Download Drupal Performance & Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
Document related concepts

Clusterpoint wikipedia , lookup

Database model wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Versant Object Database wikipedia , lookup

Transcript 
Performance & Security
Satish C Ayappan (Drupal Architect- Capgemini)
[email protected]
Performance

Front end performance.








Drupal out of box optimization
Mysql Optimization
MySQL Query Optimization
Memcache for database caching
Scalable File System options
PHP and Apache Configuration
Use Reverse proxies like Varnish
A fail over server landscape
Security
SQL injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
File Permissions
Harden Apache and PHP
Securing Linux Server.
Performance
What we can do?
Front end performance
– Limit HTTP Requests. – Use Drupal Aggregator or
Advanced CSS/JS Aggregation
– Use Pagespeed or Yslow
– Enable gzip compression
– Specify image dimensions
– Single Points of Failure (SPOFs)
Front end performance contd..
– Use CDN for Images and CSS
– Use Image Sprites.
– Optimize Images (Yahoo! Smush.it).
– Client side caching ( Cache control and Expires,
Don’t use Etag, In Apache you can disable the
Etag with FileFlag)
Drupal out of box optimization
– Page Caching
Page caching will not work when there is a PHP session.
It will work for anonymous user.
– JS and CSS Aggregation
– Use Boost
– Use View Cache
– Use Entity Cache along with Redis
– Cache Warming / Priming (Drush Entity Cache Loader, Cache Warmer)
– Use Fast 404 Module
– Use Syslog Module
– Disable PHP Filter Module
Mysql Optimization
– Enable query cache
– Variables Like innodb_buffer_pool_size,
table_cache thread_cache etc.
– Use innodb_file_per_table.
http://www.percona.com/blog/2006/09/29/what
-to-tune-in-mysql-server-after-installation/
Mysql Query Optimization
– Use Indexes
– Use Explain to understand the query plan
– Avoid full table scan, file sort and temporary table
creation by looking at query plan
– Look here for query optimization
http://dev.mysql.com/doc/refman/5.0/en/selectoptimization.html
• http://dev.mysql.com/doc/refman/5.0/en/optimization.html
Memcache/Redis for database cache
– Memcache /Redis can be used in front of Mysql to offload
database server load, the data can be cached at
memcache/Redis and serve the data from
memcache/Redis without hitting the MySQL Server
Scalable File System options
– NFS file system – If you are using NFS, increase the size for
Real Path Cache
– Glusterfs File system
– Use can use lsyncd or rsync.
– File Conveyor
– Mounting SSFS
– NAS
– SAN
PHP and Apache Configuration
–
–
–
–
–
Use OPCache (PHP 5.5 has free version of Zend optimizer)
opcache.memory_consumption
opcache.max_accelerated_files
opcache_revalidate_freq = 240
Disable the modules of Apache in production if you are not
using.
– Set keepalive setting to 1 or 2 seconds
– Include .htaccess file using include directive and change
the parameter AllowOverride to None.
Reverse proxies like Varnish
– Don’t use Etags for static pages.
– Don’t session id or cookies for static pages.
A fail over server landscape (No DR)
Security
What we can do?
SQL Injection
– Use always parameterized Queries
uid = 1;
$result = db_query('SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = :uid', array(':uid' => $uid));
// Result is returned as a iterable object that returns a stdClass object on each iteration
foreach ($result as $record) {
// Perform operations on $record->title, etc. here.
}
uid = 1;
$result = db_query('SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = $uid');
// Result is returned as a iterable object that returns a stdClass object on each iteration
foreach ($result as $record) {
// Perform operations on $record->title, etc. here.
}
Cross Site Scripting (XSS)
– Apply filter for content
Should not use Full HTML
– Use Check URI check_url($url) for URLs before displaying
the content
– Use check plain check_plain($text) method to check the
text before displaying the content.
– Use t() with @ and % and not !, this will apply check_plain
automatically for translation
– Use l() to create links
Cross Site Request Forgery (CSRF)
– Use always form API
File Permissions
– Files: 770 or 754
chmod -R 770 /var/www/html/sites/default/files
– Themes: 755
chmod -R 755 /var/www/html/sites/all/themes
– Default: 755
chmod 755 /var/www/html/sites/default
– Settings.php: 444
chmod 444 /var/www/html/sites/default/settings.php
Hardening Apache
–
–
–
–
–
–
–
–
–
–
–
–
–
Set ServerSignature Off in apache configuration file
Set ServerTokens Prod in apache configuration file
Disable unnecessary modules
Disable unnecessary Options like Indexes, Options -Indexes
Disable ETAG
Run Apache with its owns user and group
Set cookie with HttpOnly and Secure flag
Configure for X-XSS Protection
Disable HTTP 1.0 Protocol
Disable Trace Requests
Limit HTTP Request Methods to GET POST HEAD
Use use mod_security
install the mod_evasive to avoid dos attacks
Hardening PHP
–
–
–
–
–
–
–
Set expose_php Off in php.ini
Set display_errors Off
Log errors using Syslog Module
Set maximum File Upload size
Turn off allow_url_fopen and allow_url_include
Set post_max_size
Use disable_functions to disable functions that are
dangerous (exec, shell_exec etc)
– Limit PHP Access To File System
– Turn off enable_dl
– Disable Unnecessary PHP modules
Securing Linux Server
– Close unnecessary ports
– Uninstall unnecessary applications like FTP server if not
required
– Prevent IP Spoofing
– Harden Apache and PHP
– Protect from DDOS
– Install Intrusion Detection – PSAD
– Use SELinux – Apparmor’
– Protect su by limiting access only to admin group
– Install denyhosts, fail2ban
Satish C Ayappan (Drupal Architect- Capgemini)
[email protected]
Related documents
PHP and MySQL - La Salle University
PHP and MySQL - La Salle University
Three tier achitecture
Three tier achitecture
Code Academy - CfEComputing
Code Academy - CfEComputing
Equipment and Help Call Management System
Equipment and Help Call Management System
CS 380 Web Programming - UMD Department of Computer Science
CS 380 Web Programming - UMD Department of Computer Science
PH P - M ySQL
PH P - M ySQL
Server Intro
Server Intro
Web Server Administration
Web Server Administration
Resume for Rolf Martin-Hoster
Resume for Rolf Martin-Hoster
tp2543 web programming goal so far…
tp2543 web programming goal so far…
Resume - Jarryd Goodman
Resume - Jarryd Goodman
Slide 1
Slide 1
Operating System Principle (DKT 221) Tutorial 1 1. Describe how
Operating System Principle (DKT 221) Tutorial 1 1. Describe how
Intermediary PHP Language Overview and Top 10 Best Practices
Intermediary PHP Language Overview and Top 10 Best Practices
PHP and MySQL - Jacksonville University
PHP and MySQL - Jacksonville University
Tapir User Manager
Tapir User Manager