The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Web-server-stack"
(→Webapp Firewalls: nginx_modules_http_naxsi : An open source, high performance, low rules maintenance, Web Application Firewall module for Nginx.) |
(StartCom no longer offers free ssl CA certificates. Added explanation of CA authority. dev-db/postgresql-server doesn't exist, changed to dev-db/postgresql.) |
||
(6 intermediate revisions by one other user not shown) | |||
Line 2: | Line 2: | ||
== Pre-install considerations == | == Pre-install considerations == | ||
=== ssl === | === ssl === | ||
A CA signed certificate is a certificate that has been issued and signed by a publicly trusted certificate authority (CA). | |||
=== | Ssl [http://en.wikipedia.org/wiki/Wildcard_certificate wild card certificates] can use the same certificate to cover several subdomain names. As in https://wiki.funtoo.org https://www.funtoo.org https://forums.funtoo.org can all use the same certificate. https://funtoo.org would not be covered under the wildcard. All that is required to setup a CA signed ssl certificate is an email on the server. Free ssl CA certificates are available through several certificate [http://en.wikipedia.org/wiki/Certificate_authority#Providers providers]. Many web apps require you set your URL & will have problems if your URL is set to http://, rather than https:// when using ssl/tls. | ||
Sockets have less overhead but can not be shared across jails, or to other machines. | |||
[https://www.startssl.com StartCom CA] no longer offers free ssl ca certificates as it is closed as of Jan. 1st, 2018, it doesn't issue any new certificate from StartCom name roots. | |||
=== Unix Sockets vs TCP stack === | |||
Sockets have less overhead but can not be shared across jails, or to other machines. The TCP stack has more overhead but is far more flexible. | |||
=== Email Servers === | === Email Servers === | ||
* {{Package|mail-mta/postfix}} <-- suggested | * {{Package|mail-mta/postfix}} <-- suggested, installed by default. | ||
=== FTP Servers === | === FTP Servers === | ||
Line 19: | Line 19: | ||
* {{Package|net-ftp/vsftpd}} <-- suggested | * {{Package|net-ftp/vsftpd}} <-- suggested | ||
* {{Package|net-ftp/proftpd}} | * {{Package|net-ftp/proftpd}} | ||
== Webserver == | == Webserver == | ||
Web servers come in several varieties. The most common stack is known as LAMP which stands for linux apache mysql php. | Web servers come in several varieties. The most common stack is known as LAMP which stands for linux apache mysql php. Funtoo suggests setting up the web server stack by selecting the database first, then scripting language second, and web server 3rd. | ||
=== Databases === | === Databases === | ||
Line 29: | Line 27: | ||
mariadb is a drop in replacement for mysql | mariadb is a drop in replacement for mysql | ||
* {{Package|dev-db/mariadb}} <-- suggested | * {{Package|dev-db/mariadb}} <-- suggested for mysql users | ||
percona is a drop in replacement for mysql | percona is a drop in replacement for mysql | ||
* {{Package|dev-db/percona-server}} | * {{Package|dev-db/percona-server}} | ||
* {{Package|dev-db/postgresql | * {{Package|dev-db/postgresql}} <-- suggested over mysql | ||
* {{Package|dev-db/sqlite}} | * {{Package|dev-db/sqlite}} | ||
Line 44: | Line 42: | ||
=== Web Servers === | === Web Servers === | ||
* {{Package|www-servers/apache}} | * {{Package|www-servers/apache}} | ||
* {{Package|www-servers/ | * {{Package|www-servers/nginx}} | ||
* {{Package|www-servers/ | * {{Package|www-servers/tengine}} <-- suggested | ||
* {{Package|www-servers/lighttpd}} | * {{Package|www-servers/lighttpd}} | ||
=== SSL Termination, Reverse Proxies, & load balancing === | === SSL Termination, Reverse Proxies, Caching, & load balancing === | ||
Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server. Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in. | Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server. Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in. | ||
* {{Package| | * {{Package|net-misc/memcached}} <-- suggested database cache to speed up database queries. | ||
* {{ | * {{Package|dev-db/redis}} | ||
* {{ | * {{Package|www-servers/nginx}}<-- suggested for ssl termination & load balancing | ||
* {{Package|www-servers/tengine}} | |||
* {{Package|www-servers/varnish}} <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages | * {{Package|www-servers/varnish}} <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages | ||
* {{Package|net-proxy/squid}} | * {{Package|net-proxy/squid}} | ||
Line 63: | Line 61: | ||
=== Firewalls === | === Firewalls === | ||
* {{Package|net-firewall/nftables | * {{Package|net-firewall/nftables}} <-- suggested | ||
* {{Package|net-firewall/iptables}} | |||
* {{Package|net-firewall/ | * {{Package|net-firewall/firewalld}} note: broken under *too | ||
* {{Package|net-firewall/ | |||
=== Dynamic Firewalling === | === Dynamic Firewalling === | ||
* {{Package|app-admin/sshguard}} <-- suggested | * {{Package|app-admin/sshguard}} <-- suggested | ||
=== Webapp Security === | |||
https:// | Install mod_security on your web servers. See the [https://www.owasp.org/index.php/Main_Page open web app security project] | ||
=== Benchmarking === | === Benchmarking === | ||
It's a good idea to benchmark your system, server, & websites. There are several tools to assist you in doing this. | It's a good idea to benchmark your system, server, & websites. There are several tools to assist you in doing this. | ||
* http://toolbar.netcraft.com/site_report?url=undefined#last_reboot | |||
* http://gtmetrix.com/ | |||
* http://www.showslow.com/ | |||
* http://yslow.org/ | * http://yslow.org/ | ||
* http://getfirebug.com/ | * http://getfirebug.com/ | ||
* {{Package|app-admin/apache-tools}} | * {{Package|app-admin/apache-tools}} | ||
Latest revision as of 06:11, July 2, 2021
Pre-install considerations
ssl
A CA signed certificate is a certificate that has been issued and signed by a publicly trusted certificate authority (CA).
Ssl wild card certificates can use the same certificate to cover several subdomain names. As in https://wiki.funtoo.org https://www.funtoo.org https://forums.funtoo.org can all use the same certificate. https://funtoo.org would not be covered under the wildcard. All that is required to setup a CA signed ssl certificate is an email on the server. Free ssl CA certificates are available through several certificate providers. Many web apps require you set your URL & will have problems if your URL is set to http://, rather than https:// when using ssl/tls.
StartCom CA no longer offers free ssl ca certificates as it is closed as of Jan. 1st, 2018, it doesn't issue any new certificate from StartCom name roots.
Unix Sockets vs TCP stack
Sockets have less overhead but can not be shared across jails, or to other machines. The TCP stack has more overhead but is far more flexible.
Email Servers
- mail-mta/postfix <-- suggested, installed by default.
FTP Servers
It is common practice to use FTP servers to host files for downloading.
- net-ftp/vsftpd <-- suggested
- net-ftp/proftpd
Webserver
Web servers come in several varieties. The most common stack is known as LAMP which stands for linux apache mysql php. Funtoo suggests setting up the web server stack by selecting the database first, then scripting language second, and web server 3rd.
Databases
mariadb is a drop in replacement for mysql
- dev-db/mariadb <-- suggested for mysql users
percona is a drop in replacement for mysql
- 没有结果
- 没有结果 <-- suggested over mysql
- dev-db/sqlite
Languages
- dev-lang/php <-- suggested
- dev-lang/perl
- 没有结果
Web Servers
SSL Termination, Reverse Proxies, Caching, & load balancing
Reverse proxies are useful, some cache static data, and shuck out cached pages rather than hitting the web server. Some pass requests to backend nodes high availability clustering your website, some web servers have this functionality built in.
- 没有结果 <-- suggested database cache to speed up database queries.
- 没有结果
- www-servers/nginx<-- suggested for ssl termination & load balancing
- www-servers/tengine
- www-servers/varnish <-- suggested for caching to reduce power consumption & reduce the need of constantly rebuilding pages
- net-proxy/squid
Post install
There are several considerations to take into account with a web server install, such as setting up an email server, setting up a firewall, firewalling web applications, and dynamically firewalling attackers.
Firewalls
- net-firewall/nftables <-- suggested
- net-firewall/iptables
- net-firewall/firewalld note: broken under *too
Dynamic Firewalling
- app-admin/sshguard <-- suggested
Webapp Security
Install mod_security on your web servers. See the open web app security project
Benchmarking
It's a good idea to benchmark your system, server, & websites. There are several tools to assist you in doing this.