Apache Optimization

29. February 2012 SysAdmin 0

All the important configuration options are stored by Apache in a config file called httpd.conf that is located at /usr/local/apache/conf/httpd.conf. We will start by opening this file in your favorite text editor. For example:

– vi /usr/local/apache/conf/httpd.conf

Total number of concurrent connections.
Locate it in the configuration file. This should be set to a reasonable value. I suggest using this formula to determine the right value for your server.

– MaxClients = 150 x RAM (GB)

So for example if you have 2 GB or RAM set this value to 300.
There is no reason for you to set it any higher unless you have a specific problem with this value. A high value can lead to a complete server hang in case of a DOS attack. A value too low can create timeout problems for your clients if the limit is reached.
This value should be same as MaxClients

– ServerLimit = 150 x RAM (GB)

**MinSpareServers and MaxSpareServers**
MaxSpareServers and MinSpareServers control how many spare (unused) child-processes Apache will keep alive while waiting for more requests to put them to use. Each child-process consumes resources, so having MaxSpareServers set too high can cause resource problems. On the other hand, if the number of unused servers drops below MinSpareServers, Apache will fork (an expensive operation) new child-processes until MinSpareServers is satisfied.
Leave those values to:

– MinSpareServers 5

– MaxSpareServers 10

If you have more them 2 GB of RAM and you run a resource intensive website consider increasing MaxSpareServers.
Controls the number of request the a child serves before the child is killed. This should not be set too low as it will put an unnecessary load on the apache server to recreate the child. I suggest setting it to:

– MaxRequestsPerChild 1000 for 1 GB RAM

10,000 for 2 GB and 0 for more than 2 GB RAM
**KeepAlive and MaxKeepAliveRequests**
KeepAlive provides long-lived HTTP sessions which allow multiple requests to be sent over the same TCP connection. In some cases this has been shown to result in an almost 50% speedup in latency times for HTML documents with many images, but having keepalive on is also a resource intensive setting.
Here comes the big question: To KeepAlive or not to KeepAlive?
Well the opinions are mixed here, some say to KeepAlive some say not to.

– KeepAlive off

If you want to hear my option I would say NOT to KeepAlive if you are running a shared hosting business or if you want to get the most out of your hardware. You should KeepAlive only if the loading time of your pages is the most important factor in your business and you have the money to invest in a more powerful hardware. If you decide to KeepAlive I suggest you set MaxKeepAliveRequest low to something like 2 seconds.
Sets the number of child server processes created on startup. This setting depends greatly on the type of webserver you run. If you run low traffic websites on that server set it low to something like 5. If you have resource intensive websites on that server you should set it close to MaxClients.
– StartServers 5

The amount of time Apache will wait for three things: the total amount of time it takes to receive a GET request, The amount of time between receipt of TCP packets on a POST or PUT request, the amount of time between ACKs on transmissions of TCP packets in responses.
The default value is 300. You should set time to something a bit lower. A setting of 150 is probably ok. This will also help in case of small DOS attacks like to ones targeting some phpBB forums. Do NOT set it any lower then 10 as your users will start having timeout problems.
– Timeout 150

After you have done all the necessary changes you can go ahead and restart Apache.
There is an extra step that you have to do so that the changes that you done to httpd.conf aren’t lost when a recompile is done.
To also save the changes in the database you will have to run:
/usr/local/cpanel/bin/apache_conf_distiller –update
You can check to see if the changes were accepted and will not be discarded at the next apache recompile by running
**Sample values:**
MinSpareServers 5
MaxSpareServers 10
ServerLimit 600
MaxClients 600
MaxRequestsPerChild 0
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
Timeout 30
**Configure httpd.conf**

Set the following in your httpd.conf file. You can also download an example httpd.conf with these settings here.

Directive and setting

ServerSignature Off
Prevents server from giving version info on error pages.

ServerTokens Prod
Prevents server from giving version info in HTTP headers

User apache
Ensure that the child processes run as unprivileged user
Group apache
Ensure that the child processes run as unprivileged group

ErrorDocument 404 errors/404.html
ErrorDocument 500 errors/500.html

To further obfuscate the web server and version, this will redirect to a page that you should create, rather than using the default Apache pages.

ServerAdmin [email protected]
Use a mail alias – never use a person’s email address here.

UserDir disabled root
Remove the UserDir line, since we disabled this module. If you do enable user directories, you’ll need this line to protect root’s files.

Order Deny, Allow
deny from all

Deny access to the root file system.

deny from all

Options -FollowSymLinks -Includes -Indexes -MultiViews
AllowOverride None
Order allow,deny
Allow from all

LimitExcept prevents TRACE from allowing attackers to find a path through cache or proxy servers.

The “-“ before any directive disables that option.

FollowSymLinks allows a user to navigate outside the doc tree, and Indexes will reveal the contents of any directory in your doc tree.

Includes allows .shtml pages, which use server-side includes (potentially allowing access to the host). If you really need SSI, use IncludesNoExec instead.

AllowOverride None will prevent developers from overriding these specifications in other parts of the doc tree.
AddIcon (remove)
IndexOptions (remove)
AddDescription (remove)
ReadmeName (remove)
HeaderName (remove)
IndexIgnore (remove)
Remove all references to these directives, since we disabled the fancy indexing module.

Alias /manual (remove)
Don’t provide any accessible references to the Apache manual, it gives attackers too much info about your server.

You should familiarize yourself with the following parameters. Unless you are running a high-volume web site, you can safely leave the settings at their default values. If you are running a high-volume web site, you’ll want to adjust these directives upward to better withstand denial-of-service attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *