How to manage huge multisites?

Discussion in 'General' started by Guillaume Subiron, Mar 18, 2020.

  1. Guillaume Subiron

    Guillaume Subiron New Member

    Hi,

    I am hosting 5 Wordpress multisites with 500 to 700 sites each. And I need to put a Let's Encrypt certificate on each site. So far, I made the following decisions :
    - Each multisite is a Website.
    - Then, Let's Encrypt forces me to use "Aliasdomain (vhost)" for each site, because if I use normal Aliasdomains every domains will be put in one big certificate. I would be very limited in the number of aliases for each site.
    - PHP-FPM is unthinkable, because ISPConfig would create one pool per Alias, so I am using FastCGI.

    ISPConfig is having a hard time managing so many vhosts. So far, I made a cron to unmount the logs, because the system was not working properly with thousands of bind mounts. I also have problems with the restart of Apache, which can take 30s to parse all the vhosts. But globally, it is stable.

    One huge problem I have, is that every Aliasdomain runs it's own fastcgi process. It is not a problem when the server is idle, but sometimes I see bots that opens hundreds of differents sites in a few minutes. When it happens, hundreds of processes are launched and it ends in huge load, freezing the server, and sometimes OOMs.

    So my question is, how would you manage huge multisites with ISPConfig?

    Thank you.
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I have no experience with that many domains in a single setup, so take these comments accordingly.

    Did you use php-fpm in on-demand mode? The default is still dynamic mode, which is not nearly as efficient (though a little more performant at initial connections).

    You can rate limit by ip with mod_evasive, but not by user agent; there is probably a way to do so, I just doing know it offhand.

    Ensure you have caching setup, either in wordpress itself, or externally (eg. varnish). Maybe even consider a cdn. Either of those should add Expires headers, but you can also setup mod_expires as well.

    Make sure you have setup http2.

    And use various security measures to block known bad actors/bots/attacks.

    If you would, update this post with what you find to work (or not work), I'd be interested in that.
     
  3. Guillaume Subiron

    Guillaume Subiron New Member

    Hi @Jesse Norell , thank you.

    I didn't try php-fpm in on-demand, but I don't see how it could help in this case. One pool per site means a lot a process anyway.

    Rate limit is helping, but not in the way you describe. I made a script that parses access logs to search for bots that are contacting more than X sites in Y minutes, and send them in fail2ban. It is helping, but not everytime. And it is not a pretty solution.

    We have wp-rocket, but this is not a performance problem. One website can manage a huge loads, hundreds of query per seconds. But hundred of websites contacted in two minutes makes the server fail because of RAM (we have 100Gb of RAM on this server).

    Not to brag, just to help understand the context. We are a team professionnals sysadmins. We manage around 300 servers, 50 ISPConfig. So we already have security measures in place, and already made a lot of workaround to make this work. Obviously I have setup http2, but I don't believe it has something to do with the problem I describe.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    I don't see any way in the current UI to do much different than you have. You could just manage the aliases and certificates outside of ISPConfig, eg. create a vhost file based on your main website vhost file (pointing to the same php processor, same log files, etc.) with a ServerName and less than 100 aliases, which points to a single certificate file, then write a little script that reads the names right from the vhost file and requests a certificate with all of those domains. It wouldn't be too difficult to set that up, and would let you get by with just a handful of certificates in use.

    Or if you're inclined to, you could modify ISPConfig to make this use case work a little nicer. Eg. it probably wouldn't be very hard to change the code for adding an Aliasdomain so the select list of Websites also includes vhost Aliasdomains (and even vhost Subdomains while at it), and then of course the code which writes those vhost Aliasdomains and the code which requests/manages certificates. If it's within your skill set to do that (or hire it done?), I expect you could submit a merge request to include that in upstream code.
     
  5. Guillaume Subiron

    Guillaume Subiron New Member

    Hm. I see what you mean, also at this point I would be as easy do remove ISPConfig and just manage vhosts depending on the Wordpress multisite database.

    If I made a patch on ISPConfig, I think it would be on the vhost template. If I find a way to use the DocumentRoot and the FCGIWrapper of the main Website instead of the Aliasdomain, it should fix my problem.
     
  6. Steini86

    Steini86 Active Member

    Do
    Code:
    cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom
    Then edit file "/usr/local/ispconfig/server/conf-custom/vhost.conf.master" to your needs.

    I can't really think of a legitimate reason to do what you want, so I will not help here. In your case you might be better off with a manual configuration rather then ispconfig. Keep in mind that in a single letsencrypt certificate can only be 100 (sub-)domains
     
  7. ahrasis

    ahrasis Well-Known Member

    Interesting... I can only think of load balancing at this point of time, if your caching is already optimum.
     

Share This Page