Topic: Using SME as webhost

[jameswilson]

Ive done this for decades and has always been brilliant even though many have told me not to.
But with affa to backup, openvpns2s to keep everything secure id be daft not to.
Its more than that.
I know its secure i cant get it wrong. Ive got a command system that protects me (me and the clueless reading x on the web doesnt mean do y with root or sudo)
All because of the sme way this is a strong ask
We have the web hosting contrib which helps me loads. Can we have a similar for the php-fpm side.
I only ask because i went through a security test for credit cards ant it hammered the server for 24hrs till i cancelled it. It may as well of been a dos attack on php-fpm. Ive changed a few mysql things that helped but i cant let that test hit the server i see 1m loads of 20 and loads of php processes.
Little ask cos i know your way too busy on proper stuff

[ReetP]

You say a php-fpm contrib, but to do what?

The webhosting contrib does some stuff and there are some manual settings too.

Beyond that PHP has dozens, if not hundreds, of variables that can change between versions. Most are acceptable defaults. Everyones requirements are different so it's hard to know exactly what you think we should do?

I'm also not sure what this has got to do with security tests? Describe your issue?

[jameswilson]

As part of credit card checks etc we have to use a company to scan the server for open ports non secure apps etc.
But it nails the web server with 40 or 50 concurrent connections.
It looks like php-fpm (i could be wrong) creates a new process on every request. This quickly goes to 100% processor and then the loads climb and the page load time takes ages.
Looking on line there are options to control php-fpm but i dont know how to alter the settings in sme.

[ReetP]

So the question is really "how can I rate limit web connection requests as my server can't handle it?"

First, what spec is your server? Perhaps you need more grunt?

Yes there are limits you can add to php-fpm - as you have with other custom templates - to limit maximum connections. But the consequence may be your server gives an error to them, which you may not want?

You can consider some of these (example) settings.

Code: [Select]

pm.max_children = 20
pm.start_servers = 10
pm.min_spare_servers = 2
pm.max_spare_servers = 4
pm.max_requests = 1000

Another option may be rate limiting via apache.

Eg
https://stackoverflow.com/questions/131681/how-can-i-implement-rate-limiting-with-apache-requests-per-second

You need to think about your desired outcome....

[Jean-Philippe Pialasse]

this is ddos.  you need
- fail2ban
- mod_security
- mod_evasive

they are testing if they get your server down, or if they get banned.  you have nothing to get them banned. 


you already have all you need to set fpm as the webhosting contrib is doing that.