The previous two blog posts covered deploying and configuring Apache. This article explains in detail how to tune and harden the Apache service for a production environment.
In production, we would never put Apache online straight after installing it. That would be like walking onto the battlefield unarmed and waiting to be finished off! Whether for security or for performance, Apache needs a good deal of tuning before it goes live. So, drawing on my own study and work experience, I have summarized 20 small points of Apache tuning.
This article is a bit long. I originally wanted to split it up, but in the end decided to keep it in one blog post, so please bear with me.
Environment:
System: CentOS 6.4 x86_64, minimal install, with basic system optimization applied
Apache version: httpd-2.4.6
APR version: apr-1.4.8
APR-util version: apr-util-1.5.2
PCRE version: pcre-7.8
Source package storage location: /server/tools
Compiled installation location: /etc/local/<software name>
First, use official source code and apply patches promptly
As mentioned in the Apache deployment post, the downloaded source package needs to be verified. When choosing an Apache source package, always get it from the official website and never from some random site, so that you do not install a package that someone with ulterior motives has tampered with and cause the company's business unnecessary losses.
In addition, for both security and performance, keep a close eye on the patches released on the official Apache website. Once a new patch is out, apply it early, security patches in particular, to prevent losses.
Second, hide the Apache version and other sensitive information
1 In the main Apache configuration file httpd.conf, find the line containing httpd-default.conf and uncomment it
[root@c64-web /]# grep "httpd-default.conf" /usr/local/apache/conf/httpd.conf
#Include conf/extra/httpd-default.conf
[root@c64-web /]# sed -i 's#\#Include conf/extra/httpd-default.conf#Include conf/extra/httpd-default.conf#g' /usr/local/apache/conf/httpd.conf
Note: With a compiled (source) installation, the changes below only take effect once this line has been uncommented.
2 Open the httpd-default.conf file and modify the following two settings
[root@sunsky /]# grep Server conf/extra/httpd-default.conf | grep -v "#"
ServerTokens Full
ServerSignature Off
Change them to
ServerTokens Prod
ServerSignature Off
After the above modification, running curl -I www.sunsky.pw still shows the following information
Server: Apache
Making the version and other sensitive information disappear completely
If you want to change the version information completely, you have to do it before compiling, or recompile. When recompiling, modify the ap_release.h file in the include directory of the source package
#define AP_SERVER_BASEVENDOR "Apache Software Foundation" /* vendor name of the service */
#define AP_SERVER_BASEPROJECT "Apache HTTP Server" /* project name of the service */
#define AP_SERVER_BASEPRODUCT "Apache" /* product name of the service */
#define AP_SERVER_MAJORVERSION_NUMBER 2 /* major version number */
#define AP_SERVER_MINORVERSION_NUMBER 4 /* minor version number */
#define AP_SERVER_PATCHLEVEL_NUMBER 6 /* patch level */
#define AP_SERVER_DEVBUILD_BOOLEAN 0
I have commented the lines listed above. You can change them to whatever you want, then compile and install, and then modify the httpd-default.conf file as described; after that, the other party has no way of knowing your version number.
Third, change the default Apache user
We can improve Apache's security by changing its default user. This way, even if the Apache service is compromised, the attacker cannot damage the system or other applications through the Apache user. The apache user created here is the one that runs Apache's child processes and threads.
[root@c64-web /]# useradd -m -s /sbin/nologin apache    # create the apache user
Edit the Apache configuration file and change the default user.
[root@c64-web /]# vim /usr/local/apache/conf/httpd.conf
# change the default daemon user to the apache user
User apache
# change the default daemon group to the apache group
Group apache
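To check that the changes from sections two and three are really in place before going live, the following added example (not part of the original article) audits the two configuration files. The function names conf_value and audit_httpd and the sample files are assumptions made for this illustration; the sample content is constructed to match the stock state described above.

```sh
#!/bin/sh
# Added example: audit the settings changed in sections two and three.

# conf_value FILE DIRECTIVE: print the last uncommented value of DIRECTIVE,
# lowercased (Apache directive names and these values are case-insensitive).
conf_value() {
    awk -v d="$2" '
        $1 ~ /^#/ { next }                        # skip commented-out lines
        tolower($1) == tolower(d) { v = tolower($2) }
        END { print v }' "$1"
}

# audit_httpd MAIN_CONF DEFAULT_CONF: print one FAIL line per problem and
# return the number of problems found (0 means every check passed).
audit_httpd() {
    main=$1; extra=$2; n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    # httpd-default.conf has no effect until its Include line is uncommented
    grep -Eq '^[[:space:]]*Include[[:space:]]+conf/extra/httpd-default\.conf' "$main" ||
        fail "Include conf/extra/httpd-default.conf is still commented out"
    case $(conf_value "$extra" ServerTokens) in
        prod|productonly) ;;
        *) fail "ServerTokens is not Prod" ;;
    esac
    [ "$(conf_value "$extra" ServerSignature)" = off ] ||
        fail "ServerSignature is not Off"
    # the workers should run as the dedicated account, not daemon or root
    for d in User Group; do
        case $(conf_value "$main" "$d") in
            ""|daemon|root) fail "$d is unset, daemon or root" ;;
        esac
    done
    return "$n"
}

# Constructed sample: the stock state before any of the changes above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#Include conf/extra/httpd-default.conf' 'User daemon' \
    'Group daemon' > "$demo_dir/httpd.conf"
printf '%s\n' 'ServerTokens Full' 'ServerSignature Off' \
    > "$demo_dir/httpd-default.conf"
audit_httpd "$demo_dir/httpd.conf" "$demo_dir/httpd-default.conf" ||
    echo "findings: $?"
```

On a real server, pass /usr/local/apache/conf/httpd.conf and /usr/local/apache/conf/extra/httpd-default.conf as the two arguments.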