Drupal Performance & Security



Performance & Security
Satish C Ayappan (Drupal Architect- Capgemini)
[email protected]
Performance

Front end performance
Drupal out of box optimization
Mysql Optimization
MySQL Query Optimization
Memcache for database caching
Scalable File System options
PHP and Apache Configuration
Use Reverse proxies like Varnish
A fail over server landscape
Security
SQL injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
File Permissions
Harden Apache and PHP
Securing Linux Server.
Performance
What we can do?
Front end performance
– Limit HTTP requests
– Use Drupal's core aggregation or the Advanced CSS/JS Aggregation module
– Use PageSpeed or YSlow
– Enable gzip compression
– Specify image dimensions
– Avoid single points of failure (SPOFs)
Front end performance (contd.)
– Use a CDN for images and CSS
– Use image sprites
– Optimize images (Yahoo! Smush.it)
– Client-side caching: set Cache-Control and Expires headers; don't use ETags (in Apache you can disable them with FileETag None)
Drupal out of the box optimization
– Page caching
Page caching is bypassed whenever a PHP session exists, so it only serves anonymous users.
– JS and CSS aggregation
– Use Boost
– Use Views caching
– Use Entity Cache along with Redis
– Cache warming / priming (Drush Entity Cache Loader, Cache Warmer)
– Use the Fast 404 module
– Use the Syslog module
– Disable the PHP Filter module
MySQL optimization
– Enable the query cache
– Tune variables such as innodb_buffer_pool_size, table_cache and thread_cache
– Use innodb_file_per_table
http://www.percona.com/blog/2006/09/29/what-to-tune-in-mysql-server-after-installation/
MySQL query optimization
– Use indexes
– Use EXPLAIN to understand the query plan
– Avoid full table scans, filesorts and temporary table creation by reading the query plan
– Look here for query optimization:
http://dev.mysql.com/doc/refman/5.0/en/selectoptimization.html
http://dev.mysql.com/doc/refman/5.0/en/optimization.html
Memcache/Redis for database caching
– Memcache or Redis can sit in front of MySQL to offload the database server: data is cached in Memcache/Redis and served from there without hitting the MySQL server.
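The settings.php lines that put Drupal 7's cache bins in front of MySQL via the contrib Memcache module, as an added example (not from the slides); it assumes the module is installed under sites/all/modules/memcache and that memcached listens on 127.0.0.1:11211.

```php
<?php
// Added example (not from the slides): sites/default/settings.php fragment
// that moves Drupal 7 cache bins into Memcache using the contrib memcache
// module. Assumed paths: sites/all/modules/memcache, memcached on 127.0.0.1:11211.

// Register the Memcache backend and make it the default for every cache bin.
$conf['cache_backends'][] = 'sites/all/modules/memcache/memcache.inc';
$conf['cache_default_class'] = 'MemCacheDrupal';

// The form cache must survive memcached evictions and restarts, otherwise
// users get "form has become outdated" errors: keep that bin in MySQL.
$conf['cache_class_cache_form'] = 'DrupalDatabaseCache';

// One memcached instance in the "default" cluster; add more "host:port"
// entries to spread bins over several servers.
$conf['memcache_servers'] = array('127.0.0.1:11211' => 'default');
$conf['memcache_bins'] = array('cache' => 'default');

// Prefix keys so several sites can share one memcached without collisions.
$conf['memcache_key_prefix'] = 'example_site';

// Serve Drupal's lock backend from Memcache too, so the page-cache lock does
// not hit MySQL on every cache miss.
$conf['lock_inc'] = 'sites/all/modules/memcache/memcache-lock.inc';
```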
Scalable file system options
– NFS file system: if you are using NFS, increase the size of the realpath cache
– GlusterFS file system
– You can use lsyncd or rsync
– File Conveyor
– Mounting SSFS
– NAS
– SAN
PHP and Apache configuration
– Use OPcache (PHP 5.5 bundles the Zend OPcache for free)
– opcache.memory_consumption
– opcache.max_accelerated_files
– opcache.revalidate_freq = 240
– Disable Apache modules you are not using in production
– Set the KeepAlive timeout to 1 or 2 seconds
– Move the contents of .htaccess into the Apache configuration with the Include directive and set AllowOverride to None
Reverse proxies like Varnish
– Don't use ETags for static pages
– Don't set session IDs or cookies on static pages
A fail over server landscape (No DR)
Security
What we can do?
SQL Injection
– Always use parameterized queries
// Safe: the value is bound to the :uid placeholder, so the database never treats it as SQL
$uid = 1;
$result = db_query('SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = :uid', array(':uid' => $uid));
// Result is returned as an iterable object that yields a stdClass object on each iteration
foreach ($result as $record) {
// Perform operations on $record->title, etc. here.
}
// Vulnerable: the value is interpolated into the query string, so any SQL inside $uid is executed
$uid = 1;
$result = db_query("SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = $uid");
// Result is returned as an iterable object that yields a stdClass object on each iteration
foreach ($result as $record) {
// Perform operations on $record->title, etc. here.
}
Cross Site Scripting (XSS)
– Apply a text format filter to content; do not give untrusted users the Full HTML format
– Use check_url($url) on URLs before displaying the content
– Use check_plain($text) on text before displaying the content
– In t(), use the @ and % placeholders and not !; @ and % are passed through check_plain() automatically
– Use l() to create links
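The escaping helpers listed above applied to untrusted input, as an added example (not code from the slides); it assumes a bootstrapped Drupal 7 site, and the function name and the two inputs are hypothetical.

```php
<?php
// Added example (not from the slides): rendering untrusted input in Drupal 7
// with check_plain(), check_url(), t() placeholders and l(). Assumes a
// bootstrapped Drupal 7 site; $title and $url are hypothetical user input.

/**
 * Build a summary line, a link and an image tag from an untrusted title and URL.
 */
function example_safe_teaser($title, $url) {
  // check_plain() HTML-escapes the text, so "<script>" becomes "&lt;script&gt;".
  $safe_title = check_plain($title);

  // check_url() strips dangerous schemes such as "javascript:" and escapes the
  // result, so it is safe inside an href or src attribute.
  $safe_url = check_url($url);

  // t() runs @placeholders through check_plain() and %placeholders through
  // drupal_placeholder() (check_plain() wrapped in <em>). !placeholders are
  // inserted raw, so they must never carry user input.
  $summary = t('Submitted as @title from %host', array(
    '@title' => $title,
    '%host' => parse_url($url, PHP_URL_HOST),
  ));

  // l() escapes the link text and encodes the path itself; prefer it over
  // hand-built <a> tags.
  $link = l($title, $url);

  // Manual escaping is only needed for contexts l() does not cover.
  $image = '<img src="' . $safe_url . '" alt="' . $safe_title . '" />';

  return '<p>' . $summary . ' ' . $link . '</p>' . $image;
}

// Constructed malicious input: the rendered markup contains no executable script.
print example_safe_teaser('<script>alert(1)</script>', 'javascript:alert(1)');
```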
Cross Site Request Forgery (CSRF)
– Always use the Form API
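Why the Form API recommendation works, plus the case it does not cover (a state-changing link that is not a form), as an added example that is not from the slides; it assumes a bootstrapped Drupal 7 site, and the module name "example", the table example_subscribers and the path example/unsubscribe are hypothetical.

```php
<?php
// Added example (not from the slides): CSRF protection in Drupal 7. Assumes a
// bootstrapped Drupal 7 site; module "example", table example_subscribers and
// path example/unsubscribe are hypothetical names.

/** The protected action: mark the current user's subscription inactive. */
function example_deactivate_current_user() {
  global $user;
  db_update('example_subscribers')
    ->fields(array('active' => 0))
    ->condition('uid', $user->uid)
    ->execute();
}

/**
 * Form API form. For authenticated users Drupal adds hidden form_build_id and
 * form_token fields, and drupal_validate_form() rejects any submission whose
 * token does not belong to the current session: no extra code is needed.
 */
function example_unsubscribe_form($form, &$form_state) {
  $form['confirm'] = array(
    '#type' => 'checkbox',
    '#title' => t('Yes, remove me from the newsletter'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Unsubscribe'));
  return $form;
}

function example_unsubscribe_form_submit($form, &$form_state) {
  // Reached only after Form API has validated the CSRF token.
  example_deactivate_current_user();
}

/**
 * A state-changing link outside the Form API must carry its own token,
 * generated with drupal_get_token() ...
 */
function example_unsubscribe_link() {
  return l(t('Unsubscribe'), 'example/unsubscribe', array(
    'query' => array('token' => drupal_get_token('example_unsubscribe')),
  ));
}

/** ... and checked with drupal_valid_token() before anything is changed. */
function example_unsubscribe_callback() {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_unsubscribe')) {
    return MENU_ACCESS_DENIED;  // a forged cross-site request has no valid token
  }
  example_deactivate_current_user();
  return t('You have been unsubscribed.');
}
```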
File Permissions
– Files: 770 or 754
chmod -R 770 /var/www/html/sites/default/files
– Themes: 755
chmod -R 755 /var/www/html/sites/all/themes
– Default: 755
chmod 755 /var/www/html/sites/default
– settings.php: 444
chmod 444 /var/www/html/sites/default/settings.php
Hardening Apache
– Set ServerSignature Off in the Apache configuration file
– Set ServerTokens Prod in the Apache configuration file
– Disable unnecessary modules
– Disable unnecessary Options such as directory indexes (Options -Indexes)
– Disable ETags
– Run Apache under its own user and group
– Set cookies with the HttpOnly and Secure flags
– Send the X-XSS-Protection header
– Disable the HTTP/1.0 protocol
– Disable TRACE requests
– Limit HTTP request methods to GET, POST and HEAD
– Use mod_security
– Install mod_evasive to mitigate DoS attacks
Hardening PHP
– Set expose_php Off in php.ini
– Set display_errors Off
– Log errors using the Syslog module
– Set a maximum file upload size
– Turn off allow_url_fopen and allow_url_include
– Set post_max_size
– Use disable_functions to disable dangerous functions (exec, shell_exec etc.)
– Limit PHP access to the file system
– Turn off enable_dl
– Disable unnecessary PHP modules
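A CLI audit of the php.ini items above, read back through ini_get(), as an added example (not from the slides); the 32M upload ceiling and the function names are assumptions, and it should be run under each SAPI in use because CLI values can differ from mod_php or FPM values.

```php
<?php
// Added example (not from the slides): audit the php.ini hardening items via
// ini_get(). Run under each SAPI you use; the 32M ceiling is an assumption.

/** Convert an ini size such as "8M" or "512K" to bytes. */
function example_ini_bytes($value) {
  $value = trim((string) $value);
  $number = (int) $value;
  switch (strtoupper(substr($value, -1))) {
    case 'G': return $number * 1024 * 1024 * 1024;
    case 'M': return $number * 1024 * 1024;
    case 'K': return $number * 1024;
    default:  return $number;
  }
}

/** Return setting => problem for every item that is not hardened. */
function example_php_hardening_findings() {
  $findings = array();
  // Directives that must be Off; ini_get() yields "1" or "On" when enabled.
  foreach (array('expose_php', 'display_errors', 'allow_url_fopen',
                 'allow_url_include', 'enable_dl') as $name) {
    if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
      $findings[$name] = 'is On, set it to Off';
    }
  }
  // Upload and POST limits: oversized values let any client tie up disk and RAM.
  foreach (array('upload_max_filesize', 'post_max_size') as $name) {
    if (example_ini_bytes(ini_get($name)) > 32 * 1024 * 1024) {
      $findings[$name] = 'exceeds the assumed 32M ceiling';
    }
  }
  // disable_functions should cover at least the shell helpers named on the slide.
  $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
  foreach (array('exec', 'shell_exec', 'system', 'passthru') as $fn) {
    if (!in_array($fn, $disabled, TRUE)) {
      $findings['disable_functions'] = 'does not list ' . $fn;
    }
  }
  // open_basedir is how "limit PHP access to the file system" is enforced.
  if ((string) ini_get('open_basedir') === '') {
    $findings['open_basedir'] = 'is unset, PHP may read any path the web user can';
  }
  return $findings;
}

foreach (example_php_hardening_findings() as $name => $problem) {
  echo "$name $problem\n";
}
```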
Securing Linux Server
– Close unnecessary ports
– Uninstall unnecessary applications, such as an FTP server, if not required
– Prevent IP spoofing
– Harden Apache and PHP
– Protect from DDoS
– Install intrusion detection (PSAD)
– Use SELinux or AppArmor
– Protect su by limiting access to the admin group only
– Install DenyHosts and fail2ban