I’ll go through a false positive example I found on my blog. False positives are inevitable, so it’s not a bad idea to run mod_security for a few weeks on detect only.

Here’s the url that was raising the alarm. The trigger was in the url.

http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/

Here’s what modsec_audit.log looked like

--f8a03521-A--
[21/Mar/2011:07:54:47 +1100] TYZpl0LcAZkAAHCLBPIAAAAA ::ffff:124.169.31.22 34169 127.0.0.1 81
--f8a03521-B--
GET /blog/2007/11/20/blue-tongue-harmonica-talk-cd/ HTTP/1.0
Host: chesterton.id.au
X-Real-IP: ::ffff:124.169.31.22
X-Forwarded-For: ::ffff:124.169.31.22
Connection: close
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.26 (KHTML, like Gecko) Ubuntu/10.10 Chromium/12.0.709.0 Chrome/12.0.709.0 Safari/534.26
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--f8a03521-Z--


Section B –f8a03521-B– contains the request headers, and you can see the GET is /blog/2007/11/20/blue-tongue-harmonica-talk-cd/.

Section H is the audit log, why it was blocked in this case.
[msg "System Command Injection"] [data "cd/"] so it didn’t like cd/, I’m not sure that cd/ (without a space between the cd and the directory) would do much on a unix system, but perhaps it does on windows, where apache also runs.

It also tells you the pattern that matched, the file where the rule is located and the rule id.
Pattern match “\bcd\b\W*?[\/]” at REQUEST_FILENAME. [file "/etc/apache2/modsecurity_crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "396"] [id "958821"]

What we can do, is when REQUEST_FILENAME = /blog/2007/11/20/blue-tongue-harmonica-talk-cd/ remove rule id 958821.

SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index.php)?$" "nolog,pass,ctl:RuleRemoveById=958821"


Add this rule to your local rules, the reason we don’t modify the base_rules is they get overwritten when there’s an update to the rules.

“pass” above means if the rule matches, keep processing other rules, so it will still catch xss for example:

http://chesterton.id.au/blog/2007/11/20/blue-tongue-harmonica-talk-cd/?a=%3Cscript%3Ealert(1)%3C/script%3E

I’d like to come back to this later and lock it down a little.

I’ve reinstalled apache and I’m in the process of cutting over my sites. Not completely, just for non static files, mainly php. Nginx is infront of apache serving static content and is a reverse proxy to apache which runs on 127.0.0.1:81

The reason? I want to give mod_security a spin. It’s loaded now, but it doesn’t seem to do much atm. Will read up on it in due season ;)

Basically, you google for nginx apache proxy wordpress wp-super-cache and you hit the right sort of pages to set it up. It wasn’t smooth sailing though, I used http://tech.nocr.at/tech/how-to-speed-up-wordpress-with-nginx-and-wp-super-cache/ which has a flaw.

It contains the lines at the end on the nginx config sample.
# all other requests go to WordPress
if (!-e $request_filename) {
rewrite . /index.php last;
}
and funnily enough, every url opened the front page of my blog. It took me a bit of head scratching before I commented the lines out, enabled mod_rewrite in apache, and toggled a wordpress permalink setting to get .htaccess written.

After I got it working, I read the comments and someone had already discovered the flaw. Plus another page I read is basically the same, except it’s missing those lines (it wasn’t as good looking, so I didn’t use it).

So I’m pretty happy that I understand the config now, and I’ll continue to cut over the remaining sites, then turn off php5-cgi. I’m also happy apache is back, I went a bit anti apache there for a while, but it has its uses, like mod_security for example.

I won’t go into too many details, I got everything I learned from google and my customisations aren’t very ground breaking.

Jdub tweeted about the wordpress apc object cache being updated. So I (re)installed that. I had it installed a while ago, but a wordpress upgrade broke it. http://wordpress.org/extend/plugins/apc/

Everyone knows about wp-super-cache, and there’s some good nginx recipes and discussions on the internet already about how to run the two together.

My blog isn’t very big, or updated very often, so I tried setting wp-super-cache to preload cache files once a day. Except after the first day, it seemed to get stuck and wouldn’t regenerate them. So now, it just generates (and compresses) them after the first visit and I’ve configured it so spiders can generate them, which isn’t the default. The cached files are set to expire after a day.

I’ve noticed recently that spiders are sometimes using the short url form ?p=100 rather than the long SEO style urls. With my nginx config, it won’t serve a super-cached file using the short url form. It won’t serve a super-cached file if the url has a ? in it.

This was new to me, a wordpress plugin called wp-minify. It’s an awesome idea. It combines multiple css (and, separately, js) links into one, minified version, and compresses and caches the result. So the browser only has to make one css get and one js get. Just helps pages load that little bit quicker. Good for the search engines, good for the users.

I set nginx to gzip text output, as well as look for a pre gzipped file first. So I basically ran:

for a in `find /www -name "*.js" -o -name "*.css" -o -name "*.html"`;do cat $a |gzip -c > $a.gz ;done

wp-recaptcha is a pain the bum when it comes to page load times, it slows the page display to one second. But it does a good job of stopping boring spam comments. auxesis suggested moving the <script src=…> to the end to the dom, which I’ve done, and that does help with the feel, it doesn’t reduce overall load time though. It’s just that I couldn’t find a good way to do it, and I’m going to have to merge my changes with every upgrade.

That’s about it I think, the name of the game was to decrease page load times.

Many years ago, I was a rabid (vapid?) PostgreSQL fanboi. I took the time to study how to tune postgres, it was very rewarding to see queries go from taking 30 seconds, to completing in under a second. This involved tuning knobs in the prostres config, to adding indexes. All done manually.

If some software would only work on mysql, I wouldn’t bother looking at it.

A few years ago I wanted to run WordPress on my Linode, I gave up my extremist software bias, and uninstalled postgres, and installed mysql. To tune it, I picked one of the three or four my.cnf files provided. And that was that. Although I gave up postgres for mysql, I showed it no love.

During my recent webserver admin gorge, I came across a shell script that would help you tune mysql’s knobs. Most knobs weren’t even mentioned in my my.cnf file, so were at the default. I found much delight in it telling me to raise this, and lower that. In the end, I ended up with mysql using about the same amount of memory, but much more efficiently, by using more memory here where required, and using less memory there where not needed.

The script is called tuning-primer.sh and can be found at http://www.day32.com/MySQL/.

It took me many days to tune my mysql databases, run the script, adjust knobs, restart mysql, let it run for a day or two, and repeat. It turns out some knobs don’t need adjusting until other knobs are adjusted first, so you can’t get it right the first go. Plus I was quite cautious in how much I would adjust a knob.

There’s also another script I haven’t yet looked at called mysqltuner.pl, google will hook you up.

And here’s some music I’ve been enjoying lately from Sia, (an adelaide girl) her live performances are better than her albums. Sia – Soon We’ll Be Found (Letterman)

I recently swapped over from lighty to nginx, and man, am I glad I did. I have no idea about the internals, which is faster, lighter, better, etc, but nginx is way more intuitive to configure. Which in the end means my server is set up better.

That kick started my latest obsession, speeding up web servers.

I might go into details in a later post, but first, a question. I’ve got my wordpress blog loading nice and quick, except for pages where you can leave a comment, the recaptcha pluggin slows down the display of the page to 1 second. Obviously this is unacceptable. 1 SECOND!!!!!

What I would like is a “leave a comment” link to be displayed at the end of the post or comments, and clicking it would load the comment box with the recaptcha.

Any ideas how I would go about it?

I’ve tried css tricks to hide divs, but the javascript and images still load and hold up the display of the page, even though they aren’t (immediately) displayed. Annoying.

…When I’m not working on linux, I’ve been working on some websites. Mainly blogs, but also some ebay affiliate sites that are usually attached to blogs. I’m trying to get 30 up to start with, but I’m not very commited, I’ve got five going, oldest one is five months old. Once I hit 30, I’ll aim for 100 ;);

I got interested in SEO for some reason, and have been honing my skills with these sites with the intent to make a little money. If I can make $1/day per site, that’s $10,000 a year. Very acheivable.

The basic idea is to pick a phrase, maybe a three word phrase, that has 100,000 hits or less in google and 100 searches for it a day (there’s various way to determine search volume, such as google keyword tool, google trends, and a few free SEO type sites). That will give you a good chance of getting on the front page of google for that phrase in the first week and getting some traffic. If you don’t hit the front page of google straight away, you might have to wait six months or so. You need to be patient in this game.

So far, with one blog that was very targeted I got the seventh result in google almost instantly. With another site that wasn’t so targeted, I’m nowhere to be seen. So with that last site, I’ll build up ten articles, and keep an eye on it for six months. With the first site, I’ll try to post once a week and build a few links by submitting articles to howto sites, and directories. In five months, it’s paid for itself already with only a few hours work put in to it, it has seven articles, traffic is increasing every month, I’m getting natural backlinks and subscriptions to the feed, as well as a few artifitial backlinks I’ve made. I’ve started targeting keywords that have more search volume.

To target a phrase, put it in the title, h1 tag, and anchor text in each post pointing back to the main page. Each page should have a unique title, though. Also put it in the anchor text of external links.

What I really enjoy is on page SEO and ad placement and look, what I don’t enjoy is creating artificatial links with the intent of getting an artifically high google rank. Even though google says SEO isn’t spam, I can’t help but think it’s spammy.

But I’m enjoying creating content, and studying SEO and marketing. I made my first ebay affiliate sale sale after 50 hits, very exciting. I might have a crack at amazon afiliate links next and incorporating ebay into wordpress, rather than a separate page.

BTW, targeting internet savvy people isn’t the easiest way to make money, they are blind to ads. Best to go after non techy people. I’m running ads on this site, but it’s dragging my CTR down. I’ll give it a few more months and then turn them off.

Just got to get these 30 sites up…