From 9c1abd8abdc30e5f8feb375d6a4e698c4b50825c Mon Sep 17 00:00:00 2001 From: Stefan Keller Date: Sun, 28 Jan 2024 17:36:15 +0100 Subject: [PATCH 1/4] First version of nice things to have --- .vitepress/config.mts | 4 + admin-guide/settings-you-might-want/index.md | 89 ++++++++++++++++++++ 2 files changed, 93 insertions(+) create mode 100644 admin-guide/settings-you-might-want/index.md diff --git a/.vitepress/config.mts b/.vitepress/config.mts index 46f2c43..759f99f 100644 --- a/.vitepress/config.mts +++ b/.vitepress/config.mts @@ -169,6 +169,10 @@ function navbar21() { text: 'Froxlor console scripts (CLI)', link: '/admin-guide/cli-scripts/' }, + { + text: 'Settings You Might Want', + link: '/admin-guide/settings-you-might-want/' + }, ] }, { diff --git a/admin-guide/settings-you-might-want/index.md b/admin-guide/settings-you-might-want/index.md new file mode 100644 index 0000000..286f6c8 --- /dev/null +++ b/admin-guide/settings-you-might-want/index.md @@ -0,0 +1,89 @@ +# Settings you might want + +There is a lot you can do with froxlor. However, some defaults may seem not very intuitive to you. This is - for the most part - on purpose. froxlor aims to be as lightweight as possible. It tries to only modify your system where necessary and otherwise tries to get along with the defaults. Things that are changed are for froxlor and its own services to work. **Froxlor is a toolkit. It is not meant to replace the administrator!** + +Yet, there are settings you might want to modify yourself This guide will give you a few points you may want to set for yourself as it's common to have them - or for web software to work. + +# Apache + +## `mod_rewrite` +An awful lot of PHP software these days uses `mod_rewrite` to create so-called clean URLs, e.g. `/my-first-post/` instead of `/index.php?p=69`. In order for this to work, you will need the module `rewrite` which is not enabled by default. To enable it, run these commands as root: +```shell +a2enmod rewrite +service apache2 restart +``` + +## HTTP/2 +You can enable support for HTTP/2 in froxlor on a per-domain basis. But it also has to be enabled in the web server itself. Furthermore, it only works with Apache's Multi-Processing-Module (MPM) `event` whereas the default is `prefork`. + +If you want to enable HTTP/2, and thus `mpm_event`, you first have to check, and maybe adjust and reconfigure, your PHP settings. Because `mpm_event` will not work with `mod_php` enabled. You would have to use FCGId or PHP-FPM instead. + +If you meet all requirements, you can enter these commands as root in your shell to enable HTTP/2 and mpm_event. +```shell +a2dismod php* mpm_prefork +a2enmod http2 mpm_event +``` + +Apache will check if there are no other incompatibilities and will tell you if there is something that needs your attention. If not, restart Apache now: +```shell +service apache2 restart +``` + +After you enabled `mpm_event`, you may want to adjust settings. You will find them in `/etc/apache2/mods-available/mpm_event.conf`. Every time you change something, you would have to restart Apache to apply your changes. + +## Hide `ServerSignature` and `ServerTokens` +Apache is a little chatty about itself in error messages and HTTP response headers. It is considered bad practise to have it disclose version numbers, or better yet, also loaded extensions. While you absolutely still should make sure all your packages are up-to-date, we on the other hand don't have to serve an attacker more information than necessary on a silver platter. + +To make Apache less chatty about itself, point your favorite editor to the file `/etc/apache2/conf-available/security.conf` and find the lines that start with `ServerTokens` and `ServerSignature` (and that are not comments, starting with a hash (`#`)). Change them accordingly: +``` +ServerTokens Prod +ServerSignature Off +``` + +# HTTPS/SSL + +## What settings should I use? +Froxlor allows you to specify settings that are related to SSL. You will find them in System > Settings > SSL settings. The most common usecase is HTTPS. The defaults froxlor comes with are selected with two considerations in mind: What would supported Linux distributions offer out of the box and what would be the best compromise between security and compatibility. + +### TLS protocol version +Decision here is fairly easy, TLSv1.2 is fine for most usecases. If your software is recent enough to support it, it won't hurt to **additionally** check TLSv1.3. TLSv1 and TLSv1.1 are considered insecure so only select those if you know you need them. If not, don't. + +## SSL ciphers +This is a list of methods on how a client should talk to the server. There are ciphers that are more or less considered broken, and there are those that are considered still fine. However, only relying on modern ciphers means that you'd exclude older browsers or services from getting a connection established. Because the list of what to use may change over time, we recommend you getting [a recent one from Mozilla](https://ssl-config.mozilla.org/). + +## Other settings to get you an A+ on SSLLabs +The other settings that would make common SSL testers happy can be found in your domain settings. You should enable the `SSL redirect` so the first order of business is to redirect a user from http to https. The other one is to enable `HTTP Strict Transport Security` and set it to at least one year (min. `31536000` seconds). Also, using `OCSP stapling` is considered best practise, e.g. [from Let's Encrypt](https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling). + +# MySQL/MariaDB +MySQL, and MariaDB for that matter, come with default settings from the last century (quite literally). They are meant to universally work, but not necessarily work well on modern systems. + +If you want to use your own settings, you should create a file in `/etc/mysql/conf.d/` that ends with `.cnf`, e.g. `/etc/mysql/conf.d/own.cnf`. You only need to adjust what you want changed, everything else is inherited from the defaults. + +::: tip +We will start our listings with the option group, e.g. `[mysqld]`. If you want to adjust multiple settings in the same group, it is perfectly sufficient to have it only once in your file. + +After each modification in configuration, you have to restart your database service in order to apply the changes: +```shell +service mysql restart +``` +::: + +## `max_connections` +One of the most common database error messages is `Too many connections`. This happens when MySQL's `max_connections` is lower than your web server's maximum clients that are served at any one time. So it would advisable to set this value higher than that - also to have a little buffer for edge-cases (such as some migration from one software to another, e.g. Drupal to WordPress). So if your web server is allowed to serve 500 clients at once, this setting should be around 550. + +You will find the relevant options in your web server configuration. For Apache using `mpm_event`, this would be in `/etc/apache2/mods-available/mpm_event.conf`, the setting `MaxRequestWorkers`. +``` +[mysqld] +max_connections = 550 +``` + +## `innodb_buffer_pool_size` +Nowadays, databases use InnoDB as their data structure which is a lot more robust than the old MyISAM but also requires more ressources. Unfortunately, default values as supplied out of the box are so that it works on a little Raspberry Pi as well, but on a real server, those values will result in a bad performance. + +The most important setting regarding InnoDB tables is `innodb_buffer_pool_size`. The database uses this as a buffer of frequently used data, both for reading and writing operations. So having a pool size that is too small means more disk access which is slower than your RAM. + +As a rule of thumb, the pool should be set to half of your available system memory. You definitely should check every once in a while if that works for your system, i.e. if it does not swap too hard, and see if you can make adjustments. So on a host with 64 GB of RAM in total, and 50 GB available, set it to 25 GB: +``` +[mysqld] +innodb_buffer_pool_size = 25G +``` From ba30a864b9e460b3fb310fc161c040dcdcc56067 Mon Sep 17 00:00:00 2001 From: Stefan Keller Date: Sun, 28 Jan 2024 19:17:26 +0100 Subject: [PATCH 2/4] Minor typos fixed --- admin-guide/settings-you-might-want/index.md | 31 ++++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/admin-guide/settings-you-might-want/index.md b/admin-guide/settings-you-might-want/index.md index 286f6c8..822bf7a 100644 --- a/admin-guide/settings-you-might-want/index.md +++ b/admin-guide/settings-you-might-want/index.md @@ -1,20 +1,20 @@ # Settings you might want -There is a lot you can do with froxlor. However, some defaults may seem not very intuitive to you. This is - for the most part - on purpose. froxlor aims to be as lightweight as possible. It tries to only modify your system where necessary and otherwise tries to get along with the defaults. Things that are changed are for froxlor and its own services to work. **Froxlor is a toolkit. It is not meant to replace the administrator!** +There is a lot you can do with froxlor. However, some defaults may not seem very intuitive to you. This is - for the most part - on purpose. Froxlor aims to be as lightweight as possible. It tries to only modify your system where necessary and otherwise to get along with the defaults. Things that are changed are for froxlor and its own services to work. **Froxlor is a toolkit. It is not meant to replace the administrator!** -Yet, there are settings you might want to modify yourself This guide will give you a few points you may want to set for yourself as it's common to have them - or for web software to work. +Yet, there are settings you might want to modify in your installation. This guide will give you a few points you may want to set for yourself as it's common to have them - or for web software to work. # Apache ## `mod_rewrite` -An awful lot of PHP software these days uses `mod_rewrite` to create so-called clean URLs, e.g. `/my-first-post/` instead of `/index.php?p=69`. In order for this to work, you will need the module `rewrite` which is not enabled by default. To enable it, run these commands as root: +An awful lot of PHP software uses `mod_rewrite` these days to create so-called clean URLs, e.g. `/my-first-post/` instead of `/index.php?p=69`. In order for this to work, you will need the module `rewrite` which is not enabled by default. To enable it, run these commands as root: ```shell a2enmod rewrite service apache2 restart ``` ## HTTP/2 -You can enable support for HTTP/2 in froxlor on a per-domain basis. But it also has to be enabled in the web server itself. Furthermore, it only works with Apache's Multi-Processing-Module (MPM) `event` whereas the default is `prefork`. +You can enable support for HTTP/2 in froxlor globally and then on a per-domain basis. But it also has to be enabled in the web server itself. Furthermore, it only works with Apache's Multi-Processing-Module (MPM) `event` whereas the default is `prefork`. If you want to enable HTTP/2, and thus `mpm_event`, you first have to check, and maybe adjust and reconfigure, your PHP settings. Because `mpm_event` will not work with `mod_php` enabled. You would have to use FCGId or PHP-FPM instead. @@ -29,27 +29,32 @@ Apache will check if there are no other incompatibilities and will tell you if t service apache2 restart ``` -After you enabled `mpm_event`, you may want to adjust settings. You will find them in `/etc/apache2/mods-available/mpm_event.conf`. Every time you change something, you would have to restart Apache to apply your changes. +After you've enabled `mpm_event`, you may want to adjust settings. You will find them in `/etc/apache2/mods-available/mpm_event.conf`. Every time you change something, you would have to restart Apache to apply your changes. ## Hide `ServerSignature` and `ServerTokens` -Apache is a little chatty about itself in error messages and HTTP response headers. It is considered bad practise to have it disclose version numbers, or better yet, also loaded extensions. While you absolutely still should make sure all your packages are up-to-date, we on the other hand don't have to serve an attacker more information than necessary on a silver platter. +Apache is a little chatty about itself in error messages and HTTP response headers. It is considered bad practice to have it disclose version numbers, or better yet, also loaded extensions. While you absolutely should make sure to keep all your packages up-to-date, we on the other hand don't have to serve an attacker more information than necessary on a silver platter. -To make Apache less chatty about itself, point your favorite editor to the file `/etc/apache2/conf-available/security.conf` and find the lines that start with `ServerTokens` and `ServerSignature` (and that are not comments, starting with a hash (`#`)). Change them accordingly: +To make Apache more discreet about itself, point your favorite editor to the file `/etc/apache2/conf-available/security.conf` and find the lines that start with `ServerTokens` and `ServerSignature` (and that are not comments, starting with a hash (`#`)). Change them accordingly: ``` ServerTokens Prod ServerSignature Off ``` +Again, don't forget to restart Apache to make these changes work. +```shell +service apache2 restart +``` + # HTTPS/SSL ## What settings should I use? -Froxlor allows you to specify settings that are related to SSL. You will find them in System > Settings > SSL settings. The most common usecase is HTTPS. The defaults froxlor comes with are selected with two considerations in mind: What would supported Linux distributions offer out of the box and what would be the best compromise between security and compatibility. +Froxlor allows you to specify settings that are related to SSL. You will find them in System > Settings > SSL settings. The most common use case is HTTPS. Froxlor comes with defaults that are selected with two considerations in mind: What would supported Linux distributions offer out of the box and what would be the best compromise between security and compatibility. ### TLS protocol version -Decision here is fairly easy, TLSv1.2 is fine for most usecases. If your software is recent enough to support it, it won't hurt to **additionally** check TLSv1.3. TLSv1 and TLSv1.1 are considered insecure so only select those if you know you need them. If not, don't. +Decision here is fairly easy, TLSv1.2 is fine for most use cases. If your software is recent enough to support it, it won't hurt to **additionally** check TLSv1.3 (because clients and your server will decide upon the initial handshake what they will use). TLSv1 and TLSv1.1 are considered insecure so only select those if you know you need them. If not, don't. ## SSL ciphers -This is a list of methods on how a client should talk to the server. There are ciphers that are more or less considered broken, and there are those that are considered still fine. However, only relying on modern ciphers means that you'd exclude older browsers or services from getting a connection established. Because the list of what to use may change over time, we recommend you getting [a recent one from Mozilla](https://ssl-config.mozilla.org/). +This is a list of methods on how a client should talk to the server. There are ciphers that are more or less considered broken, and there are those that are considered still fine. However, only relying on modern ciphers means that you'd potentially exclude older browsers or services from getting a connection established. Because the list of what to use may change over time, we recommend you to get [a recent one from Mozilla](https://ssl-config.mozilla.org/). ## Other settings to get you an A+ on SSLLabs The other settings that would make common SSL testers happy can be found in your domain settings. You should enable the `SSL redirect` so the first order of business is to redirect a user from http to https. The other one is to enable `HTTP Strict Transport Security` and set it to at least one year (min. `31536000` seconds). Also, using `OCSP stapling` is considered best practise, e.g. [from Let's Encrypt](https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling). @@ -69,7 +74,7 @@ service mysql restart ::: ## `max_connections` -One of the most common database error messages is `Too many connections`. This happens when MySQL's `max_connections` is lower than your web server's maximum clients that are served at any one time. So it would advisable to set this value higher than that - also to have a little buffer for edge-cases (such as some migration from one software to another, e.g. Drupal to WordPress). So if your web server is allowed to serve 500 clients at once, this setting should be around 550. +One of the most common database error messages is `Too many connections`. This happens when MySQL's `max_connections` is lower than your web server's maximum clients that are served at any one time. So it would be advisable to set this value higher than that - also to have a little buffer for edge-cases (such as some migration from one software to another, e.g. Drupal to WordPress). So if your web server is allowed to serve 500 clients at once, this setting should be around 550. You will find the relevant options in your web server configuration. For Apache using `mpm_event`, this would be in `/etc/apache2/mods-available/mpm_event.conf`, the setting `MaxRequestWorkers`. ``` @@ -78,9 +83,9 @@ max_connections = 550 ``` ## `innodb_buffer_pool_size` -Nowadays, databases use InnoDB as their data structure which is a lot more robust than the old MyISAM but also requires more ressources. Unfortunately, default values as supplied out of the box are so that it works on a little Raspberry Pi as well, but on a real server, those values will result in a bad performance. +Nowadays, databases use InnoDB as their data structure which is a lot more robust than the old MyISAM but also requires more resources. Unfortunately, default values as supplied out of the box are so that it works on a little Raspberry Pi as well, but on a real server, those values will result in a bad performance. -The most important setting regarding InnoDB tables is `innodb_buffer_pool_size`. The database uses this as a buffer of frequently used data, both for reading and writing operations. So having a pool size that is too small means more disk access which is slower than your RAM. +The most important setting regarding InnoDB tables is `innodb_buffer_pool_size`. The database uses this as a buffer of frequently used data, both for read and write operations. So having a pool size that is too small means more disk access which is slower than your RAM. As a rule of thumb, the pool should be set to half of your available system memory. You definitely should check every once in a while if that works for your system, i.e. if it does not swap too hard, and see if you can make adjustments. So on a host with 64 GB of RAM in total, and 50 GB available, set it to 25 GB: ``` From 9cf0cddc1937e48bf9822dd78329e4ac058dd5b7 Mon Sep 17 00:00:00 2001 From: Stefan Keller Date: Sun, 28 Jan 2024 22:22:14 +0100 Subject: [PATCH 3/4] Honoring The Styling Guide --- .vitepress/config.mts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.vitepress/config.mts b/.vitepress/config.mts index 759f99f..f8ffa86 100644 --- a/.vitepress/config.mts +++ b/.vitepress/config.mts @@ -170,7 +170,7 @@ function navbar21() { link: '/admin-guide/cli-scripts/' }, { - text: 'Settings You Might Want', + text: 'Settings you might want', link: '/admin-guide/settings-you-might-want/' }, ] From 5224c4a87fb8285a3f34af68742d569d9806f309 Mon Sep 17 00:00:00 2001 From: Stefan Keller Date: Mon, 29 Jan 2024 17:22:13 +0100 Subject: [PATCH 4/4] Typos --- admin-guide/settings-you-might-want/index.md | 48 ++++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/admin-guide/settings-you-might-want/index.md b/admin-guide/settings-you-might-want/index.md index 822bf7a..d68835c 100644 --- a/admin-guide/settings-you-might-want/index.md +++ b/admin-guide/settings-you-might-want/index.md @@ -1,38 +1,38 @@ # Settings you might want -There is a lot you can do with froxlor. However, some defaults may not seem very intuitive to you. This is - for the most part - on purpose. Froxlor aims to be as lightweight as possible. It tries to only modify your system where necessary and otherwise to get along with the defaults. Things that are changed are for froxlor and its own services to work. **Froxlor is a toolkit. It is not meant to replace the administrator!** +There are many things you can do with froxlor. However, some defaults may not seem very intuitive to you. This is - for the most part - intentional. Froxlor tries to be as lightweight as possible. It tries to modify your system only where necessary, and otherwise make do with the defaults. Things that are changed are for froxlor and its own services to work. **Froxlor is a toolkit. It is not meant to replace the administrator!** -Yet, there are settings you might want to modify in your installation. This guide will give you a few points you may want to set for yourself as it's common to have them - or for web software to work. +Still, there are settings you may want to change in your installation. This guide will give you some items you might want to set for yourself as it's common to have them - or for web software to work. # Apache ## `mod_rewrite` -An awful lot of PHP software uses `mod_rewrite` these days to create so-called clean URLs, e.g. `/my-first-post/` instead of `/index.php?p=69`. In order for this to work, you will need the module `rewrite` which is not enabled by default. To enable it, run these commands as root: +A lot of PHP software nowadays uses `mod_rewrite` to create so-called clean URLs, e.g. `/my-first-post/` instead of `/index.php?p=69`. For this to work, you need the `rewrite` module which is not enabled by default. To enable it, run these commands as root: ```shell a2enmod rewrite service apache2 restart ``` ## HTTP/2 -You can enable support for HTTP/2 in froxlor globally and then on a per-domain basis. But it also has to be enabled in the web server itself. Furthermore, it only works with Apache's Multi-Processing-Module (MPM) `event` whereas the default is `prefork`. +You can enable HTTP/2 support globally in froxlor and then on a per-domain basis. However, it must also be enabled in the web server itself. Also, it only works with Apache's Multi-Processing Module (MPM) `event`, while the default is `prefork`. -If you want to enable HTTP/2, and thus `mpm_event`, you first have to check, and maybe adjust and reconfigure, your PHP settings. Because `mpm_event` will not work with `mod_php` enabled. You would have to use FCGId or PHP-FPM instead. +If you want to enable HTTP/2 and thus `mpm_event`, you must first check your PHP settings and possibly adjust and reconfigure them. Because `mpm_event` will not work with `mod_php` enabled. You would have to use FCGId or PHP-FPM instead. -If you meet all requirements, you can enter these commands as root in your shell to enable HTTP/2 and mpm_event. +If you meet all the requirements, you can enter these commands as root in your shell to enable HTTP/2 and mpm_event. ```shell a2dismod php* mpm_prefork a2enmod http2 mpm_event ``` -Apache will check if there are no other incompatibilities and will tell you if there is something that needs your attention. If not, restart Apache now: +Apache will check to see if there are any other incompatibilities and tell you if there is anything that needs your attention. If not, restart Apache now: ```shell service apache2 restart ``` -After you've enabled `mpm_event`, you may want to adjust settings. You will find them in `/etc/apache2/mods-available/mpm_event.conf`. Every time you change something, you would have to restart Apache to apply your changes. +After you've enabled `mpm_event`, you may want to adjust the settings. You can find them in `/etc/apache2/mods-available/mpm_event.conf`. Each time you change something, you will need to restart Apache for your changes to take effect. ## Hide `ServerSignature` and `ServerTokens` -Apache is a little chatty about itself in error messages and HTTP response headers. It is considered bad practice to have it disclose version numbers, or better yet, also loaded extensions. While you absolutely should make sure to keep all your packages up-to-date, we on the other hand don't have to serve an attacker more information than necessary on a silver platter. +Apache is a bit chatty about itself in error messages and HTTP response headers. It is considered bad practice to make it reveal version numbers, or better yet, loaded extensions. While you should make sure all your packages are up to date, we don't need to hand an attacker more information than necessary on a silver platter. To make Apache more discreet about itself, point your favorite editor to the file `/etc/apache2/conf-available/security.conf` and find the lines that start with `ServerTokens` and `ServerSignature` (and that are not comments, starting with a hash (`#`)). Change them accordingly: ``` @@ -40,7 +40,7 @@ ServerTokens Prod ServerSignature Off ``` -Again, don't forget to restart Apache to make these changes work. +Again, don't forget to restart Apache for these changes to take effect. ```shell service apache2 restart ``` @@ -48,46 +48,46 @@ service apache2 restart # HTTPS/SSL ## What settings should I use? -Froxlor allows you to specify settings that are related to SSL. You will find them in System > Settings > SSL settings. The most common use case is HTTPS. Froxlor comes with defaults that are selected with two considerations in mind: What would supported Linux distributions offer out of the box and what would be the best compromise between security and compatibility. +Froxlor allows you to specify settings related to SSL. You can find them in System -> Settings -> SSL settings. The most common use case is HTTPS. Froxlor comes with defaults that were chosen with two considerations in mind: What supported Linux distributions offer out of the box and what is the best compromise between security and compatibility. ### TLS protocol version -Decision here is fairly easy, TLSv1.2 is fine for most use cases. If your software is recent enough to support it, it won't hurt to **additionally** check TLSv1.3 (because clients and your server will decide upon the initial handshake what they will use). TLSv1 and TLSv1.1 are considered insecure so only select those if you know you need them. If not, don't. +The choice here is fairly straightforward; TLSv1.2 is fine for most use cases. If your software is new enough to support it, it won't hurt to **additionally** select TLSv1.3 (because clients and your server will decide which to use on the first handshake). TLSv1 and TLSv1.1 are considered insecure so only select them if you know you need them. If you don't, don't. ## SSL ciphers -This is a list of methods on how a client should talk to the server. There are ciphers that are more or less considered broken, and there are those that are considered still fine. However, only relying on modern ciphers means that you'd potentially exclude older browsers or services from getting a connection established. Because the list of what to use may change over time, we recommend you to get [a recent one from Mozilla](https://ssl-config.mozilla.org/). +This is a list of methods for how a client should talk to the server. There are ciphers that are more or less considered broken, and there are those that are still considered good. However, relying only on modern ciphers means that you're potentially excluding older browsers or services from being able to connect. Since the list of what to use may change over time, we recommend getting [a recent one from Mozilla](https://ssl-config.mozilla.org/). -## Other settings to get you an A+ on SSLLabs -The other settings that would make common SSL testers happy can be found in your domain settings. You should enable the `SSL redirect` so the first order of business is to redirect a user from http to https. The other one is to enable `HTTP Strict Transport Security` and set it to at least one year (min. `31536000` seconds). Also, using `OCSP stapling` is considered best practise, e.g. [from Let's Encrypt](https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling). +## Other settings that will get you an A+ on SSLLabs +The other settings that would make most SSL testers happy can be found in your domain settings. You should enable `SSL redirect` so the first order of business is to redirect a user from http to https. The other is to enable `HTTP Strict Transport Security` and set it to at least one year (i.e. `31536000` seconds). Also, using `OCSP stapling` is considered best practice, e.g. [from Let's Encrypt](https://letsencrypt.org/docs/integration-guide/#implement-ocsp-stapling). # MySQL/MariaDB -MySQL, and MariaDB for that matter, come with default settings from the last century (quite literally). They are meant to universally work, but not necessarily work well on modern systems. +MySQL and MariaDB come with defaults from the last century (literally). They are meant to work universally, but may not work well on modern systems. -If you want to use your own settings, you should create a file in `/etc/mysql/conf.d/` that ends with `.cnf`, e.g. `/etc/mysql/conf.d/own.cnf`. You only need to adjust what you want changed, everything else is inherited from the defaults. +If you want to use your own settings, you should create a file in `/etc/mysql/conf.d/` that ends with `.cnf`, e.g. `/etc/mysql/conf.d/own.cnf`. You only need to change what you want to change, everything else is inherited from the defaults. ::: tip -We will start our listings with the option group, e.g. `[mysqld]`. If you want to adjust multiple settings in the same group, it is perfectly sufficient to have it only once in your file. +We will start our listings with the option group, e.g. `[mysqld]`. If you want to change several settings in the same group, it is sufficient to have it only once in your file. -After each modification in configuration, you have to restart your database service in order to apply the changes: +After each change to the configuration, you must restart your database service for the changes to take effect: ```shell service mysql restart ``` ::: ## `max_connections` -One of the most common database error messages is `Too many connections`. This happens when MySQL's `max_connections` is lower than your web server's maximum clients that are served at any one time. So it would be advisable to set this value higher than that - also to have a little buffer for edge-cases (such as some migration from one software to another, e.g. Drupal to WordPress). So if your web server is allowed to serve 500 clients at once, this setting should be around 550. +One of the most common database error messages is `Too many connections`. This happens when MySQL's `max_connections` is lower than the maximum number of clients your web server can serve at one time. So it would be advisable to set this value higher than that - also to have a little buffer for edge cases (such as some migrations from one software to another, e.g. Drupal to WordPress). So if your web server is allowed to serve 500 clients at once, this setting should be around 550. -You will find the relevant options in your web server configuration. For Apache using `mpm_event`, this would be in `/etc/apache2/mods-available/mpm_event.conf`, the setting `MaxRequestWorkers`. +You can find the appropriate options in your web server configuration. For Apache using `mpm_event`, this would be in `/etc/apache2/mods-available/mpm_event.conf`, the `MaxRequestWorkers` setting. ``` [mysqld] max_connections = 550 ``` ## `innodb_buffer_pool_size` -Nowadays, databases use InnoDB as their data structure which is a lot more robust than the old MyISAM but also requires more resources. Unfortunately, default values as supplied out of the box are so that it works on a little Raspberry Pi as well, but on a real server, those values will result in a bad performance. +Nowadays, databases use InnoDB as their data structure which is much more robust than the old MyISAM, but also requires more resources. Unfortunately, the default values that come out of the box are such that it works on a small Raspberry Pi, but on a real server, these values will result in poor performance. -The most important setting regarding InnoDB tables is `innodb_buffer_pool_size`. The database uses this as a buffer of frequently used data, both for read and write operations. So having a pool size that is too small means more disk access which is slower than your RAM. +The most important setting for InnoDB tables is `innodb_buffer_pool_size`. The database uses this as a buffer for frequently used data, both for read and write operations. So a pool size that is too small means more disk accesses which are slower than your RAM. -As a rule of thumb, the pool should be set to half of your available system memory. You definitely should check every once in a while if that works for your system, i.e. if it does not swap too hard, and see if you can make adjustments. So on a host with 64 GB of RAM in total, and 50 GB available, set it to 25 GB: +As a rule of thumb, the pool should be set to half of your available system memory. You should definitely check from time to time to see if this is working for your system, i.e. if it is not swapping too hard, and see if you can make adjustments. For example, on a host with a total of 64 GB of RAM and 50 GB available, set it to 25 GB: ``` [mysqld] innodb_buffer_pool_size = 25G