Analysis and Review » Unix

Ubuntu 10 LAMP Optimization Guide

Kurt — Tue, 28 Feb 2012 20:52:31 +0000

Ubuntu 10 Linux / Apache2 / MySQL / PHP Guide is all about optimizing Apache, MYSQL and PHP to work faster together to serve up webpages created by the WordPress content management system.

The setting you use for any server depend heavily upon the amount of available RAM / CPU etc as well as the consumption of these resources by other application and or services running in your environment.

In general you want to modify several configuration files to obtain optimal performance. The files you need to modify are:

/etc/apache2/apache2.conf
/etc/mysql/my.cnf
/etc/php5/apache2/php.ini

Let’s start with apache2.conf

Apache2.conf is the main Apache server configuration file. It contains the configuration directives that give the server its instructions. See http://httpd.apache.org/docs/2.2/ for detailed information about the directives.

I want to focus on:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 1

These keep alive and timeout setting stop external request from eating up apache processes. The above setting will work for just about any setup.

Next let’s talk about the prefork module in apache2.conf, you want to start with

StartServers 4 MinSpareServers 4 MaxSpareServers 10 MaxClients 40 ServerLimit 30 MaxRequestsPerChild 2000

This tells apache how many workers to start with max amount of allowed connects. These numbers play a role in CPU and adjusting them and monitoring the changes overtime will help you optimize apache.

Now restart apache to load the new configuration.

/etc/init.d/apache2 restart

Now let’s move on to my.cnf

located in /etc/mysql/my.cnf this controls, among other things, the resource mysql will consume, most importantly RAM.

[mysqld] key_buffer = 512M sort_buffer_size = 8M read_buffer_size = 8M read_rnd_buffer_size = 8M myisam_sort_buffer_size = 40M query_cache_size = 64M skip-innodb table_cache = 128 max_allowed_packet = 6M thread_stack = 192K thread_cache_size = 8 query_cache_limit = 1M query_cache_size = 16M [mysqldump] quick quote-names max_allowed_packet = 16M [isamchk] key_buffer = 16M

The above is a good mysql optimization starting part. Only use skip-innodb if your using wordpress without innodb enabled, which is default for wordpress.

Now we move to PHP optimization.

You’re going to optimize the php.ini file located /etc/php5/apache2/php.ini

max_execution_time = 30 memory_limit = 64M mysql.cache_size = 2000 session.gc_maxlifetime = 1440 mysqli.cache_size = 2000

The above is a good starting point for optimization on a standard size ubuntu server with average resources for a small to medium size server. PHP isn’t to bad of a memory hog but if your pages are dynamic created with PHP you’ll see CPU spikes on page loads if your server isn’t configured optimally or your resources are just extended to far due to server load.

Some other points of interest.

Are you using any type of caching with WordPress (such as WP-SuperCache)? You may be able to squeeze a bit more performance out of your Ubuntu server by implementing some caching for the websites themselves.

If this does not handle the caching efficiently enough there are more advanced solutions available including using Memcached and Varnish. Memcached is used to cache SQL queries, and Varnish is used to cache dynamic content websites to allow you to serve the content faster.

Along with that you may want to consider scaling your services horizontally. This would be to separate your web server and your SQL server to separate hardware. This would allow your web server and SQL database to operate on different hardware, therefore they would not need to contend with each other for system resources.

Quick Tips for Webmasters, redirects, find, reload

Kurt — Tue, 11 Jan 2011 05:04:26 +0000

Reload Apache2
/etc/init.d/apache2 reload

a2ensite domainname.com

display query status on page –>

Redirects
Redirect 301 /somedomain /forwardtohere
Redirect 301 http://oldodmain.oldpage.html http://google.com
This one will 301 redirect the entire directory to a certain file (location) or homepage.
RedirectMatch 301 ^/community(.*) http://fantasyknuckleheads.com

mysql replace for wordpress multisite
UPDATE wp_9_posts SET post_content = REPLACE(post_content, ‘/wp-content/uploads/’, ‘/wp-content/blogs.dir/9/files/uploads/’);

Find files with ubuntu linux
find / -iname ‘*.ogg’
find / -name domfile.txt

grep -iR “Player not found into database” /var/www/html/wp-content/plugins/simple-tags/inc/

Mass Insert Data into a mySQL Table

Kurt — Fri, 13 Aug 2010 13:29:42 +0000

How to mass insert data into a table via mySQL.

INSERT INTO table_name_goes_here( group_id, parent_id, type, name) VALUES( '1', '2', 'option', 'Aaron Rodgers' ), ( '1', '2', 'option', ' )


Or just add one item
INSERT INTO NFL2010_ProjectedStats(`player`,`pos`,`team`,`p-yds`,`p-td`,`int`,`ru-yds`,`ru-td`,`rec`,`re-yds`,`re-td`,`bonus`)VALUES('Kareem Huggins','RB','TB','0','0','0','500','2','35','350','1','0')



How to capture packets with tcpdump and output to pcap for wireshark
Kurt — Wed, 28 Apr 2010 21:25:48 +0000
how to capture packets with tcpdump and output to pcap for wireshark
-s 0 tell tcpdump to get the entire packet

-w filename.pcap is going to be your output file name

not port 1024 tells tcpdummp to ignore port 1024

you can also say port 1024 to capture packets on that port with tcpdump
tcpdump -s 0 -w filename.pcap not port 1024 and not port 80
You can optionally capture the packets with your firewall 



How to use Sendmail with FreeBSD
Kurt — Wed, 28 Apr 2010 17:07:36 +0000
Using sendmail with freebsd is easy. Here we will cover

how to start and stop sendmail
how to send mail with sendmail
how to send mail from the terminal, cli, command prompt
how to make sendmail start at boot time

How to start and stop send mail:


/etc/rc.d/sendmail  stop
	/etc/rc.d/sendmail  start
	/etc/rc.d/sendmail restart


How to send mail with sendmail from the terminal aka cli or command prompt or root
mail someuser@somedomain.com
Subject: For Testing Only
This email is for testing the mail delivery system only.
* then press ctrl+D
How to make sendmail start at boot time:

edit /etc/rc.conf
add – sendmail_enable=”YES”




How to delete all but one file in linux directory
Kurt — Mon, 15 Mar 2010 21:23:06 +0000
ls *| grep -v FileName | xargs rm -rf
Using this command you can delete all files except the one listed.



Enable FTP FreeBSD and Allow Only Localhost
Kurt — Thu, 04 Feb 2010 03:35:43 +0000
Enable FTP on your FreeBSD server and allow only your localhost (local machine) access to the ftpd server.
The inetd server should be run at boot time by /etc/rc. It then listens for connections on certain internet sockets. When a connection is found on one of its sockets, it decides what service the socket corresponds to, and invokes a program to service the request. The server program is invoked with the service socket as its standard input, output and error descriptors. After the program is finished, inetd continues to listen on the socket.
To enable FTPD Open /etc/inetd.conf file and remove the hash from:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
Then restart inetd.conf
/etc/rc.d/inetd restart
or
/etc/rc.d/inetd onerestart
Or allow only 127.0.0.1 (localhost) to connect to your ftp server:
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -D -a 127.0.0.1



Best freeBSD Firewall for a Web Server, PF Configuration and Testing
Kurt — Tue, 02 Feb 2010 04:03:01 +0000
freeBSD 8 firewall for web server
You’ll see many articles discussing various firewalls for BSD. freeBSD comes with three firewalls but I’ll lay out what I believe is the best freebsd firewall for a web server, pf.
I need firewall that will help negate DDoS attacks, spoofing and fingerprinting. Allows port 80 and 443 as well as ssh and is simple to test and configure.
Well PF handles all that and comes built into the freeBSD kernel so it’s pretty easy and quick to set up and test.
do a ifconfig to figure out what your interface is named
#ifconfig
bigkill# ifconfig
 re0:  flags=8843 metric 0 IC>
        ether 00:2c:c1:f9:5s:d3
        inet 224.210.155.13 netmask 0xfffffff8 broadcast 224.210.155.253
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0
        inet 127.0.0.1 netmask 0xff000000

As you can see here the interface name is  re0
 so just replace re0 in the below configuration and apply it to /etc/pf.conf
 ### macro name for external interface.
ext_if = "re0"

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN  - Finish; end of session
### * S : SYN  - Synchronize; indicates request to start session
### * R : RST  - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK  - Acknowledgement
### * U : URG  - Urgent
### * E : ECE  - Explicit Congestion Notification Echo
### * W : CWR  - Congestion Window Reduced
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets. (initial sequence number) broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to handshake proxy between the client
### and our server, tcp syn flood attacts from ddos become uneffective because
### a spoofed client cannot complete a handshake.

### set a rule that allows inbound ssh traffic with synproxy handshaking. yes I changed the ssh port
pass in on $ext_if proto tcp from any to any port 1229 flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port 443 flags S/SA synproxy state
 
 If you want to allow any other port simple copy the last line and replace the port number.
 Now issue a reboot command to restart the system in 5 minutes to test your pf configuration.
 shutdown -r +5
 
 Okay not start PF and test it
 /etc/rc.d/pf onestart
 
 Now “test” the current configuration to see what you got
 pfctl -s all" ### list all the current rules that are in effect and shows current connections
 
 If you’re happy with your PF firewall configuration for freebsd 8 you’ll need to apply it at boot time by adding the following to your /etc/rc.conf
 pf_enable="YES"
pf_rules="/etc/pf.conf"
 



How to shutdown freebsd 8 and stop shutdown
Kurt — Tue, 02 Feb 2010 03:45:08 +0000
Shutdown freebsd now
shutdown -r now



Shutdown freeBSD at a scheduled time or within a set time. In the sample below we have shutdown taking place in 5 minutes. This is useful when you want to set a configuration and you’re worried about the system locking you out. Set the shutdown time for five minutes from now and if you get locked out you just have to wait for he reboot to take place.
shutdown -r +5

And if you want to stop the shutdown process from taking place simple issue a kill.
pkill shutdown




FreeBSD 8 LAMP Install for WordPress
Kurt — Mon, 01 Feb 2010 15:48:15 +0000
How to install FreeBSD 8 for WordPress. It’s a basic LAMP install but since we’re not using linux it should be called BAMP or maybe FAMP? Who cares.. here are the steps to install FreeBSD 8 with apache, mySQL, PHP then install wordpress.
I’ll be using ports of course for this entire install. I’m assuming that you have the proper hardware for this type installation.
Start with a minimal installation of freeBSD 8

Bypass the headache and host on vps or dedicated servers with pre-installed LAMP here.
Update the server ports – freebsd guide on ports
First update your port tree
portsnap fetch update *if this is the first time do a portsnap fetch extract
List available update
pkg_version -vIL=
Once you have updated your Ports Collection, before attempting a port upgrade, you should check /usr/ports/UPDATING. This file describes various issues and additional steps users may encounter and need to perform when updating a port, including such things as file format changes, changes in locations of configuration files, or other such incompatibilities with previous versions.
Upgrade your ports with
portupgrade -rR
Okay now that your freeBSD server ports are updates lets do Binary updates freebsd-update.
freebsd-update fetch
freebsd-update install
Then reboot
shutdown -r now
Verify update took place
uname -a
Rollback if necessary
freebsd-update rollback
Now lets install Apache, PHP, mysql and phpMyAdmin on your freeBSD 8 web server.
First install the latest apache from ports.
cd /usr/ports/www/apache22/
make config install clean
echo 'apache22_enable="YES"' << /etc/rc.conf
echo 'apache22ssl_enable="YES"' << /etc/rc.conf
echo 'accf_http_ready="YES"' << /etc/rc.conf && kldload accf_http
Now install PHP
cd /usr/ports/lang/php5
make config install clean
cd /usr/ports/lang/php5-extensions  ** enable mysql extensions **
make config install clean
Now modify your httpd.conf – Add the following entries to /usr/local/etc/apache22/httpd.conf directly after all the LoadModule lines
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
now locate IfModule mod_dir.c and add index.php
DirectoryIndex index.php index.html index.htm
Last but not least get a good php.ini file setup
cp /usr/local/etc/php.ini-recommended /usr/local/etc/php.ini
Restart apache and
/usr/local/etc/rc.d/apache22 start
Now its time for mySQL installation, configuration and setup
cd /usr/ports/databases/mysql50-server
make install WITH_OPENSSL=yes
make distclean
echo 'mysql_enable="YES"' << /etc/rc.conf
Start mysql server and change root password
/usr/local/etc/rc.d/mysql-server start
mysqladmin -u root password sumcrazypaswrd
mysql -u root -p    *make sure you can log in*
rm /root/.history  *remove history so password isn't exposed*
Create a configuration file for mysql in /etc/my.cnf
[client]
port=29912
[mysqld]
port=29912
bind-address=127.0.0.1
Now lets install configure and setup phpMyAdmin
cd /usr/ports/databases/phpmyadmin
make config install clean
cd /usr/local/www/phpMyAdmin && cp config.sample.inc.php
config.inc.php
vi config.inc.php
$cfg['blowfish_secret'] = 'sdf934sdfgHijh98Y';
open httpd.conf and Alias
Alias /phpmyadmin /usr/local/www/phpMyAdmin
Now allow who you want to access it
        
you’ll want https when you connect to phpmyadmin so lets enable https and make some httpd.conf changes
Create your certificate
In order to access phpmyadmin of ssl you need to get https going on apache. You can buy an SSL certificate generated by a trusted CA such as Thwate or Verisign, or you can generate one yourself using OpenSSL. I borrowed a ton of infor from freebsdmadeeasy.com
lets get the openssl.cnf file ready
vi /etc/ssl/openssl.cnf
dir = /root/sslCA
default_days = 3650
Now set up the directories
cd ~root/
mkdir sslCA
chmod 700 sslCA
chmod 700 sslCA
mkdir certs private newcerts
echo 1000 < serial
touch index.txt
cd ~root/sslCA
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf
The CA should now be all set.. test with more;
more ~root/sslCA/cacert.pem
more ~root/sslCA/private/cakey.pem
Now lets generate an SSL certificate for apache
cd ~root/sslCA
openssl req -new -nodes -out yourhostname-req.pem -keyout private/yourhostname-key.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl.cnf -out yourhostname-cert.pem -infiles yourhostname-req.pem
Lets put everything where it needs to be.
mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp ~root/sslCA/yourhostname-cert.pem /etc/ssl/crt
cp ~root/sslCA/private/yourhostname-key.pem /etc/ssl/key
And finally add the SSL virtual host
Find the below line in your httpd.conf and take the comment hash out.
# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf
Now modify your httpd-ssl.conf
ServerName ssl.yourhostname.com
SSLCertificateFile /etc/ssl/crt/yourhostname-cert.pem
SSLCertificateKeyFile /etc/ssl/key/yourhostname-key.pem
DocumentRoot "/etc/www/apache22/data"      ** whatever your location is**
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
In /usr/local/etc/apache22/extra/httpd-default.conf, disable ServerSignature to prevent the server from showing more information than it has to. Make sure the server-status and the server-info sections in /usr/local/etc/apache22/extra/httpd-info.conf are commented out.
Finally restart apache
/usr/local/etc/rc.d/apache22 restart
Now install wordpress
cd /usr/ports/wordpress
make install clean
do a locate wordpress and move file to web root
locate wordpress
cp /usr/local/www/data/wordpress/* /usr/local/whatever web root is
go into web root and copy wp-config-sample.php to wp-config.php
navigate to https://hostname/phpmyadmin and create wordpress db – add that name to wp-config.php