Apache
utils
- vlogger: http://n0rp.chemlab.org/vlogger
- webalizer: http://www.mrunix.net/webalizer
optimization
- Disable DNS lookups
- MaxClients ( 512 )
- Shorten the KeepAliveTimeout value (to something like 3 seconds, for instance), reducing the maximum simultaneous open connections to 768
- Compress HTTP Content
- Turn off unwanted services - There are a few services and/or features that you will want to turn off or not allow. All of these services can be disabled in the httpd.conf file. Those services/features that could cause the most issues include:
  - Directory browsing. This is done within a directory tag (the document root is a good place to start) using the Options directive and is set with “-Indexes”.
  - Server side Includes. This is another feature that is disabled within a directory tag (using the Options directive) and is set with “-Includes”.
  - CGI execution. Unless your site needs CGI, turn this off. This feature is also set within a directory tag using the Options directive, with “-ExecCGI”.
  - Symbolic links. Set this inside a (surprise, surprise) directory tag with “-FollowSymLinks”.
  - None. You can turn off all options (in the same way you set the above) using “None” with the Options directive.
- Disable unused modules
- Restrict access
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/16
- Limit request size - Denial of service attacks are always a possibility when you allow large requests on Apache. Apache has a directive, LimitRequestBody, that is placed within a Directory tag. The size of your limit will depend upon your Web site’s needs. By default, LimitRequestBody is set to unlimited.
- Hide Apache’s version number
ServerSignature Off
ServerTokens Prod
TraceEnable Off
in ssl.conf
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
in vhost
Include conf/ssl.conf
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
- Disable unnecessary PHP variables
allow_call_time_pass_reference = Off
magic_quotes_gpc = Off
register_long_arrays = Off
register_argc_argv = Off
allow_url_fopen = Off
expose_php = Off
disable_functions = symlink,shell_exec,proc_close,proc_open,dl,passthru,escapeshellarg,escapeshellcmd,openlog,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,virtual,phpinfo
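One way to check an httpd.conf against the Apache items in the checklist above (Options, LimitRequestBody, ServerSignature, ServerTokens, TraceEnable). This is an added example, not part of the original notes; the function name `audit` and the sample config are constructed for illustration. It assumes Apache's built-in defaults for the three global directives and, as stated above, that a missing LimitRequestBody means unlimited.

```python
import re

# Constructed sample config for this example (not from the original page).
SAMPLE_CONF = """\
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/uploads">
    Options None
    LimitRequestBody 1048576
</Directory>
"""

# directive -> (value the checklist asks for, Apache's built-in default)
WANTED = {"serversignature": ("off", "off"), "servertokens": ("prod", "full"),
          "traceenable": ("off", "on")}
RISKY = {"indexes", "includes", "execcgi", "followsymlinks"}  # Options to turn off

def audit(conf):
    """Return findings for httpd.conf-style text; section merging is not modelled."""
    findings, seen, section = [], {}, None
    for line in filter(None, map(str.strip, conf.splitlines())):
        words = line.split()
        name, args = words[0].lower(), words[1:]
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            section = {"path": opened.group(1), "limited": False}
        elif name.startswith("</directory"):
            # Assumption: no LimitRequestBody means unlimited, as the page states.
            if section and not section["limited"]:
                findings.append(f"{section['path']}: LimitRequestBody unlimited")
            section = None
        elif name in WANTED and section is None and args:
            seen[name] = args[0].lower()
        elif name == "options" and section:
            # "Indexes"/"+Indexes" enable an option; "-Indexes" and "None" do not.
            on = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            for opt in sorted(RISKY if "all" in on else on & RISKY):
                findings.append(f"{section['path']}: Options enables {opt}")
        elif name == "limitrequestbody" and section and args:
            section["limited"] = args[0] != "0"  # 0 means unlimited
    for name, (want, default) in WANTED.items():
        if seen.get(name, default) != want:
            findings.append(f"{name}: {seen.get(name, default)} (want {want})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Each `<Directory>` section is judged on its own directives only, so a section with no Options line is not reported even though it inherits settings from elsewhere.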
mod_deflate (Apache2)
also see: HowtoForce - ModDeflate, mod_deflate
<Location />
    # Insert filter
    SetOutputFilter DEFLATE
    #DeflateFilterNote ratio
    #DeflateCompressionLevel 9

    # Netscape 4.x has some problems...
    BrowserMatch ^Mozilla/4 gzip-only-text/html

    # Netscape 4.06-4.08 have some more problems
    BrowserMatch ^Mozilla/4\.0[678] no-gzip

    # MSIE masquerades as Netscape, but it is fine
    # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
    # the above regex won't work. You can use the following
    # workaround to get the desired effect:
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    # Don't compress images
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary

    # Make sure proxies don't deliver the wrong content
    Header append Vary User-Agent env=!dont-vary
</Location>
This configuration will compress everything except for images. Of course, you can’t test this with curl, but you can test it with Firefox and LiveHTTPHeaders. If you don’t have Firefox handy, you can try a very handy web application that will give you the statistics about the compression of your site’s data.
deflate.load header.load
= SSL =
http://www.mail-archive.com/modssl-users@modssl.org/msg10790.html
ssl.conf
#SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout 300