Marcos Placona Blog

Programming, technology and the taming of the web.

Category: Website Optimization (page 1 of 2)

Hints and tips about website optimization, query optimization and CDN

How to secure Apache with Let’s Encrypt and CloudFlare on Centos

Reading time: 4 – 7 minutes

I took it upon myself to convert a couple of my domains to use Let’s Encrypt in order to offer a secure connection to them. If you haven’t heard about Let’s Encrypt by now you have probably been living under a rock. If that’s the case though, have a read of this page and you’ll get up to speed with it.

Their getting started page describes the entire process of installation, but that didn’t really resonate with me. Upon some googling I found a great Digital Ocean article which made a lot more sense to me. That is an absolutely fine tutorial if you’re not using CloudFlare. If you came to this article from a Google search though, chances are you’re also using CloudFlare and are having issues like some of the following:

  • Failed authorization procedure
  • The following ‘urn:acme:error:unauthorized’ errors were reported by the server
  • urn:acme:error:unauthorized :: The client lacks sufficient authorization ::

Hopefully this article will show you how to get that nice green padlock showing on your website. Props to the article on Cloudflare’s support page that took me halfway through the process.

Install the dependencies

I usually SSH to my server to get these things done, but this step may vary if you access your server differently.

On your terminal start by installing EPEL (Extra Packages for Enterprise Linux) repository:

Then install GIT. We will use it to get the latest version of the Let’s Encrypt Client.

Download and install Let’s Encrypt Client

Start off by cloning the repository and then saving it to /opt/letsencrypt. Feel free to save it elsewhere but /opt is a good location for third party packages.

Generate a new SSL certificate

This is where we go differently from the Digital Ocean article as we will generate our SSL certificate using the webroot option.

We’ve used the following flags for this setup.

  • --webroot-path is the directory on your server where your site is located. This is not your webserver’s root directory but your website’s.
  • --renew-by-default selects renewal by default when domains are a superset of a previously attained cert
  • --email is the email used for registration and recovery contact.
  • --text displays text output
  • --agree-tos agrees to Let’s Encrypt’s Subscriber Agreement
  • -d specifies hostnames to add to the SAN. You can specify as many domains and subdomains as you need here as shown above

After you run that you should get a message saying your certificate chain has been saved.

[Screenshot]

Apparently I also need to read about upgrading Python on Centos without breaking everything

Setting up the SSL certificate with Apache

With your certificate created it’s time to tell Apache that you want it to use that. On terminal run:

And you should get a screen that looks like this:

[Screenshot]

Apache still doesn’t know about this new certificate but we’re about to change that by selecting option 1 and on the subsequent screen choosing whether we want to make HTTPS required or optional. I chose Secure here as I want all of my requests to be redirected to HTTPS.

You should then end up with a confirmation screen that tells you to check that your certificates are correctly installed. This procedure will have modified your httpd.conf file to add redirects so all non-HTTPS requests are now redirected to HTTPS.

[Screenshot]

Go ahead and hit those URLs and you should see that they both get a grade A pass.

[Screenshot]

Updating Cloudflare

We need to tell CloudFlare that we now have an SSL certificate and want the communication to our website to use it. On CloudFlare’s dashboard for your chosen website choose Crypto and under SSL choose Full (Strict). You will probably want to use Flexible here if during the previous step you chose HTTPS to be optional.

[Screenshot]

At this point you should be done and your website should be showing a nice green padlock on the URL bar.

Unless…

You’re using WordPress. In this case you will also want to update it so the URL is always HTTPS. You can do that by going into WordPress Admin, and then navigating to Settings > General.

[Screenshot]

And that will make sure every image and every URL on your WordPress site is served via HTTPS.

Varnish with Apache and WordPress on Centos

Reading time: 12 – 20 minutes

Varnish Cache

Varnish is wicked! It works on your webserver as a reverse proxy to cache HTTP requests. According to their website:

Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 – 1000x, depending on your architecture

I have only just installed it on this very website, and have already seen an improvement of about 500 times without actually having to do much. I spent about 2 hours configuring it all, but could probably attribute 1 hour of this to dumbness on my side while trying to get it all configured.

I have now come up with a configuration that works perfectly (so far) on this website, and have used a mix and match of resources such as this and this. They are both great, but I found that they didn’t particularly cater for what I was looking for as I have very particular needs.

In my VPS, I have a few domains running, but only really wanted to have this website cached, since the other domains either get their content updated too often, or get too few hits to actually justify caching.

I also didn’t want to cache any of my sub-domains, as most of them are actually running on the cloud and being proxied by Apache via mod_rewrite. It turns out those didn’t really wanna play when the HTTP requests were cached, and because they are mostly dynamic applications, I didn’t think it was worth spending time and energy configuring them to get the cache purged.

Installing Varnish

Start by making sure you have all the necessary stuff to install it. You will have to do this in your terminal either by logging in to your server or SSH’ing to it.

We now install Varnish. At the moment, the latest stable version of Varnish is 3.0.4, and I’m currently only interested in stable versions, but because I want this post to be timeless, I will give you the Installation on RedHat link which will always give you latest version.

Grab the link that corresponds to your Centos version (5 or 6) and paste it in your terminal

Now all that is left to install Varnish is to run

sudo yum install varnish

We want Varnish to run every time we restart our server, and we want it to run automatically, so let’s add it in

chkconfig --level 345 varnish on

Being able to listen to connections

You are probably running your website through port 80 (the port most often used by HTTP). That is fine, and you obviously already have it running fine. But because we will be running Varnish in front of our webserver, we will also need to use another port, which means we need to make sure that port also accepts TCP connections. We will be using port 8080 here, which is fine if you’re not running Tomcat (it normally defaults to this port), but you can use any other port you want really, as long as it’s not already in use by anything else. We will end up with the following architecture:

[Diagram: Varnish + Apache]

To be able to use this port, we need to make sure our firewall actually allows that port to receive HTTP connections. Luckily I have already written an article about this, so give it a read to understand a little better why we’re doing this. A tl;dr version of it would be as such:

sudo vim /etc/sysconfig/iptables

Find where port 80 is being opened, and add a new line under it with the following:

-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

Restart iptables

sudo service iptables restart

Configuring Varnish

Once you have installed Varnish, it will create a file under /etc/sysconfig/varnish. This file contains 4 alternatives of pre-configured settings for Varnish. It’s very good to get you going, but you will probably find there will be things you’re going to want to change. I have used “Alternative 2” as I found it to be the one that suits me the most. Feel free to read through all the other alternatives though, and choose the one that takes your fancy. Make sure you comment the other alternatives out so you end up with only one.

One thing you should definitely do, is set how much memory you will allow Varnish to take up. Depending on how much memory you have on your server, you will want to configure it accordingly.

[Screenshot: Varnish Options]

I have configured mine as follows:

DAEMON_OPTS="-a :80 \
-T localhost:6082 \
-f /etc/varnish/default.vcl \
-u varnish -g varnish \
-S /etc/varnish/secret \
-s file,/var/lib/varnish/varnish_storage.bin,256m"

On the first line, I’m telling Varnish to listen to port 80, and on the last line I’m specifying how much memory I want Varnish to take up. 256mb is quite a lot to be honest, but you can allow more in case you have some to spare.

The VCL Configuration

Put it this way… you configure your websites here, so you will want to pay some attention to this file. Getting it wrong will give you a lot of grief, and is likely to take your website down for a few minutes until you fix whatever you got wrong. The configuration you will see here is my suggested configuration, and again, is an amalgam of a few configurations I found plus a few extra things I wanted to add myself.

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
    .max_connections = 800;
}
sub vcl_recv {
    # all domains in here will return a "pass" which means they won't be cached
    if (req.http.host ~ "(www\.)?(site1\.com|site2\.co\.uk|site3\.me)") {
        return (pass);
    }
    # all sub-domains listed here will also return a pass, so no caching either
    else if (req.http.host ~ "(ads|cfaday|cffunctionaday|cftagaday|wallpapers|examples|coinconverter|langithub|top40)(\.placona\.co\.uk)") {
        return (pass);
    }
    # now this is cached
    else if (req.http.host == "placona.co.uk") {
        set req.backend = default;
    }
    else {
        set req.backend = default;
    }
    # discard any client-supplied X-Forwarded-For and record the real client address
    remove req.http.X-Forwarded-For;
    set req.http.X-Forwarded-For = client.ip;
    # strip tracking cookies (names starting with "_") and has_js so they don't defeat caching
    set req.http.Cookie = regsuball(req.http.Cookie, "(^|;\s*)(_[_a-z]+|has_js)=[^;]*", "");
    set req.http.Cookie = regsub(req.http.Cookie, "^;\s*", "");
    # never cache the WordPress login/admin area or logged-in users
    if (req.url ~ "^/wp-(login|admin)" || req.http.Cookie ~ "wordpress_logged_in_") {
        return (pass);
    }
    if (req.request == "PURGE") {
        return (lookup);
    }
    if (req.url ~ "^/phpmyadmin") {
        return (pass);
    }
    # don't cache search results
    if (req.url ~ "\?s=") {
        return (pass);
    }
    if (req.request == "POST" || req.http.Authorization) {
        return (pass);
    }
    unset req.http.Cookie;
    return (lookup);
}
#
# accept purges from w3tc and varnish http purge
sub vcl_hit {
    if (req.request == "PURGE") { purge; }
    return (deliver);
}
#
# accept purges from w3tc and varnish http purge
sub vcl_miss {
    if (req.request == "PURGE") { purge; }
    return (fetch);
}
#
#
sub vcl_fetch {
    # allow phpmyadmin
    if (req.url ~ "^/phpmyadmin") {
        return (hit_for_pass);
    }
    #
    # remove some headers we never want to see
    unset beresp.http.Server;
    unset beresp.http.X-Powered-By;
    #
    # only allow cookies to be set if we're in admin area - i.e. commenters stay logged out
    if (beresp.http.Set-Cookie && req.url !~ "^/wp-(login|admin)") {
        unset beresp.http.Set-Cookie;
    }
    #
    # don't cache response to posted requests or those with basic auth
    if (req.request == "POST" || req.http.Authorization) {
        return (hit_for_pass);
    }
    #
    # only cache status ok
    if (beresp.status != 200) {
        return (hit_for_pass);
    }
    #
    # don't cache search results
    if (req.url ~ "\?s=") {
        return (hit_for_pass);
    }
    #
    # else ok to cache the response
    set beresp.ttl = 24h;
    return (deliver);
}
#
#
sub vcl_deliver {
    # add debugging headers, so we can see what's cached
    if (obj.hits > 0) {
        set resp.http.X-Cache = "HIT";
    }
    else {
        set resp.http.X-Cache = "MISS";
    }
    # remove some headers added by varnish
    unset resp.http.Via;
    unset resp.http.X-Varnish;
    remove resp.http.Age;
    remove resp.http.X-Powered-By;
    remove resp.http.X-CF-Powered-By;
}
#
sub vcl_hash {
    hash_data(req.url);
    # ensure separate cache for mobile clients (WPTouch workaround)
    if (req.http.User-Agent ~ "(iPod|iPhone|incognito|webmate|dream|CUPCAKE|WebOS|blackberry9\d\d\d)") {
        hash_data("touch");
    }
    return (hash);
}

A few important things here happen in the very beginning of the file. I will repeat it down here to be able to explain it better:

backend default {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 600s;
    .first_byte_timeout = 600s;
    .between_bytes_timeout = 600s;
    .max_connections = 800;
}

We are telling Varnish our host IP address is localhost, so it should proxy requests to it, and also telling it to proxy them through port 8080. If you have chosen a different port, this is where you should change it to that port.

In sub vcl_recv we then specify which domains we don’t want to cache by returning “pass”. According to the documentation:

When you return pass the request and subsequent response will be passed to and from the backend server. It won’t be cached. pass can be returned from vcl_recv

# all domains in here will return a "pass" which means they won't be cached
if (req.http.host ~ "(www\.)?(site1\.com|site2\.co\.uk|site3\.me)") {
    return (pass);
}
# all sub-domains listed here will also return a pass, so no caching either
else if (req.http.host ~ "(ads|cfaday|cffunctionaday|cftagaday|wallpapers|examples|coinconverter|langithub|top40)(\.placona\.co\.uk)") {
    return (pass);
}

So we are skipping Varnish here and doing our own thing, which in this case is exactly what we want to do.

We then move on by telling Varnish what we actually want to cache

# now this is cached
else if (req.http.host == "placona.co.uk") {
    set req.backend = default;
}
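One thing the configuration above leaves open: vcl_recv, vcl_hit and vcl_miss honour a PURGE request from any client, so anyone who can reach port 80 can evict cached pages. The following is an added example, not part of the original configuration, that restricts PURGE to the local host in Varnish 3 syntax. The ACL name purgers and the assumption that purge requests originate on this same server are illustrative.

```vcl
# Added example (Varnish 3 syntax): only addresses in the ACL may PURGE.
# "purgers" is an assumed name; the entries assume the purge requests
# are sent from this server itself.
acl purgers {
    "localhost";
    "127.0.0.1";
    # If purges reach Varnish through the server's public address,
    # add that address here as well.
}

sub vcl_recv {
    # Replaces the existing PURGE check in vcl_recv.
    if (req.request == "PURGE") {
        if (!client.ip ~ purgers) {
            # Reject purge attempts from anyone not listed in the ACL.
            error 405 "Not allowed.";
        }
        return (lookup);
    }
}

# Replaces the existing vcl_hit: purge, then answer the purger directly
# instead of delivering the object that was just invalidated.
sub vcl_hit {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged.";
    }
    return (deliver);
}

# Replaces the existing vcl_miss in the same way.
sub vcl_miss {
    if (req.request == "PURGE") {
        purge;
        error 200 "Purged.";
    }
    return (fetch);
}
```

Because vcl_recv only reaches the PURGE check after the host-based pass rules, the ACL test has to stay inside that block rather than be moved to a separate subroutine that runs later.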

Bonus Varnish trick

If you have made all your changes but somehow messed up, Varnish is likely to not even start, and if it does, it will cause you a lot of heartache. So what you should do is check that your configuration is correct. You can do so by running:

varnishd -C -f /etc/varnish/default.vcl

And if everything is OK, you should see that your configuration got compiled correctly and nothing like “Running VCC-compiler failed, exit 1” was returned. If it was, you will then need to go back to your file and edit it. The compiler is pretty OK though and will tell you on which line the error happened.

Configuring Apache

If you’re still with me, you’re just a few moments away from being pretty pleased with your new setup, but bear with me for another moment as we still need to make a couple of changes in Apache.

Remember back in the last image where we discussed Apache would now listen to port 8080? Well there we go, it’s time to change this.

Let’s open our Apache configuration file by running the following:

sudo vim /etc/httpd/conf/httpd.conf

We will then change

To be

This is now effectively telling Apache to listen to port 8080, which in our case is the port Varnish will be communicating with.

Configuring Virtual Hosts

This step can be considered optional, as not everyone uses virtual hosts. I use quite a few of them, so in my case, I had to go to each and every virtual host and also modify them to listen to port 8080 as opposed to 80. You would do this as follows:

<VirtualHost *:8080>
DocumentRoot /var/www/awesome
ServerName awesome.placona.co.uk
ServerAlias awesome.placona.co.uk
</VirtualHost>

Bonus Apache trick

Wanna check your Apache configurations are all working before you go on restarting it? Just run:

/usr/sbin/httpd -t

If you get “Syntax OK” you’re laughing!

Guess what?

Your website is just about to be faster than about 70% of the web, which is absolutely incredible if you consider the amount of time we spent together getting this done.

But we need to turn it on…

sudo service varnish start
sudo service httpd restart

Bonus browser trick

Check that your content is really being cached by opening an incognito window (or private browsing if you’re in Firefox) and pressing F12. This should show your developer toolbar (or Firebug).

Now click on the Network tab (or Net tab) and expand the first GET request (this should be the same as the URL of your website). Also pay attention to how long this item took to complete.

Look in the response headers, and if this is the first request to that page you should see something like:

HTTP/1.1 200 OK
Vary: Accept-Encoding,Cookie
X-Pingback: http://www.placona.co.uk/xmlrpc.php
Content-Encoding: gzip
Expires: Thu, 15 Apr 2015 20:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 14529
Accept-Ranges: bytes
Date: Wed, 23 Apr 2014 08:17:33 GMT
Connection: keep-alive
X-Cache: MISS

If you’re seeing this, it means your cache is actually working, but because you’re the first one to hit this page, you’ve got a cache miss, which basically means Varnish still didn’t have that entry cached.

If you refresh the page, you should see two things here:

  1. Your page load is now much faster
  2. X-Cache now says HIT

Because you’re now caching your request, your page loads will be much faster in general. Obviously this won’t account for page loads on external resources, but you can use other methods to cache those resources (see my CDN post here).

Every subsequent request you make to that page will also come from cache. The more hits you get on different pages, the better the results your users will get. Spiders also work in your favour here as by hitting pages, they are also warming up your cache for you.

But… IPs…

That’s right, you have now noticed every new comment you get on your blog is coming from 127.0.0.1. Remember when we changed Apache to only listen to Varnish? We have also made every single request internal, which means everything now comes from localhost. There is a very simple plugin to correct this, which uses the X-Forwarded-For header to get the correct user’s IP. You can check it out here.

Final thoughts

I am super happy with Varnish installed on my server. I have already seen a real benefit to my server’s performance, and the CPU is pretty much always running at about 25%, which is really good considering my traffic. Memory is always running slightly above what it would have been before, but that is mainly because I’m now effectively using it, instead of just throwing stuff at it and leaving it to be disposed of.

I have also installed a plugin called Varnish HTTP Purge, which manages my cache, and clears it every time I post a new entry. It also allows me to purge my cache manually, or control some other things such as which kind of requests to cache. You can find it here.

Make sure you benchmark your requests and report back on how much of an improvement Varnish has made to your webserver.

The unreliable Internet Explorer

Reading time: 1 – 2 minutes

The unreliable IE
(Photo: BlubrNL)

I was stuck with this problem today, and thought I should write a blog post about it, so should anyone encounter the same thing, they won’t waste time trying to track exactly what’s happening.

Basically it was flagged to me this morning by my project manager that when you tried to submit a form that calls for a report generation using the enter key, the report would not be generated.

I then tried the same pattern (on Firefox), and obviously got results. Project managers are known to use Internet Explorer, so I dusted off my IE 8, and tried the same thing.

Updating Java on Centos

Reading time: 3 – 5 minutes

Java on Centos
(Photo: tutchiio)

I’m only writing this blog post because I usually try to keep my VPS up to date, and usually one of the things I have to do to accomplish such thing is updating the Java version.
I always need to do a little bit of “googling” in order to find my way around this, as there’s a few steps that need to be taken, so you can make sure that your classpath is correct, and that the newly installed Java is running as your default installation.
I start by going to the Java website and downloading the most recent version.
It can be a bit tricky to download Java using wget, as Java’s website uses your session in order to download the file, so if you try something like:

wget http://link_to_new_java_update

You will end up with a file called something like:

http://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/VerifyItem-Start/jdk-6u16-linux-i586.bin?BundledLineItemUUID=ovdIBe.mkHUAAAEjoKEu23n3&OrderID=7iFIBe.mxpUAAAEjiKEu23n3&ProductID=Dx1IBe.prBgAAAEirRcTvuC_&FileName=/

I’ve just downloaded the file to my downloads folder.
It’s got everything you need, but a big name you don’t need, so let’s simply rename it, and move it to where we want it to be installed.
If you want to find out where your java installation is, simply execute the following command:

which java

In my case I normally install things in “/opt/soft”, so I simply issue the following command:

sudo mv *.bin /opt/soft/jdk-6u16-linux-i586.bin

This will move everything with a .bin extension to the place where I like to install my software. Notice that as I’m moving it to a protected folder “/opt”, I need to use sudo in front, so I have the necessary permissions to create files.
The file should now be called “jdk-6u16-linux-i586.bin” and be located at “/opt/soft” in my case, so:

cd /opt/soft

We then need to give it some permissions, as we are going to have to call this file as an executable:

sudo chmod a+x jdk-6u16-linux-i586.bin

If you execute ls -l on the command line, you should now see that this file has execute permissions.
You can now execute the file by issuing:

./jdk-6u16-linux-i586.bin

It will then ask to read a bunch of terms & conditions, and you are going to have to type “yes” to accept it.
Once you’ve accepted it, you will have to change your classpath, so your system becomes “aware” that a new java version has been installed, and is going to be used.
Create or edit the file /etc/profile.d/java.sh:

sudo nano /etc/profile.d/java.sh

This file must have the following code:

export JAVA_HOME=/opt/soft/jdk1.6.0_16/
export PATH=$JAVA_HOME/bin:$PATH
export PATH=$PATH:$JAVA_HOME/bin

In this case we are updating to JDK 1.6 release 16, but you should replace it with whatever version you are installing.
By running:

java -version

You should see that the current version is the one you’ve just installed. If it’s not, it means you’ve done something wrong, so just repeat all the steps carefully, and you should be ok.

I truly hate you IE!

Reading time: 1 – 2 minutes

Firefox vs. IE
(Photo: Kay Kim)

I just came across a very interesting bug on my website. I’ve made a post on twitter today asking the local CSS gurus if they knew of any way to fix this:
IE screws up again
As you can see, the contents were being shifted about 150px to the left from where they were supposed to be (you can click on the image above to see it bigger). Only IE does it, every other browser (Safari, Chrome, Opera, Firefox (few different versions including Linux)) simply displays the page correctly.
