
April 19, 2017

Northeast Ohio Drupal User Group 1

Drupal Hosting

Security: PSA came out Monday regarding a d8 release for Wednesday. The notice suggested that it was a serious flaw and exploits were expected within short order after the details are released, so the early notice was to serve as warning for maintainers to plan time to upgrade immediately.

https://www.drupal.org/SA-CORE-2017-002

This issue affects sites using the RESTful Web Services module (rest) that allow PATCH requests. It also requires that the user is able to log in, but the security advisory suggests that a self-created user account would be sufficient. No more details were presented in the advisory and I didn’t have time to look into it further, but apparently under those conditions an attacker would be able to bypass access checks.


Before we start, where is everyone’s knowledge of the basic hosting concepts? I’ll try to adjust my explanations to match what people need: I don’t want to get too technical if we have some non-technical users here, but I won’t go over the basics if everyone already understands them.

I use Ubuntu + apache with mod_fastcgi, php + fpm, and MySQL. I also have some sites using varnish and memcache for performance. I have dedicated web servers and db servers so each can be tuned for its purpose.


• Disk
  • Space requirements may seem trivial, but consider the final product
  • Drupal core requires something like 25MB.
  • Contrib projects can take you into the triple-digits if you’re really going wild, but really if you’re getting tight on disk space at that point, you probably shouldn’t be running this yourself.
  • More important consideration is space for the database, which can be 100MB+ for a base install, but depending on your content can grow quite large. Your content dictates these requirements, not Drupal.
  • Also consider the filesystem: if you’ll be managing a lot of media files, they can accumulate and consume a lot of space. Many components in Drupal generate multiple-sized derivatives of images to optimize delivery, and they can add up as well.
  • Performance of your disk subsystem is critical. Your disk will likely be the slow point and it can really drag things down. All through the stack, a fast disk will speed things up.


• RAM
  • Minimums for Drupal core are 32MB for 7 and 64MB for 8.
  • “However, while these values may be sufficient for a default Drupal installation, a production site with a number of commonly used modules enabled could require more memory. Typically 128 MB or 256 MB are found in production systems.” – from Drupal’s PHP requirements page
  • At least a couple of GB, but realistically you just need a boatload of RAM.
  • If every component of Drupal is bootstrapped (i.e. core and all contrib modules, which isn’t a typical page load, but it does happen at some points), that PHP process can consume up to 128MB
  • PHP’s memory limit (more on that later) needs to be set high enough to accommodate this type of load, and your server will need enough memory to accommodate that number times as many concurrent PHP processes as you would expect for your traffic.
  • There are some ways to offset how much stuff needs to be concurrently processed. MySQL needs a lot of memory too to perform well. Just about every performance-tuning tip you’ll see about MySQL will suggest that you throw more RAM at it (or a solid state HD, which is essentially more memory). If you can fit your entire DB in RAM, that’d be great, although generally, not practical.
  • There are some optional components that will benefit from more RAM, and we’ll talk about these in more detail later (if time allows)
    • PHP opcache
    • memcache or redis
    • varnish


https://www.drupal.org/docs/7/system-requirements/overview


I believe it’s no longer the default, but mod_mpm_prefork was at one time the default. Event and worker are better.

Apache needs to interface with PHP. Again, I think it’s no longer the default, but at one point, mod_php was the way apache and PHP loaded out of the box. Use a CGI method (mod_fcgid or mod_fastcgi) to interface with PHP.
• Mod_php will load the entire PHP code into the apache processes, resulting in each of those processes consuming all of that memory for its lifetime
  • Limits concurrent http requests to available memory
  • Requests for static content have the same big footprint as php requests
  • With those limited resources then, static requests can block php requests and vice-versa

• If you have control of the server-level, you can place your Drupal-level configuration in the VirtualHost or Server-level configuration rather than .htaccess. This improves performance a bit because it’s preloaded rather than on-demand.


Ubuntu 16.04 LTS bumped their default PHP version to 7. Earlier LTS versions were 5, so I’m sticking with that.


Set these things to sensible defaults for your work load. Max request size will affect things like file uploads, so you’ll want to consider what your users will need to do. Same with processing time. Processing time is tricky and things you might not expect will happen here. This refers to the time that PHP will wait to finish processing the request, but it is somewhat isolated. If you have a DB query that runs longer than your timeout value here, the query will continue running indefinitely, even though the php process and HTTP request have terminated. Obviously, you don’t want long running queries, but if you have one, you should know that this value will not protect against them.


• MySQL 5.5+ will cover all Drupal Versions
• Percona Server is a performance fork of MySQL that can be used as a drop-in replacement (although I have no experience actually running it)
• For Drupal 7: PostgreSQL 8.3+
• For Drupal 8: PostgreSQL 9.1.2+
• Drupal 7+ uses the PHP PDO Extension


See https://dev.mysql.com/doc/refman/5.5/en/mysqld-option-tables.html for a reference to these options


Many components, including Drupal core, perform some email sending.
• It may be beneficial to set up a local postfix MTA to handle mail if your site will handle more than the basics (user account notifications and such).
• For mission-critical email delivery, you will need to consider the reputation of your network and properly set up outbound mail handling or contract an external SMTP mail relay

Some components of your site may require DNS lookups. Traffic volume can create big delays for hostname lookups. A local caching dns server is very helpful here. Dnsmasq is simple and easy to set up. It’s also designed specifically for this type of use, making it easy to set up local overrides to things that might be presented by the public DNS (e.g. referring to local resources by their private IP address instead of the public address returned by an upstream DNS server).

Some way of controlling the traffic flow is helpful as well. Having an easy way to quickly ban bad actors is helpful.


Opcache is fairly straightforward to implement.

PHP’s opcache is built in; you just have to enable it in php.ini.

Memcache, redis, and varnish require some adjustments to Drupal’s default behavior.
• Memcache and redis have modules that replace the default caching behavior to place those things in memory
• Varnish requires enabling external caching in Drupal core
  • There’s a module that interfaces with the varnish software to purge cached items
  • External caching is an option in d7+, but d6 required replacing core with Pressflow, a fork of d6 that brought in some performance enhancements, including external caching


Drush is the “DRUpal SHell”

Some things like cache-clearing, module installations, updates, cron, and other admin-level operations predictably use more resources and take (often significantly) more time to accomplish than what your typical users will do.

Since php’s CLI can use a separate config, you can allow CLI processes to run longer and use more memory, then tune those things down in the public-facing config. If you do that, make sure you restrict who can do those things from the UI, or you might end up with a partially rebuilt cache because someone thought it was a good idea to do that on the front end.

I restrict access to cron.php at the apache level and have drush run it instead.


Known patterns of mischief:
• Direct requests for non-clean URLs
• User login requests referred from /node/add
• Requests for wp-admin (and other Wordpress signatures – these requests are fishing for vulnerabilities and misconfigured things, you know they’re up to no good)
• Look at your logs for patterns. Block them as early as possible in your setup (at the firewall level or at the apache access level). I issue a 404 rather than a 401. These are usually bots and a 401 (Forbidden) can clue them into the existence of something, where a 404 says it’s not there. Doing this at the apache level or the firewall level avoids a Drupal bootstrap to issue the error.
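As an added example (not code from the talk), a small PHP script that scans Apache combined-format log lines for the three patterns above and tallies hits per client IP, so the result can feed a firewall or apache deny list; the log lines are constructed samples and the exact request shapes (paths, Referer) are my assumptions.

```php
<?php
// Added example, not code from the talk: scan Apache "combined" log lines for the
// patterns of mischief listed above and tally hits per client IP. The log lines are
// constructed samples and the request shapes are assumptions. Needs PHP 7.0+.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [19/Apr/2017:10:01:02 -0400] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2017:10:01:03 -0400] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Apr/2017:10:02:10 -0400] "POST /user/login HTTP/1.1" 200 5120 "http://example.com/node/add" "Mozilla/5.0"
192.0.2.9 - - [19/Apr/2017:10:03:15 -0400] "GET /?q=node/1 HTTP/1.1" 200 8192 "-" "curl/7.47"
192.0.2.10 - - [19/Apr/2017:10:04:00 -0400] "GET /node/1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
LOG;

// combined format: host ident user [time] "method path proto" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Name the pattern a request matches, or return null for ordinary traffic.
function classify($method, $path, $referer) {
    // Direct requests for non-clean URLs (?q=...) on a site that serves clean URLs.
    if (preg_match('/[?&]q=/', $path)) {
        return 'non-clean-url';
    }
    // Login submissions whose Referer claims they came from /node/add.
    if ($method === 'POST' && strpos($path, '/user/login') === 0
        && preg_match('#/node/add(?:[/?]|$)#', $referer)) {
        return 'login-from-node-add';
    }
    // WordPress signatures on a Drupal site are fishing for things that aren't there.
    if (preg_match('#^/(wp-admin|wp-login\.php|wp-content|xmlrpc\.php)#', $path)) {
        return 'wordpress-probe';
    }
    return null;
}

// Returns [ip => [pattern => count]] for every line that matched a pattern.
function tallySuspicious($log) {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) continue; // not combined format; skip, don't guess
        $pattern = classify($m[2], $m[3], $m[5]);
        if ($pattern !== null) {
            $hits[$m[1]][$pattern] = ($hits[$m[1]][$pattern] ?? 0) + 1;
        }
    }
    return $hits;
}

// One IP per line with its reasons, for a firewall or deny-list script to consume.
foreach (tallySuspicious(SAMPLE_LOG) as $ip => $patterns) {
    printf("%-15s %s\n", $ip, json_encode($patterns));
}
```

On the sample above, 203.0.113.7 is reported with two wordpress-probe hits, 198.51.100.4 with one login-from-node-add hit and 192.0.2.9 with one non-clean-url hit, while the ordinary /node/1 request produces nothing.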

User registration spam by bots is a HUGE problem and there are a number of modules and services to help with it. But they all respond to nuisance requests that have already occurred, Honeypot being the one exception. Blocking the pattern of behavior before it occurs is better, if you can detect it.

N.B. – These are pretty specific and advanced cases, so don’t implement them on your own without fully understanding them and accounting for alternatives. E.g. don’t block cron unless you have truly implemented a way for drush to handle it exclusively.


Example:

I had a remote server (out of my control) serving up images that were being consumed by imagecache, which resized and manipulated them on demand. When an error occurred with that remote server, the home page of several sites that displayed the derivative images started timing out (the dreaded WSOD). The usual suspects did not apply: long-running queries, a flood of traffic tying up connections, a corrupted (partially rebuilt) cache.

Turns out, the code used the php copy() function, which initiated a remote HTTP request with a default timeout of something like 60 seconds. The PHP request was timing out before that occurred. It was helpful to understand the complete anatomy of the request to know why that was occurring. Once found, I was able to change the timeout on those remote requests to a very short period so the end-user’s request wouldn’t time out.
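As an added example (not the talk's own code), this is how the fix described above can be expressed in PHP: a stream context gives copy() its own short timeout for the remote HTTP request, so a stalled upstream server fails fast instead of outliving PHP's max_execution_time. The URL, paths and the 2-second value are placeholders.

```php
<?php
// Added example, not the talk's code: fetch a remote image for local processing with
// an explicit, short timeout on the copy() call, so a stalled upstream server fails
// fast instead of outliving PHP's max_execution_time. URL and paths are placeholders.

function fetchRemoteImage($url, $dest, $timeoutSeconds = 2.0) {
    // Without a context, copy() waits on the remote host for default_socket_timeout
    // (60 seconds out of the box), which can be longer than max_execution_time.
    $context = stream_context_create([
        'http' => [
            'timeout'         => $timeoutSeconds, // socket timeout for the http wrapper, in seconds
            'follow_location' => 0,               // don't chase redirects in the middle of a page request
        ],
    ]);
    // @ silences the wrapper warning; failure is reported through the return value.
    $ok = @copy($url, $dest, $context);
    if (!$ok) {
        $err = error_get_last();
        error_log(sprintf('remote fetch failed for %s: %s', $url, $err['message'] ?? 'unknown error'));
    }
    return $ok;
}

// During a derivative build, fall back to a local placeholder rather than letting the
// end user's whole page request time out.
$source = 'https://images.example.invalid/photo.jpg';   // placeholder URL
$local  = sys_get_temp_dir() . '/photo-source.jpg';
if (!fetchRemoteImage($source, $local)) {
    $local = __DIR__ . '/placeholder.jpg';              // placeholder path
}
```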


Most of my hosting experience is doing my own. By trial and error. Much error.

Be wary of those that offer 1-click installs and Drupal hosting for practically nothing. I’ve had experience with GoDaddy and Hostgator’s cheapo options and they’re really inadequate for all but the simplest of sites.

In my limited experience, I like what I’ve seen from Pantheon and Acquia. I was trying to get one of my sites moved up to Pantheon ahead of this talk, just so I could offer some personal experience there, but I wasn’t able to. But their specs and the way they appear to have things tuned mesh really well with my experience running my own environments. Their tools and deployment workflow are ideal as well.
