Koozali.org: home of the SME Server

Using SME as webhost

jameswilson
Using SME as webhost
« on: May 04, 2024, 12:43:49 AM »
I've done this for decades and it has always been brilliant, even though many have told me not to.
But with affa to backup, openvpns2s to keep everything secure, I'd be daft not to.
It's more than that.
I know it's secure, I can't get it wrong. I've got a command system that protects me (me and the clueless reading x on the web doesn't mean do y with root or sudo)
All because of the SME way this is a strong ask
We have the web hosting contrib, which helps me loads. Can we have a similar one for the php-fpm side?
I only ask because I went through a security test for credit cards and it hammered the server for 24hrs till I cancelled it. It may as well have been a DoS attack on php-fpm. I've changed a few mysql things that helped but I can't let that test hit the server; I see 1m loads of 20 and loads of php processes.
Little ask cos I know you're way too busy on proper stuff


ReetP
Re: Using SME as webhost
« Reply #1 on: May 04, 2024, 07:23:58 PM »
You say a php-fpm contrib, but to do what?

The webhosting contrib does some stuff and there are some manual settings too.

Beyond that PHP has dozens, if not hundreds, of variables that can change between versions. Most are acceptable defaults. Everyone's requirements are different so it's hard to know exactly what you think we should do?

I'm also not sure what this has got to do with security tests? Describe your issue?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

jameswilson
Re: Using SME as webhost
« Reply #2 on: May 04, 2024, 07:44:03 PM »
As part of credit card checks etc. we have to use a company to scan the server for open ports, non-secure apps etc.
But it nails the web server with 40 or 50 concurrent connections.
It looks like php-fpm (I could be wrong) creates a new process on every request. This quickly goes to 100% processor and then the loads climb and the page load time takes ages.
Looking online there are options to control php-fpm but I don't know how to alter the settings in SME.

ReetP
Re: Using SME as webhost
« Reply #3 on: May 04, 2024, 11:36:33 PM »
So the question is really "how can I rate limit web connection requests as my server can't handle it?"

First, what spec is your server? Perhaps you need more grunt?

Yes there are limits you can add to php-fpm - as you have with other custom templates - to limit maximum connections. But the consequence may be your server gives an error to them, which you may not want?

You can consider some of these (example) settings.

Code:
pm.max_children = 20
; in dynamic mode, pm.start_servers must lie between pm.min_spare_servers and pm.max_spare_servers
pm.start_servers = 3
pm.min_spare_servers = 2
pm.max_spare_servers = 4
pm.max_requests = 1000

Another option may be rate limiting via Apache.

E.g.
https://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second

You need to think about your desired outcome....

Jean-Philippe Pialasse (aka Unnilennium)
Re: Using SME as webhost
« Reply #4 on: May 05, 2024, 02:24:48 AM »
This is DDoS. You need:
- fail2ban
- mod_security
- mod_evasive

They are testing if they get your server down, or if they get banned. You have nothing to get them banned.

You already have all you need to set fpm, as the webhosting contrib is doing that.


« Last Edit: May 05, 2024, 02:27:47 AM by Jean-Philippe Pialasse »
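
An added example, not part of the thread and not SME Server or php-fpm code: a check of the kind of pm.* limits suggested in Reply #3 against the 50 concurrent connections described in Reply #2. It flags combinations php-fpm rejects in dynamic mode and shows how many requests a pool can serve at once. The sample pool values, the function names and the 40 MB per-child memory figure are assumptions.

```python
# Added example; sample pools, names and the 40 MB per-child figure are assumptions.
def parse_pool(text):
    """Read 'key = value' lines from pool-file text; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def check_pool(settings, concurrent, child_mb=40):
    """Return (problems, report) for a pool facing `concurrent` requests."""
    max_children = int(settings.get("pm.max_children", 0))
    problems = []
    if max_children < 1:
        problems.append("pm.max_children must be at least 1")
    if settings.get("pm", "dynamic") == "dynamic":
        lo = int(settings.get("pm.min_spare_servers", 0))
        hi = int(settings.get("pm.max_spare_servers", 0))
        # php-fpm derives start_servers like this when it is not set.
        start = int(settings.get("pm.start_servers", lo + (hi - lo) // 2))
        if lo < 1 or hi < lo:
            problems.append("need 1 <= min_spare_servers <= max_spare_servers")
        if hi > max_children:
            problems.append("pm.max_spare_servers exceeds pm.max_children")
        if not lo <= start <= hi:
            problems.append("pm.start_servers outside the spare-server range")
    report = {
        "served_at_once": min(concurrent, max_children),
        "must_wait": max(0, concurrent - max_children),  # queued or refused
        "worst_case_mb": max_children * child_mb,
    }
    return problems, report

TEMPLATE = """
; constructed sample, not taken from a real server
pm = dynamic
pm.max_children = 20
pm.start_servers = {start}
pm.min_spare_servers = 2
pm.max_spare_servers = 4
"""
INCONSISTENT = TEMPLATE.format(start=10)
CONSISTENT = TEMPLATE.format(start=3)

if __name__ == "__main__":
    for name, text in (("inconsistent", INCONSISTENT), ("consistent", CONSISTENT)):
        print(name, check_pool(parse_pool(text), concurrent=50))
```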