APACHE :-
Apache is an open source web server which guarantees availability of active websites online . The original version of apache was especially designed for unix-like operating system Nowadays, it can be implemented on variety of O.S. platforms. According to Apache Software Foundation and Net craft web server survey, 65% of websites on the internet uses Apache server.
Features of Apache :-
1) Modularity
2)Uniformity
3)Portability
4)Powerful and Flexible webserver
5)Easily operable on wide variety of OS Platforms.
which made possible technologies like apache modules an API for apache module enabling features such as PHP, Mysql integration, URL Rewrite, PHP Handlers, Global variables and other features.
Apache Web Server Versions :-
Apache 1.3 :-
-Useful configuration files.
-Windows and Netware support
-DSO Support
-APXS tool (Basically APXS is located at /usr/local/apache/bin/apxs and the APXS is a tool used for building and installing extension modules for Apache HTTP Server).
Apache 2.0 :-
-Most comprehensive configuration files.
-Efficiency
-Supports IPV6 version.
-Unix Threading
-Introduced new compilation system and multi-langauge error messaging.
Apache 2.2 :-
-Offers more and new flexible modules.
-User Authentication and Proxy caching features.
-SQL Support
-Support files exceeding 2Gb.
————————————————————————————————————————–
You may felt boredom while reading below concept, But its the core and most important functional body of Apache.
MPM :-
MPM stands for Multiple Processing Modules. The main purpose of MPM is binding network ports on machine, accepting request and dispatching children to handle the requets.
Apache implements specialized MPM. MPM must be choosen while configuring and must be compiled in the server. MPM behaves like Apache module, the basic difference is only one MPM must be loaded into the server at any time.
List of Apache MPM modules are available. Refer the link for the same :-
http://httpd.apache.org/docs/2.0/mod/
Some of the well know and widely implemented MPM’s :-
1) Prefork :-
“The prefork MPM runs multiple processes with each child process handling one connection”.
Merits :-
-Stable and Secure
-Compatible with all implementations (cgi, fcgi, suPHP, DSO).
-Failure of one process wont affect other connections.
De-Merits :-
-Simultaneous execution of multiple processes >> indicates more memory usage.
A typical configuration of the process controls in the Preform MPM could look as follows:
StartServers 8
MinSpareServers 5
MaxSpareServers 20
MaxClients 256
MaxRequestsPerChild 1000
More Information
2) Worker :-
“The worker MPM has one control process that launches multi-threaded child processes which handles one connection per thread”.
Merits :-
-Multi-threaded design utilizes less memory usage irrespective of high connections.
-Fast performance.
De-Merits :-
-DSO Module Incompatible.
A typical configuration of the process-thread controls in the Worker MPM could look as follows:
ServerLimit 16
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
More Information
3) Event :-
“The Event MPM is similar to worker MPM but allows high performance by passing some of the listener thread work to each work processes. Each process can act as worker or listener depending on need and activity in CPU for respective time”.
Merits :-
-Better optimization.
De-Merits :-
-DSO Module Incompatible.
A typical configuration of the process-thread controls in the Event MPM could look as follows:
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 20
More Information
Distinguish between Perform, Worker, Event MPM’s
Configurations Definitions :-
* StartServers :- The number of child processes created on startup.
*MinSpareServers : Minimum number of idle child processes. apache will continue to create new processes. This should be high enough, idle processes should be on hand.
*MaxSpaceServers : Max number of idle child process, parent process will kill idle process in excess of limit.
*MaxClients : Max number of simultaneous request i.e Max number of Apache requests.
*MaxRequestsPerChild : Max number of request a child process will handle before it dies. if set to 0 ; process will never die
*ServerLimit : Max number of child process, must be greater on equal to maxclient divided by thread per child.
*ThreadsPerChild : No. of threads per child process.
*MaxSpareThread : Min no.of idle thread.
*KeepAlive ; allows for persistent connection to improve latency for connections that require multiple requests.
*KeepAliveTimeout : Length of time connection will be kept open for further request before closing.
*MaxKeepAliveRequests : Max no. of requests through a single keep alive connection.
Mod_Deflate
Mod_Deflate :-
mod_deflate is an module of an Apache HTTP Web Server. The basic purpose of mod_deflate is to speedup download web page access time. It provides DEFLATE output filter that allows output from webserver to webbrowser in the form of compression format.
It results in faster website access and decreases the amount of time in data transmission from web server to web browser.
mod_gzip or mod_gz modules are similar to mod_deflate which compresses the contents using different implementations like gzip implementations and external zlib library respectively.
You can check the gzip compression for website using below link :-
http://aruljohn.com/gziptest.php
How to Enable Mod_Deflate :-
1) # /scripts/easyapache
2) Adding the code under .htaccess file
<IfModule mod_deflate.c>
AddOutPutFilterByType DEFLATE text/html text/plain text/xml
<IfModule mod_setenvif.c>
# Netscape 4.x has some problems…
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won’t work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
# Don’t compress images
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
# Make sure proxies don’t deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
3) Append below code under httpd.conf
LoadModule deflate_module modules/mod_deflate.so
Append following configuration <Location /> directive:
<Location />
AddOutputFilterByType DEFLATE text/html text/plain text/xml
….
…
<Location>
Above line only compress html and xml files. Here is the configuration from one of my production box:
<Location />
…
…
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
…
…
<Location>
Close and save the file. Next restart apache web server. All of the above extension file should compressed by mod_deflate:
# /etc/init.d/httpd restart
More Information
Zip files corrupt when downloaded via IE but not via FF.
Firefox would download the zip and it was fine, but the file was coming through corrupt when downloading via Internet Explorer. This is a result of IE not handling gzip encoded files properly.
RLimits
RLimits
Resource limits, or RLimits, are sometimes appropriate on older hardware, or if a customer requests them specifically. It can only be set on VPS/Dedicated servers.
RLimits can be added to :-
# /usr/local/apache/conf/include/pre_main_global.conf
The most common entries are: Limits memory usage to 100MB. (note: will not work on VZ VPS)
RLimitMEM 104857600 104857600
Limits CPU usage.
RLimitCPU 150 200
Limits Number of processes per user (This is what regulates the process limits on shared servers).
RLimitNPROC 25 30
Mod_Expires/_Cache/_PageSpeed/_Bandwidth/_
Mod_Expires
The mod_expires module allows Cache-Control and expires headers to be added to a site without any changes to the existing site code. You can determine if a site is already providing cache headers by checking the current site headers: No caching headers:
~ $ curl -I http://www.hostgator.com
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2010 20:30:25 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Type: text/html; charset=UTF-8
Cloudflare’s caching headers:
HTML:
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Wed, 22 Sep 2010 20:19:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
ETag: “a568013-14dd2-490de3c42e8c0”
Accept-Ranges: bytes
Cache-Control: max-age=300, must-revalidate
Expires: Wed, 22 Sep 2010 20:24:48 GMT
Image:
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Wed, 22 Sep 2010 20:19:56 GMT
Content-Type: image/jpeg
Connection: keep-alive
Last-Modified: Tue, 03 Aug 2010 03:10:53 GMT
ETag: “a5683b0-10558-48ce2aa35e940”
Accept-Ranges: bytes
Content-Length: 66904
Expires: Wed, 22 Sep 2010 22:19:56 GMT
Cache-Control: max-age=7200
Note how the image is being cached for 2 hours while the html is only being cached for 5 minutes. You can reproduce those settings with the following .htaccess rules.
<filesmatch “\.(flv|gif|ico|jpg|jpeg|png|swf)$”>
header set Cache-Control “max-age=2592000”
</filesmatch>
<filesmatch “\.(css|js|pdf|txt)$”>
header set Cache-Control “max-age=604800”
</filesmatch>
<filesmatch “\.(html|htm)$”>
header set Cache-Control “max-age=43200”
</filesmatch>
<filesmatch “\.(cgi|fcgi|php|pl|scgi|spl)$”>
header unset Cache-Control
<ifmodule mod_expires.c>
expiresactive off
</ifmodule>
</filesmatch>
<ifmodule mod_expires.c>
expiresdefault “access plus 1 year”
</ifmodule>
Mod_Cache and Mod_Pagespeed
mod_pagespeed
mod_pagespeed is an Apache module that adjusts html output to help the page render faster in the clients browser and performs some caching for the output as well. Some of the more common tasks would be removing whitespaces between html code, unifying CSS and java scripts into one file, gziping and rearranging the html on the page.
Install script:
GET http://hgfix.net/heckel/install-pagespeed | bash
Mod_Bandwidth :-
“Mod_bandwidth” is a module for the Apache HTTP webserver that enable the setting of server-wide or per connection bandwidth limits, based on the directory, size of files and remote IP/domain.
You can find the specific file types affected and other configuration settings in the “/usr/local/apache/conf/includes/mod_bandwidth.conf” file.
Mod Security
mod_sec is the important module of an Apache web Server which is concerned with security. Shared/reseller servers run mod_security. mod_security is a real-time, application layer, web-application firewall that runs as an apache module.
The mod_security system watches each connection and looks for suspicious use/access based on defined rule sets. When a connection matches a rule set, the connection is blocked with an error (almost always a 403 (forbidden) error). Unfortunately, mod_security – by its very nature – has to be strict. This means that occasionally, a customer’s legitimate script use will be caught by mod_security. In those instances, we will have to white list the rules being hit in order for the script to continue to function.
Step 1: Determine which rule to whitelist. First, you must tail the apache error_log and determine which mod_security rule(s) need to be whitelisted. The easiest way to do this is with the command:
tail -f /usr/local/apache/logs/error_log | grep ‘216.110.94.228’
Once you have that running, reload the page. You will see something similar to the following appear:
[Mon Feb 15 20:59:28 2010] [error] [client 216.110.94.227] ModSecurity: Access denied with code 403 (phase 2). Pattern match “(?:http|https|ftp):/” at REQUEST_URI. [file “/opt/mod_security/98_asl_jitp.conf”] [line “881”] [id “1234234”] [rev “1”] [msg “JITP:1234234”] [severity “CRITICAL”] [hostname “www.hilili.com”] [uri “/tgp/st/st.php”] [unique_id “S3oKEK546YIAABcnxBAAAABK”]
Step 2: Determine the rule # being hit and white list Find the rule number, which would be the ID. In this case, the ID is highlighted, above. 1234234. Once you find the ID/rule, you will whitelist with the command: wlmodsec domain.tld rule# y/n In this case, you would use: wlmodsec hilili.com 1234234 y The y/n allows you to choose whether or not to automatically restart apache after the rule is whitelisted. This way, if you are whitelisting several domains (say a customer requests all of their domains be whitelisted against a specific rule), you can run it in a loop without having to restart after each whitelist. A loop would look similar to the following:
while read -r DOMS; do wlmodsec $DOMS 1234234 n; done < domain-list
After which, you would restart apache, manually.
Step 3: Repeat until all rules are found/whitelisted. You’ve found on rule. Where one rule is hit, invariably there are more. Go back to step 1, and repeat until you can reload the page (or repeat the process) without triggering an error. Whitelist each rule that you trigger. It is also possible to disable mod_security, completely, for a domain; however, we do not recommend this. If a customer is wishing to do this, it must be handled by an upper tier administrator It you need to manually edit the rules they are in
/opt/mod_security/whitelist.conf
Example (need to replace domain.com and ruleid):
SecRule SERVER_NAME “domain.com” phase:1,nolog,pass,ctl:ruleRemoveByID=ruleid
Example whitelisting a rule affecting a temporary url (replace username and ruleid):
SecRule REQUEST_URI “~username” phase:1,nolog,pass,ctl:ruleRemoveByID=ruleid Error
Message: ModSecurity: Unable to retrieve collection (name “global”, key “global”).
Use SecDataDir to define data directory first. mkdir -p /var/asl
mkdir -p /var/asl/data/
mkdir -p /var/asl/data/msa
mkdir -p /var/asl/data/audit
mkdir -p /var/asl/data/suspicious
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
Then we need to add following lines to /usr/local/apache/conf/modsec2.user.conf
SecUploadDir /var/asl/data/suspicious
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit Error Message: Rule execution error – PCRE limits exceeded (-8): (null). Add this to php.ini:
pcre.backtrack_limit = 50000
pcre.recursion_limit = 50000 Add this to modsec2.user.conf
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 5000
Recent Comments