Optimize HestiaCP for speed and fast WordPress

HestiaCP is an actively developed fork of popular VestaCP, whos development somewhat stalled in the last little while.

This guide in ispired by excelent post on the official HestiaCP forum by user desp:
How to optimize memory and speed?

Here are three easy steps:

1. Determine hosting/server provider speed

Use excelent YABS script to determine the speed of your hosting solution.

*Geekbench 6 update: since 27 Feb 2023 update YABS uses Geekbench 6 as default benchmark – we’ll use flag -5 to run version 5 so we can compare the results.

wget -qO- yabs.sh | bash  -s -- -5

Or if you just want Geekbench score (skipping disk (fio) -f and network (iperf) -i tests):

wget -qO- yabs.sh | bash -s -- -5fi

Test will return something like this:

Geekbench 5 Benchmark Test:
---------------------------------
Test            | Value                         
                |                               
Single Core     | 832                           
Multi Core      | 867                           
Full Test       | https://browser.geekbench.com/v5/cpu/<test_id_number>

Single core performance is the score we are interested in:

1000 or more	Great core performance, very good provider
700 – 1000	Normal performance, okay provider
500 – 700	Normal performance, can be better
500 or less	Awful performance, avoid the provider

Keep in mind, it’s the performance and page speed we’re after, if this is storage/backup optimized server with SAS (spinning) drives, lower numbers are completly accaptable.

Disk performance (IOPS):

fio Disk Speed Tests (Mixed R/W 50/50):
---------------------------------
Block Size | 4k            (IOPS) | 64k           (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 22.76 MB/s    (5.6k) | 173.71 MB/s   (2.7k)
Write      | 22.76 MB/s    (5.6k) | 174.62 MB/s   (2.7k)
Total      | 45.52 MB/s   (11.3k) | 348.33 MB/s   (5.4k)
           |                      |
Block Size | 512k          (IOPS) | 1m            (IOPS)
  ------   | ---            ----  | ----           ----
Read       | 170.55 MB/s    (333) | 213.61 MB/s    (208)
Write      | 179.61 MB/s    (350) | 227.84 MB/s    (222)
Total      | 350.16 MB/s    (683) | 441.45 MB/s    (430)

1000 or more

Great performance, SSD/NVMe with high IOPS

RAM is not as important unless you’re running into heavy swapping.

Now that we established our KVM VPS / dedi server is fast enough, we can move on to the next step.

2. Lean HestiaCP install

Classic installation of hestiaCP will result in good enough general setup, that works for most, but it costs us performance. It uses Apache as webserver and Nginx only for caching proxy. Apache is slow.

So let’s trim of the fat and install only
Nginx + PHP + MySQL/MariaDB – without Apache.

Let’s use the handy Install string generator:

For example:

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh

sudo bash hst-install.sh --apache no --phpfpm yes --multiphp no --vsftpd no --proftpd no --named no --mysql yes --postgresql no --exim yes --dovecot yes --sieve no --clamav no --spamassassin no --iptables yes --fail2ban yes --interactive yes

This will give us minimal installation, without BIND (DNS), and only EXIM as mailing solution.

3. Set WordPress template and caching

Set tamplate

Edit Web domain → Advanced Options → Web Template → WordPress

Set caching

Enable Fast CGI Cache
Set Cache duration → 5m, 10m
(if you have a lot of dynamic content, you can try microcache of 30s).

That’s it on the HestiaCP side, now your website should be crazy fast. For further optimisations, look into optimizing WP plugins and theme code.

HestiaCP fresh install & cleanup

HestiaCP is an actively developed fork of popular VestaCP, whos development somewhat stalled in the last little while.

There’s a couple of steps we can take to make our crispy fresh HestiaCP install even crispier!

Depending on your needs, you can make a full install and then remove unnecessary packages, or you can opt to not include it in the installation in the first place:

Install options

First, we need to download the installation script:

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install.sh

No we can add additional parameters to install only what we need
(-h lists all available options or use the Install string generator):

bash hst-install.sh -h

Installing without Bind and with Multi-PHP support:

bash hst-install.sh -k no -o yes

You can of course customise your installer, depending on your specific server use case (for DNS cluster, there is no use of vsftp/apache/nginx and so on).

Set host domain SSL certificate (Lets Encrypt)

To set or update host domain certificate, first generate Lets Encrypt certificate for a specific hostname (domain) for one of the users in the GUI control panel or CLI, then run the following command in CLI:

Parameters: [USER] [HOSTNAME]
v-update-host-certificate admin domain.com

Restore user or only specific domain

Restoring complete user data from a HestiaCP (or VestaCP) backup:

v-restore-user admin admin.2020-07-10.tar

We can also restore only a specific domain, database, or any other part of the user data from the backup tar file. Let’s say we just want to restore domain.com and its respectful database admin_domaindb, while saving the log file to restore.log:

USER BACKUP [WEB] [DNS] [MAIL] [DB] [CRON] [UDIR] [NOTIFY]
v-restore-user admin admin.2020-07-10.tar 'domain.com' 'no' 'no' 'admin_domaindb' 'no' 'no'  yes >> /usr/local/vesta/log/restore.log 2>&1

Change domain and DB owner

To move domain to another user (change the owner of the domain):

v-change-domain-owner domain.com newuser

To move database to another user (change the owner of the database):

v-change-database-owner db_name newuser

Get the DKIM public key

Run the following command to get the DKIM public key:

v-list-mail-domain-dkim USER DOMAIN [FORMAT]

Use the public key in TXT record in your DNS:

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=<your_public_key>"

UFW or iptables redirect (forward) to new IP

A simple steps for redirecting, forwarding or tunnelling all traffic from one host IP to another in Ubuntu.

Using UFW

Edit /etc/default/ufw to accept forwarding requests:

 DEFAULT_FORWARD_POLICY="ACCEPT"

Edit /etc/ufw/sysctl.conf to allow IP forwarding:

net.ipv4.ip_forward=1

Edit /etc/ufw/before.rules and add the following before *filter options:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
COMMIT

On some configurations, MASQUERADE option needs to be enabled as well:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
-A POSTROUTING -j MASQUERADE
COMMIT

Reload and commit the new rules:

ufw reload

Using iptables

Edit /etc/sysctl.conf to allow IP forwarding (add or uncomment):

net.ipv4.ip_forward=1

Save the existing rules using iptables-save:

iptables-save > /etc/iptables/rules.v4

Edit /etc/iptables/rules.v4 and add the following before *filter options:

*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination external_ip:8080
COMMIT

Again, if you need to MASQUERADE, add the line before the COMMIT:

:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE

Restore the edited rules with iptables-restore:

 iptables-restore < /etc/iptables/rules.v4

To make the rules persistent on the system reboot, use iptables-persistent or custom solution with on-boot scripts.

Recursively chmod files (or folders) only

Modifying permissions with chmod and using recursive -R tag is handy, but it will be executed on both, files and folders:

chmod -R 755 /path/to/directory

To change permissions on files (or folders) inside directory structure, we can use the following commands:

Files only

cd /path/to/directory
find . -type f -exec chmod 644 -- {} +

Folders only

cd /path/to/directory
find . -type d -exec chmod 755 {} +

VestaCP fresh install cleanup

There’s a couple of steps we can take to make our crispy fresh VestaCP install even crispier!

Depending on your needs, you can make a full install and then remove unnecessary packages, or you can opt to not include it in the installation in the first place:

Install without Softaculous and PostgreSQL

First, we need to download the installation script:

curl -O http://vestacp.com/pub/vst-install.sh

No we can add additional parameters to install without Softaculous and PostgreSQL:

bash vst-install.sh --softaculous no --postgresql no

These are two packages we don’t use so we usually skip them. You can of course customize your installer on VestaCP’s official advanced install settings site, depending on your specific server use case (for DNS cluster, there is no use of vsftp/apache/nginx and so on).

Remove Softaculous

In case you already installed Softaculus and wish to remove it, you can disable it in the web GUI, but it usually still sends update email notifications. To completely disable it, run these three commands:

/usr/local/vesta/bin/v-delete-vesta-softaculous

And remove the crontab files:

rm -rf /etc/cron.d/softaculous
rm -rf /etc/cron.d/softaculous2

Remove pre-made user packages

We can do some additional cleanup and remove the (usually unused) user demo packages:

/usr/local/vesta/bin/v-delete-user-package palegreen 
/usr/local/vesta/bin/v-delete-user-package gainsboro 
/usr/local/vesta/bin/v-delete-user-package slategrey

Restore only specific domain

Another not so well documented VestaCP feature is restoring only a specific domain or database from the backup tar file. So let’s say we just want to restore domain.com and its respectful database admin_domaindb, while saving log file to restore.log:

USER BACKUP [WEB] [DNS] [MAIL] [DB] [CRON] [UDIR] [NOTIFY]
v-restore-user admin admin.2019-08-14.tar 'domain.com' 'no' 'no' 'admin_domaindb' 'no' 'no'  yes >> /usr/local/vesta/log/restore.log 2>&1

VestaCP/HestiaCP Office 365 SRV DNS records

You might be wondering, how to enter SRV values into your fresh VestaCP/HestiaCP install. Bellow is an example for Office 365 settings:

Type	Target	Protocol	Service	Priority	Weight	Port
SRV	sipdir.online.lync.com	_tls	_sip	100	1	443
SRV	sipfed.online.lync.com	_tcp	_sipfederationtls	100	1	5061

You might be tempted to put weight and port into IP/Value field (as this is what is suggested on Microsoft’s tutorial page), but that’s not how it works in VestaCP/HestiaCP. Instead, put them together with the priority as shown bellow.

Records in VestaCP/HestiaCP control panel

Domain: example.com
Record: _sip._tls
Type:  SRV
IP or Value: sipdir.online.lync.com.
Priority (optional): 100 1 443

Domain: example.com
Record: _sipfederationtls._tcp
Type:  SRV
IP or Value: sipfed.online.lync.com.
Priority (optional): 100 1 5061

That’s it for the SRV values, of course, don’t forget your A, CNAME and TXT!

Increase swap file on Raspberry Pi

Changing swap size on your rPi is pretty straight forward. Raspbian uses a swap file solution dphys-swapfile, and is much easier to change the size of the swap than with standard partition based options.

Edit configuration file /etc/dphys-swapfile, default value on Raspbian is 100 MB of swap:

CONF_SWAPSIZE=100

Simply change the number to desired size in MB and restart dphys-swapfile:

/etc/init.d/dphys-swapfile stop
/etc/init.d/dphys-swapfile start

Of course, don’t forget swap file is physically located on your SD card (usually /var/swap) so it also takes the space there.

That’s it, enjoy your increased size of your swap!

Vsftpd with SSL/TLS support on Ubuntu

Configure vsftpd to use SSL/TLS on Ubuntu VPS, dedi or physical machine. This how-to assumes vsftpd is already configured and running without encryption support.

Generate SSL certificate

Let’s create some SSL certificates to use with vsftpd. Change -nodes-days to desired number of days, example bellow assumes one year (365 days).

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Edit /etc/vsftpd.conf

Add the following lines to vsftpd config file:

# Uncomment or add the path to cert
# we generated in previous step
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# Enable SSL support
ssl_enable=YES

# Force local users to use SSL
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

# allow only TLS, not SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Some additional security and compatibility settings
# Filezilla reports GnuTLS error without strong ciphers
require_ssl_reuse=NO
ssl_ciphers=HIGH

# Optional: enable passive connection if not already configured
# (add appropriate rules to your firewall - iptables/UFW etc.)
pasv_enable=YES
pasv_min_port=63000
pasv_max_port=63100

Restart service

sudo service vsftpd restart

Connect with client

Now connect with your favourite client (like Filezilla), don’t forget to set Require explicit FTP over TLS. Port stays default 21, if you didn’t specify otherwise in the config file of course.

Fix SSL sec_error_unknown_issuer with Comodo PositiveSSL in Firefox (Apache2)

Installing Comodo PositiveSSL certificate on Apache server for a client, everything worked fine in Chrome, Firefox on OS X and (surprisingly) even in IE, but Firefox on Windows was complaining with the following error (might be something to do with older version or some other settings, but didn’t really test it that extensively):

Invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

After a bit of googling I came across a blog post by John Bakker, where he describes a quick and easy fix, merging all .crt files you receive from Comodo into one .ca_bundle.

To do this, the easiest way is to combine (concatenate) multiple certificates into one file, named www_yourdomain_com.ca_bundle (of course replace www_yourdomain_com with your actual domain with underscores):

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_yourdomain_com.crt

cat www_yourdomain_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > www_yourdomain_com.ca_bundle

Note: Device/Entity Cert Intermediates need to be in reversed order.

Place it in the same place you put your .key and .crt and .csr files for your certificate.
Now instead of pointing it to the individual files you point to just the bundle from your vhost.

SSLEngine on
SSLCertificateFile /etc/ssl/certs/www_yourdomain_com.crt
SSLCertificateKeyFile /etc/ssl/certs/www_yourdomain_com.key
SSLCertificateChainFile /etc/ssl/certs/www_yourdomain_com.ca-bundle

Restart apache and enjoy secure connection to your site without SSL errors in all browsers.

Remove Ubuntu sysinfo on user login

Do you also hate the (not so) slight delay for the system information to appear when you login to your Ubuntu Server console? Here are a couple of ways how to change the displayed information or even get completely rid of it.

Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.2.0-29-generic x86_64)
  * Documentation: https://help.ubuntu.com/

System information as of Thu Jul 31 12:12:12 CEST 2014

System load: 0.08               Processes: 86
Usage of /: 11.9% of 155.51GB   Users logged in: 0
Memory usage: 72%               IP address for eth0: 74.125.12.12
Swap usage: 0%

Graph this data and manage this system at:
  https://landscape.canonical.com/

Disable with reconfigure

To hide system information you can either remove the landscape-common package or just run dpkg-reconfigure again and choose to not display the landscape-sysinfo on login.

dpkg-reconfigure landscape-common

Remove the package

apt-get remove --purge landscape-common

Choose what to display

Alternatively, you can choose to display just certain parts on sysinfo.

Edit /etc/landscape/client.conf, and add them comma separated:

[sysinfo]
exclude_sysinfo_plugins = LandscapeLink,Temperature,Processes

You can remove any of these plugins (information):

Load, Disk, Memory, Temperature, Processes, LoggedInUsers, LandscapeLink, Network

Or just test it on the command line:

landscape-sysinfo  --exclude-sysinfo-plugins=Temperature,LandscapeLink,Processes

Random IT Hacks

Public mental notes

Ubuntu Caffè