Performance & Security
Satish C Ayappan (Drupal Architect - Capgemini)

Performance
– Front end performance
– Drupal out of the box optimization
– MySQL optimization
– MySQL query optimization
– Memcache for database caching
– Scalable file system options
– PHP and Apache configuration
– Use reverse proxies like Varnish
– A fail over server landscape

Security
– SQL injection
– Cross Site Scripting (XSS)
– Cross Site Request Forgery (CSRF)
– File permissions
– Harden Apache and PHP
– Securing the Linux server
Performance: what can we do?
Front end performance
– Limit HTTP requests.
– Use Drupal's core aggregator or the Advanced CSS/JS Aggregation module.
– Measure with PageSpeed or YSlow.
– Enable gzip compression.
– Specify image dimensions.
– Avoid front end single points of failure (SPOFs).

Front end performance (contd.)
– Use a CDN for images and CSS.
– Use image sprites.
– Optimize images (Yahoo! Smush.it).
– Client side caching: set Cache-Control and Expires headers, and don't use ETags (in Apache you can disable them with FileETag None).
Drupal out of the box optimization
– Page caching. Page caching will not work when there is a PHP session; it only works for anonymous users.
– JS and CSS aggregation.
– Use Boost.
– Use Views cache.
– Use Entity Cache along with Redis.
– Cache warming / priming (Drush Entity Cache Loader, Cache Warmer).
– Use the Fast 404 module.
– Use the Syslog module.
– Disable the PHP Filter module.
MySQL optimization
– Enable the query cache.
– Tune variables like innodb_buffer_pool_size, table_cache, thread_cache, etc.
– Use innodb_file_per_table.
– Reference: -to-tune-in-mysql-server-after-installation/
MySQL query optimization
– Use indexes.
– Use EXPLAIN to understand the query plan.
– Avoid full table scans, file sorts and temporary table creation by looking at the query plan.
– Query optimization reference: optimization.html
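The slide talks about MySQL's EXPLAIN; the following is an added example (not from the deck) that shows the same workflow with SQLite's EXPLAIN QUERY PLAN, because it runs offline with nothing but the Python standard library. The table, rows, and index name are constructed for the example. It reads the plan for a typical "nodes by author, ordered by date" query before and after adding a composite index, and flags the two things the slide says to avoid: a full table scan and a separate sort step (MySQL's "Using filesort", SQLite's "USE TEMP B-TREE FOR ORDER BY").

```python
import sqlite3


def make_db(rows=1000):
    """Constructed sample: a node-like table with 1000 rows spread over 10 users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE node (nid INTEGER PRIMARY KEY, uid INTEGER, title TEXT, created INTEGER)"
    )
    conn.executemany(
        "INSERT INTO node (uid, title, created) VALUES (?, ?, ?)",
        [(i % 10, f"node {i}", 1700000000 - i) for i in range(rows)],
    )
    return conn


# The query under study: all nodes of one author, oldest first.
QUERY = "SELECT nid, title FROM node WHERE uid = ? ORDER BY created"


def query_plan(conn, sql, params=()):
    """Return the 'detail' column of EXPLAIN QUERY PLAN (SQLite's counterpart of MySQL EXPLAIN)."""
    return [row[3] for row in conn.execute("EXPLAIN QUERY PLAN " + sql, params)]


def plan_uses_full_scan(plan):
    """True when some step reads the whole table (SQLite prints 'SCAN node' / 'SCAN TABLE node')."""
    return any(detail.startswith("SCAN") for detail in plan)


def plan_needs_sort_step(plan):
    """True when SQLite must build a temporary b-tree just to satisfy ORDER BY (a 'filesort')."""
    return any("TEMP B-TREE" in detail for detail in plan)


def demo():
    """Plan before and after adding an index that covers both the WHERE and the ORDER BY."""
    conn = make_db()
    before = query_plan(conn, QUERY, (3,))
    # Composite index (uid, created): equality on uid, then rows already in created order.
    conn.execute("CREATE INDEX node_uid_created ON node (uid, created)")
    after = query_plan(conn, QUERY, (3,))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before index:", before)
    print("after index: ", after)
```

The order of the index columns matters: an index on (uid) alone would remove the scan but leave the sort step, while (uid, created) removes both. The same reasoning applies to MySQL's EXPLAIN output ("type: ALL" for a scan, "Using filesort" / "Using temporary" in the Extra column).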
Memcache/Redis for database caching
– Memcache or Redis can be put in front of MySQL to offload the database server: data is cached in Memcache/Redis and served from there without hitting the MySQL server.
Scalable file system options
– NFS file system. If you are using NFS, increase the size of the realpath cache.
– GlusterFS file system.
– You can use lsyncd or rsync.
– File Conveyor.
– Mounting SSHFS.
– NAS.
– SAN.
PHP and Apache configuration
– Use OPcache (PHP 5.5 bundles the free version of Zend Optimizer+). Key settings:
  – opcache.memory_consumption
  – opcache.max_accelerated_files
  – opcache.revalidate_freq = 240
– Disable Apache modules you are not using in production.
– Set the KeepAlive timeout to 1 or 2 seconds.
– Move the .htaccess rules into the main configuration with an Include directive and set AllowOverride to None, so Apache stops scanning for .htaccess files on every request.
Reverse proxies like Varnish
– Don't use ETags for static pages.
– Don't set session IDs or cookies for static pages; they stop the proxy from caching the response.
A fail over server landscape (No DR)
Security: what can we do?
SQL Injection
– Always use parameterized queries.

Parameterized (safe): the value is passed as a bound placeholder, never as part of the SQL text.

    $uid = 1;
    $result = db_query('SELECT n.nid, n.title, n.created FROM {node} n WHERE n.uid = :uid', array(':uid' => $uid));
    // The result is an iterable object that returns a stdClass object on each iteration.
    foreach ($result as $record) {
      // Perform operations on $record->title, etc. here.
    }

String interpolation (vulnerable, don't do this): $uid is spliced into the SQL text, so any input that reaches it becomes part of the query.

    $uid = 1;
    $result = db_query("SELECT n.nid, n.title, n.created FROM {node} n WHERE n.uid = $uid");
    // The result is an iterable object that returns a stdClass object on each iteration.
    foreach ($result as $record) {
      // Perform operations on $record->title, etc. here.
    }
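To make the difference between the two snippets concrete, here is an added example (not from the deck, and not Drupal code) that reproduces both patterns against an in-memory SQLite table standing in for {node}. The table, rows, and the sample inputs are constructed; `?` plays the role of Drupal's `:uid` placeholder. The unsafe function returns every row once the input stops being a plain number, while the bound parameter is compared as data and simply matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for Drupal's {node} table: (nid, title, uid, created).
NODES = [
    (1, "Public post", 1, 1700000000),
    (2, "Private note", 2, 1700000100),
    (3, "Another private note", 2, 1700000200),
]


def make_db():
    """Build an in-memory database with a minimal node table (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, title TEXT, uid INTEGER, created INTEGER)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?, ?)", NODES)
    return conn


def nodes_by_uid_unsafe(conn, uid):
    """DON'T: the value is spliced into the SQL text, like "$uid" inside the query string on the slide."""
    sql = f"SELECT nid, title, created FROM node WHERE uid = {uid} ORDER BY nid"
    return [row[1] for row in conn.execute(sql)]


def nodes_by_uid_safe(conn, uid):
    """DO: the value travels as a bound parameter; the SQL text is fixed at development time."""
    sql = "SELECT nid, title, created FROM node WHERE uid = ? ORDER BY nid"
    return [row[1] for row in conn.execute(sql, (uid,))]


def demo():
    """Run both variants with a normal value and with a constructed malformed value."""
    conn = make_db()
    normal = "1"
    malformed = "1 OR 1=1"  # constructed: what a tampered URL parameter might contain
    return {
        "unsafe_normal": nodes_by_uid_unsafe(conn, normal),
        "unsafe_malformed": nodes_by_uid_unsafe(conn, malformed),
        "safe_normal": nodes_by_uid_safe(conn, normal),
        "safe_malformed": nodes_by_uid_safe(conn, malformed),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name:17s} -> {titles}")
```

Note that the safe variant does not "sanitize" anything: the database driver never parses the bound value as SQL, which is why parameterization holds regardless of what the input looks like. Validating that `uid` is an integer before the query is still good practice, but it is a second layer, not a substitute.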
Cross Site Scripting (XSS)
– Apply input filters to user-submitted content; do not let untrusted users use the Full HTML text format.
– Use check_url($url) on URLs before displaying the content.
– Use check_plain($text) on text before displaying the content.
– Use t() with % placeholders and not !; % applies check_plain automatically, ! inserts the value unescaped.
– Use l() to create links.
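The three helpers named on this slide are Drupal PHP functions; the following is an added example (not from the deck or from Drupal) that re-implements their core behaviour in Python so the escaping rules can be exercised directly: `check_plain` escapes markup characters, `check_url` strips URL schemes that are not on an allowlist before escaping, and a miniature `t()` shows why `%` and `@` placeholders are safe while `!` is not. The allowed-scheme list and the `<em class="placeholder">` wrapping follow Drupal 7's defaults as I recall them and are assumptions of this example; the hostile strings are constructed test inputs.

```python
import html
import re

# Schemes that are allowed to survive check_url (assumed to match Drupal 7's default allowlist).
ALLOWED_SCHEMES = {
    "http", "https", "ftp", "mailto", "tel", "news", "nntp", "irc", "ssh", "sftp", "webcal", "rtsp",
}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def check_plain(text):
    """Escape &, <, >, and quotes so the text renders as text, not markup (cf. Drupal's check_plain())."""
    # html.escape writes ' as &#x27; where PHP writes &#039;; both are harmless in HTML.
    return html.escape(str(text), quote=True)


def check_url(url):
    """Drop any disallowed scheme (javascript:, data:, vbscript:, ...) and escape the remainder."""
    # Control characters are removed first so that they cannot split a scheme name.
    url = re.sub(r"[\x00-\x1f\x7f]", "", url.strip())
    # Loop, like Drupal does, so 'javascript:javascript:x' is not left with one dangerous scheme.
    while True:
        match = SCHEME_RE.match(url)
        if match and match.group(1).lower() not in ALLOWED_SCHEMES:
            url = url[match.end():]
            continue
        break
    return check_plain(url)


def t(fmt, args):
    """Miniature t(): '@key' is escaped, '%key' is escaped and emphasised, '!key' is inserted raw."""
    out = fmt
    for key, value in args.items():
        value = str(value)
        if key[0] == "@":
            replacement = check_plain(value)
        elif key[0] == "%":
            replacement = '<em class="placeholder">' + check_plain(value) + "</em>"
        else:
            # '!' placeholders: the caller vouches that the value is already safe HTML.
            replacement = value
        out = out.replace(key, replacement)
    return out


if __name__ == "__main__":
    print(check_plain("<script>alert(1)</script>"))
    print(check_url("javascript:alert(1)"))
    print(t("Welcome %name", {"%name": "<b>bold</b>"}))
    print(t("Welcome !name", {"!name": "<b>bold</b>"}))
```

The last two print calls make the slide's point: the same value comes out inert with `%` and as live markup with `!`, so `!` belongs only in strings whose value was built by trusted code (for example the output of l()).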
Cross Site Request Forgery (CSRF)
– Always use the Form API; it adds a per-user form token to every form and validates it on submission.
File permissions
– Files: 770 or 754
    chmod -R 770 /var/www/html/sites/default/files
– Themes: 755
    chmod -R 755 /var/www/html/sites/all/themes
– Default: 755
    chmod 755 /var/www/html/sites/default
– settings.php: 444
    chmod 444 /var/www/html/sites/default/settings.php
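Permissions drift over time (deploy scripts, editors saving settings.php, a hurried chmod 777), so it is worth having a script that applies the modes from this slide and reports anything that differs. The following is an added example, not part of the deck; it builds a throwaway stand-in for the Drupal docroot inside a temporary directory (so it can run anywhere, on Linux or macOS), applies the slide's modes with the same recursive/non-recursive choices as the chmod commands above, and returns the paths whose mode does not match. The directory layout and the deliberately loose initial modes are constructed for the example.

```python
import os
import stat
import tempfile

# Modes from the slide, keyed by path relative to the Drupal root.
EXPECTED_MODES = {
    "sites/default/files": 0o770,
    "sites/all/themes": 0o755,
    "sites/default": 0o755,
    "sites/default/settings.php": 0o444,
}
# The slide uses chmod -R for these two; sites/default itself is NOT recursive,
# otherwise it would overwrite the modes of files/ and settings.php beneath it.
RECURSIVE = {"sites/default/files", "sites/all/themes"}


def build_sample_tree(root):
    """Create a constructed stand-in for a docroot, with settings.php world-writable on purpose."""
    for rel in ("sites/default/files/pictures", "sites/all/themes/bartik"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    settings = os.path.join(root, "sites/default/settings.php")
    with open(settings, "w") as fh:
        fh.write("<?php\n$databases = array();\n")
    os.chmod(settings, 0o666)  # the kind of drift the audit should catch


def apply_modes(root):
    """Apply EXPECTED_MODES; recurse where the slide's command used chmod -R."""
    for rel, mode in EXPECTED_MODES.items():
        path = os.path.join(root, rel)
        os.chmod(path, mode)
        if rel in RECURSIVE:
            for dirpath, dirnames, filenames in os.walk(path):
                for name in dirnames + filenames:
                    os.chmod(os.path.join(dirpath, name), mode)


def audit(root):
    """Return {relative_path: actual_mode_as_octal_string} for entries that differ from the slide."""
    drift = {}
    for rel, mode in EXPECTED_MODES.items():
        actual = stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)
        if actual != mode:
            drift[rel] = oct(actual)
    return drift


def demo():
    """Audit a fresh sample tree, fix it, audit again; returns (drift_before, drift_after)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = audit(root)
        apply_modes(root)
        after = audit(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("drift before:", before)
    print("drift after: ", after)
```

For a real docroot, point `audit()` at /var/www/html (the path from the slide) and run it from cron or a deploy hook; `apply_modes()` is the remediation step and should normally run as the owner of the files rather than as root.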
Hardening Apache
– Set ServerSignature Off in the Apache configuration file.
– Set ServerTokens Prod in the Apache configuration file.
– Disable unnecessary modules.
– Disable unnecessary options like Indexes (Options -Indexes).
– Disable ETags.
– Run Apache under its own user and group.
– Set cookies with the HttpOnly and Secure flags.
– Send the X-XSS-Protection header.
– Disable the HTTP 1.0 protocol.
– Disable TRACE requests.
– Limit HTTP request methods to GET, POST and HEAD.
– Use mod_security.
– Install mod_evasive to mitigate DoS attacks.
Hardening PHP
– Set expose_php = Off in php.ini.
– Set display_errors = Off.
– Log errors using the Syslog module.
– Set a maximum file upload size.
– Turn off allow_url_fopen and allow_url_include.
– Set post_max_size.
– Use disable_functions to disable dangerous functions (exec, shell_exec, etc.).
– Limit PHP's access to the file system.
– Turn off enable_dl.
– Disable unnecessary PHP modules.
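Most of the items on the two hardening slides (Apache and PHP) boil down to a directive having a specific value, which makes them easy to check automatically. The following added example (not from the deck) parses a small httpd.conf excerpt and a php.ini excerpt and lists every directive that is not at the value the slides ask for: ServerTokens, ServerSignature, TraceEnable (the directive behind "disable TRACE"), FileETag, Options Indexes on the Apache side; expose_php, display_errors, allow_url_fopen, allow_url_include, enable_dl and disable_functions on the PHP side. The directive names are the real Apache and PHP ones; the two configuration excerpts are constructed, with several settings deliberately left insecure, and the parsers only understand flat `Directive value` / `key = value` lines (no `<Directory>` sections), which is an assumption of this example.

```python
import re

# Constructed excerpt of an httpd.conf with some settings left at insecure values.
APACHE_CONF = """\
ServerTokens OS
ServerSignature On
TraceEnable On
Options Indexes FollowSymLinks
FileETag None
"""

# Constructed excerpt of a php.ini, likewise partly insecure.
PHP_INI = """\
expose_php = On
display_errors = Off
allow_url_fopen = On
allow_url_include = Off
enable_dl = Off
disable_functions =
"""

# Expected values from the hardening slides.
APACHE_EXPECTED = {
    "ServerTokens": "Prod",
    "ServerSignature": "Off",
    "TraceEnable": "Off",
    "FileETag": "None",
}
PHP_EXPECTED = {
    "expose_php": "Off",
    "display_errors": "Off",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
    "enable_dl": "Off",
}
PHP_MUST_DISABLE = {"exec", "shell_exec"}  # the two functions the slide names explicitly


def parse_apache(text):
    """Map directive -> value for flat 'Directive value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name] = value.strip()
    return conf


def parse_ini(text):
    """Map key -> value for 'key = value' lines of php.ini; ';' comments are skipped."""
    ini = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        ini[key.strip()] = value.strip()
    return ini


def audit_apache(text):
    """Return one finding string per Apache directive that deviates from the slide."""
    conf = parse_apache(text)
    findings = [
        f"{name}: expected {want}, found {conf.get(name, '<unset>')}"
        for name, want in APACHE_EXPECTED.items()
        if conf.get(name, "").lower() != want.lower()
    ]
    # 'Indexes' counts as enabled unless it is written as '-Indexes'.
    if re.search(r"(?<![-+])\bIndexes\b", conf.get("Options", "")):
        findings.append("Options: directory listing enabled (Indexes); use Options -Indexes")
    return findings


def audit_php(text):
    """Return one finding string per php.ini setting that deviates from the slide."""
    ini = parse_ini(text)
    findings = [
        f"{key}: expected {want}, found {ini.get(key, '<unset>')}"
        for key, want in PHP_EXPECTED.items()
        if ini.get(key, "").lower() != want.lower()
    ]
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(PHP_MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions: still allows " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit_apache(APACHE_CONF) + audit_php(PHP_INI):
        print(finding)
```

Against the constructed excerpts the script reports four Apache findings and three PHP findings; once the values are corrected it reports none, which is the state a deploy pipeline should assert before putting a server into rotation. Directives that appear only inside `<Directory>` or `<VirtualHost>` blocks would need a section-aware parser, so treat the flat parsers as a starting point.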
Securing the Linux server
– Close unnecessary ports.
– Uninstall unnecessary applications, like an FTP server, if not required.
– Prevent IP spoofing.
– Harden Apache and PHP.
– Protect against DDoS.
– Install intrusion detection (PSAD).
– Use SELinux or AppArmor.
– Protect su by limiting access to the admin group only.
– Install denyhosts and fail2ban.