Code, InfoSec and Server Stuff
Views are my own and not my employer's
Here is how I added two subdomains (one pointing to a new UpCloud VM and the other pointing to an NGINX subsite) on Ubuntu 18.04.
Read the full article here: https://fearby.com/article/adding-two-sub-domains-one-pointing-to-a-new-upcloud-vm-and-the-other-pointing-to-an-nginx-subsite-on-ubuntu-18-04/
This guide will show you how to enable the latest Transport Layer Security (TLS) 1.3 protocol with it’s predecessor Secure Sockets Layer (SSL) with NGINX and OpenSSL for better website security on an Ubuntu 16.04 server
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. Making sure your server is up to date and running the latest SSL software is important. I have updated Open SSL before and blogged about this here. Do backup your server before changing settings and if you use Cloudflare (if you don’t do it now) enable Development Mode (and disable caching until changes are made).
For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
TLS 1.3 is the latest SSL security protocol that can be used between clients and servers to encrypt connections on the web.
TLS 1.3 uptake is only 60% according to https://caniuse.com/#search=TLS%201.3
Read why TLS 1.3 is important and news on TLS 1.3 can be found here: https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
The Good and Bad
Done be like this commercial site with very poor security (tested with SSL labs and asafaweb)
Here is what the top 1 million sites do
Here it is!! Alexa Top 1 Million Analysis – February 2018 https://t.co/TjBHNX7zTi
— Scott Helme (@Scott_Helme) February 26, 2018
Installing Open SSL on Ubuntu
Connect to your Ubuntu 16.04 server via SSH (I connected to my Vultr server)
Check what version of OpenSSL you have? My OpenSSL is out of date.
1 2 | # openssl version OpenSSL 1.1.0g 2 Nov 2017 |
Tip: What Ciphers does your Open SSL Support?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | openssl ciphers -s -v ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1 ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 |
Time to update Open SSL
OpenSSL 1.1.1 beta is available and supports TLS 1.3 but it is n BETA form. OpenSSL code is available here.
I did the following to download and build the latest version of OpenSSL.
1 2 3 4 5 6 7 | mkdir /openssltemp cd /openssltemp sudo git clone git://git.openssl.org/openssl.git cd openssl/ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,-rpath,/usr/local/ssl/lib make sudo make install |
I tried to check the open SSL version but had an error?
1 2 3 | openssl version openssl: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl) openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by openssl) |
A quick GitHub ticket revealed I needed to set a path variable.
1 2 | export LD_LIBRARY_PATH=/usr/local/lib echo "export LD_LIBRARY_PATH=/usr/local/bin/openssl" >> ~/.bashrc |
Open SSL now reports it’s version.
1 2 | openssl version OpenSSL 1.1.1-pre3 (beta) 20 Mar 2018 |
What version NGINX do you have (1.13 supports TLS 1.3) read here
1 2 | # nginx -v nginx version: nginx/1.13.9 |
Backup your NGINX
Do backup your server files and take a snapshot if need be. I am not responsible;e for a broken server,
1 | sudo cp -R /etc/nginx/ /nginx-backup-26thMar-2018 |
Edit NGINX Configuration
Update NGINX configuration: /etc/nginx/sites-available/default
1 2 3 4 | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ecdh_curve secp384r1; |
tip: Review other NGINX hardening settings here. Also remove TLSv1.0
I tested my NGINX config loaded them and restarted NGINX
1 2 3 | nginx -t nginx -s reload /etc/init.d/nginx restart |
Check the status of NGINX
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | # /etc/init.d/nginx status [ ok ] Restarting nginx (via systemctl): nginx.service. ● nginx.service - A high performance web server and a reverse proxy server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Active: active (running) Docs: man:nginx(8) Process: 15154 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS) Process: 15162 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Process: 15159 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) Main PID: 15166 (nginx) Tasks: 4 Memory: 2.3M CPU: 27ms CGroup: /system.slice/nginx.service ├─15166 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; ├─15170 nginx: worker process ├─15171 nginx: cache manager process └─15172 nginx: cache loader process |
If you have configured Cloudflare then log in and enable TLS support.
Enable TLS 1.3 in Chrome by visiting chrome://flags/#tls13-variant This should be automatic in later versions of Chrome and other browsers.
Verify TLS
I used the developer tools in Chrome to confirm the page was verified in TLS 1.3.
Updated to 1.1.1-pre6-dev
1 2 3 4 5 6 7 8 9 10 11 | mkdir /temp cd /temp sudo git clone https://github.com/openssl/openssl.git cd openssl/ ./config --prefix=/usr/local --openssldir=/usr/local -Wl,-rpath,/usr/local make sudo make install openssl OpenSSL> version OpenSSL 1.1.1-pre6-dev xx XXX xxxx OpenSSL> exit |
Don’t forget to test your SSL strength with https://dev.ssllabs.com/ssltest/
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.4 fixed typo
v1.3 added bad ssl cert.
v1.2 ssl test v1.1 updated to 1.1.1-pre6-dev
v1.0 Initial post
It is possible to deploy a server in minutes to hours but it can take days to secure. What tools can you use to help identify what to secure on your website?
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line, installing a Free SSL certificate and setting up SSL security.
Security Tools
Qualys SSL Labs SSL Tester is the best tool for checking an SSL certificate strength
Most people don’t know Qualys also has another free (limited to 10 scans) vulnerability scanner for websites.
Goto https://freescan.qualys.com/ and click Start your free account.
Complete the signup form
Now check your email to login and confirm your email account
Login now from the email.
Create a password (why the 25 char max Qualys?)
Enter your website URL and click Scan
The scan can take hours
While the scan was being performed I noticed that Qualys offers alerts (I’ll check this out later): https://www.qualys.com/research/security-alerts/
Yes, the scan can take hours, take a walk or read other posts here.
The scan is almost complete
Yay, my latest scan revealed 0 High, 0 Medium and 0 Low-risk vulnerabilities.
It did report 23 informational alerts like “Firewall Detected“.
Threat Report Results
Patch Report Results
This report was empty (probably because I don’t run Windows)
Threat Report Results
The OWASP report contained partial scan results (maybe the full report is available to pro users)
Previous Scan Results
The Qualys dashboard will show all past scans.
My first scan showed a Low priority issue with the /wp-login.php page as the input fields did not have “autocomplete=”off””, I fixed this by adding “autocomplete=”off”” the removing the page (safer).
The second scan found two issues with cookies (possibly ad banner cookies) and 2 subfolders that I created in past development exercises. I deleted the two sub-folders that were not needed.
The third scan was clean.
Here is a scan of a static website of a friends server (static can be less secure if the server underneath is old or unpatched).
Happy scanning. I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.1 Static Web Server Scan
v1.0 Initial post
This guide will show how you can set up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. This post will show how to let Cloudflare handle the DNS for the domain.
Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
Snip from here “Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.”
Buy a Domain
Buy a domain name from Namecheap here.
Cloudflare Benefits (Free Plan)
View paid plan options here.
Cloudflare CDN map
Cloudflare CDN says it can load assets up to 2x faster, 60% less bandwidth from your servers by delivering assets from 127 data centres.
Setup
You will need to sign up at cloudflare.com
After you create an account you will be prompted to add a site
Cloudflare will pull your public DNS records to import.
You will be prompted to select a plan (I selected free)
Verify DNS settings to import.
You will now be asked to change your DNS nameservers with your domain reseller
TIP: If you have an SSL cert (e.g Lets Encrypt) already setup head to the crypto section and select ” Full (Strict)” to prevent ERR_TOO_MANY_REDIRECTS errors.
Cloudflare UI
I asked Twitter if they could kindly load my site so I could see if Cloudflare dashboard/stats were loading.
Could I kindly ask if you are reading this that you visit https://t.co/9x5TFARLCt, I am writing a @Cloudflare blog post and need to screenshot stats. Thanks in advance
— Simon Fearby (Developer) (@FearbySoftware) March 13, 2018
The Cloudflare CTO responded. 🙂
Sure thing 🙂
— John Graham-Cumming (@jgrahamc) March 13, 2018
Confirm Cloudflare link to a domain from the OSX Comand line
1 2 3 | host -t NS fearby.com fearby.com name server dane.ns.cloudflare.com. fearby.com name server nora.ns.cloudflare.com. |
Caching Rule
I set up the following caching rule to cache everything for 8 hours instead of WordPress pages
“fearby.com.com/wp-*” Cache level: Bypass
“fearby.com.com/wp-admin/post.php*” Cache level: Bypass
“fearby.com/*” Cache Everything, Edge Cache TTL: 8 Hours
Cache Results
Cache appears to be sitting at 50% after 12 hours. having cache os dynamic pages out there is ok unless I need to fix a typo, then I need to login to Cloudflare and clear the cache manually (or wait 8 hours)
Performance after a few hours
DNS times in gtmetrix have now fallen to a sub 200ms (Y Slow is now a respectable A, it was a C before). I just need to wait for caching and minification to kick in.
webpagetest.org results are awesome
See here: https://www.webpagetest.org/result/180314_PB_7660dfbe65d56b94a60d7a604ca250b3/
Google Page Speed Insights Report
Mobile: 78/100
Desktop: 87/100
Check with https://developers.google.com/speed/pagespeed/insights/
Update 24th March 2018 Attacked?
I noticed a spike in and traffic (incoming and threats) on the 24th of March 2018.
I logged into Cloudflare on my mobile device and turned on Under Attack Mode.
Cloudflare was now adding a delay screen in the middle of my initial page load. Read more here. A few hours after the Attach started it was over.
After the Attack
I looked at the bandwidth and found no increase in traffic from my initial host VM. Nice.
Thanks, Cloudflare.
Cloudflare Pros
Cloudflare Cons
Cloudflare status
Check out https://www.cloudflarestatus.com/ for status updates.
Don’t forget to install the CloudFlare Plugin for WordPress if you use WordPress.
More Reading
Check out my OWASP Zap and Kali Linux self-application Penetration testing posts.
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.8 host Command from the OSX CLI
v1.7 Subdomain error
v1.6 Cloudflare Attack
v1.5 WordPress Plugin
v1.4 More Reading
v1.3 added WAF snip
v1.2 Added Google Page Speed Insights and webpage rest results
v1.1 Added Y-Slow
v1.0 Initial post
Chrome 65 beta has added SEO to audits in the Developer Tools Audit tab.
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line.
When you develop any site you need to perform regular audits to ensure it is up-to-date and compliant. Google Chrome has audit tools built right in (Chrome 65 has SEO audit tools (yay)
Chrome 64Developer Tools – Audit tool.
Chrome 64 Audit Scan options
Chrome 64 Audit Results
The performance results seem off given I have set up a CDN, optimized WordPress.
Time to download Chrome 65 beta and get new audit tools.
Chrome version confirmed
Audit Options
Chrome 65 Audit Results
Hmmm, results are different (same website, network and time)
Chrome 64 Audit Results:
Chrome 65 BETA Audit Results:
Google recommends you load pages in under 1s, I would suggest using multiple tools to indicate site speed.
https://gtmetrix.com is a great site for testing your sites speed. I used GT Metrix to move my site from 26s to 6 by setting up a WordPress CDN, moving away from CPanel to a self-managed server on Vultr then to 4s with optimising PHP by setting up child workers.
https://www.webpagetest.org is also good for testing websites.
I will continue to use Chrome Audit Tools for other results like SEO
That’s weird Chrome Audit Tools, I thought I did not have meta tags?
I downloaded the WP Meta SEO plugin, I use the wp command from the SLI (setup guide here)
1 2 3 4 | cd /www/wp-content/plugins/ wget https://downloads.wordpress.org/plugin/wp-meta-seo.3.6.6.zip unzip wp-meta-seo.3.6.6.zip rm -R wp-meta-seo.3.6.6.zip |
I activated the plugin in WordPress the loaded the dashboard. WP Meta SEO asked to import data from the Yoast plugin.
Now I can see my metadata is falling behind.
With WP Meta SEO I was able to apply individual page Meta tags.
I added the following meta tags with WP Meta SEO plugin for each page (the metadata below was for this page)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | <meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="twitter:image" content="https://fearby-com.exactdn.com/wp-content/uploads/2018/02/php_pool_featured.jpg" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:site" content="@FearbySoftware" /> <meta name="twitter:domain" content="Programming, IoT and Server Stuff" /> <meta name="twitter:description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta name="twitter:title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta property="og:image" content="https://fearby-com.exactdn.com/wp-content/uploads/2018/02/php_pool_featured.jpg" /> <meta property="og:site_name" content="Programming, IoT and Server Stuff" /> <meta property="og:description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta property="og:url" content="https://fearby.com/article/how-to-setup-php-fpm-on-demand-child-workers-in-php-7-x-to-increase-website-traffic/" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta name="description" content="How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic" /> <meta name="keywords" content="Setup PHP FPM on demand child workers in PHP 7.x" /> <meta name="title" content="Setup PHP FPM on demand child workers in PHP 7.x" /> |
fyi
I use the free version of the Yoast for SEO plugin in WordPress. The premium version has a lot more to offer, I might have to check Premium out.
I am now on the hunt for meta plugins for WordPress
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.2 WP-Meta SEO
v1.1 Added webpagetest.org link and results
v1.0 Initial post
This blog post will show you how to setup PHP FPM on-demand child workers in PHP 7.x to increase website traffic.
Advertisement:
My blog was experiencing a number of slow page loads and often running “sudo service php7.0-fpm restart” would resolve the problem. I have blogged before about setting up Ubuntu Servers on AWS, Digital Ocean and Vultr but this post is about debugging and speeding up PHP on Ubuntu self-managed servers.
Background
I tried the normal tweaks in “/etc/php/7.0/fpm/php.ini” like
1 | memory_limit = 512M |
I setup servers like this.
Temporary Fix
I had even set up a temporary NGINX and php7.0-fpm restart ever 5 and 1-minute respectively until I had time to look into this.
1 2 | */5 * * * * /etc/init.d/nginx restart * * * * * sudo service php7.0-fpm restart |
Debug
I checked out the PHP7.0-fpm.log and I found the following
1 2 3 4 5 6 7 8 9 | [25-Feb-2018 16:35:35] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 17:02:26] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 17:51:09] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 18:18:51] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 20:58:12] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 21:02:57] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 21:30:58] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 21:35:10] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it [25-Feb-2018 23:36:28] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it |
Setting up a PHP-FPM pool
Read the official guide here on configuring PHP FPM pools etc.
I edited “/etc/php/7.0/fpm/pool.d/www.conf” and added the following to set up a pool of PHP-FPM servers.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | ; Note: This value is mandatory. pm = dynamic ; The number ocf child processes to be created when pm is set to 'static' and the ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. ; This value sets the limit on the number of simultaneous requests that will be ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP ; CGI. The below defaults are based on a server without much resources. Don't ; forget to tweak pm.* to fit your needs. ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' ; Note: This value is mandatory. pm.max_children = 40 ; The number of child processes created on startup. ; Note: Used only when pm is set to 'dynamic' ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 10 ; The desired minimum number of idle server processes. ; Note: Used only when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic' pm.min_spare_servers = 5 ; The number of seconds after which an idle process will be killed. ; Note: Used only when pm is set to 'ondemand' ; Default Value: 10s pm.process_idle_timeout = 30s; ; The number of requests each child process should execute before respawning. ; This can be useful to work around memory leaks in 3rd party libraries. For ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. ; Default Value: 0 pm.max_requests = 250 |
You may need more or fewer child processes depending on your needs and free memory.
After editing the PHP-FPM config file restart PHP-FPM
1 | sudo service php7.0-fpm restart |
Restart Nginx
1 | sudo /etc/init.d/nginx restart |
You will be able to view the PHP child process status by typing the following
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | service php7.0-fpm status ● php7.0-fpm.service - The PHP 7.0 FastCGI Process Manager Loaded: loaded (/lib/systemd/system/php7.0-fpm.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2018-02-26 00:33:17 AEDT; 5min ago Docs: man:php-fpm7.0(8) Main PID: 1284 (php-fpm7.0) Status: "Processes active: 0, idle: 10, Requests: 56, slow: 0, Traffic: 0.2req/sec" Tasks: 11 Memory: 330.1M CPU: 39.558s CGroup: /system.slice/php7.0-fpm.service ├─1284 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf) ├─1503 php-fpm: pool www ├─1504 php-fpm: pool www ├─1505 php-fpm: pool www ├─1506 php-fpm: pool www ├─1507 php-fpm: pool www ├─1508 php-fpm: pool www ├─1509 php-fpm: pool www ├─1511 php-fpm: pool www ├─1512 php-fpm: pool www └─1513 php-fpm: pool www Feb 25 10:33:16 servername systemd[1]: Starting The PHP 7.0 FastCGI Process Manager... Feb 25 10:33:17 servername systemd[1]: Started The PHP 7.0 FastCGI Process Manager. |
You can use htop (commands here) to see child PHP processes in the pool and to verify free memory.
This command is good for watching free memory on a server
1 | watch -n 1 'free -m' |
I prefer to use up free memory (if available) and leave about 100mb free.
1 2 3 4 5 | Every 1.0s: free -m Mon Feb 26 00:47:55 2018 total used free shared buff/cache available Mem: 992 518 120 40 353 280 Swap: 0 0 0 |
Hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.0 Initial Post
Adminer is a free GUI tool that can you can easily install on a PHP web server. Adminer allows you to easily connect to your MySQL instance, create databases/tables/indexes/rows and backup/import databases and much more.
Advertisement:
You can read my other posts on Useful Linux Terminal Commands and Useful OSX Terminal Commands.
I used to use phpMyAdmin to manage MySQL databases on AWS, Digital Ocean and Vultr but switched to Adminer due to forgotten issues. You can always manage MySQL via command line but that is quite boring.
The below screenshots were taken on my local Development Mac Laptop (with optional OSX Apache SSL Setup (that reports “Not Secure” (but it is good enough to use locally)). I prefer to code in SSL and warn when SSL is not detected.
Downloading and Installing Adminer
Navigate to https://www.adminer.org/ and click Download.
Click English only (.php file)
Save the Adminder for MySQL (.php) file to your web server and give it a random name and put in a folder also with a random name (I use https://www.grc.com/passwords.htm to generate strong password).
Tip: Uploading this file to a live serve offers hackers and unauthorized people potential access to your MySQL server. I would remove this file from live serves when you are not using it not to be sure.
Tip: Read my guide here on setting up NGINX, MySQL and PHP here. Basically I did this to setup MySQL on Ubuntu 16.04.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | sudo apt-get install mysql-common sudo apt-get install mysql-server mysql --version >mysql Ver 14.14 Distrib 5.7.19, for Linux (x86_64) using EditLine wrapper sudo mysql_secure_installation >Y (Valitate plugin) >2 (Strong passwords) >N (Don't chnage root password) >Y (Remove anon accounts) >Y (No remote root login) >Y (Remove test DB) >Y (Reload) service mysql status > mysql.service - MySQL Community Server |
TIP: Ensure MySQL is secure and has a good root password, also consider setting up Ubuntu Firewalls and Securing Ubuntu. Also ensure the Server is patched and does not have exploits like Spectre and meltdown.
Now you can access your Admirer php file on your Web Server (hopefully with an obfiscated name).
Login to Adminer with your MySQL root password.
Click Create databaase
Give the database a name and choose the character coding standard (e.g UTF8 ceneral ci). Different standards have different performance impacts too.
Now that you have a database you can create a table.
Consider adding an auto-incrementing ID and say a Key and Value varchar column.
When the table is created you can add a row to the table.
I created one with a “TestKey” and “TestValue” row.
The row was inserted.
The final thing to do is add a database user that code can connect to the database with. Click Privileges.
Click Create user
Tick All privileges and click Save
Now the user is added to the database
Let’s create a PHP file and talk to the database. Let’s use parameterized queries
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 | <?php date_default_timezone_set('Australia/Sydney'); echo "Last modified: " . date ("F d Y H:i:s.", getlastmod()) . "<br /><br />"; // Turn on if you need to see errors // error_reporting(E_ALL); // ini_set('display_errors', 0); $dbhost = '127.0.0.1'; $dbname = 'dbtest'; $dbusername = 'dbtestuser'; $dbpassword = '*****************************************''; $con = mysqli_connect($dbhost, $dbusername, $dbpassword, $dbname); // Turn on debug stuff if you need it // echo var_dump($con); // printf(" - Error: %s.n", $stmt->error); if($con->connect_errno > 0){ printf(" - Error: %s.n", $stmt->error); die("Error: Unable to connect to MySQL"); } else { echo "Charset set to utf8<br />"; mysqli_set_charset($con,"utf8"); } if (!$con) { echo "Error: Unable to connect to MySQL (E002)" . PHP_EOL; echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL; echo "Debugging error: " . mysqli_connect_error() . PHP_EOL; exit; } else { echo "Database Connection OK<br />"; echo " Success: A proper connection to MySQL was made! The $dbname database is great." . PHP_EOL . "<br />"; echo " - Host information: " . mysqli_get_host_info($con) . PHP_EOL . "<br />"; echo " - Server Info: '" . mysqli_get_server_info($con) . "'<br />"; echo " - Server Protocol Info : ". mysqli_get_proto_info($con) . "<br />"; echo " - Server Version: " . mysqli_get_server_version($con) . "<br />"; //echo " - Server Connection Stats: " . print_r(vmysqli_get_connection_stats($con)) . "<br />"; echo " - Client Version: " . mysqli_get_client_version($con) . "<br />"; echo " - Client Info: '" . mysqli_get_client_info() . "'<br />"; echo "Ready to Query the database '$dbname'.<br />"; // Input Var's that are parameterized/bound into the query statement $in_key = mysqli_real_escape_string($con, 'TestKey'); // Output Var's that the query fills after querying the database // These variables will be filled with data from the current returned row $out_id = ""; $out_key = ""; $out_value = ""; echo "1. About to query the database: '$dbname'<br />"; $stmt = mysqli_stmt_init($con); $sql = "SELECT testid, testkey, testvalue FROM tbtest WHERE testkey = ?"; echo "SQL: $sql (In = $in_key)<br /"; if (mysqli_stmt_prepare($stmt, $sql)) { echo "2. Query Returned<br />"; /* Type specification chars Character Description i corresponding variable has type integer d corresponding variable has type double s corresponding variable has type string b corresponding variable is a blob and will be sent in packets */ mysqli_stmt_bind_param($stmt, 's', $in_key); mysqli_stmt_execute($stmt); mysqli_stmt_bind_result($stmt, $out_id, $out_key, $out_value); mysqli_stmt_fetch($stmt); // Do something with the 1st returned row echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value <br />";// // Do we have more rows to process while($stmt->fetch()) { // Output returned values echo " - Row: ID: $out_id, KEY: $out_key, VAL: $out_value <br />";// } mysqli_stmt_close($stmt); echo "Done<br />"; } else { echo "3. Error Querying<br/>"; printf(" - Error: %s.n", $stmt->error); } } ?> |
Result
If you don’t have a server check out my guides on AWS, Digital Ocean and Vultr.
Happy coding and I hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.0 Initial Version
I have blogged before about building a server for users to install WordPress, optimizing images in WordPress, deploying WordPress via CLI, moving WordPress, speeding up WordPress and securing WordPress but what do you do if you want a non-WordPress site without the support hassles?
Advertisement:
Recently I gave the https://platforma.ws iOS prototyping library extensions a test. I was delighted to find they had a Web Wireframe Kit (generation suite) for prototyping and exporting working websites. You can try the free version or buy a licence here.
Creating a Website with Platforma Web Wireframe Kit
Goto https://platforma.ws and click HTML Generator (or click here)
You will be presented with an empty website ready for your attention.
Adding Website Elements
It’s as simple as clicking a purple add button.
This reveals a number of HTML templates samples that you can drag and drop to your website design.
You can then choose a category (e.g “Header”) and see the available samples elements.
Simply drag and drop the elements out into your design.
Now, Let’s click the purple Add (in the top left) button and add a sample Header section, sample Contents, sample Slider, sample Body, sample first Call to Action section, sample Pricing Table, sample second Call to Action section, sample Footer section.
30 seconds later and I have generated designed a site ready to edit the exported HTML.
Exporting Your Site from Platforma
Click on the Export button (in the top right).
I was greeted with the following export screen, this page explains the difference in export options: http://app.platforma.ws/docs/
I don’t need “node.js” or “gulp” “Advanced Version” (PUG + STYLUS) so I’ll choose “Simple Version” (HTML + CSS + JS).
You will need to enter a licence key to continue the export.
The website export download came down just fine.
Code
The code looks ok, I did notice that images were missing alt tags so I added those in.
Any Errors in the Code (in Chrome)?
Nope, Chrome loads the code with no errors.
Testing Online
How about HTML5 and WCAG 2.0 AA
I uploaded the zip file to my server (using the scp command), I could have used SFTP.
1 | scp /local/folder/local-file.zip account@www.server.com:/www/destination-folder/ |
I unzipped the site with
1 2 | sudo apt-get install unzip unzip filename.zip |
The site loads just fine in a web browser
Accessibility
I used https://achecker.ca/checker/index.php to test the site with WCAG 2.0 AA, the only remaining issues I found were in relation to the multiple H1, H2 etc tags (this can be fixed by moving the H CSS code to custom classes and removing H1, H2 etc tags altogether (and reference the custom class matching the H* tags)).
fyi: The potential WCAG problems that were being alerted were in relation to…
I tested the sites HTML compliance with https://validator.w3.org/, the code passed with flying colours.
Customizing
I could not find a way to edit the elements in the http://app.platforma.ws/# like the Platforma iOS Adobe XD Kit but you can quickly edit in your HTML after exporting (using your editor of choice like Dreamweaver, Sublime or Notepad).
Conclusion
Platforma Web Wireframe Kit is an essential tool for anyone wanting to build quick web prototype (or even live sites) website for themselves, clients etc. I am very impressed with the code created.
Read More
Check out my guide, Using Adobe XD and Platforma Web Wireframe Kit to prototype an iOS app.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.1 Added more, fixed a bit.
etc
This post shows my never ending quest to speed up WordPress for free.
Advertisement:
I have used to use WP Total Cache in the past but decided to check out what other recommended, I found this post 6 Best WordPress Caching Plugins Compared. Some WordPress Caching Plugins.
What plugin do I use?
Benchmark (No Caching Plugin)
I tested my site before installing a caching plugin with https://www.webpagetest.org/ and my site was loading in 21s (loading over 141 files).
My site loaded in a terrible 21.3 seconds. My blog is hosted on Jumba (Net Registry) on and Ultimate plan for $25 a month.
My site seems to deliver 70% images so I wonder if a page caching plugin can help?
I do run the EWWW Image Optimizer plugin to automatically compress images when I upload them to my site. Read my blog post on the EWWW Image Optimizer here. I do keep images at a high quality to capture all details.
WP Fastest Cache Plugin
I have decided to try the WP Fastest Cache because it’s source was updated 4 hours ago compared to WP Super Cahches update 5 months ago. Both these plugins offer similar GT Metrix performance improvements and WP Fastest Cache has been tested on WordPress v4.8.
Installing WP Fastest Cache
I looked for the WP Fastest Cache Plugin on the WP plugin directory but it was not there.
I downloaded the latest version WP Fastest Cache from https://wordpress.org/plugins/wp-fastest-cache/
I upload the WP Faster Cache plugin to my site.
I Activated the plugin.
WP Fastest Cache plugin is now installed 🙂
It appears to have auto cached/indexed my site?
Now it’s time to run the same benchmark and see if the site is faster (with the same settings (Singapore chrome))?
1 of 3 test are under way.
WP Fastest Cache Results
Wow WP Fastest Cache loaded my site 2 seconds slower (Try 1 = 23 seconds, Try 2 = 21 seconds and Try 3 = 28 Seconds).
This could have been because of weekend traffic or hosting issues but this was not what I expected.
I disabled the WP Fastest Cache plugin and ran the benchmarks again and it was still 23 seconds (weekend traffic?). I re enabled WP Fastest Cache and re ran the test but no improvement.
My bad I think I needed to manually configure the WP Faster Cache plugin by opening the new WP Faster Cache menu on the left-hand side of the WP admin dashboard.
There I enabled caching options in the WP Faster Cache options.
I ran https://www.webpagetest.org tests again and got 16s, 18s and 16s seconds results in three tests and an A on compressed images. It appears you need to manually configure the WP Total Cache plugin after installing it (I missed this step).
I disable WP Fastest Cache and tried the WP Super Cache plugin and the test results were 29s, 24s, 24s (slower than WP Faster Cache). then tried W3 Total cache and the results were ()
I tried the W3 Total Cache plugin and the results were (30s, 16s 26s).
I Tried Autoptimize and it was tested at 45s.
It looks like WP Faster Cache is the fastest, ill turn it back on until try setup a CDN.
Fast Forward to Sept 2017
Since writing this post I have moved away from a shared C-Panel host and have moved my domain to a self-managed Vultr server closer to me, I have moved my email to Google G-Suite. I have learned how to deploy and manage WordPress by command line tools. I have set up servers on Digital Ocean before but the servers are located in Singapore and not Sydney and latency and scalability was poor. SSL will make sites slower and servers far away will just compound the issues.
Re enabling the WP Fastest Cache Plugin
I tried reinstalling the WP Fastest Cache plugin and for me, the plugin just slows down my site by 6 seconds.
I opened my NGINX config and got my NGINX user
1 | sudo nano /etc/nginx/nginx.conf |
My user is: www-data
I enabled the WP Fastest Cache plugin and ensured the WP Fastest Cache has ownership and access to the cache folder.
1 2 3 4 | sudo chown www-data:www-data /www/wp-content/plugins/cache sudo chown www-data:www-data /www//wp-content/plugins/cache/all sudo chmod 755 /www/wp-content/plugins/cache * sudo chmod 755 /www/wp-content/plugins/cache/all * |
Below are the settings I use.
installing the WP-Optimize Plugin
I recommend setting up WP-Optimize plugin as it will optimize your database and keep things fast, it only saves me a second on my load times but this helps.
WP-Optimize will allow for to review database optimizations
Setting up Nginx GZip Compression
I set up my Nginx config to include
1 2 3 4 5 6 7 8 9 | gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; |
I set the minimum size to gzip too
1 | gzip_min_length 20; |
Benchmark with G-Zip, Caching and WP Fastest Cache
With WP Fastest Cache I now load my site in 13.9 seconds from Singapore. Time to disable WP Fastest cache plugin as it does not seem to be helping without linking to a CDN.
Setting up Browser Caching
I also setup browser caching by editing in NginX.
1 | sudo nano /etc/nginx/sites-available/default |
Added
1 2 3 | location ~* \.(jpg|jpeg|png|gif|ico|svg|js|css)$ { expires 365d; } |
Not sure if caching CSS and JS will cause problems in future?
Benchmark with G-Zip, Caching and without WP Fastest Cache (Singapore)
I re-ran the tests and got 10.9 seconds and got a B for cached content. When in Started on C-Panel I was getting near 30s
Benchmark with G-Zip, Caching and without WP Fastest Cache (Sydney)
I have always benchmarked from Singapore (as Sydney was not an option when I started) but now it is. Out f curiosity is my website load time in Sydney?
8.2 seconds. Distance does affect performance.
Google Speed Insights
Google has an awesome tools to help you increase your benchmark mobile and desktop website speeds and reccomend focus areas to resolve problems: https://developers.google.com/speed/pagespeed/insights/
Mobile Speed Score
Desktop Speed Score
Tips
I was getting SVG files failing compassion tests so I added the following under allowed mime types under “http gzip_types” in /etc/nginx/nginx.conf
1 | image/svg+xml text/html+svg |
Minifying JS and CSS
This needs to be done and 50% of my site files appears to be CSS and JS related.
It looks like 30%~40 of your sites google speed index is related to minified/combined JS/CSS.
I installed the Fast Velocity Minify WordPress plugin.
I ran this to install it from the command line
1 2 3 4 5 6 7 8 9 10 11 12 | cd /www/wp-content/plugins# sudo wget https://downloads.wordpress.org/plugin/fast-velocity-minify.2.2.1.zip --2017-09-23 19:51:46-- https://downloads.wordpress.org/plugin/fast-velocity-minify.2.2.1.zip Resolving downloads.wordpress.org (downloads.wordpress.org)... 66.155.40.187, 66.155.40.203, 66.155.40.188, ... Connecting to downloads.wordpress.org (downloads.wordpress.org)|66.155.40.187|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 821621 (802K) [application/octet-stream] Saving to: ‘fast-velocity-minify.2.2.1.zip’ fast-velocity-minify.2.2.1.zip 100%[=================================================>] 802.36K 830KB/s in 1.0s 2017-09-23 19:51:47 (830 KB/s) - ‘fast-velocity-minify.2.2.1.zip’ saved [821621/821621] |
Unzip
1 | sudo unzip merge-minify-refresh.zip |
I activated the plugin and set some settings
Verified minify logs
Google Page Insights can now see the minifies, css, js and html
Google Page Insights – Possible Optimizations
And Google Ad Words and Google Analytics appear to be holding back Google Page Insight scores
I am getting a few false positives with plugins javascript but that can be resolved another day.
Pingdom (Melbourne results)
3.2 seconds, a few false positives though.
I was going to test with https://www.webpagetest.org/ (from Singapore) but the service kept stalling and had too many tests before me (even from Sydney).
Address First Byte Time (todo)
If I look at the first-byte load results in the waterfall view my site is taking many seconds to deliver the first byte, this lowers the performance scores about 20%. I need to setup a CDN and or configure NGINX following this guide based on this manual configuration entry (I tried some of the Nginx settings but it appears I need to compile some performance settings into Nginx).
CDN (todo)
I am sure a Content Delivery Network (CDN) will help with the whole page deliver and first-byte times but I am trying to milk as much free as possible and limit future costs. A CDN will trigger higher monthly costs (any CDN providers want to donate a temporary pro plan for review purposes).
Misc Speed Articles
Configuring Ubuntu for Performance
Preventing applications swapping for disk (read more here)
1 | sudo nano /etc/sysctl.conf |
I added this memory related setting.
1 | vm.swappiness = 1 |
This will all but prevent applications writing to disk (swap) when they are not active. I had free memory on my VM so I may as well use it.
I will monitor the free ram after reboot and play with php memory settings.
Setup Lazyload for images in posts
1 2 3 4 | cd /www/wp-content/plugins/ sudo wget https://downloads.wordpress.org/plugin/bj-lazy-load.zip unzip bj-lazy-load.zip # activate the plugin |
Lazyload Plugin Settings
Placeholder Image ( Image: https://fearby.com/wp-content/uploads/2017/09/placeholder.jpg )
Web Performance Test from Sydney
8.4 seconds ( Score Card F A A A C, was F F F A F ). I was getting up to 28 second load times with Net Registry C Panel servers.
Static Content is cached but Googe Ad Sence, Google Analytics, and some plugins do block the score. The front page does have some features content that has to be loaded and can’t be minified or cached much.
It is obvious I need to work in the initial websitee load (DNS, CDN or SSL), there sis 3 seconds I can save here.
Configuring PHP for Performance
todo: PHP base config.
todo: PHP caching.
Conclusion
I was expecting WP Fastest Cache to deliver faster speeds but in reality but I am getting 4 seconds faster in WordPress. I was going to configure MaxCDN but they are to expensive. Fast Velocity Minify Plugin is working a treat 🙂
I ended up ditching the shared CPanel hosted domain and setup my own server for WordPress. My site seems a lot faster now. A friend set up CloudFlare with great success, more soon. I blogged about my server setup here.
Adding browser cache and compressing and moving away from CPanel to a self-managed server helped.
The only things to try now is to use a CDN and speed up the delivery of my site and improve the First Byte Time.
Donate and make this blog better
Ask a question or recommend an article
Revision History
v1.932 added lazy load information (24th Sep 2017)
v1.952 added small changes (23rd Sep 2017)
etc
