Pimping a wordpress for high-performance and against DDoS attacks – series

September 24th, 2016 by admin | Permalink

For quite a while, I am supporting the finance blog of a friend of mine. He started this as a small blog project (it is still a blog) and quickly got a lot of traffic.

The initial setup was a hosted website with a provider including PHP and MySQL.
Quickly there was too much traffic and the site became really really slow. On top, the possibilities in this environment are limited.

Next step – own server. So we booked him a machine at Hetzner, a German ISP with quite good conditions. I put VMWare in place and virtualizied the entire thing.
As time goes, the machine became old and had to be replaced. So we decided for a new machine and to install everything bare metal (no VMs).
The current machine holds a Skylark Quad-Core processor, 64 GB of RAM, SATA HDD and a lot of more cool things.

So a fairly decent setup.

Recently the site was attacked using several different technics.

This series is about the steps we took to keep the site alive and also gain speed, performance, reduce load and file sizes.

The result of this series should be a WordPress installation on steroids.

You will use and run:

– Nginx
http/2
https / SSL encryption
– Caching for WordPress
– Optimized compression for images and files
– CDN
– Fail2Ban to avoid to many requests from one source
– Optimized caching on client side
Faster page loads
– Lazyload for images
– and many things more

Nginx, don’t redirect to https for specific site / url

September 24th, 2016 by admin | Permalink

After you have read my article on redirecting all traffic to https, you discovered that some content is not appearing correctly anymore.

For the finance blog I am supporting, this is the case for some pages like “10 goldene Regeln für binaere Optionen” were http content is embedded. In this case it is an external javascript (unfortunately, you should try to avoid this whenever possible) that could not be served using https.

So, we needed an exception to do this.

In your server {} configuration for port 80 (non-ssl) add this:

location ^~ /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
try_files $uri $uri/ /index.php?$args;
}

In the configuration for port 443 (ssl / https) add this:

location /10-goldene-regeln-fur-den-handel-mit-binaren-optionen {
return 301 http://$server_name$request_uri;
try_files $uri $uri/ /index.php?$args;
}

Of course you need to adjust that for your needs. This overrides the configuration for the redirect all, for an exception with the URL “/10-goldene-regeln-fur-den-handel-mit-binaren-optionen”

HTST – Strict Transport Security

May 1st, 2016 by admin | Permalink

I recently stumbled across a pretty cool, but also painful if you don’t know it, functionality within the HTTP/S protocol.

It is called HTST or HTTP Strict Transport Security. Basically it tells the browser over a header to request everything from this server only via HTTPS instead of HTTP.
The first request will set something like a cookie, but it is, depending on the browser, not a regular cookie. For example Safari stores this information in a file called HTST.plist.

The header sets a lifetime like for a cookie.

In my specific case, I had an entire server redirected to https by a rewrite rule, but one specific URL redirected to http. HTST avoided that drastically and it took me a few hours and some external help to figure this out.

Details about my case can be found here.

What’s the state on IPv6 – 2016 Edition

April 9th, 2016 by admin | Permalink

Nearly three years ago, I tested a list of popular website for there IPv6 support. Back then the adoption was shockingly small.

ARIN recently ran out of IPv4 addresses and now has a waiting list for new address spaces. This makes the situation even more dramatic.

Time to run my test again.

Only 8 websites that didn’t support IPv6 three years ago now support it.

yahoo.com
linkedin.com
microsoft.com
apple.com
instagram.com
aol.com
netflix.com
dropbox.com

Consolidating / merge several DNS zone files into one server

March 5th, 2016 by admin | Permalink

I recently worked on a datacenter move including migration of internal and external DNS servers.

the old datacenter had a history of around 20 years.
Unfortunately back in the days it was decided to use the same domain for internal and external records, but split it so that there is two zone files. One holding internal, the other one public records. Each zone file had around 1800 single records. A total mess!

We decided to move for DNS to AWS Route53, so a merge was necessary.

During that journey I found two really helpful tools.

One is dns_compare which helps you checking a zone file against a DNS server. E.g. internal file against external server.

The second tool is cli53, which is literally a command line tool that lets you manipulate and import/export DNS records into Route53.

Unfortunately the import within the AWS interface is only available for the initial import and only supports a maximum of 1000 records. cli53 helps with this as well.

Apple Mail set S/Mime as default before GPGTools

July 30th, 2015 by admin | Permalink

This is fairly simple. Open a Terminal type:

defaults write org.gpgtools.gpgmail DefaultSecurityMethod -int 2

Close Mail, open it again and you are set.

No matter what you prefer either GPG/PGP encryption over S/MIME – it is always a good thing to encrypt your email.
Setting up S/Mime on a Mac is simpler then you think.

Go for example to Comodo, get a free certificate by filling out the simple form (name + email), wait for the email, click on the link, download the certificate, double click, restart Mail – DONE!

SOLVED – tftpd-hpa won’t start after upgrade

July 25th, 2015 by admin | Permalink

I just ran into an old TFTPD-HPA bug from 2009, that is still not fixed.

What happened:

Upgrading my Raspberry PI and using it as a PXE Boot server resulted in TFTPD-HA not starting with an error message like this:

Jul 23 12:12:32 xxxx in.tftpd[27342]: cannot open IPv6 socket, disable IPv6: Address family not supported by protocol
Jul 23 12:12:32 xxxx in.tftpd[27342]: Cannot set nonblock flag on socket: Bad file descriptor

This problem is also mentioned here in more detail.

Apparently the TFTPD-HPA tries to support IPv6 even that the kernel is not. See bug note.

The only thing you need to do is to start the daemon only in IPv4 mode.

edit your /etc/init.d/tftpd-hpa file.

Change the line (in my case 58) from

start-stop-daemon --start --quiet --oknodo --exec ${DAEMON} -- \
--listen --user ${TFTP_USERNAME} --address ${TFTP_ADDRESS} \
${TFTP_OPTIONS} ${TFTP_DIRECTORY}

to

start-stop-daemon --start --quiet --oknodo --exec ${DAEMON} -- \
--listen --ipv4 --user ${TFTP_USERNAME} --address ${TFTP_ADDRESS} \
${TFTP_OPTIONS} ${TFTP_DIRECTORY}

and finally:

service tftp-hpa restart

This should solve the issue and only provide support for IPv4.

Stop spying on us!

February 11th, 2014 by admin | Permalink



Akamai releases numbers on IPv6 usage in Q3/13

January 30th, 2014 by admin | Permalink

Akamai recently released the latest numbers on traffic they see coming from IPv6 networks.

Romania and Switzerland are leading the board, which is pretty impressive.

stateoftheinternet

Source: State of the Internet – Akamai

Why you want to support IPv6 now!

November 17th, 2013 by admin | Permalink

I recently change ISP and surprise I now have a native IPv6 network ending up at my router instead of an IPv4 internet address.

My new ISP uses something called DualStack Lite, which means I can still reach IPv4 (old internet), but I get routed (nat) thru one of their IPs. In fact I am sharing an IPv4 with hundreds of other customers. In the usual case this is not an issue as people do not need fixed IPv4 addresses at their home network.

I switched from 50Mbit/s to 100Mbit/s. The second I reach a website that supports IPv6 I see the content extremely fast, connections are brilliant and everything. The second I access IPv4, I get a feeling that everything feels more slowly.
This is happening because of the DualStack-Lite, as lots and lots of other users have to be re-routed thru my ISPs system.

Beside the fact that there are just no IPv4 addresses left, the user experience using IPv6 is way better now.

If you are in the internet industry, get your stuff finally ready for IPv6. It is shocking how many companies are still only supporting IPv4 out of laziness.

In case you are not sure if your website/service support IPv6 yet, check it at IPv6 Test

%d bloggers like this: