Installation, optimization, and security settings of Apache2.x in CentOS

Source: Internet
Author: User
Tags modsecurity
Web server software installation sequence: Mysql -- & gt; Apache (httpd) -- & gt; PHPApache: Installation

Web server software installation sequence: Mysql --> Apache (httpd) --> PHP
Apache: http://www.apache.org/dist/httpd/

Decompress the package and enter the decompressed Directory. execute:

. /Configure -- prefix =/home/apache -- enable-so -- with-mysql =/home/mysql -- enable-track-vars -- enable-MoD-shared = all -- enable-cache -- enable-disk-cache -- enable-mem-cache -- enable-rewrite -- with-mpm = worker
Make
Make install

So far, the Apache main program has been installed! The main program of Apache will be installed under/home/apache /.

After the installation is complete, Apache is automatically started after it is not shut down. you need to perform some manual settings:
Copy the apachectl file to/etc/init. d and change it to httpd.
Cp/home/apache/bin/apachectl/etc/init. d/httpd
Edit the file, kate/etc/init. d/httpd.
And #! Add the following sentence to/bin/sh:
# Add for chkconfig
# Chkconfig: 2345 70 30
# Descr restart ption: Activate/Deactive Apache Web Server
# Processname: httpd
Save and exit.
2345 refers to the apache running level, that is, it can be run in the four modes of 2345, 234 is a text interface, and 5 is a graphical interface X
70 refers to the sequence number of apache startup. if the sequence number of other programs is smaller than 70, such as, apache must be started only after these programs are started. We recommend that you set the apache startup sequence after mysql!
30 indicates the stop sequence number of apache when the system is shut down.
Finally, run chkconfig -- add httpd to add the apache auto-start file to the corresponding directory under rc. d. Only in this way can Linux automatically start the boot correctly.

Certificate ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

To optimize Apache performance, we need to configure the worker. c module. Servers with different configurations and traffic must have different settings to optimize performance!
Kate/home/apache/conf/httpd. conf
Add the following options at the bottom ( ...... Before)


ServerLimit 20
# The maximum number of processes allowed by the server. This command is used with ThreadLimit to set the maximum allowed value of MaxClients. Any changes to this command during the restart will be ignored, but the changes to MaxClients will take effect.
ThreadLimit 200
# The maximum number of threads that can be configured for each sub-process. This command sets the maximum number of threads that can be configured for each sub-process. Any change to this command during the restart will be ignored, but the change to ThreadsPerChild will take effect. The default value is "64 ".
StartServers 5
# Number of sub-processes created when the server starts. the default value is "3 ".
MinSpareThreads 50
# Minimum number of idle threads. the default value is "75 ". This MPM monitors the number of idle threads based on the entire server. If the total number of idle threads on the server is too small, the child process will generate a new idle thread.
Maxsparethread S 250
# Set the maximum number of idle threads. The default value is 250 ". This MPM monitors the number of idle threads based on the entire server. If the total number of idle threads on the server is too large, the child process will kill the redundant idle threads. The value range of MaxSpareThreads is limited. Apache will automatically modify the value you set according to the following restrictions: worker requires that the value is greater than or equal to MinSpareThreads and the sum of ThreadsPerChild
MaxClients 2000
# Maximum number of access requests (maximum number of threads) that can be simultaneously servo ). Any request that exceeds the MaxClients limit will enter the waiting queue. The default value is "400", 16 (ServerLimit) multiplied by 25 (ThreadsPerChild. Therefore, to add MaxClients, you must add the ServerLimit value at the same time.
ThreadsPerChild 100
# The number of resident execution threads created by each sub-process. The default value is 25. After these threads are created at startup, the child process will no longer create new threads.
MaxRequestsPerChild 10000
# Set the maximum number of requests allowed by the servo for each sub-process during its lifetime. When the limit of MaxRequestsPerChild is reached, the sub-process will end. If MaxRequestsPerChild is "0", the child process will never end.
# Setting MaxRequestsPerChild to a non-zero value has two advantages:
#1. it can prevent (accidental) infinite memory leakage and thus exhaust the memory.
#2. a limited life cycle is provided for the process, which helps reduce the number of active processes when server load is reduced.

To speed up page reading on the client, we need to install and configure the page compression module mod_deflate. This module has been built into Apache 2.x and does not need to be re-installed. you can directly configure it in/home/apache/conf/httpd. conf.
Kate/home/apache/conf/httpd. conf
Add the following options

# Enable the webpage compression module mod_deflate
LoadModule deflate_module modules/mod_deflate.so

# Deflate enabled logs
# DeflateFilterNote ratio
# LogFormat "% v % h % l % u % t" % r "%> s % B" % {Referer} I "" % {User-Agent} I ""( % {ratio} n) deflate
# CustomLog logs/deflate_log deflate
# Deflate enabled logs

# Insert a filter
SetOutputFilter DEFLATE
# Some problems with Netscape 4.x...
BrowserMatch ^ Mozilla/4 gzip-only-text/html
# More problems with Netscape 4.06-4.08
BrowserMatch ^ Mozilla/4.0 [678] no-gzip
# MSIE will pretend to be Netscape, but in fact it is okay
BrowserMatch MSIE! No-gzip! Gzip-only-text/html
# Do not compress images
SetEnvIfNoCase Request_URI
.(? : Gif | jpe? G | png) $ no-gzip dont-vary
# Ensure that the agent does not send the wrong content
Header append Vary User-Agent env =! Dont-vary


Certificate ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
To prevent malicious users from attacking Apache, we need to install the mod_security security module.

Download and install the mod_security 1.9.x module

: Http://www.modsecurity.org/download/index.html

We recommend that you use 1.9.x because the configuration instructions of 2.x are different from those of 1.x. decompress the package and run the following command to decompress the package:

/Home/apache/bin/apxs-cia mod_security.c

After compilation, a mod_security.so file is generated under/home/apache/modules.

Then kate/home/apache/conf/httpd. conf

Add the following options (if not)

# Enable the mod_security security module
LoadModule security_module modules/mod_security.so (This sentence is usually automatically added)

# Enable the filter engine. If it is Off, the following will not work.
SecFilterEngine On
# Pass the settings to the word Directory
SecFilterInheritance Off
# Check url encoding
SecFilterCheckURLEncoding On
# Check the content length to avoid heap overflow attacks
# SecFilterForceByteRange 32 126.
# Log files and locations. Make sure to set up the directory first. Otherwise, an error will be reported when apache is restarted.
SecAuditLog logs/audit_log
# Debug settings
# SecFilterDebugLog logs/modsec_debug_log
# SecFilterDebugLevel 1
# When matching commands such as chmod and wget, you can redirect to a special page, making it difficult for attackers to leave.
SecFilter chmod redirect: http://www.sina.com
SecFilter wget redirect: http://www.sina.com
# Check POST data. Note that using this switch may cause some post pages to be inaccessible. For more information, see www.modsecurity.org.
# SecFilterScanPOST Off
# Default action
SecFilterDefaultAction "deny, log, status: 406"
# Redirecting users
# SecFilter xxx redirect: http://www.sina.com
# Preventing operating system keyword attacks
SecFilter/etc/* passwd
SecFilter/bin/* sh
# Prevent double dot attacks
SecFilter "../"
# Preventing cross-site scripting (CSS) attacks
SecFilter "<(|) * scr limit pt"
# Prevent XSS atacks (HTML/effeccr effecpt injection)
SecFilter "<(. |) +>"
# Prevent SQL injection attacks
SecFilter "delete [[: space:] + from"
SecFilter "insert [[: space:] +"
SecFilter "select. + from"
# REDIRECT exe and asp requests
SecFilterSelective REQUEST_URI ". exe" "redirect: http://www.google.com"
SecFilterSelective REQUEST_URI ". asp" "redirect: http://www.google.com"
The following section limits the upload. php files that can only be used to upload images. BMP and gif.
#
# SecFilterInheritance On
# SecFilterSelective POST_PAYLOAD "! Image/(jpeg | bmp | gif )"
#
# Disguised server ID
SecServerSignature "Microsoft-IIS/6.0"

Save and restart apache!
Certificate ----------------------------------------------------------------------------------------------------------------------------------------------------------------------

To prevent Web servers from being attacked by DDoS attacks, we need to install the mod_evasive anti-DDoS module.
Download and install the mod_evasive 1.10.x anti-DDoS module

: Http://www.zdziarski.com/projects/mod_evasive/

Decompress the package and enter the decompressed directory.
/Home/apache/bin/apxs-cia mod_evasive20.c

After compilation, a mod_evasive20.so file is generated under/home/apache/modules.

Then kate/home/apache/conf/httpd. conf

Add the following options (if not)

# Enable mod_evasive for Apache 2.x anti-DDoS module
LoadModule evas

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.