CentOS - Apache configuration
Written by dani   
Tuesday, 30 September 2008

(from slicehost.com)

Let's take a look at the main httpd.conf for our CentOS Apache install.

We're not actually going to change a lot at this point, just look at the main settings and see what they mean and what a change will actually do.


Defaults

Why no specific changes to the default? Well, it's difficult to give a definitive configuration as there are so many variables to consider such as expected site traffic, Slice size, site type, etc.

However, we'll discuss the main settings and you can make any decisions as to what settings you feel are best for your site.

My advice is very simple: experiment. Find what works best on your setup.

httpd.conf

Open up the main CentOS Apache config file:

sudo nano /etc/httpd/conf/httpd.conf

I won't list the whole contents here but, if you are not familiar with the settings, have a read of the comments. I find them very informative and straight to the point.

Let's look at some of the main settings and what they mean (you may notice that we skip some settings but don't worry, many of them will be discussed in the 2nd Apache configuration article):

Timeout

Default:

Timeout 120

This sets (in simple terms) the maximum time, in seconds, that Apache will wait to receive a request, act on it and send the response.

The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, such as 45 or even lower. A decrease may also help in reducing the effects of a DoS attack.

KeepAlive

Default:

KeepAlive Off

Setting this to 'On' allows for persistent connections to a client so each file, image, etc is not requested with a new connection. This allows for more efficiency. Define the KeepAlive settings as shown below:

MaxKeepAliveRequests

Default:

MaxKeepAliveRequests 100

Now that we have our persistent connection, set the maximum number of requests per connection. Keep this high for maximum efficiency. If you have a site with images, javascripts, etc, try increasing this to 200.

KeepAliveTimeout

Default:

KeepAliveTimeout 15

So how long does the persistent connection wait for the next request? The default setting is very high and can easily be reduced to 2 or 3 seconds. If no new requests are received during this time the connection is killed.

What does this mean? Well, once a connection has been established and the client has requested the files needed for the web page, this setting says "sit there and ignore everyone else until the time limit is reached or you get a new request from the client".

Why would you want a higher time? In cases where there will be a lot of interactivity on the site. However, in most cases, people will go to a page, read it for a while and then click for the next page. You don't want the connection sat there doing nothing and ignoring other users.

prefork MPM

During the Apache install we installed Apache using prefork and not Apache using worker. If you want to know more about the differences between the two I will point you towards the official Apache docs (which are actually very good).

Default:

<IfModule mpm_prefork_module>
StartServers          8
MinSpareServers       5
MaxSpareServers      20
ServerLimit         256
MaxClients          256
MaxRequestsPerChild 4000
</IfModule>

Again, it's difficult to give a suggestion here as to what is best for your site but, most of the time, they can be left at the defaults.

StartServers: number of child server processes created at startup

MinSpareServers: minimum number of child server processes not doing anything (idle).

MaxSpareServers: maximum number of child server processes not doing anything (idle) - any more than the maximum will be killed.

Don't set MaxSpareServers lower than MinSpareServers; if you do, Apache will ignore the silly number and set the Max at Min+1.

ServerLimit: sets the upper limit on the value that MaxClients can be set to.

MaxClients: sets the maximum simultaneous requests that Apache will handle. Anything over this number will be queued until a process is free to action the request.

MaxClients is not the same as the maximum number of visitors you can have. It is the maximum number of simultaneous requests.

Remember the KeepAliveTimeout? This was set low so the next request can be actioned but the original (now 'idle') client will still be sat there reading your webpage - the new (active) request will be actioned or, if the MaxClients limit has been reached, will be queued ready for the next available process.

In most cases, the client is not 'active'. Take this page. You requested it (using an active process) and then spent a while reading it which uses no processes - you are 'idle' (as far as the server is concerned!).

MaxRequestsPerChild: sets how many requests a child process will handle before terminating. The default is 4000. If you set it to 0, it will never die.


Continuing from the first CentOS Apache configuration article, we now look at some of the other settings in the main httpd.conf file and what they can do.

Concentrating on efficiency and security, this will end our httpd.conf journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the CentOS installing Apache and PHP5 article, you will have already set the ServerName configuration.

If you fail to set the ServerName then on an Apache restart you will see the following warning:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name,
using xxxxxx for ServerName

Where xxxxxx is your Slice hostname.

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' will enable DNS lookups so host names can be logged (it performs a reverse DNS check). Setting it to 'Double' will not only perform the reverse DNS check but will then also check the resulting hostname.

This is all a bit much and, if you desperately need hostname information from your visitors, it is advised to use logresolve (located in /usr/bin/logresolve) for this purpose. A small explanation can be found here.

ServerTokens

Default:

ServerTokens OS

The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.

The default (set as 'OS') would send something like this:

Apache/2.2.3 (CentOS)

Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.

It does not make the actual install any more secure but all someone has to do right now is look for an exploit in CentOS Apache 2.2.3 and so on. Why make it easy for them?

The options are (with example outputs):

Full

Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8b

OS

Apache/2.2.3 (CentOS)

Minimal

Apache/2.2.3

Minor

Apache/2.2

Major

Apache/2

Prod

Apache

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.

If you navigate to your Slice IP address and a non-existent page:

http://123.45.67.890/blahblah

You will see a 404 Page not found page with the footer information:

[Image: Apache ServerSignature footer on the 404 page]

Note the image shown has ServerTokens set to 'Prod' so little information is shown in the footer.

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (level defined by the ServerTokens setting)

Reload

After each change to the httpd.conf file, you will need to reload Apache for the settings to take effect:

sudo /etc/init.d/httpd reload
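
To check a config file against the values suggested in this article, the following shell script reports the effective Timeout, KeepAliveTimeout, HostnameLookups, ServerTokens and ServerSignature settings. It is an added example, not part of the original article; the function names are made up here, and treating anything other than ServerSignature Off as a finding is this example's assumption.

```shell
# Effective value: last uncommented occurrence (directive names are case-insensitive).
# Limitation of this sketch: Included files and <VirtualHost> scoping are not followed.
get_directive() {   # usage: get_directive NAME FILE
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { print val }
    ' "$2"
}

# Numeric directive: warn when above the ceiling the article suggests.
check_max() {       # usage: check_max NAME CEILING FILE
    v=$(get_directive "$1" "$3")
    case $v in
        ''|*[!0-9]*) echo "INFO $1 not set (or not numeric)" ;;
        *) if [ "$v" -gt "$2" ]; then echo "WARN $1 $v (article suggests <= $2)"
           else echo "OK   $1 $v"; fi ;;
    esac
}

# Keyword directive: warn when it differs from the wanted value, ignoring case.
check_is() {        # usage: check_is NAME WANTED FILE
    v=$(get_directive "$1" "$3")
    if [ -z "$v" ]; then echo "INFO $1 not set"
    elif [ "$(echo "$v" | tr 'A-Z' 'a-z')" = "$(echo "$2" | tr 'A-Z' 'a-z')" ]
    then echo "OK   $1 $v"
    else echo "WARN $1 $v (suggested: $2)"; fi
}

audit_conf() {      # usage: audit_conf FILE
    check_max Timeout 45 "$1"
    check_max KeepAliveTimeout 3 "$1"
    check_is HostnameLookups Off "$1"
    check_is ServerTokens Prod "$1"
    check_is ServerSignature Off "$1"   # assumption: the article states no preference
}

# Constructed sample: defaults quoted in the article, with a later lower-case override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Timeout 120
KeepAliveTimeout 15
# ServerTokens Prod
ServerTokens OS
ServerSignature On
keepalivetimeout 3
EOF
audit_conf "$sample"
rm -f "$sample"
```

On a real server, point it at the live file with audit_conf /etc/httpd/conf/httpd.conf.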




Last Updated ( Tuesday, 30 September 2008 )
 