Apache

• vlogger: http://n0rp.chemlab.org/vlogger
• webalizer: http://www.mrunix.net/webalizer

• disable DNS Look Up
• MaxClients ( 512 )
• KeepAlive
  • Disable KeepAlive connections (by setting KeepAlive to Off)
  • Shorten the KeepAliveTimeout value to something like 3 seconds for instances), reducing the maximum simultaneous opened connections to 768
• Compress HTTP Content
• Turn off unwanted services - There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file. Those services/features that could cause the most issues include:
  • Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexing”.
  • Server side Includes. This is another feature that is disabled within a directory tag (using Options directive) and is set with “-Includes”.
  • CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
  • Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
  • None. You can turn off all options (in the same way you set the above) using “None” with the Option directive.
• Disable unused modules
• Restrict access

Order Deny, Allow
Deny from all
Allow from 192.168.1.0/16

• Limit request size - Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your Web site’s needs. By default, LimitRequestBody is set to unlimited.
• Hide Apache’s version number

ServerSignature Off
ServerTokens Prod
TraceEnable Off

in ssl.conf

 SSLProtocol -ALL +SSLv3 +TLSv1
 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

in vhost

 Include conf/ssl.conf
 RewriteEngine on
 RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
 RewriteRule .* - [F]

• Disable unnecessary PHP variable

allow_call_time_pass_reference = Off
magic_quotes_gpc = Off
register_long_arrays = Off
register_argc_argv = Off
allow_url_fopen = Off
expose_php = Off
disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog, apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual, phpinfo

also see: HowtoForce - ModDeflate, mod_deflate

<Location />
 # Insert filter
 SetOutputFilter DEFLATE

 #DeflateFilterNote ratio
 #DeflateCompressionLevel 9
 # Netscape 4.x has some problems...
 BrowserMatch ^Mozilla/4 gzip-only-text/html

 # Netscape 4.06-4.08 have some more problems
 BrowserMatch ^Mozilla/4\.0[678] no-gzip

 # MSIE masquerades as Netscape, but it is fine
 # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

 # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
 # the above regex won't work. You can use the following
 # workaround to get the desired effect:
 BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

 # Don't compress images
 SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
 SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
 SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary

 # Make sure proxies don't deliver the wrong content
  Header append Vary User-Agent env=!dont-vary
</Location>

This configuration will compress everything except for images. Of course, you can’t test this with curl, but you can test it with Firefox and LiveHTTPHeaders. If you don’t have Firefox handy, you can try a very handy web application that will give you the statistics about the compression of your site’s data.

deflate.load header.load

= SSL = http://www.mail-archive.com/modssl-users@modssl.org/msg10790.html

ssl.conf
#SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout 300