Archive for the ‘Apache’ Category

How to benchmark apache+php

Tuesday, August 3rd, 2010

This is to see whether your server is CPU-bound or RAM-bound.

We have to stress it and see which one of those components gets saturated first.

If that is the RAM, we can easily add more RAM. The amount of RAM to add depends on the share of the CPU that can still be used before the website becomes slow.

ab -n 300 -c 1 http://www.mywebsite.com/

These are the commands to run during the stress test:

  • uptime
  • free
  • ps -ylC httpd --sort:rss > number_of_apache_processes.txt
  • netstat -nt | grep :80 | wc -l

And obviously check how quick the website is.

Apache and mod_ssl - HTTPS

Sunday, March 22nd, 2009

To check whether SSL is already loaded by your Apache:
/usr/sbin/httpd -M
If it is not, install it. After installing it, you should see a file in /etc/httpd/conf.d and a corresponding LoadModule directive there or in the main Apache configuration file.
After you get the module to load, you can start doing the following.

Generating Keys:

cd /usr/local/apache/conf
mkdir ssl
cd ssl
openssl genrsa -out server.key 1024 [generates the private key]
[The public key can be extracted from the private key]

Generating a Certificate Signing Request

openssl req -new -key server.key -out server.csr
This is a formal request, so take care to fill in the fields correctly (read the instructions given carefully).

Signing your own certificate

You can get a certificate signed by a CA or you can sign it yourself (for testing and intranet purposes):
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Secure the ssl directory with permission 400!
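
The three steps above as one non-interactive script, with a check that the certificate really belongs to the key. This is an added example, not code from the original post: the function names, the temporary directory and the host name are hypothetical, and it uses a 2048-bit key instead of the 1024 bits shown above, with mode 400 on the key file and 700 on the directory.

```shell
#!/bin/sh
# make_selfsigned DIR CN: create DIR/server.key, server.csr and server.crt.
make_selfsigned() {
    dir=$1 cn=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # 2048-bit key (the post's command uses 1024); umask keeps it private from creation.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 ) 2>/dev/null || return 1
    # -subj answers the CSR prompts non-interactively; the CN is a placeholder.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 400 "$dir/server.key"
}

# cert_matches_key DIR: succeed only if the certificate carries the public
# half of the private key (compares the RSA moduli).
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key") || return 1
    c=$(openssl x509 -noout -modulus -in "$1/server.crt") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_mode DIR: print the permission string of the key file.
key_mode() { ls -l "$1/server.key" | cut -c1-10; }

# Demonstration in a throwaway directory (hypothetical host name).
DEMO_DIR=$(mktemp -d)/ssl
make_selfsigned "$DEMO_DIR" "intranet.example.test" \
    && cert_matches_key "$DEMO_DIR" \
    && echo "key and certificate match, key mode $(key_mode "$DEMO_DIR")"
```

The modulus comparison is also a quick way to diagnose a mod_ssl start-up failure caused by pairing a certificate with the wrong key.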

Configuring SSL

Now you can configure the file mod_ssl.conf in the conf.d directory, changing some default values and setting up the virtual hosts you are interested in.

Make sure users can’t access the pages with http rather than https!
You should be able to do so by:

  • removing preexisting Virtual Hosts directives on the port 80
  • using Rewriting rules
  • using the mod_ssl SSLRequire directive

From the book:
Apache Security, by Ivan Ristic, O’Reilly

Apache - Easy Benchmark

Tuesday, November 4th, 2008

ab -n 1000 -c 5 http://mydomain.com/bench.htm
makes 1000 separate requests for the same file with a concurrency (simultaneous requests) of 5

Apache - Create an Environment Variable to Use With PHP

Thursday, October 9th, 2008

Add this in your Apache configuration file:
SetEnv ENVIRONMENT "dev"

In this way, thanks to the SetEnv instruction, we have created an environment variable in Apache that can be used inside our PHP code.
In our PHP script we can access the variable this way:
$env = $_SERVER['ENVIRONMENT'];

Secure PHP & Apache Configuration

Saturday, May 10th, 2008

PHP

  • Disable error messages
  • expose_php Off

    Check you can’t get info by doing telnet localhost 80 and then issuing: HEAD / HTTP/1.0

  • session.use_only_cookies = 1
  • allow_url_fopen Off

    [if you don’t really need the opposite]

  • register_globals = Off
  • magic_quotes_gpc = ???

    This directive was introduced to improve security by preventing SQL injection, and it does. But it’s much better to turn it Off and take care of escaping characters yourself inside the PHP code, for two main reasons: it doesn’t use a native function for your database, and it adds a level of complexity (in fact, if any of your input data can contain quotes, you’d need to use the stripslashes function).

Apache

  • ServerTokens ProductOnly
  • ServerSignature Off

Check you can’t get info by doing telnet localhost 80 and then issuing: HEAD / HTTP/1.0

In a shared environment you could use these directives as well (for PHP):

  • disable_functions
  • enable_dl
  • memory_limit
  • max filesize in uploading
  • safemode ON
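
A configuration check for the PHP and Apache settings this post gives values for, added here as an example (not code from the original post). The sample php.ini and httpd.conf are constructed, the function names are hypothetical, and reading "Disable error messages" as display_errors = Off is an assumption.

```shell
#!/bin/sh
# Constructed sample files (not from a real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/php.ini" <<'EOF'
expose_php = On
display_errors = Off
session.use_only_cookies = 1
allow_url_fopen = On
;register_globals = Off
EOF
cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
ServerTokens OS
ServerSignature Off
EOF

# audit FILE SEP SPEC: SPEC is a list of key=value pairs. Prints one line per
# directive whose last uncommented setting differs, or "unset" when absent.
audit() {
    awk -v sep="$2" -v spec="$3" '
        function norm(v) {   # fold boolean spellings and the Prod alias
            v = tolower(v); gsub(/[ \t\r"]/, "", v)
            if (v == "1" || v == "true" || v == "yes") return "on"
            if (v == "0" || v == "false" || v == "no") return "off"
            return (v == "prod") ? "productonly" : v
        }
        BEGIN {
            n = split(spec, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], kv, "="); want[tolower(kv[1])] = norm(kv[2]) }
        }
        /^[ \t]*[;#]/ { next }   # skip php.ini and Apache comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            p = (sep == "=") ? index(line, "=") : match(line, /[ \t]/)
            if (p == 0) next
            k = tolower(substr(line, 1, p - 1)); gsub(/[ \t]/, "", k)
            if (k in want) seen[k] = norm(substr(line, p + 1))
        }
        END {
            for (k in want) {
                got = (k in seen) ? seen[k] : "unset"
                if (got != want[k]) print k ": found " got ", want " want[k]
            }
        }' "$1" | sort
}
audit_php() { audit "$1" "=" "display_errors=off expose_php=off session.use_only_cookies=on allow_url_fopen=off register_globals=off"; }
audit_apache() { audit "$1" " " "ServerTokens=productonly ServerSignature=off"; }

audit_php "$SAMPLE_DIR/php.ini"
audit_apache "$SAMPLE_DIR/httpd.conf"
```

A directive reported as unset falls back to the compiled-in default of the installed version, so it is worth setting explicitly.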

Auth: Protect A Site With Password

Thursday, November 29th, 2007

Add this in the Apache configuration file:

<Directory document_root_for_the_site >
AuthType Basic
AuthName "Restricted access area"
AuthUserFile path_to_passwords_file
Require user username1 username2
</Directory>

The Require user directive accepts a space-separated list of usernames.

Usually path_to_passwords_file is /etc/httpd/passwords
If you can’t find the file:
http://httpd.apache.org/docs/1.3/howto/auth.html

Launch this command:

htpasswd path_to_passwords_file username

Restart the server

Apache Virtual Host Setting

Wednesday, November 21st, 2007

Don’t forget to uncomment the line:

NameVirtualHost *:80

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Check that DirectoryIndex directive contains:

index.html index.htm index.php

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Typical setup for dev environment

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/dev/html
ServerName dev.example.com

<Directory /var/www/html/example.com/dev/html>
AllowOverride All
</Directory>

AddDefaultCharset UTF-8

php_flag display_errors on
php_flag display_startup_errors on
php_value error_reporting 2047
</VirtualHost>

The AllowOverride All directive allows you to use a .htaccess file.

Typical setup for staging environment

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/staging/html
ServerName staging.example.com

<Directory /var/www/html/example.com/staging/html>
AllowOverride All
</Directory>

AddDefaultCharset UTF-8

php_flag display_errors on
php_flag display_startup_errors on
php_value error_reporting 2047
</VirtualHost>

Typical setup for live environment

<VirtualHost *:80>
DocumentRoot /var/www/html/example.com/live/html
ServerName www.example.com

ServerAlias example.com

ServerAlias example2.com
<Directory /var/www/html/example.com/live/html>
AllowOverride All
</Directory>

AddDefaultCharset UTF-8

php_flag display_errors off
php_flag display_startup_errors off
php_value error_reporting 0
</VirtualHost>

The ServerAlias directive lets visitors reach the website even without www at the beginning of the URL.

Don’t forget to uncomment the line:

NameVirtualHost *:80

There must be just ONE ServerName directive, and as many ServerAlias directives as you need.

Apache Tips

Monday, October 1st, 2007

Checking the configuration file syntax before restarting the server:

apachectl -t

Htaccess File to Set register_globals Directive

Monday, June 25th, 2007

Some hosting providers set register_globals to On just for compatibility with old open source projects.
In this case, you should be able to override that just by putting this line in your .htaccess file:
php_flag register_globals off