Stroopwafels and Raspberry Pie (Joomla on Raspberry Pi with Nginx)

PowerPoint Presentation

Stroopwafels & Raspberry Pie

Peter Martin, twitter: @pe7er
JandBeyond.org 2013, Sat June 1st 2013

Joomla & Raspberry Pi

Peter Martin, twitter: @pe7er
JandBeyond.org 2013, Sat June 1st 2013

Overview Presentation

1. IntroductionLAMP Stack:

2. Raspbian

3. Nginx

4. MySQL

5. PHP

6. phpMyAdmin

7. Joomla

8. Performance

9. Security

10. Geeky stuff

>>> Sheets at: www.db8.nl Profile Information

Browser plugins, e.g. Yslow

8. Performance

Test: Refresh (3x) new setting > Refresh (3x) & compare

8. Performance 10 ways to optimize

Nginx + PHP-FPM

8. Performance Nginx + PHP-FPM

PHP-FPMSocket vs Port?fastcgi_passunix:/var/run/php5-fpm.sock;

fastcgi_pass127.0.0.1:9000;

socket connections are around 10-15% faster than TCP/IP connections because it saves the passing the data over the different layers of TCP/IP stack


Nginx + PHP-FPM

Joomla gzip

8. Performance Joomla gzip

Before1. Application 2.517 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After
Global Configuration > Server > Gzip Page Compression1. Application 3.009 seconds (+0.038); 4.67 MB (+0.035) - afterRender

2. Application 2.503 seconds (+0.037); 4.67 MB (+0.035) - afterRender


Nginx + PHP-FPM

Joomla gzip

Joomla cache

8. Performance Joomla cache

BeforeApplication 2.707 seconds (+0.037); 4.67 MB (+0.035) - afterRender

After
Global Configuration > System > Cache* > ON Progressive caching

1. Application 2.718 seconds (+0.051); 4.69 MB (-0.027) - afterRender




Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

8. Performance Nginx gzip

pi@rpi ~ $ sudo nano /etc/nginx/nginx.conf
# Gzip Settings
gzip on;
gzip_static on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml;

8. Performance Nginx gzip

BeforeApplication 1.447 seconds (+0.274); 3.95 MB (+0.334) afterRender

After gzip in Nginx

Application 1.421 seconds (+0.267); 3.95 MB (+0.334) - afterRender



Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

8. Performance Nginx cache

pi@rpi ~ $ sudo nano /etc/nginx/sites-available/petermartin.nl

server {

# caching of files
location ~* \.(ico|pdf|flv)$ {
expires 1y;
}

location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
expires 14d;
}

}

8. Performance Nginx cache


After




Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

APC

8. Performance Alternative PHP Cache

pi@rpi ~ $ sudo apt-get install php-apc php-pear php5-dev build-essential libpcre3-dev

{Settings in PHP.ini}
pi@rpi ~ $ sudo pear config-set php_ini /etc/php5/fpm/php_ini
pi@rpi ~ $ sudo pecl config-set php_ini /etc/php5/fpm/php_ini

{Download/compile/install APC}
pi@rpi ~ $ sudo pecl install apc



After install APC restart nginx AND php-fpm!!!$ sudo /etc/init.d/nginx restart

$ sudo /etc/init.d/php5-fpm reload





APC GUI
$ sudo cp /usr/share/doc/php-apc/apc.php /var/www/petermartin.nl/apc.php


Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

APC

JCH Optimize / jbetolo

8. Performance Joomla Plugins

Less data traffic:Combine CSS / JavaScript

Minify CSS / JavaScript

Gzip CSS / JavaScript

Joomla Plugins, e.g.JCH Optimize

Jbetolo

Yireo Script Merge

Plugins vs manual


JCH Optimize, beforeApplication 0.772 seconds (+0.071); 2.03 MB (-0.080) afterRender

After


Application 1.723 seconds (+0.170); 2.43 MB (-0.019) - afterRender

Application 1.016 seconds (+0.118); 2.08 MB (-0.029) - afterRender



jbetolo, beforeApplication 0.620 seconds (+0.165); 2.00 MB (+0.148) - afterRender

After





Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

APC


Memcached

8. Performance Memchached

pi@rpi ~ $ sudo apt-get install memcached php5-memcache

{Download/compile/install APC}
pi@rpi ~ $ sudo pecl install memcache

{Reboot}
pi@rpi ~ $ sudo service nginx restart
pi@rpi ~ $ sudo service mysql restart
pi@rpi ~ $ sudo service php5-fpm restart
pi@rpi ~ $ sudo service memcached restart

8. Performance Memchached


After






Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

APC


Memcached

Overclocking

8. Performance Overclocking

$ sudo raspi-config

8. Performance Overclocking


AfterApplication 0.649 seconds (+0.171); 2.05 MB (+0.153) - afterRender






Nginx + PHP-FPM

Joomla gzip

Joomla cache

Nginx gzip

Nginx cache

APC


Memcache

Overclocking

Cryogenics

8. Performance Cryogenics

Superconducting computersSuperconductivity in certain materials when cooled below a characteristic critical temperature

Cool down RPi?Fridge: RPi = small, but not enough room for beer :-(

Not cool enough... < 123 K ( = 150 C, 238 F)

Liquid nitrogen or liquid helium?Couldn't decide which...
performance gain when cooling down: N/A

8. Performance My RPi

Every server/site different configuration for performance

My RPi:PHP-FPM: fastcgi_pass to Unix Socket (not IP+port)

Joomla: (progressive) cache (2.7 -> 1.4 sec)

Alternative PHP Cache (1.4 -> 0.7 sec)

9. Security

9. Security 10 Aspects

Change default username pi & password

Backup !!!

Study logfiles (e.g. with Logwatch)

9. Security ssh logfiles

/var/log/auth.logApr 8 22:49:01 rpi sshd[10812]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 8 22:49:01 rpi sshd[10812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.175.148.95 user=root
Apr 8 22:49:04 rpi sshd[10812]: Failed password for root from 59.175.148.95 port 43066 ssh2
Apr 8 22:49:04 rpi sshd[10812]: Received disconnect from 59.175.148.95: 11: Bye Bye [preauth]
Apr 8 22:49:07 rpi sshd[10816]: reverse mapping checking getaddrinfo for 95.148.175.59.broad.wh.hb.dynamic.163data.com.cn [59.175.148.95] failed - POSSIBLE BREAK-IN ATTEMPT!

9. Security ssh logfiles

peter@rpi ~$ whois 59.175.148.95% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.htmlinetnum:59.174.0.0 59.175.255.255
netname:CHINANET-HB
descr:CHINANET Hubei province network
descr:Data Communication Division
descr:China Telecom
country:CNrole:CHINANET HB ADMIN
address:8th floor of JinGuang Building
address:#232 of Macao Road
address:HanKou Wuhan Hubei Province
address:P.R.China
country:CN
phone:+86 27 82862199
fax-no:+86 27 82861499
e-mail:[email protected]
remarks:send spam reports to [email protected]
remarks:and abuse reports to [email protected]
remarks:Please include detailed information and
remarks:times in GMT+8



Backup !!!


Block ssh root login !

Block portscans -> Firewall

9. Security Firewall

{check Firewall}
peter@rpi ~$ sudo iptables -LChain INPUT (policy ACCEPT)
targetprot opt sourcedestinationChain FORWARD (policy ACCEPT)
targetprot opt sourcedestinationChain OUTPUT (policy ACCEPT)
targetprot opt sourcedestination
{create rules for Firewall}peter@rpi ~$ sudo nano /etc/iptables.firewall.rules

9. Security Configure Firewall 1/2

*filter# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

9. Security Configure Firewall 2/2

# Allow SSH connections
# The -dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

9. Security Activate Firewall 1/2

{activate Firewall}
peter@rpi ~$ sudo iptables-restore < /etc/iptables.firewall.rules
{check Firewall}
peter@rpi ~$ sudo iptables -L

Chain INPUT (policy ACCEPT)
ACCEPTall --anywhereanywhere
REJECTall --anywhereloopback/8reject-with icmp-port-unreachable
ACCEPTall --anywhereanywherestate RELATED, ESTABLISHED
ACCEPTtcp --anywhereanywheretcp dpt:http
LOGall --anywhereanywherelimit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROPall --anywhereanywhere
[..]

9. Security Activate Firewall 2/2

{script: activate Firewall at reboot}
peter@rpi ~$ sudo nano /etc/network/if-pre-up.d/firewall

{put in /etc/network/if-pre-up.d/firewall}
#!/bin/sh/sbin/iptables-restore < /etc/iptables.firewall.rules

{set script permissions}
peter@rpi ~$ sudo chmod +x /etc/network/if-pre-up.d/firewall

9. Security Automate Firewall

9. Security Fail2Ban

Scan logfiles & take action automatically

Jail configurationIf in entry in logfile matches filter

n times

Put IP on blocklist for x minutes/etc/fail2ban/jail.conf default

/etc/fail2ban/jail.local override

Filters/etc/fail2ban/filter.d/

Regex ROOT LOGIN REFUSED, POSSIBLE BREAK-IN ATTEMPT!, Failed password etc...

9. Security Fail2Ban

{install Fail2Ban}
peter@rpi ~$ sudo apt-get install fail2ban
Reading package lists... Done
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 340 kB of archives.

{check failed login attempts}
peter@rpi ~$ cat fail2ban.log
2013-04-09 16:45:59,000 fail2ban.actions: WARNING [ssh] Ban 9.8.7.6
{check Firewall}
peter@rpi ~$ sudo iptables -LChain fail2ban-ssh (1 references)
DROPall -- test123.example.comanywhere
RETURNall -- anywhereanywhere



Backup !!!




Block scriptkiddies

9. Security Webserver access logs

/var/log/nginx/petermartin.nl.access_log198.7.57.74 - - [30/Mar/2013:16:47:49 +0100] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 1565 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:52 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:53 +0100] "GET /scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:54 +0100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 135 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin1/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:55 +0100] "GET /phpmyadmin2/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /web/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /php-my-admin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:47:56 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /mysqlmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /p/m/a/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:23 +0100] "GET /PMA2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /pma2005/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /phpmanager/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /php-myadmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /webdb/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"
198.7.57.74 - - [30/Mar/2013:16:48:24 +0100] "GET /websql/scripts/setup.php HTTP/1.1" 404 47 "-" "ZmEu"

9. Security Fail2Ban configuration

{no w00tw00t for you ;-)}
peter@rpi ~$ sudo nano
/etc/fail2ban/filter.d/nginx-w00tw00t.conf

# Fail2Ban configuration file
# Author: Peter Martin
# $Revision: 001 $
[Definition]
# Option: failregex

failregex = ^ -.*GET.*(w00tw00t|\setup.php|\wp-login.php)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

9. Security Fail2Ban configuration

{activate nginx-w00tw00t filter}
peter@rpi ~$ sudo nano /etc/fail2ban/jail.local

[nginx-w00tw00t]
enabled = true
port = http,https
filter = nginx-w00tw00t
logpath = /var/log/nginx/*access_log
maxretry = 0
bantime = 600

{restart Fail2Ban}
peter@rpi ~$ sudo /etc/init.d/fail2ban restart



Backup !!!




Block scriptkiddies

SSL certificate for /administrator/

Block phpmyadmin (allow 1 specified IP)

Backup !!!

Passwordless login? SSH shared keys

10. Geeky stuff

10. Geeky Stuff - Webcam

Connect webcam to USB$ sudo apt-get install motion

Configuration$ sudo nano /etc/motion/motion.conf
change: daemon = ON & webcam_localhost = OFF

$ sudo nano /etc/default/motion
change the value start_motion_daemon=no to yes

$ sudo service motion start

Firewall$ sudo iptables -I INPUT -p tcp --dport 8081 -j ACCEPT

RouterPortforwarding port 8081

10. Geeky Stuff - Webcam

Display webcamhttp://192.168.0.9:8081

In Joomla article

No time left for:

Send Email from RPi:Joomla's notifications & contact forms

Logwatch mails

Exim MTA (Mail Transfer Agent)

Questions?

Questions?

Presentation is available at www.db8.nl

Peter Martine-mail: info at db8.nlwebsite: www.db8.nl

Used photos

Chinese Raspberry Pie nr.1 1 - Koen Mol http://www.sxc.hu/photo/346723

Switched On Tech Design - www.sotechdesign.com.au

Bricks - Sharlene Jackson http://www.sxc.hu/photo/759981

Hotrod Dash - Peter Mazurek http://www.sxc.hu/photo/1341923

Greased Lightnin' - Donald Cook http://www.sxc.hu/photo/690214

File Overload - Bob Smith http://www.sxc.hu/photo/367985

Rusted Gears - Angelo Rosa http://www.sxc.hu/photo/1365696

Man Made - "csremedy" http://www.sxc.hu/photo/1267108

digital world - ilker http://www.sxc.hu/photo/1206711

Crazy Man in Shower - scott adams http://www.sxc.hu/photo/760765

laptop 2 - emre nacigil http://www.sxc.hu/photo/810741

Speedometer Abdulhamid AlFadhly http://www.sxc.hu/photo/1390189

Secure - Frank Khne http://www.sxc.hu/photo/962334

Professor Tiger - Gabriel Doyle http://www.sxc.hu/photo/526749

signs signs - Jason Antony, http://www.sxc.hu/photo/751034

Face - Questions - Bob Smith, http://www.sxc.hu/photo/418215

Documents

Stroopwafels and Raspberry Pie (Joomla on Raspberry Pi with Nginx)