As with any web application, a great level of thought and planning goes into the optimization of the webapp to ensure fast response times. However, what often gets overlooked is the configuration of the LAMP stack itself. There is plenty of benefit to be gained from optimizing the configuration of Apache, PHP and MySQL.

Although all the different components provide ‘optimised’ configurations, they’re generalised and not written for an applications specific requirements. The aim of the ‘Optimising the LAMP Stack’ series is not to provide an example configuration, but to explain the more important configuration options and what impact those settings have on your web applications - giving a greater in site into how to configure it correctly.

Your MySQL configuration can generally be found in /etc/my.cnf - heres a list of what I see as the most important variables.

1. query_cache_size:
   • MySQL 4 onwards provides query caching, whereby if a database has to continually run the same queries on the same dataset it will cache the results. Although this level of caching should generally be taken care of by the application, this is a good alternative and saves the server repeating tasks.
2. thread_cache:
   • Thread creation/destruction can be expensive, and this happens on every new connection. Keep this in line with the amount of connections you expect your  server to receive. If you start to see a spike in threads created, increase it. The goal is to not have threads created during normal operation.
3. key_buffer_size:
   • The key buffer is used with indexes. The larger you set the buffer, the quicker queries will complete and return a result. I recommend setting this somewhere between a quarter, but no more than half of the systems totally memory. In an ideal situation, this will be sufficient to contain all your table indexes.
4. table_cache:
   • Each time MySQL opens a table, it’s placed in the cache. The more tables you open, the higher cache you’ll require. Also bare in mind that MySQL is multi-threaded, therefore you could end up opening the same table multiple times in different processes and need to account for this.

The above list is the most important options for optimising a standard MySQL servers workload. Although there are plenty more, a lot can degrade performance when used incorrectly or when an applications requirements differ.

Should you wish to further optimize your configuration, I would suggest looking through the sample ‘optimized’ configuration provided with the MySQL server (Generally located in /usr/share/mysql). MySQLTuner is also pretty useful for configuration reccommendations when your database has been up and running for a few days.

Rob Greenwood, Technical Lead

Quite a specific case this one, but something I’ve seen quite often when people are using Remote Desktop (RDP) to work remotely.

Basically, with RDP, you can map the printers on your local workstation to the server you’re connecting to, so you can print from applications from the server, and hey presto, it comes out of the printer sat next to you.

This relies of course on you having installed the driver for your local printer, on the server to which you’re RDP’ing.

What I’ve noticed on several occasions though, is if you have a printer which has a non-local port, for example a DOT4 port (used mainly for printer/scanner/fax/teasmaids), or an IP port (i.e. printers with a HP JetDirect card), even if you have the correct driver installed on the server, when you connect via RDP, your printers are still not mapped.

“Why?”, I hear you ask.  After a bit of digging, I found this MS knowledgebase article.  Essentially, any ports not starting with COM LPT or USB are not redirected as default.

Why MS decided, in their infinite wisdom, to do this, I’m not sure.  However, there’s quite a simple registry fix for this one, shown in the article.

Why have I written a blog post about this fascinating topic?  I’ve noticed that this has foiled RDP users on many occasions as it’s quite a common set of circumstances; increasingly so with the prevalence of using RDP to access a centralised server for out-of-office working.

Daniel Foster,
Technical Director

Since the release of Windows XP and, later, its companion Windows Server 2003, Microsoft have packaged a basic firewall with its operating systems. Formerly known as “Internet Connection Firewall”, this has become a popular addition to the bundled packages, with many users finding it effective for basic firewalling of their internet connections.

But is there a downside to using it? After all, it is a free firewall, simplified and integrated into the operating system… what could be better?

Well in the context of a business-oriented server, almost anything, actually.

The benefits of Windows Firewall to home users are fairly obvious, and can effectively protect a home PC from inbound attacks from the vast number of hackers on the internet. The problems for servers arise due to their usually “remote” nature.. ie. locked up in a server room in the basement, or even 100 miles away in a world-class datacentre such as our own(!)

The firewall runs as a service within Windows itself and, although it will likely spend most of its time disabled, it can be activated by the occasional Windows Update, and can then lock you out of the server altogether, involving costly technician intervention. The default Windows Firewall configuration may well allow your webserver to run, but can block RDP for remote desktop administration, or even ICMP Ping, often used for checking a system’s “alive status”. We regularly take calls from customers whose Windows Firewall has been accidentally enabled.

When you use the firewall’s control panel, you have the option to turn it “On”, or “Off”, but this is not a secure method of deactivation. We recommend disabling the Windows Firewall service entirely from within Control Panel > Administrative Tools > Services.

Even a third-party firewall may give you problems if it is run on the server it is intended to protect. The best practice option is to either opt for a hardware-based firewall or even a small computer set up as an internet security device to go between your critical server and the internet.

Here at Melbourne, we offer an Enterprise-Class shared firewall solution called “Ultrafire” which uses a simple but powerful web-based interface for setting up rules, network aliases and IP services. More details can be found here: http://www.melbourne.co.uk/ultrafire.htm

In conclusion then, it’s best to view Windows Firewall as a handy utility for home use, but to completely disable it if you are running a server.

(Terminal Service Client 6.0)

(Applies to Windows XP only)

For those of you who use Remote Desktop to manage your servers, and, let’s face it that’s most of us who use Windows servers, the updated version of the RDP client is causing some irritation among IT professionals by making the process of logging onto the servers more convoluted.

Basically, Microsoft have, in their wisdom, decided to force you to enter your server’s credentials BEFORE connecting to terminal services. It quite often then inserts a useless string such as “server_name\login” where just the login will suffice, forcing you to correct it.

There is, however, a cure for all this timewasting: remove version 6.0 entirely and go back to using the perfectly adequate version 5.1.

To do this, uninstall RDC 6.0 from Control Panel | Add / Remove Programs.  Check the box “Show Updates”, locate “Update for Windows XP (KB925876)” and uninstall.

Over the past month we have been implementing the Dell OpenManage system on our Dell Windows dedicated servers.

http://www.dell.com/openmanage

This SNMP-based monitoring system gives us a very comprehensive diagnostic readout of the server’s health and notifies us of any impending issues.

Since we started rolling it out, some of these very issues have indeed come to light; some trivial, some more urgent.

In many cases, however, we have seen the need for the RAID card’s driver and/or firmware to be updated.

Replacing the driver is an easy matter, as it is directly available through the optional Hardware section of Windows Update. The required driver is marked version 1.29.03.00, and it requires a server reboot for it to take effect.

The firmware update is more difficult as it requires at least 10-15 minutes of server downtime to allow the PC to boot to a floppy disk containing the updated firmware (version 00.10.51.00.06.12.05.00). It also requires an actual human being to do this at the server itself…

Once these updates have been applied, OpenManage functions correctly.

The firmware update is even more pressing than the driver, as the older firmware, unbelievably, does not allow you to replace a failed hard drive with a new one and then rebuild an existing array; it asks you to start from scratch and delete all data.

The newer firmware allows the addition of a replacement drive as a “hot spare” which is then added to the existing array and rebuilt automatically.

More details of this firmware update is available as a PDF here:

http://www.dell.com/downloads/global/power/ps4q08-20090105-Bernal.pdf

If you’re wanting to test connectivity to your server by traceroute or ping, this site is very handy; allowing you to do traceroutes from 4 locations simultaneously and pings from tens of locations.

Really handy to check connectivity from multiple locations if you’re not sure if something is really down or not

With increased bandwidth charges and other associated overheads incurred with high data flow, HTTP compression may help you out a bit, especially if you have a powerful server which has plenty CPU cycles to spare.

Check if YOUR website is using compression or not, and see how much you could save if you enable it.

http://www.port80software.com/support/p80tools

You can expect anything between a 50% - 80% cut in HTTP traffic if you enable HTTP conpression… and here’s how.

1. Select the “Web Sites” node in your IIS admin MMC, right click and select Properties.

2. Select the Service tab and tick both the “Compress application files” and “Compress static files” tick boxes. You must have both boxes ticked in order for application files to be compressed, although you will not be prompted with this information.

3. Once the Compress static files box is ticked the “Temporary directory field” should become active.
Enter the directory in which you would like IIS to store your temporary compressed static files. The default value is %windir%\IIS Temporary Compressed Files, but you can set it to whatever you like.

If management of hard drive space is an issue for you, you can set the “Maximum temporary directory size” value by selecting the Limited to (in megabytes) radio button and then setting your specified value in the text field provided. If you have this option set then once the limit is reached older cached files are purged to allow new ones to be created.

4. Select the “Web service extensions” node, right click and select the “Add a new web service extension…” item from the menu. You should now be presented with a “New web service extension” dialogue box.

Place the name you wish to call the extension (this name will appear in the web service extensions list) in the Extension name text field.

In the Required files section click on the Add button and you should be presented with an Add file box. Browse to the gzip.dll file which should be located in X:\Windows\system32\inetsrv (where X is your system drive). Once you have found the file, select it and then click the OK. You should now see the full path to the gzip.dll file listed. Tick the box “Set extension status” to allowed so that this extension is allowed. Without setting this the extension will not work and compression will not be enabled. Click the OK button to apply the settings

5. Select the SERVER node at the top of the tree in your IIS Admin MMC (where SERVER is the name of your computer), right click it and then select the Properties menu item. Tick the “Enable direct metabase edit” tick box, and then click OK to apply the changes. What this does is allow you to edit and save your metabase.xml file, as otherwise it is locked when IIS is running. Be sure that you have backed up your IIS6 metabase.xml file.

Open your favourite text editor, and then open your metabase.xml which is located in X:\Windows\system32\inetsrv (where X is your system drive). Do a search for;

<IIsCompressionScheme>

This should bring up two results. One for deflate and one for gzip
Search for the following tag in both the deflate and gzip sections;

HcScriptFileExtensions

Add the php extension under these tags taking careful note to follow the correct syntax. Use the existing syntax for an example if unsure. You might also like to add extensions for any other script extensions while you are here such as aspx and asmx. Dynamic content is never cached by IIS like static content is, and is compressed each time that dynamic content is requested. This means compression of dynamic will consume significantly higher memory and CPU resources which you will need to take into consideration

Search for the following tag in both the deflate and gzip sections;

HcDynamicCompressionLevel

This is set to 0 by default, which isn’t going to give us much compression. 0 is the lowest value with 10 being the highest. However, from what I have read 9 seems to be the sweet spot as setting it to 10 consumes a lot more CPU resources without delivering much more compression. I would recommend setting this value to 9.

Save the file and then exit your editor

Restart IIS

The final step needed to be taken is for the IIS services to be restarted so that your changes are put into effect.

Select the SERVER node at the top of the tree in your IIS Admin MMC (where SERVER is the name of your computer), right click it, select the All tasks menu and then select the Restart IIS menu item.

In the Stop/start/restart window, select the Restart Internet services on SERVER (where SERVER is the name of your computer) option as shown below in figure 9

Congratulation! You should now have IIS compression… check to make sure it’s working by going back to
the online compression checking tool at http://www.port80software.com/support/p80tools

It has come to our attention via various security-related online publications, that there is a new local exploit in the wild for Linux kernel 2.6.17 and above.  This threat is quite serious and can quite quickly turn any regular user account into a privileged superuser account within a couple of seconds.  When it fails on unpatched kernels, it causes a kernel panic and renders the machine useless until rebooted.  More information can be found at the following URLs:

http://secunia.com/advisories/28835/

An excerpt from the above URL is pasted below:

“Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, and gain escalated privileges.

The vulnerabilities are caused due to the missing verification of parameters within the “vmsplice_to_user()”, “copy_from_user_mmap_sem()”, and “get_iovec_page_array()” functions in fs/splice.c before using them to perform certain memory operations. This can be exploited to e.g. read or write to arbitrary kernel memory via a specially crafted “vmsplice()” system call.

Successful exploitation allows attackers to e.g. gain “root” privileges.”

Issue
—–

In the past we have had several customers create test accounts with usernames and passwords such as test/test and username/password.  Having accounts such as these present is a severe security risk.  Having experianced this sort of occurance on more than a few occasions before, we consider threats such as these to be high.  Below is an example of how easily exploits such as this one can be used to gain superuser access to your machine:

[user@test tmp]$ uname -a
Linux testbox 2.6.24.1 #1 Mon Feb 11 17:22:31 EST 2008 i686 unknown
[user@test tmp]$ ./vms

———————————–
Linux vmsplice Local Root Exploit
By qaaz
———————————–
[+] mmap: 0×0 .. 0×1000
[+] page: 0×0
[+] page: 0×20
[+] mmap: 0×4000 .. 0×5000
[+] page: 0×4000
[+] page: 0×4020
[+] mmap: 0×1000 .. 0×2000
[+] page: 0×1000
[+] mmap: 0xb7f56000 .. 0xb7f88000
[+] root
[root@test tmp]#
[root@test tmp]# id
uid=0(root) gid=0(root) groups=2011(user)
[root@test tmp]# uname -a
Linux testbox 2.6.24.1 #1 Mon Feb 11 17:23:00 EST 2008 i686 unknown

Fix
—

Please upgrade the systems kernel to the latest available using your package manager.  For Debian/Ubuntu machines, use the apt package management tool.  For RedHat/Fedora/CentOS systems, use the yum package management system.  All vendors are now reporting that they have deployed fixed kernels onto their repositories.  It also is sensible to carry out a password audit using a tool such as John The Ripper.  This will test the security of all user account passwords on the the machine, and flag any weak passwords that the software can guess easily.

Over the last weekend, we’ve had several calls from customers thinking their servers are down over the weekend. Upon investigation in every case this has been due to Host Europe (123-reg, pipex etc) having issues with their nameservers, which is rendering websites or email unavailable.

As a courtesy service, we offer a free, but unmanaged DNS service to dedicated server and colocation customers.

If you wish to use this facility, please log into our support centre. You will then be able to go in and add zone files to our nameservers for your domain names, and then you can point your domain names to our nameservers which are:

ns1.melbourne.uk.net 87.237.57.1
ns2.melbourne.uk.net 195.10.254.129

This is a free, but un-managed, service that we offer to all customers.