I would like to showcase how incredibly well Virtualmin scales. Here is a server that we’re running for a client. The client has customised their templates when deploying sites to make it perfectly automated. They are current running 386 email domains with Roundcube and SSL, and 772 total email users. Every day they add around 5 to 10 new domains.
This all on a 4 core server with only 5 GB of RAM, and 5 GB of swap space.
This incredible efficiency is paired with 100% uptime. The server simply never has issues. Virtualmin is a superior system by any degree.
Two secrets? (1) Stick with the defaults (2) Observe CPU and RAM to determine where your load is going and match resources to it.
Nope, each one of those 772 email users rely on their IMAP mailboxes for important emails. The disk is very small but it’s a tightly controlled closed user group.
The client wanted to scale the server as we go along. It’s beautiful, we can just enlarge the disk in the hypervisor in real-time to add more space.
what kind of sites are running? lamp/lemp stack or just static html? public or private?
what sort of protection on those? (waf?)
running ~150 busy sites (~140 on php), on 32G RAM and 8cpus (iron). with an average load of 2-3.
but not virtualmin defaults. blocking bots (ai + bad), +modsec, firewall with a few thousand blocked ips cache, tweaked apache+php-fpm, -spamd +rspamd, and various tweaks in system/network.. without those i guess virtualmin defaults wouldn’t manage more than 50 sites..
(have a real example of colleagues running 32 sites w/ very heavy load most of the time on similar hw.)
so, depends on what you host, how you protect it from bad traffic/ddos/etc, and how good tweaking you do.. defaults are fine for sites with small traffic and behind ddos protection services.
1 x IPv4 and 1 x IPv6. Email domains have SPF with both configured automatically.
To get around Let’s Encrypt limitations, the client launches a new apex domain every 100 domains, and then aliases it for webmail.
No restrictions whatsoever! Just stock FirewallD and Fail2ban doing it’s job. The restrictions by country would the kind of customisation we want to avoid when scaling on this system. Users are mostly international.
On the firewall side we also have a cluster firewall so that all VMs are protected by those really persistent denial of service attackers which we pick up on other systems. This is a lifesaver in terms of saving CPU load for the entire cluster.
Yep I guess! The clue is not serving websites but nevertheless. The return on investment is huge due to Virtualmin being so efficient, stable, and scalable!
Apologies, I noticed the title of this post was misleading so I fixed that now. There are no websites, just 386 email domains.
The firewall is stock FirewallD and Fail2ban. But the screenshot below is our life saver for keeping all the machines safe. On each VM we have just two rules, the default accept and a drop tied to an IPSet (master list).
So when we see certain CPU spikes, monitored by either CPU or load or both, we can tail the log file and see who is hammering what. Then we document and kill them with one shot across the cluster.
In reality, in the last two years, xmlrpc.php from WordPress has been the biggest culprit. Those zombies kill load.
ok, just for email you don’t need much resources.
and maybe virtualmin is overkill just for email.. are you sure you haven’t disabled web features and kept vanilla virtualmin/defaults?
