Serving The Planet

My Best Practices Ubuntu 14.04 LTS Server Configuration at TransIP VPS

Right … thus far things seem to work rather stably. Time for a little update on how exactly I solved the WordPress “Internal Server Error” issue on my own self-hosted blog, as I dare to write a blog post about it without the platform crashing. Long answer very short: I set up my own Linux webserver to bypass the RAM limits of IC hosting, as running a WordPress site with 90+ plugins requires a different strategy.

My Best Practices Server Configuration

This is *not* a step-by-step guide, but rather a Best Practices log for personal purposes, although other people might benefit from it too. It took me 3 weeks to compile and to get to the bottom of certain interesting issues.

WordPress

https://www.digitalocean.com/community/tutorials/how-to-configure-secure-updates-and-installations-in-wordpress-on-ubuntu

correct file permissions:

File System Tweaks

  • swap file tweak: vm.swappiness=10 in /etc/sysctl.conf
  • SSD tweaks: noatime in /etc/fstab
    tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0

Webmin installation

vi /etc/apt/sources.list
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
apt-get update
wget -q http://www.webmin.com/jcameron-key.asc -O-  | sudo apt-key add -
apt-get update
apt-get install webmin
service apache2 restart

Firewall configuration

Simple iptables script

apt-get install iptables-persistent

Create firewall configuration script

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -s $i --dport http -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -s $i --dport https -j ACCEPT; done
iptables -A INPUT -p tcp --dport http -j DROP
iptables -A INPUT -p tcp --dport https -j DROP
iptables -I INPUT 1 -p tcp --dport 22  -j ACCEPT
iptables -I INPUT 2  -p tcp --dport 10000 -j ACCEPT
iptables -P INPUT ACCEPT
iptables -A  INPUT -j DROP
invoke-rc.d iptables-persistent save

Additional notes:

  • Don’t bother to hack into port 22 or 10000. I obviously changed those to custom ports that I’m not going to disclose.
  • When you’re not using CloudFlare, you might want to add these:
    iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT
    iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT
  • Don’t forget to save your iptables rules, otherwise you will lose all settings at a server reboot.
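
A variant of the script above, as an added example that is not part of the original post: it reads the CloudFlare list once, validates every entry, and emits equivalent rules in iptables-restore format so they load in one step or not at all. The ports are the placeholder values from the post; the function names and the /tmp/rules.v4 path are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Equivalent rules to the script
# above, built as one iptables-restore file so a failed or garbled download
# of the CloudFlare list never leaves a half-applied firewall.

SSH_PORT=22        # placeholder port from the post
WEBMIN_PORT=10000  # placeholder port from the post

# True only for a.b.c.d/nn with octets 0-255 and prefix length 0-32.
valid_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if ($5 > 32) exit 1 }'
}

# Reads one CIDR per line on stdin, prints a complete ruleset on stdout.
# Returns 1 and prints no rules if any entry is invalid or the list is empty.
build_ruleset() {
    n=0
    rules=""
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        [ -z "$cidr" ] && continue
        valid_cidr4 "$cidr" || { echo "bad entry: $cidr" >&2; return 1; }
        rules="${rules}-A INPUT -p tcp -s $cidr -m multiport --dports 80,443 -j ACCEPT
"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "empty CloudFlare list" >&2; return 1; }
    printf '%s\n' "*filter" ":INPUT ACCEPT [0:0]" ":FORWARD ACCEPT [0:0]" \
        ":OUTPUT ACCEPT [0:0]" \
        "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT" \
        "-A INPUT -p tcp --dport $WEBMIN_PORT -j ACCEPT" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s' "$rules"
    printf '%s\n' "-A INPUT -j DROP" "COMMIT"
}

# Usage, as root (the /tmp path is an arbitrary choice):
#   curl -fsS https://www.cloudflare.com/ips-v4 | build_ruleset > /tmp/rules.v4 \
#     && iptables-restore --test /tmp/rules.v4 && iptables-restore /tmp/rules.v4
```

Like the original script, this covers IPv4 only; if the VPS has an IPv6 address, ip6tables needs equivalent rules or ports 80 and 443 stay reachable without passing through CloudFlare.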

Sources:

Double check:

iptables -L --line-numbers
iptables -S

References:

Enable Curl

Required by many Apps & WP Plugins

apt-get install php5-curl

EWWW image optimizer required apps:

apt-get install imagemagick php5-imagick
apt-get install libjpeg-progs
apt-get install graphicsmagick
apt-get install gifsicle
wget http://static.jonof.id.au/dl/kenutils/pngout-20150319-linux.tar.gz &&\
tar -xf pngout-20150319-linux.tar.gz &&\
rm pngout-20150319-linux.tar.gz &&\
cp pngout-20150319-linux/x86_64/pngout /bin/pngout &&\
rm -rf pngout-20150319-linux

also checkout: https://www.causingeffect.com/software/expressionengine/ce-lossless/user-guide/installation

Monitoring apps

apt-get install htop
apt-get install iotop

Install PHP cache

(might cause conflicts with W3 WP cache)

edit /etc/php5/apache2/php.ini

and change: “;opcache.enable=0” to “opcache.enable=1”

php5enmod opcache
service apache2 restart

Install PECL / Pear

Required for WordPress SSH FTP:

apt-get install php-pear
apt-get install php5-dev
apt-get install libcurl3-openssl-dev
apt-get install libpcre3-dev
apt-get install zlib1g-dev
apt-get install libcurl4-openssl-dev
apt-get install libevent-dev
pecl install pecl_http
vi /etc/php5/cli/php.ini

Mind you: not /etc/php5/apache2/php.ini … or do both when in doubt. I know phpinfo uses apache2, but for this to work properly it has to be /etc/php5/cli/php.ini at first.

add “extension=raphf.so”
add “extension=propro.so”
add “extension=http.so”

Restart Apache again so that php5 loads properly. Then add the same lines to /etc/php5/apache2/php.ini

edit:

  • “upload_max_filesize=2M” to 32M (php.ini shorthand for 32 MB) … affects other uploads
  • “post_max_size=8M” to 32M … affects WordPress XML uploads
  • “zlib.output_compression = off” to on
  • “zlib.output_compression_level = -1” to 9
  • upload_tmp_dir = /tmp

apt-get purge php5-apcu

Tune MySQLd

apt-get install mysqltuner

Troubleshooting commands

  • htop
  • top
  • iostat -mhx 2 # apt-get install sysstat
  • ltrace -p PID # trace library calls
  • strace -p PID # trace system calls
  • vmstat 2
  • tail /var/log/apache2/error.log # http://wiki.apache.org/httpd/ListOfErrors

mod_cloudflare for apache:

NTP: Synchronize system clock

apt-get install ntp ntpdate ntp-doc
sudo ntpdate pool.ntp.org
sudo service ntp start

Leap second bug: http://stackoverflow.com/questions/1282232/mysql-high-cpu-usage

Security Hardening Best Practices

Speed up static resources:

http://www.oxhow.com/host-images-wordpress-blog-subdomain-better-speed/

Troubleshooting Bibliography

PhpMyAdmin 404

Server load / Browser Socket issues

W3TC issues

And I might add to this article later …

About Earnie Rhyker

tech pioneer | intellectual BadAss | ethical lifehacker | WordPress Developer & Polyglot | information activist | blogger | added value services provider | multimedia enthusiast | senior linux server administrator | geek | bitcoin investor | laptop entrepreneur | open source contributor | hackintosh fanatic | charity donator | accredited top MLM networker & internet marketer 2014-2016 @ BFH | digital expat


Earn With Earnie

This site hasn't been updated since 2022. Visit my new blog -- EarnWithEarnie.com -- instead:
