Quick Links

When you get a dedicated virtual server to run your website, chances are good that it's configured for everybody, and not customized to maximize performance for running a website.

Overview

There's a number of problem areas where we want to maximize performance:

  • Linux configurationThere are usually services running that don't need to be, wasting memory that could be used for more connections.
  • MySQL configurationOften the default settings are based on a small server, we can add a few key changes to increase performance a great deal.
  • Apache configurationBy default most hosting providers install apache with nearly every module installed. There's no reason to load modules if you aren't ever going to use them.
  • PHP configurationThe default PHP configuration is similarly bloated, there are usually a ton of unnecessary extra modules installed.
  • PHP Opcode CacheInstead of allowing PHP to recompile the scripts every single time, an opcode cache will cache the compiled scripts in memory for huge performance boosts.
  • BackupsShould probably setup some automated backups, since your hosting provider isn't going to do it for you.
  • SecuritySure, Linux is secure enough by default, but there's usually some glaring security issues that you can fix with a few quick settings.

Linux Configuration

There's quite a number of tweaks you can do, which will vary slightly based on the server you are using. These tweaks are for a server running CentOS, but they should work for the majority of DV servers.

Disable DNS

If your hosting provider handles the DNS for your domain (likely), then you can disable the DNS service from running.

disable dns

/etc/init.d/named stop

chmod 644 /etc/init.d/named

The chmod command removes execute permission from the script, stopping it from running on startup.

Disable SpamAssassain

If you aren't using email accounts on your server itself, you shouldn't bother running anti-spam tools. (Also you should check out Google Apps, much better email solution)

/etc/init.d/psa-spamassassin stop

chmod 644 /etc/init.d/psa-spamassassin

Disable xinetd

The xinetd process houses a number of other processes, none of which are useful for a typical web server.

/etc/init.d/xinetd stop

chmod 644 /etc/init.d/xinetd

Limit Plesk Memory Usage

If you use the plesk panel, you can force it to use less memory by adding an options file.

vi /usr/local/psa/admin/conf/httpsd.custom.include

Add the following lines to the file:

MinSpareServers 1 

MaxSpareServers 1

StartServers 1

MaxClients 5

Note that this option is known to work on MediaTemple DV servers, but has not been checked on any others. (See References)

Disable or Turn Off Plesk (optional)

If you only use Plesk once a year, there's very little reason to leave it running at all. Note that this step is completely optional, and slightly more advanced.

Run the following command to turn off plesk:

/etc/init.d/psa stop

You can disable it from running at startup by running the following command:

chmod 644 /etc/init.d/psa

Note that if you disable it, then you can't start it manually without changing the file permissions back (chmod u+x).

MySQL Configuration

Enable Query Cache

Open your /etc/my.cnf file and add the following lines in your [mysqld] section like this:

[mysqld]

query-cache-type = 1

query-cache-size = 8M

You can add more memory to the query cache if you'd like, but don't use too much.

Disable TCP/IP

A surprising number of hosts enable access to MySQL on TCP/IP by default, which makes no sense for a website. You can figure out if mysql is listening on TCP/IP by running the following command:

netstat -an | grep 3306

To disable, add the following line to your /etc/my.cnf file:

skip-networking

Apache Configuration

Open your httpd.conf file, often found in /etc/httpd/conf/httpd.conf

Find the line that looks like this:

Timeout 120

And change it to this:

Timeout 20

Now find the section that includes these lines, and adjust to something similar:

StartServers 2

MinSpareServers 2

MaxSpareServers 5

ServerLimit 100

MaxClients 100

MaxRequestsPerChild 4000

PHP Configuration

One of the things to keep in mind when tweaking a server on the PHP platform is that every single apache thread is going to load up PHP in a separate location in memory. This means if an unused module adds 256k of memory to PHP, across 40 apache threads you are wasting 10MB of memory.

Remove Unneeded PHP Modules

You'll need to locate your php.ini file, which usually is found at /etc/php.ini (Note that on some distributions, there will be an /etc/php.d/ directory with a number of .ini files, one for each module.

Comment out any loadmodule lines with these modules:

  • odbc
  • snmp
  • pdo
  • odbc pdo
  • mysqli
  • ioncube-loader
  • json
  • imap
  • ldap
  • ncurses

 

Todo: Add more information here.

PHP Opcode Cache

There are a number of opcode caches that you can use, including APC, eAccelerator, and Xcache, the last one being my personal preference due to stability.

Download xcache and extract it into a directory, and then run the following commands from the xcache source directory:

phpize 

./configure --enable-xcache

make

make install

Open your php.ini file and add a new section for xcache. You'll need to adjust the paths if your php modules are loaded from somewhere else.

vi /etc/php.ini

Add the following section to the file:

[xcache-common]

zend_extension = /usr/lib/php/modules/xcache.so

[xcache.admin]

xcache.admin.user = "myusername"

xcache.admin.pass = "putanmd5hashhere"

[xcache]

; Change xcache.size to tune the size of the opcode cache

xcache.size = 16M

xcache.shm_scheme = "mmap"

xcache.count = 1

xcache.slots = 8K

xcache.ttl = 0

xcache.gc_interval = 0

; Change xcache.var_size to adjust the size of variable cache

xcache.var_size = 1M

xcache.var_count = 1

xcache.var_slots = 8K

xcache.var_ttl = 0

xcache.var_maxttl = 0

xcache.var_gc_interval = 300

xcache.test = Off

xcache.readonly_protection = On

xcache.mmap_path = "/tmp/xcache"

xcache.coredump_directory = ""

xcache.cacher = On

xcache.stat = On

xcache.optimizer = Off

Todo: Need to expand this a bit and link to xcache in the references.

Backups

There's very little more important than having automated backups of your website. You may be able to get snapshot backups from your hosting provider, which are also very useful, but I prefer to have automated backups as well.

Create Automated Backup Script

I usually start by creating a /backups directory, with a /backups/files directory beneath it. You can adjust these paths if you want.

mkdir -p /backups/files

Now create a backup.sh script inside the backups directory:

vi /backups/backup.sh

Add the following to the file, adjusting the paths and mysqldump password as necessary:

#!/bin/sh

THEDATE=`date +%d%m%y%H%M`

mysqldump -uadmin -pPASSWORD DATABASENAME > /backups/files/dbbackup$THEDATE.bak

tar -cf /backups/files/sitebackup$THEDATE.tar /var/www/vhosts/my-website-path/httpdocs

gzip /backups/files/sitebackup$THEDATE.tar

find /backups/files/site* -mtime +5 -exec rm {} \;

find /backups/files/db* -mtime +5 -exec rm {} \;

The script will first create a date variable so all the files will be named the same for a single backup, then dumps the database, tars up the web files and gzips them. The find commands are used to remove any files older than 5 days, since you don't want your drive to run out of space.

Make the script executable by running the following command:

chmod u+x /backups/backup.sh

Next you'll need to assign it to run automatically by cron. Make sure that you use an account that has access to the backups directory.

crontab -e

Add the following line to the crontab:

1 1 * * * /backups/backup.sh

You can test the script ahead of time by running it while logged on to the user account. (I usually run the backups as root)

Sync Backups Off-Site With Rsync

Now that you have automated backups of your server running, you can sync them somewhere else by using the rsync utility. You'll want to read this article on how to setup ssh keys for automatic login:Add Public SSH Key to Remote Server in a Single Command

You can test this out by running this command on a linux or Mac machine at another location (I have a linux server at home, which is where I run this)

rsync -a user@website.com:/backups/files/* /offsitebackups/

This will take quite a while to run the first time, but at the end your local computer should have a copy of the files directory in the /offsitebackups/ directory. (Make sure to create that directory before running the script)

You can schedule this by adding it to a crontab line:

crontab -e

Add the following line, which will run rsync every hour at the 45 minute mark. You'll notice that we use the full path to rsync here.

45 * * * * /usr/bin/rsync -a user@website.com:/backups/files/* /offsitebackups/

You could schedule it to run at a different time, or only once per day. That's really up to you.

Note that there are a lot of utilities that will allow you to sync via ssh or ftp. You don't have to use rsync.

Security

The first thing you want to do is make sure that you have a regular user account to use through ssh, and make sure that you can use su to switch to root. It's a very bad idea to allow direct login for root over ssh.

Disable Root Login Over SSH

Edit the /etc/ssh/sshd_config file, and look for the following line:

#PermitRootLogin yes

Change that line to look like this:

PermitRootLogin no

Make certain that you have a regular user account and can su to root before you make this change, otherwise you might lock yourself out.

Disable SSH Version 1

There's really no reason to use anything other than SSH version 2, as it's more secure than previous versions. Edit the /etc/ssh/sshd_config file, and look for the following section:

#Protocol 2,1

Protocol 2

Make sure that you are only using Protocol 2 as shown.

Restart SSH Server

Now you'll need to restart the SSH server to make this take effect.

/etc/init.d/sshd restart

Check for Open Ports

You can use the following command to see which ports the server is listening on:

netstat -an | grep LISTEN

You really shouldn't have anything listening other than ports 22, 80, and possibly 8443 for plesk.

Setup a Firewall

Main Article: Using Iptables on Linux‎

You can optionally setup an iptables firewall to block more connections. For instance, I usually block access to any other ports other than from my work network. If you have a dynamic IP address you'll want to avoid that option.

If you have already followed all of the steps in this guide so far, it's probably not necessary to also add a firewall to the mix, but it's good to understand your options.

 

 

See Also

References