Fedora - Apache Configuration
Let's take a look at the main httpd.conf for our Fedora 10 Apache install.
We're not actually going to change a lot at this point, just look at the main settings and see what they mean and what a change will actually do.
Why no specific changes to the default? Well, it's difficult to give a definitive configuration as there are so many variables to consider such as expected site traffic, Cloud Server size, site type, etc.
However, we'll discuss the main settings and you can make any decisions as to what settings you feel are best for your site.
My advice is very simple: experiment. Find what works best on your setup.
Open up the main CentOS Apache config file:
sudo nano /etc/httpd/conf/httpd.conf
I won't list the whole contents here but, if you are not familiar with the settings, have a read of the comments. I find them very informative and straight to the point.
Let's look at some of the main settings and what they mean (you may notice that we skip some settings but don't worry, many of them will be discussed in the 2nd Apache configuration article):
This sets (in simple terms) the maximum time, in seconds, to wait for a request, action it and the response to the request.
The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, such as 45 or even lower. A decrease may also help in reducing the effects of a DOS attack.
Setting this to 'On' allows for persistent connections to a client so each file, image, etc is not requested with a new connection. This allows for more efficiency. Define the KeepAlive settings as shown below:
So how long does the persistent connection wait for the next request? The default setting is very high and can easily be reduced to 2 or 3 seconds. If no new requests are received during this time the connection is killed.
What does this mean? Well, once a connection has been established and the client has requested the files needed for the web page, this setting says "sit there and ignore everyone else until the time limit is reached or you get a new request from the client".
Why would you want a higher time? In cases where there will be a lot of interactivity on the site. However, in most cases, people will go to a page, read it for a while and then click for the next page. You don't want the connection sat there doing nothing and ignoring other users.
During the Apache install we installed Apache using prefork and not Apache using worker. If you want to know more about the differences between the two I will point you towards the official Apache docs (which are actually very good).
<IfModule mpm_prefork_module> StartServers 8 MinSpareServers 5 MaxSpareServers 20 ServerLimit 256 MaxClients 256 MaxRequestsPerChild 4000 </IfModule>
Again, it's difficult to give a suggestion here as to what is best for your site but, most the time, they can be left at the defaults.
StartServers: number of child server processes created at startup
MinSpareServers: minimum number of child server processes not doing anything (idle).
MaxSpareServers: maximum number of child server processes not doing anything (idle) - any more than the maximum will be killed.
Don't set Max lower than Min but Apache will ignore silly numbers here and set the Max at Min+1.
ServerLimit: sets the server limit
MaxClients: sets the maximum simultaneous requests that Apache will handle. Anything over this number will be queued until a process is free to action the request.
MaxClients is not the same as the maximum number of visitors you can have. It is the maximum requests.
Remember the KeepAliveTimeout? This was set low so the next request can be actioned but the original (now 'idle') client will still be sat there reading your webpage - the new (active) request will be actioned or, if the MaxClients limit has been reached, will be queued ready for the next available process.
In most cases, the client is not 'active'. Take this page. You requested it (using an active process) and then spent a while reading it which uses no processes - you are 'idle' (as far as the server is concerned!).
MaxRequestsPerChild: sets how many requests a child process will handle before terminating. The default is 4000. If you set it to 0, it will never die.
Default: Not Set
The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).
If you followed the Fedora 10 articles covering installing Apache and PHP5, you will have already set the ServerName configuration.
If you fail to set the ServerName then on an Apache restart you will see the following warning:
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
If you want happy users and to save traffic, keep this at Off.
Setting this to 'On' will enable DNS lookups so host names can be logged (it performs a reverse DNS check), setting it to 'Double' will not only perform the reverse DNS check it will then check the resulting hostname.
All a bit much and if you desperately need hostname information from your visitors it is advised to use logresolve (located in /usr/bin/logresolve) for this purpose. A small explanation can be found here.
The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.
The default (Set as 'OS") would send something like this:
Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.
It does not make the actual install any more secure but all someone has to do right now is look for an exploit in CentOS Apache 2.2.3 and so on. Why make it easy for them?
The options are (with example outputs):
Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8b
It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.
Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.
If you navigate to your Server IP address and a non-existent page:
You will see a 404 Page not found page with the footer information:
The options are:
Off: Produces no footer
On: Produces footer information (at a level defined by the ServerTokens setting)
Email: Adds an email link to the information (level defined by the ServerTokens setting)
After each change to the httpd.conf file, you will need to reload Apache for the settings to take effect:
sudo /sbin/service httpd reload
Some simple steps in this article but ones which I believe are very useful and aid in increasing the efficiency of your Server and assist in the overall security effort on your Server.
© 2015 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER