A high-availability, high-performance and a bullet-proof secure hosting environment are sought by businesses and enterprises. But the configuration and building stack has perplexed many. Along with the setup and configuration it also brings in the task of performance-tweaking, security-hardening and of course update and management. All this makes it an unaffordable proposition for small businesses who run high-availability and business-critical websites. Most web-hosting environment charge exorbitant rates for on-boarding, migration, hosting and support. These vary and could be as much as $30 per month for a single site.
However such websites don’t necessarily need a virtual private server for hosting. Given sufficient resources and optimal configuration, multiple websites (upwards of 20 sites) can be hosted on a single server for as low as $100 per month for the server with no limit to visitors, storage and bandwidth. This essentially would come down to $5 per site for a premium enterprise-grade web-hosting. Here’s an overview of the building blocks of such a web-hosting environment.
A web-server stack essentially comprises of an operating system, the web-server daemon, the server-side caching mechanism and server-security configuration.
The choice of these building blocks of the server stack determine the difference between a mediocre hosting and a blazing fast, fully-optimized and secure hosting perhaps the likes of WP-Engine, Synthesis and the ilk.
Choosing the operating system
There are several factors to consider when choosing your web server’s operating system. This includes the stability, the release-cycle, the support-cycle, community support and the key philosophy behind the OS architecture. This is essentially different from choosing your desktop operating system where user-experience, user-interface etc. are key differentiators. Some of the most popular choices are:
- Ubuntu Server: Ubuntu has an excellent market-penetration, a wide user-base, support and also marketing presence. It’s based on Debian and uses the same package management system.
- Red Hat Linux: RHEL is the Linux distro from Red Hat targeted for the commercial market. Support is paid. RHEL has a good penetration in enterprise server environments. RHEL based OSes are a popular alternative to the paid support and to the Debian based Ubuntu Server OS. Red Hat Enterprise Linux release schedules are around 2 year.
- CentOS: This is the community version of RHEL with the RHEL trademarks stripped off the RHEL distro to avoid licensing issues.
- Fedora: The Fedora project is a community project sponsored by Red Hat. Fedora serves as upstream for future versions of RHEL. RHEL trees are forked off the Fedora repository, and released after a substantial stabilization and quality assurance effort. For example, RHEL 6 was forked from Fedora at the end of 2009 (approximately at the time of the Fedora 12 release) and released more or less together with Fedora 14. By the time RHEL 6 was released, many features from Fedora 13 and 14 had already been backported into it. In addition, the Fedora project includes Extra Packages for Enterprise Linux (EPEL), a community-provided set of packages for RHEL going beyond the ones that Red Hat selected for inclusion in its supported distribution. Fedora aims to be on the leading edge of free and open-source technologies.
- Others: There are many other options available like Amazon Linux, SUSE etc. Amazon Linux is a derivative of CentOS. The longer the chain of the derivative the longer it takes the technology to trickle in. It is understood to be more stable with the need to keep the security patches rolling in but often outdated in terms of technology. Your server requirements should determine which OS platform you’d want to side with. And as biased as it may sound, when it comes to a web-server environment, Windows / IIS is often at the bottom of my list.
It is the philosophy and development cycle of Fedora that helped me narrow down to it. Fedora pursues a three-pronged attack, aiming to be a developer’s paradise, a flexible server, and a strong base for a fast-moving container-centric future. The web is dynamic and evolving rapidly. The OS can be a critical factor in determining when the newest technologies become available. Most support articles for RHEL & CentOS apply to Fedora. The features in in the latest versions of Fedora trickle down into RHEL, CentOS and AMZ. When HTTP2 became supported in Chrome and Firefox, only Ubuntu and Fedora featured it out of the box.
The Web Server
Again in the open-source world, the choices are many. I’m going to cover only a few prominent ones.
- Nginx: Nginx was written with an explicit goal of outperforming the Apache web server (essentially to address the C10k problem — handling 10 thousand concurrent connections). Out of the box, serving static files, Nginx uses dramatically less memory than Apache, and can handle roughly four times more requests per second. But like they say, the devil lies in the details (pun intended). Will you only be serving static files? Nginx uses an asynchronous event-driven approach to handling requests. Nginx’s modular event-driven architecture can provide more predictable performance under high loads. All this performance boost comes at a cost of decreased flexibility.
- Apache: The most widely used web-server is also the most featureful and flexible. It can be extended via dynamically loaded modules. Instead of implementing a single architecture, Apache provides a variety of MultiProcessing Modules (MPMs), which allow Apache to run in a process-based, hybrid (process and thread) or event-hybrid mode, to better match the demands of each particular infrastructure. The Event MPM essentially matches up to the event-driven approach of Nginx.
There’s no right or wrong here. But the performance and feature-set you are looking for are the determining factors here. Apache and Nginx can’t be straight up compared. There are many trade-offs involved and the intended use-case and application determine the right choice. I intend to side with Apache running with the Event MPM because it not only addresses performance bottlenecks but also retains the features and flexibility of Apache.
Critical modules
- HTTP/2: The HTTP/2 module provides support for the HTTP/2 protocol, the successor of HTTP/1.1 protocol. It was derived from the earlier experimental SPDY protocol, originally developed by Google. The primary goals for HTTP/2 are to reduce latency by enabling full request and response multiplexing, minimize protocol overhead via efficient compression of HTTP header fields, and add support for request prioritization and server push. Simply put, HTTP/2 makes the client-server communication faster with it’s non-blocking request and response multiplexing. Also see: Why upgrading your Linux Kernel will make your customers much happier.
- Pagespeed Apache Module: mod_pagespeed is an Apache module. It dynamically optimizes the web pages (and included assets) and reduces latency and bandwidth. Since it’s an apache module, the optimization all happens on the server-side. The optimized resources are also cached on the disk (or optionally into an in-memory caching system like memcached).
- PHP 7 & MariaDB: PHP is a server-side scripting language. MariaDB is a drop-in replacement of MySQL RDBMS intended to remain free under the GNU GPL. Of course using these is totally optional and is determined by the application requirements.
Server Side Caching
Memcached and Redis are two popular choices for server-side in-memory caching. While Redis has its advantages over Memcached, the Pagespeed Apache module currently only supports Memcached. This becomes a determining factor else Redis has its perks.
SELinux
Security is paramount for any pro-grade server environment. A Linux kernel integrating SELinux enforces mandatory access control policies that confine user programs and system servers, access to files and network resources. Limiting privilege to the minimum required to work reduces or eliminates the ability of these programs and daemons to cause harm if faulty or compromised (via buffer overflows or misconfigurations, for example). This confinement mechanism operates independently of the traditional Linux (discretionary) access control mechanisms. It has no concept of a “root” super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries). SELinux was developed by NSA’s Trusted UNIX (TRUSIX) Working Group. SELinux security is based on Users, policies and security contexts.
An alternative to SELinux is AppArmor but is only available on SUSE Linux Enterprise Server. SELinux can be frustrating to implement and troubleshoot and most seasoned Linux administrators tend to turn it off and count on the network firewall. But once configured, SELinux systems are as secure as it gets out there.
Operating system, web-server, caching-mechanism and security stack are building blocks of a web hosting server. However the performance, robustness and security are not only determined by making the right choice of the alternatives but also expert configuration, repeated testing and tweaking. It is thus totally possible that a stack comprised of well-configured and tweaked relatively (perhaps) inferior packages outperforms the one known to be better performers out-of-the-box.
At Convertica, we offer fully managed WordPress hosting powered by Amazon Web Services EC2 instances running on Fedora comprising of Apache running Event MPM, HTTP2 & PageSpeed modules, PHP7 & MariaDB, Memcached and Selinux. If you are geeky, you can get your hands on it with our ultimate guide for installing WordPress on EC2 with latest Apache Event MPM, HTTP2, PHP7, Fedora, Memcached, Pagespeed, Mariadb & Selinux 2017
For a high-traffic, high-availability business WordPress site this hosting is perfect and set-it-and-forget-it types. It’s enterprise-class and fully optimized for WordPress (minus the compromises made by other hostings like limited support or no-support for certain WordPress plugins). With unlimited storage and visitors and powered by Amazon’s cloud infrastructure, this is as redundant and scalable as it gets with the best up-time available.