Base de Conhecimento

A complete webserver for hosting heavy traffic php based CMS websites like wordpress, drupal etc is also needed many components to be install and configure and they are:

Ubuntu 14.04 (Very popular Linux distribution)

Apache ( Webserver )

Mariadb-server ( drop in replacement of mysql server)

Fail2ban (intrusion detection prevention)

UFW ( firewall for ubuntu )

Lets start with setup :

1. Apache setup with php5-fpm

# apt-get update   #update local cache for available repository packages)
# apt-get install fail2ban vim curl gcc htop sysstat unzip wget ufw -y                  # install required packages
# apt-get install apache2-mpm-event -y        # install apache mpm support

Edit the ubuntu repository file and add few lines into it. Actually thease repository required in order to get the fast cgi module install for apache support.

# vim /etc/apt/sources.list
Add these line at the end of file and save file
deb http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty multiverse
deb http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ trusty-updates multiverse

# apt-get update
# apt-get install libapache2-mod-fastcgi -y
# apt-get install php5-fpm php5-mysql php5-gd php5-mcrypt php5-curl php5-memcached memcahced -y

Create a new php-5fpm.conf file where information to use fastcgi module with apache will be stored.

# vim /etc/apache2/conf-available/php5-fpm.conf

Add following lines into file and save exit.
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization -idle-timeout 300
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
Note: -idle-timeout 300 is added extra you can skip adding because its default value is 30s i have added so that if some script uses to execute in more time they can. Also note any script taking more time than default 30s to execute may be a performance bottleneck.
enable required apache module
# a2enmod actions fastcgi alias
# a2enconf php5-fpm
# a2enmod rewrite

# service apache2 restart

# service php5-fpm restart

Though we have installed the php5-curl but it needs to enable

# php5enmod curl

# service php5-fpm restart

To test the php installation create a phpinfo file in /var/www/html

# vim /var/www/html/info.php

add these lines

<?php phpinfo(); ?>

save and exit now access url in your browser

http://<ip address>/info.php

2. How to enable mod_rewrite ?

We have already enabled mod rewrite for apache but we need to configure this for our virtual website host config file.

#  vim /etc/apache2/sites-enabled/000-default.conf

Just bellow the document root

Save and exit restart apache service once

# service apache2 restart

3. Install Mariadb-server

# apt-get install mariadb-server

This will ask for setting root password of mysql.

complete.

4. Ufw config:

Ufw is the default firewall configuration utility we should set default to deny every request and then to allow ssh and httpd

Please note do the same order as suggested here else you will lost the ssh access

# ufw allow ssh

# ufw allow 80/tcp

# ufw enable   # it ask to y/n  give y

# ufw default deny incoming

# ufw default allow outgoing

Some more important ufw rules:-

Allow a port range

# ufw allow 1000:2000/tcp

Deleting a rule

# ufw delete allow 80/tcp # this will delete a rule which we created above to allow all port 80 request.

To show/display status and rules

# ufw status

5. Setup fail2ban to stop ddos on port 80 and 22

We have already installed fail2ban package above now we will configure that

# cd /etc/fail2ban

# cp jail.conf jal.local

# vim jail.local

edit this file

add your vps ip in the file to ignore itself

ignoreip = 127.0.0.1/8 <ip of server>

set the following in the following

bantime  = 3600
findtime = 3600
maxretry = 3

action = %(action_mwl)s

Find the sections [ssh-ddos] , [apache-noscript] ,  [apache-overflows]
and set enabled=true

We will create a rule for apache ddos

at the end of the file add bellow lines

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/*error.log
maxretry = 300
findtime = 300
bantime = 300
action = iptables[name=HTTP, port=http, protocol=tcp]

save the file

now create a new file

# vim /etc/fail2ban/filter.d/http-get-dos.conf

add these lines into and save and exit

[Definition]
failregex = ^<HOST> -.*”(GET|POST).*
ignoreregex =

now restart the service

# service fail2ban restart

6. php.ini edit

php.ini file also need to modify some parameters

# vim /etc/php5/fpm/php.ini

find and modify bellow lines

upload_max_filesize = 25M

post_max_size = 35M

max_execution_time = 90

memory_limit = 256M

save and exit

# service php5-fpm restart

7. Virtual websites hosting (multi website hosting)

To host multiple websites on this server now you should copy the config file in /etc/apache2/sites-enabled  directory and change the value of DocumentRoot , ServerName , <Directory /var/www/html>, ServerAlias(optional).

Let assume i have to host three websites (1)dsstech.in (2)dsstech.com (3) cp.dsstech.in

# cd /etc/apache2/sites-enabled

First modify the default file for my first domain

# vim 000-default.conf

add lines like

save the file. Now for second virtualhost website i will copy this file and edit values

# cp 000-default.conf  dsscom.conf

and the value will be like this

I will do the same thing for my next virtual website host and file named cpdss.conf and the values will be like this

Now save the files and check whether all your parameters are ok

# apachectl configtest

Syntax ok

Now restart apache in order to take effect

# service apache2 restart