Ubuntu Production Setup on VPS/Server for Drupal - Part 2
This is part 2 of the setup, where we concentrate on making the server production ready. Part 1 focuses on the basic server setup needed to get Drupal running; you can find Part 1 here.
Performance
An opcode cache speeds up PHP considerably. We are using APC here; alternatives include XCache, eAccelerator, Zend Optimizer and others.
Install APC Opcode
This will install APC 3.0.18-1
Restart Apache for APC to take effect
Optimize MySQL
To get started quickly, get the tuning-primer.sh from MySQL Performance Tuning Primer Script
Get your MySQL root password ready
# ./tuning-primer.sh
It is recommended to let your site run for a few days to gather enough query data to know how your DB performs. The tuning-primer.sh script covers slow queries, worker threads, max connections, memory usage, key buffer, query cache, sort operations, join operations, open files limit, table cache, temp tables, table scans and table locking. You may want to refer to Tuning your MySQL server for a better idea of what each one does.
Throw in memcached to squeeze more out of the server.
To further boost webpage delivery performance, use Drupal's built-in caching, the Boost module to serve static pages to anonymous users, or deploy a lightweight reverse proxy (Squid, nginx, Varnish Cache).
Protect the Server
For SSH, it is good practice to change the port from 22 and disable root login. Add a new user before disabling root's SSH login.
Give yourself 'sudo' rights to assume the root role for administration tasks.
Edit /etc/ssh/sshd_config
Port 22
PermitRootLogin no
X11Forwarding no
Let's firewall our server to make us feel more secure. =)
We are using ufw, Ubuntu's firewall front-end, for easy configuration.
This will install iptables as well. Let's set the default to deny all traffic, allow HTTP and SSH traffic, and show the rules. Note that we enable ufw only after allowing SSH and HTTP; you don't want to lock yourself out of the server. ufw accepts either a port number or a service name.
# ufw allow http/tcp
# ufw allow 22/tcp
# ufw enable
# ufw status verbose
Logging: on
Default: deny
New profiles: skip
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
22/tcp ALLOW Anywhere
To remove a rule
To deny
To disable ufw
You can still use other firewall tools or the iptables command as usual. Take a look at the generated firewall rules
You may want to enable logging for the firewall
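The lock-out the section above warns about is easy to guard against in a script: read `ufw status` and refuse to run `ufw enable` until an ALLOW rule for the SSH port is already present. The script below is an added example, not part of the original article or of ufw itself; only the status parser runs in the demo, since `safe_ufw_enable` needs root and a real ufw, and the sample status text is constructed in the shape of the article's listing.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to run `ufw enable`
# until the rule set already allows the SSH port, which is the lock-out the
# article warns about. Only the status parser runs in the demo below;
# safe_ufw_enable needs root and a real ufw.

# ufw_allows_port STATUS PORT: succeed when STATUS (the text printed by
# `ufw status`) contains an ALLOW rule for PORT or PORT/tcp. Handles the
# "ALLOW" column of older ufw and the "ALLOW IN" column of newer releases.
ufw_allows_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        ($1 == (p "/tcp") || $1 == p) && ($2 == "ALLOW" || $3 == "ALLOW") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# safe_ufw_enable PORT: enable ufw only if PORT (the Port from sshd_config)
# is already allowed; otherwise explain and leave the firewall untouched.
safe_ufw_enable() {
    status=$(ufw status) || return 1
    if ufw_allows_port "$status" "$1"; then
        ufw enable
    else
        echo "refusing to enable ufw: no ALLOW rule for port $1; run 'ufw allow $1/tcp' first" >&2
        return 1
    fi
}

# Constructed sample in the shape of the article's `ufw status` listing
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere'

# Stand-alone demo: 22 is allowed in the sample, a moved SSH port 2222 is not
for port in 22 2222; do
    if ufw_allows_port "$SAMPLE_STATUS" "$port"; then
        echo "port $port allowed: safe to enable"
    else
        echo "port $port not allowed: enabling now would lock you out"
    fi
done
```

On a real server you would call `safe_ufw_enable 2222` (or whatever port you chose in sshd_config) in place of a bare `ufw enable`; the check is deliberately run against the port you actually moved SSH to, because a rule for 22 does nothing for you once sshd listens elsewhere.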
Apache
Make it harder for script kiddies: edit /etc/apache2/conf.d/security and change the following directives to
ServerSignature Off
TraceEnable Off
MySQL
Restrict MySQL to localhost only; edit /etc/mysql/my.cnf.
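The SSH, Apache and MySQL settings above are the kind of thing that quietly regresses after a package upgrade, so it is worth having a script that checks them rather than trusting memory. The script below is an added example, not from the original article or any of the projects it names. It assumes the plain "Key value" / "key = value" form used by sshd_config, Apache's conf.d/security file and my.cnf, and since the article names the MySQL file but not the line, it assumes the localhost restriction is `bind-address = 127.0.0.1`. The demo at the end runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the hardening
# directives from the SSH, Apache and MySQL sections.
# Assumptions: files use the "Key value" / "key = value" form of sshd_config,
# Apache's conf.d/security and my.cnf; the MySQL line assumed here is
# "bind-address = 127.0.0.1" (the article names only the file).

# directive_value FILE KEY: print the value of the first uncommented KEY line
# in FILE (sshd itself uses the first match; a duplicated key in the other two
# files is worth fixing anyway). Key comparison is case-insensitive.
directive_value() {
    sed -e 's/#.*$//' -e 's/=/ = /' "$1" | awk -v k="$2" '
        !done && tolower($1) == tolower(k) { print ($2 == "=") ? $3 : $2; done = 1 }'
}

# directive_is FILE KEY VALUE: succeed when KEY is set to VALUE (case-insensitive)
directive_is() {
    got=$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# audit_server SSHD_CONF APACHE_SECURITY MY_CNF
# Prints one line per check and returns the number of failed checks,
# so 0 means every setting from the article is in place.
audit_server() {
    fails=0
    for spec in \
        "$1|PermitRootLogin|no" \
        "$1|X11Forwarding|no" \
        "$2|ServerSignature|Off" \
        "$2|TraceEnable|Off" \
        "$3|bind-address|127.0.0.1"
    do
        f=${spec%%|*}; rest=${spec#*|}; k=${rest%%|*}; v=${rest#*|}
        if directive_is "$f" "$k" "$v"; then
            echo "ok   $f: $k $v"
        else
            echo "FAIL $f: expected $k $v"
            fails=$((fails + 1))
        fi
    done
    # sshd listens on 22 when Port is absent, so a missing Port counts as 22
    port=$(directive_value "$1" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FAIL $1: SSH still on port 22"
        fails=$((fails + 1))
    else
        echo "ok   $1: SSH on port $port"
    fi
    return "$fails"
}

# Stand-alone demo on constructed files; on a real server pass
# /etc/ssh/sshd_config /etc/apache2/conf.d/security /etc/mysql/my.cnf
demo_dir=$(mktemp -d)
printf 'Port 2222\nPermitRootLogin no\nX11Forwarding no\n' > "$demo_dir/sshd_config"
printf 'ServerSignature Off\nTraceEnable Off\n' > "$demo_dir/security"
printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$demo_dir/my.cnf"
audit_server "$demo_dir/sshd_config" "$demo_dir/security" "$demo_dir/my.cnf" \
    || echo "$? check(s) failed"
rm -rf "$demo_dir"
```

The return value is the number of failed checks, so the script drops straight into a cron job or a Monit `check program` without any extra parsing.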
Give it Attention
Monitor the services to ensure they are running fine, get alerted when there is a sign of a problem, and have them fixed automatically when a rule triggers. We are using Monit for this purpose. Alternatively you can use Nagios, Zabbix, or an online website checker.
# mkdir /etc/monit.d
Edit the configuration file /etc/monit/monitrc. We changed it to check every minute, log to syslog, use localhost as the SMTP server, queue alerts under /var/monit (up to 100 of them), set the user who receives all the alerts, and include all configuration files found under /etc/monit.d, which we created in the previous step.
set logfile syslog facility log_daemon
set mailserver localhost
set eventqueue basedir /var/monit slots 100
set alert johndoe@foo.bar
include /etc/monit.d/*
Head over to the Configuration Examples and copy and paste the pieces into separate files under /etc/monit.d for easy maintenance.
Backup, backup, backup
We use Backup and Migrate to dump the database to the Drupal files folder on a schedule, and back that up together with the rest of the web folder, /var/www.
There are a lot of backup solutions depending on your needs. You could use
- Linode's backup service,
- backup to another server using Amanda, Bacula, rsnapshot, rdiff-backup, Duplicity or just plain rsync,
- storage services like Amazon S3 or rsync.net,
- or just tar and gzip.
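The "just tar and gzip" option covers more than a one-line tar command if it is going to be trusted: the archive should be verified before it is counted as a backup, and old copies should be rotated so the disk does not fill up. The script below is an added example, not from the original article or from any backup tool it names. /var/www is the article's web root; the destination directory in the comments is a made-up placeholder, and the demo works on a constructed tree in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original article: the "just tar and gzip"
# option as a small script, with the two things a bare tar command lacks:
# verify the archive is readable, and keep only the newest N copies.
# /var/www is the article's web root; /srv/backups below is a made-up
# destination (in practice use a separate disk, another server or S3).

# backup_tree SRC DEST_DIR: archive directory SRC into
# DEST_DIR/<name>-YYYYmmdd-HHMMSS.tar.gz, verify it, and print its path.
backup_tree() {
    src=$1; dest=$2
    name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d-%H%M%S).tar.gz"
    mkdir -p "$dest" || return 1
    # -C so members are stored as "name/..." rather than absolute paths
    tar -czf "$archive" -C "$(dirname "$src")" "$name" || return 1
    # a backup that cannot be listed cannot be restored: discard it
    tar -tzf "$archive" > /dev/null 2>&1 || { rm -f "$archive"; return 1; }
    printf '%s\n' "$archive"
}

# list_backups DEST_DIR NAME: the NAME-<stamp>.tar.gz files, oldest first
# (the stamp sorts chronologically, so a plain sort is enough)
list_backups() {
    ls -1 "$1" | grep "^$2-[0-9]\{8\}-[0-9]\{6\}\.tar\.gz$" | sort
}

# prune_backups DEST_DIR NAME KEEP: delete all but the KEEP newest archives
prune_backups() {
    dir=$1; name=$2; keep=$3
    total=$(list_backups "$dir" "$name" | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    list_backups "$dir" "$name" | head -n "$excess" | while read -r f; do
        rm -f "$dir/$f"
    done
}

# Stand-alone demo on a constructed tree; on the server the two calls would
# be "backup_tree /var/www /srv/backups" and "prune_backups /srv/backups www 7"
demo=$(mktemp -d)
mkdir -p "$demo/www/sites/default/files"
echo 'constructed sample dump' > "$demo/www/sites/default/files/site.mysql"
backup_tree "$demo/www" "$demo/backups"
prune_backups "$demo/backups" www 7
rm -rf "$demo"
```

Run from cron after Backup and Migrate has written its dump, so the database copy under sites/default/files lands in the same archive as the code and uploaded files; copying the resulting archive off the machine is the part that turns this from a snapshot into a backup.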
That wraps up the second part of our server setup articles. A lot of areas are only briefly mentioned, as they deserve a full-blown article of their own. Share your experience with us using the comment form below.