HHVM Nginx Ubuntu with multiple Sites

This howto shows how to run HHVM behind Nginx on Ubuntu 14.04 with multiple sites per server. I work with Nginx variables, which makes it easy to keep the Nginx configs short.

The first step is to install HHVM on the server:

sudo apt-get install software-properties-common

sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0x5a16e7281be7a449
sudo add-apt-repository 'deb http://dl.hhvm.com/ubuntu trusty main'
sudo apt-get update
sudo apt-get install hhvm

The installer then prints the following information:

********************************************************************
* HHVM is installed.
* 
* Running PHP web scripts with HHVM is done by having your webserver talk to HHVM
* over FastCGI. Install nginx or Apache, and then:
* $ sudo /usr/share/hhvm/install_fastcgi.sh
* $ sudo /etc/init.d/hhvm restart
* (if using nginx)  $ sudo /etc/init.d/nginx restart
* (if using apache) $ sudo /etc/init.d/apache restart
* 
* Detailed FastCGI directions are online at:
* https://github.com/facebook/hhvm/wiki/FastCGI
* 
* If you're using HHVM to run web scripts, you probably want it to start at boot:
* $ sudo update-rc.d hhvm defaults
* 
* Running command-line scripts with HHVM requires no special setup:
* $ hhvm whatever.php
* 
* You can use HHVM for /usr/bin/php even if you have php-cli installed:
* $ sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60
********************************************************************

Now run the install script

sudo /usr/share/hhvm/install_fastcgi.sh
sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60

HHVM is now installed. Next, set up the multiple instances: each site gets its own copy of the init script, the defaults file and the server config.

sudo cp /etc/init.d/hhvm /etc/init.d/hhvm_www_safematix_com
sudo cp /etc/default/hhvm /etc/default/hhvm_www_safematix_com
sudo cp /etc/hhvm/server_www_canus_at.ini /etc/hhvm/server_www_safematix_com.ini

Now you must edit the configs.

/etc/init.d/hhvm_www_safematix_com

sudo vi /etc/init.d/hhvm_www_safematix_com
...
NAME=hhvm_www_safematix_com
...
PIDFILE=/var/run/hhvm/pid_$NAME

/etc/default/hhvm_www_safematix_com

## This is a configuration file for /etc/init.d/hhvm.
## Overwrite start up configuration of the hhvm service.
##
## This file is sourced by /bin/sh from /etc/init.d/hhvm.

## Configuration file location.
## Default: "/etc/hhvm/server.ini"
## Examples:
##   "/etc/hhvm/conf.d/fastcgi.ini" Load configuration file from Debian/Ubuntu conf.d style location
CONFIG_FILE="/etc/hhvm/server_www_safematix_com.ini"

## User to run the service as.
## Default: "www-data"
## Examples:
##   "hhvm"   Custom 'hhvm' user
##   "nobody" RHEL/CentOS 'www-data' equivalent
RUN_AS_USER="www_safematix_com"
RUN_AS_GROUP="www_safematix_com"

## Add additional arguments to the hhvm service start up that you can't put in CONFIG_FILE for some reason.
## Default: ""
## Examples:
##   "-vLog.Level=Debug"                Enable debug log level
##   "-vServer.DefaultDocument=app.php" Change the default document
#ADDITIONAL_ARGS=""

## PID file location.
## Default: "/var/run/hhvm/pid"
#PIDFILE="/var/run/hhvm/pid"

/etc/hhvm/server_www_safematix_com.ini

; php options

pid = /var/run/hhvm/pid_www_safematix_com

; hhvm specific 

hhvm.server.port = 9001
hhvm.server.type = fastcgi
hhvm.server.default_document = index.php
hhvm.log.use_log_file = true
hhvm.log.file = /var/log/hhvm/error_www_safematix_com.log
hhvm.repo.central.path = /var/run/hhvm/hhvm.hhbc

Now edit the nginx settings

location ~ \.(hh|php)$ {
    fastcgi_keep_conn on;
    fastcgi_pass   127.0.0.1:$siteport;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

vhost config

server {
	listen [2a01:4f8:210:3101::12]:443 ssl spdy;
	listen 443 ssl spdy;
	spdy_headers_comp 5;

	server_name www.safematix.com safematix.com;

	root /srv/www/www_safematix_com/htdocs;
	index index.php index.html index.htm;

	access_log   /srv/www/www_safematix_com/log/www.safematix.com_ssl.access.log;
	error_log    /srv/www/www_safematix_com/log/www.safematix.com_ssl.error.log;

	ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
	ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

	ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;

	set $siteport 9001;

	include global/ssl.conf;
	include global/restrictions.conf;
	include global/wordpress.conf;
	include global/php.conf;
}

Now enable the HHVM instance at boot, start it and reload Nginx:

sudo update-rc.d hhvm_www_safematix_com defaults
sudo service hhvm_www_safematix_com start
sudo service nginx reload

External Links:
https://github.com/facebook/hhvm/wiki/Prebuilt-packages-on-Ubuntu-14.04
https://github.com/facebook/hhvm/wiki/Getting-Started
https://kinsta.com/blog/real-world-wordpress-benchmarks-with-php5-5-php5-6-php-ng-and-hhvm/
http://webdevstudios.com/2014/07/17/setting-up-wordpress-nginx-hhvm-for-the-fastest-possible-load-times/
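
Because every site gets its own HHVM instance, user and port, a reused or wrong port silently sends one site's PHP requests to another site's instance. The following check is an added example, not part of the original howto; it assumes the naming used above (server_<site>.ini and a vhost file named after the site) and runs on a constructed sample.

```shell
# Added example. Layout assumed from this howto: INI_DIR/server_<site>.ini per
# HHVM instance, VHOST_DIR/<site> per vhost containing "set $siteport N;".
ini_value() {  # ini_value KEY FILE -> value of the first "KEY = value" line
    k=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}
audit_hhvm() {  # audit_hhvm INI_DIR VHOST_DIR -> prints findings, returns 1 if any
    ini_dir=$1; vhost_dir=$2; findings=0
    for key in hhvm.server.port pid; do  # every instance needs its own port and pid file
        dups=$(for f in "$ini_dir"/server_*.ini; do
                   if [ -f "$f" ]; then ini_value "$key" "$f"; fi
               done | sort | uniq -d)
        for v in $dups; do
            echo "DUPLICATE $key = $v is set in more than one instance"
            findings=$((findings + 1))
        done
    done
    for vhost in "$vhost_dir"/*; do  # every vhost must reach its own instance
        if [ ! -f "$vhost" ]; then continue; fi
        site=$(basename "$vhost")
        port=$(sed -n 's/^[[:space:]]*set[[:space:]]*\$siteport[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$vhost" | head -n 1)
        if [ -z "$port" ]; then continue; fi
        owners=$(for f in "$ini_dir"/server_*.ini; do
                     if [ -f "$f" ] && [ "$(ini_value hhvm.server.port "$f")" = "$port" ]; then
                         basename "$f"
                     fi
                 done | tr '\n' ' ')
        case " $owners" in
            " ") echo "UNBOUND $site: no instance listens on port $port"
                 findings=$((findings + 1)) ;;
            *" server_$site.ini "*) ;;
            *) echo "MISMATCH $site: port $port belongs to $owners"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
demo() {  # constructed sample: two instances share port 9001, one vhost is unbound
    d=$(mktemp -d); mkdir "$d/hhvm" "$d/nginx"; rc=0
    for s in www_safematix_com blog_example_org; do
        printf 'pid = /var/run/hhvm/pid_%s\nhhvm.server.port = 9001\n' "$s" > "$d/hhvm/server_$s.ini"
    done
    printf 'server {\n\tset $siteport 9001;\n}\n' > "$d/nginx/www_safematix_com"
    printf 'server {\n\tset $siteport 9002;\n}\n' > "$d/nginx/blog_example_org"
    audit_hhvm "$d/hhvm" "$d/nginx" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "audit reported findings (constructed sample)"
```

On a server laid out as in this howto the call would be audit_hhvm /etc/hhvm /etc/nginx/sites-enabled, run before the new instance is started.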

Nginx global config

A global Nginx config for your sites-enabled on Ubuntu / Debian.

Whenever several vhosts share the same settings, it is better to keep those settings in a global include.

Here is an example with the SSL config in Nginx. With one global config it is hard to forget something.

/etc/nginx/global/ssl.conf

	ssl on;

	ssl_trusted_certificate /etc/nginx/ssl/ca.pem;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:10m;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;

	add_header Strict-Transport-Security max-age=63072000;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
	ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
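	# Alternatives to the Strict-Transport-Security line above. Enable only one
	# HSTS header in total: browsers process only the first one they receive.
	#add_header Strict-Transport-Security max-age=15768000; # six months
	# use this only if all subdomains support HTTPS!
	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";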

/etc/nginx/sites-enabled/www_safematix_com

server {
	listen [2a01:4f8:210:3101::12]:443 ssl spdy;
	listen 443 ssl spdy;
	spdy_headers_comp 5;

	server_name www.safematix.com safematix.com;

	root /srv/www/www_safematix_com/htdocs;
	index index.php index.html index.htm;

	access_log   /srv/www/www_safematix_com/log/www.safematix.com_ssl.access.log;
	error_log    /srv/www/www_safematix_com/log/www.safematix.com_ssl.error.log;

	ssl_certificate /etc/nginx/ssl/safematix/www.safematix.com.crt;
	ssl_certificate_key /etc/nginx/ssl/safematix/www.safematix.com.key;

	ssl_dhparam /etc/nginx/ssl/safematix/www.safematix.com-dhparam.pem;

	set $siteport 9001;

	include global/ssl.conf;
	include global/restrictions.conf;
	include global/wordpress.conf;
	include global/php.conf;
}

HP Proliant PXE boot multiple NICs

If you have an HP Proliant server with more than one NIC and you want to PXE boot from an interface other than the first one, you must turn this on both in the BIOS and in the NIC firmware.

Press F9 during POST to get into the system BIOS menu (ROM-Based Setup Utility).


Follow the menus from System Options > Embedded NICs > NIC X Boot Options.
Select the NIC you wish to boot from and flip the Network Boot flag.


Now you must also enable PXE boot in the interface firmware. Wait for the message and press Ctrl + S.

Now you are in the firmware settings menu. Enable PXE on the interface you want.

Nginx 1.7 Ubuntu 14.04

With Nginx 1.7 you can also use SPDY 1.3 and other cool features.

To install Nginx 1.7 on Ubuntu 14.04 Linux, you can use this:

curl https://nginx.org/keys/nginx_signing.key | apt-key add -
echo -e "deb http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx\ndeb-src http://nginx.org/packages/mainline/ubuntu/ `lsb_release -cs` nginx" > /etc/apt/sources.list.d/nginx.list

Update source and install or upgrade Nginx:

aptitude update
aptitude install nginx
aptitude dist-upgrade

If you use PHP, add this to /etc/nginx/fastcgi_params:

# add for nginx 1.7
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

Links: http://nginx.org/en/linux_packages.html#stable

Nginx worker_connections exceed open file resource

If you restart the nginx service and see this message, you have a problem with the file limits.

root@web01:/var/log/nginx# service nginx restart

* Restarting nginx nginx nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024
 nginx: [warn] 4096 worker_connections exceed open file resource limit: 1024

You can set the limit manually:

ulimit -n 65536

To see the open files limit, use:

root@web01:/var/log/nginx# ulimit -n
65536

You can also see all limits with

root@web01:/var/log/nginx# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 256697
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 65536
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 256697
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

On Ubuntu and Debian you can set the limits in /etc/security/limits.conf with

* soft nofile 65536
* hard nofile 65536
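
ulimit -n only changes the limit of the current shell and of what is started from it, so the value that matters is the one the running nginx master actually has. The following is an added example, not from the original post: it compares worker_connections with the soft limit from a /proc/<pid>/limits file, using the same comparison the warning reports. The function names and sample files are constructed.

```shell
# Added example. nginx_fd_check NGINX_CONF LIMITS_FILE
# LIMITS_FILE is a copy of (or the path to) /proc/<nginx master pid>/limits.
# On a live host, assuming the pid file is /var/run/nginx.pid:
#   nginx_fd_check /etc/nginx/nginx.conf "/proc/$(cat /var/run/nginx.pid)/limits"
nginx_fd_check() {
    conns=$(sed -n 's/^[[:space:]]*worker_connections[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1)
    rlimit=$(sed -n 's/^[[:space:]]*worker_rlimit_nofile[[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1)
    soft=$(awk '/^Max open files/ { print $4 }' "$2")
    conns=${conns:-512}  # nginx default when the directive is absent
    if [ "$soft" = "unlimited" ] || [ "$conns" -le "$soft" ]; then
        echo "OK: $conns worker_connections fit the soft limit of $soft"
    elif [ -n "$rlimit" ] && [ "$conns" -le "$rlimit" ]; then
        # worker_rlimit_nofile lets nginx raise the limit for its workers itself
        echo "OK: worker_rlimit_nofile $rlimit covers $conns worker_connections"
    else
        echo "WARN: $conns worker_connections exceed open file resource limit: ${rlimit:-$soft}"
        return 1
    fi
}

demo_fd() {  # constructed sample that reproduces the warning shown above
    d=$(mktemp -d); rc=0
    printf 'events {\n    worker_connections 4096;\n}\n' > "$d/nginx.conf"
    printf 'Limit                     Soft Limit           Hard Limit           Units\n' > "$d/limits"
    printf 'Max open files            1024                 4096                 files\n' >> "$d/limits"
    nginx_fd_check "$d/nginx.conf" "$d/limits" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_fd || true
```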

Mac screenshot shortcut

To take a screenshot under OS X, use the following shortcuts.

Screen

Cmd + Shift + 3 / Save the screen in one file
Cmd + Ctrl + Shift + 3 / Save the screen to the clipboard.

Area

Cmd + Shift + 4 / Save a selected area in a file.
Cmd + Ctrl + Shift + 4 / Save a selected area to the clipboard.

Window

Cmd + Shift + 4, space bar / Save a selected element/window in a file.
Cmd + Ctrl + Shift + 4, space bar / Save a selected element/window to the clipboard.

Nginx client intended to send too large body

If you find this in the error log of your site:

2015/01/25 13:01:31 [error] 7477#0: *11490 client intended to send too large body: 1424254 bytes, client: 2a02:168:66b9:0:dc3c:5449:d617:86f6, server: www.safematix.com, request: "POST /wp-admin/async-upload.php HTTP/1.1", host: "www.safematix.com", referrer: "https://www.safematix.com/wp-admin/post-new.php"

Open nginx.conf and edit the http block:

 vi /etc/nginx/nginx.conf
 http {
 client_max_body_size 50M;
 ...
 ...
 }

It is also possible to set this per location block.

location / {
 client_max_body_size 50M;
 ...
 ...
 }

Don’t forget to reload the nginx service.

service nginx reload

OpenSSL csr sha2 4096 bit – quick

To quickly create a CSR signed with SHA-256 and a 4096 bit key:

openssl req -new -newkey rsa:4096 -nodes -sha256 -out www_safematix_com_sha256.csr -keyout www_safematix_com.key -subj "/C=CH/ST=Zurich/L=Zurich/O=Safematix IT-Security & Service/CN=www.safematix.com"

To create a dhparam file with OpenSSL:

openssl dhparam -out www_safematix_com_dhparam.pem 4096
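
Before sending the CSR to a CA, it is worth checking that it really is SHA-256 signed, that the key has the intended size, that the key file matches the CSR, and that the unencrypted key (-nodes) is not readable by other users. This is an added example, not from the original post; the function names and the throwaway 2048-bit test key are constructed.

```shell
# Added example. check_csr CSR KEY [MIN_BITS] prints findings, returns 1 if any.
check_csr() {
    csr=$1; key=$2; min_bits=${3:-4096}; bad=0
    text=$(openssl req -in "$csr" -noout -text -verify 2>&1) || true
    # The CSR must carry a valid self-signature.
    if ! printf '%s\n' "$text" | grep -q 'verify OK'; then
        echo "FAIL: CSR self-signature does not verify"; bad=1
    fi
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bit, expected at least $min_bits"; bad=1
    fi
    if ! printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256With'; then
        echo "FAIL: CSR is not signed with SHA-256"; bad=1
    fi
    # The key on disk must be the one the CSR was made for.
    if [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not match the public key in $csr"; bad=1
    fi
    # -nodes writes the key unencrypted, so file permissions are its only protection.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or others"; bad=1
    fi
    [ "$bad" -eq 0 ]
}

demo_csr() {  # constructed throwaway 2048-bit key, so the 4096-bit default flags it
    d=$(mktemp -d); rc=0
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=csr-check.example" \
        -out "$d/test.csr" -keyout "$d/test.key" 2>/dev/null
    chmod 600 "$d/test.key"
    check_csr "$d/test.csr" "$d/test.key" "$@" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo_csr || echo "CSR rejected (constructed sample)"
```

For the files created above the call is check_csr www_safematix_com_sha256.csr www_safematix_com.key.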

Unattended upgrades Ubuntu / Debian

The system can install updates automatically. If you want this, install the unattended-upgrades package, so you never miss a security update.

aptitude install unattended-upgrades

You must edit this file, then run the reconfiguration and select yes.

vi /etc/apt/apt.conf.d/50unattended-upgrades
....
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
	"${distro_id}:${distro_codename}-proposed";
	"${distro_id}:${distro_codename}-backports";
};
....
dpkg-reconfigure unattended-upgrades

Multiple IPv6 addresses per interface Debian / Ubuntu

To set multiple IPv6 addresses on one interface in Linux, you can use the tool ip.

ip addr add first_ipv6_address dev eth1
ip addr add second_ipv6_address dev eth1

To set this at system boot, add it to /etc/network/interfaces:

auto eth1
iface eth1 inet6 static
address first_ipv6_address
netmask 128
gateway ipv6_gateway
up ip addr add second_ipv6_address/128 dev eth1
down ip addr del second_ipv6_address/128 dev eth1