HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Installation/Configuration

  #1  
Old 23rd November 2010, 09:45
itsnedkeren (Senior Member, Denmark)
ISPC 3.0.3 - Help me optimize Apache+MySQL

Hi all,

I really could use some assistance with optimizing my server. It seems to be running just fine, but when I load test it with, for example, http://loadimpact.com/ I get response times of up to 60 seconds++.

System info:

Core i7 930 2.8 GHz Quad-Core
4GB RAM
RAID 1 disk array
100Mbit Internet


I have tried optimizing MySQL with "MySQLTuner.pl". Here is the output:

Code:
-------- General Statistics --------------------------------------------------
[--] Skipped version check for MySQLTuner script
[OK] Currently running supported MySQL version 5.0.51a-24+lenny4-log
[OK] Operating on 64-bit architecture

-------- Storage Engine Statistics -------------------------------------------
[--] Status: +Archive -BDB -Federated +InnoDB -ISAM -NDBCluster
[--] Data in MyISAM tables: 14M (Tables: 136)
[--] Data in InnoDB tables: 124M (Tables: 77)
[!!] Total fragmented tables: 9

-------- Performance Metrics -------------------------------------------------
[--] Up for: 12h 20m 57s (174K q [3.935 qps], 5K conn, TX: 697M, RX: 39M)
[--] Reads / Writes: 64% / 36%
[--] Total buffers: 530.0M global + 15.2M per thread (100 max threads)
[OK] Maximum possible memory usage: 2.0G (51% of installed RAM)
[OK] Slow queries: 4% (7K/174K)
[OK] Highest usage of available connections: 17% (17/100)
[OK] Key buffer size / total MyISAM indexes: 64.0M/5.3M
[OK] Key buffer hit rate: 99.8% (999K cached / 1K reads)
[OK] Query cache efficiency: 85.1% (119K cached / 140K selects)
[OK] Query cache prunes per day: 0
[OK] Sorts requiring temporary tables: 0% (0 temp sorts / 1K sorts)
[!!] Joins performed without indexes: 476
[OK] Temporary tables created on disk: 19% (912 on disk / 4K total)
[OK] Thread cache hit rate: 98% (105 created / 5K connections)
[OK] Table cache hit rate: 67% (253 open / 373 opened)
[OK] Open file limit used: 14% (322/2K)
[OK] Table locks acquired immediately: 100% (68K immediate / 68K locks)
[!!] Connections aborted: 15%
[OK] InnoDB data size / buffer pool: 124.5M/192.0M

And here is my.cnf:

Code:
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# 
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# especially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port		= 3306
socket		= /var/run/mysqld/mysqld.sock

# Here are entries for some specific programs
# The following values assume you have at least 32M ram

# This was formerly known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket		= /var/run/mysqld/mysqld.sock
nice		= 0

[mysqld]
#
# * Basic Settings
#
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
language	= /usr/share/mysql/english
log-slow-queries = /var/log/mysql/log-slow-queries.log
long_query_time = 5
log-queries-not-using-indexes

skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address		= 127.0.0.1
#
# * Fine Tuning
#
join_buffer_size=1M
innodb_buffer_pool_size = 192M
query_cache_limit = 2M
# NOTE: key_buffer is an alias of key_buffer_size; when both are set, the later
# line wins, so the effective value here is 64M (matches the tuner output above).
key_buffer = 256M
key_buffer_size=64M
max_allowed_packet = 16M
table_cache = 1024
sort_buffer_size = 8M
read_buffer_size = 2M
read_rnd_buffer_size = 4M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 256M
# Try number of CPU's*2 for thread_concurrency
thread_concurrency = 8

#
# * Logging and Replication
#
# Both locations get rotated by the cronjob.
# Be aware that this log type is a performance killer.
#log		= /var/log/mysql/mysql.log
#
# Error logging goes to syslog. This is a Debian improvement :)
#
# Here you can see queries with especially long duration
#log_slow_queries	= /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id		= 1
#log_bin			= /var/log/mysql/mysql-bin.log
expire_logs_days	= 10
max_binlog_size         = 100M
#binlog_do_db		= include_database_name
#binlog_ignore_db	= include_database_name
#
# * BerkeleyDB
#
# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
skip-bdb
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
#skip-innodb
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem



[mysqldump]
quick
quote-names
max_allowed_packet	= 16M

[mysql]
no-auto-rehash	# faster start of mysql but no tab completion

[isamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
# [MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1

[mysqlhotcopy]
interactive-timeout


#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

MySQL is optimized for about 2GB of RAM, which should be fine.
At the time of writing this post, my system has 75MB of free RAM according to the top command. Uptime is only 10 hours.

All my sites are running Fast-CGI with standard ISPConfig settings. Here is Apache2.conf:
Code:
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
#MaxKeepAliveRequests 100

#21/11-2010
MaxKeepAliveRequests 1000

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
## 

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
#<IfModule mpm_prefork_module>
#    StartServers          5
#    MinSpareServers       5
#    MaxSpareServers      10
#    MaxClients          150
#    MaxRequestsPerChild   0
#</IfModule>

#21/11-2010
<IfModule mpm_prefork_module>
StartServers       50
MinSpareServers   15
MaxSpareServers   30
MaxClients       225
MaxRequestsPerChild  4000
</IfModule>


# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75 
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#http://www.howtoforge.org/setenvif_apache2
#SetEnvIf Request_URI "^/monit/token$" dontlog
#CustomLog /var/log/apache2/access.log combined env=!dontlog
#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections.  We use 
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/share/apache2/error/include/ files and copying them to /your/include/path/, 
# even on a per-VirtualHost basis.  The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
#
# The internationalized error documents require mod_alias, mod_include
# and mod_negotiation.  To activate them, uncomment the following 30 lines.

#    Alias /error/ "/usr/share/apache2/error/"
#
#    <Directory "/usr/share/apache2/error">
#        AllowOverride None
#        Options IncludesNoExec
#        AddOutputFilter Includes html
#        AddHandler type-map var
#        Order allow,deny
#        Allow from all
#        LanguagePriority en cs de es fr it nl sv pt-br ro
#        ForceLanguagePriority Prefer Fallback
#    </Directory>
#
#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#    ErrorDocument 410 /error/HTTP_GONE.html.var
#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var



# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

I'm thinking that Apache2 must be the bottleneck here. I have installed Memcached and eAccelerator without much luck.

Any help is much appreciated.
__________________
Best regards

Jim

Last edited by itsnedkeren; 23rd November 2010 at 09:47.
  #2  
Old 23rd November 2010, 11:12
till (Super Moderator, Lüneburg, Germany)

Which PHP method do you use for that website, and how many requests per second did you use in the test?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 23rd November 2010, 11:22
itsnedkeren (Senior Member, Denmark)

I use FastCGI for all my sites. I used the standard free test from the above link. But already at 10 connections it started crumbling.

Thanks Till.
__________________
Best regards

Jim
  #4  
Old 23rd November 2010, 11:40
itsnedkeren (Senior Member, Denmark)

I forgot, here is a snip from my iptables firewall.

I'm not sure if this could cause any problems regarding the test.

Code:
########################################
# Kernel flags
########################################

echo -e "	- Setting kernel flags"

# set log level to 1 so only panic messages are printed to the console(s)
dmesg -n 1

# IP forwarding in the kernel (0 = disabled, as set here)
echo "0" > /proc/sys/net/ipv4/ip_forward

# enable response to ping
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all 

# disable response to broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Don't accept source routed packets. Attackers can use source routing to generate 
# traffic pretending to be from inside your network. 
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Log spoofed packets, source routed packets, redirect packets. 
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

########################################
# Loading modules
########################################

echo -e "	- Loading modules"

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

########################################
# Reset iptables
########################################

echo -e "	- Resetting IPTables"

# set up a default DROP policy until the other rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# clean up

iptables -F
iptables -X
iptables -Z

iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z


########################################
# Enable loopback (localhost)
########################################

echo -e "	- Enabling Loopback interface"

# allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########################################
# Enable connection tracking
########################################

echo -e "	- Enabling connection tracking"

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

########################################
# SYN-flooding protection 
########################################

echo -e "	- Enabling SYN-flood protection"

# limits the number of new incoming connections to a maximum of 20 per second
iptables -N SYNCHECK
iptables -A INPUT -i $PUBLIC_ETH -p tcp --syn -j SYNCHECK 
iptables -A SYNCHECK -m limit --limit 1/s --limit-burst 20 -j RETURN 
iptables -A SYNCHECK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN flood: "
iptables -A SYNCHECK -j DROP 

########################################
# Make sure NEW tcp connections are SYN packets 
########################################

echo -e "	- Making sure new connections are SYN packets"

iptables -A INPUT -i $PUBLIC_ETH -p tcp ! --syn -m state --state NEW -j DROP 

########################################
# Deny OS detection
########################################

echo -e "	- Denying OS Detection"

iptables -A FORWARD -p tcp --tcp-flags RST,RST ACK  -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "OS detect: "
iptables -A FORWARD -p tcp --tcp-flags RST,RST ACK -j DROP

########################################
# Don't allow fragments
########################################

echo -e "	- Disallowing fragments"

iptables -A FORWARD -f -j LOG --log-prefix "IP fragment: "
iptables -A FORWARD -f -j DROP

########################################
# Prevent spoofing 
########################################

echo -e "	- Preventing spoofing"

# Most of this anti-spoofing stuff is theoretically not really necessary 
# with the flags we have set in the kernel above

# Refuse spoofed packets pretending to be from your IP address. 
iptables -A INPUT  -i $PUBLIC_ETH -s $PUBLIC_IP -j DROP 

# Refuse packets claiming to be from a Class A private network. 
# iptables -A INPUT  -i $PUBLIC_ETH -s $CLASS_A -j DROP 

# Refuse packets claiming to be from a Class B private network. 
# iptables -A INPUT  -i $PUBLIC_ETH -s $CLASS_B -j DROP 

# Refuse packets claiming to be from a Class C private network. 
# iptables -A INPUT  -i $PUBLIC_ETH -s $CLASS_C -j DROP 

# Refuse Class D multicast addresses. Multicast is illegal as a source address. 
iptables -A INPUT -i $PUBLIC_ETH -s $CLASS_D_MULTICAST -j DROP 

# Refuse Class E reserved IP addresses. 
iptables -A INPUT -i $PUBLIC_ETH -s $CLASS_E_RESERVED_NET -j DROP 

# Refuse packets claiming to be to the loopback interface. 
iptables -A INPUT  -i $PUBLIC_ETH -d $LOOPBACK -j DROP 

# Refuse broadcast address packets. 
iptables -A INPUT -i $PUBLIC_ETH -d $PUBLIC_BROADCAST -j DROP 

########################################
# Deny bad packets 
########################################

echo -e "	- Denying bad packets"

iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "NMAP: "
iptables -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/FIN: " 
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST  -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN/RST: "
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
__________________
Best regards

Jim
  #5  
Old 23rd November 2010, 12:13
till (Super Moderator, Lüneburg, Germany)

The website that you tested, is it handmade or does it use a common CMS system? If it's a common CMS, do you have caching extensions for the CMS installed?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #6  
Old 23rd November 2010, 12:21
itsnedkeren (Senior Member, Denmark)

It's a common CMS, e107 site. I don't use any caching on it. It does support memcache, but enabling that makes the site VERY slow.

I uncommented this in the firewall:

Code:
########################################
# SYN-flooding protection 
########################################

#echo -e "	- Enabling SYN-flood protection"

# limits the number of new incoming connections to a maximum of 20 per second
#iptables -N SYNCHECK
#iptables -A INPUT -i $PUBLIC_ETH -p tcp --syn -j SYNCHECK 
#iptables -A SYNCHECK -m limit --limit 1/s --limit-burst 20 -j RETURN 
#iptables -A SYNCHECK -m limit --limit 5/minute -j LOG --log-level notice --log-prefix "SYN flood: "

and the test ran much better, which really is quite obvious.

Although I would like to optimize the server.
__________________
Best regards

Jim
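Why the SYNCHECK chain from post #4 collapses a ten-client load test, and why commenting it out (post #6) helped, can be seen by modelling the `limit` match as a token bucket with the thread's own parameters (1/s, burst 20). This Python model is an added example, not code from the thread; the load-test traffic, the 198.51.100.x source addresses and the per-source variant (how `hashlimit --hashlimit-mode srcip` behaves) are assumptions of the example.

```python
"""Token-bucket model of the iptables `limit` match from the SYNCHECK chain.

`-m limit --limit 1/s --limit-burst 20 -j RETURN` behaves like a bucket that
holds at most 20 tokens, refills at 1 token per second and lets a SYN pass
only while a token is available; the next rule DROPs everything else.
This is a simplified continuous model written for this example, not the
kernel's xt_limit code, which works with integer credits.
"""
from collections import defaultdict


class TokenBucket:
    """One `limit` match state: capacity `burst`, refill `rate_per_s`."""

    def __init__(self, rate_per_s: float, burst: int) -> None:
        self.rate_per_s = rate_per_s
        self.burst = burst
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last_t = 0.0

    def allow(self, t: float) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(float(self.burst),
                          self.tokens + (t - self.last_t) * self.rate_per_s)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_global_limit(syns, rate_per_s=1.0, burst=20):
    """The thread's rule: a single bucket shared by every client on the Internet.
    `syns` is a time-ordered list of (seconds, source_ip), one entry per new SYN.
    Returns (accepted, dropped)."""
    bucket = TokenBucket(rate_per_s, burst)
    accepted = dropped = 0
    for t, _src in syns:
        if bucket.allow(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def simulate_per_source_limit(syns, rate_per_s=1.0, burst=20):
    """Same budget, but one bucket per source address, which is how the
    `hashlimit` match with `--hashlimit-mode srcip` behaves (assumption of this
    example; the thread itself only uses the plain `limit` match)."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_s, burst))
    accepted = dropped = 0
    for t, src in syns:
        if buckets[src].allow(t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def load_test_syns(clients=10, requests_per_client=10, spacing_s=0.5):
    """Constructed traffic: `clients` load-test agents, each opening a fresh TCP
    connection every `spacing_s` seconds, from constructed TEST-NET-2 addresses."""
    syns = [(r * spacing_s, f"198.51.100.{c + 1}")
            for c in range(clients)
            for r in range(requests_per_client)]
    syns.sort()
    return syns


if __name__ == "__main__":
    traffic = load_test_syns()
    print("global limit (thread's rule):", simulate_global_limit(traffic))      # (24, 76)
    print("per-source limit:            ", simulate_per_source_limit(traffic))  # (100, 0)
```

After the 20-packet burst is spent, the shared bucket admits roughly one new connection per second for the whole server, so every additional legitimate client only adds to the queue of dropped and retransmitted SYNs.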