Solved

Best configuration for VPS with DirectAdmin on CentOS 6.5

Posted on 2014-11-25
Last Modified: 2014-12-17
Hi,

I'm setting up a VPS with DirectAdmin on CentOS 6.5 for the hosting of WordPress sites and handmade websites.
I was wondering, what do you think is the "best" configuration? What tools/plugins would you use?

Would you use any of these suggestions?
- nginx
- custombuild 2.0 (or 1.2?)
- CSF firewall
- suPHP
- LiteSpeed Web Server
- MOD_SECURITY
- mod_evasive
- ClamAV Antivirus
- Rootkit Hunter
- Malware Detect (Maldet)
- Mod-ruid2

Or do you use others? Like?
And what would work "best" with WordPress?

I'm curious!
Thanks!
0
Question by:peps03
 
LVL 61

Expert Comment

by:gheist
ID: 40468749
Since it is CentOS, look no further than Fedora EPEL. It even has a maintained WordPress distribution with all the upgrades.

Please calm down on your loooong checklist:
What would you do with 2 web servers and 2 modules for yet another webserver?
Apache + mod_fcgid is much more straightforward

Directadmin will not gain from extra cpanel components.
Why would you install anything that will never work?
0
 

Author Comment

by:peps03
ID: 40470416
You would only use: Apache + mod_fcgid?
Nothing for security?

Are there any others with an opinion over a good vps setup?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40471047
ha ha ha
You did not mention Apache either. Just two other webservers which have no gain from Apache modules.
If you call PHP with fcgi it is very unlikely those modules will protect you a lot.
0
 

Author Comment

by:peps03
ID: 40474187
I'm using Apache.
What do you mean exactly?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40474364
You want to install 2 other web servers according to your list.
EPEL has all the missing pieces that CentOS does not have. Use care to not install 3 webservers on your server. It will be hard to guess which one is failing.
0
 

Author Comment

by:peps03
ID: 40475633
I'm asking what would be a good configuration/combination based on the list.

What do you think of this:
- custombuild 2.0 + custombuild 2.0 plugin
- nginx + apache (via custombuild 2)
- CSF firewall
- cloudlinux
- lsphp
0
 

Author Comment

by:peps03
ID: 40475667
And would .htaccess still work with this setup?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40475737
CentOS & EPEL is more mainstream than custombuild

Why do you use apache+nginx?
I'd suggest using worker apache 2.2 or event 2.4, calling php-cgi via mod_fcgid (xor nginx with php-fpm)

For htaccess you need apache

CSF is much more functional than default system-config-firewall(-tui) - here I agree with you
You might want to dig deeper in SELinux (easier with CentOS packaging)

Was it cloudlinux or CentOS?

apache equivalent of LSPHP is mod_fcgid (and you require apache for .htaccess)
0
 

Author Comment

by:peps03
ID: 40475815
Sorry, I'm not yet that familiar with all these terms. More questions arise :/
Even though I've searched a lot on the internet.

I'm not familiar with EPEL, that would come instead of....?

The VPS is mainly for WordPress websites and some 'normal' websites.
WordPress uses htaccess, so I think I must stick with Apache then, right?

"Why do you use apache+nginx?"
Because DirectAdmin custombuild 2.0 has an option to enable nginx, to use nginx as a reverse proxy for Apache.

Why would you rather use:
"I'd suggest using worker apache 2.2 or event 2.4, calling php-cgi via mod_fcgid (xor nginx with php-fpm)"

Is CloudLinux a replacement for CentOS? Can't it be used in combination with Apache / nginx / DirectAdmin?

Thanks :/
0
 
LVL 61

Expert Comment

by:gheist
ID: 40475850
EPEL is a repository with a heap of additional software for CentOS/RHEL, all backported from more recent Fedora releases
https://fedoraproject.org/wiki/EPEL
That you use in place of or in addition to custombuild.

You can even get WordPress with multiuser, regularly updated, from there

I am telling that modern apache is as efficient as nginx, there is no need for nginx reverse proxy
Why apache - for .htaccess
Why NGINX - a bit more efficient still
My suggestion is to choose one - if you insist on htaccess - OK, Apache event or worker (CentOS 6 has the latter, CentOS 7 the former)
If you don't - gain 1% of efficiency with nginx and php-fpm (you can get an nginx build for CentOS from nginx directly)

Cloudlinux is "host" operating system where they can run tenant guest operating systems like CentOS, Windows 2003 and anything imaginable.
0
 

Author Comment

by:peps03
ID: 40481401
Thanks for your reply!

Think I can install CloudLinux from Custombuild 2.0, I saw it as an option.. Is it the same?
Then I think I'll go for Apache 2.4 + custombuild 2.0 and CloudLinux.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40482007
CentOS7 is more mainstream, like with 1000x more users than cloudlinux and/or custombuild
And it leaves you space to change hosting provider at any time.
0
 

Author Comment

by:peps03
ID: 40482588
So you advise CentOS 7 over 6.5?
With Apache 2.4? And?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40483082
You are undecided. NGINX+PHP-FPM from EPEL will be almost identical
EL7 has apache 2.4 which means you get event mpm out of the box (that 1% performance boost nginx gives)
It has creepy systemd, on the other hand it defaults to very speedy XFS filesystem.

If I was to choose today I'd get over the .htaccess requirement and settle on
CentOS 6U6 (it is out for month or so, once you install 6.5) + NGINX + PHP-FPM

Then add nginx from home base
http://nginx.org/en/linux_packages.html
repo file with gpg checking:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/x86_64/
gpgkey=http://nginx.org/packages/keys/nginx_signing.key
gpgcheck=1
enabled=1
Alternatively you can get a bit older nginx from epel

PHP-FPM from fedora EPEL:
Then install epel-release from their page, and follow the guides on internet to link that backend with nginx
0
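The repo file in the post above turns on `gpgcheck=1`; a check like the following confirms that every enabled repository on the box does the same. This is an added example, not part of the original post: `audit_repo` and the `[example-unsigned]` section are constructed for illustration. It also warns when the signing key is fetched over plain HTTP, since a key obtained that way is only as trustworthy as the network path unless its fingerprint is compared out of band.

```shell
# Added example: audit yum .repo files for package signature checking.
# Usage: audit_repo /etc/yum.repos.d/*.repo   (exit status 1 on any FAIL)
audit_repo() {
    awk '
    function report() {
        if (sec == "" || sec == "main" || enabled == "0") return
        if (gpgcheck != "1") {
            print sec ": FAIL gpgcheck is " (gpgcheck == "" ? "unset" : gpgcheck); bad = 1
        } else if (gpgkey == "") {
            print sec ": WARN gpgcheck=1 but no gpgkey in this section"
        } else if (gpgkey ~ /^http:/) {
            print sec ": WARN gpgkey is fetched over plain http"
        } else {
            print sec ": OK"
        }
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^[ \t]*\[/ {                               # a new [section] starts
        report()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        enabled = ""; gpgcheck = ""; gpgkey = ""; next
    }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "enabled")  enabled = val    # absent means enabled
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey = val
    }
    END { report(); exit bad }
    ' "$@"
}

# Constructed sample: the [nginx] section from the post plus a weak section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/6/x86_64/
gpgkey=http://nginx.org/packages/keys/nginx_signing.key
gpgcheck=1
enabled=1
[example-unsigned]
gpgcheck=0
EOF
audit_repo "$sample" || echo "at least one enabled repo skips signature checks"
rm -f "$sample"
```

A section that leaves `gpgcheck` unset is reported as a failure because it then depends on whatever `[main]` in yum.conf says.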
 

Author Comment

by:peps03
ID: 40489521
Thanks for your reply!

"If I was to choose today i'd get over .htaccess requirement"
How would you do the .htaccess stuff, like rewrites, redirects, etc without .htaccess on a per user basis?

Will WordPress still work? It uses htaccess...
0
 
LVL 61

Expert Comment

by:gheist
ID: 40490277
NGINX provides equivalent functionality with its own rewrite rules.

worker mpm uses 20MB per 100 connections while nginx 10MB per 1000.
normal prefork apache will eat 20MB+PHP memory per connection

I think with worker MPM you are already in warm spot and have better idea if you want to take on changing rewrite rules into nginx conf or no.
0
 

Author Comment

by:peps03
ID: 40493953
What would you use in combination with mod_php, worker or prefork? Can I just change that without unwanted consequences?


I'm also going to try CentOS 6U6 + nginx + PHP-FPM. Btw, what is the difference between CentOS 6U6 and 6.5?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40494064
mod_php works only with prefork (it loads in worker, but no php modules like mysql can be loaded)
for others you have to invoke php-cgi via mod_fcgid like here.
0
 
LVL 61

Expert Comment

by:gheist
ID: 40494068
version number is part of package centos-release.
Since you will be updating software anyway, sometimes your 6.4 installation will become 6U6 right on the first "yum upgrade".
0
 
LVL 61

Expert Comment

by:gheist
ID: 40494071
php-fpm is available after you install "epel-release" package, no need to go long leaps to install epel repository definitions.
0
 

Author Comment

by:peps03
ID: 40494363
Would you switch from mod_php with prefork to php-cgi with worker?
Is it safe to switch?
Would it have benefits?
(for an operational VPS with mainly WordPress sites?)
0
 
LVL 61

Expert Comment

by:gheist
ID: 40494420
I switched long ago.
Safe: yes
1) threaded apache uses single 20MB process for 64 connections
2) off-process PHP 1) does not use Apache memory while that serves static content 2) is completely isolated from Apache - e.g. in an attack similar to Heartbleed, one sweeping through PHP memory will not get SSL keys, or the other way - one sweeping Apache memory stands no chance of getting to DB passwords.
Wordpress - yes, PHP is same as in prefork, compatible with any module out there.

1NGINX) 10MB 1024
2PHP-FPM) same as (2)
0
 

Author Comment

by:peps03
ID: 40494578
For the record, in this setting I would be switching on Apache 2.4 from mod_php + prefork to php-cgi + worker.

Is this what php-cgi + worker uses?
"1) threaded apache uses single 20MB process for 64 connections"

What does mod_php + prefork use?
What is the benefit of switching except security?

Thanks for your replies btw, really appreciate it!
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40494667
mod_php uses 1 process of 20MB+php_mem per connection, and users over internet average to 4 connections.
So you think it is reasonable to have 512MB per user of your site?
or maybe go with _worker:
20MB/64+100MB/10== 11MB/conn = 44MB
or nginx+FPM
10MB/1000 + 100MB/10 == 10MB = 40MB

Limits(CentOS)
prefork: 256 client connections
worker 1000
nginx millions to billions
0
 

Author Comment

by:peps03
ID: 40502934
Ok! Many thanks!
I'll try to change my existing configuration from mod_php + prefork to php-cgi + worker.

On my next VPS I'll try nginx + php-fpm.
0
 

Author Closing Comment

by:peps03
ID: 40502938
Thank you!
0
 
LVL 61

Expert Comment

by:gheist
ID: 40503153
enable worker -> /etc/sysconfig/httpd
install php_fcgid -> epel (yum install epel-release)
configure php_fcgid -> replace part containing php-zts with example from official php_fcgid documentation in /etc/httpd/conf.d/php.conf (php-zts is the multi-threaded crippled php that loads not even standard modules) patching php.conf will ensure fcgid configuration survives php upgrades.

Make it 1024->
/etc/security/limits.conf
apache - nofile 4096
/etc/httpd/conf/httpd.conf
Around worker set enormous value for each parameter and check the log for maximum permissible.

EPEL WordPress is also a valid option (more or less "yum upgrade" to upgrade), but feel free to do it your way
0
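A way to confirm that the three file changes listed in the post above are actually in place before restarting httpd, as an added example that is not part of the original post. Assumptions: `check_switch` and `uncommented` are hypothetical helper names, the worker binary is selected with an `HTTPD=...httpd.worker` line in /etc/sysconfig/httpd (the CentOS 6 convention), and php.conf hands PHP to mod_fcgid through a `FcgidWrapper` directive.

```shell
# Added example: verify the prefork+mod_php -> worker+mod_fcgid switch.
# check_switch ROOT   (ROOT is a path prefix; empty means the live system)
uncommented() { grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null; }

check_switch() {
    root=${1:-}; rc=0
    # 1. /etc/sysconfig/httpd must select the worker binary.
    if uncommented "$root/etc/sysconfig/httpd" | grep -Eq '^[[:space:]]*HTTPD=.*httpd\.worker'; then
        echo "mpm: worker"
    else
        echo "mpm: not worker"; rc=1
    fi
    # 2. php.conf must no longer load the php-zts module and should
    #    pass PHP to mod_fcgid instead.
    conf="$root/etc/httpd/conf.d/php.conf"
    if uncommented "$conf" | grep -q 'zts'; then
        echo "php: php-zts still referenced"; rc=1
    elif uncommented "$conf" | grep -Eiq '^[[:space:]]*FcgidWrapper[[:space:]]'; then
        echo "php: handled by mod_fcgid"
    else
        echo "php: no FcgidWrapper found"; rc=1
    fi
    # 3. limits.conf must raise the open-file limit for the apache user.
    lim="$root/etc/security/limits.conf"; nofile=0
    [ -r "$lim" ] && nofile=$(awk '$1 == "apache" && $3 == "nofile" { n = $4 } END { print n + 0 }' "$lim")
    if [ "$nofile" -ge 4096 ]; then
        echo "nofile: $nofile"
    else
        echo "nofile: $nofile (below 4096)"; rc=1
    fi
    return "$rc"
}

# Constructed sample tree: worker enabled, php.conf not yet edited.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig" "$demo/etc/httpd/conf.d" "$demo/etc/security"
echo 'HTTPD=/usr/sbin/httpd.worker' > "$demo/etc/sysconfig/httpd"
echo 'LoadModule php5_module modules/libphp5-zts.so' > "$demo/etc/httpd/conf.d/php.conf"
echo 'apache - nofile 4096' > "$demo/etc/security/limits.conf"
check_switch "$demo" || echo "switch incomplete"
rm -rf "$demo"
```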
 

Author Comment

by:peps03
ID: 40504999
In the two php-cgi + worker and nginx + php-fpm configurations, would I leave mod_ruid2 installed or not?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40505051
mod_ruid2 is more or less the same as mod_fcgid, with the exception that PHP is run as a different user.
0
 

Author Comment

by:peps03
ID: 40505109
So I should choose between the 2. Which would you do?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40505162
mod_ruid2 is not very popular nor maintained.
it sounds cool to have php and apache running as different users
but no normal application is prepared for that (or more accurately - neither should be able to rewrite website content)
so you will actually end up adding "other" php-cgi user to apache group and well end up with mod_fcgid.

Same applies to php-fpm which can be tricked to run as different user but...

I would not take extra complexity now. I'd leave re-evaluating situation for NGINX+FPM stage
0
