nndocs:lamp

First, create the Universe...

In this guide, I'm just gonna do everything as root unless otherwise specified.

Install Debian, following the Naptastic Initial guide. During the install process:

  • De-select Graphical Desktop Environment and Laptop.
  • Select Web Server, SQL Database, and SSH server.

Apache

Apache is already installed by virtue of your having selected “Web Server” in the installer.

Change to a Threaded Multi-Process Module (MPM)

Change Apache to the Event MPM and install the development libraries

  • apt-get install apache2-mpm-event apache2-threaded-dev

Enable mod_proxy_fcgi

  • a2enmod proxy_fcgi (something like that anyway. Tab-complete is your friend.)

Tune Apache

Find this section in /etc/apache2/mods-available/mpm_event.conf:

<IfModule mpm_event_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

Change it to look like this:

<IfModule mpm_event_module>
    StartServers         2
    ServerLimit          16
    MaxClients         1024
    MinSpareThreads      32
    MaxSpareThreads      96 
    ThreadLimit          64
    ThreadsPerChild      64
    MaxRequestsPerChild   0
</IfModule>

What we're doing here is tuning Apache to handle the largest possible number of simultaneous connections while consuming the least resources and producing the fewest errors.

ThreadLimit and ThreadsPerChild are set to 64. This is a good value, and also convenient. On the Apache scoreboard, each line is 64 clients wide, so it makes it easier to read.

# apache2ctl status
               Apache Server Status for localhost (via 127.0.0.1)

   Server Version: Apache/2.4.62 (Debian) SVN/1.14.2 OpenSSL/3.0.14
          mod_perl/2.0.12 Perl/v5.36.0

   Server MPM: event
   Server Built: 2024-07-18T05:29:16
     __________________________________________________________________

   Current Time: Saturday, 14-Sep-2024 20:17:57 MDT
   Restart Time: Saturday, 14-Sep-2024 20:16:11 MDT
   Parent Server Config. Generation: 1
   Parent Server MPM Generation: 0
   Server uptime: 1 minute 45 seconds
   Server load: 0.24 0.16 0.06
   Total accesses: 8 - Total Traffic: 85 kB - Total Duration: 816
   CPU Usage: u.07 s.03 cu0 cs0 - .0952% CPU load
   .0762 requests/sec - 828 B/second - 10.6 kB/request - 102 ms/request
   1 requests currently being processed, 0 workers gracefully restarting,
          63 idle workers

Slot PID  Stopping   Connections      Threads       Async connections
                   total accepting busy graceful idle writing keep-alive closing
1    1343 no       0     yes       1    0        63   0       0          0
Sum  1    0        0               1    0        63   0       0          0

................................................................
______________W_________________________________________________
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................

   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process

MaxClients needs to be equal to ThreadsPerChild * ServerLimit.

MinSpareThreads and MaxSpareThreads should not be multiples of ThreadLimit. That leads to constant spawning and reaping of server processes, adding latency and wasting CPU time. If a server is very busy, or traffic is very spiky, these are the values you want to increase first.
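The sizing rules above can be checked mechanically before reloading Apache. This is an added example, not part of the original guide: the names check_mpm_event and tuned_sample are hypothetical, and the ThreadsPerChild-within-ThreadLimit check and the MaxRequestWorkers alias come from Apache 2.4 itself rather than from this page.

```sh
#!/bin/sh
# check_mpm_event [FILE]: print one line per broken rule; the exit status is
# the number of findings (0 = consistent). Reads stdin when FILE is omitted.
check_mpm_event() {
    awk '
    tolower($1) == "<ifmodule" && $2 == "mpm_event_module>" { inblk = 1; next }
    tolower($1) == "</ifmodule>"                            { inblk = 0 }
    # Directive names are case-insensitive; the last value seen wins.
    inblk && NF >= 2 && $1 !~ /^#/ { v[tolower($1)] = $2 + 0 }
    END {
        # Apache 2.4 names MaxClients "MaxRequestWorkers"; accept either.
        if ("maxrequestworkers" in v) v["maxclients"] = v["maxrequestworkers"]
        n = split("serverlimit threadlimit threadsperchild maxclients minsparethreads maxsparethreads", req, " ")
        for (i = 1; i <= n; i++)
            if (!(req[i] in v)) { print "MISSING " req[i]; bad++ }
        if (bad) exit bad
        tl = v["threadlimit"]; tpc = v["threadsperchild"]
        if (tl < 1) { print "ThreadLimit must be at least 1"; exit 1 }
        if (tpc > tl) { print "ThreadsPerChild " tpc " exceeds ThreadLimit " tl; bad++ }
        want = tpc * v["serverlimit"]
        if (v["maxclients"] != want) {
            print "MaxClients " v["maxclients"] " != ThreadsPerChild*ServerLimit = " want; bad++
        }
        if (v["minsparethreads"] % tl == 0) { print "MinSpareThreads is a multiple of ThreadLimit"; bad++ }
        if (v["maxsparethreads"] % tl == 0) { print "MaxSpareThreads is a multiple of ThreadLimit"; bad++ }
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample input: the tuned block from this page.
tuned_sample() {
    cat <<'EOF'
<IfModule mpm_event_module>
    StartServers         2
    ServerLimit          16
    MaxClients         1024
    MinSpareThreads      32
    MaxSpareThreads      96
    ThreadLimit          64
    ThreadsPerChild      64
    MaxRequestsPerChild   0
</IfModule>
EOF
}

tuned_sample | check_mpm_event && echo "mpm_event tuning is consistent"
```

On a live system, point it at the real file: check_mpm_event /etc/apache2/mods-available/mpm_event.conf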

Timeout

Then find the Timeout directive and change it to 15 instead of 300. This is how long Apache will wait for a new connection to send a request before giving up on it. Leaving it so long allows attackers to saturate the server with new connections. Lowering it makes that kind of attack more difficult. (20 times more difficult, to be precise.) Setting a very short timeout increases the risk of errors for users on slow connections, or with slow applications. Users are not especially patient; I can imagine someone waiting 15 seconds for a website to respond, but not 300, and if my connection or application is that slow, it probably should just fail.

KeepAlive

Make sure KeepAlive is turned on.

MySQL

  • apt-get -y install mysql-server mysql-client

Since Debian Buster, I haven't needed a .my.cnf. If you need it, the format of ~/.my.cnf is as follows:

[client]
user="root"
password="password"

You can create a .my.cnf file in any user's home directory so they can do mysql stuff from the shell without having to constantly supply their MySQL username and password.

  • Don't give users the root password or grant them privileges on *.*.
  • chmod 600 ~/.my.cnf, so that only its owner can read the stored password.
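
Both rules can be audited across every user's home directory. This is an added example, not part of the original guide: the function names audit_mycnf and make_sample_homes and the LOOSE_MODE / ROOT_LOGIN labels are hypothetical, and the sample home directories are constructed.

```sh
#!/bin/sh
# audit_mycnf DIR...: scan user home directories (e.g. /home) for .my.cnf
# files that break the two rules above. Prints "FINDING path" lines.
audit_mycnf() {
    find "$@" -maxdepth 2 -type f -name .my.cnf 2>/dev/null |
    while IFS= read -r f; do
        # Characters 5-10 of the ls mode string are the group/other bits;
        # after chmod 600 they are all "-".
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_MODE $f"
        fi
        # A root login stored in a user's file means that user holds the
        # MySQL root password.
        if grep -Eiq '^[[:space:]]*user[[:space:]]*=[[:space:]]*"?root"?[[:space:]]*$' "$f"; then
            echo "ROOT_LOGIN $f"
        fi
    done
}

# Constructed sample data: three fake home directories under a temp dir.
make_sample_homes() {
    d=$(mktemp -d) && mkdir "$d/alice" "$d/bob" "$d/carol" || return 1
    printf '[client]\nuser="alice"\npassword="x"\n' > "$d/alice/.my.cnf"
    printf '[client]\nuser="root"\npassword="x"\n'  > "$d/bob/.my.cnf"
    printf '[client]\nuser="carol"\npassword="x"\n' > "$d/carol/.my.cnf"
    chmod 644 "$d/alice/.my.cnf"
    chmod 600 "$d/bob/.my.cnf" "$d/carol/.my.cnf"
    echo "$d"
}

homes=$(make_sample_homes) && audit_mycnf "$homes"
[ -n "$homes" ] && rm -rf "$homes"
```

Run it as root against /home; root's own /root/.my.cnf legitimately holds the root login, so check only its mode.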
nndocs/lamp.txt · Last modified: 2024/09/17 13:51 by naptastic