Apache feature optimization

Source: Internet
Author: User
Tags: apache, log

Hide sensitive information such as the Apache version

$ grep -i server /usr/local/httpd/conf/extra/httpd-default.conf | grep -v "#"

Change the two directives to:

ServerTokens Prod
ServerSignature Off

httpd-default.conf only takes effect if httpd.conf includes it; the stock httpd.conf ships with the line "#Include conf/extra/httpd-default.conf" commented out, so check that line as well. Even with these settings the product name still appears in the Server header:

$ curl -I localhost

Server: Apache

To remove even that, edit include/ap_release.h in the unpacked source tarball before compiling. The Server header is assembled from these macros:

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"   /* vendor name */
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"           /* project name */
#define AP_SERVER_BASEPRODUCT "Apache"                       /* product name; this is what ServerTokens Prod shows */
#define AP_SERVER_MAJORVERSION_NUMBER 2                      /* major version */
#define AP_SERVER_MINORVERSION_NUMBER 4                      /* minor version */
#define AP_SERVER_PATCHLEVEL_NUMBER 6                        /* patch level */
#define AP_SERVER_DEVBUILD_BOOLEAN 0                         /* ... */

Changing these only alters the banner. The binary is still 2.4.6 with whatever bugs that release has, and a scanner can still fingerprint httpd from its behaviour (default error page layout, header ordering, module-specific responses). Treat this as reducing noise from automated scanners, not as a substitute for patching.
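After changing ServerTokens, ServerSignature or ap_release.h, verify the result rather than assuming it. The script below is an added example, not code from the original article: it audits captured response headers for version disclosure in Server and X-Powered-By. In real use feed it the output of `curl -sI http://localhost/`; the two responses embedded here are constructed, not captured from any host.

```shell
#!/bin/sh
# Added example, not from the original article: audit captured response
# headers for version disclosure after setting ServerTokens/ServerSignature.
# In real use feed it `curl -sI http://localhost/`; the two responses below
# are constructed, not captured from any host.

# Print the value of one response header, matched case-insensitively,
# with the CR of the CRLF line ending stripped. Reads the headers on stdin.
header_value() {
    tr -d '\r' | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# True (exit 0) when a banner says more than a bare product name:
# a version number such as 2.4.6, a "product/version" pair, or a
# parenthesised platform/module list.
banner_leaks() {
    case "$1" in
        *[0-9].[0-9]*|*/*|*"("*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one raw response ($1): prints a verdict per header and returns 1
# if anything leaks, so it can gate a deployment check.
audit_headers() {
    leaks=0
    for h in Server X-Powered-By; do
        v=$(printf '%s\n' "$1" | header_value "$h")
        [ -n "$v" ] || continue
        if banner_leaks "$v"; then
            printf 'LEAK %s: %s\n' "$h" "$v"
            leaks=1
        else
            printf 'ok   %s: %s\n' "$h" "$v"
        fi
    done
    return "$leaks"
}

# Constructed samples: a default build, and the same host after hardening.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.6 (Unix) OpenSSL/1.0.1e-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

audit_headers "$BEFORE" || echo "before: hardening needed"
audit_headers "$AFTER"  && echo "after: banner minimal"
```

X-Powered-By is included because a PHP build that still sends it undoes the work done on the Server header; on the PHP side that header is switched off with expose_php = Off in php.ini.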

Change the user Apache runs as

$ useradd -m -s /sbin/nologin apache

$ vim /usr/local/httpd/conf/httpd.conf

User apache
Group apache

httpd still starts as root so it can bind port 80; only the worker processes that handle requests switch to this unprivileged account, which is why it gets a nologin shell.

Restrict Apache log permissions

$ chmod 700 /usr/local/httpd/logs

The logs directory is owned by root and written by the root parent process (and by piped log programs such as cronolog, which that parent starts), so the apache user needs no access to it at all. Mode 700 keeps a compromised worker from reading or tampering with the access history.

Log rotation (splitting)

$ cd /usr/local/tools

$ wget http://cronolog.org/download/cronolog-1.6.2.tar.gz

$ tar zxf cronolog-1.6.2.tar.gz

$ cd cronolog-1.6.2

$ ./configure

$ make && make install

$ grep -i customlog /usr/local/httpd/conf/httpd.conf

Rotate daily (the usual production setting); for hourly files add %H to the file name:

CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/access_%y%m%d.log" combined
ErrorLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/error_%y%m%d.log"

httpd also ships its own bin/rotatelogs, which does the same job without an extra download. Whichever you use, check the integrity of anything fetched over plain HTTP before building and installing it as root.

Friendly error pages

$ vi /usr/local/httpd/conf/httpd.conf

<Directory "/usr/local/httpd/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    ErrorDocument 404 /404.html    # add this line
</Directory>

$ vi /usr/local/httpd/htdocs/404.html

Error: lost page ...

A custom page also replaces the stock error page, which is where ServerSignature would otherwise print the version. Two notes on the block above: "Order"/"Allow" are 2.2 syntax and need mod_access_compat on 2.4, where "Require all granted" (used further down) is the native form; and "Options Indexes" enables the directory listing that the later section turns off, so leave Indexes out unless it is really wanted.

mod_rewrite hotlink protection

# Example: virtual host configuration

<VirtualHost *:80>
    ServerAdmin 123456@qq.com
    DocumentRoot "/usr/local/httpd/htdocs"
    ServerName www.test.com
    ServerAlias test.com
    CustomLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/access_%y%m%d.log" combined
    ErrorLog "|/usr/local/sbin/cronolog /usr/local/httpd/logs/error_%y%m%d.log"
    <IfModule rewrite_module>
        RewriteEngine on
        RewriteCond %{HTTP_REFERER} !^http://test.com/.*$ [NC]
        RewriteCond %{HTTP_REFERER} !^http://test.com$ [NC]
        RewriteCond %{HTTP_REFERER} !^http://www.test.com/.*$ [NC]
        RewriteCond %{HTTP_REFERER} !^http://www.test.com$ [NC]
        RewriteRule .*\.(gif|jpg|swf)$ http://www.test.com [R,NC]
    </IfModule>
</VirtualHost>

Keep in mind what this protects against. The Referer header is set by the client, so anyone scripting downloads simply sends a matching value; the rule only stops casual embedding by other sites, not deliberate scraping. As written it also blocks requests that carry no Referer at all (direct links, privacy-mode browsers, many feed readers), and it answers a blocked image request with a redirect to the home page, which browsers render as a broken image anyway.
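The same guard with those two problems fixed, as an added example that is not from the original article. It keeps the article's hostnames test.com and www.test.com, allows an empty Referer, collapses the four conditions into one, and answers with 403 instead of a redirect:

```apache
# Added example, not from the original article. Hostnames are the
# article's test.com / www.test.com; adjust to the real site.
<IfModule rewrite_module>
    RewriteEngine on
    # Let requests with no Referer through (direct links, privacy browsers,
    # feed readers); the original rule set blocks these too.
    RewriteCond %{HTTP_REFERER} !^$
    # Allow our own hosts over http or https, with or without a path.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?test\.com(/|$) [NC]
    # Anything else asking for an image or flash file gets 403, no redirect.
    RewriteRule \.(gif|jpe?g|png|swf)$ - [F,NC]
</IfModule>
```

This is still only a deterrent: a client that sets Referer to http://www.test.com/ passes the check. Test it with curl -e (which sets the Referer) against an image URL before and after the change.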

Forbid directory browsing: httpd.conf

<Directory "/usr/local/httpd/htdocs">
    Options -Indexes             # method 1: subtract Indexes from the current Options
    Options FollowSymLinks       # method 2: list only what is needed (use one of the two)
</Directory>

With Indexes off, a request for a directory that has no index file returns 403 instead of a file listing.

Disable the AllowOverride option: httpd.conf

With AllowOverride enabled, Apache has to look for a .htaccess file in the requested directory and every directory above it, on every request, whether or not any .htaccess file exists. That costs performance, and it also means anyone who can write a file into the document tree can change the server configuration for that directory.

<Directory "/usr/local/httpd/htdocs">
    Options None
    AllowOverride None    # set to None
    Require all granted
</Directory>

Turn off .htaccess usage: httpd-default.conf

Define all directory permissions in httpd.conf and do not use .htaccess for them.

#AccessFileName .htaccess    # comment out

Commenting out AccessFileName on its own does not disable .htaccess: the directive's built-in default is still ".htaccess", so Apache keeps looking for the file. It is AllowOverride None (previous section) that actually stops .htaccess from being read; commenting out this line is just tidying up.

Turn off the built-in CGI function: httpd.conf

Apache's own CGI support is rarely needed; if Perl CGI is in use, mod_perl can replace it.

Edit the configuration file and comment out the CGI section:

#ScriptAlias /cgi-bin/ "/usr/local/httpd/cgi-bin/"
#<Directory "/usr/local/httpd/cgi-bin">
#    AllowOverride None
#    Options None
#    Order allow,deny
#    Allow from all
#</Directory>

Also make sure ExecCGI is not in the Options of any other directory, and that mod_cgi/mod_cgid is not loaded if nothing needs it.

Disable PHP parsing in specific directories, such as the user upload directory, so that a file a user manages to upload cannot be executed as code.
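The article gives no configuration for this step, so here is one, as an added example that is not from the original article. It assumes mod_php and an upload directory at /usr/local/httpd/htdocs/upload (a hypothetical path):

```apache
# Added example, not from the original article. Assumes mod_php and an
# upload directory at /usr/local/httpd/htdocs/upload (hypothetical path).
<Directory "/usr/local/httpd/htdocs/upload">
    # Stop mod_php executing anything here, whatever the file is named.
    # php_admin_flag (not php_flag) cannot be overridden from .htaccess.
    php_admin_flag engine off
    # Belt and braces: detach any handler from PHP extensions, and refuse
    # to serve PHP-looking files at all (covers php-fpm setups too, where
    # php_admin_flag does not apply).
    RemoveHandler .php .phtml .php3 .php4 .php5
    <FilesMatch "(?i)\.(php|phtml|php[3-7]|phar|inc)$">
        Require all denied
    </FilesMatch>
    # No scripts, no listing, no following symlinks out of the directory.
    Options -ExecCGI -Indexes -FollowSymLinks
    # .htaccess must not be able to undo any of the above.
    AllowOverride None
</Directory>
```

Turning the PHP engine off is the setting that matters: with AddHandler-style configuration Apache treats every extension in a name such as shell.php.jpg, so a deny rule anchored on the last extension is not enough by itself. Where possible, store uploads outside DocumentRoot and serve them through a handler that sets an explicit Content-Type.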

Apache security modules

Add security modules to the Apache site as needed, for example mod_evasive (rate limiting against DoS/DDoS), mod_limitipconn (per-IP connection limits for a single site) and mod_security2 (a web application firewall that filters SQL injection and similar payloads). A WAF matches known-bad patterns; it is not a replacement for parameterised queries and output encoding in the application itself.

A few tools worth recommending:

1. makejail http://www.floc.net/makejail/

Software, written in Python, that automatically copies the programs needed to build a jail into the jail; there are Debian and OpenBSD versions.

2. mod_security http://www.modsecurity.org/

An Apache module that not only filters requests and audits logs, but can also block SQL injection and cross-site scripting attacks. A very good security module.

Apache website architecture optimization

1. In production, separate the application page server, the image/attachment server and the upload server as far as possible.

2. Alternatively, have a front-end load balancer (HAProxy or Nginx) route each request to a backend server based on the requested directory or file extension.

Tuning Linux kernel parameters

These are sysctl keys under /proc/sys/net/ipv4/. The defaults quoted are those of the CentOS 5/6-era kernels this article was written against and differ on newer kernels.

net.ipv4.tcp_fin_timeout: how long a socket closed by the local end stays in FIN-WAIT-2. Default 60 seconds.

net.ipv4.tcp_tw_reuse: allow TIME_WAIT sockets to be reused for new outgoing TCP connections. Default 0 (off). Path: /proc/sys/net/ipv4/tcp_tw_reuse. It only affects connections the host initiates (proxy-to-backend traffic, for example), not inbound client connections.

net.ipv4.tcp_tw_recycle: fast recycling of TIME_WAIT sockets. Path: /proc/sys/net/ipv4/tcp_tw_recycle. The original article suggests enabling both reuse and recycle on production web and squid servers to keep TIME_WAIT counts down. Do not enable tcp_tw_recycle: it drops connections from clients behind NAT or load balancers whose TCP timestamps are not monotonic, and the knob was removed in Linux 4.12, so an entry for it makes sysctl -p fail on current kernels.

net.ipv4.tcp_syncookies: enable SYN cookies. When the SYN backlog overflows, cookies let the server keep accepting connections and blunt small SYN floods. CentOS 5 defaults to 1 (on), so the line is optional. Path: /proc/sys/net/ipv4/tcp_syncookies, default 1.

net.ipv4.tcp_keepalive_time: the interval at which TCP sends keepalive probes on an idle connection when keepalive is enabled. Default 2 hours (7200 seconds); the article lowers it to 10 minutes. Path: /proc/sys/net/ipv4/tcp_keepalive_time.

net.ipv4.ip_local_port_range: the range of local ports the system may use for outgoing connections. Path: /proc/sys/net/ipv4/ip_local_port_range, default 32768 61000.

net.ipv4.tcp_max_syn_backlog: length of the SYN queue, i.e. the maximum number of connection requests recorded that have not yet received the client's final ACK. Default 1024; raising it to 8192 lets the server hold more half-open connections. Path: /proc/sys/net/ipv4/tcp_max_syn_backlog.

net.ipv4.tcp_max_tw_buckets: the maximum number of TIME_WAIT sockets held at once; above this they are destroyed immediately and a warning is logged. Default 180000. Web servers (Apache, Nginx) can go lower, around 5000-30000; LVS or squid boxes can go higher. Of the parameters in this list, this is the one that reliably caps TIME_WAIT growth and keeps a squid server from being overwhelmed by TIME_WAIT sockets. Path: /proc/sys/net/ipv4/tcp_max_tw_buckets.

net.ipv4.tcp_synack_retries: how many SYN+ACK retransmissions the kernel sends for a half-open connection before giving up. Path: /proc/sys/net/ipv4/tcp_synack_retries, default 5.

net.ipv4.tcp_syn_retries: how many SYNs are sent before the kernel gives up establishing an outgoing connection. Path: /proc/sys/net/ipv4/tcp_syn_retries, default 5.

net.ipv4.tcp_max_orphans: the maximum number of TCP sockets not attached to any user file handle. Beyond it, orphaned connections are reset at once and a warning is logged. The limit exists only to stop a simple DoS; do not lean on it or artificially lower it, and raise it if the workload needs more. Path: /proc/sys/net/ipv4/tcp_max_orphans, default 65536.
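A script to turn the list above into a sysctl fragment, as an added example that is not from the original article. It emits only keys the running kernel exposes under /proc/sys (so a removed key such as tcp_tw_recycle becomes a comment instead of breaking sysctl -p), and it leaves tcp_tw_recycle out on purpose. Values marked "article" are the ones given above; the others are assumed illustrative values, not a universal recommendation. PROC_SYS is an assumed knob so the logic can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not from the original article: emit a sysctl fragment for
# the parameters discussed above, but only for keys the running kernel
# actually exposes under /proc/sys. tcp_tw_recycle is deliberately absent:
# it breaks clients behind NAT and was removed in Linux 4.12, and a stale
# entry makes `sysctl -p` fail. PROC_SYS exists so the logic can be tested
# against a constructed directory instead of the real /proc/sys.

PROC_SYS=${PROC_SYS:-/proc/sys}

# net.ipv4.tcp_fin_timeout -> $PROC_SYS/net/ipv4/tcp_fin_timeout
key_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# True when the running kernel exposes the key.
key_present() {
    [ -e "$(key_path "$1")" ]
}

# Print "key = value" if the kernel has the key, otherwise a commented line
# explaining why it was skipped (never fails, so the fragment is complete).
render_setting() {
    if key_present "$1"; then
        printf '%s = %s\n' "$1" "$2"
    else
        printf '# %s: not present on this kernel, skipped\n' "$1"
    fi
}

# The whole fragment. Review it, then write it to /etc/sysctl.d/90-httpd.conf
# and apply with `sysctl --system`.
render_fragment() {
    render_setting net.ipv4.tcp_fin_timeout 30            # assumed; default 60
    render_setting net.ipv4.tcp_tw_reuse 1                # article; outbound only
    render_setting net.ipv4.tcp_syncookies 1              # article; usually default
    render_setting net.ipv4.tcp_keepalive_time 600        # article: 10 minutes
    render_setting net.ipv4.ip_local_port_range "10000 65000"  # assumed
    render_setting net.ipv4.tcp_max_syn_backlog 8192      # article
    render_setting net.ipv4.tcp_max_tw_buckets 30000      # article: 5000-30000
    render_setting net.ipv4.tcp_synack_retries 2          # assumed; default 5
    render_setting net.ipv4.tcp_syn_retries 2             # assumed; default 5
    render_setting net.ipv4.tcp_max_orphans 65536         # article default
}

render_fragment
```

Run it on the target host and read the output before applying it; a "skipped" line for a key you expected means the kernel is newer or older than the article assumed, and the value for that key needs a fresh look rather than a blind copy.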


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
