Drupal Performance & Security
Performance & Security
Satish C Ayappan (Drupal Architect- Capgemini)
[email protected]
Performance
Front end performance
Drupal out of box optimization
MySQL Optimization
MySQL Query Optimization
Memcache for database caching
Scalable File System options
PHP and Apache Configuration
Use Reverse proxies like Varnish
A failover server landscape
Security
SQL injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
File Permissions
Harden Apache and PHP
Securing Linux Server
Performance
What can we do?
Front end performance
– Limit HTTP requests.
– Use Drupal's core aggregator or the Advanced CSS/JS Aggregation module.
– Measure with PageSpeed or YSlow.
– Enable gzip compression.
– Specify image dimensions.
– Avoid front-end single points of failure (SPOFs): a third-party script loaded synchronously in the head blocks rendering of the whole page when its host is slow or down.
Front end performance (contd.)
– Use a CDN for images and CSS.
– Use image sprites.
– Optimize images (Yahoo! Smush.it).
– Client side caching: set Cache-Control and Expires headers. Don't use ETags; in Apache you can disable them with FileETag None.
Drupal out of box optimization
– Page Caching
Page caching only serves anonymous users: any request that carries a session cookie (a logged-in user, or anything that started a PHP session) bypasses the page cache.
– JS and CSS Aggregation
– Use Boost
– Use View Cache
– Use Entity Cache along with Redis
– Cache Warming / Priming (Drush Entity Cache Loader, Cache Warmer)
– Use Fast 404 Module
– Use Syslog Module
– Disable PHP Filter Module
MySQL Optimization
– Enable the query cache (caveat: it is protected by a single global lock, hurts write-heavy or highly concurrent workloads, and was removed in MySQL 8.0)
– Tune variables like innodb_buffer_pool_size, table_cache (table_open_cache in newer versions), thread_cache_size etc.
– Use innodb_file_per_table.
http://www.percona.com/blog/2006/09/29/what-to-tune-in-mysql-server-after-installation/
MySQL Query Optimization
– Use indexes
– Use EXPLAIN to understand the query plan
– Avoid full table scans, filesorts and temporary table creation by looking at the query plan
– Look here for query optimization:
• http://dev.mysql.com/doc/refman/5.0/en/selectoptimization.html
• http://dev.mysql.com/doc/refman/5.0/en/optimization.html
Memcache/Redis for database cache
– Memcache or Redis can be put in front of MySQL to offload the database server: Drupal's cache bins are stored in Memcache/Redis and served from there without hitting the MySQL server.
– Bind Memcache/Redis to localhost or a private interface and firewall the port; neither authenticates clients by default, so an exposed instance lets anyone read or tamper with the cached pages and data.
Scalable File System options
– NFS file system – if you are using NFS, increase PHP's realpath cache (realpath_cache_size and realpath_cache_ttl in php.ini) so that path lookups do not hit the network on every include
– GlusterFS file system
– You can use lsyncd or rsync.
– File Conveyor
– Mounting SSFS
– NAS
– SAN
PHP and Apache Configuration
– Use OPcache (bundled with PHP 5.5+; it is the open-sourced Zend Optimizer+)
opcache.memory_consumption
opcache.max_accelerated_files
opcache.revalidate_freq = 240
– Disable the Apache modules you are not using in production.
– Set KeepAliveTimeout to 1 or 2 seconds
– Move the rules from Drupal's .htaccess into the main Apache configuration (via an Include directive or a <Directory> block) and set AllowOverride None, so Apache stops looking for .htaccess files on every request.
Reverse proxies like Varnish
– Don't use ETags for static pages.
– Don't set session IDs or cookies on static pages: with Varnish's default VCL a request carrying a Cookie header, or a response carrying Set-Cookie, is passed through uncached.
A failover server landscape (no DR)
Security
What can we do?
SQL Injection
– Always use parameterized queries (placeholders); never build SQL by pasting values into the string.

// Safe: the value is passed as a placeholder and bound by the database layer.
$uid = 1;
$result = db_query('SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = :uid', array(':uid' => $uid));
// Result is returned as an iterable object that yields a stdClass object on each iteration
foreach ($result as $record) {
  // Perform operations on $record->title, etc. here.
}

// Vulnerable: $uid is interpolated into the query text (double quotes, so PHP expands it);
// an attacker-controlled value such as "1 OR 1=1" changes the query instead of being treated as data.
$uid = 1;
$result = db_query("SELECT n.nid, n.title, n.created
FROM {node} n WHERE n.uid = $uid");
// Result is returned as an iterable object that yields a stdClass object on each iteration
foreach ($result as $record) {
  // Perform operations on $record->title, etc. here.
}
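The difference between the two snippets above, shown end to end as an added example (not code from the slides): a constructed in-memory SQLite table stands in for Drupal's {node} table, one function pastes the value into the SQL text the way "WHERE n.uid = $uid" does, the other binds it as a placeholder like db_query('... :uid', array(':uid' => $uid)), and both are run with a normal uid and with an injection payload.

```python
import sqlite3

# Constructed sample rows standing in for Drupal's {node} table (example data, not from the slides).
NODES = [
    (1, 1, "Admin's private note", 1000),
    (2, 1, "Admin's draft", 1001),
    (3, 2, "Alice's post", 1002),
    (4, 3, "Bob's post", 1003),
]

# A typical injection payload supplied where an integer uid is expected.
PAYLOAD = "3 OR 1=1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, uid INTEGER, title TEXT, created INTEGER)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?, ?)", NODES)
    return conn


def titles_interpolated(conn, uid):
    """Vulnerable: mirrors "WHERE n.uid = $uid" with the value pasted into the SQL text."""
    sql = f"SELECT n.nid, n.title, n.created FROM node n WHERE n.uid = {uid}"
    return [title for _nid, title, _created in conn.execute(sql)]


def titles_parameterized(conn, uid):
    """Safe: mirrors db_query('... WHERE n.uid = :uid', array(':uid' => $uid)).

    The value travels to the engine separately from the SQL text, so it can only
    ever be compared against n.uid; it can never become part of the statement.
    """
    sql = "SELECT n.nid, n.title, n.created FROM node n WHERE n.uid = :uid"
    return [title for _nid, title, _created in conn.execute(sql, {"uid": uid})]


if __name__ == "__main__":
    conn = make_db()
    print(titles_interpolated(conn, 3))         # only Bob's row
    print(titles_interpolated(conn, PAYLOAD))   # every row in the table: the WHERE clause became "uid = 3 OR 1=1"
    print(titles_parameterized(conn, 3))        # only Bob's row
    print(titles_parameterized(conn, PAYLOAD))  # nothing: "3 OR 1=1" is just a string that matches no uid
```

For a column that must be an integer, casting first ((int) $uid in PHP) is a cheap second line of defence, but it is not a substitute for the placeholder: the placeholder is what keeps string and date values safe too.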
Cross Site Scripting (XSS)
– Apply a text format (input filter) to user-submitted content; do not give untrusted roles the Full HTML format.
– Use check_url($url) on URLs before outputting them: it strips dangerous protocols such as javascript: and HTML-escapes the rest.
– Use check_plain($text) to HTML-escape plain text before outputting it.
– In t(), use the @ and % placeholders, which run check_plain() on the value automatically; avoid !, which inserts the value raw.
– Use l() to build links.
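Why the placeholder letter matters, as an added example that is not code from the slides or from Drupal: the functions below are Python models of Drupal 7's documented behaviour for check_plain(), drupal_strip_dangerous_protocols()/check_url() and the @, % and ! placeholders of t(); the l() model is simplified (the real one builds the href through url()), and the protocol allow list is assumed to match Drupal 7's default. The payload is constructed input.

```python
import html
import re

# Assumed to match the default allow list of Drupal 7's drupal_strip_dangerous_protocols().
ALLOWED_PROTOCOLS = {"ftp", "http", "https", "irc", "mailto", "news", "nntp",
                     "rtsp", "sftp", "ssh", "tel", "telnet", "webcal"}


def check_plain(text):
    """Model of check_plain(): htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
    html.escape(quote=True) escapes & < > " and ' (PHP writes &#039; where Python writes &#x27;)."""
    return html.escape(text, quote=True)


def strip_dangerous_protocols(uri):
    """Model of drupal_strip_dangerous_protocols(): repeatedly drop a leading scheme that is not on
    the allow list, so "javascript:" and stacked forms like "JaVaScRiPt:javascript:" are removed."""
    for _ in range(10):
        if ":" not in uri:
            break
        scheme, rest = uri.split(":", 1)
        if any(c in scheme for c in "/?#"):
            break  # the colon sits inside a path or query string, not after a scheme
        if scheme.lower() in ALLOWED_PROTOCOLS:
            break
        uri = rest
    return uri


def check_url(uri):
    """Model of check_url(): strip dangerous protocols, then HTML-escape for use in an attribute."""
    return check_plain(strip_dangerous_protocols(uri))


_PLACEHOLDER = re.compile(r"[@%!][A-Za-z0-9_]+")


def t(template, args=None):
    """Model of t()/format_string() placeholder handling (single pass, like PHP's strtr()):
    @name -> check_plain()ed, %name -> check_plain()ed inside <em class="placeholder">,
    !name -> inserted verbatim, which is only safe for markup that is already sanitised."""
    args = args or {}

    def replace(match):
        key = match.group(0)
        if key not in args:
            return key
        value = str(args[key])
        if key[0] == "@":
            return check_plain(value)
        if key[0] == "%":
            return '<em class="placeholder">' + check_plain(value) + "</em>"
        return value  # '!' placeholder: raw

    return _PLACEHOLDER.sub(replace, template)


def l(text, path):
    """Simplified model of l(): escaped link text and a checked href."""
    return '<a href="' + check_url(path) + '">' + check_plain(text) + "</a>"


PAYLOAD = "<script>alert(1)</script>"  # constructed user input

if __name__ == "__main__":
    print(t("Hello @name", {"@name": PAYLOAD}))   # escaped, renders as text
    print(t("Hello !name", {"!name": PAYLOAD}))   # raw: the script tag survives into the page
    print(check_url("javascript:alert(1)"))       # alert(1)
    print(l("profile", "javascript:alert(1)"))    # <a href="alert(1)">profile</a>
```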
Cross Site Request Forgery (CSRF)
– Always use the Form API: it adds a hidden form_token tied to the user's session and the form ID, and rejects submissions whose token does not validate. Any state-changing action reachable through a plain link (GET) needs the same protection via drupal_get_token()/drupal_valid_token().
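What the Form API's token check buys you, as an added example that is not the slides' or Drupal's own code: a Python model of a session-bound HMAC form token (Drupal 7's drupal_get_token() works the same way, keyed on the session ID plus the site's private key and hash salt, base64url-encoded without padding) and a minimal submit handler that refuses a cross-site post. Secrets, session IDs and the form ID are constructed.

```python
import base64
import hashlib
import hmac
import secrets


class FormTokens:
    """Model of a Drupal 7-style form token: HMAC-SHA256 over the form ID, keyed with the
    session ID plus site-wide secrets, base64url-encoded without padding."""

    def __init__(self, private_key, hash_salt):
        self.private_key = private_key
        self.hash_salt = hash_salt

    def get_token(self, session_id, value=""):
        key = (session_id + self.private_key + self.hash_salt).encode()
        mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def valid_token(self, session_id, token, value=""):
        # Recompute rather than store; constant-time comparison so the check cannot be timed.
        if not isinstance(token, str) or not token.isascii():
            return False
        return hmac.compare_digest(token, self.get_token(session_id, value))


def handle_post(tokens, session_id, form_id, post):
    """Minimal Form API-style submit: the handler runs only if the token matches this session and form.
    A request from another origin carries the victim's cookies (hence session_id) but cannot read or
    compute the token, so the hidden field is missing or wrong."""
    token = post.get("form_token", "")
    if not tokens.valid_token(session_id, token, form_id):
        return {"status": 403, "error": "Invalid form token (possible CSRF)"}
    return {"status": 200, "deleted": post["nid"]}


# Constructed secrets and sessions; a real site reads these from settings.php and the session store.
TOKENS = FormTokens(private_key=secrets.token_hex(32), hash_salt=secrets.token_hex(32))
VICTIM_SESSION = "sess-victim"
ATTACKER_SESSION = "sess-attacker"
FORM_ID = "node_delete_confirm"

if __name__ == "__main__":
    good = {"nid": 42, "form_token": TOKENS.get_token(VICTIM_SESSION, FORM_ID)}
    print(handle_post(TOKENS, VICTIM_SESSION, FORM_ID, good))      # 200: legitimate submission
    forged = {"nid": 42}                                            # cross-site form post, no token
    print(handle_post(TOKENS, VICTIM_SESSION, FORM_ID, forged))    # 403
    stolen = {"nid": 42, "form_token": TOKENS.get_token(ATTACKER_SESSION, FORM_ID)}
    print(handle_post(TOKENS, VICTIM_SESSION, FORM_ID, stolen))    # 403: token from another session
```

The token is bound to both the session and the form ID, so a token harvested from one form cannot be replayed against another, and one minted in the attacker's own session is useless against the victim's.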
File Permissions
– Files directory: 770 or 754; the web server user must be able to write here (as owner or group) so that uploads work, and nobody else should
chmod -R 770 /var/www/html/sites/default/files
– Themes: 755
chmod -R 755 /var/www/html/sites/all/themes
– Default: 755
chmod 755 /var/www/html/sites/default
– settings.php: 444 (read-only; it holds the database credentials, hash salt and private key)
chmod 444 /var/www/html/sites/default/settings.php
Hardening Apache
– Set ServerSignature Off in the Apache configuration file
– Set ServerTokens Prod in the Apache configuration file
– Disable unnecessary modules
– Disable unnecessary Options such as Indexes (Options -Indexes)
– Disable ETags (FileETag None)
– Run Apache under its own user and group
– Set cookies with the HttpOnly and Secure flags (with mod_headers: Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure")
– Send an X-XSS-Protection header (Header set X-XSS-Protection "1; mode=block"); note that current browsers largely ignore it, and a Content-Security-Policy is the stronger control
– Disable the HTTP/1.0 protocol
– Disable TRACE requests (TraceEnable Off)
– Limit HTTP request methods to GET, POST and HEAD (<LimitExcept GET POST HEAD>)
– Use mod_security
– Install mod_evasive to mitigate DoS attacks
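A quick check for the items in this list that show up in a response, as an added example that is not part of the slides: the script parses a raw HTTP response and flags a version-revealing Server header, an ETag, a session cookie without HttpOnly/Secure, a missing X-XSS-Protection header and an error page that still carries the Apache signature. The two responses are constructed to look like a default and a hardened Apache; in practice you would feed it the output of a TRACE or GET probe.

```python
import re


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(lowercased name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of findings for the hardening items that are visible in a single response."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and re.search(r"[\d/(]", value):
            # ServerTokens Prod reduces this to the bare product name "Apache".
            findings.append("Server header reveals version/OS (set ServerTokens Prod): " + value)
        elif name == "etag":
            findings.append("ETag sent (set FileETag None)")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in flags:
                    findings.append(f"cookie {cookie} is missing the {flag} flag")
    if "x-xss-protection" not in {name for name, _ in headers}:
        findings.append("X-XSS-Protection header not set")
    if re.search(r"<address>.*Server at", body):
        # Apache's default error pages append "<address>Apache/2.x (OS) Server at host Port n</address>".
        findings.append("error page carries the server signature (set ServerSignature Off)")
    return findings


# Constructed responses, not captures from a real server.
WEAK_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    'ETag: "1c-5a0b8e4f3c2d1"\r\n'
    "Set-Cookie: SESS1a2b=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1><hr>"
    "<address>Apache/2.4.18 (Ubuntu) Server at example.com Port 80</address></body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SESS1a2b=abc123; path=/; HttpOnly; Secure\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for finding in audit_response(WEAK_RESPONSE):
        print("WEAK:", finding)
    print("HARDENED:", audit_response(HARDENED_RESPONSE) or "no findings")
```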
Hardening PHP
– Set expose_php = Off in php.ini
– Set display_errors = Off
– Log errors (log_errors = On) to syslog instead of the screen; Drupal's Syslog module does the same for watchdog messages
– Set a maximum file upload size (upload_max_filesize)
– Turn off allow_url_fopen and allow_url_include
– Set post_max_size (it must be larger than upload_max_filesize, or uploads near the limit silently fail)
– Use disable_functions to disable dangerous functions (exec, shell_exec, system, passthru, popen, proc_open etc.)
– Limit PHP's access to the file system with open_basedir
– Turn off enable_dl
– Disable unnecessary PHP modules
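An audit of a php.ini against the settings above, as an added example that is not part of the slides: it parses php.ini-style text (comments, sections, quoted values), normalises PHP's on/off booleans, checks disable_functions against a list of shell-spawning functions, requires open_basedir, and compares post_max_size with upload_max_filesize using PHP's K/M/G shorthand. The two ini fragments are constructed; the list of functions to disable is my assumption of a sensible minimum.

```python
import re

# Directive values the hardening list calls for; PHP ini booleans accept on/off, 1/0, true/false, yes/no.
EXPECTED = {
    "expose_php": False,
    "display_errors": False,
    "log_errors": True,
    "allow_url_fopen": False,
    "allow_url_include": False,
    "enable_dl": False,
}
# Assumed minimum set: functions that hand PHP a shell or a process handle.
DANGEROUS_FUNCTIONS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}


def parse_php_ini(text):
    """Parse php.ini-style text into {directive: value}; drops ';' comments, [sections] and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value):
    return value.strip().lower() in {"1", "on", "true", "yes"}


def ini_bytes(value):
    """Shorthand sizes as PHP reads them: 8M, 2G, 512K (K/M/G suffix, case-insensitive)."""
    m = re.fullmatch(r"(\d+)([kmgKMG]?)", value.strip())
    if not m:
        return None
    return int(m.group(1)) << {"": 0, "k": 10, "m": 20, "g": 30}[m.group(2).lower()]


def audit_php_ini(text):
    s = parse_php_ini(text)
    findings = []
    for directive, want in EXPECTED.items():
        have = s.get(directive)
        if have is None or ini_bool(have) != want:
            findings.append(f"{directive} = {have!r}, want {'On' if want else 'Off'}")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = DANGEROUS_FUNCTIONS - disabled
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(sorted(missing)))
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: PHP can read any file the web server user can")
    upload = ini_bytes(s.get("upload_max_filesize", ""))
    post = ini_bytes(s.get("post_max_size", ""))
    if upload is None or post is None:
        findings.append("upload_max_filesize and post_max_size are not both set")
    elif post < upload:
        findings.append("post_max_size is smaller than upload_max_filesize, so large uploads silently fail")
    return findings


# Constructed fragments, not copied from a real server.
WEAK_INI = """
[PHP]
expose_php = On
display_errors = On        ; handy in dev, leaks paths and SQL in production
log_errors = Off
allow_url_fopen = On
allow_url_include = Off
enable_dl = On
disable_functions =
upload_max_filesize = 20M
post_max_size = 8M
"""
HARDENED_INI = """
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
error_log = syslog
allow_url_fopen = Off
allow_url_include = Off
enable_dl = Off
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
open_basedir = "/var/www/html:/tmp"
upload_max_filesize = 20M
post_max_size = 24M
"""

if __name__ == "__main__":
    for finding in audit_php_ini(WEAK_INI):
        print("WEAK:", finding)
    print("HARDENED:", audit_php_ini(HARDENED_INI) or "no findings")
```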
Securing Linux Server
– Close unnecessary ports
– Uninstall unnecessary applications such as an FTP server if not required
– Prevent IP spoofing (enable reverse-path filtering: net.ipv4.conf.all.rp_filter = 1)
– Harden Apache and PHP
– Protect from DDoS
– Install intrusion detection – PSAD
– Use SELinux or AppArmor
– Protect su by limiting access to the admin group (pam_wheel)
– Install denyhosts or fail2ban