Why you shouldn’t download a MySQL config from the net

Working on servers, people seem to think there is a cheat sheet to it at times. While there are many ways to simplify and automate a lot of configurations on a server, MySQL is not the time nor the place to cut corners. If you bog MySQL down, the system will in turn feel the wrath of your misconfigurations. Here are a few super common mistakes.

  • max_connections set way too high - Why people think this is even remotely near a good idea is beyond me. It is common to go out to a server and find that it has either flat out hung or is spitting out-of-memory errors on the screen and has gone brain dead. Just because you can set your connections to 1500 doesn’t mean it’s a good idea. In fact it’s probably better for MOST people to set their connections to 150. The reason is simple: each connection available uses RAM. If a query comes by and there are 150 connections available, you will probably get an out of connections error and can log into the system, figure out what broke and fix it; if you hang the system you get an out of memory error and no real data to work off of. CPanel sets this to 500 by default; if you are using 500 connections (and the system is still up) YOU PROBABLY HAVE A PROBLEM.
  • huge buffer sizes - Guess what: if you have 100 megabytes of InnoDB tables, setting your innodb_buffer_pool_size to 5GB isn’t going to help you out. Plain and simple. If you start adding more tables you could possibly even run out of RAM (see above).
  • Big RAM - MySQL does not like RAM use above 2GB on 32 bit systems. They do not recommend running it because it can cause stability problems. In turn this means that there is little reason not to run a 64 bit OS any more unless you’re running a low end server. You NT guys are pretty much stuck with 2GB no matter if you’re running X86 or X64. That being said, for hard core DB applications you should probably be putting it on a unix based OS anyways.

Besides this there is the single biggest reason of all: you will probably have lousy performance compared to a custom my.cnf. When tuning databases, one needs to keep in mind that the my.cnf is tailored to a combination of the database content, how the database is used and the server itself. If there was a magical my.cnf that would make any server work great, don’t you think that Oracle/Sun/MySQL would have included it with the server software? We will go into a few things in later blogs such as software to help tuning MySQL, what the parameters mean and how to actually tune a database properly.
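The max_connections and buffer-size points above can be checked against a candidate my.cnf before it goes live. This added example (not part of the original post) estimates worst-case memory as global buffers plus max_connections times the per-connection buffers; the sample config is constructed, the formula is a rough approximation, and the fallback of 150 connections is an assumption taken from the figure in the post.

```shell
#!/bin/sh
# Rough worst-case estimate: global buffers + max_connections * per-connection
# buffers. An approximation for sizing, not MySQL's exact allocation behaviour.

# Constructed sample standing in for a my.cnf copied from the net.
sample_cnf() {
cat <<'EOF'
[mysqld]
max_connections = 1500
key_buffer_size = 256M
innodb_buffer_pool_size = 5G
sort_buffer_size = 2M
read_buffer_size = 1M
read_rnd_buffer_size = 2M
join_buffer_size = 2M
EOF
}

# estimate_mb [CONNS]: read a my.cnf on stdin, print the estimate in MB.
# CONNS, if given, overrides max_connections to compare settings.
estimate_mb() {
  awk -F= -v override="${1:-}" '
    function bytes(v,    n, u) {            # 512K / 256M / 5G -> bytes
      n = v + 0; u = toupper(substr(v, length(v)))
      if (u == "K") n *= 1024
      if (u == "M") n *= 1024 * 1024
      if (u == "G") n *= 1024 * 1024 * 1024
      return n
    }
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /\[mysqld\]/); next }
    !in_mysqld || /^[ \t]*(#|;|$)/ { next }
    {
      k = $1; v = $2
      sub(/#.*/, "", v); gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v); gsub(/-/, "_", k)
      if (k == "max_connections") conns = v + 0
      else if (k ~ /^(key_buffer_size|innodb_buffer_pool_size)$/) global += bytes(v)
      else if (k ~ /^(sort|read|read_rnd|join)_buffer_size$/) per_conn += bytes(v)
    }
    END {
      if (override != "") conns = override + 0
      if (conns == 0) conns = 150           # assumption: figure suggested in the post
      printf "%d\n", (global + conns * per_conn) / (1024 * 1024)
    }'
}

echo "as downloaded (1500 connections): $(sample_cnf | estimate_mb) MB"
echo "with max_connections = 150:       $(sample_cnf | estimate_mb 150) MB"
```

Compare the result with the RAM actually installed; on a real server, pipe the live file in, for example `estimate_mb < /etc/my.cnf`.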

Mod_limitipconn

I have had a few clients with chronic security issues on machines; DoSes are by far the most common attack. It’s easy enough for anyone of average (or below average, up for debate) intelligence to carry out. A few zombie machines and some basic software and all of a sudden you can take down a decently massive web site.

There are a few caveats to mod_limitipconn, the biggest being if you run a site with a very large amount of images. Images are loaded last on a page, and also are loaded at once. This can be a perilous position because mod_limitipconn can cause issues with dead images if not done properly. This is why you have to tune it. In general there is no CPanel integration so you’re going to be doing this by hand. For you people out there with other panels, your mileage may vary.

First thing is installing it. This is a relatively simple process, be sure you have APXS installed so you can do this. Download the software from http://dominia.org/djao/limitipconn2.html and install it using their commands. You can also probably get packages from a place like Dag if that’s your thing. Certain distros such as Debian also come with a ready to rock version. After we get it installed, we need to go into httpd.conf and make some alterations.

MaxConnPerIP 10
NoIPLimit images/*

There are a few things to note here. For people that have static content on their systems, you would set an instance of “images” for each static content directory that you were using. This includes things like Javascript, CSS, and conventional images. The reason for this is that, when mod_limitipconn is used for system hardening, an attacker will usually not target an image. This can happen, but it’s also not as “profitable” as a DoS using a page, because you don’t pull the images and other content on the page (increasing bandwidth usage), and static content tends to be super efficient compared to PHP or other server side scripting, so it tends to be far more robust.

You can also do other cool tricks such as format based setting of the connection limits.


# local per-directory settings here
MaxConnPerIP 1
OnlyIPLimit audio/mpeg video

By putting this in with the main configuration above, you can set up additional subdirectories and limit connections based on media type. This can slow a leecher down significantly because they can’t pull everything at once.

Since we have the basics covered, just a few words on tuning the configuration. The biggest thing you need to do is view the sites you use this on. Sites with mod_limitipconn can behave erratically if an initial setup is done but left untuned. This can include random broken images and other content not showing up. There are two things we are concerned with when tuning: the first is that the most static content possible is set to very loose or no limitations, the second is that you get the base connections as low as sanely possible. If you can get it around 5, that would likely be the most pages someone would “sanely” load of a typical site without having issues. The other thing is that if you have embedded pages in your site you will have to increase this number significantly. Just go slowly and when the page fully loads add say 10-20% to that amount. If you get reports of broken content it would likely be safe to up this number some at that point to “dial in” that perfect configuration.

Best and Most Cost Effective Solution for Application Hosting

I’ve been working on some new business solutions for a while now involving heavy Colocated setups. Finally have the foot work done and have started offering a solution called “managed Colocation” to clients. Some of you may have heard of this concept before; RackSpace currently offers something slightly similar. RackSpace offers managed Colocation in the sense that you have full control over the hardware and can get custom parts installed but never actually “own” the base system. The idea of Colocation is to rent space and bandwidth to the customer for any gear they want; if you’re not allowing them to have ownership of their servers or hardware then it’s NOT Colocation!

We’ve begun to offer a solution that allows clients to ship us their gear or have us order it directly for them. We then rack it for them and take care of any hardware or extreme software failures that may happen. We are essentially a babysitter for their hardware; this is extremely valuable to small/medium businesses where hiring someone to handle it is simply not cost effective.

Colocation Vs. Dedicated

Now here’s a topic a lot of people truly don’t understand, and I see them paying WAY more than they need to for servers. Just recently one of our new clients migrated to our Managed Colocation from Liquid Web; they were paying around $1,800 a month in server rental for 3 mid range boxes. With managed Colocation they are now paying $700/mo for 5U Rack Space, Bandwidth & Power. They also now own their hardware, so you will have to account for failure of disks and power supplies; thankfully most OEM servers have a 3 year warranty on all components. Depending on how important your server is, you will need to keep extra disks and power supplies on hand. Over the period of 3 years we will have saved this client $30,000.

Interested in our Colocation services?  Give us a call http://beyondhosting.net (1-724-790-4678)

Dealing with time consuming customers

It’s not daily but I do have to deal with customers that feel as if I should be doing nothing but slaving over them and their web projects. Today one of my newer customers, 2 months now, asked me to setup a store and update a few pages on his website for him. Went ahead and invoiced the work, got it paid and started the procedure. Turns out his entire site is a Frontpage mess and a total headache of scattered unclosed tags. Trying to figure which tags went to what was an absolute nightmare. One of these moments actually,

Anyway, this customer also wanted us to post some ads from CJ.com on his site, no idea where he wanted them or how he wanted them placed, just throw them on there. Well he calls up after we make the changes saying how terrible they look and how he didn’t want them on certain pages, see the irony yet?

Just another one of those days dealing with people who truly have no idea what they want.  I won’t even mention how the e-commerce store went over,  apparently credit card processing is something magical..

The internet as of 2000

Back when I was younger and working on gaining knowledge of such things as Linux, I used to listen to this online radio show all the time. It really gives a feel for the industry as of about the years 2000-2001 and how it was evolving at the time. The show has long since gone off the air, but they do have archives up still. ftp://ftp.dhbit.ca/DHBiT/ I also used to listen to Off The Hook, Emmanuel Goldstein’s radio show. I think it’s still on, but it’s been forever for that as well.

Setting up DNS for a dedicated server or VPS with Godaddy

The series of blogs I write is actually a lot of tech support questions that are common. This question gets bonus points because it is actually very difficult to explain over the phone due to the complexity in which DNS works. That being said, pictures are worth their weight in gold. For this reason I have included the pictures below as well as captions explaining what you need to do.

First off this is the domain menu. If you look here, the name servers are already defined. Chances are that unless you have a new domain, they will be pointed to the DNS of your host or your old server. What we are going to do is scroll all the way down the page, at the bottom left where it says “Host Summary” then click “Add.” This will open the next menu.

There are two fields we are going to edit here. The first one is for the Host record that the DNS server is going to be called. Normally I use “NS1” and “NS2.” Don’t sweat capitals or not here, it’s not case sensitive. The other field we need to change is the one labeled “Host IP 1.” After this is done, we click “ok” and simply repeat the procedure for the secondary name server. When I set a new dedicated up I prefer to set it up with the first two IPs as NS1 and NS2 respectively.

Now that this has been done, we can finally add our name servers. Please note that if the other information hasn’t been updated in Godaddy’s information that it can take some time for it to allow you to do this. If you have NS1 and NS2 showing up in the Hosts Summary but it gives you an error about the name server not existing this is why. If you already have this set up, the only other change required is to change the Host Records so that the IPs are pointing to the new server and wait on propagation.

CSF + Passive FTP

If you are running an FTP server (Pureftp/Proftp) on your linux server, it is very important to enable passive mode, because this mode works best for ftp clients protected by a firewall, since the client initiates the connection.

If you are running a CSF firewall in your linux box, along with FTP server running Pure-ftp or Proftp, just follow the below steps…

1. Add Passive Port range 30000-35000 to your Pureftp or Proftp configuration file

(i) Pureftpd

Open /etc/pure-ftpd.conf, and add this line

PassivePortRange    30000 35000

(ii) ProFTP

Open /etc/proftpd.conf, and add this line

PassivePorts    30000 35000

2. Open the ports from 30000 – 35000 in your CSF firewall configuration file under TCP_IN

Open /etc/csf/csf.conf

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,30000:35000"

Then restart firewall and ftp server.

service csf restart
service pureftpd restart (or)
service proftpd restart

Once this is done, open your ftp client and try connecting to ftp server. It should be able to work in passive mode.
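If passive connections still fail after the restart, the usual cause is that the FTP daemon's range and the TCP_IN list disagree, or that the range itself is mistyped. This added example (not part of the original post) checks both; the sample files are constructed in a temporary directory and the function names are hypothetical.

```shell
#!/bin/sh
# Confirm the FTP daemon's passive range is valid and allowed by CSF's TCP_IN.

# passive_range FILE: print "LOW HIGH" from PassivePortRange (Pure-FTPd) or
# PassivePorts (ProFTPD); prints nothing if the line is missing or not numeric.
passive_range() {
  awk '($1 == "PassivePortRange" || $1 == "PassivePorts") &&
       $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3; exit }' "$1"
}

# csf_allows CSF_CONF LOW HIGH: succeed if one TCP_IN entry covers LOW..HIGH.
csf_allows() {
  awk -v lo="$2" -v hi="$3" '
    /^[ \t]*TCP_IN[ \t]*=/ {
      sub(/^[^"]*"/, ""); sub(/".*$/, "")         # keep only the quoted port list
      n = split($0, entry, ",")
      for (i = 1; i <= n; i++) {
        m = split(entry[i], r, ":")
        a = r[1] + 0; b = (m == 2 ? r[2] + 0 : a)  # single port or low:high range
        if (a <= lo + 0 && hi + 0 <= b) ok = 1
      }
    }
    END { exit(ok ? 0 : 1) }' "$1"
}

# check_passive_ftp FTP_CONF CSF_CONF: print a one-word verdict.
check_passive_ftp() {
  range=$(passive_range "$1")
  lo=${range% *}; hi=${range#* }
  if [ -z "$range" ]; then echo "no-passive-range"
  elif [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then echo "invalid-range"
  elif csf_allows "$2" "$lo" "$hi"; then echo "ok"
  else echo "blocked-by-csf"
  fi
}

# Constructed sample files mirroring the lines in the steps above.
demo=$(mktemp -d)
printf 'PassivePortRange    30000 35000\n'  > "$demo/pure-ftpd.conf"
printf 'PassivePortRange    30000 350000\n' > "$demo/typo.conf"
printf '# Allow incoming TCP ports\nTCP_IN = "20,21,22,25,53,80,110,30000:35000"\n' > "$demo/csf.conf"
printf 'TCP_IN = "20,21,22,25,53,80,110"\n' > "$demo/csf-closed.conf"

check_passive_ftp "$demo/pure-ftpd.conf" "$demo/csf.conf"
check_passive_ftp "$demo/typo.conf" "$demo/csf.conf"
check_passive_ftp "$demo/pure-ftpd.conf" "$demo/csf-closed.conf"
```

On a live server, call `check_passive_ftp /etc/pure-ftpd.conf /etc/csf/csf.conf` (or pass /etc/proftpd.conf as the first argument).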