Monday, September 12, 2011

How to tune Apache performance and harden it


  • Understand how Apache works first
The main process is responsible for accepting new incoming connections and passing them to a "worker" process. Once the worker finishes its job, which is reading the user's request and sending back the response, it tells the main process it is done and waits for the next connection.

  • Apache and the keepalive issue - reduce the keepalive value to 2 seconds to allow Apache to terminate the connection soon enough, also
Imagine there are 1000 users connecting to your website at the same moment; how do you handle it? By default, Apache sets KeepAlive to 15 seconds and Timeout to 300 seconds (5 minutes).

Without keepalive, each connection serves only one of the files the browser has to download to display the page. This is not an efficient method, since a web page normally consists of several files that all have to be fetched before it displays properly.

You can reduce the KeepAlive timeout to 2 seconds (do not turn it off). Two seconds is enough to give the client time to request all the files needed to display a page without opening more than one connection, and it lets Apache terminate the connection soon enough that it can handle more clients than normal.
  • Use a worker (threaded) MPM
Using the threaded worker MPM uses less memory and increases the number of connections Apache is able to handle.

  • Some other tips
Disable ExtendedStatus
Set HostnameLookups Off
Set Options -Indexes FollowSymLinks (so Apache doesn't have to check whether a file is a symbolic link or not; it just follows it)
Use a more reasonable connection Timeout than 300 (30 seconds or less, so that modem users don't hog connections)
  • Use thttpd for static files
You can farm out all your static files, such as images, to thttpd; make sure it supports keepalive.

  • Apache is the only service on the web server
You can tune the StartServers, MinSpareServers, MaxSpareServers, MaxClients and MaxRequestsPerChild parameters accordingly if you are running a 3-tier architecture such as Apache, a Java-enabled middle server and a database backend.

You can use a big StartServers value, MinSpareServers 0, and a MaxSpareServers value the same as StartServers.

If you trust your application, you can set MaxRequestsPerChild to a very big value.

  • Hardening
Use the Apache 2.2 builtin chroot (ChrootDir /path)
Use 'TraceEnable Off' in the main httpd.conf to disable trace/track
Use ServerTokens Prod
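As an added example (not code from the original post), here is a small Python audit that reads an httpd.conf and reports which of the settings above are still at the weak values; the sample config is constructed, and the fallback values used for absent directives are the defaults the post quotes plus Apache's documented defaults for TraceEnable and ServerTokens.

```python
# Constructed sample httpd.conf showing the stock settings the post warns about.
SAMPLE_CONF = """\
Timeout 300
KeepAlive On
KeepAliveTimeout 15
HostnameLookups On
ExtendedStatus On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

def parse_directives(conf):
    """Map lower-cased directive name -> list of values; comments and section tags are skipped."""
    found = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        found.setdefault(name.lower(), []).append(value.strip())
    return found

def audit(conf):
    """Return findings for the checks in the post; [] means all pass.
    Absent directives fall back to the defaults the post quotes (KeepAliveTimeout 15,
    Timeout 300) or Apache's documented defaults (TraceEnable On, ServerTokens Full)."""
    d = parse_directives(conf)
    def last(name, default):  # last occurrence wins, as in Apache
        return d.get(name.lower(), [default])[-1]
    findings = []
    if last("KeepAlive", "On").lower() != "on":
        findings.append("KeepAlive is off: keep it on with a short timeout instead")
    if int(last("KeepAliveTimeout", "15")) > 2:
        findings.append("KeepAliveTimeout > 2: idle clients hold workers too long")
    if int(last("Timeout", "300")) > 30:
        findings.append("Timeout > 30: a slow client can hog a worker for minutes")
    if last("HostnameLookups", "Off").lower() != "off":
        findings.append("HostnameLookups on: a reverse DNS lookup per request")
    if last("ExtendedStatus", "Off").lower() != "off":
        findings.append("ExtendedStatus on: extra per-request bookkeeping")
    if last("ServerTokens", "Full").lower() != "prod":
        findings.append("ServerTokens not Prod: version details leak in the Server header")
    if last("TraceEnable", "On").lower() != "off":
        findings.append("TraceEnable not Off: the TRACE method is still allowed")
    for opts in d.get("options", []):
        if any(t.lstrip("+") == "Indexes" for t in opts.split() if not t.startswith("-")):
            findings.append("Options enables Indexes: directory listings are exposed")
    return findings
```

Running `audit(SAMPLE_CONF)` reports seven findings for the constructed config; a config with the tuned and hardened values from the post returns an empty list.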