Apache server configuration overview

Source: Internet
Author: User
Tags: types of functions

Configuration files control every aspect of the server, so the three configuration files (httpd.conf, srm.conf and access.conf) must be set up for the server to operate normally.

In addition to these three settings files, Apache uses the mime.types file to map document suffixes to MIME types, and the magic file, which sets special identifiers for the different MIME types so that when Apache cannot determine a file's MIME type from the document suffix, it can determine it from these special tags in the file content.

bash-2.02$ ls -l /usr/local/apache/conf
total 100
-rw-r--r--  1 root  wheel    348 Apr 16 16:01 access.conf
-rw-r--r--  1 root  wheel    348 Feb 13 access.conf.default
-rw-r--r--  1 root  wheel  30331 May 26 08:55 httpd.conf
-rw-r--r--  1 root  wheel  29953 Feb 13 httpd.conf.default
-rw-r--r--  1 root  wheel  12441 Apr 19 :42 magic
-rw-r--r--  1 root  wheel  12441 Feb 13 magic.default
-rw-r--r--  1 root  wheel   7334 Feb 13 mime.types
-rw-r--r--  1 root  wheel    383 May 13 srm.conf
-rw-r--r--  1 root  wheel    357 Feb 13 srm.conf.default

In fact, the current version of Apache places all configuration parameters from httpd.conf, srm.conf and access.conf in the single file httpd.conf; the three files are only kept for compatibility with previous versions (NCSA httpd used these three configuration files). The access.conf and srm.conf files provided contain no specific settings.

In the new version of Apache all settings are placed in httpd.conf, so you only need to adjust the settings in this file. The following uses the httpd.conf provided by default as an example to explain the configuration options of the Apache server. You need not worry about the number of parameters: basically they are clear, and the Apache server will run without modifying them. However, if you need to tune the performance of the Apache server or add support for certain features, you need to understand what these parameters mean.

There is a lot of controversy on the Internet about the performance of Apache servers. Users of Apache have almost no doubt about its excellent performance, and Apache supports many well-known high-load websites. However, in evaluations by commercial organizations, Apache often scores low. Many people have pointed out that in these evaluations the commercial Web servers and their operating systems are tuned by the vendors' own engineers, while free operating systems and Web servers are run with their default configurations or only minor changes. It should be noted that, apart from operating-system tuning, the default configuration of the Apache server itself is by no means optimal or most efficient: to run on almost all types of operating systems and hardware, multi-platform software cannot provide an optimal default configuration for a specific platform and hardware. Therefore, performance tuning is essential when Apache is used.

Another fact ignored in commercial evaluations is that different types of functionality are often compared. For example, the performance of standard CGI under Apache is compared with server APIs such as ISAPI and NSAPI, whereas the Apache features actually comparable to those are mod_perl, FastCGI and PHP. Because of Apache's open model, these features are developed independently and implemented as separate modules, and during the evaluation the testers did not add the corresponding module when measuring performance.

Running Parameters of the HTTP daemon

httpd.conf defines the parameters the httpd daemon needs to determine its running mode and environment.

ServerType standalone

ServerType defines the server startup mode. The default value is standalone: the httpd server is started by itself and stays resident in the host to listen for connection requests. In Linux, the Web server is started automatically from the startup file /etc/rc.d/rc.local/init.d/apache. This method is recommended.

The inetd method is the other way to start the Apache server: the super server inetd listens for connection requests and starts the server. To use the inetd startup method, change this setting to inetd, disable the /etc/rc.d/rc.local/init.d/apache startup file, change /etc/inetd.conf and restart inetd; Apache can then be started from inetd.

The difference between the two methods is that in standalone mode the server manages its own startup processes, so multiple copies of the server can be started immediately at startup, each residing in memory; a connection request can be processed at once without generating a sub-process, so responses to client browser requests are faster and performance is higher. In inetd mode, inetd starts the http server only after it detects a connection request. Because inetd has to listen on many ports, the response is slow and efficiency is low; however, this saves the resources the Web server would occupy when no connection request is pending. The inetd method is therefore only used on servers that are accessed occasionally and where access speed does not matter. In fact, the inetd method is not suited to the bursty, multi-connection nature of HTTP: a page may contain several images, and each image causes a connection request, so even with few visitors there are many short-lived connection requests, which are limited by inetd's performance and may even affect other server programs started by inetd.

ServerRoot "/usr/local"

ServerRoot is used to specify the running directory of the daemon httpd. After httpd is started, the current directory of the process is automatically changed to this directory. Therefore, if the file or directory specified in the file is set to a relative path, the actual path is located under the path defined by ServerRoot.

Because httpd often performs concurrent file operations, locking is needed to ensure that file operations do not conflict. Since the file locking capabilities of the NFS file system are limited, this directory should be on a local disk file system rather than on NFS.

# LockFile /var/run/httpd.lock

The LockFile parameter specifies the lock file of the httpd daemon. Generally, you do not need to set this parameter. The Apache server will automatically perform operations in the path under ServerRoot. However, if ServerRoot is an NFS file system, you need to use this parameter to specify the path in the local file system.

PidFile /var/run/httpd.pid

The process number of the httpd daemon is recorded in the file specified by PidFile. Because httpd copies itself automatically, there are multiple httpd processes in the system, but only one of them is the process that was started initially; it is the parent of the others, and sending a signal to it affects all httpd processes. The process number of this parent process is what is recorded in the file defined by PidFile.

ScoreBoardFile /var/run/httpd.scoreboard

httpd uses ScoreBoardFile to maintain internal process data. You do not need to change this parameter unless you want to run several Apache servers on one computer, in which case each Apache server requires its own configuration file httpd.conf and a different ScoreBoardFile.

# ResourceConfig conf/srm.conf
# AccessConfig conf/access.conf

The ResourceConfig and AccessConfig parameters exist for compatibility with old versions of Apache that use the srm.conf and access.conf files. If there is no compatibility requirement, you can set each of them to /dev/null, which indicates that no other settings file exists and only httpd.conf holds all the settings.

Timeout 300

Timeout defines the Timeout interval between the client program and the server. After the Timeout interval (in seconds) is exceeded, the server will be disconnected from the client.

KeepAlive On

In HTTP 1.0, only one HTTP request can be transmitted over one connection; the KeepAlive parameter enables the HTTP 1.1 feature of multiple transfers per connection, so that several HTTP requests can be sent over a single connection. Although only newer browsers support this feature, the option is still enabled.

MaxKeepAliveRequests 100

MaxKeepAliveRequests is the maximum number of HTTP requests that a connection can perform. Setting this value to 0 will allow unlimited transmission requests in one connection. In fact, no client program requests too many pages in a single connection. Generally, the connection is completed if this limit is not reached.

KeepAliveTimeout 15

KeepAliveTimeout sets the time allowed between requests on one connection. If the server has completed a request but receives no further request from the client within the number of seconds set here, it closes the connection.

MinSpareServers 5
MaxSpareServers 10

On a Web server that uses a sub-process to handle each HTTP request, response time suffers because the sub-process must first be created to process the client's request. The Apache server uses a special technique to avoid this problem: several idle sub-processes are generated in advance and reside in the system, and as soon as a request arrives an idle sub-process handles it, so there is no latency from process creation. As client requests increase, the number of sub-processes started increases. These server copies do not exit immediately after an HTTP request is processed; instead they wait in the computer for the next request. However, the number of idle sub-process copies cannot be allowed to grow without limit: too many idle sub-processes do no work yet occupy the server's processing capacity. The number of idle copies must therefore be bounded, keeping enough processes to respond to client requests promptly while avoiding unnecessary ones.

Therefore, you can use the MinSpareServers parameter to set the minimum number of idle sub-processes, and use the MaxSpareServers parameter to limit the maximum number of idle sub-processes. Redundant server process copies will exit. Set according to the actual situation of the server. If the server has high performance and is frequently accessed, you should increase the settings of these two parameters. For high-load professional websites, these two values should be roughly the same, and are equivalent to the maximum number of server replicas supported by the system, and unnecessary copies should be removed.

StartServers 5

The StartServers parameter sets the number of sub-process copies started when httpd starts. It is related to the MinSpareServers and MaxSpareServers parameters defined above: it starts idle sub-processes in advance to speed up server response. It should be set to a value between those two, that is, no less than MinSpareServers and no more than MaxSpareServers.

MaxClients 150

On the other hand, a server's capacity is limited, and it cannot process an infinite number of connection requests at the same time. The MaxClients parameter therefore sets the maximum number of concurrent clients the server supports. If this value is too large, the system has to switch between too many processes during busy periods to serve too many clients, which slows the response to each client and reduces overall efficiency. If it is too small, some client connection requests are rejected when the system is busy. When server performance is high, this setting can be raised as appropriate. For professional websites the goal is server efficiency, so this parameter should not exceed what the hardware can handle; if access is frequently denied, the server hardware needs to be upgraded. For non-professional websites, where users are less concerned about response speed, or consider a slow response better than a rejected connection, this parameter can be set slightly beyond what the hardware would suggest.

This parameter limits the settings of MinSpareServers and MaxSpareServers. They should not be greater than the settings of this parameter.

MaxRequestsPerChild 30

Using a sub-process per connection is a common way of providing Web services. The problem is that each connection requires the system to create and then exit a sub-process, and these extra operations consume a large share of the computer's processing capacity. The best approach is therefore for one sub-process to serve many connections, avoiding the system cost of process creation and exit. Apache uses this method: after a connection completes, the sub-process does not exit but stays in the system waiting for the next service request, which greatly improves performance.

However, because memory is constantly allocated and released during processing, after a large number of requests some memory garbage may accumulate, which affects system stability and the effective use of system resources. Therefore, after a copy has processed a certain number of requests it exits, and a clean copy is forked again from the original httpd process; this improves system stability. The number of service requests handled by each sub-process is defined by MaxRequestsPerChild. The default value of 30 is too conservative for highly stable Linux systems and can be set to 1000 or higher; setting it to 0 lets each copy handle an unlimited number of requests.
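The relationships between the process-model directives described above can be checked mechanically. The following is an added example, not code from the article: it parses a constructed httpd.conf fragment (using the article's default values) and reports violations of the rules just described, plus the worst-case time one idle client can tie up a child process under the KeepAlive settings.

```python
# Added example (not from the original article): a checker for the relations the
# article describes between Apache 1.3 process-model directives. Directive names
# are Apache's; the sample values are the article's defaults.

SAMPLE_CONF = """
# constructed httpd.conf fragment using the values quoted in the article
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Timeout 300
"""


def parse_directives(text):
    """Return {directive: value} for uncommented 'Name value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        conf[name] = value.strip()
    return conf


def check_process_model(conf):
    """Return a list of findings; an empty list means the values are consistent.

    Rules from the article: StartServers lies between MinSpareServers and
    MaxSpareServers, the spare bounds may not exceed MaxClients, and
    MaxRequestsPerChild 0 means a child process is never recycled.
    """
    value = lambda name: int(conf[name])
    min_spare, max_spare = value("MinSpareServers"), value("MaxSpareServers")
    start, max_clients = value("StartServers"), value("MaxClients")
    per_child = value("MaxRequestsPerChild")

    findings = []
    if min_spare > max_spare:
        findings.append("MinSpareServers %d exceeds MaxSpareServers %d"
                        % (min_spare, max_spare))
    if not min_spare <= start <= max_spare:
        findings.append("StartServers %d is outside [%d, %d]"
                        % (start, min_spare, max_spare))
    if max_spare > max_clients:
        findings.append("MaxSpareServers %d exceeds MaxClients %d"
                        % (max_spare, max_clients))
    if per_child == 0:
        findings.append("MaxRequestsPerChild 0: children are never recycled, so "
                        "leaked memory accumulates for the life of the server")
    return findings


def max_idle_hold_seconds(conf):
    """Upper bound on how long one client can keep a child busy while idle.

    With KeepAlive On a client may issue up to MaxKeepAliveRequests requests and
    wait up to KeepAliveTimeout seconds before each follow-up request, so one
    slow client can occupy one of the MaxClients processes for roughly
    MaxKeepAliveRequests * KeepAliveTimeout seconds; with KeepAlive Off the
    bound is the plain Timeout. MaxKeepAliveRequests 0 means unlimited, which
    is reported as None.
    """
    if conf.get("KeepAlive", "Off").lower() != "on":
        return int(conf["Timeout"])
    requests = int(conf["MaxKeepAliveRequests"])
    if requests == 0:
        return None
    return requests * int(conf["KeepAliveTimeout"])


if __name__ == "__main__":
    conf = parse_directives(SAMPLE_CONF)
    for finding in check_process_model(conf) or ["process model is consistent"]:
        print(finding)
    print("one idle client can hold a child for up to %s seconds"
          % max_idle_hold_seconds(conf))
```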

# Listen 3000
# Listen 12.34.56.78:80
# BindAddress *

The Listen parameter lets the server accept HTTP requests on other ports in addition to the standard port 80. Because a FreeBSD system can have multiple IP addresses at the same time, you can also use BindAddress to specify that the server listens for HTTP requests on only one IP address. If this item is not configured, the server responds to requests on all its IP addresses.

Even when BindAddress is used and the server answers requests on only one IP address, the extended Listen parameter still lets the HTTP daemon respond to requests on other IP addresses; in that case Listen is used in the form of the second example above. This more complicated usage is mainly used for virtual host setup, where the VirtualHost parameter later defines different IP addresses. However, this method comes from the earlier HTTP 1.0 standard, under which each virtual host requires its own IP address, and in practice it is not very useful. HTTP 1.1 added support for multiple domain names on a single IP address, which makes such settings more meaningful.

LoadModule mime_magic_module libexec/apache/mod_mime_magic.so
LoadModule info_module libexec/apache/mod_info.so
LoadModule speling_module libexec/apache/mod_speling.so
LoadModule proxy_module libexec/apache/libproxy.so
LoadModule rewrite_module libexec/apache/mod_rewrite.so
LoadModule anon_auth_module libexec/apache/mod_auth_anon.so
LoadModule db_auth_module libexec/apache/mod_auth_db.so
LoadModule digest_module libexec/apache/mod_digest.so
LoadModule cern_meta_module libexec/apache/mod_cern_meta.so
LoadModule expires_module libexec/apache/mod_expires.so
LoadModule headers_module libexec/apache/mod_headers.so
LoadModule usertrack_module libexec/apache/mod_usertrack.so
LoadModule unique_id_module libexec/apache/mod_unique_id.so

ClearModuleList

AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_proxy.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
AddModule mod_digest.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c

An important feature of the Apache server is its modular structure. Not only can new functions be added through new modules at compile time, but modules can also be loaded dynamically into the http server program so that unnecessary modules need not be loaded. To use Apache's dynamically loaded modules you only need to set the LoadModule and AddModule parameters. This is Apache's DSO (Dynamic Shared Object) feature; making full use of DSO, however, is not a simple task, and modifying the settings here may cause the server to fail to start. Therefore, unless you want to add or remove features provided by the server, do not change the settings here.

The list above shows the modules supported by the default Apache server on Linux. In fact many of them are unnecessary, and unnecessary modules are not loaded into memory. A module can be statically linked into the Apache server or dynamically loaded in this way. This port compiles all Apache features into dynamically loadable modules rather than following the default Apache approach, trading a small amount of performance for great flexibility.

Dynamic loading therefore has a slight impact on performance. You can recompile Apache and build the functions you need into the server to make the system cleaner, with a slight gain in efficiency; it is not necessary to recompile Apache for this reason alone, but if you need to add other features and recompile anyway, you may wish to link all the modules statically into the Apache server. Some users prefer dynamically loaded modules.

These modules are placed in the /usr/local/apache/libexec/ directory, and each corresponds to a feature of the Apache server. A detailed explanation of every module would take considerable space; the more important features are explained in the following sections, and for the specific functions and usage of each module you need to consult the Apache documentation.

# ExtendedStatus On

The Apache server can report its own running status through special HTTP requests. Enabling this ExtendedStatus parameter allows the server to report more comprehensive running status information.

Master server settings

The Apache server requires various settings to define the parameters it uses to provide Web services. Except where they are overridden by a virtual host definition (some settings must be redefined there), the settings in this section are also the defaults.

Port 80

Port defines the port used by the httpd daemon in standalone mode. The standard port is 80. This option is only valid for servers started in standalone mode; for servers started from inetd, the port is defined in inetd.conf.

Root permission is required to use port 80 in Unix. For security reasons some administrators do not trust the httpd server to be free of security vulnerabilities, and so prefer to start the server under an ordinary user's permissions; in that case port 80 and the other ports below 1024 cannot be used, and a port above 1024 must be used to start httpd. Ports 8000 and 8080 are common choices. The Apache httpd server opens port 80 with root permission and then runs as an ordinary user, which already reduces the risk, so this normally need not be a concern. However, if you install and configure your own WWW server as an ordinary user, you have to use a port above 1024.

User nobody

Group nogroup

The User and Group settings are Apache's security guarantee. After Apache opens the port, it switches itself to the permissions of the user and group set in these two options, which reduces the server's risk. This option is only used in standalone mode; in inetd mode the user that runs Apache is specified in inetd.conf. Because the server must perform the setuid() operation to change identity, the initial process must have root permissions; if Apache is started by a non-root user, this configuration has no effect.

The default values are nobody and nogroup. This user and group own no files in the system, which ensures that the server itself and the CGI processes it starts have no permission to change the file system. In some cases, for example running CGI programs that interact with the Unix system, the server also needs to access files on the server. If nobody and nogroup are still used, files owned by nobody will appear in the system, which is harmful to system security: other programs also run with nobody and nogroup permissions and could access those files, leading to security problems. Generally, you should set up a specific user and group for the Web service and change the User and Group settings here accordingly.
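The order of operations described above (bind the port first, then setuid() to User/Group) decides both whether the server can start and which identity ends up serving requests. The following added example, not code from the article, models that sequence for a configuration dictionary and a starting uid; the configurations and uids are constructed.

```python
# Added example (not the article's code): a model of the Port/User/Group startup
# sequence the article describes for standalone mode. Directive names are
# Apache's; uids and the sample configurations are constructed.

ROOT_UID = 0
PRIVILEGED_PORT_LIMIT = 1024  # on Unix, binding a port below 1024 needs root


def plan_startup(conf, starting_uid):
    """Describe what happens when httpd starts with conf as starting_uid.

    conf maps directive names to values (Port, User, Group). Returns a dict
    with 'starts' (whether the listening socket can be opened), 'serves_as'
    (the identity request-handling children end up with) and 'findings'.
    """
    port = int(conf.get("Port", "80"))
    user, group = conf.get("User", "nobody"), conf.get("Group", "nogroup")
    plan = {"port": port, "starts": True, "findings": []}

    # Step 1: the initial process binds the listening socket.
    if port < PRIVILEGED_PORT_LIMIT and starting_uid != ROOT_UID:
        plan["starts"] = False
        plan["findings"].append(
            "uid %d cannot bind port %d; use a port of 1024 or above, or start "
            "httpd as root" % (starting_uid, port))

    # Step 2: only a root-started server can setuid() to User/Group.
    if starting_uid == ROOT_UID:
        plan["serves_as"] = "%s:%s" % (user, group)
        if user == "root":
            plan["findings"].append(
                "User root: children keep full privileges, the User/Group "
                "safeguard is lost")
    else:
        plan["serves_as"] = "uid %d" % starting_uid
        plan["findings"].append(
            "started without root: User/Group directives have no effect")
    return plan


if __name__ == "__main__":
    article_defaults = {"Port": "80", "User": "nobody", "Group": "nogroup"}
    for uid in (ROOT_UID, 1001):
        print("start as uid %d:" % uid, plan_startup(article_defaults, uid))
    print(plan_startup({"Port": "8080", "User": "www", "Group": "www"}, 1001))
```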

ServerAdmin

ServerAdmin is the one item in the configuration file that should be changed. It sets the e-mail address of the WWW server administrator, which is returned to the browser when an HTTP service error occurs so that Web users can contact the administrator to report errors. Traditionally, webmaster on the server is used as the administrator of the WWW server, and through the mail server's alias mechanism, mail sent to webmaster is delivered to the real Web administrator.

# ServerName new.host.name

By default you do not need to specify ServerName; the server obtains its name automatically through name resolution. However, if server name resolution has problems (usually incorrect reverse resolution) or there is no formal DNS name, you can also specify an IP address here. If ServerName is set incorrectly, the server cannot start normally.

Generally, a Web server can have multiple names, and the client browser can use any of these names or IP addresses to access it. However, the server always responds to the browser with its own official name; ServerName defines the formal name recognized by the Web server. For example, if the name of a server (defined in DNS as an A record) is example.org.cn and an alias www (a CNAME record) is also defined for ease of memory, the name Apache resolves automatically is example.org.cn, so no matter which name the client browser uses to send the request, the server always tells the client that it is example.org.cn. Although this generally causes no problems, consider that the server may one day be migrated to another computer, and the migration would be completed simply by changing the www alias in DNS; if you do not want users to record the address example.org.cn in their bookmarks, you must use ServerName to re-specify the official name the server reports.

DocumentRoot "/www/"

DocumentRoot defines the path where the hypertext files published by the server are stored. The URL requested by the client program is mapped to the web page files under this directory. Subdirectories of this directory, as well as files and directories reached through symbolic links, can be accessed by the browser, but the same relative directory name must be used in the URL.

Note: although a symbolic link is logically located under the document root, it can actually point to any directory on the computer, so the client program can access directories outside the document root; this increases flexibility while reducing security. Apache provides the FollowSymLinks option in directory access control to enable or disable support for symbolic links.

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

The Apache server can control access to documents by directory, in two ways. One is to set it in the httpd.conf file (or access.conf); the other is to place an access control file in each directory, normally named .htaccess. Although both methods control browser access, the configuration file method requires the httpd daemon to be restarted after each change, which is not flexible, so it is mainly used to set the server system's overall security control policy; setting access control for specific directories in the .htaccess file is more flexible and convenient.

The Directory statement defines the access restrictions of a directory; its standard syntax is shown above. In this example the setting is for the root directory of the system: the FollowSymLinks option allows symbolic links, and AllowOverride None indicates that an access control file in this directory is not allowed to change the configuration made here, which also means that Apache does not need to look for an access control file in this directory.

Because Apache's access control settings for a directory are inherited by lower-level directories, the setting for the root directory affects its subdirectories. Note that because of the AllowOverride None setting, the Apache server does not need to look for access control files in the root directory or in the directories below it until, in httpd.conf (or access.conf), AllowOverride is specified for some directory to allow access control files to be consulted. Because Apache uses inheritance for directory access control, if access control files could be consulted from the root directory downward, Apache would have to look for an access control file at every level, which affects system performance. By default this is disabled for the root directory, so Apache only searches downward from the specific directory specified in httpd.conf, reducing the search depth and increasing system performance. Setting AllowOverride None for the system root directory is therefore good both for system security and for system performance.

<Directory "/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Here we define the access settings for the directory holding the system's published documents. Different AllowOverride options define the relationship between the directory settings in the configuration file and the security control files in the user's directory, and the Options option defines the features of this directory.

Access restrictions can be set both in the configuration file and in the access control file of each directory. The configuration file is set by the administrator, while the access control file in each directory is set by the directory's owner. The administrator can therefore specify whether the directory owner may override the settings in the configuration file; this is set with the AllowOverride parameter, whose usual values are:

Effect of AllowOverride settings on the access control file in each directory:

    All         The default; the access control file may override the system configuration.
    None        The server ignores the access control file.
    Options     The access control file may use the Options parameter to define directory options.
    FileInfo    The access control file may use parameters such as AddType.
    AuthConfig  The access control file may use per-user authentication mechanisms such as AuthName and AuthType, which lets the directory owner protect the directory with user names and passwords.
    Limit       The access control file may restrict access by the IP addresses and names of the clients accessing the directory.

Each directory has certain attributes, and Options controls some of the access features of the directory. The common feature options are:

    All                   All directory features are enabled; this is the default.
    None                  All directory features are disabled.
    FollowSymLinks        Symbolic links are followed, which makes it possible for the browser to access documents outside the document root (DocumentRoot).
    SymLinksIfOwnerMatch  A symbolic link is followed only when its target and the link itself are owned by the same user. This setting adds security.
    ExecCGI               CGI programs may be executed in this directory.
    Indexes               When no index.html (or other index file) exists in the directory, the server sends the browser a list of the files in the directory.

In addition, the Order, Allow and Deny parameters used in the example above control access by the client's domain name and IP address, the same mechanism used inside a Limit statement. Order defines the order in which Allow and Deny are processed, while Allow and Deny set access control by name or IP address. In the example above, Allow from all permits all clients to access this directory without restriction.
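The inheritance and .htaccess lookup behaviour described in this section can be made concrete. The following added example, not code from the article, models how the two Directory blocks above (plus a constructed "/www/private" section) combine for a request path, lists the .htaccess files Apache would have to consult, and flags directories where FollowSymLinks without SymLinksIfOwnerMatch lets a link reach outside the document root.

```python
# Added example (not from the article): how Apache's per-directory settings are
# inherited down the tree and which .htaccess files the server would have to
# consult for a request. The first two sections mirror the article's
# <Directory> blocks; the "/www/private" section is a constructed addition.
import posixpath

DIRECTORY_SECTIONS = [
    ("/", {"Options": {"FollowSymLinks"}, "AllowOverride": "None"}),
    ("/www", {"Options": {"Indexes", "FollowSymLinks"}, "AllowOverride": "None"}),
    # constructed: a subtree whose owner may add password protection and
    # client address limits in .htaccess
    ("/www/private", {"AllowOverride": "AuthConfig Limit"}),
]


def _covers(prefix, path):
    """True if the <Directory prefix> section applies to path."""
    return (prefix == "/" or path == prefix
            or path.startswith(prefix.rstrip("/") + "/"))


def effective_settings(path, sections=DIRECTORY_SECTIONS):
    """Merge the sections that cover path, shortest prefix first.

    Apache applies <Directory> blocks from the least to the most specific
    directory, each later block replacing the directive values of the earlier
    ones, which is the inheritance the article describes.
    """
    merged = {}
    by_depth = sorted(sections, key=lambda s: len(s[0].rstrip("/").split("/")))
    for prefix, settings in by_depth:
        if _covers(prefix, path):
            for name, value in settings.items():
                merged[name] = set(value) if isinstance(value, set) else value
    return merged


def htaccess_lookups(file_path, sections=DIRECTORY_SECTIONS):
    """Return the .htaccess files Apache would look for when serving file_path.

    Walking from the root down to the file's directory, a level is checked
    only where the effective AllowOverride is not None.
    """
    directory = posixpath.dirname(file_path)
    levels = ["/"]
    for part in directory.split("/"):
        if part:
            levels.append(posixpath.join(levels[-1], part))
    return [posixpath.join(level, ".htaccess") for level in levels
            if effective_settings(level, sections)["AllowOverride"] != "None"]


def symlink_escape_possible(path, sections=DIRECTORY_SECTIONS):
    """True if a link in this directory may point outside the document root.

    FollowSymLinks follows any link; only SymLinksIfOwnerMatch limits links to
    targets owned by the same user as the link itself.
    """
    options = effective_settings(path, sections).get("Options", set())
    return "FollowSymLinks" in options and "SymLinksIfOwnerMatch" not in options


if __name__ == "__main__":
    for path in ("/www/index.html", "/www/private/reports/index.html"):
        directory = posixpath.dirname(path)
        print(path, effective_settings(directory))
        print("  .htaccess lookups:", htaccess_lookups(path))
        print("  symlink escape possible:", symlink_escape_possible(directory))
```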

UserDir public_html

When the Apache server runs on a Linux server, every user on the computer can have their own web page path: prefixing the user name with a tilde in the URL maps to the user's web page directory. The mapped directory is a subdirectory of the user's home directory, and its name is defined by the UserDir parameter; the default is public_html. If you do not want to provide web page services for the system's users, use DISABLED as the UserDir value.

#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS PROPFIND>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS PROPFIND>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

Here we see another use of Directory: a simple pattern-matching method defines access control for subdirectories spread across different directories. Because the Apache server must then do extra processing on each path, which reduces performance, this access restriction is not enabled by default.
