Difference between pages "Portage Profile Logic" and "Web-server-stack"

(Difference between pages)
 
m (Benchmarking: MOAR)
 
Line 1: Line 1:
== Gentoo Initialization ==
 
  
Gentoo profile initialization has been documented in [https://github.com/funtoo/portage-funtoo/commit/4c6826a0029c3c8f0aa92e70b4e50f2ffc58c7fa#diff-0 this GitHub commit], and describes how Gentoo's Portage finds and processes profiles. Basically, Gentoo's Portage looks for profiles using this algorithm:
+
== Pre-install considerations ==
 +
=== ssl ===
 +
Ssl [http://en.wikipedia.org/wiki/Wildcard_certificate wild card certificates] can use the same certificate to cover several subdomain names.  As in https://wiki.funtoo.org https://www.funtoo.org https://forums.funtoo.org can all use the same certificate.  https://funtoo.org would not be covered under the wildcard, so [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) suggests using http://domain.tld as a http navigation splash page directory.  All that is required to setup a ca signed ssl certificate is an email on the server.  https://www.startssl.com offers free ssl ca certificates, though there are several other certificate [http://en.wikipedia.org/wiki/Certificate_authority#Providers providers].  Many web apps require you set your URL & will have problems if your URL is set to http://, rather than https://
  
# Does <tt>/etc/make.profile</tt> exist? If so, it defines the primary profile.
+
=== sockets vs tcp stack ===
# If not, does <tt>/etc/portage/make.profile</tt> exist? If so, it defines the primary profile.
+
Sockets have less overhead but can not be shared across jails, or to other machines. Tcp stack has more overhead but is far more flexible.
# Recursively process the <tt>parent</tt> file found in the primary profile to build a list of all cascading profiles
+
# if <tt>/etc/portage/profile</tt> exists, it is a user-defined profile - tack it to the end of our profile list so it can modify anything in the cascading profiles.
+
  
Here is a more detailed description of the steps:
+
=== Email Servers ===
 +
* {{Package|mail-mta/postfix}}  <-- suggested
 +
* {{Package|mail-mta/ssmtp}}
 +
* {{Package|mail-mta/exim}}
 +
* {{Package|mail-mta/sendmail}}
 +
* {{Package|mail-mta/nullmailer}}
  
# Look for a profile directory/symlink at <tt>/etc/make.profile</tt>, if one exists, use this as the main profile directory.
+
=== FTP Servers ===
# If <tt>/etc/make.profile</tt> doesn't exist, use <tt>/etc/portage/make.profile</tt> as a back-up location if it exists.
+
It is common practice to use FTP servers to host files for downloading.
# If neither location exists, then a main profile directory doesn't exist and is undefined (None)
+
  
Using the main profile directory/symlink found above, the <tt>LocationsManager._addProfile()</tt> recursive function will be called that will create a list of all cascading profiles. This works by looking for a <tt>parent</tt> file in the profile directory. If this file exists, then each line is treated as a ''relative path'' and used to modify the path to the current profile, pointing to a "parent" profile that this particular profile modifies. There can be more than one parent, one per line. ''The first line in the <tt>parent</tt> file is the highest-priority parent.''
+
* {{Package|net-ftp/vsftpd}} <-- suggested
 +
* {{Package|net-ftp/proftpd}}
 +
* {{Package|net-ftp/pure-ftpd}}
 +
* {{Package|net-ftp/qshare}}
  
Once this list is created, the code checks to see if <tt>/etc/portage/profile</tt> directory exists. If it does, it is tacked at the end of the cascading profile list, meaning that it is evaluated last and this user-defined profile has the ability to modify any of the cascading profile settings. It provides an ideal hook point for a user-defined profile that can tweak anything the user wants to modify in the profile.
+
== Webserver ==
 +
Web servers come in several varieties.  The most common stack is known as LAMP which stands for linux apache mysql php. [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) suggests setting up the web server stack by selecting the database first, then scripting language second, and web server 3rd.
  
[[Category:Portage]]
+
=== Databases ===
 +
* {{Package|dev-db/mysql}}
 +
 
 +
mariadb is a drop in replacement for mysql
 +
* {{Package|dev-db/mariadb}} <-- suggested
 +
 
 +
percona is a drop in replacement for mysql
 +
* {{Package|dev-db/percona-server}}
 +
 
 +
* {{Package|dev-db/postgresql-server}}
 +
* {{Package|dev-db/sqlite}}
 +
 
 +
=== Languages ===
 +
* {{Package|dev-lang/php}} <-- suggested
 +
* {{Package|dev-lang/perl}}
 +
* {{Package|dev-lang/python}}
 +
 
 +
=== Web Servers ===
 +
* {{Package|www-servers/apache}}
 +
* {{Package|www-servers/cherokee}}
 +
* {{Package|www-servers/nginx}} <-- suggested
 +
* {{Package|www-servers/tengine}}
 +
* {{Package|www-servers/lighttpd}}
 +
 
 +
 
 +
=== SSL Termination, Reverse Proxies, & load balancing ===
 +
Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server.  Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in.
 +
 
 +
* {{Package|www-servers/nginx}}
 +
* {{package|net-misc/stunnel}}
 +
* {{package|www-servers/pound}} <-- suggested for ssl termination & load balancing
 +
* {{Package|www-servers/varnish}} <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages
 +
* {{Package|net-proxy/squid}}
 +
 
 +
== Post install ==
 +
There are several considerations to take into account with a web server install, such as setting up an email server, setting up a firewall, firewalling web applications, and dynamically firewalling attackers.
 +
 
 +
=== Firewalls ===
 +
* {{Package|net-firewall/nftables}}
 +
* {{Package|net-firewall/iptables}} <-- suggested
 +
* {{Package|net-firewall/firewalld}}
 +
* {{Package|net-firewall/ufw}}
 +
 
 +
=== Dynamic Firewalling ===
 +
* {{Package|app-admin/sshguard}} <-- suggested
 +
* {{Package|net-analyzer/fail2ban}}
 +
 
 +
=== Webapp Firewalls ===
 +
 
 +
Apache has an option for webapplication firewalling.  as far as [[User:Threesixes|Threesixes]] ([[User talk:Threesixes|talk]]) can tell this passes login errors & excessive site fuzzing to logs for fail2ban/sshguard to deal with.
 +
https://github.com/nbs-system/naxsi is a web app firewall for nginx.
 +
 
 +
=== Benchmarking ===
 +
It's a good idea to benchmark your system, server, & websites.  There are several tools to assist you in doing this.
 +
 
 +
* http://toolbar.netcraft.com/site_report?url=undefined#last_reboot
 +
* http://gtmetrix.com/
 +
* http://www.showslow.com/
 +
* http://yslow.org/
 +
* http://getfirebug.com/
 +
* {{Package|app-admin/apache-tools}}
 +
* {{Package|app-benchmarks/sysbench}}
 +
* {{Package|app-benchmarks/phoronix-test-suite}}
 +
* {{Package|app-benchmarks/iozone}}
 +
* {{Package|app-benchmarks/piozone}}
 +
* {{Package|app-benchmarks/siege}}
 +
* {{Package|app-benchmarks/ramspeed}}
 +
* {{Package|app-benchmarks/jmeter}}

Latest revision as of 13:55, January 18, 2015

Pre-install considerations

ssl

Ssl wild card certificates can use the same certificate to cover several subdomain names. As in https://wiki.funtoo.org https://www.funtoo.org https://forums.funtoo.org can all use the same certificate. https://funtoo.org would not be covered under the wildcard, so Threesixes (talk) suggests using http://domain.tld as a http navigation splash page directory. All that is required to setup a ca signed ssl certificate is an email on the server. https://www.startssl.com offers free ssl ca certificates, though there are several other certificate providers. Many web apps require you set your URL & will have problems if your URL is set to http://, rather than https://

sockets vs tcp stack

Sockets have less overhead but can not be shared across jails, or to other machines. Tcp stack has more overhead but is far more flexible.

Email Servers

FTP Servers

It is common practice to use FTP servers to host files for downloading.

Webserver

Web servers come in several varieties. The most common stack is known as LAMP which stands for linux apache mysql php. Threesixes (talk) suggests setting up the web server stack by selecting the database first, then scripting language second, and web server 3rd.

Databases

mariadb is a drop in replacement for mysql

percona is a drop in replacement for mysql

  • dev-db/percona-server (package not on wiki - please add)
  • dev-db/postgresql-server (package not on wiki - please add)
  • dev-db/sqlite (package not on wiki - please add)

Languages

Web Servers


SSL Termination, Reverse Proxies, & load balancing

Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server. Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in.

  • Nginx
  • net-misc/stunnel (package not on wiki - please add)
  • www-servers/pound (package not on wiki - please add) <-- suggested for ssl termination & load balancing
  • Varnish <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages
  • Squid

Post install

There are several considerations to take into account with a web server install, such as setting up an email server, setting up a firewall, firewalling web applications, and dynamically firewalling attackers.

Firewalls

  • net-firewall/nftables (package not on wiki - please add)
  • Iptables <-- suggested
  • net-firewall/firewalld (package not on wiki - please add)
  • net-firewall/ufw (package not on wiki - please add)

Dynamic Firewalling

Webapp Firewalls

Apache has an option for webapplication firewalling. as far as Threesixes (talk) can tell this passes login errors & excessive site fuzzing to logs for fail2ban/sshguard to deal with. https://github.com/nbs-system/naxsi is a web app firewall for nginx.

Benchmarking

It's a good idea to benchmark your system, server, & websites. There are several tools to assist you in doing this.