
Dedicated Web Hosting: Renting an Entire Server for a Website

2026-01-16 · อ. บอม, SiamCafe.net · 1,648 words

What Is Dedicated Web Hosting?

Dedicated Web Hosting ??????????????????????????????????????? server ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ????????????????????? resources ?????????????????? ????????? CPU, RAM, Storage, Bandwidth ??????????????????????????????????????????????????? ????????? performance ?????????????????? ???????????????????????????????????????????????? root access ???????????????????????????????????????????????????

Dedicated Hosting ????????????????????????????????? ??????????????????????????????????????? traffic ????????? (100,000+ visitors/???????????????), ??????????????????????????????????????????????????????????????? resources ????????? (e-commerce, SaaS), ???????????????????????????????????????????????? compliance (PCI DSS, PDPA) ????????????????????? infrastructure, ?????????????????????????????????????????????????????? custom configuration ???????????????

????????????????????????????????? hosting ????????????????????????????????? Shared Hosting ??????????????????????????? ???????????? resources ????????????????????????????????? ??????????????????????????????????????? VPS ???????????? server ???????????? virtual machines ??????????????? VPS ?????? resources ??????????????????????????? ??????????????????????????????????????????????????? Cloud Hosting scale ????????????????????????????????? ?????????????????????????????? ??????????????? traffic ??????????????????????????? Dedicated Hosting performance ?????????????????? ??????????????????????????????????????? ??????????????? enterprise workloads

??????????????????????????????????????????????????? Dedicated Server

Setup dedicated server for web hosting

# === Dedicated Server Initial Setup ===

# 1. Update System
apt update && apt upgrade -y

# 2. Create Non-root User
adduser webadmin
usermod -aG sudo webadmin

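# 3. SSH Hardening
# Install webadmin's public key in /home/webadmin/.ssh/authorized_keys first:
# after this change only key-based logins by webadmin are accepted.
cat > /etc/ssh/sshd_config.d/hardening.conf << 'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers webadmin
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
EOF

# Validate the configuration before restarting; the unit is ssh.service on Debian/Ubuntu
sshd -t && systemctl restart ssh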

# 4. Firewall Setup (UFW)
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp comment 'SSH'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
# --force skips the interactive confirmation so the script can run unattended
ufw --force enable

# 5. Install Essential Packages
apt install -y \
  nginx \
  certbot python3-certbot-nginx \
  mariadb-server \
  php8.3-fpm php8.3-mysql php8.3-curl php8.3-gd php8.3-mbstring php8.3-xml php8.3-zip \
  redis-server \
  fail2ban \
  logrotate \
  htop iotop nethogs \
  unattended-upgrades

# 6. Configure Fail2ban
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 5
action = %(action_mwl)s

[sshd]
enabled = true
port = 2222
maxretry = 3

[nginx-http-auth]
enabled = true

[nginx-limit-req]
enabled = true
logpath = /var/log/nginx/error.log

[nginx-botsearch]
enabled = true
logpath = /var/log/nginx/access.log
EOF

systemctl enable --now fail2ban

# 7. Automatic Security Updates
cat > /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
EOF

echo "Server initial setup complete"

Web Server Configuration

Configure Nginx for production

# === Nginx Production Configuration ===

# 1. Main nginx.conf
cat > /etc/nginx/nginx.conf << 'EOF'
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;

events {
    worker_connections 4096;
    multi_accept on;
    use epoll;
}

http {
    # Basic
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    client_max_body_size 64m;

    # MIME
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Logging
    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main buffer=16k;
    error_log /var/log/nginx/error.log warn;

    # Gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml text/javascript image/svg+xml;

    # Rate Limiting
    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=3r/m;
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Security Headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # SSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
EOF

# 2. Virtual Host
cat > /etc/nginx/sites-available/mysite.conf << 'EOF'
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /var/www/example.com/public;
    index index.php index.html;

    # Rate limiting
    limit_req zone=general burst=20 nodelay;
    limit_conn addr 100;

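    # Static files caching
    # Note: a location with its own add_header stops inheriting the
    # http-level security headers, so repeat them here if they are needed.
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff2|woff)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

    # PHP processing
    location ~ \.php$ {
        # Only hand scripts that exist on disk to PHP-FPM
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300;
    }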

    # Block sensitive files
    location ~ /\.(ht|git|env) {
        deny all;
    }
}
EOF

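# 3. SSL Certificate
# Issue the certificate before enabling the vhost: the server block above points
# at files under /etc/letsencrypt/live/, and nginx -t fails until they exist.
certbot certonly --nginx -d example.com -d www.example.com --non-interactive --agree-tos -m admin@example.com

# 4. Enable the site
ln -s /etc/nginx/sites-available/mysite.conf /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx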

echo "Nginx configured"
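The configuration above sets security headers at the http level and a Cache-Control header inside the static-files location; nginx inherits add_header from the outer level only when the current level defines none, so that location serves files without the security headers. The following check is an added example, not part of the original page: it parses a constructed, condensed copy of the config and reports every block that loses inherited headers. The function names and the sample text are assumptions of the example.

```python
import re

# Tokens: quoted strings, comments, block/statement punctuation, bare words.
TOKEN = re.compile(r'''"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|#[^\n]*|[{};]|[^\s{};"'#]+''')

def parse_blocks(conf):
    """Build a tree of nginx blocks, recording the add_header names set in each."""
    root = {"label": "main", "own": set(), "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok.startswith("#"):
            continue
        if tok == "{":
            node = {"label": " ".join(words), "own": set(), "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            words = []
        elif tok == "}":
            stack.pop()
            words = []
        elif tok == ";":
            if len(words) >= 2 and words[0] == "add_header":
                stack[-1]["own"].add(words[1].strip("\"'"))
            words = []
        else:
            words.append(tok)
    return root

def dropped_headers(node, inherited=frozenset(), path=""):
    """Map each block path to the inherited headers it silently discards."""
    here = f"{path} > {node['label']}" if path else node["label"]
    findings = {}
    # nginx inherits add_header only when the current level defines none.
    if node["own"] and inherited - node["own"]:
        findings[here] = sorted(inherited - node["own"])
    effective = frozenset(node["own"] or inherited)
    for child in node["children"]:
        findings.update(dropped_headers(child, effective, here))
    return findings

# Constructed sample, condensed from the nginx.conf and vhost on this page.
SAMPLE = r"""
http {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    server {
        listen 443 ssl;
        location ~* \.(css|js|png)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
        }
        location ~ \.php$ { include fastcgi_params; }
    }
}
"""

if __name__ == "__main__":
    for block, lost in dropped_headers(parse_blocks(SAMPLE)).items():
        print(f"{block}: loses {', '.join(lost)}")
```

On a live server the merged configuration printed by `nginx -T` can be passed to `parse_blocks` in place of the sample.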

Security Hardening

????????????????????????????????????????????????????????? dedicated server

#!/usr/bin/env python3
# security_audit.py - Server Security Audit Tool
import json
import logging
import subprocess
from typing import Dict, List

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("security")

class ServerSecurityAudit:
    def __init__(self):
        self.results = []
    
    def run_checks(self):
        checks = {
            "ssh_config": self._check_ssh(),
            "firewall": self._check_firewall(),
            "open_ports": self._check_ports(),
            "updates": self._check_updates(),
            "permissions": self._check_permissions(),
            "passwords": self._check_passwords(),
        }
        return checks
    
    def _check_ssh(self):
        return {
            "check": "SSH Configuration",
            "items": [
                {"item": "Root login disabled", "expected": "PermitRootLogin no", "critical": True},
                {"item": "Password auth disabled", "expected": "PasswordAuthentication no", "critical": True},
                {"item": "Non-standard port", "expected": "Port != 22", "critical": False},
                {"item": "MaxAuthTries <= 3", "expected": "MaxAuthTries 3", "critical": True},
                {"item": "Key-based auth only", "expected": "PubkeyAuthentication yes", "critical": True},
            ],
        }
    
    def _check_firewall(self):
        return {
            "check": "Firewall Rules",
            "items": [
                {"item": "Default deny incoming", "critical": True},
                {"item": "Only necessary ports open", "critical": True},
                {"item": "Rate limiting enabled", "critical": False},
                {"item": "Fail2ban active", "critical": True},
            ],
        }
    
    def _check_ports(self):
        return {
            "check": "Open Ports",
            "allowed": [22, 80, 443, 2222],
            "command": "ss -tlnp",
        }
    
    def _check_updates(self):
        return {
            "check": "System Updates",
            "items": [
                {"item": "Auto-updates enabled", "critical": True},
                {"item": "No pending security updates", "critical": True},
                {"item": "Kernel up to date", "critical": False},
            ],
        }
    
    def _check_permissions(self):
        return {
            "check": "File Permissions",
            "items": [
                {"item": "/etc/shadow permissions 640", "critical": True},
                {"item": "Web root owned by www-data", "critical": True},
                {"item": "No world-writable files in web root", "critical": True},
                {"item": "SSL keys permission 600", "critical": True},
            ],
        }
    
    def _check_passwords(self):
        return {
            "check": "Password Policy",
            "items": [
                {"item": "No accounts with empty passwords", "critical": True},
                {"item": "Password complexity enforced", "critical": False},
                {"item": "Account lockout after failed attempts", "critical": True},
            ],
        }
    
    def generate_report(self):
        checks = self.run_checks()
        total_items = sum(len(c.get("items", [])) for c in checks.values())
        critical = sum(
            sum(1 for i in c.get("items", []) if i.get("critical"))
            for c in checks.values()
        )
        return {
            "total_checks": total_items,
            "critical_checks": critical,
            "categories": list(checks.keys()),
        }

audit = ServerSecurityAudit()
report = audit.generate_report()
print(f"Security Audit: {report['total_checks']} checks, {report['critical_checks']} critical")

checks = audit.run_checks()
for name, check in checks.items():
    items = check.get("items", [])
    print(f"\n{check['check']}: {len(items)} items")
    for item in items[:3]:
        print(f"  {'[!]' if item.get('critical') else '[ ]'} {item['item']}")
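The script above lists what should be true but does not read the server's state. The following added example (not the page's own code) evaluates the SSH items against the effective configuration that `sshd -T` prints; this matters because sshd keeps the first value it reads for each keyword, so an earlier drop-in under sshd_config.d can override hardening.conf without any error. The function names and the sample dump are assumptions of the example.

```python
import subprocess

# Values set by hardening.conf on this page; `sshd -T` prints keywords in lower case.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "allowusers": "webadmin",
}
MAX_AUTH_TRIES = 3

def parse_sshd_dump(text):
    """Parse `sshd -T` output ("keyword value" per line) into a dict of lists."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings

def audit(settings):
    """Return (keyword, expected, actual) for every check that fails."""
    failures = []
    for key, want in EXPECTED.items():
        got = settings.get(key, ["<unset>"])
        if [v.lower() for v in got] != [want]:
            failures.append((key, want, " ".join(got)))
    tries = settings.get("maxauthtries", ["6"])[0]  # OpenSSH default is 6
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        failures.append(("maxauthtries", f"<= {MAX_AUTH_TRIES}", tries))
    if "22" in settings.get("port", ["22"]):
        failures.append(("port", "!= 22", "22"))
    return failures

def effective_config():
    """Ask sshd for its merged configuration (needs root on the server)."""
    return subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout

# Constructed sample: a host where an earlier drop-in overrode hardening.conf.
SAMPLE_DRIFTED = """\
port 2222
permitrootlogin without-password
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6
x11forwarding no
allowusers webadmin
"""

if __name__ == "__main__":
    for key, want, got in audit(parse_sshd_dump(SAMPLE_DRIFTED)):
        print(f"[!] {key}: expected {want}, found {got}")
```

On the server itself, `audit(parse_sshd_dump(effective_config()))` runs the same checks against the live daemon configuration.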

Performance Optimization

Improve performance for dedicated server

# === Performance Optimization ===

# 1. PHP-FPM Tuning
cat > /etc/php/8.3/fpm/pool.d/www.conf << 'EOF'
[www]
user = www-data
group = www-data
listen = /var/run/php/php8.3-fpm.sock
listen.owner = www-data
listen.group = www-data

; Process management
pm = dynamic
pm.max_children = 50
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
pm.process_idle_timeout = 10s

; Logging
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php/error.log
php_admin_value[memory_limit] = 256M
php_admin_value[max_execution_time] = 60
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M

; OPcache
php_admin_value[opcache.enable] = 1
php_admin_value[opcache.memory_consumption] = 256
php_admin_value[opcache.max_accelerated_files] = 20000
php_admin_value[opcache.validate_timestamps] = 0
php_admin_value[opcache.revalidate_freq] = 0
EOF

systemctl restart php8.3-fpm

# 2. MariaDB Tuning
cat > /etc/mysql/mariadb.conf.d/99-tuning.cnf << 'EOF'
[mysqld]
# InnoDB
innodb_buffer_pool_size = 4G
innodb_log_file_size = 512M
innodb_flush_log_at_trx_commit = 2
innodb_flush_method = O_DIRECT
innodb_io_capacity = 2000
innodb_io_capacity_max = 4000

# Query Cache (disabled for MariaDB 10.4+)
query_cache_type = 0

# Connections
max_connections = 200
thread_cache_size = 16
table_open_cache = 4096

# Temp Tables
tmp_table_size = 64M
max_heap_table_size = 64M

# Logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
EOF

systemctl restart mariadb

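# 3. Redis Cache
# The stock Debian/Ubuntu package ships no redis.conf.d directory and does not
# include one, so create it and reference the file from redis.conf.
mkdir -p /etc/redis/redis.conf.d
cat > /etc/redis/redis.conf.d/tuning.conf << 'EOF'
maxmemory 1gb
maxmemory-policy allkeys-lru
save ""
appendonly no
EOF
grep -qxF 'include /etc/redis/redis.conf.d/tuning.conf' /etc/redis/redis.conf || \
  echo 'include /etc/redis/redis.conf.d/tuning.conf' >> /etc/redis/redis.conf

systemctl restart redis-server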

# 4. Kernel Tuning
cat > /etc/sysctl.d/99-webserver.conf << 'EOF'
# Network
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.ip_local_port_range = 1024 65535
net.core.netdev_max_backlog = 65535

# File descriptors
fs.file-max = 2097152
fs.inotify.max_user_watches = 524288

# Memory
vm.swappiness = 10
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
EOF

sysctl -p /etc/sysctl.d/99-webserver.conf

echo "Performance optimization complete"

Monitoring and Backup

Set up monitoring and backup for dedicated server

# === Monitoring & Backup ===

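# 1. Install Node Exporter (Prometheus)
wget https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz
# Verify the download against the checksum list published with the release
wget https://github.com/prometheus/node_exporter/releases/download/v1.7.0/sha256sums.txt
sha256sum --check --ignore-missing sha256sums.txt && \
  tar xzf node_exporter-1.7.0.linux-amd64.tar.gz && \
  mv node_exporter-1.7.0.linux-amd64/node_exporter /usr/local/bin/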

cat > /etc/systemd/system/node_exporter.service << 'EOF'
[Unit]
Description=Node Exporter
After=network.target

[Service]
User=node_exporter
ExecStart=/usr/local/bin/node_exporter --web.listen-address=:9100
Restart=always

[Install]
WantedBy=multi-user.target
EOF

useradd -rs /bin/false node_exporter
systemctl enable --now node_exporter

# 2. Automated Backup Script
cat > /usr/local/bin/backup.sh << 'BASH'
#!/bin/bash
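set -euo pipefail
# Database dumps and TLS private keys land here: keep new files readable by root only
umask 077

BACKUP_DIR="/backup"
DATE=$(date +%Y%m%d_%H%M%S)
RETENTION_DAYS=30
mkdir -p "$BACKUP_DIR"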

# Database backup
mysqldump --all-databases --single-transaction | \
  gzip > "$BACKUP_DIR/db_$DATE.sql.gz"

# Web files backup (incremental with rsync)
rsync -a --delete /var/www/ "$BACKUP_DIR/www_latest/"
tar czf "$BACKUP_DIR/www_$DATE.tar.gz" -C "$BACKUP_DIR" www_latest/

# Nginx config
tar czf "$BACKUP_DIR/nginx_$DATE.tar.gz" /etc/nginx/

# SSL certificates
tar czf "$BACKUP_DIR/ssl_$DATE.tar.gz" /etc/letsencrypt/

# Cleanup old backups
find "$BACKUP_DIR" -name "*.gz" -mtime +$RETENTION_DAYS -delete

# Upload to remote (optional)
# rclone sync "$BACKUP_DIR" remote:backups/

echo "$(date): Backup completed" >> /var/log/backup.log
BASH

chmod +x /usr/local/bin/backup.sh

# 3. Cron Schedule
cat > /etc/cron.d/server-maintenance << 'EOF'
# Daily backup at 3 AM
0 3 * * * root /usr/local/bin/backup.sh

# Certbot renewal check twice daily
0 0,12 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"

# Log rotation
0 0 * * 0 root logrotate /etc/logrotate.conf

# Disk usage alert
*/30 * * * * root df -h / | awk 'NR==2{if(int($5)>85) system("echo Disk usage "$5" | mail -s Alert admin@example.com")}'
EOF

echo "Monitoring and backup configured"

System Administration in a Production Environment

Managing a production system well requires comprehensive monitoring. Use tools such as Prometheus + Grafana for metrics collection and dashboards, or the ELK Stack for log management. Set alerts to fire when CPU exceeds 80%, RAM is nearly full, or disk usage is high.

A backup strategy needs careful planning. Follow the 3-2-1 rule: keep at least 3 copies of the backup, on 2 different types of storage, with 1 copy off-site. Test restoring from backup regularly, at least once a month, because a backup that cannot be restored is the same as having no backup.
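A check that can run daily between the monthly restore tests, as an added example that is not part of the original page: for each archive family that the backup.sh above writes, it confirms that the newest file exists, is recent, and decompresses to the end of its gzip stream (where gzip verifies CRC32 and length). It does not replace an actual restore; the function names and the 26-hour freshness window are assumptions of the example.

```python
import gzip
import time
import zlib
from pathlib import Path

# File-name prefixes written by the backup.sh shown on this page.
PREFIXES = ("db_", "www_", "nginx_", "ssl_")

def newest(backup_dir, prefix):
    """Return the most recently modified archive for one prefix, or None."""
    files = sorted(Path(backup_dir).glob(prefix + "*.gz"), key=lambda p: p.stat().st_mtime)
    return files[-1] if files else None

def gzip_intact(path):
    """Decompress the whole stream; gzip checks CRC32 and length at the end."""
    try:
        with gzip.open(path, "rb") as fh:
            total = 0
            while True:
                chunk = fh.read(1 << 20)
                if not chunk:
                    return total > 0
                total += len(chunk)
    except (OSError, EOFError, zlib.error):
        return False

def verify_backups(backup_dir, max_age_hours=26, now=None):
    """Return a list of problems; an empty list means every set passed."""
    now = time.time() if now is None else now
    problems = []
    for prefix in PREFIXES:
        path = newest(backup_dir, prefix)
        if path is None:
            problems.append(f"{prefix}: no archive found")
        elif now - path.stat().st_mtime > max_age_hours * 3600:
            problems.append(f"{path.name}: older than {max_age_hours}h")
        elif not gzip_intact(path):
            problems.append(f"{path.name}: empty, truncated or corrupt")
    return problems

if __name__ == "__main__":
    import sys
    issues = verify_backups(sys.argv[1] if len(sys.argv) > 1 else "/backup")
    print("\n".join(issues) or "all backup sets present, fresh and readable")
    sys.exit(1 if issues else 0)
```

The non-zero exit status lets cron or a monitoring agent raise an alert when any backup set fails the check.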

Security hardening must be done from the start: close unnecessary ports, use SSH keys instead of passwords, set up Fail2ban to prevent brute force, apply security patches regularly, and run vulnerability scanning at least once a month. Apply the Principle of Least Privilege: grant only the minimum rights that are necessary.

FAQ: Frequently Asked Questions

Q: How do Dedicated Server and VPS differ?

A: Dedicated Server ????????? hardware ????????????????????????????????? CPU, RAM, Storage ??????????????????????????????????????? performance ?????????????????????????????? noisy neighbor ????????????????????????????????? (??????????????? 3,000-10,000+ ?????????/???????????????) ????????????????????????????????? high-traffic websites, database servers, compliance requirements VPS ???????????? virtual machine ?????? shared hardware ???????????? resources ???????????? hypervisor ????????????????????????????????? (??????????????? 200-2,000 ?????????/???????????????) performance ???????????????????????????????????? host overloaded ????????????????????????????????? SME websites, development servers, small applications ????????????????????????????????????????????? traffic 50,000+ visitors/??????????????? ????????????????????????????????? compliance ??????????????? dedicated

Q: How do Managed and Unmanaged Dedicated Hosting differ?

A: Managed ???????????????????????????????????????????????????????????????????????? OS updates, security patches, monitoring, backup, troubleshooting ?????? support 24/7 ????????????????????????????????? 30-50% ??????????????????????????????????????????????????????????????????????????? system admin ??????????????? Unmanaged ?????????????????? hardware ????????? network connectivity ??????????????????????????????????????????????????????????????? OS installation, configuration, security, updates, monitoring, backup ????????????????????????????????? ?????????????????? Linux admin skill ??????????????? managed ?????????????????? business critical systems ????????? unmanaged ?????????????????????????????????????????? DevOps/SRE

Q: How should you choose the server spec?

A: ????????????????????? workload Web Server + PHP CPU 4-8 cores ?????????????????????, RAM 16-32GB, SSD 500GB-1TB Database Server CPU 8-16 cores, RAM 32-128GB (InnoDB buffer pool), NVMe SSD ?????????????????? IOPS E-commerce CPU 8+ cores, RAM 32GB+, NVMe SSD, Redundant PSU ???????????????????????? spec ???????????? ???????????? monitor actual usage ????????? CPU < 30% average ????????????????????? upgrade ????????? RAM usage > 80% ???????????? upgrade ????????? disk I/O wait ????????? ????????????????????????????????? NVMe bandwidth ??????????????? peak traffic ????????? 95th percentile > 80% ????????? limit ???????????? upgrade

Q: How must a Dedicated Server be backed up?

A: Backup strategy ???????????????????????? 3-2-1 Rule ???????????? 3 copies, 2 media types, 1 offsite Database backup ?????????????????? ????????? mysqldump --single-transaction ?????????????????? InnoDB ????????? lock tables ????????????????????? backup Files backup ????????? incremental backup (rsync) ?????????????????? full backup ?????????????????????????????? Configuration backup ???????????? nginx, php, mysql configs ????????? SSL certificates backup ???????????????????????? ?????????????????? ???????????? re-issue Offsite backup upload ?????? S3, Google Cloud Storage ???????????? remote server ?????????????????? Test restore ???????????????????????? backup ????????? restore ?????????????????? ????????????????????????
