In my work, Apache often plays a big part of the web-serving chain, especially for PHP-based sites (like Drupal). Here are tips I have collected along the way. Of course YMMV (your mileage may vary).

Conf settings

These settings can go in several places; the best is the *.conf file for your domain or site (the virtual host definition). At worst they can go in httpd.conf, the global configuration file for Apache, where they then apply to every site on the server.

Compress output of common text-based files

This needs mod_deflate loaded. AddOutputFilterByType matches the response Content-Type, so the application/x-httpd-* entries below are harmless but do nothing on their own: PHP pages go out as text/html and are covered by that entry.

AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/js
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html

... or in a shorter way...
AddOutputFilterByType DEFLATE text/plain text/xml application/xhtml+xml text/css text/javascript text/js application/xml image/svg+xml application/rss+xml application/atom+xml application/x-javascript application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby text/html

Do not add image or media types that are already compressed; they only burn CPU. One security caveat: on an HTTPS site, compressing a response that reflects attacker-controlled input next to a secret (a CSRF token, a session identifier) enables the BREACH attack, which recovers the secret from the compressed length. Leave compression off for such responses.

Remove ETags

Header unset ETag
FileETag None

The first line needs mod_headers. Dropping the ETag stops the older Apache default of INode MTime Size from leaking file inode numbers in the header, and on a load-balanced cluster it avoids cache validation failures caused by the same file having a different inode on each node. Clients then fall back to Last-Modified for conditional requests, so keep Expires / Cache-Control headers in place (see the Performance Checklist below).

Easy changes

  • Disable or remove any modules not used (like mod_perl if you are only using PHP); every loaded module is attack surface and memory.
  • Consider moving configuration overrides from .htaccess file(s) into the *.conf vhost files, then set AllowOverride None so Apache stops looking for them.

Performance Tuning

  • MaxClients (MaxRequestWorkers in 2.4) - cap it so the server does not swap when hit hard; MaxRequestsPerChild (MaxConnectionsPerChild in 2.4) - recycle a process after N requests to free up memory and bound any leaks.
  • KeepAlive - either keep KeepAliveTimeout low (~3 seconds) or raise it (5-10 seconds but no more than that, otherwise idle connections tie up processes).
  • AllowOverride - set to None and move .htaccess contents into the vhost configuration, so Apache stops checking every directory in the path for .htaccess files.
  • Utilize mod_deflate (mod_gzip on Apache 1.x) to compress response output to browsers: text such as XML, plain text, HTML/HTM, JavaScript and CSS, but not images or media types, which are already compressed. High compression (DeflateCompressionLevel 9) gives the smallest output but costs CPU on every response; measure before choosing it over the default.
  • MPM worker - threaded mode; uses less memory than prefork for static and dynamic sites alike; does not work with mod_php unless PHP and every loaded extension are thread-safe, which is why PHP usually runs through FastCGI on a worker server.
  • Add log configuration rules (SetEnvIf on the request URI, then a CustomLog with an env= condition) to exclude logging for jpg, png, gif, js, css and ico files. This can throw off stats software like AWStats, since the bandwidth calculation would miss the excluded file types.
  • BufferedLogs On - a mod_log_config directive, marked experimental in 2.2.
  • Consider FastCGI mode for PHP/Perl.
  • HostnameLookups Off - no reverse DNS lookup per request; resolve addresses later with logresolve if reports need host names.
  • Don't log bytes separately.

Performance Checklist

  • Tune MaxClients (too low will not scale when hit hard; too high and memory cannot keep up with the load, the server starts swapping and can die).
  • RAID 0 striping on fast SSD/SCSI drives (striping buys throughput but no redundancy: one failed drive takes the whole volume, so use it only for content you can rebuild and keep backups).
  • HDD DMA settings, read-ahead (hdparm).
  • Disable unnecessary log writing; LogLevel warn or error (LogLevel takes a severity name, not a number, and debug-level logging on a busy server is expensive).
  • Adequate compile-time limits: HARD_SERVER_LIMIT, HARD_THREAD_LIMIT, MAX_SERVER_LIMIT, MAX_THREAD_LIMIT (in 2.x the runtime ServerLimit and ThreadLimit directives are capped by the MAX_* values).
  • Strip out unused Apache modules & processes.
  • Eliminate mod_so (build the modules you need statically).
  • Set Expires and Cache-Control headers (mod_expires, mod_headers).
  • Cut KeepAliveTimeout to 5 seconds or less (or disable KeepAlive entirely).
  • Make apps persistent with mod_fastcgi, or replace them with static content.
  • Use mod_mmap_static (Apache 1.3) or mod_file_cache (2.x) for commonly served files.
  • Avoid redundant DNS lookups.
  • Move SSL termination to a different server.
  • Cluster Apache.
  • Tune Apache pre-forking (StartServers, MinSpareServers, MaxSpareServers): too low and users complain, too high and the server starts swapping.

Security

  • Avoid root services - httpd starts as root only to bind ports 80/443; the worker processes must run under an unprivileged User and Group so a compromised worker does not own the box.
  • Maintain rotating logs (logrotate or rotatelogs) so the logs neither fill the disk nor get lost; the access log is your evidence when something goes wrong.
  • Block abusive clients.
  • Maintain backups & restore processes (plan for availability, capacity, disaster recovery).
  • Monitor servers.
  • Do not enable mod_proxy forwarding (ProxyRequests On) on publicly visible servers; an open forward proxy is found and abused within hours. Reverse proxying (ProxyPass) does not need ProxyRequests.
  • Consider mod_security (web application firewall).
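The items in the Easy changes, Performance Tuning and Security lists above are what you end up checking by hand on every server, so here is an added example that does the checking; it is not code from the original page. It is a POSIX shell/awk script that reads an httpd configuration and reports the weak settings named on this page. It is run here against a constructed httpd.conf; the module names, paths and values in that sample are assumptions for the demo, not taken from any real host.

```shell
#!/bin/sh
# Added example (not code from the original page): a one-pass auditor that
# reads an httpd configuration and reports the weak settings this page warns
# about. The sample config, paths and module names below are constructed for
# the demo and are not taken from any real server.

# Write a constructed httpd.conf with several deliberately weak settings and
# print its path. The caller removes the file when done.
make_sample_conf() {
  conf=$(mktemp) || return 1
  cat > "$conf" <<'EOF'
# constructed sample, not a real host
ServerRoot "/etc/httpd"
User root
Group root
HostnameLookups On
KeepAliveTimeout 15
LoadModule php7_module modules/libphp7.so
LoadModule perl_module modules/mod_perl.so
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
<Directory "/var/www/html">
    AllowOverride All
    Require all granted
</Directory>
EOF
  printf '%s\n' "$conf"
}

# Print one finding per line. Comment lines are stripped first so a
# commented-out "ProxyRequests On" is not flagged; directive names are compared
# case-insensitively because httpd itself treats them that way. (The comment
# strip would also truncate a value containing "#", e.g. inside a LogFormat.)
audit_httpd_conf() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" | awk '
    {
      d = tolower($1); v = tolower($2)
      if (d == "user" && v == "root")
        print "CRITICAL: User root - run worker processes as an unprivileged account"
      if (d == "group" && v == "root")
        print "CRITICAL: Group root - use an unprivileged group as well"
      if (d == "proxyrequests" && v == "on")
        print "CRITICAL: ProxyRequests On - an open forward proxy on a public server"
      if (d == "allowoverride" && v != "none")
        print "WARN: AllowOverride " $2 " - .htaccess files are read on every request; set None and move the rules into the vhost"
      if (d == "hostnamelookups" && v == "on")
        print "WARN: HostnameLookups On - a reverse DNS lookup per request"
      if (d == "keepalivetimeout" && $2 + 0 > 10)
        print "WARN: KeepAliveTimeout " $2 " - idle connections tie up processes; keep it at 10 s or less"
      if (d == "loadmodule" && v == "perl_module") perl = 1
      if (d == "loadmodule" && v ~ /^php/) php = 1
      if (d == "fileetag") etag = 1
    }
    END {
      if (perl && php)
        print "INFO: mod_perl is loaded alongside PHP - remove modules the site does not use"
      if (!etag)
        print "INFO: no FileETag directive - older httpd defaults put the file inode number in ETags; set FileETag None or MTime Size"
    }'
}

# Number of findings; awk prints a plain integer even when there are none.
count_findings() {
  audit_httpd_conf "$1" | awk 'END { print NR }'
}

# Stand-alone usage: audit the constructed sample, then clean up.
sample=$(make_sample_conf)
audit_httpd_conf "$sample"
rm -f "$sample"
```

Point it at a real tree with something like `cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf > /tmp/all.conf` first, since the script reads one file and does not follow Include lines. The checks deliberately stay grep-simple; anything that needs the merged per-directory result (which AllowOverride actually wins for a path) is better answered by `httpd -S` and `httpd -M` from the commands list below.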

Useful Commands & Software

apachectl or httpd (-l = list compiled-in modules; -M = list all loaded modules; -L = list the directives the loaded modules provide; -S = dump the parsed virtual host settings; -t = test the configuration; -v or -V = version, -V with the build settings; apachectl graceful = reload the configuration without dropping in-flight requests; apachectl status / fullstatus need mod_status, and fullstatus a text browser such as lynx)

ifconfig -a (or ip addr) - all interfaces and their addresses

netstat (or ss) - listening sockets and connection states; netstat -tan shows which ports are actually exposed

tcpdump (snoop on Solaris) - packet capture

spray (Solaris/BSD) - floods a host with RPC packets to measure throughput and packet loss; it does not send pings

traceroute

nmap - port scanner; run it against your own server from outside to confirm that only the expected ports answer

apachetop - real-time view of the access log: top requests, referrers and client addresses
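The Security section above says to block abusive clients, and apachetop shows who is hammering the server in real time. As an added example that is not part of the original page, here is a POSIX shell/awk script that does the same job offline: it reads a combined-format access log, flags any client that exceeds a request rate per minute, and emits an httpd 2.4 access-control snippet for those clients. The log lines, the TEST-NET addresses and the threshold of 5 requests a minute are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original page): find clients that exceed a
# per-minute request rate in a combined-format access log and turn them into an
# httpd 2.4 access-control snippet. The log lines, addresses and the threshold
# are constructed for the demo.

# Write a constructed access log and print its path. 203.0.113.7 probes for
# admin paths five times within one minute; 198.51.100.20 is a normal visitor;
# 192.0.2.5 makes five requests but spread over five different minutes.
make_sample_log() {
  log=$(mktemp) || return 1
  cat > "$log" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /.env HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.20 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:11 +0000] "GET /sites/default/files/logo.png HTTP/1.1" 200 3044 "http://www.example.com/" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:40 +0000] "GET /node/1 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:56:40 +0000] "GET /node/2 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:40 +0000] "GET /node/3 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:58:40 +0000] "GET /node/4 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:59:40 +0000] "GET /node/5 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$log"
}

# Print each client IP that made at least $2 requests within any single minute
# of log $1, in the order they were first flagged. Bucketing per minute rather
# than over the whole file keeps a steady, slow visitor off the list.
abusive_ips() {
  awk -v max="$2" '
    {
      ip = $1
      # $4 looks like "[10/Oct/2023:13:55:36"; drop the "[" and the ":ss" part
      minute = substr($4, 2, length($4) - 4)
      n[ip, minute]++
      if (n[ip, minute] >= max && !(ip in flagged)) {
        flagged[ip] = 1
        order[++k] = ip
      }
    }
    END { for (i = 1; i <= k; i++) print order[i] }' "$1"
}

# Emit an httpd 2.4 snippet that denies the flagged clients while leaving
# everyone else allowed; prints nothing when no client crosses the threshold.
# (httpd 2.2 would use "Order allow,deny" / "Allow from all" / "Deny from <ip>".)
deny_snippet() {
  ips=$(abusive_ips "$1" "$2")
  [ -n "$ips" ] || return 0
  echo "<RequireAll>"
  echo "    Require all granted"
  echo "$ips" | while read -r ip; do
    echo "    Require not ip $ip"
  done
  echo "</RequireAll>"
}

# Stand-alone usage: flag anything over 5 requests a minute in the sample log.
sample=$(make_sample_log)
deny_snippet "$sample" 5
rm -f "$sample"
```

Review the list before loading it: a NAT gateway or corporate proxy can put many legitimate users behind one address, and a scanner that rotates addresses will never trip a per-IP threshold. For sustained abuse, mod_evasive or a firewall rule is cheaper than making httpd evaluate a growing Require list on every request.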

Links

http://httpd.apache.org - the official Apache HTTPD project page.

http://syhunt.com - provides vulnerability assessment software.

http://modsecurity.org - web application firewall that can work either embedded or as a reverse proxy. A book is available at: https://www.feistyduck.com/books/modsecurity-handbook/

http://www.foundstone.com/us/resources/proddesc/ssldigger.htm - SSLDigger is a tool to assess the strength of SSL servers by testing the ciphers supported.

http://apachesecurity.net - complete guide to securing your Apache web server.

http://nstalker.com/products/free - N-Stalker Web Application Security Scanner 2009 Free Edition provides a restricted set of free web security assessment checks.

http://www.nessus.org/nessus - vulnerability scanner


Tags: Apache, httpd