Quick Links
When you get a dedicated virtual server to run your website, chances are good that it's configured for everybody, and not customized to maximize performance for running a website.
Contents[hide] |
Overview
There's a number of problem areas where we want to maximize performance:
- Linux configurationThere are usually services running that don't need to be, wasting memory that could be used for more connections.
- MySQL configurationOften the default settings are based on a small server, we can add a few key changes to increase performance a great deal.
- Apache configurationBy default most hosting providers install apache with nearly every module installed. There's no reason to load modules if you aren't ever going to use them.
- PHP configurationThe default PHP configuration is similarly bloated, there are usually a ton of unnecessary extra modules installed.
- PHP Opcode CacheInstead of allowing PHP to recompile the scripts every single time, an opcode cache will cache the compiled scripts in memory for huge performance boosts.
- BackupsShould probably setup some automated backups, since your hosting provider isn't going to do it for you.
- SecuritySure, Linux is secure enough by default, but there's usually some glaring security issues that you can fix with a few quick settings.
Linux Configuration
There's quite a number of tweaks you can do, which will vary slightly based on the server you are using. These tweaks are for a server running CentOS, but they should work for the majority of DV servers.
Disable DNS
If your hosting provider handles the DNS for your domain (likely), then you can disable the DNS service from running.
disable dns/etc/init.d/named stop
chmod 644 /etc/init.d/named
The chmod command removes execute permission from the script, stopping it from running on startup.
Disable SpamAssassain
If you aren't using email accounts on your server itself, you shouldn't bother running anti-spam tools. (Also you should check out Google Apps, much better email solution)
/etc/init.d/psa-spamassassin stopchmod 644 /etc/init.d/psa-spamassassin
Disable xinetd
The xinetd process houses a number of other processes, none of which are useful for a typical web server.
/etc/init.d/xinetd stopchmod 644 /etc/init.d/xinetd
Limit Plesk Memory Usage
If you use the plesk panel, you can force it to use less memory by adding an options file.
vi /usr/local/psa/admin/conf/httpsd.custom.include
Add the following lines to the file:
MinSpareServers 1MaxSpareServers 1
StartServers 1
MaxClients 5
Note that this option is known to work on MediaTemple DV servers, but has not been checked on any others. (See References)
Disable or Turn Off Plesk (optional)
If you only use Plesk once a year, there's very little reason to leave it running at all. Note that this step is completely optional, and slightly more advanced.
Run the following command to turn off plesk:
/etc/init.d/psa stop
You can disable it from running at startup by running the following command:
chmod 644 /etc/init.d/psa
Note that if you disable it, then you can't start it manually without changing the file permissions back (chmod u+x).
MySQL Configuration
Enable Query Cache
Open your /etc/my.cnf file and add the following lines in your [mysqld] section like this:
[mysqld]query-cache-type = 1
query-cache-size = 8M
You can add more memory to the query cache if you'd like, but don't use too much.
Disable TCP/IP
A surprising number of hosts enable access to MySQL on TCP/IP by default, which makes no sense for a website. You can figure out if mysql is listening on TCP/IP by running the following command:
netstat -an | grep 3306
To disable, add the following line to your /etc/my.cnf file:
skip-networking
Apache Configuration
Open your httpd.conf file, often found in /etc/httpd/conf/httpd.conf
Find the line that looks like this:
Timeout 120
And change it to this:
Timeout 20
Now find the section that includes these lines, and adjust to something similar:
StartServers 2MinSpareServers 2
MaxSpareServers 5
ServerLimit 100
MaxClients 100
MaxRequestsPerChild 4000
PHP Configuration
One of the things to keep in mind when tweaking a server on the PHP platform is that every single apache thread is going to load up PHP in a separate location in memory. This means if an unused module adds 256k of memory to PHP, across 40 apache threads you are wasting 10MB of memory.
Remove Unneeded PHP Modules
You'll need to locate your php.ini file, which usually is found at /etc/php.ini (Note that on some distributions, there will be an /etc/php.d/ directory with a number of .ini files, one for each module.
Comment out any loadmodule lines with these modules:
- odbc
- snmp
- pdo
- odbc pdo
- mysqli
- ioncube-loader
- json
- imap
- ldap
- ncurses
Todo: Add more information here.
PHP Opcode Cache
There are a number of opcode caches that you can use, including APC, eAccelerator, and Xcache, the last one being my personal preference due to stability.
Download xcache and extract it into a directory, and then run the following commands from the xcache source directory:
phpize./configure --enable-xcache
make
make install
Open your php.ini file and add a new section for xcache. You'll need to adjust the paths if your php modules are loaded from somewhere else.
vi /etc/php.ini
Add the following section to the file:
[xcache-common]zend_extension = /usr/lib/php/modules/xcache.so
[xcache.admin]
xcache.admin.user = "myusername"
xcache.admin.pass = "putanmd5hashhere"
[xcache]
; Change xcache.size to tune the size of the opcode cache
xcache.size = 16M
xcache.shm_scheme = "mmap"
xcache.count = 1
xcache.slots = 8K
xcache.ttl = 0
xcache.gc_interval = 0
; Change xcache.var_size to adjust the size of variable cache
xcache.var_size = 1M
xcache.var_count = 1
xcache.var_slots = 8K
xcache.var_ttl = 0
xcache.var_maxttl = 0
xcache.var_gc_interval = 300
xcache.test = Off
xcache.readonly_protection = On
xcache.mmap_path = "/tmp/xcache"
xcache.coredump_directory = ""
xcache.cacher = On
xcache.stat = On
xcache.optimizer = Off
Todo: Need to expand this a bit and link to xcache in the references.
Backups
There's very little more important than having automated backups of your website. You may be able to get snapshot backups from your hosting provider, which are also very useful, but I prefer to have automated backups as well.
Create Automated Backup Script
I usually start by creating a /backups directory, with a /backups/files directory beneath it. You can adjust these paths if you want.
mkdir -p /backups/files
Now create a backup.sh script inside the backups directory:
vi /backups/backup.sh
Add the following to the file, adjusting the paths and mysqldump password as necessary:
#!/bin/shTHEDATE=`date +%d%m%y%H%M`
mysqldump -uadmin -pPASSWORD DATABASENAME > /backups/files/dbbackup$THEDATE.bak
tar -cf /backups/files/sitebackup$THEDATE.tar /var/www/vhosts/my-website-path/httpdocs
gzip /backups/files/sitebackup$THEDATE.tar
find /backups/files/site* -mtime +5 -exec rm {} \;
find /backups/files/db* -mtime +5 -exec rm {} \;
The script will first create a date variable so all the files will be named the same for a single backup, then dumps the database, tars up the web files and gzips them. The find commands are used to remove any files older than 5 days, since you don't want your drive to run out of space.
Make the script executable by running the following command:
chmod u+x /backups/backup.sh
Next you'll need to assign it to run automatically by cron. Make sure that you use an account that has access to the backups directory.
crontab -e
Add the following line to the crontab:
1 1 * * * /backups/backup.sh
You can test the script ahead of time by running it while logged on to the user account. (I usually run the backups as root)
Sync Backups Off-Site With Rsync
Now that you have automated backups of your server running, you can sync them somewhere else by using the rsync utility. You'll want to read this article on how to setup ssh keys for automatic login:Add Public SSH Key to Remote Server in a Single Command
You can test this out by running this command on a linux or Mac machine at another location (I have a linux server at home, which is where I run this)
rsync -a user@website.com:/backups/files/* /offsitebackups/
This will take quite a while to run the first time, but at the end your local computer should have a copy of the files directory in the /offsitebackups/ directory. (Make sure to create that directory before running the script)
You can schedule this by adding it to a crontab line:
crontab -e
Add the following line, which will run rsync every hour at the 45 minute mark. You'll notice that we use the full path to rsync here.
45 * * * * /usr/bin/rsync -a user@website.com:/backups/files/* /offsitebackups/
You could schedule it to run at a different time, or only once per day. That's really up to you.
Note that there are a lot of utilities that will allow you to sync via ssh or ftp. You don't have to use rsync.
Security
The first thing you want to do is make sure that you have a regular user account to use through ssh, and make sure that you can use su to switch to root. It's a very bad idea to allow direct login for root over ssh.
Disable Root Login Over SSH
Edit the /etc/ssh/sshd_config file, and look for the following line:
#PermitRootLogin yes
Change that line to look like this:
PermitRootLogin no
Make certain that you have a regular user account and can su to root before you make this change, otherwise you might lock yourself out.
Disable SSH Version 1
There's really no reason to use anything other than SSH version 2, as it's more secure than previous versions. Edit the /etc/ssh/sshd_config file, and look for the following section:
#Protocol 2,1Protocol 2
Make sure that you are only using Protocol 2 as shown.
Restart SSH Server
Now you'll need to restart the SSH server to make this take effect.
/etc/init.d/sshd restart
Check for Open Ports
You can use the following command to see which ports the server is listening on:
netstat -an | grep LISTEN
You really shouldn't have anything listening other than ports 22, 80, and possibly 8443 for plesk.
Setup a Firewall
Main Article: Using Iptables on Linux
You can optionally setup an iptables firewall to block more connections. For instance, I usually block access to any other ports other than from my work network. If you have a dynamic IP address you'll want to avoid that option.
If you have already followed all of the steps in this guide so far, it's probably not necessary to also add a firewall to the mix, but it's good to understand your options.