How do you set it up as a production web server? Is it worthy?
Posted by: ajsansone (---.tampfl.fios.verizon.net)
Date: August 08, 2008 07:10AM

Many people say that WampServer is only a development web server and should not be used as your production web server. I don't know if they mean that there are too many security issues or if the simultaneous connection limits are too small.

How do you compare WampServer performance (load times) with a Lamp production web server?

Re: How do you set it up as a production web server? Is it worthy?
Posted by: toivo (---.nsw.bigpond.net.au)
Date: August 08, 2008 01:01PM

Apache can of course be configured for production environments. The number of connections and processes your server supports is fine-tuned in the configuration.

When running Apache under Windows you need to add a couple of parameters to keep file transfers running smoothly, but that is well documented in apache.org.

Your first level of defence is a properly configured firewall appliance which limits the access to your network to the ports which are allowed to be accessed by users from the internet. Ideally the firewall supports a DMZ (Demilitarized Zone) interface so that your webserver is in a separate subnet.

Run only the essential services in your webserver. The user under which the Apache server runs can be set up to have access only to the minimum of folders and resources, should the server be broken into. Here is a page explaining how to jail Apache on Windows: [www.modsecurity.org]

Because you are running a webserver, you do not have to apply all the security updates to the operating system, as long as your Apache is reasonably up to date.

However, check the Apache access log and error log regularly to see if there are any anomalies.

The forms your web applications publish may have vulnerabilities unless the developer or the CMS you are running has used safety measures and standard practices to sanitize the data that the public is entering into the forms available on the site. Do a search on 'SQL injection' and 'mail injection' to find out how to prevent both types of attacks.

When you install applications to the webserver, always check the security section of the installation instructions and release notes. Add yourself to the mailing lists of the support forum for the applications to receive early announcements about vulnerabilities and bug fixes.

Do not let the whole world knock on the door of your engine room, meaning trying to access the control panels or the administrative interfaces. Social engineering (see [en.wikipedia.org]) can reveal identities of the key players in the network and make it easier to guess passwords used by the administrators. In Apache you can use the .htaccess file to limit the access rights to particular folders to particular IP addresses or subnet(s). Allow access to the critical admin resources only from workstations or subnets you can trust.

Similar restrictions should apply to the usernames in MySQL. Create a user for each application and allow it to access that particular database schema from 'localhost'. The IP addresses of the administrators of the web application or the database should be restricted to a particular host computer or a subnet.

Do not install beta versions of extensions and plugins into your production server. Maintain a separate test environment where bugs can be ironed out.

It is a good idea to run MySQL utilities from scheduled command line scripts to check the integrity of the databases and send an email and an SMS message if problems are detected. It is also possible to repair the tables on the fly in the same script.

Last, but not least, document and test a Disaster Recovery Plan (DRP), involving file system backups to removable media and regular database backups. I have scheduled a database backup just before the overnight file system backup which copies the key folders to another server, from where a backup application copies the folders to tape. The tapes are ideally stored in a secure vault off-site and rotated.

Your DRP needs to be tested regularly in a non-production environment, to prevent undetected equipment or media failures in the production of your backup media from bringing your online business to a halt after a natural catastrophe or a server failure.


Regards,

toivo
Sydney, Australia
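The folder restriction toivo describes above, written out as an Apache 2.2 configuration fragment. This is an added example, not something posted in the thread; the folder path c:/wamp/www/admin and the trusted subnet 192.168.1.0/24 are assumptions for illustration, and in Apache 2.4 the Order/Deny/Allow lines are replaced by Require ip as noted in the comments.

```apache
# Added example (not from the thread). Restrict an administrative folder
# to localhost and one trusted LAN subnet. Put this in httpd.conf, or the
# lines inside <Directory> in a .htaccess file in that folder.
# Assumed path: c:/wamp/www/admin. Assumed trusted subnet: 192.168.1.0/24.

# AllowOverride Limit is what lets a .htaccess file carry Order/Allow/Deny;
# without it the .htaccess rules are silently ignored.
<Directory "c:/wamp/www/admin">
    AllowOverride Limit
    Options -Indexes

    # Apache 2.2 syntax: deny everybody, then re-allow trusted sources only.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1.0/24

    # Apache 2.4 equivalent (use instead of the four lines above):
    # <RequireAny>
    #     Require ip 127.0.0.1
    #     Require ip 192.168.1.0/24
    # </RequireAny>
</Directory>

# Keep the server from advertising its exact version to the whole world.
ServerTokens Prod
ServerSignature Off
```

After editing httpd.conf, restart Apache from the WampServer tray menu and confirm from an address outside the allowed subnet that the folder answers 403 Forbidden, and from a trusted workstation that it still loads; a 403 for the trusted host usually means the Order line is missing or AllowOverride is still None.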

Re: How do you set it up as a production web server? Is it worthy?
Posted by: yfastud (Moderator)
Date: August 08, 2008 04:16PM

What it means is you have to add some security yourself and it might depend on the application(s) that you use.

Have fun,

FREE One A Day
FREE Photo
FREE Games
FREE Websites
FREE Portable GPS
FREE WAMP Guides

Re: How do you set it up as a production web server? Is it worthy?
Posted by: ajsansone (---.tampfl.fios.verizon.net)
Date: August 08, 2008 06:35PM

WampServer seems promising for those that need to host their own websites. I don't know why Microsoft would limit IIS simultaneous connections to 10 even within their new Windows Vista Operating System. No wonder Apache is the number one web server on the internet. How can you host a website with only 10 simultaneous connections? That's just selfish.

When you install WampServer right out-of-the-box are there any connection limit settings you need to change in Apache so you can run WampServer as a production web server? Are there any settings you need to change within MySQL or PHP?

Any more suggestions on how to make WampServer a production web server?



Edited 6 time(s). Last edit at 08/08/2008 06:40PM by ajsansone.

Re: How do you set it up as a production web server? Is it worthy?
Posted by: toivo (---.nsw.bigpond.net.au)
Date: August 08, 2008 11:07PM

You need to study the settings in the configuration files like httpd.conf, php.ini and my.ini. Most of them are self-explanatory.

toivo
Sydney, Australia
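For the httpd.conf side of ajsansone's connection-limit question, here is the part of the file that sets the Windows connection capacity and the "couple of parameters" for file transfers that toivo mentioned earlier. This is an added example written for this thread, not a configuration shipped by WampServer or Apache; the values are illustrative and assume the Apache 2.2 Windows build that WampServer ships, where the connection limit is ThreadsPerChild under mpm_winnt rather than a process count as on a LAMP box.

```apache
# Added example (not from the thread). Apache 2.2 on Windows serves all
# requests from one child process with a thread pool; ThreadsPerChild is
# therefore the simultaneous connection limit (default 64, maximum 15000).
<IfModule mpm_winnt_module>
    ThreadsPerChild        250
    # 0 = never recycle the child process for request count reasons
    MaxRequestsPerChild      0
</IfModule>

# The Windows-specific file transfer settings. sendfile and memory-mapped
# files misbehave on some Windows builds and network shares, so turn them
# off; the speed difference is negligible for a small site.
EnableSendfile Off
EnableMMAP Off
# Apache 2.0/2.2 only: avoids a known AcceptEx problem on some Windows
# stacks. Removed in 2.4, where AcceptFilter takes its place.
Win32DisableAcceptEx

# Connection handling: short keep-alive so idle browsers do not pin threads.
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
```

ThreadsPerChild is a thread count, not a user count: a browser opens several connections per page, so size it from the access log peaks rather than from the number of visitors you expect, and re-check the Windows error log after raising it, since each thread also consumes memory in the single Apache process.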
