Joomla on Raspberry Pi using Nginx
Overview Presentation
1. Introduction
LAMP Stack:
2. Raspbian
3. Nginx
4. MySQL
5. PHP
6. phpMyAdmin
7. Joomla
8. Performance
9. Security
>>> Sheets at: www.db8.nl <<<
1. Introduction – Raspberry Pi
Goal – education
Today's engineers: computer experience on home computers
Youth of today: computer classes = operate software, click menus and swipe yourself to death ...
1. Introduction – Raspberry Pi
Benefits RPi
– Small
– Dirt cheap: $ 35 → 38 Euro
– Low power (3.5 Watt)
– No moving parts → Silent
– “De facto” standard (2 types)
– Much documentation (Linux & RPi)
– Many documented applications
– Much additional hardware
– Much software
1. Introduction – Raspberry Pi
Hardware
– Single-board computer, 700 MHz
– RAM 512 MByte (1st version: 256 MByte)
– Graphics: Broadcom VideoCore IV
– Connections: SD card, Micro USB power plug (5 V 1 A – 3.5 Watt), Ethernet, HDMI & RCA video, audio, 2x USB, GPIO
1. Introduction – Raspberry Pi
Community
– Use
– Software
– Hardware
– Case
LAMP Stack
LAMP → LEMP Stack
– L: Linux → Raspbian (Debian for RPi)
– E: Apache → Nginx [“engine x”]
– M: MySQL
– P: PHP (+ phpMyAdmin)
2. Raspbian Linux – Operating System
2. Raspbian
a) Installation
b) Connect to Network
c) Update OS
d) Backup
e) Configuration
f) Internet Access
2a. Raspbian
Download Raspbian image: http://www.raspberrypi.org/downloads
2013-07-26-wheezy-raspbian.zip (518.5 MiB)
Unzip to ~/rpi/2013-07-26-wheezy-raspbian.img (1.8 GB)
2a. Raspbian – Installation SD Card
SD Card: http://elinux.org/RPi_Easy_SD_Card_Setup
“gparted”: partition table, unformatted
Determine location: “dmesg”
“dd” = “dump disk”; CAREFUL: “data destroyer”!
– bs=BYTES (read and write BYTES bytes at a time)
– if=FILE (read from FILE instead of stdin)
– of=FILE (write to FILE instead of stdout)
2a. Raspbian – Installation SD Card
$ dmesg
[..]
[45.361488] wlan0: no IPv6 routers present
[265.278325] mmc0: new high speed SDHC card at address 0002
[265.284831] mmcblk0: mmc0:0002 7.68 GiB
[265.284912] mmcblk0: p1
$
2a. Raspbian – Installation SD Card
Linux: sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/mmcblk0
Mac OS X: sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/disk1 {write to the whole disk, not to a partition such as disk1s1; unmount it first with diskutil unmountDisk /dev/disk1}
Windows: dd bs=1M if=c:\temp\2013-07-26-wheezy-raspbian.img of=e
2a. Raspbian – Installation SD Card
$ sudo dd bs=1M if=~/rpi/2013-07-26-wheezy-raspbian.img of=/dev/mmcblk0
{± 4.5 minutes later}
1850+0 records in
1850+0 records out
1939865600 bytes (1.9 GB) copied, 252.656 s, 7.7 MB/s
$ sudo sync
2b. Raspbian – Connect your RPi
2b. Raspbian – IP Address?
Android / iPhone: Overlook Fing
2b. Raspbian – IP Address?
$ nmap -sP 192.168.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2013-04-07 14:15 CEST
Host 192.168.0.1 is up (0.0018s latency).
Host 192.168.0.14 is up (0.014s latency).
Host 192.168.0.15 is up (0.010s latency).
Host 192.168.0.16 is up (0.048s latency).
Host 192.168.0.17 is up (0.0092s latency).
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.94 seconds
$
2b. Raspbian – SSH Login
$ ssh pi@192.168.0.16
The authenticity of host '192.168.0.16 (192.168.0.16)' can't be established.
RSA key fingerprint is 12:11:07:6b:c9:ac:ff:01:7b:2f:aa:a5:ef:02:c7:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.16' (RSA) to the list of known hosts.
pi@192.168.0.16's password: raspberry
2b. Raspbian – SSH Login
Linux raspberrypi 3.6.11+ #371 PREEMPT Thu Feb 7 16:31:35 GMT 2013 armv6l
The programs included with the Debian GNU/Linux system are free software;
[..]
NOTICE: the software on this Raspberry Pi has not been fully configured. Please run 'sudo raspi-config'
pi@raspberrypi ~ $
2b. Raspbian – SSH Login
$ sudo raspi-config
1. expand_rootfs – use full capacity of SD card
2. memory_split – shrink GPU RAM to 16 MB
– Update & change password
– reboot
2c. Raspbian – Update!
{update repository information}
pi@raspberrypi ~ $ sudo apt-get update
{takes ± 30 seconds}
{upgrade Raspbian OS}
pi@raspberrypi ~ $ sudo apt-get upgrade
{takes ± 22 minutes}
2d. Raspbian – Backup SD Card
Shut down securely: $ sudo shutdown -h now
Remove SD card & put it in the PC
Backup: $ sudo dd if=/dev/mmcblk0 of=~/rpi/sd-card-rpi-20130421.bin
2e. Raspbian – Hostname
{change hostname: @raspberrypi → @rpi}
pi@raspberrypi ~ $ sudo nano /etc/hostname
raspberrypi → rpi
pi@raspberrypi ~ $ sudo nano /etc/hosts
127.0.1.1 raspberrypi → 127.0.1.1 rpi
{restart hostname process}
pi@raspberrypi ~ $ sudo /etc/init.d/hostname.sh start
pi@rpi ~ $
2e. Raspbian – User & Password 1/2
pi@rpi ~ $ sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
pi@rpi ~ $ exit
Logout
ssh root@192.168.0.16
{rename user & user directory}
root@rpi ~# usermod -l peter pi
root@rpi ~# usermod -m -d /home/peter peter
2e. Raspbian – User & Password 2/2
{test new account}
ssh peter@192.168.0.16
peter@rpi ~$ sudo apt-get update
{works ok? Disable root !!!}
peter@rpi ~$ sudo passwd -l root
passwd: password expiry information changed.
peter@rpi ~$ passwd
Changing password for peter.
(current) UNIX password:
2e. Raspbian – Time Zone
peter@rpi ~ $ date
Sun Apr 21 11:15:00 UTC 2013
peter@rpi ~ $ sudo dpkg-reconfigure tzdata
Current default time zone: 'Europe/Amsterdam'
Local time is now: Sun Apr 7 13:15:00 CEST 2013.
Universal Time is now: Sun Apr 7 11:15:00 UTC 2013.
peter@rpi ~ $
2f. Raspbian – Internet access
Internet: DNS → domain name “petermartin.nl”
Modem/router: LAN IP 192.168.0.1
LAN: Raspberry Pi 192.168.0.x
2f. Raspbian – Internet access
Internet: DNS “A” record for “petermartin.nl” → 1.2.3.4 (your public IP, see www.whatsmyip.org)
Modem/router: LAN IP 192.168.0.1
LAN: Raspberry Pi 192.168.0.9
2f. Raspbian – Internet access
Modem/Router → firewall > Port Forwarding
– SSH traffic = IP 192.168.0.9, port 22
– Web traffic = IP 192.168.0.9, port 80
– HTTPS traffic = IP 192.168.0.9, port 443
Raspberry Pi → Static IP
2f. Raspbian – Static IP Address
peter@rpi ~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
peter@rpi ~ $ sudo nano /etc/network/interfaces
{change:}
iface eth0 inet dhcp
{to:}
iface eth0 inet static
address 192.168.0.9
netmask 255.255.255.0
gateway 192.168.0.1
3. Nginx webserver
3. Nginx
Nginx [engine x]
– High performance: dynamic pages = FAST & static = very FAST!
– Low memory usage (useful on RPi!)
– Easy configuration
– Automatic configuration test after changes
– Reverse proxy capabilities
Nginx popularity (netcraft.com May 2013):
– > 100 million sites
– 15.5 % of all sites (Apache 53%, IIS 16.6%)
– Top million busiest websites: 1. Apache 57.4%, 2. Nginx 13.5%
3. Nginx – Popularity
3. Nginx – Installation
peter@rpi ~ $ sudo apt-get install nginx
Reading package lists... Done
[..]
Need to get 2,132 kB of archives.
After this operation, 6,200 kB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up nginx (1.2.1-2.2) ...
peter@rpi ~ $
3. Nginx – Configuration
peter@rpi ~ $ sudo nano /etc/nginx/nginx.conf
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
peter@rpi ~ $ sudo /etc/init.d/nginx start
3. Nginx – Websites
Browse URL http://192.168.0.9/ or http://petermartin.nl
Result:
Welcome to nginx!
3. Nginx – Virtual domains
Create virtual sites:
1. Location & index.html: /var/www/petermartin.nl/index.html
2. Configuration file for site: /etc/nginx/sites-available/petermartin.nl
3. Activate with symbolic link to config file: /etc/nginx/sites-enabled/petermartin.nl
4. Nginx load new config file: $ sudo /etc/init.d/nginx reload
3. Nginx – Virtual domains
peter@rpi ~ $ sudo nano /var/www/petermartin.nl/index.html
petermartin.nl
Welcome to JandBeyond 2013!
Website: petermartin.nl
3. Nginx – Virtual domains
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    listen 80;
    server_name petermartin.nl www.petermartin.nl;
    root /var/www/petermartin.nl;
    access_log /var/log/nginx/petermartin.nl.access_log;
    error_log /var/log/nginx/petermartin.nl.error_log info;
    location / {
        index index.php index.html index.htm;
    }
}
3. Nginx – Virtual domains
peter@rpi ~ $ sudo ln -s /etc/nginx/sites-available/petermartin.nl /etc/nginx/sites-enabled/petermartin.nl
peter@rpi ~ $ sudo /etc/init.d/nginx reload
Reloading nginx configuration: nginx.
3. Nginx – Virtual domains
Browser: http://192.168.0.9/petermartin.nl
Welcome to JandBeyond 2013! Website: petermartin.nl
Error? 404 Not Found nginx/1.2.1
→ Check error log file: $ cat /var/log/nginx/petermartin.nl.error_log
4. MySQL Database Server
4. MySQL
Joomla 2.5+ = no SQLite driver available
Configuration during installation: User: root, Password: databasepassword
Secure live site with: $ sudo mysql_secure_installation
4. MySQL – Installation
peter@rpi ~ $ sudo apt-get install mysql-server
Reading package lists... Done
[..]
Need to get 9,603 kB of archives.
After this operation, 91.1 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Setting up mysql-server (5.5.30+dfsg-1)...
Processing triggers for menu ...
peter@rpi ~ $ sudo mysql_secure_installation
5. PHP
5. PHP – php5 + packages:
– php5-fpm: FastCGI Process Manager, an interpreter that runs as a daemon and receives FastCGI requests
– php5-mysql: modules for MySQL database connections directly from PHP scripts
– php5-cli: command-line interpreter
– php5-curl: library for getting files from FTP & HTTP servers
5. PHP – Installation
peter@rpi ~ $ sudo apt-get install php5-fpm php5-mysql
Reading package lists... Done
[..]
Setting up php5 (5.4.4-14)...
Processing triggers for php5-fpm...
[ ok ] Restarting PHP5 FastCGI Process Manager: php5-fpm.
peter@rpi ~ $
5. PHP – configuration petermartin.nl
pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
add:
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
}
5. PHP – Result
Test with phpinfo(): $ sudo nano /var/www/petermartin.nl/test.php with the code:
<?php echo "test"; phpinfo(); ?>
Use browser to open file http://192.168.0.9/petermartin.nl/test.php
6. phpMyAdmin
6. phpMyAdmin
Database GUI
– http://192.168.0.9/phpmyadmin/
Secure:
– Add to one virtual domain only → 1 should be enough!
– Limit to 1 IP address
6. phpMyAdmin – Installation
peter@rpi ~ $ sudo apt-get install phpmyadmin
Reading package lists... Done
[..]
Need to get 6,092 kB of archives.
After this operation, 16.6 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
[..]
Web server to reconfigure automatically: none
Configure database for phpmyadmin with dbconfig-common? N
Creating config file /etc/phpmyadmin/config-db.php with new version
peter@rpi ~ $
6. phpMyAdmin – config petermartin.nl
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
6. phpMyAdmin – config petermartin.nl
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
{Limit access to only one IP address?}
location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    allow 4.3.2.1;
    deny all;
    location ~ ^/phpmyadmin/(.+\.php)$ {
    [..]
7. Joomla
7. Joomla
Download Joomla to RPi using wget
Create database, e.g. use phpMyAdmin http://192.168.0.9/phpmyadmin/ database: “petermartin”
Use browser to start Joomla's web installer
7. Joomla – Installation petermartin.nl
peter@rpi ~ $ cd /var/www/petermartin.nl
peter@rpi ~ $ sudo wget http://joomlacode.org/gf/download/frsrelease/18323/80368/Joomla_3.1.1-Stable-Full_Package.zip
peter@rpi ~ $ sudo unzip -x Joomla_3.1.1-Stable-Full_Package.zip
7. Joomla – Installation petermartin.nl
Webinstaller: http://192.168.0.9/petermartin.nl/
– configuration.php Writeable: No → solve permission problem: $ sudo chown -R www-data:www-data /var/www/petermartin.nl
– SEF links: .htaccess → virtual domain configuration: try_files $uri $uri/ /index.php?q=$request_uri;
7. Joomla – SEF URLs
peter@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
location / {
    index index.php index.html index.htm;
    try_files $uri $uri/ /index.php?q=$request_uri;
}
8. Performance
8. Performance
“The need for speed”
– Visitors + Google indexing
Test different configurations
– Server settings, Joomla settings, Joomla extensions (templates + plugins)
Testing, testing, one, two
– Joomla! Debug Console > Profile Information
– Browser plugins, e.g. YSlow
8. Performance
Test: Refresh (3x) → new setting → Refresh (3x) & compare
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM
8. Performance – Nginx + PHP-FPM
PHP-FPM
– Socket vs Port?
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
“socket connections are around 10-15% faster than TCP/IP connections because it saves passing the data over the different layers of the TCP/IP stack”
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip
8. Performance – Joomla gzip
Before
– 1. Application 2.517 seconds (+0.037); 4.67 MB (+0.035) - afterRender
After Global Configuration > Server > Gzip Page Compression
– 1. Application 3.009 seconds (+0.038); 4.67 MB (+0.035) - afterRender
– 2. Application 2.503 seconds (+0.037); 4.67 MB (+0.035) - afterRender
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache
8. Performance – Joomla cache
Before
– Application 2.707 seconds (+0.037); 4.67 MB (+0.035) - afterRender
After Global Configuration > System > Cache* > ON Progressive caching
– 1. Application 2.718 seconds (+0.051); 4.69 MB (0.027) - afterRender
– 2. Application 1.543 seconds (+0.114); 4.02 MB (+0.051) - afterRender
– 3. Application 1.426 seconds (+0.265); 3.95 MB
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip
8. Performance – Nginx gzip
pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf
# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml;
8. Performance – Nginx gzip
Before
– Application 1.447 seconds (+0.274); 3.95 MB (+0.334) - afterRender
After gzip in Nginx
– 1. Application 1.421 seconds (+0.267); 3.95 MB (+0.334) - afterRender
– 2. Application 1.436 seconds (+0.274); 3.95 MB (+0.334) - afterRender
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache
8. Performance – Nginx cache
pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl
server {
    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }
}
8. Performance – Nginx cache
Before
– Application 1.459 seconds (+0.301); 3.95 MB (+0.334) - afterRender
After
– 1. Application 1.464 seconds (+0.308); 3.95 MB (+0.334) - afterRender
– 2. Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC
8. Performance – Alternative PHP Cache
pi@rpi ~ $ sudo apt-get install php-apc php-pear php5-dev build-essential libpcre3-dev
{Settings in php.ini}
pi@rpi ~ $ sudo pear config-set php_ini /etc/php5/fpm/php.ini
pi@rpi ~ $ sudo pecl config-set php_ini /etc/php5/fpm/php.ini
{Download/compile/install APC}
pi@rpi ~ $ sudo pecl install apc
8. Performance – Alternative PHP Cache
Before
– Application 1.459 seconds (+0.299); 3.95 MB (+0.334) - afterRender
After install APC: restart nginx AND php-fpm!!!
– $ sudo /etc/init.d/nginx restart
– $ sudo /etc/init.d/php5-fpm reload
– 1. Application 1.813 seconds (+0.311); 4.52 MB (+0.403) - afterRender
– 2. Application 0.696 seconds (+0.198); 2.00 MB (+0.148) - afterRender
– 3. Application 0.727 seconds (+0.221); 2.00 MB (+0.148) - afterRender
8. Performance – Alternative PHP Cache
APC GUI: $ sudo cp /usr/share/doc/php-apc/apc.php /var/www/petermartin.nl/apc.php
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo
8. Performance – Joomla Plugins
Less data traffic:
– Combine CSS / JavaScript
– Minify CSS / JavaScript
– Gzip CSS / JavaScript
Joomla plugins, e.g.
– JCH Optimize
– Jbetolo
– Yireo Script Merge
Plugins vs manual
8. Performance – Joomla Plugins
JCH Optimize, before
– Application 0.772 seconds (+0.071); 2.03 MB (-0.080) - afterRender
After
– 1. Application 0.864 seconds (+0.341); 2.06 MB (+0.177) - afterRender
– 2. Application 1.723 seconds (+0.170); 2.43 MB (-0.019) - afterRender
– 3. Application 1.016 seconds (+0.118); 2.08 MB (-0.029) - afterRender
– 4. Application 0.691 seconds (+0.217); 2.05 MB (+0.172) - afterRender
8. Performance – Joomla Plugins
jbetolo, before
– Application 0.620 seconds (+0.165); 2.00 MB (+0.148) - afterRender
After
– 1. Application 1.810 seconds (+1.234); 2.31 MB (+0.233) - afterRender
– 2. Application 0.751 seconds (+0.222); 2.27 MB (+0.193) - afterRender
– 3. Application 0.769 seconds (+0.223); 2.27 MB (+0.193) - afterRender
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcached
8. Performance – Memcached
pi@rpi ~ $ sudo apt-get install memcached php5-memcache
{Download/compile/install memcache}
pi@rpi ~ $ sudo pecl install memcache
{Restart services}
pi@rpi ~ $ sudo service nginx restart
pi@rpi ~ $ sudo service mysql restart
pi@rpi ~ $ sudo service php5-fpm restart
pi@rpi ~ $ sudo service memcached restart
8. Performance – Memcached
Before
– Application 0.677 seconds (+0.198); 2.00 MB (+0.148) - afterRender
After
– 1. Application 1.673 seconds (+0.320); 4.52 MB (+0.403) - afterRender
– 2. Application 0.721 seconds (+0.199); 2.00 MB (+0.148) - afterRender
– 3. Application 0.705 seconds (+0.211); 2.00 MB (+0.148) - afterRender
– 4. Application 0.678 seconds (+0.199); 2.00 MB (+0.148) - afterRender
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcached 9. Overclocking
8. Performance – Overclocking $ sudo raspi-config
8. Performance – Overclocking
Before
– Application 0.678 seconds (+0.210); 2.00 MB (+0.151) - afterRender
After
– Application 0.649 seconds (+0.171); 2.05 MB (+0.153) - afterRender
– Application 0.579 seconds (+0.169); 2.00 MB (+0.151) - afterRender
– Application 0.596 seconds (+0.167); 2.00 MB (+0.151) - afterRender
– Application 0.620 seconds (+0.167); 2.00 MB (+0.151) - afterRender
– Application 0.583 seconds (+0.167); 2.00 MB (+0.151)
8. Performance – 10 ways to optimize 1. Nginx + PHP-FPM 2. Joomla gzip 3. Joomla cache 4. Nginx gzip 5. Nginx cache 6. APC 7. JCH Optimize / jbetolo 8. Memcached 9. Overclocking 10. Cryogenics
8. Performance – Cryogenics
Superconducting computers
– Superconductivity in certain materials when cooled below a characteristic critical temperature
Cool down RPi?
– Fridge: RPi = small, but not enough room for beer :-(
– Not cool enough... < 123 K ( = −150 °C, −238 °F)
Liquid nitrogen or liquid helium?
– Couldn't decide which... performance gain when cooling down: N/A
8. Performance – My RPi
Every server/site: different configuration for performance
My RPi:
– PHP-FPM: fastcgi_pass to Unix socket (not IP+port)
– Joomla: (progressive) cache (2.7 -> 1.4 sec)
– Alternative PHP Cache (1.4 -> 0.7 sec)
9. Security
9. Security – 10 Aspects 1. Change default username “pi” & password 2. Backup !!! 3. Study logfiles (e.g. with “Logwatch”)
9. Security – ssh logfiles
/var/log/auth.log
Apr  8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr  8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr  8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  8 22:49:07 rpi sshd[10816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 59.175.148.95 port 44636 ssh2
Apr  8 22:49:10 rpi sshd[10816]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr  8 22:49:13 rpi sshd[10820]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  8 22:49:13 rpi sshd[10820]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 59.175.148.95 port 46051 ssh2
Apr  8 22:49:16 rpi sshd[10820]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr  8 22:49:19 rpi sshd[10824]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
9. Security – ssh logfiles
peter@rpi ~$ whois 59.175.148.95
% [whois.apnic.net node-5]
% Whois data copyright terms     http://www.apnic.net/db/dbcopyright.html

inetnum:        59.174.0.0 - 59.175.255.255
netname:        CHINANET-HB
descr:          CHINANET Hubei province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN

role:           CHINANET HB ADMIN
address:        8th floor of JinGuang Building
address:        #232 of Macao Road
address:        HanKou Wuhan Hubei Province P.R.China
country:        CN
phone:          +86 27 82862199
fax-no:         +86 27 82861499
e-mail:         [email protected]
remarks:        send spam reports to spam_hb@public.wh.hb.cn
remarks:        and abuse reports to abuse_hb@public.wh.hb.cn
remarks:        Please include detailed information and times in GMT+8
9. Security – 10 Aspects 1. Change default username “pi” & password 2. Backup !!! 3. Study logfiles (e.g. with “Logwatch”) 4. Block ssh root login ! 5. Block portscans -> Firewall
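Item 4 (block ssh root login) and the closing item 10 (key-based instead of password login) are both sshd_config settings. The following is an added example, not code from the slides or from OpenSSH: a small auditor that parses an sshd_config and reports whether PermitRootLogin and PasswordAuthentication are off. It models two sshd_config rules that are easy to get wrong by hand: sshd keeps the first value it reads for a keyword (a later "PermitRootLogin no" does not override an earlier "yes"), and settings under a Match block are conditional, so they are ignored for the global verdict. The sample configs are constructed; the defaults assumed are those of OpenSSH 6.x as shipped with Raspbian wheezy.

```python
"""Audit sshd_config for root login and password login (added example)."""
import re

# Assumed defaults of OpenSSH 6.x (Raspbian wheezy era); newer releases differ.
ASSUMED_DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "port": "22",
}

ROOT_FINDING = "PermitRootLogin is not 'no': root can log in over ssh"
PASSWORD_FINDING = "PasswordAuthentication is not 'no': password logins still accepted"


def parse_sshd_config(text):
    """Return the effective global settings as {keyword_lowercase: value}."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return settings


def effective(settings, key):
    """Value sshd will use: configured value, else the assumed default."""
    return settings.get(key, ASSUMED_DEFAULTS.get(key, "")).lower()


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both slide items are met."""
    settings = parse_sshd_config(text)
    findings = []
    if effective(settings, "permitrootlogin") != "no":
        findings.append(ROOT_FINDING)
    if effective(settings, "passwordauthentication") != "no":
        findings.append(PASSWORD_FINDING)
    return findings


# Constructed config in the state the slides warn about. The late
# "PermitRootLogin no" has no effect because sshd keeps the first value.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# an attempt to harden it further down, too late:
PermitRootLogin no
"""

# Constructed hardened config; the Match block re-enables passwords for one
# user only and must not change the global verdict.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

The first-value-wins rule is why a hardening line appended to the end of a distribution sshd_config can silently do nothing; checking the parsed result rather than grepping the file catches that.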
9. Security – Firewall
{check Firewall}
peter@rpi ~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
{create rules for Firewall}
peter@rpi ~$ sudo nano /etc/iptables.firewall.rules
9. Security – Configure Firewall 1/2
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
9. Security – Configure Firewall 2/2
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
# iptables-restore requires the table to be closed with COMMIT
COMMIT
9. Security – Activate Firewall 1/2
{activate Firewall}
peter@rpi ~$ sudo iptables-restore < /etc/iptables.firewall.rules
{check Firewall}
peter@rpi ~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
9. Security – Activate Firewall 2/2
{script: activate Firewall at reboot}
peter@rpi ~$ sudo nano /etc/network/if-pre-up.d/firewall
{put in /etc/network/if-pre-up.d/firewall}
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
{set script permissions}
peter@rpi ~$ sudo chmod +x /etc/network/if-pre-up.d/firewall
9. Security – Automate Firewall
9. Security – Fail2Ban
Scan logfiles & take action automatically
“Jail” configuration
– If an entry in a logfile matches a “filter” “n” times
– Put IP on blocklist for “x” minutes
– /etc/fail2ban/jail.conf → default
– /etc/fail2ban/jail.local → “override”
Filters
– /etc/fail2ban/filter.d/
– Regex “ROOT LOGIN REFUSED”, “POSSIBLE BREAK-IN ATTEMPT!”, “Failed password” etc...
9. Security – Fail2Ban
{install Fail2Ban}
peter@rpi ~$ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.
{check failed login attempts}
peter@rpi ~$ cat /var/log/fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6
{check Firewall}
peter@rpi ~$ sudo iptables -L
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  test123.example.com  anywhere
RETURN     all  --  anywhere             anywhere
9. Security – 10 Aspects 1. Change default username “pi” & password 2. Backup !!! 3. Study logfiles (e.g. with “Logwatch”) 4. Block ssh root login ! 5. Block portscans -> Firewall 6. Block scriptkiddies
9. Security – Webserver access logs
/var/log/nginx/petermartin.nl.access_log
198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
9. Security – Fail2Ban configuration
{no w00tw00t for you ;-)}
peter@rpi ~$ sudo nano /etc/fail2ban/filter.d/nginx-w00tw00t.conf
# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $
[Definition]
# Option: failregex
# Notes.: <HOST> is Fail2Ban's placeholder for the client address that gets banned
failregex = ^<HOST> -.*GET.*(w00tw00t|/setup\.php|/wp-login\.php)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
9. Security – Fail2Ban configuration
{activate nginx-w00tw00t filter}
peter@rpi ~$ sudo nano /etc/fail2ban/jail.local
[nginx-w00tw00t]
enabled = true
port = http,https
filter = nginx-w00tw00t
logpath = /var/log/nginx/*access_log
maxretry = 0
bantime = 600
{restart Fail2Ban}
peter@rpi ~$ sudo /etc/init.d/fail2ban restart
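The jail logic from the Fail2Ban slides (a filter regex with <HOST>, matched "n" times within a window, then a ban for "x" seconds) applied to the two log formats shown on the slides, as an added example that is neither the slides' nor fail2ban's own code. The nginx filter is the nginx-w00tw00t failregex above with its maxretry = 0; the sshd filter is a simplified version written for this example, and the maxretry/findtime/bantime values for it are chosen for the demonstration. The <HOST> expansion is reduced to an IPv4 address (real fail2ban also matches hostnames and IPv6), and the log lines are constructed with documentation addresses.

```python
"""Fail2Ban-style jail replay over sshd and nginx log lines (added example)."""
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The slides' nginx-w00tw00t failregex, and a simplified sshd filter (assumption).
NGINX_FAILREGEX = r"^<HOST> -.*GET.*(w00tw00t|/setup\.php|/wp-login\.php)"
SSHD_FAILREGEX = r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2"


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex containing <HOST> into a Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


class Jail:
    """Minimal model of one jail: filter + maxretry / findtime / bantime."""

    def __init__(self, failregex, maxretry, findtime, bantime):
        self.regex = compile_failregex(failregex)
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}  # host -> timestamps of recent matches
        self.bans = {}      # host -> time the ban expires

    def is_banned(self, host, now):
        return host in self.bans and now < self.bans[host]

    def process(self, line, now):
        """Feed one log line stamped `now`; return the host if this line bans it."""
        match = self.regex.search(line)
        if not match:
            return None
        host = match.group("host")
        if self.is_banned(host, now):
            return None
        recent = [t for t in self.failures.get(host, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[host] = recent
        # fail2ban bans once the count reaches maxretry, so maxretry = 0 (as in
        # the slides' nginx-w00tw00t jail) bans on the very first match.
        if len(recent) >= self.maxretry:
            self.bans[host] = now + self.bantime
            self.failures[host] = []
            return host
        return None


def sshd_time(line):
    """Syslog stamp "Apr  8 22:49:04" (no year; relative timing is all we need)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def nginx_time(line):
    """Combined-log stamp "[30/Mar/2013:16:47:49 +0100]"."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def run_jail(jail, lines, time_of):
    """Replay log lines through a jail; return the hosts banned, in order."""
    banned = []
    for line in lines:
        host = jail.process(line, time_of(line))
        if host:
            banned.append(host)
    return banned


# Constructed log lines in the formats shown on the slides (documentation IPs).
SSHD_LOG = [
    "Apr  8 22:49:04 rpi sshd[10812]: Failed password for root from 203.0.113.7 port 43066 ssh2",
    "Apr  8 22:49:09 rpi sshd[10816]: Failed password for root from 203.0.113.7 port 44636 ssh2",
    "Apr  8 22:49:12 rpi sshd[10818]: Failed password for invalid user admin from 203.0.113.8 port 50010 ssh2",
    "Apr  8 22:49:15 rpi sshd[10820]: Failed password for root from 203.0.113.7 port 46051 ssh2",
    "Apr  8 22:49:21 rpi sshd[10824]: Failed password for root from 203.0.113.7 port 46052 ssh2",
    "Apr  8 22:50:01 rpi sshd[10830]: Accepted publickey for peter from 192.0.2.10 port 51000 ssh2",
]
NGINX_LOG = [
    '198.51.100.23 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"',
    '192.0.2.10 - - [30/Mar/2013:16:47:50 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"',
    '192.0.2.10 - - [30/Mar/2013:16:48:10 +0100] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.40 - - [30/Mar/2013:16:49:00 +0100] "GET /wp-login.php HTTP/1.1" 404 47 "-" "Mozilla/5.0"',
]


def simulate_sshd():
    """ssh jail with values chosen for this example: 3 failures in 10 min -> 10 min ban."""
    return run_jail(Jail(SSHD_FAILREGEX, maxretry=3, findtime=600, bantime=600), SSHD_LOG, sshd_time)


def simulate_nginx():
    """nginx-w00tw00t jail as on the slides: maxretry = 0, bantime = 600."""
    return run_jail(Jail(NGINX_FAILREGEX, maxretry=0, findtime=600, bantime=600), NGINX_LOG, nginx_time)


if __name__ == "__main__":
    print("ssh jail bans:", simulate_sshd())
    print("nginx-w00tw00t jail bans:", simulate_nginx())
```

Replaying constructed lines like this is a cheap way to check a new failregex before enabling the jail: the legitimate /administrator/index.php request is not matched, the scanner is banned on its first w00tw00t line and its later setup.php probe is ignored because the host is already banned. Real fail2ban additionally parses the timestamp from each line with its own date patterns and keeps the ban list in iptables (the fail2ban-ssh chain shown earlier).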
9. Security – 10 Aspects
1. Change default username “pi” & password
2. Backup !!!
3. Study logfiles (e.g. with “Logwatch”)
4. Block ssh root login !
5. Block portscans -> Firewall
6. Block scriptkiddies
7. SSL certificate for /administrator/
8. Block phpmyadmin (allow 1 specified IP)
9. Backup !!!
10. Passwordless login? SSH shared keys
No time left for:
Send Email from RPi:
– Joomla's notifications & contact forms
– Logwatch mails
→ Exim MTA (Mail Transfer Agent)
Questions?
Presentation is available at www.db8.nl
Peter Martin e-mail: info at db8.nl website: www.db8.nl
Used photos
Chinese Raspberry Pie nr. 1 - Koen Mol http://www.sxc.hu/photo/346723
Switched On Tech Design - www.sotechdesign.com.au
Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981
Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923
Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214
File Overload - Bob Smith http://www.sxc.hu/photo/367985
Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696
Man Made - "csremedy" http://www.sxc.hu/photo/1267108
digital world - ilker http://www.sxc.hu/photo/1206711
Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765
laptop 2 - emre nacigil http://www.sxc.hu/photo/810741
Speedometer – Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189
Secure - Frank Köhne http://www.sxc.hu/photo/962334
Professor Tiger - Gabriel Doyle http://www.sxc.hu/photo/526749
signs - Jason Antony, http://www.sxc.hu/photo/751034
Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215