Ubuntu Hardy - Apache configuration
As we know, Ubuntu Hardy uses a different layout from other non-Debian based systems - let's move on and take a look at the main apache2.conf and ports.conf.
We're not actually going to change a lot at this point, just look at the main settings and see what they mean and what a change will actually do.
Why no specific changes to the default?
Well, it's difficult to give a definitive configuration as there are so many variables to consider such as expected site traffic, Cloud Server size, site type, etc.
Remember that it is very unlikely the default Apache configuration will be ideal for your Cloud Server. Don't be intimidated by the thought of 'optimising' the install - following the next couple of articles will allow you to understand the meaning behind the concepts.
You'll also find the same things apply to any web server - they may call them different things, but the concepts remain the same.
My advice is very simple: experiment. Find what works best on your setup.
Let's start with the ports.conf file:
sudo nano /etc/apache2/ports.conf
The default entry is:
Listen 80 <IfModule mod_ssl.c> Listen 443 </IfModule>
Well, that seems fair enough. Port 80 is the standard HTTP port to listen on and if you have the ssl module loaded, then it will also listen on port 443 (HTTPS)
Configuring Apache to listen on another port, say 8080, is as simple as adding:
Once that is added to the file and Apache restarted, it would listen on port 8080.
now open up the main Hardy Apache config file:
sudo nano /etc/apache2/apache2.conf
I won't list the contents here but, if you are not familiar with the settings, have a read of the comments. I find them very informative and straight to the point.
You may be surprised how well config files are documented. I always recommend giving them a read - sure, they may not make a lot of sense to begin with but as time goes by you will be able to glance at them and know what to change.
Anyway, let's look at some of the main settings and what they mean: Timeout
This sets (in simple terms) the maximum time, in seconds, to wait for a request, action it and the response to the request.
The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, such as 45 or even lower. A decrease may also help in reducing the effects of a DOS attack.
Keep this set at 'On' as it allows for persistent connections to a client so each file, image, etc is not requested with a new connection. This allows for more efficiency. Define the KeepAlive settings as shown below:
So how long does the persistent connection wait for the next request? The default setting is very high and can easily be reduced to 2 or 3 seconds. If no new requests are received during this time the connection is killed.
What does this mean? Well, once a connection has been established and the client has requested the files needed for the web page, this setting says "sit there and ignore everyone else until the time limit is reached or you get a new request from the client".
Why would you want a higher time? In cases where there will be a lot of interactivity on the site. However, in most cases, people will go to a page, read it for a while and then click for the next page. You don't want the connection sat there doing nothing and ignoring other users.
During the Ubuntu Hardy - Apache and PHP install we selected apache2-mpm-prefork and not apache2-mpm-worker. If you want to know more about the differences between the two I will point you towards the official Apache docs (which are actually very good).
<IfModule mpm_prefork_module> StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 0 </IfModule>
Again, it's difficult to give a suggestion here as to what is best for your site but have a read of the definitions below and see if anything could be improved when you consider what your site(s) serves.
StartServers: number of child server processes created at startup
MinSpareServers: minimum number of child server processes not doing anything (idle).
MaxSpareServers: maximum number of child server processes not doing anything (idle) - any more than the maximum will be killed.
Don't set Max lower than Min but Apache will ignore silly numbers here and set the Max at Min+1.
MaxClients: sets the maximum simultaneous requests that Apache will handle. Anything over this number will be queued until a process is free to action the request.
MaxClients is not the same as the maximum number of visitors you can have. It is the maximum requests.
Remember the KeepAliveTimeout? This was set low so the next request can be actioned and the original (now 'idle') client will still be sat there reading your webpage - the new (active) request will be actioned or, if the MaxClients limit has been reached, will be queued ready for the next available process.
In most cases, the client is not 'active'. Take this page. You requested it (using an active process) and then spent a while reading it which uses no processes - you are 'idle' (as far as the server is concerned!).
MaxRequestsPerChild: sets how many requests a child process will handle before terminating. The default is zero, which means it will never die.
Why change this if the Max numbers are set as shown above? Well, it can help in managing your Cloud Server memory usage.
If you change the default you give a child a finite number of actions before it will die. This will, in effect, reduce the number of processes in use when the server is not busy. Thus freeing memory.
Freeing it for what though? If other software needed memory then it would also need it when the server is under load. It is unlikely you will have anything that requires memory only when the server is quiet.
Default: Not Set
The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).
If you followed the Ubuntu Hardy - Apache and PHP install article, you will have already set the ServerName configuration.
If you fail to set the ServerName then on an Apache restart you will see the following warning:
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
To stop the warning and set the ServerName, add the following to the apache2.conf:
Remember the test Cloud Server has a hostname of 'demo' - set this to your hostname or FQDN.
If you want happy users and to save traffic, keep this at Off.
Setting this to 'On' will enable DNS lookups so host names can be logged (it performs a reverse DNS check), setting it to 'Double' will not only perform the reverse DNS check it will then check the resulting hostname.
All a bit much and if you desperately need hostname information from your visitors it is advised to use logresolve (located in /usr/sbin/logresolve) for this purpose. A small explanation can be found here.
The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.
The default (Full) would send something like this:
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server
Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.
It does not make the actual install any more secure but all someone has to do right now is look for an exploit in Ubuntu Apache 2.2.8 and so on. Why make it easy for them?
The options are (with example outputs):
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server
Apache/2.2.8 (Ubuntu) Server
It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.
Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.
If you navigate to your Cloud Server IP address and a non-existent page:
You will see a 404 Page not found page with the footer information:
The options are:
Off: Produces no footer
On: Produces footer information (at a level defined by the ServerTokens setting)
Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)
It doesn't work!
If you are experimenting with the settings in the main apache2.conf file and find that changing the ServerSignature setting does nothing then keep in mind that many settings can be overridden by the virtual host file.
In this case, the default virtual host file has:
So open the file:
sudo nano /etc/apache2/sites-available/default
Change the ServerSignature to On, Off or Email. You can even delete the ServerSignature setting from the vhost file so it takes it from the apache2.conf.
Reload Apache after any changes to the virtual host file and voilà! All is good.
Some simple steps in this article but ones which I believe are very useful and aid in increasing the efficiency of your Cloud Server and assist in the overall security effort on your Cloud Server.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER