do it for you. - Security
Sure, Linux is secure enough by default, but there’s usually some glaring security issues that you can fix with a few quick settings.
Linux Configuration
There’s quite a number of tweaks you can do, which will vary slightly based on the server you are using. These tweaks are for a server running CentOS, but they should work for the majority of DV servers.
Disable DNS
If your hosting provider handles the DNS for your domain (likely), then you can disable the DNS service from running.
disable dns /etc/init.d/named stop chmod 644 /etc/init.d/named
The chmod command removes execute permission from the script, stopping it from running on startup.
Disable SpamAssassain
If you aren’t using email accounts on your server itself, you shouldn’t bother running anti-spam tools. (Also you should check out Google Apps, much better email solution)
/etc/init.d/psa-spamassassin stop chmod 644 /etc/init.d/psa-spamassassin
Disable xinetd
The xinetd process houses a number of other processes, none of which are useful for a typical web server.
/etc/init.d/xinetd stop chmod 644 /etc/init.d/xinetd
Limit Plesk Memory Usage
If you use the plesk panel, you can force it to use less memory by adding an options file.
vi /usr/local/psa/admin/conf/httpsd.custom.include
Add the following lines to the file:
MinSpareServers 1 MaxSpareServers 1 StartServers 1 MaxClients 5
Note that this option is known to work on MediaTemple DV servers, but has not been checked on any others. (See References)
Disable or Turn Off Plesk (optional)
If you only use Plesk once a year, there’s very little reason to leave it running at all. Note that this step is completely optional, and slightly more advanced.
Run the following command to turn off plesk:
/etc/init.d/psa stop
You can disable it from running at startup by running the following command:
chmod 644 /etc/init.d/psa
Note that if you disable it, then you can’t start it manually without changing the file permissions back (chmod u+x).
MySQL Configuration
Enable Query Cache
Open your /etc/my.cnf file and add the following lines in your [mysqld] section like this:
[mysqld] query-cache-type = 1 query-cache-size = 8M
You can add more memory to the query cache if you’d like, but don’t use too much.
Disable TCP/IP
A surprising number of hosts enable access to MySQL on TCP/IP by default, which makes no sense for a website. You can figure out if mysql is listening on TCP/IP by running the following command:
netstat -an | grep 3306
To disable, add the following line to your /etc/my.cnf file:
skip-networking
Apache Configuration
Open your httpd.conf file, often found in /etc/httpd/conf/httpd.conf
Find the line that looks like this:
Timeout 120
And change it to this:
Timeout 20
Now find the section that includes these lines, and adjust to something similar:
StartServers 2 MinSpareServers 2 MaxSpareServers 5 ServerLimit 100 MaxClients 100 MaxRequestsPerChild 4000
PHP Configuration
One of the things to keep in mind when tweaking a server on the PHP platform is that every single apache thread is going to load up PHP in a separate location in memory. This means if an unused module adds 256k of memory to PHP, across 40 apache threads you are wasting 10MB of memory.
Remove Unneeded PHP Modules
You’ll need to locate your php.ini file, which usually is found at /etc/php.ini (Note that on some distributions, there will be an /etc/php.d/ directory with a number of .ini files, one for each module.
Comment out any loadmodule lines with these modules:
- odbc
- snmp
- pdo
- odbc pdo
- mysqli
- ioncube-loader
- json
- imap
- ldap
- ncurses
Todo: Add more information here.
PHP Opcode Cache
There are a number of opcode caches that you can use, including APC, eAccelerator, and Xcache, the last one being my personal preference due to stability.
Download xcache and extract it into a directory, and then run the following commands from the xcache source directory:
phpize ./configure --enable-xcache make make install
Open your php.ini file and add a new section for xcache. You’ll need to adjust the paths if your php modules are loaded from somewhere else.
vi /etc/php.ini
Add the following section to the file:
[xcache-common] zend_extension = /usr/lib/php/modules/xcache.so [xcache.admin] xcache.admin.user = "myusername" xcache.admin.pass = "putanmd5hashhere" [xcache] ; Change xcache.size to tune the size of the opcode cache xcache.size = 16M xcache.shm_scheme = "mmap" xcache.count = 1 xcache.slots = 8K xcache.ttl = 0 xcache.gc_interval = 0 ; Change xcache.var_size to adjust the size of variable cache xcache.var_size = 1M xcache.var_count = 1 xcache.var_slots = 8K xcache.var_ttl = 0 xcache.var_maxttl = 0 xcache.var_gc_interval = 300 xcache.test = Off xcache.readonly_protection = On xcache.mmap_path = "/tmp/xcache" xcache.coredump_directory = "" xcache.cacher = On xcache.stat = On xcache.optimizer = Off
Todo: Need to expand this a bit and link to xcache in the references.
Backups
There’s very little more important than having automated backups of your website. You may be able to get snapshot backups from your hosting provider, which are also very useful, but I prefer to have automated backups as well.
Create Automated Backup Script
I usually start by creating a /backups directory, with a /backups/files directory beneath it. You can adjust these paths if you want.
mkdir -p /backups/files
Now create a backup.sh script inside the backups directory:
vi /backups/backup.sh
Add the following to the file, adjusting the paths and mysqldump password as necessary:
#!/bin/sh THEDATE=`date +%d%m%y%H%M` mysqldump -uadmin -pPASSWORD DATABASENAME > /backups/files/dbbackup$THEDATE.bak tar -cf /backups/files/sitebackup$THEDATE.tar /var/www/vhosts/my-website-path/httpdocs gzip /backups/files/sitebackup$THEDATE.tar find /backups/files/site* -mtime +5 -exec rm {} ; find /backups/files/db* -mtime +5 -exec rm {} ;
The script will first create a date variable so all the files will be named the same for a single backup, then dumps the database, tars up the web files and gzips them. The find commands are used to remove any files older than 5 days, since you don’t want your drive to run out of space.
Make the script executable by running the following command:
chmod u+x /backups/backup.sh
Next you’ll need to assign it to run automatically by cron. Make sure that you use an account that has access to the backups directory.
crontab -e
Add the following line to the crontab:
1 1 * * * /backups/backup.sh
You can test the script ahead of time by running it while logged on to the user account. (I usually run the backups as root)
Sync Backups Off-Site With Rsync
Now that you have automated backups of your server running, you can sync them somewhere else by using the rsync utility. You’ll want to read this article on how to setup ssh keys for automatic login: Add Public SSH Key to Remote Server in a Single Command
You can test this out by running this command on a linux or Mac machine at another location (I have a linux server at home, which is where I run this)
rsync -a user@website.com:/backups/files/* /offsitebackups/
This will take quite a while to run the first time, but at the end your local computer should have a copy of the files directory in the /offsitebackups/ directory. (Make sure to create that directory before running the script)
You can schedule this by adding it to a crontab line:
crontab -e
Add the following line, which will run rsync every hour at the 45 minute mark. You’ll notice that we use the full path to rsync here.
45 * * * * /usr/bin/rsync -a user@website.com:/backups/files/* /offsitebackups/
You could schedule it to run at a different time, or only once per day. That’s really up to you.
Note that there are a lot of utilities that will allow you to sync via ssh or ftp. You don’t have to use rsync.
Security
The first thing you want to do is make sure that you have a regular user account to use through ssh, and make sure that you can use su to switch to root. It’s a very bad idea to allow direct login for root over ssh.
Disable Root Login Over SSH
Edit the /etc/ssh/sshd_config file, and look for the following line:
#PermitRootLogin yes
Change that line to look like this:
PermitRootLogin no
Make certain that you have a regular user account and can su to root before you make this change, otherwise you might lock yourself out.
Disable SSH Version 1
There’s really no reason to use anything other than SSH version 2, as it’s more secure than previous versions. Edit the /etc/ssh/sshd_config file, and look for the following section:
#Protocol 2,1 Protocol 2
Make sure that you are only using Protocol 2 as shown.
Restart SSH Server
Now you’ll need to restart the SSH server to make this take effect.
/etc/init.d/sshd restart
Check for Open Ports
You can use the following command to see which ports the server is listening on:
netstat -an | grep LISTEN
You really shouldn’t have anything listening other than ports 22, 80, and possibly 8443 for plesk.
Setup a Firewall
Main Article: Using Iptables on Linux
You can optionally setup an iptables firewall to block more connections. For instance, I usually block access to any other ports other than from my work network. If you have a dynamic IP address you’ll want to avoid that option.
If you have already followed all of the steps in this guide so far, it’s probably not necessary to also add a firewall to the mix, but it’s good to understand your options.
Retrieved from “http://www.howtogeek.com/wiki/Tweaking_a_Dedicated_Virtual_Web_Server”