The problem was that I use ModSecurity2 with separate configurations for each site, and that requires a quite significant amount of memory for a VPS (depending on the size of the rulesets), combined with the fact that I use Apache’s “worker” MPM. I was aware of all that, but apparently I hadn’t done my job well enough when it comes to monitoring the VPS’ resources lately. It was already using a lot of swap, and after adding this site to the collection of enabled web sites, all physical and swap memory was quickly depleted. All the swapping obviously led to really bad performance, but the complete depletion of memory resources also led to occasional termination of CGI processes.

Long story short, I moved the site over to my home web server (which is also virtual), where I had a nearly identical setup. Just in case, I carefully tuned the settings for the worker MPM and increased the amount of physical memory available for the virtual web server machine. Even on the much, much slower bandwidth of my home server, this blog is performing a lot better now.

I just need to start actually writing stuff now.

I had some privacy concerns and didn’t want to share the same IP address for all of my sites. It’s very simple to locate other sites running on the same web server IP. Therefore I requested an additional IP address (IPv4) from DynDNS.

DynDNS Support were very forthcoming and I quickly had an extra IP address at my disposal. But where to go from there? Different providers have different ways to go about this. Some assign an extra network interface (virtual NIC device) to the VPS, while others (including DynDNS) simply reserve the IP address to you. In my case, IP aliasing was the way to go (creating a virtual interface – see Debian’s reference documentation on this).

I defined a new virtual interface in /etc/network/interfaces:

auto eth0:0
iface eth0:0 inet static
 address 200.200.200.200
 gateway 200.200.200.1
 netmask 255.255.255.0

Then I connected to the VPS through serial console (see springconsole.com) and restarted the network interfaces:

invoke-rc.d networking restart

Then the real work remained – configuration. To get things working the way I wanted, I needed to reconfigure iptables, Apache (httpd), my MTA and more.

I won’t go into too many details when it comes to the iptables configuration, but basically I wanted to restrict some services to only be reachable on a specific IP. Configuring a service to only listen to a certain IP is fine, but it is always good to filter this with iptables. In DynDNS’ Debian VPS template, you have a .conf file available for this  – /etc/iptables.conf (and /etc/ip6tables.conf for IPv6). Just to give a simple example of an input accept rule restricted to a specific local IP, here is a line which would cause incoming SMTP connections to only be accepted if 100.100.100.100 was the destination IP:

-A INPUT -p tcp -m tcp -d 100.100.100.100/32 --dport 25 -j ACCEPT

The Apache configuration was the most important one for me. In Debian (up to and including Debian 5.0), the Listen directive and such for Apache2 is placed in /etc/apache2/ports.conf (in Debian 6.0 “apache2″ is renamed to “apache”, so it will likely use /etc/apache). Made some simple changes here. Added explicit IP addresses to the NameVirtualHost directives:

NameVirtualHost 100.100.100.100:80
NameVirtualHost 200.200.200.200:80

That way, I became able to have a separate set of name-based virtual hosts for each IP address.

Next on my list was to ensure that a specific source IP was used for all outgoing SMTP connections. To achieve this in Postfix, one has to edit the master.cf file and add an option for the smtp service:

smtp      unix  -       -       -       -       -       smtp
  -o smtp_bind_address=100.100.100.100

That’s pretty much the gist of it.

However, I haven’t done things particularly easy for myself here, because I wanted to make the blog multilingual. I need to have as much as possible in both English and Norwegian. Since I couldn’t find any decent Norwegian translation of Subscribe to Comments Reloaded, I created one.

It’s available here if any fellow Norwegians are interested:
subscribe-reloaded-nb_NO

The down-side, though, is that because of the way that plugin works, with all messages being configurable from the WP administration pages, and the way these messages are finally “echoed”, there are still some obstacles to resolve before I have it working optimally on a multilingual blog. It seems I may have to do some minor alterations in the plugin’s code, but that’s for a future post, when I’ve actually thought it through properly.