Apache and SVN Configuration


Configuring Apache Server for highest performance

Posted on: March, 2012, 08:45 AM, By: Ghufran, under System Administration.

How to build an SVN server, step by step


Posted on: April, 2012, 10:25 AM, By: Ghufran, under System Administration.

There are many ways to configure svn; here are some short instructions to get a basic svn repository available over http.

1. Install the required packages:
apt-get install subversion apache2 libapache2-svn

2. Create a directory structure:
mkdir -p /var/svn/repos/

3. Create a Repository:
cd /var/svn/repos/
svnadmin create --fs-type fsfs <your-repository>

4. Now create your project structure to import into the repository:


mkdir -p /tmp/myproject/trunk /tmp/myproject/tags /tmp/myproject/branches

5. Import the project into the repository:


svn import /tmp/myproject file:///var/svn/repos/<your-repository> -m "initial import"

6. Make it accessible over http:


cd /etc/apache2/sites-available
touch subversion.conf
vim subversion.conf

7. Now put the following configuration in the empty file:

NameVirtualHost *:80
<VirtualHost *:80>
  <Location /svn>
    ErrorDocument 404 default
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath off
    Require valid-user
    AuthType Basic
    AuthName "subversion access"
    AuthUserFile /var/svn/.htpasswd
    AuthzSVNAccessFile /var/svn/authz
  </Location>
</VirtualHost>

Two things to keep in mind: Basic authentication sends the username and password in cleartext with every request, so on port 80 they are readable by anyone on the network path; for anything beyond a lab setup serve the same <Location> from an SSL virtual host. And the repository directory must be readable and writable by the user Apache runs as (www-data on Debian/Ubuntu), otherwise commits over http fail.

8. Enable the dav_svn module for Apache:

a2enmod dav_svn

and enable the virtual host configuration:

a2ensite subversion.conf

9. now restart the webserver:


/etc/init.d/apache2 restart

10. Create the htpasswd file (the -c flag creates the file and overwrites an existing one, so use it only for the first user):
htpasswd -c /var/svn/.htpasswd user

11. Create the access control file for the repository:


touch /var/svn/authz

12. Edit the empty authz file:


vim /var/svn/authz

13. Give the user read/write rights:


[your-repository:/]
user = rw

Let's try to check out the repo over http:

svn checkout http://your-server/svn/your-repository

Configuring SVN access for read-write/readonly users


Posted on: November, 2012, 06:32 AM, By: Alaa Alomari, under System Administration.

First you have to enable mod_dav_svn:
a2enmod dav_svn

As you know, access to your repository is defined in the <Location> section. Now, assuming that we have the following files:

# File name: /svn/svn_users.pw
user1:2flveHpYNuIfs
user2:28j5IKaE.v4xk
user3:ztsJGtHzptd.c
readonly_user:mIW2EWzC3t4eg

(These entries are traditional crypt(3) hashes, which only use the first 8 characters of the password; generate new entries with the strongest hash your htpasswd offers, for example htpasswd -B for bcrypt on Apache 2.4.)

and
# File name: /svn/authz.conf
[myrepo:/]
user1 = rw
user2 = rw
user3 = rw
readonly_user = r

To grant read-only access to everybody (anyone who can reach the server, authenticated or not) and write permission only to users listed in your svn_users.pw:

<Location /myrepo>
  DAV svn
  SVNPath /svn/repos/myrepo
  AuthType Basic
  AuthName "My Repository"
  AuthUserFile /svn/svn_users.pw
  Order deny,allow
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>

The methods listed in LimitExcept are the ones a Subversion client uses for read operations; every other method, which is what a commit needs, requires a valid user. Note that Order deny,allow is Apache 2.2 syntax; on 2.4 it needs mod_access_compat or a rewrite to the Require syntax.

To grant read/write access to all users listed in your svn_users.pw:

<Location /myrepo>
  DAV svn
  SVNPath /svn/repos/myrepo
  AuthType Basic
  AuthName "My Repository"
  AuthUserFile /svn/svn_users.pw
  Order deny,allow
  Require valid-user
</Location>

To grant read/write access to some of the users (let us say user1 and user3) listed in your svn_users.pw:

<Location /myrepo>
  DAV svn
  SVNPath /svn/repos/myrepo
  AuthType Basic
  AuthName "My Repository"
  AuthUserFile /svn/svn_users.pw
  Order deny,allow
  Require user user1 user3
</Location>

To grant read/write access to the users in svn_users.pw according to your configuration in authz.conf:

<Location /myrepo>
  DAV svn
  SVNPath /svn/repos/myrepo
  AuthzSVNAccessFile /svn/authz.conf
  Satisfy Any
  Require valid-user
  AuthType Basic
  AuthName "My subversion repositories"
  AuthUserFile /svn/svn_users.pw
</Location>

With Satisfy Any, mod_authz_svn first evaluates the request anonymously against the rules for * in authz.conf and only asks for credentials when those rules deny it; if every access should be authenticated, drop Satisfy Any.
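Before you reload Apache it is worth knowing what a given authz file actually grants, both for the single-rule file from the first tutorial ([your-repository:/] with user = rw) and for the authz.conf above. The following evaluator is an added example, not code from either post or from Subversion: it parses an authz file and reports the effective access of a user, or of an anonymous client, on any path. The sample file, the group names and the resolution order it assumes (longest matching path first; within a section a rule naming the user beats an @group rule, which beats $authenticated/$anonymous, which beats *; equal-tier rules combine restrictively) are this example's own assumptions, matching the precedence documented for Subversion 1.10 and later, so verify them against your server version.

```python
"""Evaluate effective Subversion authz permissions offline (added example)."""
import configparser

# Constructed sample in the shape of authz.conf above (assumed content).
SAMPLE_AUTHZ = """
[groups]
devs = user1, user2
ops = @devs, user3

[myrepo:/]
* = r
@ops = rw
readonly_user = r

[myrepo:/trunk/secrets]
* =
user1 = rw
"""

def parse_authz(text):
    """Return (groups, rules): groups maps name -> members; rules maps
    (repo, path) -> [(principal, access)], with repo == '' for global sections."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True, interpolation=None)
    cp.optionxform = str                       # principal names are case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            groups = {g: [m.strip() for m in (v or "").split(",") if m.strip()]
                      for g, v in cp.items(section)}
        elif section != "aliases":             # alias support omitted here
            repo, _, path = section.rpartition(":")
            rules[(repo, path.rstrip("/") or "/")] = [(p, (v or "").strip()) for p, v in cp.items(section)]
    return groups, rules

def members_of(group, groups, seen=None):
    """Expand a group recursively; `seen` breaks cycles such as a = @b, b = @a."""
    seen = seen if seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    out = set()
    for m in groups.get(group, []):
        out |= members_of(m[1:], groups, seen) if m.startswith("@") else {m}
    return out

def rule_tier(principal, user, groups):
    """Precedence tier (0 = most specific) if the rule applies to `user`, else None.
    `user` is None for an anonymous client; a leading '~' negates the match."""
    negate = principal.startswith("~")
    name = principal[1:] if negate else principal
    if name == "*":
        tier, applies = 3, True
    elif name in ("$authenticated", "$anonymous"):
        tier, applies = 2, (user is not None) == (name == "$authenticated")
    elif name.startswith("@"):
        tier, applies = 1, user is not None and user in members_of(name[1:], groups)
    else:
        tier, applies = 0, user == name
    return tier if applies != negate else None

def effective_access(groups, rules, repo, path, user):
    """Walk from `path` up to '/', consulting the repository-specific section before
    the global one at each level; the first level with an applicable rule decides.
    Returns '', 'r' or 'rw'."""
    parts = (path.rstrip("/") or "/").split("/")
    for depth in range(len(parts), 0, -1):
        level = "/".join(parts[:depth]) or "/"
        for scope in (repo, ""):
            best, access = None, set()
            for principal, value in rules.get((scope, level), []):
                tier = rule_tier(principal, user, groups)
                if tier is None:
                    continue
                if best is None or tier < best:
                    best, access = tier, set(value)
                elif tier == best:
                    access &= set(value)       # equal tier: most restrictive wins (assumption)
            if best is not None:
                return "".join(c for c in "rw" if c in access)
    return ""

def anonymous_readable(groups, rules, repo):
    """Sections of `repo` that anonymous clients can read: fine for public code,
    a leak for anything else, so check this before exposing the server."""
    return sorted(path for (scope, path) in rules
                  if scope in (repo, "") and effective_access(groups, rules, repo, path, None))

if __name__ == "__main__":
    groups, rules = parse_authz(SAMPLE_AUTHZ)
    for who in ("user1", "user2", "readonly_user", None):
        for p in ("/", "/trunk/secrets/key.pem"):
            print(who or "<anonymous>", p, repr(effective_access(groups, rules, "myrepo", p, who)))
    print("anonymous-readable:", anonymous_readable(groups, rules, "myrepo"))
```

Run it against your real authz file after replacing SAMPLE_AUTHZ with its contents; the anonymous_readable list is the one to read twice when the <Location> uses LimitExcept or Satisfy Any, because those let unauthenticated clients reach every path it names.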

How to configure the Apache server for the highest performance


Apache 2.x is a general-purpose webserver, designed to provide a balance of flexibility, portability, and performance. Apache 2.x contains many additional optimizations to increase throughput and scalability over its predecessor Apache 1.3. Most of these improvements are enabled by default, but there are some compile-time and run-time configuration options that matter at very high scale. In this article we list the options a server administrator can configure to tune the performance of an Apache 2.x installation. Some of these options let httpd take better advantage of the capabilities of the hardware and OS, while others let the administrator trade functionality for speed.

Hardware and Operating System:

RAM is the main factor affecting webserver performance, so set MaxClients (MaxRequestWorkers in Apache 2.4) such that the memory of all children together stays below physical RAM; once the server starts swapping to disk, latency rises sharply. Also bear in mind that if your operating system supports the sendfile system call (sendfile lets Apache 2 deliver static content faster and with lower CPU utilization), make sure you install the release and/or patches needed to enable it.

Run-Time Configuration:

Some settings that affect your webserver performance:

HostnameLookups: if set to On, it adds latency to every request because a DNS lookup must complete before the request is finished.

Allow from domain / Deny from domain: avoid directives that use a hostname or domain name rather than an IP address; each one forces a double reverse DNS lookup on the client address.

Options FollowSymLinks and SymLinksIfOwnerMatch: wherever you do not have Options FollowSymLinks, or do have Options SymLinksIfOwnerMatch, Apache must issue an extra lstat() system call on every path component to check for symlinks, and the result is never cached. FollowSymLinks without SymLinksIfOwnerMatch is therefore the fastest setting; the trade-off is that anyone who can create a symlink under the document root can then expose any file the server user can read, so sites hosting untrusted content usually accept the cost of the checks.

AllowOverride: when overrides are allowed, Apache tries to open .htaccess in every directory on the path; for /www/htdocs/index.html it tries /.htaccess, /www/.htaccess, and /www/htdocs/.htaccess. For highest performance use AllowOverride None everywhere in your filesystem.

KeepAlive: when keep-alive is On, children are kept busy doing nothing while waiting for more requests on an already open connection. The default KeepAliveTimeout of 15 seconds tries to minimize this effect. The trade-off is between network bandwidth and server resources; in no event should you raise it above about 60 seconds.

Compile-Time Configuration:

Some compile-time choices that affect your webserver performance:

Multi-Processing Modules (MPM): choosing the correct MPM affects the speed and scalability of your webserver.
The worker MPM uses multiple child processes with many threads each. Each thread handles one connection at a time. Worker is generally a good choice for high-traffic servers because it has a smaller memory footprint than the prefork MPM.
The prefork MPM uses multiple child processes with one thread each. Each process handles one connection at a time. On many systems, prefork is comparable in speed to worker, but it uses more memory. Prefork's threadless design has advantages over worker in some situations: it can be used with non-thread-safe third-party modules, and it is easier to debug on platforms with poor thread debugging support.

How do you know which MPM your server is using (worker or prefork)? Either of the following commands tells you:
1. apache2 -l : lists the compiled-in modules; look for prefork.c or worker.c in the list.
2. apache2 -V | grep MPM : -V prints the version and build parameters of apache2, including the MPM.

Modules: since memory usage is such an important consideration in performance, you should eliminate modules you are not actually using. If you built the modules as Dynamic Shared Objects (DSO), eliminating a module is simply a matter of commenting out its LoadModule directive.

mod_status and ExtendedStatus On: if you include mod_status and also set ExtendedStatus On, the webserver performs two extra system calls per request to get the time, so that the status report contains timing information. For highest performance, set ExtendedStatus Off. If you keep mod_status at all, restrict the /server-status location to administrative addresses: it reveals client IPs and the URLs being requested.

Caching: as of Apache HTTP Server 2.2, mod_cache and mod_file_cache are no longer marked experimental and are considered suitable for production use. These caching architectures provide a powerful means to accelerate HTTP handling, both as an origin webserver and as a proxy.

mod_cache and its provider modules mod_mem_cache and mod_disk_cache provide intelligent, HTTP-aware caching. The content itself is stored in the cache, and mod_cache aims to honour all of the HTTP headers and options that control the cacheability of content. It can handle both local and proxied content. mod_cache is aimed at both simple and complex caching configurations, where you are dealing with proxied content, dynamic local content, or need to speed up access to local files that change with time.

mod_file_cache, on the other hand, presents a more basic but sometimes useful form of caching. Rather than maintaining the complexity of actively ensuring the cacheability of URLs, mod_file_cache uses file-handle and memory-mapping tricks to keep a cache of files as they were when Apache was last started. As such, mod_file_cache is aimed at improving the access time to local static files which do not change very often.
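The notes above say to set MaxClients so the server never swaps but leave the arithmetic to the reader. The following script is an added example, not part of the original article: it parses the output of ps -eo rss,comm, averages the resident size of the httpd children, divides the memory you are willing to give Apache by that figure, and reads the MPM from the Server MPM line of apache2 -V. The ps and -V samples, the 4 GiB machine and the 1 GiB reserve are constructed values.

```python
"""Size MaxClients (MaxRequestWorkers in Apache 2.4) from measured child memory.

Added example. RSS counts shared pages once per process, so the average
overstates real per-child cost and the resulting MaxClients is conservative.
"""
import re

# Constructed sample of `ps -eo rss,comm` on a prefork server (KiB, assumed values).
PS_SAMPLE = """\
  RSS COMMAND
 5120 apache2
24576 apache2
26624 apache2
25600 apache2
 1200 sshd
"""

# Constructed fragment of `apache2 -V` output (assumed).
VERSION_SAMPLE = """\
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 12 2013 13:37:15
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
"""

def parse_ps_rss(ps_output, process_name="apache2"):
    """Return the RSS (KiB) of every process named `process_name`; the header line is skipped."""
    sizes = []
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 2 and fields[1] == process_name:
            sizes.append(int(fields[0]))
    return sizes

def recommend_max_clients(rss_kib, total_ram_kib, reserve_kib):
    """MaxClients = (RAM - reserve) / average child RSS, rounded down.

    `reserve_kib` is what the OS, the page cache and any co-hosted database need;
    set it too low and a traffic spike pushes the box into swap, which is the
    latency cliff the tuning notes warn about."""
    if not rss_kib:
        raise ValueError("no worker processes found; check the process name")
    usable = total_ram_kib - reserve_kib
    if usable <= 0:
        raise ValueError("reserve is larger than total RAM")
    return int(usable // (sum(rss_kib) / len(rss_kib)))

def detect_mpm(version_output):
    """Return the MPM name from the 'Server MPM:' line of `apache2 -V`, or None."""
    m = re.search(r"^Server MPM:\s*(\S+)", version_output, re.MULTILINE)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    rss = parse_ps_rss(PS_SAMPLE)
    print("MPM:", detect_mpm(VERSION_SAMPLE))
    print("children measured:", len(rss), "average RSS KiB:", sum(rss) // len(rss))
    # 4 GiB box, 1 GiB kept for the OS and page cache (assumed figures).
    print("MaxClients:", recommend_max_clients(rss, 4 * 1024 * 1024, 1024 * 1024))
```

For the worker MPM the same division gives the number of processes, not connections; multiply by ThreadsPerChild to get MaxClients there. Measure the children under real load, since an idle child is much smaller than one that has served a few hundred dynamic requests.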

Linux 32 bit Vs. 64 bit


Posted on: April, 2012, 07:57 PM, By: Ghufran, under System Administration.

One of the most frequently asked questions from people who own a 64-bit CPU (such as an AMD64 or an Intel EM64T) is whether to install a 32-bit or a 64-bit Linux distribution. The main features you have to think about when you install your distro are:

Speed: nobody has proved that one is faster than the other across the board. Frankly speaking, most "64-bit" versions of software are just recompiled versions of the 32-bit code, with no optimization that would take advantage of the new features these chips offer and perhaps boost performance.

Compatibility: on 64-bit hardware with the x86-64 architecture (AMD64), most 32-bit operating systems and applications run without compatibility issues. While the larger address space of 64-bit architectures makes working with large data sets easier in applications such as digital video, scientific computing, and large databases, there has been considerable debate on whether they, or their 32-bit compatibility modes, are faster than comparably priced 32-bit systems for other tasks.

Memory: x86-64 supports vastly larger virtual and physical address spaces than x86, allowing programmers to work conveniently with much larger data sets. x86-64 also provides 64-bit general-purpose registers and numerous other enhancements. A 32-bit operating system can address up to 4 GB directly; beyond that, Physical Address Extension (PAE) lets the kernel use up to 64 GB of physical memory. With PAE, memory above 4 GB is simply added to the general page pool: the system makes no distinction between memory above and below 4 GB, and no facility (a sliding window or otherwise) is provided for a single process or the kernel to address more memory than it otherwise could.

How do you know which one your distro is? Linux users should run the uname command; note that it reports the architecture of the running kernel. Depending on the platform, you may see:

[admin@widwebway ~]$ uname -a
Linux widwebway.com 2.6.38-11-server #50-Ubuntu SMP Mon Sep 12 21:34:27 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
[admin@widwebway ~]$ uname -a
Linux widwebway.com 2.6.38-11-server #50-Ubuntu SMP Mon Sep 12 21:34:27 UTC 2011 ia64 ia64 ia64 GNU/Linux
[admin@widwebway ~]$ uname -a
Linux widwebway.com 2.6.38-11-server #50-Ubuntu SMP Mon Sep 12 21:34:27 UTC 2011 i686 i686 i386 GNU/Linux

In the above listing, x86_64 GNU/Linux and ia64 GNU/Linux are 64-bit platforms (ia64 is Intel Itanium, a different architecture from x86-64). i686/i386 GNU/Linux is a 32-bit platform.

Best security practices for OpenSSH


Posted on: April, 2012, 07:58 PM, By: Ghufran, under System Administration.

OpenSSH is the most widely used implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH keeps the confidentiality and integrity of data exchanged between two systems or networks, and its main advantage is server authentication through public key cryptography. Here are a few things you need to tweak in order to improve OpenSSH server security:

1. Default config files and SSH port:
/etc/ssh/sshd_config: OpenSSH server configuration file.
/etc/ssh/ssh_config: OpenSSH client configuration file.
~/.ssh/: the user's ssh configuration directory.
~/.ssh/authorized_keys: lists the public keys that can be used to log into the user's account (RSA or DSA at the time of writing; DSA has been disabled by default since OpenSSH 7.0, so use RSA or Ed25519 keys today).
/etc/nologin: if this file exists, sshd refuses to let anyone except root log in.
/etc/hosts.allow and /etc/hosts.deny: the access control lists enforced by tcp-wrappers are defined here.
SSH default port: TCP 22.

2. Disable the OpenSSH server: if a machine does not need remote login at all, simply remove the server by running apt-get remove openssh-server.

3. Only use SSH protocol 2: SSH protocol version 1 (SSH-1) is open to man-in-the-middle attacks and has other security vulnerabilities. SSH-1 is obsolete and should be avoided at all cost. Open sshd_config and make sure the line Protocol 2 exists. (OpenSSH 7.4 and later no longer ship SSH-1 server support at all.)

4. Limit users' SSH access: by default every system user can log in via SSH using a password or public key. Sometimes you create a UNIX/Linux user account only for ftp or email purposes, yet that user can still log in to the system via ssh. To allow only wadmin and root to use the system via SSH, add the following to sshd_config (the shorter the list the better; given step 8 and the DenyUsers advice below, root should really not be in it at all):
AllowUsers root wadmin

You can also allow all users to log in via SSH but deny just a few, with the following line:
DenyUsers ftpuser1 emailuser1 ftpuser2

And as you can allow and deny access for users, you can do the same for groups:
AllowGroups group1 group2
DenyGroups group3 group4

For best security you should always block access for the root user and group by adding the following lines to /etc/ssh/sshd_config. sshd evaluates DenyUsers before AllowUsers, so these override a root entry in an AllowUsers line, and unlike most keywords the Allow/Deny lists accumulate across lines, so appending them at the end of the file is safe:
DenyUsers root
DenyGroups root

Save the file and restart sshd.

5. Configure a client-alive timeout, to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0

This makes sshd send a keepalive probe after 300 seconds (5 minutes) without traffic and, with a count of 0, drop the session as soon as a probe goes unanswered. Two caveats: these are transport-level liveness checks, so a client that answers the probes stays connected however long the user is idle (use the shell's TMOUT variable for a real idle logout), and on OpenSSH 8.2 and later ClientAliveCountMax 0 disables disconnection altogether, so set it to a small positive number there.

6. Disable .rhosts files: don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:
IgnoreRhosts yes

SSH can emulate the behaviour of the obsolete rsh command; this setting disables that insecure rsh-style access.

7. Disable host-based authentication (HBA): HBA grants access based on the identity of the host originating the request instead of the identity of the user making it. Many network applications still use host-based authentication to decide whether access is allowed. Under certain circumstances it is fairly easy to masquerade as the legitimate host, especially when the impersonating host sits on the same network segment as the host being impersonated. To disable it, add the following line to sshd_config:
HostbasedAuthentication no

8. Disable root login via SSH: there is no need to log in as root over the network. Normal users can use su or sudo (recommended) to gain root-level access; that way you also get a full audit trail, via sudo, of who ran privileged commands on the system. To disable root login via SSH, set the following in sshd_config. Edit the existing PermitRootLogin line rather than appending a second one: sshd uses the first value it finds for a keyword, so a later duplicate is silently ignored.
PermitRootLogin no

9. Firewall SSH port 22: restrict the ssh port in your iptables or pf firewall configuration. Usually the OpenSSH server should accept connections only from your LAN or from specific remote sites.

10. Change the SSH port and limit IP binding: by default SSH listens on all interfaces and IP addresses of the system. Limit the addresses sshd binds to and change the port (most brute-forcing scripts only try port 22, so this cuts log noise; it is obscurity, though, not a substitute for the controls above). To bind to 192.168.1.5 and 202.54.1.5 on port 300, add or correct the following lines:
Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

11. Use public-key based authentication: use a public/private key pair with a passphrase protecting the private key. Never use a passphrase-less key for interactive logins. Once keys are in place for every account that needs SSH, turn off password logins in sshd_config (PasswordAuthentication no) so that password guessing stops working altogether.

12. Use TCP wrappers: TCP Wrapper is a host-based network ACL system used to filter network access to services. OpenSSH supported TCP wrappers up to release 6.6 (support was removed in 6.7, so on current systems use the firewall or sshd's own Match blocks instead). To allow SSH only from 192.168.1.2 and 172.16.23.12, add the following to /etc/hosts.allow, and put sshd : ALL in /etc/hosts.deny, because hosts.allow on its own denies nobody:
sshd : 192.168.1.2 172.16.23.12

13. Disable empty passwords: explicitly disallow remote login from accounts with empty passwords by setting the following in sshd_config:
PermitEmptyPasswords no
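Several of the steps above say "add the following line", and on a stock sshd_config that is the easy way to end up with a setting that does nothing, because sshd keeps the first value it sees for a keyword. The following auditor is an added example, not code from the original post or from OpenSSH: it parses sshd_config with that first-value-wins rule (the Allow/Deny lists accumulate instead, and anything after the first Match line is per-connection and skipped), then compares the effective settings with the recommendations in this post. The expected values, the PasswordAuthentication check, and both sample configs are this example's assumptions.

```python
"""Audit sshd_config against the hardening steps above (added example)."""
import re

# Keyword -> expected value (keywords are case-insensitive in sshd_config).
EXPECTED = {
    "protocol": "2",                    # harmless on OpenSSH >= 7.4, which only speaks v2
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "passwordauthentication": "no",     # assumes keys are already deployed
}
LIST_KEYWORDS = {"allowusers", "denyusers", "allowgroups", "denygroups"}

# Constructed sample: a stock file with the post's lines appended at the end.
SAMPLE_WEAK = """\
Protocol 2
Port 22
PermitRootLogin yes
PasswordAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers root wadmin
# hardening lines appended after the stock settings:
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: the same intent, with the existing lines edited in place.
SAMPLE_HARDENED = """\
Protocol 2
Port 300
ListenAddress 192.168.1.5
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers wadmin
"""

def parse_sshd_config(text):
    """Return (effective, shadowed). `effective` maps lowercase keyword -> value
    (a list for LIST_KEYWORDS); `shadowed` lists (keyword, value) pairs that sshd
    ignores because an earlier line already set that keyword."""
    effective, shadowed = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                                            # conditional block: out of scope
        if key in LIST_KEYWORDS:
            effective.setdefault(key, []).extend(value.split())
        elif key in effective:
            shadowed.append((key, value))
        else:
            effective[key] = value
    return effective, shadowed

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    eff, shadowed = parse_sshd_config(text)
    findings = [f"{k} {v}: ignored, sshd keeps the first value ({eff[k]})" for k, v in shadowed]
    for key, want in EXPECTED.items():
        got = eff.get(key)
        if got is None:
            findings.append(f"{key}: not set, the compiled-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is {got}, expected {want}")
    # ClientAlive* are liveness probes; CountMax 0 disables disconnection on OpenSSH >= 8.2.
    if eff.get("clientaliveinterval", "0") != "0" and eff.get("clientalivecountmax") == "0":
        findings.append("clientalivecountmax 0: no disconnection on OpenSSH >= 8.2, use a small positive value")
    if "root" in eff.get("allowusers", []):
        findings.append("allowusers lists root: remove it and keep PermitRootLogin no")
    if "listenaddress" not in eff:
        findings.append("listenaddress: not set, sshd binds every interface")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Point it at /etc/ssh/sshd_config after each change and before restarting sshd; the shadowed list is the one that catches the "appended but ignored" mistake, and sshd -T on the host shows the same effective values straight from the daemon.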

How to set up replication for memcached using repcached


Posted on: April, 2012, 08:00 PM, By: Ghufran, under System Administration.

repcached is a patch set that adds a data replication feature to memcached 1.2.x, which can save you serious server load when one cache node is lost. It can only handle two instances sharing the same data. The key features of repcached:
Asynchronous data replication.
Single master, single slave.
Supports all memcached commands (set, add, delete, incr/decr, flush_all).
The slave becomes master if the master goes down.
The whole data set is copied to the slave automatically when a new slave connects to the master.
Master/slave relationship between memcached daemons.

repcached adds two new startup options to memcached:
-x hostname or IP address of the master memcached.
-X TCP port number used for replication with the master.
To test your setup, start two memcached instances as below:

# the master
memcached -l 10.200.200.59 -d -u nobody
# the slave
memcached -l 10.200.200.59 -d -x 10.200.200.59 -m 64 -p 11112 -u nobody

Both instances here bind to the same routable address, which is fine for a test. Keep in mind that memcached's text protocol has no authentication at all: anyone who can reach the client ports or the replication port can read, overwrite or flush the cache, so in production bind to a private address with -l and firewall those ports.

Now to test it, set a key on the master, read it back there, and then get it from the slave:
$ telnet 10.200.200.59 11211
Trying 10.200.200.59...
Connected to 10.200.200.59.
Escape character is '^]'.
set MyKey 1 600 5
12345
STORED
get MyKey
VALUE MyKey 1 5
12345
END

Now get it from the slave:


$ telnet 10.200.200.59 11112
Trying 10.200.200.59...
Connected to 10.200.200.59.
Escape character is '^]'.
get MyKey
VALUE MyKey 1 5
12345
END

By the way, the syntax of the set command, as typed over telnet, is:

set <key> <flags> <exptime> <bytes> [noreply]\r\n<value>\r\n

Where:
<key>: the key under which the data is stored (at most 250 bytes, with no whitespace or control characters).
<flags>: a 32-bit unsigned integer that the server stores with the data (provided by the client) and returns along with the data when the item is retrieved.
<exptime>: expiration time in seconds; 0 means the item never expires. If exptime is larger than 30 days (2592000 seconds), memcached treats it as an absolute UNIX timestamp.
<bytes>: number of bytes in the data block, not counting the trailing \r\n.
<cas unique>: unique 64-bit value of an existing entry (retrieved with the gets command), used with the cas command in place of set.
[noreply]: optional parameter that tells the server not to send a reply.
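The framing rules above are exactly what goes wrong when application code builds these commands by string concatenation: a key containing a space or a newline turns into a second command. The following module is an added example, not code from the original post or from repcached: it encodes a validated set command, parses a get reply without trusting a partial read, converts lifetimes past the 30-day boundary, and, on a real master/slave pair, repeats the telnet check above with a few retries because replication is asynchronous. The addresses are the ones from the post; the network part is not exercised offline, the parsers are.

```python
"""Memcached text-protocol framing for the set/get exchange above (added example)."""
import socket
import time

MAX_KEY_LEN = 250                 # protocol limit
THIRTY_DAYS = 30 * 24 * 60 * 60   # exptime above this is an absolute UNIX timestamp

def validate_key(key):
    """Reject keys that would break framing: at most 250 bytes, no whitespace or
    control characters. Without this, a key taken from user input such as
    'x\\r\\nflush_all' becomes a second command on the same connection."""
    kb = key.encode("utf-8")
    if not kb or len(kb) > MAX_KEY_LEN or any(c <= 0x20 or c == 0x7F for c in kb):
        raise ValueError(f"invalid memcached key: {key!r}")
    return kb

def build_set(key, value, flags=0, exptime=0, noreply=False):
    """Encode: set <key> <flags> <exptime> <bytes> [noreply]\\r\\n<value>\\r\\n"""
    kb = validate_key(key)
    if not 0 <= flags <= 0xFFFFFFFF:
        raise ValueError("flags must be a 32-bit unsigned integer")
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    head = b"set %s %d %d %d" % (kb, flags, exptime, len(data))
    if noreply:
        head += b" noreply"
    return head + b"\r\n" + data + b"\r\n"

def relative_exptime(seconds):
    """Turn a relative lifetime into a value memcached honours: beyond 30 days the
    server reads exptime as a UNIX timestamp, so convert it explicitly."""
    return seconds if seconds <= THIRTY_DAYS else int(time.time()) + seconds

def parse_get_response(data):
    """Parse 'VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n' into
    {key: (flags, value)}. Raises ValueError on a truncated or malformed reply so
    a partial socket read is never mistaken for a complete one."""
    items, pos = {}, 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated response")
        line, pos = data[pos:nl], nl + 2
        if line == b"END":
            return items
        fields = line.split(b" ")
        if fields[0] != b"VALUE" or len(fields) not in (4, 5):   # 5 fields when gets adds the cas unique
            raise ValueError(f"unexpected line: {line!r}")
        key, flags, nbytes = fields[1].decode("utf-8"), int(fields[2]), int(fields[3])
        body = data[pos:pos + nbytes]
        if len(body) != nbytes or data[pos + nbytes:pos + nbytes + 2] != b"\r\n":
            raise ValueError("truncated value block")
        items[key] = (flags, body)
        pos += nbytes + 2

def _request(addr, payload, terminator, timeout=2.0):
    """Send one command and read until the reply ends with `terminator`."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(payload)
        buf = b""
        while not buf.endswith(terminator):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection mid-reply")
            buf += chunk
    return buf

def check_replication(master, slave, key, value, attempts=5):
    """Store `key` on the master and poll the slave for it. Replication is
    asynchronous, so a few retries are allowed before declaring it broken."""
    if _request(master, build_set(key, value, flags=1, exptime=600), b"\r\n") != b"STORED\r\n":
        return False
    want = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    for _ in range(attempts):
        items = parse_get_response(_request(slave, b"get %s\r\n" % validate_key(key), b"END\r\n"))
        if items.get(key, (None, None))[1] == want:
            return True
        time.sleep(0.2)
    return False

if __name__ == "__main__":
    print(build_set("MyKey", "12345", flags=1, exptime=600))
    print(parse_get_response(b"VALUE MyKey 1 5\r\n12345\r\nEND\r\n"))
    try:   # addresses from the post; only reachable from inside that network
        print("replicated:", check_replication(("10.200.200.59", 11211), ("10.200.200.59", 11112), "MyKey", "12345"))
    except OSError as exc:
        print("replication check skipped:", exc)
```

The validate_key check is the part worth keeping in any application that forwards user-controlled strings into memcached; the rest reproduces the telnet session with the error handling telnet lets you skip.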

Have I missed anything? Share your experience with us.
