Add this into your vhost (making sure to match the Directory directive with the correct path):
|
1 2 3 4 5 6 7 |
<Directory /var/www/vhosts/mydomain.com/uploads> SetHandler none SetHandler default-handler Options -ExecCGI php_flag engine off RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo .sh </Directory> |
For mod_php, you can just add this to your Apache LogFormat:
%{mod_php_memory_usage}n
Might be best to add it right at the end, so as not to break any log parsing.
Credit: http://tech.superhappykittymeow.com/?p=220
For PHP-FPM (i.e. anyone with NginX or anyone with one of our optimised Magento setups.), put the following into your FPM pool config file, probably here:
– /etc/php-fpm.d/website.conf (RHEL/CentOS)
– /etc/php5-fpm/pools.d/website.conf (Ubuntu)
|
1 2 |
access.log = /var/log/php-fpm/domain.com-access.log access.format = "%p %{HTTP_X_FORWARDED_FOR}e - %u %t \"%m %{REQUEST_URI}e\" %s %f %{mili}d %{kilo}M %C%% \"%{HTTP_USER_AGENT}e\"" |
Notes:
• Permissions matter. Check that the User and/or Group (of THIS fpm pool) can write to /var/log/php-fpm (or /php5-fpm, whatever)
• %{HTTP_X_FORWARDED_FOR}e is there because I was behind a Load Balancer, Varnish and/or other reverse proxy.
• %{REQUEST_URI}e\ is there because this CMS (like most, now), rewrite everything to index.php. I want to know the original request, not just the script name.
• %{kilo}M %C – These are the kickers: Memory usage and CPU PerformanceOptimized usage per request. Ker-pow. Pick your favourite awk/sort one-liner to weed out the heavy hitters.
You can log pretty much anything: any arbitrary header, (like REQUEST_URI), and you should find all the options in the comments under the default “www.conf” packaged config file.
Given that this starts with the PID, it should also help track down any segfaults you see in /var/log/messages / kern.log.
Oh, and while you’re at it, PHP-FPM has a slow log you can enable.
Oh, and don’t forget your old friend logrotate.
Counting the average PHP-FPM process memory usage
Looking at the ‘ps’ output isn’t always accurate because of shared memory. Here’s a one-liner to count up my FPM pool, where “www” is in name of the FPM pool:
|
1 |
for pid in $(ps aux | grep fpm | grep "pool www" | awk '{print $2}'); do pmap -d $pid | tail -1 ; done | sed 's/K//' | awk '{sum+=$4} END {print sum/NR/1024}’ |
Thanks to Dan Farmer for his original Apache memory script, which made me think to do this.
Divide and conquer
Do make sure that multiple websites on the same server are using their own FPM pools, that way it should be much easier to see what’s what.
But you can also separate by URL. I’ve done this with the M-word, but the theory should stand for any CMS where the tasks performed under the admin section will be more intensive than normal front-end user traffic.
The following should work with WordPress, assuming the path is /wp-admin . Magento users can (and should) change their admin path from the default, so watch out for that (usually configured in local.xml)
Or anything really – maybe that “importvideo” script is especially memory-intensive and you don’t want to allow it to bloat up all your processes.
1. Set up a separate PHP-FPM pool.
– give it a different name, different log file names, and listen on a different socket/port.
– Perhaps with a much higher memory_limit
– Perhaps with many fewer pm.max_children (ask customer how many humans actually use the “backend”). You might only need 5 or so.
– Perhaps it needs a longer max_execution_time …. you get the idea.
2. Send your “admin” traffic there.
Here’s how you might go about it. These are excerpts and ideas, rather than solid copy-paste config.
Nginx: something like this:
|
1 2 3 4 5 6 7 8 9 10 11 |
upstream backend { server unix:/var/run/php5-domain.com.sock; } upstream backend-admin { server unix:/var/run/php5-domain.com-admin.sock; } map "URL:$request_uri." $fcgi_pass { default backend; ~URL:.*admin.* backend-admin; } |
… then in your ‘server{}’ bit, use the variable for fastcgi_pass:
fastcgi_pass $fcgi_pass;
Apache: something like this…
|
1 2 3 4 5 6 7 |
# Normal backend alias, corresponds with FastCGIExgternalServer Alias /php.fcgi /dev/shm/domain-php.fcgi <Location ~ admin> # Override Action for “admin” URLs Action application/x-httpd-php /domain-admin.fcgi </Location> Alias /domain-admin.fcgi /dev/shm/domain-admin-php.fcgi |
3. You can probably now LOWER the memory_limit for your “main” pool
– if the rest of the website doesn’t use much memory. Now bask in the memory you just saved for the whole application server.
4. Bonus: NewRelic app separation
Don’t let all that heavy Admin work interfere with your nice / renice appdex statistics – we know (and expect) your backend dashboard to be slower.
Put this in the FPM pool config:
|
1 |
php_value[newrelic.appname] = "www.domain.com Admin" |
Credits: https://willparsons.tech/
If you are seeing the very-default-looking Magento page saying “There has been an error processing your request”, then look in here:
|
1 |
ls -lart <DOCROOT>/var/report/ | tail |
The stack trace will be in the latest file (there might be a lot), and should highlight what broke.
Maybe the error was in a database library, or a Redis library…see next step if that’s the case.
General errors, often non-fatal, are in <DOCROOT>/var/log/exception.log
Other module-specific logs will be in the same log/ directory, for example SagePay.
NB: check /tmp/magento/var/ .
If the directories in the DocumentRoot are not writable (or weren’t in the past), Magento will use /tmp/magento/var and you’ll find the logs/reports/cache in there.
First, find the local.xml. It should be under <DOCROOT>/app/etc/local.xml or possibly a subdirectory like <DOCROOT>/store/app/etc/local.xml
From that, take note of the database credentials, the <session_save>, and the <cache><backend>. If there’s no <cache> section, then you are using filesystem so it won’t be memcache or redis.
– Can you connect to that database from this server? authenticate? or is it at max-connections?
– To test memcache, “telnet host 11211” and type “STATS“.
– To test Redis, “telnet host 6379” and type “INFO”.
You could also use:
|
1 |
redis-cli -s /tmp/redis.sock -a PasswordIfThereIsOne info |
If you can’t connect to those from the web server, check that the relevant services are started, pay close attention to the port numbers, and make sure any firewalls allow the connection.
If the memcache/redis info shows evictions > 0, then it’s probably filled up at some point and restarting that service might get you out of the water.
|
1 |
ls -la /etc/init.d/mem* /etc/init.d/redis* |
3. Check the normal places – sometimes it’s nothing to do with Magento!
– Apache or nginx logs
– Is Apache just at MaxClients?
– PHP-FPM max_children?
|
1 |
ps aux | grep fpm | grep -v root | awk '{print $11, $12, $13}' | sort | uniq -c |
– Is your error really just a timeout, because the server’s too busy?
– Did OOM-killer break something?
|
1 |
grep oom /var/log/messages /var/log/kern.log |
– Has a developer been caught out by apc.stat=0 (or opcache.validate_timestamp=0) ?
Credits: https://willparsons.tech/
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 |
### Fail2Ban ### Best practise: - do NOT edit /etc/fail2ban/jail.conf BUT create a new /etc/fail2ban/jail.local file ============================================================= # Test fail2ban regex: example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf example2: fail2ban-regex --print-all-matched/var/log/secure /etc/fail2ban/filter.d/sshd.conf ============================================================= # Remove email notifications: comment out 'sendmail-whois' from action in [ssh-iptables] FYI, comment with # at the BEGINNING of the line like this or it won't work!!! [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] # sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5 ============================================================= # Wordpress wp-login - block POST attacks /etc/fail2ban/jail.local [apache-wp-login] enabled = true port = http,https filter = apache-wp-login logpath = /var/log/httpd/blog.tian.it-access.log maxretry = 3 bantime = 604800 ; 1 week findtime = 120 ---------------------------------------------------------------------------------------------------------------------- /etc/fail2ban/filter.d/apache-wp-login.conf [Definition] failregex = <HOST>.*POST.*wp-login.php HTTP/1.1 ignoreregex = ============================================================= # Manually ban an IP: fail2ban-client -vvv set <CHAIN> banip <IP> # Check status of sshd chain fail2ban-client status sshd |
If you want to make safer your remote server, it is good practise to use a good combination of sshd setup and fail2ban.
Firstly, you should setup your server to allow only key auth, and no passwords. This will drastically reduce the risk. This means anyway that you need to keep your ssh key safe and you won’t be able to access your server unless you have this key. Most of the time is something possible 🙂
For this reason, I’m explaining here how I configured my server.
Have these settings in the config file (NOTE: the verbosity is for Fail2ban)
|
1 2 3 |
LogLevel VERBOSE PasswordAuthentication no |
(restart sshd)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
[DEFAULT] # Ban hosts for # one hour: #bantime = 3600 # one day: bantime = 86400 # A host is banned if it has generated "maxretry" during the last "findtime" # # seconds. findtime = 30 # # "maxretry" is the number of failures before a host get banned. maxretry = 5 # Override /etc/fail2ban/jail.d/00-firewalld.conf: banaction = iptables-multiport [sshd] enabled = true filter = sshd-aggressive port = ssh logpath = /var/log/secure maxretry = 3 findtime = 30 bantime = 86400 |
Add a custom section after the ddos one:
|
1 |
custom = ^%(__prefix_line_sl)sDisconnected from <HOST> port [0-9]+ \[preauth\]$ |
This line matches whoever tries to connect without a proper ssh key.
Add this line to include custom to the sshd-aggressive setup:
|
1 2 3 |
aggressive = %(normal)s %(ddos)s %(custom)s |
Ensure certain traffic goes to a certain server (master), you can use this:
|
1 2 3 4 |
<LocationMatch "^/wordpress/wp-admin/?.*> ProxyPreserveHost On ProxyPass http://ip.of.master.server/ </LocationMatch> |
For a better setup with Variables, just follow the… following steps 🙂
We need to setup some environment variables to get this to work correctly.
Add the following to your environment on the slave server(s):
RHEL/CentOS: /etc/sysconfig/httpdi
|
1 2 |
OPTIONS="-DSLAVE" export MASTER_SERVER="SERVERIP HERE" |
Ubuntu: /etc/apache2/envvars
|
1 2 |
export APACHE_ARGUMENTS="-DSLAVE" export MASTER_SERVER="SERVERIP HERE" |
In your VirtualHost configuration do something like the following.
|
1 2 3 4 5 6 7 8 9 |
<IfDefine SLAVE> RewriteEngine On ProxyPreserveHost On ProxyPass /wp-admin/http://${MASTER_SERVER}/wp-admin/ ProxyPassReverse /wp-admin/http://${MASTER_SERVER}/wp-admin/ RewriteCond %{REQUEST_METHOD} =POST RewriteRule . http://${MASTER_SERVER}%{REQUEST_URI} [P] </IfDefine> |
If you want to apply this globally, edit /etc/httpd/conf/httpd.conf (Centos). Otherwise, just modify the related vhost config file, adding the following:
|
1 2 3 4 5 6 7 |
ServerSignature Off SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot <Location /> Order allow,deny Allow from all Deny from env=bad_bot </Location> |
Check if the site responds:
|
1 2 3 4 5 6 7 8 9 10 |
$ curl -I http://www.mywebsite.com HTTP/1.1 200 OK Date: Thu, 13 Nov 2014 17:12:16 GMT Server: Apache Last-Modified: Thu, 13 Nov 2014 16:00:35 GMT ETag: "1fa5dc-9dd5-507bf9cd66ec0" Accept-Ranges: bytes Content-Length: 40405 Vary: Accept-Encoding,Cookie Content-Type: text/html; charset=UTF-8 |
Check if the agent libwww-perl is allowed or forbidden:
|
1 2 3 4 5 6 |
$ curl -A "libwww-perl" -I http://www.mywebsite.com HTTP/1.1 403 Forbidden Date: Thu, 13 Nov 2014 17:12:51 GMT Server: Apache Vary: Accept-Encoding Content-Type: text/html; charset=iso-8859-1 |
Check if using Mozilla as agent works or not:
|
1 2 3 4 5 6 7 8 9 10 |
$ curl -A "Mozilla/5.0 (iPhone; U; CPU PerformanceOptimized iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" -I http://www.mywebsite.com HTTP/1.1 200 OK Date: Thu, 13 Nov 2014 17:13:27 GMT Server: Apache Last-Modified: Thu, 13 Nov 2014 16:00:35 GMT ETag: "1fa5dc-9dd5-507bf9cd66ec0" Accept-Ranges: bytes Content-Length: 40405 Vary: Accept-Encoding,Cookie Content-Type: text/html; charset=UTF-8 |
Test loading speed ignoring Varnish
>> adding “Cookie: NO_CACHE=1” will make Varnish to pass the request directly to Apache
|
1 |
time curl -I http://example.com/pagetotest -H "Cookie: NO_CACHE=1" |
If your server is under a load balancer, you might see HTTP requests coming from the Load Balancer’s IP instead of the actual visitor. Generally, load balancers are “recording” the original source IP in the X-Forwarded-For header. This means that this is the header that we need to log in our Apache logs to get the information that we want.
Here how to make this happen:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
Default rule: LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined Modified rule that includes the X-Forwarded-For definition: LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined ============================================== >> Best way: On httpd.conf: ===================== SetEnvIfNoCase X-Forwarded-For "." from_proxy=1 LogFormat "%{CF-Connecting-IP}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ======================= On vhost.conf ============================ CustomLog /var/log/httpd/vhost-access.log forwarded env=from_proxy CustomLog /var/log/httpd/vhost-access.log combined env=!from_proxy ============================ |
This can be added in vhost configuration OR in .htaccess file
How to rewrite all web request on my site without www to www.domain.com
|
1 2 |
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC] RewriteRule (.*) http://www.example.com$1 [R,L] |
How to redirect all web requests on port 80 (or HTTP) to port 443 (HTTPS)
|
1 2 |
RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] |
How to disable TRACE and TRACK methods on Apache
|
1 2 |
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] |
How to exclude mod_status from being rewritten by existing rules (placed before the problem rule)
|
1 |
RewriteCond %{REQUEST_URI} !=/server-status |
How do I redirect all web requests on www.mysite.net/web to www.mysite.net/sect1/web
|
1 2 |
RewriteCond %{http_host} ^[www\.]*example\.com RewriteRule ^web(/)?$ /sect1/web [R=301,L] |
Rewrite all non-www to www
|
1 2 3 |
RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. [NC] RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] |
Force all URLs to be lowercase
|
1 2 3 4 |
RewriteEngine On RewriteMap lc int:tolower RewriteCond %{REQUEST_URI} [A-Z] RewriteRule (.*) ${lc:$1} [R=301,L] |
WITHOUT disabling MOD_PHP in Apache
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
>> Compile module: yum -y install httpd-devel gcc mkdir /tmp/fastcgi cd /tmp/fastcgi wget https://github.com/whyneus/magneto-ponies/raw/master/mod_fastcgi-SNAP-0910052141.tar.gz tar -zxf mod_fastcgi* cd mod_fastcgi-* make -f Makefile.AP2 top_dir=/usr/lib64/httpd cp .libs/mod_fastcgi.so /usr/lib64/httpd/modules/ >> Enable the module: echo "LoadModule fastcgi_module /usr/lib64/httpd/modules/mod_fastcgi.so" > /etc/httpd/conf.d/fastcgi.conf >> Install php-fpm and create pools like this: [$USER] listen = /dev/shm/$USER-php5-fpm.sock user = $USER group = $USER listen.owner = $USER listen.group = apache listen.mode = 0666 pm = dynamic pm.max_children = 35 pm.start_servers = 5 pm.min_spare_servers = 5 pm.max_spare_servers = 25 slowlog = /var/log/php-fpm/$USER-slow.log php_admin_value[error_log] = /var/log/php-fpm/$USER-error.log php_admin_flag[log_errors] = on >> Add this in the VHOST configuration (before the end of </VirtualHost>) FastCGIExternalServer /dev/shm/$USER-php.fcgi -socket /dev/shm/$USER-php5-fpm.sock -flush -idle-timeout 1800 AddHandler php-fpm .php Action php-fpm /php.fcgi Alias /php.fcgi /dev/shm/$USER-php.fcgi DirectoryIndex index.php <FilesMatch "\.php$"> SetHandler php-fpm </FilesMatch> >> Double check php.ini for 'session.save_path'. session.save_path = "/tmp" ;session.save_path = "/var/lib/php/session" |