nndocs:lamp

Differences

This shows you the differences between two versions of the page.

nndocs:lamp [2015/07/12 01:54] – gotta turn on proxy_fcgi naptastic
nndocs:lamp [2024/09/17 13:51] (current) – [First, create the Universe...] We're on Debian 12 now, lol naptastic
Line 3: Line 3:
 In this guide, I'm just gonna do everything as root unless otherwise specified. In this guide, I'm just gonna do everything as root unless otherwise specified.
  
-Install Debian 7, following the [[nndocs:initial|Naptastic Initial]] guide. During the install process:+Install Debian, following the [[nndocs:initial|Naptastic Initial]] guide. During the install process:
  
   * De-select Graphical Desktop Environment and Laptop.   * De-select Graphical Desktop Environment and Laptop.
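Review bot: dropping the release number in "Install Debian" leaves the guide unpinned, while the commit message says Debian 12 and a later paragraph refers to Debian Buster. State the release the guide was last checked against so readers can tell whether the paths and package names below apply to them.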
Line 25: Line 25:
 ==== Tune Apache ==== ==== Tune Apache ====
  
-Find this section in /etc/apache2/apache2.conf:+Find this section in /etc/apache2/mods-available/mpm_event.conf:
  
   <IfModule mpm_event_module>   <IfModule mpm_event_module>
Line 40: Line 40:
  
   <IfModule mpm_event_module>   <IfModule mpm_event_module>
-      StartServers         16+      StartServers         2
       ServerLimit          16       ServerLimit          16
       MaxClients         1024       MaxClients         1024
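Review bot: the unchanged line `MaxClients 1024` directly under the edited `StartServers` still uses the Apache 2.2 directive name, while the status output added in this revision reports Apache/2.4.62, where the directive is `MaxRequestWorkers` and `MaxClients` is accepted only as a legacy alias. Since this block is being touched for the newer release anyway, rename it here and in the sentence that says it must equal ThreadsPerChild * ServerLimit.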
Line 52: Line 52:
 What we're doing here is tuning Apache to handle the largest possible number of simultaneous connections while consuming the least resources and producing the fewest errors. What we're doing here is tuning Apache to handle the largest possible number of simultaneous connections while consuming the least resources and producing the fewest errors.
  
-''ThreadLimit'' and ''ThreadsPerChild'' are set to 64. This is a good value, and also convenient because on the Apache scoreboard, each line is 64 clients wide, so it makes it easier to read.+''ThreadLimit'' and ''ThreadsPerChild'' are set to 64. This is a good value, and also convenient. On the Apache scoreboard, each line is 64 clients wide, so it makes it easier to read. 
 + 
 +  # apache2ctl status 
 +                 Apache Server Status for localhost (via 127.0.0.1) 
 +   
 +     Server Version: Apache/2.4.62 (Debian) SVN/1.14.2 OpenSSL/3.0.14 
 +            mod_perl/2.0.12 Perl/v5.36.0 
 +   
 +     Server MPM: event 
 +     Server Built: 2024-07-18T05:29:16 
 +       __________________________________________________________________ 
 +   
 +     Current Time: Saturday, 14-Sep-2024 20:17:57 MDT 
 +     Restart Time: Saturday, 14-Sep-2024 20:16:11 MDT 
 +     Parent Server Config. Generation: 1 
 +     Parent Server MPM Generation: 0 
 +     Server uptime: 1 minute 45 seconds 
 +     Server load: 0.24 0.16 0.06 
 +     Total accesses: 8 - Total Traffic: 85 kB - Total Duration: 816 
 +     CPU Usage: u.07 s.03 cu0 cs0 - .0952% CPU load 
 +     .0762 requests/sec - 828 B/second - 10.6 kB/request - 102 ms/request 
 +     1 requests currently being processed, 0 workers gracefully restarting, 
 +            63 idle workers 
 +   
 +  Slot PID  Stopping   Connections      Threads       Async connections 
 +                     total accepting busy graceful idle writing keep-alive closing 
 +  1    1343 no           yes          0        63                  0 
 +  Sum  1    0        0                  0        63                  0 
 +   
 +  ................................................................ 
 +  ______________W_________________________________________________ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +  ................................................................ 
 +   
 +     Scoreboard Key: 
 +     "_" Waiting for Connection, "S" Starting up, "R" Reading Request, 
 +     "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup, 
 +     "C" Closing connection, "L" Logging, "G" Gracefully finishing, 
 +     "I" Idle cleanup of worker, "." Open slot with no current process
  
 ''MaxClients'' needs to be equal to ''ThreadsPerChild'' * ''ServerLimit''. ''MaxClients'' needs to be equal to ''ThreadsPerChild'' * ''ServerLimit''.
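Review bot: the added `apache2ctl status` example is missing its prerequisites, since the command only produces this report when mod_status is enabled and a text-mode browser such as lynx is installed. Say so before the output, and mention that the status handler should stay restricted to local requests, as the "via 127.0.0.1" header implies, because the report exposes the exact Apache, OpenSSL and module versions along with per-worker state. The 16 rows of 64 slots match ServerLimit 16 and the 1024 total, which would be worth pointing out in the sentence about the scoreboard.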
Line 60: Line 110:
 == Timeout == == Timeout ==
  
-Then find the ''Timeout'' variable and change it to 15 instead of 300. This is how long Apache will wait for a new connection to send a request before giving up on it. Having it so long allows attackers to just saturate the server with new connections. Lowering it makes that kind of attack more difficult. (20 times more difficult, to be precise.) You could probably lower this to 10 or seconds, but... let'not get too crazyeh?+Then find the ''Timeout'' variable and change it to 15 instead of 300. This is how long Apache will wait for a new connection to send a request before giving up on it. Having it so long allows attackers to just saturate the server with new connections. Lowering it makes that kind of attack more difficult. (20 times more difficult, to be precise.) Having a very short timeout set increases the risk of errors for users on slow connections, or with slow applications. Users are not especially patient; I can imagine someone waiting 15 seconds for a website to respond, but not 300and if my connection or application is that slow, it probably should just fail.
  
 == KeepAlive == == KeepAlive ==
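Review bot: the new sentence about "slow applications" does not fit the definition kept earlier in the same paragraph, which still describes ''Timeout'' only as the wait for a new connection to send a request. The directive also bounds other I/O waits, including sending the response and waiting on a proxied backend, so reword the definition to cover both cases. If the goal is specifically to limit clients that send their request slowly, point to ''RequestReadTimeout'' from mod_reqtimeout as the narrower control.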
Line 70: Line 120:
   * ''apt-get -y install mysql-server mysql-client''   * ''apt-get -y install mysql-server mysql-client''
  
-As part of thisyou will create a MySQL root password. This doesn'have to be the same as the system root password. +Since Debian BusterI haven'needed a .my.cnfIf you need itthe format of ~/.my.cnf is as follows:
- +
-=== Create /root/.my.cnf === +
- +
-If you ever want to do anything from the command line you will either need this fileor a wig before you're doneThe format is as follows:+
  
   [client]   [client]
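Review bot: "Since Debian Buster, I haven't needed a .my.cnf" gives no reason, so a reader cannot tell whether it applies to their install; state what changed, for example how root authenticates to the database on this setup. The hunk also removes the sentence about choosing a MySQL root password without saying what replaces that step, and the unchanged install line above still names `mysql-server mysql-client`, so confirm those package names resolve on the Debian 12 release the commit message mentions.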
Line 80: Line 126:
   password="password"   password="password"
  
-You can create a .my.cnf file in any user's home directory so they can do mysql stuff from the shell without having to constantly supply their MySQL username and password. It should go without saying, but I'll say it anyway: don't give user accounts access to the MySQL root password. +You can create a .my.cnf file in any user's home directory so they can do mysql stuff from the shell without having to constantly supply their MySQL username and password.
-==== PHP ====+
  
-You'll need these: +  Don't give users the root password or grant them privileges on *.*. 
- +  * chmod 600 
-  * ''apt-get -y install libxml2-dev zlib1g-dev libbz2-dev libcurl4-openssl-dev libjpeg8-dev libpng12-dev libmcrypt-dev libaspell-dev libpspell-dev libtidy-dev libxslt1-dev'' +
- +
-Download and build PHP to include everything we'll need: +
- +
-  * ''cd'' +
-  * ''<nowiki>wget -O php-5.4.28.tar.bz2 http://www.php.net/get/php-5.4.28.tar.bz2/from/this/mirror</nowiki>'' +
-  * ''tar -xvf php-5.4.28.tar.bz2'' +
-  * ''cd php-5.4.28/'' +
-  * ''<nowiki>./configure --enable-fpm --prefix=/usr/local --enable-bcmath --enable-calendar --enable-ftp --enable-libxml --enable-mbstring --with-gd --with-jpeg-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --with-mcrypt --with-mysql --enable-pdo --enable-soap --enable-sockets --enable-wddx --enable-zip --with-bz2 --with-kerberos --with-pcre-regex --with-pdo-mysql=shared --with-pic --with-pspell --with-tidy --with-xmlrpc --with-xsl --with-zlib --with-curl</nowiki>'' +
-  * ''make'' +
-  * ''make install'' +
- +
-Install ''php.ini'': +
- +
-  * ''cp php.ini-production /usr/local/lib/php.ini'' +
- +
-Install the initscript: +
- +
-  * ''cp sapi/fpm/init.d.php-fpm /etc/init.d/php-fpm'' +
-  * ''chown root. !$'' +
-  * ''chmod 755 !$'' +
-  * ''update-rc.d php-fpm defaults'' +
- +
-Install the FPM-specific configuration files. +
- +
-  * ''mkdir -p /usr/local/etc/pools.d/'' +
- +
-Edit the file ''/usr/local/etc/php-fpm.conf'' and put this in it: +
- +
-  include=/usr/local/etc/pools.d/*.conf +
-  [global] +
-  pid = /usr/local/var/run/php-fpm.pid +
-  error_log = /var/log/php-fpm.log +
- +
-In ''/usr/local/etc/pools.d/'', you need to create a pool definition file for every user who will be using PHP scripts. I name them ''$username.conf''+
- +
-I'm debating whether it makes more sense to create a separate pool per-virtualhost instead of per-user. Whatever. Here's what you put in each pool definition file: +
- +
-  [david] +
-  user = david +
-  group = david +
-   +
-  listen = /var/run/david.sock +
-  listen.owner = www-data +
-  listen.group = www-data +
-  listen.mode = 0660 +
-   +
-  pm = dynamic +
-  pm.max_children = 24 +
-  pm.start_servers = 1 +
-  pm.min_spare_servers = 1 +
-  pm.max_spare_servers = 2 +
-  pm.max_requests = 32768 +
-  ;pm.status_path = /fpm-status +
- +
-Of course, change 'david' to whatever username you're using. +
- +
-==== PHP-APC === +
- +
-  ''<nowiki>wget http://pecl.php.net/get/APC-3.1.13.tgz</nowiki>'' +
-  ''tar -xvf APC-3.1.13.tgz'' +
-  * ''cd APC-3.1.13'' +
-  * ''phpize'' +
-  * ''./configure --enable-apc'' +
-  * ''make'' +
-  * ''make install'' +
- +
-Add this to the end of ''/usr/local/lib/php.ini'': +
- +
-  extension='apc.so' +
-  apc.enable=1 +
-  apc.shm_size=256m +
- +
-At this point, PHP-FPM is ready to start if you want. +
- +
-  * ''service php-fpm start'' +
- +
-==== LAMP stack done. ==== +
- +
-Time to create some sites. By Debian convention, virtualhost definition files go in /etc/apache2/sites-available. By Naptastic convention, the vhost definition file is named the same as the ServerName directive contained within. If you're running Apache 2.4 (not documented yet; sorry,) add .conf to the end of the filename. +
- +
-Here's the format for virtualhost files: +
- +
-  <VirtualHost *:80> +
-        ServerName blog.naptastic.com +
-        ServerAdmin naptastic@gmail.com +
-   +
-        DocumentRoot /var/www/blog.naptastic.com/ +
-        <Directory /> +
-                Options -FollowSymLinks -Indexes -MultiViews +
-                AllowOverride all +
-        </Directory> +
-        <Directory /var/www/blog.naptastic.com/> +
-                DirectoryIndex index.php +
-                Options -Indexes -FollowSymLinks -MultiViews +
-                AllowOverride all +
-        </Directory> +
-   +
-        ErrorLog ${APACHE_LOG_DIR}/error.log +
-        LogLevel warn +
-        CustomLog ${APACHE_LOG_DIR}/access-logs/blog.naptastic.com combined +
-   +
-    <IfModule mod_fastcgi.c> +
-        AddType application/x-httpd-php .php +
-        Action application/x-httpd-php /php.fcgi +
-        Alias /php.fcgi /dev/shm/david-php.fcgi +
-    </IfModule> +
-   +
-    ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/blog.naptastic.com/$1 +
-   +
-  </VirtualHost>+
  
-FIXME - This is specific to one site. Needs to be generalized. 
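Review bot: the added bullet `chmod 600` names no file; because the file holds a plaintext password, write it as `chmod 600 ~/.my.cnf` so the step is unambiguous. The same hunk deletes the PHP, PHP-APC and virtualhost sections, FIXME included, with nothing replacing them, so the LAMP guide now ends at MySQL and the proxy_fcgi setup named in the 2015 commit message is gone. Either add the replacement PHP and vhost steps or note in the page that they are pending.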
nndocs/lamp.1436666045.txt.gz · Last modified: 2015/07/12 01:54 by naptastic