
Apache hints

Apache is a very useful piece of software which powers over half of the world's websites. It runs on pretty much anything, including old hardware. Apache can be set up either as a lightweight server churning out large volumes of simple pages, or as a more heavyweight application server. Here are some configuration tips.

# KeepAlive allows multiple files (e.g. images) to be served
# over the same TCP connection. The problem is that each idle
# KeepAlive connection ties up server resources, leading to potential
# denial-of-service. So keep the timeout and number of requests low.

KeepAlive On
MaxKeepAliveRequests 30
KeepAliveTimeout 3

# We log keepalives - amongst other things. We see that about 40% of our
# connections use the facility.

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %c %T %v" custom
# So we log keepalive, processing time, and virtual host info as well as
# the usual extended log format. NOTE: the %c has changed to %X in Apache 2.0

# The number of seconds Apache waits on a receive or send before timing out
# should not be too high, as each waiting process uses up resources.
# The 3 minute default is just silly.

Timeout 30
			
# MacOSX leaves .DS_Store files around, which give potential
# attackers useful information. We don't like that.

<FilesMatch '^\.[Dd][Ss]_[Ss]'>
        Order allow,deny
        Deny from all
</FilesMatch>

# More misc information-leak type files:
# names ending in ",v" (RCS revision files)
<Files ~ ",v$">
        Order allow,deny
        Deny from all
</Files>

# names starting with ".imap"
<Files ~ "^\.imap">
        Order allow,deny
        Deny from all
</Files>

# There are assorted Windows viruses out there which will
# probe Apache servers. Those requests are not our problem.

<Location /default.ida*>
	deny from all
	ErrorDocument 403 http://www.microsoft.com/technet/security/bestprac/isacored.mspx
</Location>

<Location /scripts/*>   
	deny from all
	ErrorDocument 403 http://www.microsoft.com/technet/Security/topics/virus/nimda.mspx
</Location>

# PHP configuration that leans towards security, restricting access to system and network
# files, and putting limits on CPU usage. For more info, read the manual.

<IfModule mod_php4.c>
        php_admin_flag short_open_tag off
        php_admin_flag safe_mode on
        php_admin_flag y2k_compliance on
        php_admin_flag display_errors off
        php_admin_flag log_errors on
        php_admin_flag allow_url_fopen off
        php_admin_flag expose_php off
        php_admin_value max_execution_time 5
        php_admin_flag safe_mode_gid on
</IfModule>

# Add mime type for .ico and .xml
AddType image/x-icon .ico
AddType application/rss+xml .xml
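
As an added example (not part of the original page), the following Python script parses log lines written with the "custom" LogFormat above and reports, per virtual host, how many responses left the connection open for keepalive (`+`), how many were aborted by the client (`X`), and how many took at least a threshold number of seconds. The sample lines, host names and the `slow_secs` threshold are constructed for illustration.

```python
import re

# Field order follows the page's LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" %c %T %v
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # Apache writes embedded quotes as \"
LINE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    + QUOTED + r' (?P<status>\d{3}) (?P<bytes>\d+|-) ' + QUOTED + ' ' + QUOTED
    + r' (?P<conn>[X+-]) (?P<secs>\d+) (?P<vhost>\S+)$'
)

def parse(line):
    """Return a dict of the named fields, or None if the line does not match."""
    m = LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(lines, slow_secs=5):
    """Per-vhost counts of keepalive (+), aborted (X) and slow (%T) requests."""
    stats, unparsed = {}, 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        s = stats.setdefault(rec["vhost"],
                             {"total": 0, "keepalive": 0, "aborted": 0, "slow": 0})
        s["total"] += 1
        s["keepalive"] += rec["conn"] == "+"
        s["aborted"] += rec["conn"] == "X"
        s["slow"] += int(rec["secs"]) >= slow_secs
    return stats, unparsed

def keepalive_share(stats):
    """Fraction of all parsed requests whose connection was kept alive."""
    total = sum(s["total"] for s in stats.values())
    return sum(s["keepalive"] for s in stats.values()) / total if total else 0.0

# Constructed sample input (documentation addresses and host names).
SAMPLE = [
    r'192.0.2.10 - - [19/Oct/2006:05:30:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" + 0 www.example.org',
    r'192.0.2.10 - - [19/Oct/2006:05:30:01 +0000] "GET /logo.png HTTP/1.1" 200 2048 "http://www.example.org/" "Mozilla/5.0" + 0 www.example.org',
    r'198.51.100.7 - - [19/Oct/2006:05:30:04 +0000] "GET /style.css HTTP/1.1" 304 - "-" "-" - 0 www.example.org',
    r'203.0.113.5 - - [19/Oct/2006:05:31:10 +0000] "GET /big.iso HTTP/1.1" 200 1024 "-" "Wget/1.10 \"test\"" X 31 files.example.org',
    'garbage line',
]

if __name__ == "__main__":
    stats, unparsed = summarize(SAMPLE)
    print(stats, "unparsed:", unparsed, "keepalive share:", keepalive_share(stats))
```

For Apache 2.0 logs the connection-status field comes from `%X` instead of `%c`, as noted above; the parser is unchanged because the field position and values are the same.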

For Apache versions 2.0 and up, the following settings can help performance in the right context. Assuming you have plenty of memory and CPU power, try:

#A small memory cache
CacheEnable mem / 
MCacheSize 2048 
MCacheMinObjectSize 1

#write several log entries together at once
BufferedLogs on

#compress plain text files to save bandwidth
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Maybe one day all this stuff will find its way into the default Apache config.


$Id: apache.html,v 1.6 2006/10/19 05:38:58 david Exp $