
Best configuration for VPS with DirectAdmin on CentOS 6.5

Hi,

I'm setting up a VPS with DirectAdmin on CentOS 6.5 for the hosting of WordPress sites and handmade websites.
I was wondering, what do you think is the "best" configuration? What tools/plugins would you use?

Would you use any of these suggestions?
- nginx
- custombuild 2.0 (or 1.2?)
- CSF firewall
- suPHP
- LiteSpeed Web Server
- MOD_SECURITY
- mod_evasive
- ClamAV Antivirus
- Rootkit Hunter
- Malware Detect (Maldet)
- Mod-ruid2

Or do you use others? Like?
And what would work "best" with WordPress?

I'm curious!
Thanks!
0
peps03
1 Solution
 
gheist Commented:
Since it is CentOS, look no further than Fedora EPEL. It even has a maintained WordPress distribution with all the upgrades

Please calm down on your loooong checklist:
What would you do with 2 web servers and 2 modules for yet another webserver?
Apache + mod_fcgid is much more straightforward

DirectAdmin will not gain from extra cPanel components.
Why would you install anything that will never work?
0
 
peps03 Author Commented:
You would only use: Apache + mod_fcgid?
Nothing for security?

Are there any others with an opinion over a good vps setup?
0
 
gheist Commented:
ha ha ha
You did not mention Apache either. Just two other web servers which have no gain from Apache modules.
If you call PHP with fcgi it is very unlikely those modules will protect you a lot.
0
 
peps03 Author Commented:
I'm using Apache.
What do you mean exactly?
0
 
gheist Commented:
You want to install 2 other web servers according to your list.
EPEL has all the missing pieces that CentOS does not have. Use care to not install 3 web servers on your server. It will be hard to guess which one is failing.
0
 
peps03 Author Commented:
I'm asking what would be a good configuration/combination based on the list.

What do you think of this:
- custombuild 2.0 + custombuild 2.0 plugin
- nginx + apache (via custombuild 2)
- CSF firewall
- cloudlinux
- lsphp
0
 
peps03 Author Commented:
And would .htaccess still work with this setup?
0
 
gheist Commented:
CentOS & EPEL is more mainstream than custombuild

Why do you use apache+nginx?
I'd suggest using worker apache 2.2 or event 2.4, calling php-cgi via mod_fcgid (xor nginx with php-fpm)

For htaccess you need apache

CSF is much more functional than default system-config-firewall(-tui) - here I agree with you
You might want to dig deeper in SELinux (easier with CentOS packaging)

Was it cloudlinux or CentOS?

apache equivalent of LSPHP is mod_fcgid (and you require apache for .htaccess)
0
 
peps03 Author Commented:
Sorry, I'm not yet that familiar with all these terms. More questions arise :/
Even though I've searched a lot on the internet.

I'm not familiar with EPEL, that would come instead of....?

The vps is mainly for Wordpress websites and some 'normal' websites.
WordPress uses htaccess, so I think I must stick with Apache then, right?

Why do you use apache+nginx?
Because directadmin custombuild 2.0 has an option to enable nginx, to use Nginx as a Reverse Proxy for Apache

Why would you rather use:
I'd suggest using worker apache 2.2 or event 2.4, calling php-cgi via mod_fcgid (xor nginx with php-fpm)

Is cloudlinux a replacement for CentOS? Can't it be used in combination with apache / nginx / directadmin?

Thanks :/
0
 
gheist Commented:
EPEL is a repository with a heap of additional software for CentOS/RHEL, all backported from more recent Fedora releases
https://fedoraproject.org/wiki/EPEL
That you use in place of or in addition to custombuild.

You can even get WordPress with multiuser, regularly updated, from there

I am saying that modern Apache is as efficient as nginx, there is no need for nginx reverse proxy
Why Apache - for .htaccess
Why NGINX - a bit more efficient still
My suggestion is to choose one - if you insist on htaccess - OK, Apache event or worker (CentOS 6 has latter, CentOS 7 former)
If you don't - gain 1% of efficiency with nginx and php-fpm (You can get nginx build for CentOS from nginx directly)

Cloudlinux is a "host" operating system where they can run tenant guest operating systems like CentOS, Windows 2003 and anything imaginable.
0
 
peps03 Author Commented:
Thanks for your reply!

I think I can install Cloudlinux from Custombuild 2.0, I saw it as an option. Is it the same?
Then I think I'll go for Apache 2.4 + custombuild 2.0 and Cloudlinux.
0
 
gheist Commented:
CentOS7 is more mainstream, like with 1000x more users than cloudlinux and/or custombuild
And it leaves you space to change hosting provider at any time.
0
 
peps03 Author Commented:
So you advise CentOS 7 over 6.5?
With Apache 2.4? And?
0
 
gheist Commented:
You are undecided. NGINX+PHP-FPM from EPEL will be almost identical
EL7 has apache 2.4 which means you get event mpm out of the box (that 1% performance boost nginx gives)
It has creepy systemd, on the other hand it defaults to very speedy XFS filesystem.

If I was to choose today I'd get over .htaccess requirement and set on
CentOS 6U6 (it is out for month or so, once you install 6.5) + NGINX + PHP-FPM

Then add nginx from home base
http://nginx.org/en/linux_packages.html
repo file with gpg checking:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/x86_64/
gpgkey=http://nginx.org/packages/keys/nginx_signing.key
gpgcheck=1
enabled=1
Alternatively you can get a bit older nginx from epel

PHP-FPM from fedora EPEL:
Then install epel-release from their page, and follow the guides on internet to link that backend with nginx
0
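
Added example, not part of any post in this thread: a small shell audit of yum repo definitions, run on the [nginx] section quoted above plus a constructed [example-local] section. It reports sections where signature checking is off or unset, or where the signing key is fetched over plain HTTP (in that case fetch the key over HTTPS or verify its fingerprint out of band before trusting it). The function name `audit_repo` and the finding labels are made up for illustration.

```sh
# Added example (not from the thread): audit yum .repo text for weak signature settings.
# audit_repo: reads .repo text on stdin, prints "<section> <FINDING>" lines.
audit_repo() {
    awk '
    function report() {
        if (sec == "" || tolower(enabled) ~ /^(0|no|false)$/) return
        # An unset gpgcheck falls back to [main] in yum.conf.
        if (gpgcheck == "") print sec, "GPGCHECK_UNSET"
        else if (tolower(gpgcheck) !~ /^(1|yes|true)$/) print sec, "GPGCHECK_OFF"
        else if (gpgkey == "") print sec, "NO_GPGKEY"
        # A key fetched over plain HTTP can be replaced in transit.
        if (gpgkey ~ /http:\/\//) print sec, "KEY_OVER_HTTP"
    }
    /^[ \t]*[#;]/ { next }                   # skip comment lines
    /^[ \t]*\[/ {                            # a new [section] starts
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        gpgcheck = ""; gpgkey = ""; enabled = "1"
        next
    }
    /=/ {                                    # key=value inside a section
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        else if (key == "gpgkey") gpgkey = val
        else if (key == "enabled") enabled = val
    }
    END { report() }
    '
}

# Sample input: the [nginx] section as posted above, plus a constructed
# [example-local] section with checking disabled.
sample_repos() {
    cat <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/x86_64/
gpgkey=http://nginx.org/packages/keys/nginx_signing.key
gpgcheck=1
enabled=1
[example-local]
baseurl=file:///srv/repo/
gpgcheck=0
EOF
}

sample_repos | audit_repo
```

On a live host the same function can be fed each file under /etc/yum.repos.d/ in turn.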
 
peps03 Author Commented:
Thanks for your reply!

If I was to choose today i'd get over .htaccess requirement
How would you do the .htaccess stuff, like rewrites, redirects, etc without .htaccess on a per user basis?

Will WordPress still work? It uses htaccess...
0
 
gheist Commented:
NGINX provides equivalent functionality with own rewrite rules.

worker mpm uses 20MB per 100 connections while nginx 10MB per 1000.
normal prefork apache will eat 20MB+PHP memory per connection

I think with worker MPM you are already in warm spot and have better idea if you want to take on changing rewrite rules into nginx conf or no.
0
 
peps03 Author Commented:
What would you use in combination with mod_php, worker or prefork? Can I just change that without unwanted consequences?


I'm also going to try CentOS 6U6 + nginx + PHP-FPM. Btw, what is the difference between CentOS 6U6 and 6.5?
0
 
gheist Commented:
mod_php works only with prefork (it loads in worker, but no php modules like mysql can be loaded)
for others you have to invoke php-cgi via mod_fcgid like here.
0
 
gheist Commented:
Version number is part of package centos-release.
Since you will be anyway updating software sometimes, your 6.4 installation will become 6U6 right on first "yum upgrade"
0
 
gheist Commented:
php-fpm is available after you install "epel-release" package, no need to go long leaps to install epel repository definitions.
0
 
peps03 Author Commented:
Would you switch from mod_php with prefork to php-cgi with worker?
Is it safe to switch?
Would it have benefits?
(for an operational VPS with mainly WordPress sites?)
0
 
gheist Commented:
I switched long ago.
Safe: yes
1) threaded apache uses single 20MB process for 64 connections
2) off-process PHP a) does not use Apache memory while that serves static content b) is completely isolated from Apache - e.g. in an attack similar to Heartbleed, one sweeping through PHP memory will not get SSL keys, or the other way - one sweeping Apache memory stands no chance to get to DB passwords.
Wordpress - yes, PHP is same as in prefork, compatible with any module out there.

1NGINX) 10MB 1024
2PHP-FPM) same as (2)
0
 
peps03 Author Commented:
For the record, in this setting I would be switching on Apache 2.4 from mod_php + prefork to php-cgi + worker

Is this what php-cgi+worker uses?
1) threaded apache uses single 20MB process for 64 connections

What does mod_php + prefork use?
What is the benefit of switching except security?

Thanks for your replies btw, really appreciate it!
0
 
gheist Commented:
mod_php uses 1 process of 20MB+php_mem per connection, and users over internet average to 4 connections.
So you think it is reasonable to have 512MB per user of your site?
or maybe go with _worker:
20MB/64+100MB/10== 11MB/conn = 44MB
or nginx+FPM
10MB/1000 + 100MB/10 == 10MB = 40MB

Limits(CentOS)
prefork: 256 client connections
worker 1000
nginx millions to billions
0
 
peps03 Author Commented:
Ok! Many thanks!
I'll try to change my existing configuration from mod_php + prefork to php-cgi + worker.

On my next VPS I'll try nginx + php-fpm.
0
 
peps03 Author Commented:
Thank you!
0
 
gheist Commented:
enable worker -> /etc/sysconfig/httpd
install php_fcgid -> epel (yum install epel-release)
configure php_fcgid -> replace part containing php-zts with example from official php_fcgid documentation in /etc/httpd/conf.d/php.conf (php-zts is the multi-threaded crippled php that loads not even standard modules) patching php.conf will ensure fcgid configuration survives php upgrades.

Make it 1024->
/etc/security/limits.conf
apache - nofile 4096
/etc/httpd/conf/httpd.conf
Around worker set enormous value for each parameter and check the log for maximum permissible.

epel wordpress is also valid option (more or less "yum upgrade" to upgrade), but feel free to do your way
0
 
peps03 Author Commented:
In the two php-cgi + worker and nginx + php-fpm configurations, would I leave mod_ruid2 installed or not?
0
 
gheist Commented:
mod_ruid2 is more or less same as mod_fcgid with exception that PHP is run as a different user.
0
 
peps03 Author Commented:
So I should choose between the 2. Which would you do?
0
 
gheist Commented:
mod_ruid2 is not very popular nor maintained.
it sounds cool to have php and apache running as different users
but no normal application is prepared for that (or more accurately - neither should be able to rewrite website content)
so you will actually end up adding "other" php-cgi user to apache group and well end up with mod_fcgid.

Same applies to php-fpm which can be tricked to run as different user but...

I would not take extra complexity now. I'd leave re-evaluating situation for NGINX+FPM stage
0
