System Architecture

Overview

Internet
    │
    ▼
┌─────────┐     ┌──────────┐     ┌───────────┐
│  Nginx  │────▶│ PHP-FPM  │────▶│ MariaDB   │
│ (443)   │     │ (socket) │     │ (3306)    │
└─────────┘     └──────────┘     └───────────┘
    │                │
    │                ▼
    │           ┌───────────┐
    │           │ Memcached │
    │           │ (11211)   │
    │           └───────────┘
    │
    ▼
┌─────────┐     ┌───────────┐
│ Fail2ban│     │  UFW      │
│ (jails) │     │ (firewall)│
└─────────┘     └───────────┘

Components

Nginx (Web Server)

  • Listens on port 80 (redirects to HTTPS) and 443 (SSL/TLS)
  • HTTP/2 enabled
  • Reverse proxy to PHP-FPM via Unix socket
  • Per-IP rate limiting (tiered)
  • Slowloris protection (10 s timeouts)
  • Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Gzip compression
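The per-IP rate limiting above is enforced by nginx's limit_req, which is a leaky bucket: each request adds one unit to the client's bucket, the bucket drains at the zone's rate, requests that push it past burst are refused, and excess beyond delay is queued. The model below is an added example, not nginx code and not the project's rate-limiting.conf; it reproduces that decision arithmetic over a constructed burst of requests so zone parameters (rate, burst, delay, all assumed values here) can be reasoned about offline before they are deployed.

```python
"""Leaky-bucket model of nginx's per-IP limit_req decision.

Added example (not nginx code, not the project's rate-limiting.conf):
replays constructed request timestamps from one client through the same
arithmetic nginx uses, so zone parameters can be evaluated offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LimitReq:
    """One limit_req zone as seen by a single client IP.

    rate  : requests per second (limit_req_zone ... rate=Nr/s)
    burst : extra requests tolerated above the rate (limit_req burst=N)
    delay : excess requests served without queuing (limit_req delay=N;
            delay == burst behaves like nodelay, delay == 0 queues all)
    """
    rate: float
    burst: int
    delay: int = 0
    excess: float = 0.0            # bucket level in requests, drains at `rate`
    last: Optional[float] = None   # time of the last accounted request

    def check(self, now: float):
        """Return ("ok", wait_seconds) or ("reject", 0.0) for a request at `now`."""
        if self.last is None:
            excess = 0.0           # a new client starts with an empty bucket
        else:
            # Drain what has leaked since the last request, then add this one.
            excess = self.excess - self.rate * (now - self.last) + 1.0
            if excess < 0.0:
                excess = 0.0
        if excess > self.burst:
            # Over burst: nginx answers limit_req_status (503 by default)
            # and does not account the request, so the bucket is unchanged.
            return "reject", 0.0
        self.excess, self.last = excess, now
        # Excess beyond `delay` is queued until the bucket has drained it.
        wait = 0.0 if excess <= self.delay else (excess - self.delay) / self.rate
        return "ok", wait


def simulate(rate, burst, delay, times):
    """Run the timestamps through a fresh zone; returns [(t, verdict, wait), ...]."""
    zone = LimitReq(rate=rate, burst=burst, delay=delay)
    return [(t, *zone.check(t)) for t in times]


def summarize(results):
    """Count served-at-once, queued (served with a delay) and rejected requests."""
    served = sum(1 for _, v, w in results if v == "ok" and w == 0.0)
    queued = sum(1 for _, v, w in results if v == "ok" and w > 0.0)
    rejected = sum(1 for _, v, _ in results if v == "reject")
    return served, queued, rejected


# Constructed scenario: one client fires 10 requests 20 ms apart, then one
# more request two seconds later. The zone parameters used below are
# assumptions, not the tiers in the page's rate-limiting.conf.
BURST_TIMES = [i * 0.02 for i in range(10)] + [2.0]

if __name__ == "__main__":
    for label, params in {"nodelay": (5, 5, 5), "queue all": (5, 5, 0)}.items():
        res = simulate(*params, BURST_TIMES)
        print(label, "(served, queued, rejected) =", summarize(res))
        for t, verdict, wait in res:
            print(f"  t={t:5.2f}s {verdict:6s} wait={wait:.2f}s")
```

With rate 5 r/s and burst 5, the first six rapid requests are accepted and the next four refused in both variants; delay decides only whether the accepted excess is served immediately or held back, which is the trade-off to weigh when a stricter tier is applied to login or submission endpoints than to static assets.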

PHP 8.3-FPM

  • Dynamic process manager (tiered by number of clients)
  • OPcache enabled
  • Dedicated exam pool on a Unix socket
  • Dangerous functions disabled (exec, system, proc_open, etc.)
  • open_basedir restriction
  • Timezone: Asia/Jakarta

MariaDB 11.4

  • Database: cbt_kedokteran
  • User: usr_kedokteran@localhost
  • Binds to localhost only (127.0.0.1)
  • InnoDB tuning (buffer pool, flush method, file-per-table)
  • Slow query logging (2 s threshold)
  • Query cache enabled

Memcached

  • Session storage (replaces file-based sessions)
  • Cache layer for the application
  • Binds to localhost only
  • Max item size: 4 MB

Fail2ban

4 active jails:

  • sshd: 5 retries, 1 hour ban
  • nginx-http-auth: 5 retries, 1 hour ban
  • nginx-botsearch: 10 retries, 24 hour ban
  • nginx-req-limit: 5 retries, 2 hour ban

UFW Firewall

  • Default deny incoming, allow outgoing
  • Open ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 53/udp (DNS)

DNSMasq

  • Local DNS resolver
  • Maps the domain to all server IPs (for access from the LAN)

Configuration Files

File                                            Purpose
/etc/examtool.conf                              Server configuration (domain, clients, credentials)
/etc/examtool.env                               Secrets (tokens, passwords)
/etc/nginx/sites-available/ujian                Nginx vhost
/etc/nginx/conf.d/rate-limiting.conf            Rate limiting zones
/etc/php/8.3/fpm/pool.d/ujian.conf              PHP-FPM pool
/etc/mysql/mariadb.conf.d/99-exam-server.cnf    MariaDB tuning
/etc/memcached.conf                             Memcached config
/etc/fail2ban/jail.d/examtool.conf              Fail2ban jails
/etc/sysctl.d/99-exam-server.conf               Kernel tuning
/etc/security/limits.d/99-exam-server.conf      File descriptor limits

Applications

Ujian (CodeIgniter)

  • Path: /var/www/ujian
  • Repository: gitlab.unpad.net/fk/ujian.git
  • Config: /var/www/ujian/application/config/cbt_kedokteran_config.php

RASCH Analysis

  • Path: /var/www/rasch
  • Repository: gitlab.unpad.net/fk/rasch.git
  • R script: /var/www/rasch/app/analisis.R
  • Python venv: /var/www/rasch/python/venv

System Tuning

Optimized kernel parameters:

  • TCP connection backlog: 65535
  • Port range: 1024-65535
  • TCP reuse enabled, FIN timeout 15 s
  • Keepalive: 300 s
  • SYN cookies enabled (flood protection)
  • Swappiness: 10 (prefer RAM)
  • File descriptors: 2M
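Most of the hardening on this page (PHP-FPM's disabled functions and open_basedir, MariaDB and Memcached bound to localhost, the Fail2ban jail thresholds, and the kernel parameters above) lives in plain key/value files that silently drift when a package upgrade rewrites them. The script below is an added example, not part of the examtool project: it parses configuration text for those five services and reports every setting that deviates from the values documented here. The file contents are constructed samples (the paths are the page's), the Fail2ban sample covers two of the four jails, and the sysctl key names are assumed mappings of the page's descriptions; a real run would read the listed paths instead of the embedded strings.

```python
"""Audit the hardening baseline from this page against service config files.

Added example, not part of the examtool project. File contents below are
constructed samples; the paths come from the page, and the sysctl key
names are assumed mappings of the page's descriptions.
"""
import configparser
import re

SAMPLE_CONFIGS = {
    "/etc/php/8.3/fpm/pool.d/ujian.conf": """[ujian]
listen = /run/php/php8.3-fpm-ujian.sock
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_value[open_basedir] = /var/www/ujian:/tmp
""",
    "/etc/mysql/mariadb.conf.d/99-exam-server.cnf": """[mysqld]
bind-address = 127.0.0.1
long_query_time = 2
""",
    "/etc/memcached.conf": "-l 127.0.0.1\n-I 4m\n",
    "/etc/fail2ban/jail.d/examtool.conf": """[sshd]
enabled = true
maxretry = 5
bantime = 1h

[nginx-botsearch]
enabled = true
maxretry = 10
bantime = 24h
""",
    "/etc/sysctl.d/99-exam-server.conf": """net.core.somaxconn = 65535
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_syncookies = 1
vm.swappiness = 10
""",
}

# Baseline taken from the page (jail values for the two sampled jails).
REQUIRED_DISABLED = {"exec", "system", "proc_open"}
EXPECTED_JAILS = {"sshd": (5, 3600), "nginx-botsearch": (10, 86400)}
EXPECTED_SYSCTL = {  # key names are assumptions, values are the page's
    "net.core.somaxconn": "65535", "net.ipv4.ip_local_port_range": "1024 65535",
    "net.ipv4.tcp_fin_timeout": "15", "net.ipv4.tcp_syncookies": "1",
    "vm.swappiness": "10"}


def parse_ini(text):
    """INI-style files (PHP-FPM pool, MariaDB cnf, Fail2ban jails)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def parse_flags(text):
    """memcached.conf: one command-line flag per line, e.g. '-l 127.0.0.1'."""
    flags = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            flags[parts[0]] = parts[1] if len(parts) > 1 else ""
    return flags


def parse_sysctl(text):
    """sysctl.d: 'key = value' lines; multi-value settings are space-normalized."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            pairs[key.strip()] = " ".join(value.split())
    return pairs


def to_seconds(value):
    """Fail2ban bantime: plain seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"unparsable time: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def audit(configs):
    """Return the list of deviations; an empty list means the baseline holds."""
    out = []
    pool = parse_ini(configs["/etc/php/8.3/fpm/pool.d/ujian.conf"])["ujian"]
    disabled = {f.strip() for f in pool.get("php_admin_value[disable_functions]", "").split(",")}
    if REQUIRED_DISABLED - disabled:
        out.append(f"php-fpm: still callable: {sorted(REQUIRED_DISABLED - disabled)}")
    if not pool.get("php_admin_value[open_basedir]"):
        out.append("php-fpm: open_basedir not set")
    db = parse_ini(configs["/etc/mysql/mariadb.conf.d/99-exam-server.cnf"])["mysqld"]
    if db.get("bind-address") != "127.0.0.1":
        out.append(f"mariadb: bind-address is {db.get('bind-address')!r}, not 127.0.0.1")
    mc = parse_flags(configs["/etc/memcached.conf"])
    if mc.get("-l") != "127.0.0.1":
        out.append(f"memcached: listens on {mc.get('-l', 'all interfaces')}")
    if mc.get("-I", "1m").lower() != "4m":
        out.append("memcached: max item size is not 4m")
    jails = parse_ini(configs["/etc/fail2ban/jail.d/examtool.conf"])
    for name, (retry, ban) in EXPECTED_JAILS.items():
        if name not in jails or jails[name].get("enabled", "false").lower() != "true":
            out.append(f"fail2ban: jail {name} not enabled")
        elif (jails[name].getint("maxretry", 0) != retry
              or to_seconds(jails[name].get("bantime", "0")) != ban):
            out.append(f"fail2ban: jail {name} is not maxretry={retry}, bantime={ban}s")
    sysctl = parse_sysctl(configs["/etc/sysctl.d/99-exam-server.conf"])
    for key, want in EXPECTED_SYSCTL.items():
        if sysctl.get(key) != want:
            out.append(f"sysctl: {key} = {sysctl.get(key)} (expected {want})")
    return out


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS) or ["baseline holds"]:
        print(line)
```

The checks are deliberately of the "is it still what we wrote" kind rather than a generic linter: the point is to catch a MariaDB bind-address reverting to 0.0.0.0 or a jail being disabled after an upgrade, and a non-empty result is what an operator should alert on.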