Adding nginx to the LAMP stack for performance

The Apache HTTP Server is a very flexible server that can be used with almost all open source projects with little to no customisation, thanks to Apache's ubiquity within the community. However, being a jack of all trades unfortunately means it isn't necessarily a master of everything. One of the more commonly cited issues with Apache HTTP is that its resource usage is considerably higher than that of other available options, which can lead to problems when under heavy load.

To obtain the benefits of lower resource usage there are plenty of other options available, such as nginx (the choice for this article), Apache Traffic Server or lighttpd. However, using one of these as your server software of choice may lead to compatibility issues with your applications. To avoid those issues, this article outlines how to add nginx into the mix without losing Apache.


Example iptables configuration for Web Servers

Setting up a host based firewall on your server to protect it from the nasties of the internet is a very simple step that can easily backfire when you lock yourself out of SSH…

Below is a very simple script to set up basic firewall restrictions for a web server such as Apache or Nginx, allowing the following:

  • Allow all traffic from the server to its local loopback interface – this is needed for many system and application level functions
  • Allow inbound access to ports 80 and 443 from all sources for your HTTP and HTTPS websites
  • Allow all outbound connections from your server to the internet, and allow the reply traffic for those connections – this is needed to connect to repositories and APIs, send email, etc.
  • Allow inbound SSH connections from the internet, while blocking any source that attempts to connect more than 4 times a minute, in order to prevent easy SSH brute forcing


SSL Certificate discovery script

Heartbleed… well, if you were vulnerable you need to replace (and, importantly, re-key) all certificates whose private keys may have been exposed. Remember that although only OpenSSL was vulnerable, if you use the same certificate on multiple platforms you will need to replace it everywhere, not just on the devices running the now patched OpenSSL.

Identifying all your vulnerable devices is a task in itself, but finding where all your certificates are installed, so that the re-installation process can begin, can be an impressive feat on its own.

Scripting a discovery scan

The bash script below can be used to run a scan against a list of IP addresses or DNS names and will report back the Common Name of the certificate installed on each.


Improving email deliverability using MX, SPF and PTR records

Junk email is a widely acknowledged bane of any email inbox, with current statistics suggesting that spam is responsible for over 60% of all email traffic. What can be worse, however, for both users and legitimate service operators, is email being misclassified as spam.

The guide below shows how to allow email services such as Gmail, Yahoo and Outlook/Hotmail to effectively determine whether the email you are sending should be classified as spam or not.


Best practice Apache SSL configuration – Ciphers

Upon installation, the default Apache SSL configuration is not optimal and will achieve low scores when run through SSL implementation testing services such as Qualys' SSL Labs.

The configuration lines below can be added to your Apache configuration to achieve a higher grade and improve the security of your SSL/HTTPS implementation using Apache and OpenSSL. As of February 2014 this configuration achieves an "A-" on the Qualys results when using a RedHat/CentOS operating system and standard repo installations of Apache and OpenSSL. The main reason the result is not better is that RedHat currently has concerns over "possible patent issues".
