Introducing EasyApache’s Optimal Profiles

[ScottTh]

We are happy to announce the upcoming release of a new Profile page that will make EasyApache quicker and easier to use.

This new Profile page will include cPanel & WHM’s new Optimal Profiles. The purpose of the new profiles is to ensure that you will receive a safe and secure EasyApache build without having to access the Short or Exhaustive Options list. Each new Optimal Profile will include a selection of modules to match the current PHP version we recommend, and an Apache version that will deliver safe and reliable performance.

We will also introduce profiles that utilize the advantages of the CloudLinux operating system. One of the recommendations we make for CloudLinux users is to use the Apache MPM ITK module. This upcoming release will add the MPM ITK module to EasyApache. We will provide links to learn more about CloudLinux, and an opportunity to upgrade to the operating system.

Server administrators will continue to have access to the Short and Exhaustive Options list. You will still be able to create new profiles, customize any profile you save, and use previous profiles.

Below, we have included wire frame drafts of our new EasyApache Profile pages. Please note that these drafts do not reflect a finalized product and are subject to change. We welcome your comments and suggestions.



The cPanel Recommended Profiles page will allow system administrators to build EasyApache and learn more about CloudLinux.



The cPanel + Cloud Linux Profiles page will only be visible if a server has the CloudLinux operating system installed.

Look for these exciting changes before the end of 2013!

Reminder:
The EasyApache team would like to remind all users about the removal of several End of Life items. By the end of 2013, the following items will be removed from EasyApache:

Apache 1.3
Apache 2.0
PHP 5.2*
mod_frontpage*

*These items will be available as Custom Modules. You can read more about how to use and install Custom Modules at Impending End of Life Announcements from the EasyApache Team

 

[ThinIce]

Looks interesting, how will new installs deal with this? Taking a look at that first screenshot, am I correct in thinking that a vanilla new install (i.e. non cloud linux) will include a default "basic" build with suphp but the recommended configuration will be mod_ruid2 or mpm_itk depending on apache version? Or will a new install only fall back to basic / suphp if it can't (for whatever reason) build the recommended option?

 

[ScottTh]

Looks interesting, how will new installs deal with this? Taking a look at that first screenshot, am I correct in thinking that a vanilla new install (i.e. non cloud linux) will include a default "basic" build with suphp but the recommended configuration will be mod_ruid2 or mpm_itk depending on apache version? Or will a new install only fall back to basic / suphp if it can't (for whatever reason) build the recommended option?

Hi ThinIce,

Thanks for all the great questions! Let me try and answer them one by one:

"...how will new installs deal with this?"
New installs of EasyApache will display the cPanel Recommended Profiles only. After you have built EasyApache with one of those profiles, or constructed your own custom profile, the next time you run EasyApache you will see the Previously Saved Configuration section with the build you initially selected.

"...am I correct in thinking that a vanilla new install (i.e. non cloud linux) will include a default "basic" build with suphp but the recommended configuration will be mod_ruid2 or mpm_itk depending on apache version?"
Yes, the Basic profile will include SuPHP. You are correct that Recommended profiles will contain mod_ruid2 or MPM-ITK depending on which Apache version you'd like to us. The MPM-ITK Profile will only be available with Apache 2.2

"Or will a new install only fall back to basic / suphp if it can't (for whatever reason) build the recommended option?"
I'll try my best to answer this one, but you may need to let me know if I don't address your question. If you have selected one of the Recommended profiles the build should proceed just as if you selected the Basic profile. A Recommended profile build won't fall back to a Basic if it can't complete for whatever reason.

Please remember that the development process for this new profile page is an ongoing process. The final profile page and behavior may be slightly different than described here.

Let me know if you have any additional questions!

 

[ThinIce]

Hi Scott, thanks for the reply and the extra information. So a cPanel install on a new box will be running the default basic build with suphp as it does now. Would it be possible to have a way of setting it to build one of the other (recommended) two before running the cPanel install? I realise this will be less of an issue when everything is being pulled in with rpms eventually, but it'll save some time.

Looking at How to Configure Apache Pre-Installation perhaps you could pop the recommended profiles up for download for people performing new installs?

 

[ScottTh]

So a cPanel install on a new box will be running the default basic build with suphp as it does now. Would it be possible to have a way of setting it to build one of the other (recommended) two before running the cPanel install?

Looking at How to Configure Apache Pre-Installation perhaps you could pop the recommended profiles up for download for people performing new installs?

Hi ThinIce,

I believe I can help you out with this question too. Below is a link where you can download the profiles currently offered in EasyApache. This dynamic list will change when the new profile page is introduced so you will be able to download the two new Recommended profiles.

Index of /cpanelsync/easy/profiles/easy/apache/profile/custom/

Hope that helps and let me know if you have any more questions!

 

[Duplika]

Having a custom profile built for CloudLinux, with a compatible opcode configuration and optimized settings for shared hosting servers will be great.

 

[patchwork]

Having a good config using an opcode cache would be great, I've been changing my config for hours trying to find a working configuration, I can get xcache working but I then get apache crashes and seg faults, other configs stop everything working, some stop sessions from working. I really am finding it very hard to create a good fast and secure configuration.

Pete

 

[ScottTh]

Having a custom profile built for CloudLinux, with a compatible opcode configuration and optimized settings for shared hosting servers will be great.

Hi Juanzo,

You will also be able customize each of the recommended profiles to work best for you. While the recommended Cloud Linux profiles are configured for security and reliability you may want to experiment to find the best opcode configuration for your sever.

 

[patchwork]

I tried many different apache 2.2 / PHP 5.3 / xcache variations and ended up getting a lot of seg faults, in the end I decided to try apache 2.4, PHP 5.5 and the new builtin OPCache and I'm really impressed, it seems like a very good and stable combination.

 

[gwc_wd]

Focusing on the word "optimal," will this new profile approach provide an easy way to prevent loading modules or having directives that are not being used? For example there are a lot of Alias directives (such as for Interchange) that many systems do not use. I do not use and don't want to use WebDav - but does the LoadModule directive for it get executed anyway? I would like to remove all Languages and charsets except two. Having the least amount of "stuff" going on is not only optimal, but is better security against unforeseen vulnerabilities -- I recall some time ago there was an exploit against a charset variation for example.

The includes editor in WHM allows the addition of modules and directives but I don't see a way to delete defaults from the configuration other than going in manually, which I am not confident I can do without breaking something else. I'm not qualified to know what I'm doing <smile> which is kind of the point of Easy Apache...

 

[KurtN.]

We are using the word "optimal" to refer to the combination of software and environment that an administrator can install on their machine, in order to provide the highest quality of service and experience when using EasyApache.

Micro-optimizing a web server (and related configurations) is often dependent on a server's usage pattern. Thus, it is dependent on you to understand those patterns/needs, as it varies quite wildly from customer to customer. Often times this requires a great deal of metrics and experience to determine where speed/security improvements should take place; e.g. disk, cpu, memory, and network i/o optimizations.

Given that response, if you find that your customers don't need the software that is installed, we have, and will continue to support custom profiles and configuration templates.

 

[gwc_wd]

Given that response, if you find that your customers don't need the software that is installed, we have, and will continue to support custom profiles and configuration templates.

Thank you for appearing to answer my questions. As they may have been too wordy to be clear let me try again:

Will there be an easy way to disable or exclude modules from loading?

If the answer is "no" that's fine, but it would be nice to know that my question was understood.

Is being able to exclude Interchange and WebDav really considered "Micro-optimizing"?

Given the way CPanel approaches other tasks, it seemed to me to be possible to include checkboxes for those things in Tweak Settings or in the EasyApache setup. Perhaps excluding charsets, languages and icons is too micro. But entire unused modules should be seen as major configuration choices.

CPanel obviously thinks so too, to some degree, since it is possible to disable the WebDav server, despite all the directives continuing to be loaded in Apache. Ditto Interchange. Service disabled, but it continues to have gobs of entries in different server files. But no worries as I see no apparent damage from these inconsistencies.

 

[cPanelKenneth]

Will there be an easy way to disable or exclude modules from loading?

The ability to enable or disable modules (or, if you will include or exclude) will be as simple as it currently is. That part is not changing.

Is being able to exclude Interchange and WebDav really considered "Micro-optimizing"?

We pulled Interchange from cPanel & WHM in version 11.38. Could you provide more details on what Interchange items you see being loaded with Apache? We'd like to know what still needs cleaned up.

In regards to WebDav, could you also provide more details? What directives are still being loaded when webdav is disabled in EasyApache?

 

[wintech2003]

Any idea about when we can expect EasyApache’s Optimal Profiles?

 

[chrismfz]

Any idea about when we can expect EasyApache’s Optimal Profiles?

Look for these exciting changes before the end of 2013!

I think it's on its way :p

BTW I saw ITK in screenshots. Is it considered safe enough for use ? (Because of root privileges that it requires)

 

[ScottTh]

Any idea about when we can expect EasyApache’s Optimal Profiles?

Hi wintech2003,

We're continuing to work on the new Optimal Profiles. I don't have an exact date for you quite yet, but please stay tuned to this thread for additional updates. It's our hope to release these new profiles in the near future though.

Thanks for the question and for following our progress!

 

[ScottTh]

I think it's on its way :p

BTW I saw ITK in screenshots. Is it considered safe enough for use ? (Because of root privileges that it requires)

Hi chrismfz,

That's a great question about ITK. The release will include ITK support for Apache 2.2 only. This is due to ITK's established history and stability with Apache 2.2.

Do you have more specific questions about ITK and Apache 2.2 that we can help answer?

Thanks!

 

[chrismfz]

Hi chrismfz,

That's a great question about ITK. The release will include ITK support for Apache 2.2 only. This is due to ITK's established history and stability with Apache 2.2.

Do you have more specific questions about ITK and Apache 2.2 that we can help answer?

Thanks!

Got a few questions :D

From apache2-mpm-itk :
Configuration paragraph:

MaxClientsVHost: A separate MaxClients for the vhost. This can be useful if, ...[redacted]...you could use it to simply keep one site from eating way too much resources, but there are probably better ways of doing that.)

NiceValue: Lets you nice some requests down, to give them less CPU time.

Will you give an option to edit them globally or per vhost ?
Not very useful if someone's running CloudLinux but anyway some-kind-of useful...


And from Quirks and warnings:

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible) until the request is parsed and the vhost determined. This means that any code execution hole before the request is parsed will be a potential root security hole.

We cannot predict 0-day exploits but we gonna have to worry about this ?
(Defining "more": more over other ways to run apache like prefork/worker/etc)

 

[rachweb]

Hi chrismfz,

That's a great question about ITK. The release will include ITK support for Apache 2.2 only. This is due to ITK's established history and stability with Apache 2.2.

Do you have more specific questions about ITK and Apache 2.2 that we can help answer?

Thanks!

When we will have support for Apache 2.4? MPM-ITK is already supporting this version.

 

[ScottTh]

When we will have support for Apache 2.4? MPM-ITK is already supporting this version.

Hi rachweb,

The ITK project has made some recent strides to incorporate 2.4 support which is great. We're keeping our eyes on the project and will watch the forums and feature request site to gague the interest in adding 2.4 and ITK support. At this time we are not currently pursuing 2.4 and ITK support, but we're hard at work on providing 2.2 and ITK support here in the near future.

Please post a request for Apache 2.4 and ITK support here at the cPanel feature request site.

Thank you for the question!