rc7 is out! We’ve upgraded to Varnish 3.0.2, fixed bugs, and made improvements to make your cPanel WHM server run even more faster than litespeed! Head out to the varnish download page: http://www.unixy.net/varnish

In brief:

• Upgrade Varnish to 3.0.2
• Increase httpd hdr len for req/resp
• Increase session WS
• Add Varnish monitoring crontab job

rc8 will see two neat features. The first will is a Slashdot Survive URL opt-in list where if you were to receive enormous traffic, Varnish can shield your server by responding directly to those requests (completely bypassing Apache or any server-side processing). So serving a slashdot-like audience will require a small fixed amount of memory as opposed to an unpredictable amount of resources (and most likely a server crash). The second feature will deal with aggressive bots. This addition creates a shared memory store for bots so they sources pages from the same store and prevent server crashes due to aggressive bots.

There’s more in 1.4.5rc8 so stay tuned!

Enjoy!

Litespeed users on cPanel WHM servers are realizing the benefits of running Varnish Cache in front of Litespeed to improve performance. While we (UNIXy) don’t officially provide support to subscribers running the cPanel Varnish Plugin with Litespeed, it does work with only a few extra manual steps. Keep in mind that we support this configuration for our fully managed VPS, dedicated server, and cluster clients. If you are a current client and need this configured, please open a ticket request.

In this post, I’m going to list the steps required to pair the cPanel Varnish Plugin with Litespeed on cPanel WHM servers. These few procedures apply to a blank cPanel installation (no Litespeed, no Varnish Plugin). The order below is important so don’t skip!

• 1. Configure your Apache / PHP with the desired options and extentions. Let EasyApache finish the build.
• 2. Install Litespeed using the command line installer with the port offset at 2000 (default).
• 3. From WHM -> Litespeed -> Build Matching PHP binaries. Let the Litespeed builder complete before proceeding.
• 4. Proceed with installing the cPanel Varnish Plugin. Let it complete.
• 5. Set the Litespeed Port offset to zero in Admin Console.
• 6. In Admin Console, Configuration -> Server -> General Settings -> Use Client IP in header -> Yes. Restart Litespeed.

About UNIXY

UNIXY is a long-time Varnish Cache user and evangelist. They have been offering Varnish acceleration to their clients for more than three years. They have released the first cPanel Varnish plugin as well as spun a new startup, Fastlayer, the on-demand HTTP accelerator for the cloud.

That’s all folks! I hope you find this useful.

In this short post, I would like to share a technique that will protect your confidential data even if your backup store were to be compromised. We shall leverage the powerful open source Encryption Filesystem. I’ll go through all steps required to install the software, use it, and finally integrate it with your back up strategy. This is a one-time configuration that doesn’t require much maintenance to keep it going and is well worth it in my opinion.

Off-server or off-network backup procedures are essential to any disaster recovery strategy. Current trends, however, show that little effort is directed at securing the backup node(s) and / or strategy. By storing plain text copies of your confidential databases, accounts, emails, and passwords on remote systems you’re exposing yourself to a host of issues. In light of the incident that affected WHT, if a capable intruder were to compromise your backup store (VPS, FTP, NFS, or server), it won’t take long before the intruder gains access to your production system. The consequences are material and the loss of productivity and revenue can break a business.

Installing EncFS

While I’m only covering installation of EncFS on Debian and Redhat derivatives, it’s relatively easy to install it on other Linux distributions. Special instructions are required to install the tools on OpenVZ. See http://wiki.openvz.org/FUSE

ON DEBIAN DISTRIBUTIONS

Let’s install EncFS and libraries. As root inside the shell prompt, execute the following two commands:

ON REDHAT DISTRIBUTIONS

First you have to add a yum application repository. Create a file called rpmforge.repo under /etc/yum.repos.d/rpmforge.repo and, with a text editor, copy / paste the following in it (this is for centos 5 / redhat 5. Checkout DAG for other versions):

Save and exit. Then run the following commands as root:

Using EncFS

EncFS is a set of tools that allow the creation of a filesystem that is by default encrypted. The encrypted filesystem can be mounted similarly to a hard drive. With EncFS, however, the encrypted filesystem is protected by a password. And this is where it’s useful. When you transfer your backup files from your production server to an off-server backup store, you’re transferring and storing clear text files and information. So, how do we use these tools to secure our backup store?

In brief, here are the steps we’re setting to accomplish

A) Initialize a folder on the production server as an EncFS volume and mount it
B) Point our backup scripts to the encrypted volume to store the generated backups
C) Seal the encrypted volume
D) Finally, transfer the encrypted files over to the backup store

A) First of all, we need to initialize the backup filesystem. Here’s are the steps:

At this point in the steps, we have created an encrypted and a decrypted folder. Plain text backups should always be copied in the /decrypted folder. Once copied, we unmounted the decrypted folder and leave all as is. Make sure you remember the Encfs password as it’s the only way to decrypt your backup files.

As a quick demo, let’s copy a random file in /decrypted to see all of this in action

Let’s pick a random file

Mount the encrypted filesystem:

B) If you have custom backup scripts, all you have to do in this step is the following

1) Before we modify the backup scripts, we need to store the encryption password in a file under the folder /root. Call it file /root/enc.txt and on the first line type in the password after running the below chmod command.

Add this command at the top of the backup script:

What this does is “feed” the encryption password to the command “encfs” so it runs unattended. Otherwise, encfs is interactive and might hand waiting for you to enter the password. Remember, we want to set this up and let it run itself.

Add this command at the end of the backup script:

For cPanel users, you can put include the above two steps in script files called /scripts/precpbackup and /scripts/postcpbackup as such:

Inside file /scripts/precpbackup

# In file /scripts/postcpbackup

Finally, make sure the two scripts are executable:

From WHM, in backup configuration, put /decrypted as the backup folder. And we’re done!

C) Let’s unmount the unencrypted filesystem since we’re done copying our files.

Sweet!

D) Transfer the encrypted backup files to the destination backup store

Now your backup files are secure. You can simply SCP or rsync the encrypted files from the encrypted FS /encrypted. Make sure to copy the .encfs5 file located inside the /encrypted directory. Without this file, the encrypted file are NOT recoverable!