A detailed explanation of Apache's various optimizations and security configurations

Source: Internet
Author: User

Introduction:

The hardware environment Apache runs on is the factor with the greatest impact on performance. Even if the hardware cannot be upgraded, it is best to give Apache a dedicated host so that other applications do not interfere with it. Among the hardware indicators, memory has the greatest impact on performance. For static content (pictures, JavaScript files, CSS files, etc.), it determines how much content Apache can cache: the more it caches, the less often content has to be read from the hard disk, so more memory can greatly improve the speed of a static site. For dynamic, high-load sites, each request is held for longer, and the Apache MPM module derives a corresponding process or thread for each request. The number of processes or threads is approximately proportional to memory consumption, so increasing memory also helps a dynamic site carry more load and run faster.

The second factor is the speed of the hard disk, which is particularly prominent for static sites: Apache constantly reads files and sends them in response to requests, so disk reads and writes are extremely frequent. A dynamic site also has to keep loading the web program (PHP, etc.), and a single request may read more than 10 files before it completes, so improving the speed and quality of the hard disk as much as possible has a positive effect on Apache's performance.

Last come the CPU and the network: the CPU affects how fast the web program executes, and the network affects the volume of traffic.

Several working modes and tuning of Apache

For the detailed Apache installation process, see this link: http://blog.csdn.net/kangshuo2471781030/article/details/79171344

The Apache HTTP server is designed to be a powerful, flexible server that works on a variety of platforms and environments. This modular design is called the "Multi-Processing Module" (MPM), also called the working mode.

1. Prefork (a non-threaded type):

It mainly works like this: when the Apache server starts, the mpm_prefork module creates multiple child processes (5 by default), each with only one thread. When a request arrives from a client, the mpm_prefork module hands it to a child process, and each child process handles only a single request at a time. If the number of current requests exceeds the number of child processes created in advance, the mpm_prefork module creates new child processes to handle the additional requests. Because child processes are created in advance, a client request does not have to wait for a child process to be generated after it is received.

Because each request corresponds to one child process in the mpm_prefork module, it occupies more system resources than the other two modules. The advantage of the mpm_prefork module, however, is that each child process handles its request independently, so if one request fails, the other requests are not affected. Prefork is more efficient than worker, but its memory usage is much larger and it is not good at handling high-concurrency scenarios.

The important parameters affecting Apache performance in prefork working mode are described below.

Parameter explanation:

# prefork MPM
<IfModule mpm_prefork_module>
# Number of child processes started by default when Apache starts
StartServers 5
# Minimum number of idle child processes
MinSpareServers 5
# Maximum number of idle child processes (no value is given on the page; 10 is the Apache default)
MaxSpareServers 10
# MaxRequestWorkers sets the maximum number of requests served simultaneously.
# Any request exceeding the MaxRequestWorkers limit enters the waiting queue.
# Before Apache 2.3.1 MaxRequestWorkers was known as MaxClients; the old name is still supported.
MaxRequestWorkers 250
# Number of requests each child process may handle. Each child process is
# automatically destroyed after handling "MaxConnectionsPerChild" requests.
# 0 means unlimited, that is, the child process is never destroyed. Although the
# default setting of 0 lets each child process handle more requests, a value
# other than 0 has two important benefits:
# (1.) it prevents accidental memory leaks;
# (2.) the number of child processes is reduced automatically when the server load drops.
# You can therefore adjust this value based on the server's load.
# Called MaxRequestsPerChild before Apache 2.3.9.
MaxConnectionsPerChild 500
</IfModule>

Note:

(1.) MaxRequestWorkers is the most important of these directives. It sets the number of requests Apache can handle at the same time, and it is the parameter with the greatest influence on Apache performance. If the total number of requests has reached this value (which you can confirm with ps -ef | grep httpd | wc -l), subsequent requests are queued until a request in progress has finished. This is the main reason why HTTP access can be slow even though plenty of system resources are left. Although in theory a larger value allows more requests to be processed, it is recommended to set the initial value to (maximum physical memory in megabytes / 2) and then adjust it dynamically according to the load.

For example, on a machine with 4G of memory the initial value is 4000/2=2000.

(2.) After initially creating "StartServers" child processes, the prefork control process creates one process, waits a second, creates two more, waits a second, creates four more, and so on, in order to satisfy the MinSpareServers setting. The number of processes created keeps increasing this way, up to 32 per second, until the value of the MinSpareServers setting is met. This pattern removes the need to generate new processes when requests arrive, which reduces system overhead and improves performance.

MaxSpareServers sets the maximum number of idle processes. If the number of idle processes is greater than this value, Apache automatically kills some of the redundant processes. This value should not be set too large, but if it is set smaller than MinSpareServers, Apache automatically adjusts it to MinSpareServers+1. If the site load is large, consider increasing both MinSpareServers and MaxSpareServers.

(3.) What is the difference between ServerLimit and MaxClients (MaxRequestWorkers)?

In the Apache 1 era, the only parameter controlling the maximum number of processes was MaxClients, and its maximum value of 256 was hard-coded; trying to set more than 256 had no effect. This was due to the server hardware limitations of the Apache 1 era. In the Apache 2 era server hardware has been upgraded and is no longer the limit, so the ServerLimit parameter is used to control the maximum number of processes; the setting is valid only when the ServerLimit value >= the MaxClients value. ServerLimit must be placed before MaxClients, and its value must not be less than MaxClients.

(4.) View the modules Apache has loaded

[root@kang ~]# apachectl -t -D DUMP_MODULES

Or

[root@kang ~]# apachectl -M

Or

apachectl -l

How do you check which working mode Apache is using? You can use the httpd -V command, or httpd -l.

(5.) How to modify the prefork parameters and enable prefork mode

1. [root@kang ~]# vim /usr/local/http-2.4.23/conf/extra/httpd-vhosts.conf
2. [root@kang ~]# vim /usr/local/http-2.4.23/conf/httpd.conf

Restart the httpd service:

[root@kang ~]# service httpd restart

2. Worker mode (multi-process, multi-threaded):

Compared with prefork mode, worker uses a hybrid of multiple processes and multiple threads. Worker mode also derives a number of child processes in advance, and each child process then creates some threads, including one listener thread; each request is assigned to one thread for service. Threads are lighter than processes because threads share the memory space of their parent process, so the memory footprint is reduced. In a high-concurrency scenario more threads are available than in prefork, and performance is better. On the other hand, if one thread has a problem, it can cause problems for the other threads in the same process; if several threads have problems, though, only part of Apache is affected, not all of it. Because multiple processes and multiple threads are used, thread safety has to be considered. When keep-alive long connections are used, a thread stays occupied even if no request arrives in the meantime, and it is released only after the timeout (this problem also exists in prefork mode).

Overall, prefork mode is slightly faster than worker, but it requires a little more CPU and memory resources than worker.

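The important parameters affecting Apache performance in worker working mode are described below.

Parameter explanation:

# worker MPM
<IfModule mpm_worker_module>
# Number of child processes started by default when Apache starts
StartServers 3
# Minimum number of idle worker threads (75 is the default named in the notes)
MinSpareThreads 75
# Maximum number of idle worker threads (250 is the default named in the notes)
MaxSpareThreads 250
# Number of threads created by each child process (no value is given on the page; 25 is the Apache default)
ThreadsPerChild 25
# Same as in prefork mode (no value is given on the page; 400 is the Apache default for worker)
MaxRequestWorkers 400
# Same as in prefork mode
MaxConnectionsPerChild 0
</IfModule>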


Note:

(1.) In worker mode the main control process generates "StartServers" child processes, each containing a fixed number of ThreadsPerChild threads, and each thread handles requests independently. Likewise, so that threads do not have to be created when a request arrives, MinSpareThreads and MaxSpareThreads set the minimum and maximum number of idle threads, while MaxRequestWorkers sets the maximum total number of simultaneous clients. If the total number of threads in the existing child processes cannot meet the load, the control process derives new child processes.

The maximum default values for MinSpareThreads and MaxSpareThreads are 75 and 250, respectively. These two parameters have little effect on the performance of Apache and can be adjusted according to the actual situation.

(2.) ThreadsPerChild is the directive most closely related to performance in the worker MPM. The maximum default value for ThreadsPerChild is 64, which is not enough if the load is large. In that case the ThreadLimit directive must be declared explicitly; its maximum default value is 20000.

(3.) The total number of requests that can be processed concurrently in worker mode is the total number of child processes multiplied by the ThreadsPerChild value, and it should be greater than or equal to MaxRequestWorkers. If the load is large and the existing child processes cannot satisfy it, the control process derives new child processes. The default maximum number of child processes is 16; to raise it you need to declare ServerLimit explicitly (the maximum number of processes in the system configuration; its maximum is 20000). Note that if ServerLimit is declared explicitly, its value multiplied by ThreadsPerChild must be greater than or equal to MaxRequestWorkers, and MaxRequestWorkers must be an integer multiple of ThreadsPerChild; otherwise Apache automatically adjusts it to a corresponding value.

(4.) The difference between a process and a thread

A thread is a unit of execution within a process and a schedulable entity within a process.

The differences from a process are:

Address space: a thread is an execution unit within a process; a process has at least one thread, its threads share the address space of the process, and the process has its own independent address space.

Resource ownership: a process is the unit of resource allocation and ownership, and threads in the same process share the resources of the process.

A thread is the basic unit of processor scheduling; a process is not.

Both can be executed concurrently.

Processes and threads are the basic units in which the operating system runs programs, and the system uses these basic units to provide concurrency to applications.

The difference between a process and a thread is:

In short, a program has at least one process, and a process has at least one thread.

Threads are a finer-grained division than processes, which gives multithreaded programs higher concurrency.

In addition, a process has its own separate memory unit during execution, while multiple threads share memory, which greatly improves the running efficiency of the program.


3. Event mode:

This is the newest working mode of Apache, a variant of worker mode that separates the service process from the connection. It differs from worker mode in that it solves the problem of thread resources being wasted on keep-alive long connections. In event working mode there are dedicated threads that manage these keep-alive connections; when a real request comes in, it is handed to a server thread, which is released after execution completes. This strengthens request handling in high-concurrency scenarios. Event mode does not support HTTPS access well (HTTP authentication-related issues).

Apache configuration parameters in detail

(1.) KeepAlive On/Off

KeepAlive keeps the connection active. In other words, if KeepAlive is set to On, requests from the same client do not need to connect again, which avoids creating a new connection for every request and burdening the server. In general, KeepAlive should be set to On for sites with many pictures.

(2.) KeepAliveTimeout number

If the interval between the first request and the second exceeds KeepAliveTimeout, the first connection is dropped and a new connection is created for the second request. The setting is generally based on the interval between two requests for picture or JS files and is usually 3-5 seconds.

(3.) MaxKeepAliveRequests 100

The maximum number of HTTP requests that can be made over a single connection. Setting it to 0 allows an unlimited number of requests within a single connection. In practice no client requests that many pages over a single connection, and connections usually finish before reaching the limit.

(4.) HostnameLookups on|off|double

With on, only a reverse lookup is performed. With double, a forward resolution is performed after the reverse lookup, and the check passes only if the two results agree. With off, the domain name is not verified. double is the setting to use for security purposes; apart from that, off is recommended, because turning domain lookup on increases the load on Apache and slows down access. Turning it off is recommended.

(5.) Timeout 5

The recommended value is 5. This is the time Apache allows for receiving a request or sending the corresponding response; once it is exceeded, the connection is dropped.

Note: The above configuration items can be set in /usr/local/http-2.4.23/conf/extra/httpd-default.conf and referenced through the Include option in the httpd.conf file.

The key MPM directives, the main factors that affect concurrency efficiency:

(1.) StartServers 10

Sets the number of child processes created when the server starts. Because the number of child processes is adjusted dynamically according to the load, it is generally not necessary to adjust this parameter.

(2.) MinSpareServers 10

Sets the minimum number of idle child processes. An idle child process is one that is not currently handling a request. If the current number of idle child processes is less than MinSpareServers, Apache creates new child processes at a maximum rate of one per second. This parameter needs to be adjusted only on very busy machines. Setting it too large is usually a bad idea.

(3.) MaxSpareThreads 75

Sets the maximum number of idle child processes. If the number of idle child processes exceeds MaxSpareServers, the parent process kills the extra child processes. This parameter needs to be adjusted only on very busy machines. Setting it too large is usually a bad idea. If you set the value of the directive lower than MinSpareServers, Apache automatically changes it to "MinSpareServers+1".

(4.) ServerLimit 2000

The maximum number of processes the server is allowed to configure. Use it only if you need to set MaxClients above the default value of 256, and keep the value of this directive the same as MaxClients. To change the value of this directive you must stop the service completely and then start it again; a restart does not apply the change.

(5.) MaxClients/MaxRequestWorkers 256

The maximum number of client requests served at the same time (the maximum number of child processes); any requests exceeding the MaxClients limit enter the waiting queue. The default value is 256; to increase it you must also increase the value of ServerLimit. It is recommended to set the initial value to (maximum physical memory in megabytes / 2) and then adjust it dynamically according to the load.

For example, on a machine with 4G of memory the initial value is 4000/2=2000.

(6.) MaxRequestsPerChild/MaxConnectionsPerChild 0

Sets the number of requests each child process can handle; each child process is automatically destroyed after handling "MaxRequestsPerChild" requests. 0 means unlimited, that is, the child process is never destroyed. Servers with more memory can use 0 or a larger number; servers with less memory may use 30, 50 or 100. So, under normal circumstances, if you find the server's memory usage climbing in a straight line, try changing this parameter.

Note: The above configuration items can be set in /usr/local/http-2.4.23/conf/extra/httpd-mpm.conf and referenced through the Include option in the httpd.conf file.
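The relations between the MPM directives given in the prefork and worker notes and in the list above can be checked before the service is restarted. The script below is an added example, not part of the original article: check_mpm, parse_mpm_blocks and the sample configuration are constructed for illustration, and the defaults (ServerLimit 256 for prefork and 16 for worker, ThreadLimit 64) are the ones the page states.

```python
import re

# Older directive names the page mentions, mapped to the current names.
ALIASES = {"maxclients": "maxrequestworkers",
           "maxrequestsperchild": "maxconnectionsperchild"}
# Defaults as the page states them: ServerLimit 256 (prefork) and 16 (worker),
# ThreadLimit 64 (ceiling for ThreadsPerChild unless declared explicitly).
DEFAULTS = {"prefork": {"serverlimit": 256},
            "worker": {"serverlimit": 16, "threadlimit": 64}}


def parse_mpm_blocks(conf_text):
    """Return {mpm: {directive: int}} for every <IfModule mpm_*_module> block."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfModule\s+mpm_(\w+)_module\s*>", line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1).lower(), {})
        elif re.match(r"</IfModule\s*>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[1].isdigit():
                name = parts[0].lower()  # directive names are case-insensitive
                current[ALIASES.get(name, name)] = int(parts[1])
    return blocks


def check_mpm(conf_text):
    """Return (mpm, code, message) findings for the relations described above."""
    found = []
    for mpm, seen in parse_mpm_blocks(conf_text).items():
        cfg = {**DEFAULTS.get(mpm, {}), **seen}
        workers, limit = cfg.get("maxrequestworkers"), cfg.get("serverlimit")
        if mpm == "prefork":
            if workers is not None and workers > limit:
                found.append((mpm, "serverlimit",
                              f"MaxRequestWorkers {workers} > ServerLimit {limit}"))
            low, high = cfg.get("minspareservers"), cfg.get("maxspareservers")
            if low is not None and high is not None and high < low:
                found.append((mpm, "spare", f"MaxSpareServers {high} < "
                              f"MinSpareServers {low}; Apache will use {low + 1}"))
        elif mpm == "worker" and workers and cfg.get("threadsperchild"):
            tpc = cfg["threadsperchild"]
            if tpc > cfg["threadlimit"]:
                found.append((mpm, "threadlimit",
                              f"ThreadsPerChild {tpc} > ThreadLimit {cfg['threadlimit']}"))
            if workers % tpc:
                found.append((mpm, "multiple",
                              f"MaxRequestWorkers {workers} is not a multiple of {tpc}"))
            if workers > limit * tpc:
                found.append((mpm, "capacity", f"MaxRequestWorkers {workers} > "
                              f"ServerLimit {limit} x ThreadsPerChild {tpc}"))
    return found


# Constructed sample, not from the page's server: prefork uses the 4G sizing
# (2000) without raising ServerLimit; worker breaks all three worker rules.
SAMPLE = """
<IfModule mpm_prefork_module>
    MaxClients 2000
</IfModule>
<IfModule mpm_worker_module>
    ThreadsPerChild 100
    MaxRequestWorkers 1650
</IfModule>
"""

if __name__ == "__main__":
    print("\n".join(f"[{m}] {c}: {msg}" for m, c, msg in check_mpm(SAMPLE)))
```

Each finding corresponds to a value that Apache would adjust on its own at startup, so the configured number and the effective number would differ.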

4. Turn on Apache's gzip (deflate) feature:

Gzip can greatly speed up a site; the compression ratio is sometimes as high as 80% and at least 40% or more, which is quite good.

From Apache 2 onward, the module is no longer called gzip but mod_deflate.

[Figure: gzip not used]

[Figure: gzip enabled]

(1.) To enable deflate, be sure to load the following two modules:

LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so


The compression level can be set in the range from 1 (lowest) to 9 (highest). A very high level is not recommended: it gives a higher compression ratio but takes up more CPU resources.

(2.) Checking for and installing the mod_deflate module

[root@kang ~]# apachectl -M | grep deflate

Note:

If it is not installed:

a: Compile-time installation:

Add --enable-deflate when compiling to have it installed.

b: DSO installation:

[root@www ~]# cd /root/httpd-2.4.23/modules/filters/   # change to the directory of the Apache source package that contains mod_deflate
# /usr/local/http-2.4.23/bin/apxs -c -i -a mod_deflate.c   # compile and install into Apache as a DSO
# /usr/local/http2.2/bin/apxs -c -i -a /root/httpd-2.2.17/modules/metadata/mod_headers.c   # compile and install into Apache as a DSO
[root@www filters]# ll /usr/local/http-2.4.23/modules/mod_deflate.so   # check whether mod_deflate is installed; if the file is listed, the installation succeeded
-rwxr-xr-x. 1 root 98144 Oct 23:14 /usr/local/http-2.4.23/modules/mod_deflate.so

apxs command parameter description:

-i: This option indicates that an installation operation is to be performed, installing one or more dynamic shared objects into the modules directory of the server.

-a: This option automatically adds a LoadModule line to the httpd.conf file to enable the module, or enables it if the line already exists.

-c: This option indicates that a compile operation is to be performed.


Attention:
If there is an error during restart:
Reference:

Cannot load /usr/local/apache/modules/mod_deflate.so into server: /usr/local/apache/modules/mod_deflate.so: undefined symbol: inflateEnd
zlib.so needs to be loaded before the line LoadModule deflate_module modules/mod_deflate.so.

Also be aware that LoadModule deflate_module needs to be placed after LoadModule php5_module.
Reference:
LoadFile /usr/lib/libz.so
LoadModule deflate_module modules/mod_deflate.so
(On x64 systems the library file is located under the /usr/lib64 directory and can be soft-linked into /usr/lib.)

(3.) Restart httpd

[root@kang ~]# apachectl graceful   # gracefully restart the httpd service
(4.) Modify the Apache configuration file to turn on gzip-compressed transfer; the parameters in detail:

Modify the main Apache configuration file httpd.conf and add the configuration parameters:

LoadModule deflate_module modules/mod_deflate.so

LoadModule headers_module modules/mod_headers.so

After opening httpd.conf, first remove the # in front of the two lines above so that Apache enables the two modules. mod_deflate is the compression module, which gzip-compresses the code transferred to the client; without mod_headers, the browser would download gzip-compressed pages instead of displaying them properly.
Add the following code to httpd.conf. You can add it in any blank place; if you are not familiar with Apache and are worried about putting it in the wrong place, put it on the last line of the httpd.conf file.
Note: Before adding the code, it is best to check whether the code you want to add already exists.

<IfModule mod_deflate.c>
DeflateCompressionLevel 9
SetOutputFilter DEFLATE
# AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript application/x-httpd-php
# AddOutputFilterByType DEFLATE image/*
AddOutputFilterByType DEFLATE text/*
AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
</IfModule>

The same block with each line explained:

<IfModule mod_deflate.c>
# Compression level; a preset of 6 keeps a balance between processor efficiency and web page compression quality.
DeflateCompressionLevel 9
# Sets the output filter so that output is compressed. It is required: like a switch, it tells Apache to compress the content sent to the browser.
SetOutputFilter DEFLATE
# AddOutputFilterByType DEFLATE text/html text/plain text/xml application/x-javascript application/x-httpd-php
# AddOutputFilterByType DEFLATE image/*
# Note: pictures do not need to be compressed; otherwise they become bigger after compression.
AddOutputFilterByType DEFLATE text/*
# The line above compresses file content by type, such as text/html, text/css, text/plain.
AddOutputFilterByType DEFLATE application/ms* application/vnd* application/postscript application/javascript application/x-javascript
# The line above compresses JavaScript files.
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp
# The line above compresses PHP-type files.
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# The line above excludes picture files with the suffixes gif, jpg, jpeg, png from compression.
# Attention: ?: indicates that the contents of the () are not captured.
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
# As above: files such as exe, tgz, gz are not compressed.
SetEnvIfNoCase Request_URI \.(?:pdf|mov|avi|mp3|mp4|rm)$ no-gzip dont-vary
# As above: files such as pdf, avi, mp3 are not compressed.
</IfModule>


(5.) Set up the log output.

# Declares the byte count of the input stream
DeflateFilterNote Input input_info
# Declares the byte count of the output stream
DeflateFilterNote Output output_info
# Declares the compression percentage
DeflateFilterNote Ratio ratio_info
# Declares the log format
LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
CustomLog logs/deflate_log.log deflate


(6.) After making the changes, save, exit, and restart the httpd service
[root@kang ~]# service httpd restart
Test access with the Google browser; the following figure shows the results: (Hint: press F12 before accessing the test page)



To view the log:
[root@kang ~]# cd /usr/local/http-2.4.23/logs/

Note:

Pictures do not need GZIP compression enabled. You may want to run a test and verify the effect of compressing an image.

(1.) First upload a picture to the Apache root directory

(2.) Edit the index.html home page to add the picture

(3.) Restart the httpd service

[root@kang htdocs]# service httpd restart

(4.) Visit the test page and check the log for the size of the picture before compression

To view the log:
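
The entries in deflate_log.log can also be read with a short script. This is an added example, not from the original article: it parses lines in the LogFormat configured in step (5.), the function names and sample lines are constructed, and it assumes that a request mod_deflate did not process is logged with "-" in place of the byte counts.

```python
import re

# Matches lines written by the page's format:
#   LogFormat '"%r" %{output_info}n/%{input_info}n (%{ratio_info}n%%)' deflate
LINE = re.compile(r'^"(?P<method>\S+) (?P<path>\S+)[^"]*" '
                  r'(?P<out>\d+|-)/(?P<inp>\d+|-) \((?P<ratio>\d+|-)%\)$')


def parse_deflate_log(lines):
    """Return one dict per parsable line; byte counts are None when logged as '-'."""
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the deflate format, or the request line contains quotes
        out = None if m["out"] == "-" else int(m["out"])
        inp = None if m["inp"] == "-" else int(m["inp"])
        records.append({"path": m["path"], "out": out, "inp": inp})
    return records


def report(records):
    """Summarise which paths bypassed mod_deflate, which grew, and the bytes saved."""
    skipped = [r["path"] for r in records if r["out"] is None or r["inp"] is None]
    done = [r for r in records if r["out"] is not None and r["inp"] is not None]
    grew = [r["path"] for r in done if r["out"] >= r["inp"]]
    saved = sum(r["inp"] - r["out"] for r in done)
    return {"skipped": skipped, "grew": grew, "saved_bytes": saved}


# Constructed sample lines (output bytes/input bytes, then output as a percentage
# of input). /logo.png was excluded by the no-gzip rule; /photo.jpg shows an
# image that was compressed anyway and came out larger.
SAMPLE_LOG = [
    '"GET /index.html HTTP/1.1" 1204/5310 (22%)',
    '"GET /css/site.css HTTP/1.1" 2100/9800 (21%)',
    '"GET /logo.png HTTP/1.1" -/- (-%)',
    '"GET /photo.jpg HTTP/1.1" 48730/48650 (100%)',
]

if __name__ == "__main__":
    print(report(parse_deflate_log(SAMPLE_LOG)))
```

Paths listed under "grew" are the ones to add to the SetEnvIfNoCase no-gzip rules.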
