Here is a Guide on How To Securely Host Multiple Subdomains on LEMP on HP Cloud With Nginx PHP-FPM Settings & Router Ingress-Egress Policies. GNU/Linux, Nginx, MySQL/MariaDB and PHP is known as LEMP. Whenever we publish basic guide for the cloud servers, specially for OpenStack – be it HP Cloud or Rackspace; we normally install web softwares like WordPress on a single server. For better scalable setup we need many strategies, minimum of which is having a separate database server. We can scale in various ways depending on the need.
Securely Host Multiple Subdomains on LEMP in the Context of HP Cloud
It is practically easy to get rid of an attack and restore the website with OpenStack Raksha and Floating IP with at least one always working person from SSH side. Plus we use some minimum DDoS protection for the IaaS providers.
When the instances have one FQDN or part of the system like database we have lesser problem from the front end. But sometimes we need to host multiple subdomains or multiple domains – that is FQDN on a same server. It is technically difficult to allocate multiple IPs against one host on HP Helion OpenStack.
---
One example can be if we host WordPress wp-admin on a separate location. The setup becomes very complex and from our business experiences, we would suggest to use 100% enterprise grade help from either Rackspace or HP Cloud for such complicated setups. Ready skilled and experienced manpower is very important for these kind of setup.
Basic Security For Hosting Multiple Subdomains on LEMP in the Context of HP Cloud
Usually no hacking attempt take place on one server with many subdomains and domains for a basic reason – the domains and subdomains are actually not fully professionally used. We divide because we need cost reduction in that scenario. We are providing some help for infrastructure managed servers for server running multiple subdomains on LEMP. It is not exactly right idea that, if I divide the load in to subdomains, headache will decrease. Headache increases from the security point of view. More public facing servers, more problems.
For the router’s Ingress-Egress policy, we would suggest to keep only port 80 and if needed port 443 to keep opened. Functions like SNMP, SMTP for WordPress, ping etc. should be kept to off. It is obviously better to install OSSEC HIDS, port knocking etc.
We configure the hosts file in the way we described before to avoid sudo: unable to resolve host error. That is right. But we basically need to edit that /etc/hosts file to add a FQDN too :
1 2 | 127.0.0.1 admin.thecustomizewindows.com 10.0.0.37 admin.thecustomizewindows.com |
What we will do for the PHP5-FPM user & group part to control the chance of getting control by outsiders on one FQDN only, on /etc/php5/fpm/pool.d/, for each site/FQDN we will add a specific configuration. Example can be a file for admin.thecustomizewindows.com named admin.thecustomizewindows.com.conf :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | [admin.thecustomizewindows.com] user = admin.thecustomizewindows.com group = admin.thecustomizewindows.com listen = /var/run/php5-fpm-admin.thecustomizewindows.com.sock listen.owner = www-data listen.group = www-data php_admin_value[disable_functions] = exec,passthru,shell_exec,system php_admin_flag[allow_url_fopen] = off pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 chdir = / |
that line – listen = /var/run/php5-fpm-admin.thecustomizewindows.com.sock is already explained on on how to fix unix socket error. The linked article and articles linked from it are very important. There you’ll get the idea how we add more users on GNU/Linux.
So, user = admin.thecustomizewindows.com and group = admin.thecustomizewindows.com means, we have worked on this part to create group and users:
1 2 | sudo groupadd admin.thecustomizewindows.com sudo useradd -g admin.thecustomizewindows.com admin.thecustomizewindows.com |
Now if we run :
1 | sudo passwd admin.thecustomizewindows.com |
and then set a password, basically then that admin.thecustomizewindows.com account becomes locked. Without the private key, it becomes near impossible to login via that possible backdoor. Activating UNIX WHEEL group is a good idea.
The rest remains the same like we wrote to host multiple websites on Nginx for HP Cloud. Possibly you should read Hardening WordPress specific for this setup if you run WordPress.
