Ever since google started to like https sites, having more mass installation of SSL-and where you can. Overall, in addition to more harassment for servers we have and degradation in speed. The good thing is, that HTTP2 the standard for more than a year and a half is integrated in all major browsers and servers and http support sufficiently stable. Unfortunately there is no stable debian packages to keep in the main http servers HTTP2. The versions that are necessary for us to operate HTTP2 are as follows:

Mešanicata to me is great and according to be used depends on apache or nginx. I'm still not playing to let loose on the http2 apache debian 8 Since I've never had but have it so repoto backports, It won't be a big problem. For nginx has already played several times. Overall, the steps are few and relatively simple:

  1. Add nginx official repo – in debian is 1.6 x vesiâta. 🙄
  2. Install openssl yourself from backports is currently 1.0.2 (k) – What we need for alpn maintenance for all works and is fast
  3. you install the devscripts – This is the time to share that will bildnem our package because the official is compiled with openssl 1.0.1 t which does not work ALPN and not the browsers respond well and works only if http2-revving it
  4. inkrementirame the version to do not hold packages such as ciganiâta and there's a new version only to sinkenm sorsovete

Let's start step by step

Add nginx repo

deb http://nginx.org/packages/debian/ codename nginx
deb-src http://nginx.org/packages/debian/ codename nginx

Add a k dev openssl library 1.0.2 and otherwise bildnem it again with 1.0.1 I t is the target

echo 'deb http://ftp.debian.org/debian jessie-backports main' | tee /etc/apt/sources.list.d/backports.list

apt update && apt install libssl-dev -t jessie-backports


Now stuck to his add libraries needed for compilation of nginx

apt install devscripts

apt build-dep nginx

mkdir nginx-build

cd nginx-build

apt-get source nginx

If you are working correctly you should have a structure like

~/nginx-build # ll
total 1004
drwxr-xr-x 10 root root   4096 Feb 21 18:37 nginx-1.10.3
-rw-r--r--  1 root root 103508 Jan 31 17:59 nginx_1.10.3-1~jessie.debian.tar.xz
-rw-r--r--  1 root root   1495 Jan 31 17:59 nginx_1.10.3-1~jessie.dsc
-rw-r--r--  1 root root 911509 Jan 31 17:59 nginx_1.10.3.orig.tar.gz

Enter PPTA in which users code nginx in my case, this nginx-1.10.3 run the command with which incrementare version, I personally prefer to add 1 to this build

debchange --newversion 1.10.3-1

After you add a changelog and can proceed to the actual compilation

debuild -us -uc -i -I -b -j6

A little clarification on the configuration of the command:

-us -uc they say the script not to “signed” .dsc and changes files.. -i and -I make the script to ignore files for version control. -B to generate a binary only package. -j as with make how many parallel process to recompile 🙂


Once you've completed the above process should we install our new packages. If you have already installed nginx is better to uninstall it

apt remove nginx nginx-*

Also not a bad idea to make a backup of the nginx folder under /etc. In principle, when updating 1.6.5 to 1.10.3 I didn't have drama, but you never know. New Partei are in the higher-level directory, and must be installed with a command like:

dpkg -i ../*.deb

If everything went smoothly, you just have to launch the nginx process, and to set http2 that is not the purpose of this article.

We can easily kill all mysql queries to a specific user with elegant:

select concat('KILL ',id,';') from information_schema.processlist where user='user123';

Substitute user123 with us users want and we implement in mysql and everything is OK 🙂

New Debian Stable fact about a week and I shirbaha hands, it will update virtualdata to him, but I don't have time to today. As my day started early decided to devote time updates. Промених сорс листа ми като промених wheezy на jessie

sed -i "s/wheezy/jessie/g" /etc/apt/sources.list && apt-get update

Here, perhaps, 2 mirror:

  • MariaDB – this mirror is no longer necessary in wheezy includes version 10.0.6 in myself that I don't really.. After 5.5 Michelob and mysql is not entirely compatible, because currently urjtag back to mysql 5.5.42 – it is the default in jessie
  • DotDeb – I used it before, to php55 here also is not necessary because Jessie comes with 5.6.7-1

After azkarah extra mirrors and urjtag MariaDB from Mysql apt-get dist-upgrade on my pure, reboot and I already with Debian 8.0. I opened my web server, and to my surprise, worked here a long history – a few words with Nginx-my collected additional source with additional Directive. dpkg-l nginx-full 1.2 mdaaa someone forgot unhold-not packages. Unhold and upgrade all the plan nginx-and broke 😆 . Nginx and running, processes requests and php-fpm process is up and runnign but php code is not executed and not spit errors 🙄 MY FAVORITE.

After some research for a change I found the following passage

Fastcgi configuration issues ============================

shipped a modified nginx fastcgi_params, which declared fastcgi_param SCRIPT_FILENAME. This line has now been removed. From now on we are also shipping fastcgi.Conf from the upstream repository, which includes a sane SCRIPT_FILENAME parameter value.

So, if you are using fastcgi_params, you can try switching to fastcgi.conf or manually set the relevant parameters.

Bingo. I changed the virtual hosts to use fastcgi.conf instead, to make a rude noise, and all light. Then hit a quick diff to see the difference, which was between the 2nd apache

diff /etc/nginx/fastcgi_params /etc/nginx/fastcgi.conf
> fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;

I remember that pouring large configurations in virtualite hosts not a great idea. It remains to be precompilers again Nginx and add-ons that I want mod_sec + pagespeed but it can wait. Much more important is, the rule I repeat if you don't look at the sources and the 3rd costume performances not in Debian dist upgrade break-!


Anyone who deals with professional web hosting knows what a threat they represent infected users with malware, web shells etc. In the obšiât case is used maldet not a bad script. It is distinguished by 3 things

  1. Terribly slow
  2. It is horribly slow and if you drop it in the monitoring regime will mess with your server
  3. Maintain your own database with md5/hex definici for bad code.

Just his last feature makes it useful, as you can s″bmitvaš files which have not been detected so far, and at a later stage will enter into the database. As I shared in section 1 and 2 its speed is shockingly low – at low load of the machine 70 k file are scanned for about an hour and a half. For this reason I started to help my good friend by ShadowX Malmo – an alternative to the maldet written in python with a little more flexibility. Unfortunately due to lack of time (mainly but not only) We're not a finished project, which at the moment is not very usable – There are quite a few bugs that need to be cleaned. In the past few days I had problems with clients infected with CryptoPHP who had the huge public_html files ~ 60 k + inod-user. Since the total had to be scanned over 200 k file which in rough accounts would take 5+ hours I decided to Nip/Tuck maldet configuration, to reduce the files that will be scanned to a more reasonable number and time. While čopleh konfa I noticed the following lines

# Attempt to detect the presence of ClamAV clamscan binary
# and use as default scanner engine; up to four times faster
# scan performance and superior hex analysis. This option
# only uses ClamAV as the scanner engine, LMD signatures
# are still the basis for detecting threats.
# [ 0 = disabled, 1 = enabled; enabled by default ]

Interesting… Apparently, there is a possibility to use the ClamAV – who also is distinguished by its great speed but why not try. The quickly installed it

/scripts/update_local_rpm_versions --edit target_settings.clamav installed

/scripts/check_cpanel_rpms --fix --targets=clamav

I run maldet and click the small folder – I don't see a difference in speed and behavior – He used his perl-ski scanner instead of clamav. After a brief delving through the source I found maldet the following lines

 clamscan=`which clamscan 2> /dev/null`
 if [ -f "$clamscan" ] && [ "$clamav_scan" == "1" ]; then
        eout "{scan} found ClamAV clamscan binary, using as scanner engine..." 1
    for hit in `$clamscan -d $inspath/sigs/rfxn.ndb -d $inspath/sigs/rfxn.hdb $clamav_db -r --infected --no-summary -f $find_results 2> /dev/null | tr -d ':' | sed 's/.UNOFFICIAL//' | awk '{print$2":"$1}'`; do

Yes I did a which clamscan and to my great surprise I discovered that clamav is not in PATH-what a stupid Cpanel has left him only in/usr/local/cpanel/3rdparty/bin/from where he uses binarkite. A quick fix the problem ln:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/bin/clamscan

In re scan now maldet top reports

{scan} found ClamAV clamscan binary, using as scanner engine...

After already uses ClamAV maldet ends your scan 3-4-5 times faster than before. The test showed – 70k-izt″rkla inod them for about 25 min which is about 3 and a half times faster than before.

Before I start with another random hate toward 50 with OS ’ found that inside the cave I mean, that daily have to administriram her and know her from the first person singular quite well. Today I took my time to iztestvam the new magical unheard and unseen distrubitiven feature upgrade (pseudo) 😀 . The first thing that amazed me is, that RedHat in their infinite wisdom have decided to cease support for the x 86 architecture 🙄 . I am fully aware that we are 2014 and server processors 32 bits long are missing instructions. Yes but what users do on a small VPS and – h64 paw more RAM, However you look at it if you thin virtual machine with 512MB-1 GB of RAM will fight for every megabaj out of it and I'm not going to waste 20-30% from her just to use on the big set of instructions. Prepsuvah as I instalil x 86 and CentOS pulled a h64. Immediately I saw a difference in ISO's – ~ 100MB at minimal 6.5. Prepsuvah one more time. I installed again as virtualkata decided to see how well the RedHat have done their job – I took/var and/usr individual 😈 LVM partitions . After the installation I've updated all the packages I installed apache and, php, bind and mysql – It was interesting if they s″rvisite. I opened as a good student guide of CentOS for the update and started diligently to follow him step by step. When I reached the moment to start the actual upgrade this sloppy excuse me, I have a critical problem 🙄 . Review the detailed output – Yo/usr can't be on a separate partition, I knew 😆, you won't be disappointed in Jim Whitehurst and company. In addition to “extreme” There were a lot of problem messages for unsigned packages, konfizi files which do not match, etc.. WTF I didn't even use 3rd all repositories from their mirrors pulled down I hadn't done any settings just a simple yum install. It was already clear so quite bluntly forsirah upgrade. They freeze back diligently as finally asks me the script and it's over for/usr shares. I was too lazy, I try to fiksna it, either way, it was only for scientific research purposes there's no product to server nadgraždam at the moment. I caught my virtualkata I have reinstalled this time everything I pushed it in 1 share. Also I took a lesson, no updates any extra s″rv″si, After the installation a direct upgrade. The final step came up again dialogue dosaniât who told me, I have a pretty High problems – invalid packets, konfizi and so on and so forth but can continue. I knew from the start they don't make them like you have things. They freeze over and waited for the – Oh what a miracle the upgrade completed successfully. And everything worked, or at least the boot loader and I tried to install additional packages, but his command halt zavisvaše – huh has still had to bug 💡 . After this the whole crowded I decided to install a clean Centos 7 see if it growls for LVM partition in/boot – 6.5 does not allow such Audacity. I started my ISO's and I was mildly shocked by the installer – It was extremely convenient not “tidy”, but in order to fully is beautiful. After some struggle I managed with the cherished goal and Yes to install gasket, You should put out/boot-and beyond-👿 a LVM This is extremely serious and not annoying, If for some reason you forget to increase the size of the boot partition by 200MB and some old cores what happens.

Basically, I didn't expect anything and I'm still disappointed in CentOS.