
Optimization and Basic Problem Solving

Basic problems

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

HASH BUCKET MEMORY PROBLEM

http://nginx.org/en/docs/hash.html

To avoid a possible hash bucket memory problem that can arise from adding additional server names, it is necessary to adjust a single value in the /etc/nginx/nginx.conf file. Open the file:

Bash
sudo nano /etc/nginx/nginx.conf

Find the server_names_hash_bucket_size directive and remove the # symbol to uncomment the line. If you are using nano, you can quickly search for words in the file by pressing CTRL and w. In Google Cloud environments, you need to use CTRL and Q to search for words in the file.

Note: Commenting out lines of code – usually by putting # at the start of a line – is another way of disabling them without needing to actually delete them. Many configuration files ship with multiple options commented out so that they can be enabled or disabled, by toggling them between active code and documentation.

Bash
...
http {
    ...
    server_names_hash_bucket_size 64;
    ...
}
...

Save and close the file when you are finished.

Next, test to make sure that there are no syntax errors in any of your Nginx files:
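The uncommenting step can also be scripted and checked before the syntax test. This is an added example, not part of the original tutorial; the function names and the sample configuration are constructed. On a real server you would run enable_hash_bucket against /etc/nginx/nginx.conf as root and then run `sudo nginx -t`.

```shell
#!/bin/sh
# Added example: function names and the sample config are constructed.

# Print the state of server_names_hash_bucket_size in a config file:
# "active", "commented" or "missing".
hash_bucket_state() {
    conf=$1
    d='server_names_hash_bucket_size[[:space:]]+[0-9]+;'
    if grep -Eq "^[[:space:]]*$d" "$conf"; then
        echo active
    elif grep -Eq "^[[:space:]]*#[[:space:]]*$d" "$conf"; then
        echo commented
    else
        echo missing
    fi
}

# Uncomment the directive in place, keeping the original as <file>.bak.
# No-op when already active; fails when the directive is absent.
enable_hash_bucket() {
    conf=$1
    case $(hash_bucket_state "$conf") in
        active)  return 0 ;;
        missing) echo "directive not found in $conf" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)#[[:space:]]*(server_names_hash_bucket_size[[:space:]]+[0-9]+;)/\1\2/' \
        "$conf.bak" > "$conf"
}

# Demo on a constructed config in a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nginx.conf" <<'EOF'
http {
    # server_names_hash_bucket_size 64;
}
EOF
echo "before: $(hash_bucket_state "$demo_dir/nginx.conf")"
enable_hash_bucket "$demo_dir/nginx.conf"
echo "after:  $(hash_bucket_state "$demo_dir/nginx.conf")"
rm -rf "$demo_dir"
```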

Nginx Security Checklist

https://www.nginx.com/blog/nginx-security-checklist/

Hardening MySQL

After the installation is complete, it is recommended to run the security script that comes pre-installed with MySQL. This script removes some insecure defaults and restricts access to the database system. Run the following command to start the script:

Bash
sudo mysql_secure_installation

You will be asked if you want to configure the VALIDATE PASSWORD PLUGIN.

Note: If enabled, MySQL will reject passwords that do not meet the specified criteria. Leaving validation disabled is safe, but the system should always use strong, unique passwords for database credentials.

Answer Y for yes, or anything else to continue without enabling it:

Bash
Output
VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?
Press y|Y for Yes, any other key for No:

If you answer "yes", you will be asked to select a password validation level. If you select the strongest level, 2, you will receive errors when trying to set a password that does not contain numbers, uppercase and lowercase letters, or special characters:

Bash
Output
There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1

Regardless of whether the VALIDATE PASSWORD PLUGIN is selected, the server prompts you to select and confirm a password for the MySQL root user (root). This should not be confused with the system root user. The database root user is an administrative user with full rights to the database system. Although the default authentication method for MySQL root does not use a password, even if one is set, a strong password should be set as an additional security measure.

If you have enabled password validation, you will be shown the strength of the root password you entered and your server will ask if you want to continue with this password. If you're happy with your current password, press Y for "yes" at the prompt:

Bash
Output
Estimated strength of the password: 100 
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y

For the other questions, press Y and then ENTER at each prompt. This will remove some anonymous users and the test database, disable remote logins, and load these new rules so that MySQL immediately follows your changes.

Let's test whether we can log into the MySQL console:

Bash
sudo mysql

This will connect to the MySQL server as the administrative database user root.

Bash
Output
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.28-0ubuntu4 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Exit the MySQL console by typing the following:

Bash
exit

Note that there was no need to provide a password when connecting as root, even though one was set when running the mysql_secure_installation script. This is because when installed on Ubuntu, the default authentication method for the admin MySQL user is auth_socket instead of a method using a password. This may seem like a security concern at first, but it makes the database server more secure because the only users who can log in as MySQL root are system users with sudo privileges who connect from the console or through an application running with the same privileges. In practice, this means that it is not possible to use the administrator database root user to connect from a PHP application.

For added security, it is best to have separate user accounts assigned to each database with less extensive privileges, especially if multiple databases are to be maintained on the server.
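One way to follow this advice, as an added example that is not part of the original tutorial: the script below emits SQL that lists each account's authentication plugin and creates one account limited to one database. The names example_db and example_user and the function names are hypothetical, and IDENTIFIED BY RANDOM PASSWORD assumes MySQL 8.0.18 or later.

```shell
#!/bin/sh
# Added example: example_db / example_user and the function names are hypothetical.

# Accept only [A-Za-z0-9_] so a name can be embedded in SQL text safely.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit SQL that creates one least-privilege account for one database.
app_user_sql() {
    db=$1
    user=$2
    if ! valid_name "$db" || ! valid_name "$user"; then
        echo "invalid database or user name" >&2
        return 1
    fi
    cat <<EOF
-- Authentication plugin per account; on Ubuntu, root should show auth_socket.
SELECT user, host, plugin FROM mysql.user;
CREATE DATABASE IF NOT EXISTS \`$db\`;
-- Server-generated password, shown once in the result set (MySQL 8.0.18+).
CREATE USER '$user'@'localhost' IDENTIFIED BY RANDOM PASSWORD;
-- Data access on this one database only; no global or administrative rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'localhost';
SHOW GRANTS FOR '$user'@'localhost';
EOF
}

# Print the SQL for review. To apply it on the server:
#   app_user_sql example_db example_user | sudo mysql
app_user_sql example_db example_user
```

The application then connects as the new account with the generated password, while root remains reachable only through auth_socket.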