How to setup Litespeed LSWS for a shared environment?

Discussion in 'General' started by grniyce, Mar 27, 2009.

  1. mistwang

    mistwang LiteSpeed Staff

    If you got some spare memory in your server not being actively used, there is one tip to improve PHP and overall server performance. :)


    * there are enough free memory to spare.
    * /dev/shm/ should be mounted as tmpfs.

    Install eaccelerator with PHP suEXEC, set disk cache storage to /dev/shm/eaccelerator/ instead of /tmp/eaccelerator/, then add a cron job to clean the cache directory every 5-10 minutes, so cache files not being used frequently will not fill up the precious shared memory storage.

    Noticed that the server load going down from 4.x to 1.x on one client's server.
  2. DraCoola

    DraCoola Well-Known Member

    On my server? :p
    Thank you mistwang for your helps and advices :)

    Btw on my eAccelerator, it could only caching from 1 to 19 scripts, maximum.
    Or it perhaps caused by shm value/size has set to just 16mb?

    Because if I increase it to more than 16mb, some of random pages will suddenly blank, not completely load, or shows an alien codes on it.
    Last edited: Apr 5, 2009
  3. anewday

    anewday Well-Known Member

    Do you mean the value for "eaccelerator.shm_size" ?
  4. Tony

    Tony Well-Known Member


    We played around with eaccelerator a bit on one machine but for the density of our machines it's not even worth doing. We actually had higher i/o wait due to the amount of cached files it ended up writing. I think in the end we had about 12GB of cached files :( eccelerator does have a memory only feature but I did not see any real improvements. I'm guessing it has to do with the timeout of the PHP processes and such.

    This /dev/shm idea seems interesting though. I might play around with that when we start deploying nehalem based servers with 12+GB of ram.
  5. DraCoola

    DraCoola Well-Known Member

    Yes that is.
    I've been with php as DSO (on Cpanel-Apache), and set the eaccelerator.shm_size to 2048 and that were fine.
    Except it were doesn't fine on DSO-nobody security.
  6. Tony

    Tony Well-Known Member

    If my memory serves me right with PHP processes running as their user this changes the meaning of this slightly. The shm size would be on a per process or user basis I cannot remember which. So when you say a max of 2048 when running LSAPI or even FastCGI on Apache it's not doing shared between all the pools that's just one user set.

    This is also why it gets confusing the reporting of eaccelerator you'd need the script for each user account to see the accurate numbers.

    I'm pretty sure on most of this as I did some testing to see what exactly happens as I had never ran caching extensions when PHP was running as various users.
  7. mistwang

    mistwang LiteSpeed Staff

    Yes, that's true that it will cause high I/O wait if you use /tmp/eaccelerator/ as the storage. However, using /dev/shm/ is more like using a memory disk, which is lightening fast without increasing I/O wait.
  8. mistwang

    mistwang LiteSpeed Staff

    No need to increase it or let it cache more pages in memory, as the disk cache is actually in memory, also PHP process will start/stop more frequently in PHP suEXEC mode for shared hosting. As long as PHP process can grab a copy of parsed PHP opcode from memory disk, it is fine.
  9. anewday

    anewday Well-Known Member

    Are these setting right to optimize? I'm confused on what value eaccelerator.shm_size should be if i set the disk cache to /dev/shm with 1.5G of space.

    extension_dir = "/usr/local/lsws/lsphp4/lib/php/extensions/no-debug-non-zts-20020429"
    none                    /dev/shm                tmpfs   noexec,nosuid   0 0
    df -h
    none                  1.5G     0  1.5G   0% /dev/shm
  10. mistwang

    mistwang LiteSpeed Staff

    looks good to me.
  11. anewday

    anewday Well-Known Member

    Does it have to be PHP suExec?
  12. grniyce

    grniyce Well-Known Member

    usr/local/lib/ php.ini
  13. masood_y

    masood_y Well-Known Member

    How can do it?

    * there are enough free memory to spare.
    * /dev/shm/ should be mounted as tmpfs.
  14. mistwang

    mistwang LiteSpeed Staff

    df shows that you already have it. check /etc/fstab for configuration.
  15. anewday

    anewday Well-Known Member

    George, could you answer this?
    Last edited: Apr 6, 2009
  16. Michael.Terence

    Michael.Terence Active Member

    I'm not george but I'll take a stab - this portion of the thread is mostly about eaccelerator and /dev/shm - so if your question was whether or not you can use eaccelerator, and place the cache files in /dev/shm while not using PHP suEXEC the answer is yes, just be sure the user php is running as has access to the directory.
  17. mistwang

    mistwang LiteSpeed Staff

    it benefit PHP suEXEC most as each PHP process use its own in memory cache, this way, just like we share a global in-memory cache.
  18. grniyce

    grniyce Well-Known Member

    I have done most of the above, however I don't know how to get the mod_security logs and so forth to work with csf and litespeed. I think I need to specify the paths and so forth.

    I uploaded a couple scripts to the server and after disabling all of the functions and everything above, they still ran. :(

    I'm confused and might need to hire someone to help me make sure my server is secure against these attacks, because a lot of my associates are experiencing these attacks, and I myself have unfortunately lost an entire server due to an attack about 4 months ago.

    Please help.
  19. DraCoola

    DraCoola Well-Known Member

    They still can run on XSS way?
    On my server, I have put all of those php disable_function, except php_uname, and I try my self for some of shell scripts can not execute any important command to hack to another account.
  20. grniyce

    grniyce Well-Known Member

    I added the commands, and rebuilt apache with modsecurity, suhosin, php 5.2.9, ea accelerator, zend optimizer, and then I added the suhosin suggestion above to php.ini and added the includes line to httpd.conf for mod security at the bottom. I also have ClamAv installed.

    I then built matching php, and I reinstalled LSWS most recent with the chroot on and set it to /usr/local/lsws

    Now I went to the scripts site and had to turn off my pc antivirus, and then I downloaded a handful of the scripts there, uploaded them thru ftp to a mock domain on my server, and relabled them like c99.php, r57.php etc etc. I accessed each one of them just like regular pages, and they let me navigate my server. It is my understanding that these scripts should have been stopped by ClamAV, as well as ModSecurity and CSF, but none of them have. ALL of the php.ini functions suggested above have been disabled also, and devshm has been remounted also. I'm totally confused. This isn't working.... :((

    However, when I go to view modsecurity log in CSF here is what I get:


    So, I am assuming I need to redefine somewhere in the server where the log should be found? How can I setup LSWS and WHM and CSF to all collaborate with the modsecurity log?

Share This Page