Apache fine tuning configuration

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Install apache2 in debian etch

#apt-get install apache2

Install openssl using the following command

#apt-get install openssl ssl-cert

Install PHP5 support for apache2 in debian etch

#apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi

Once you install apache server you need to Generate a certificate,Enable Apache SSL support and Configure your SSL options.

Generate A certificate

Generating a certificate will provide to protect the traffic exchanged between clients and your server, however it will be unsigned by a trusted certificate authority so it will generate warnings.

If you want to avoid these warning messages you need to get a trusted certificate from SSL certificate vendors.If you want to Generating an SSL certificate for Apache2 you need to use the openssl. This will ask you questions interactively then generate the certificate file appropriately.

Note:-For generating certificate you might have used the apache2-ssl-certificate command in debian sarge but in debian etch this command not available.If you want to generate certificates you need to use openssl from you command prompt Use the following command to generate certificates

#openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

Generating a 1024 bit RSA private key
………………………………………….++++++
…………………………………….++++++
writing new private key to ‘/etc/apache2/apache.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Debian
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

This will complete the certificate now you need to make sure you have the correct permissions for .pem file if not use the

following command to set the correct permissions

#chmod 600 /etc/apache2/apache.pem

By default the server will listen for incoming HTTP requests on port 80 - and not SSL connections on port 443. So you need to enable SSL support by entering the following entry to the file /etc/apache2/ports.conf save and exit the file.

Listen 443

Enable SSL Support

If you want to enable SSL support for your apache web server you need to use the following comamnd

#a2enmod ssl
Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Now you need to restart the apache2 server using the following command

#/etc/init.d/apache2 restart

Configuring SSL Certificate to Virtual Hosts in Apache2

First you need to edit the /etc/apache2/sites-available/default file change

NameVirtualHost *
to

NameVirtualHost *:80
NameVirtualHost *:443

Now you need to configure Virtual hosts using port 80

Example
ServerAdmin webmaster@localhost
.
.
.
configure Virtual hosts using port 443 the main difference is you need to use the following two lines for each SSL hosts.

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

Example
ServerAdmin webmaster@localhost
.
.
.
SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

Now you need to restrat your apache web server using the following comamnd

# /etc/init.d/apache2 reload

Reloading web server config… XXXX

You will probably have to tune little more for adapt all this to your personal server usage, server load, development & architecture. So, use those tips as a kind of inspiration instead of an “how to”. Don’t forget that when you do such tuning, take care to keep a backup of your previous configuration files.

We will try to tune the following server :

Current OS : Debian GNU Linux Kernel 2.4.32 ipv4 + GRSEC
1Go RAM DDR
Intel(R) Celeron(R) CPU 2.66GHz
SWAP 512Mo
3Go on / and 226Go on /home
Running services are Qmail, Bind9, mrtg, Apache 2.2.2, PHP 5.1.4, MySQL 5.0.21

The best way for tuning a server is to have dedicated services on one server and so, having multiple server especially for MySQL and Apache.

We were runing a heavy website with DotClear and the heavy PhpADS with all its stuff (geoip, all counters, etc.)
The server up to a load of 114 in some peak with a swap totally used ! And so.. a big freeze of services… 70k mails/day , 110k pv/day, 12k v/day, 47 sql queries/sec

In fact, services weren’t so loaded but the box was crashing a lot and swapping often without using too much CPU.

First things that I do was to change the Linux Kernel from a 2.4.32 to a 2.6.18. Lot of things were improves in 2.6. I convey you to take a look at those posts :
http://www-128.ibm.com/developerworks/linux/library/l-web26/
http://developer.osdl.org/craiger/hackbench/
http://kerneltrap.org/node/903

After this update, I take the time to update all version software for using a MySQL 5.0.27, PHP 5.2 etc. Without looking at the changelogs, bugfixes will still help us :-)
After this, we will tune our software configuration that still use default values (this is really bad ! :) then we will tune a little the kernel without recompile a new one.

Apache 2.2.2 Prefork
Our HTTPD is using some modules as url rewriting, server info, php5, GeoIP and other basic modules. We could optimize much more by using an Apache 2.2.3 Worker and only useful modules or even more delivering static pages and using proxy for dynamic pages. All this depend on your developments and your server usage. Here we will only focus on the Apache Prefork.
Nowadays, it’s important to keep active the KEEPALIVE functionality. This will increase the speed of delivring pages for lot of modern browsers (it’s supported by ie, firefox, safari, opera, etc.). The only thing is to touch a little to the default value. In fact, if your keepalive time out is too big, you will keep an entire apache slot open for a user that is probably gone ! A 4 seconds timeout is enough for delivering a full web page and take care of any network congestion. MaxKeepAliveRequests is used to define the maximum number of request manage by an apache slot during a keepalive session. Except if you have lot of pictures to load on your web pages you don’t really need to have a big value at this state.

A complete mod_deflate configuration (See related posts)

<IfModule mod_deflate.c> 
#General Configuration settings: use ratio method and highest compression
DeflateFilterNote ratio
DeflateCompressionLevel 9

#Approach 1: Implicit ("Set") compression
## There are potential issues with compressing everything 
## It will for example send xml compressed to web services or flash
#SetOutputFilter DEFLATE
#SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary

##Approach 2: Explicit ("Add") compression by mime-type

AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
# Or by extension
# AddOutputFilter DEFLATE html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript

# Implicit compression on the way in
SetInputFilter DEFLATE

# Explicit compression on the way in, there is no AddInputFilterByType
# AddInputFilter DEFLATE html

</IfModule>

KeepAlive On
KeepAliveTimeout 4
MaxKeepAliveRequests 500

As I don’t have lot of memory available on the server I ‘m constraint to decrease drastically the number of running servers from 150 to 60. As I have an apache using approximatly 13Mo of memory (withdraw 3Mo of shared memory), I need approximately 600 Mo of available memory when all the apache child process are running. We have to consider, for our further tuning, that this memory is used. It’s really important in our case to dedicate memory for avoid to swap too much and lost the box in a freeze. you can follow your memory usage by using TOP and looking for your apache/httpd process. (Do a quick “man top” for know more). If you have little more free memory you can take a look to the apache documentation for further tuning.

ServerLimit 60
MaxClients 60

Our server is often overload, with lot of traffic. When I need to restart the apache, or in case of any crashes the apache server start with only 5 Child server process and will add new one 1 second later, 2 new child 2 second later, 4 new at the third second, etc. It’s really too long when you are in a peak ! So, I configured StartServers for let us start directly with 30 child Server process. That will help us to deliver quickly the clients and minimize the impact of the server restart.

MinSpareServers and MaxSpareServers is used in same way as StartServer. When your apache server isn’t load, there is idle child waiting for connection. It’s not usefull to have all your child still open but, In case of a new peak the best way to minimize its impact on your server is to deliver web pages as quick as possible. So keeping some idle Child Process still waiting for client isn’t so stupid. Furthermore in case of our touchy server we consider to be able to allocate 600Mo of RAM. So, We can use it even if it’s for idle Child Process as we dedicate this RAM for apache. For avoid any module Memory Leak, and having fully available Child I set the MaxRequestPerChild to 1000, that mean that each 1000 request, the child will be kill and Apache Server will spare a new one. You’ll probably have to set this value to a higher number. It’s depend of the structure of your web page. You will have to monitor a little your server after those change for being sure to don’t have too much child kill/spare instead of delivering web pages.

StartServers 30
MinSpareServers 30
MaxSpareServers 30
MaxRequestsPerChild 1000

Follow some security issue, we don’t display too much information about our server. As we don’t need the reverse lookup on the client ip, we keep the default value of HostnameLookups to Off and by this way we save some network traffic and server load.

ServerTokens Prod
ServerSignature Off
HostnameLookups Off

PHP 5.1.4
For perform our page generation and save some cpu we use the php extension eaccelerator. Take a look at the documentation for install it.
We dedicate 32Mo of our RAM for eaccelerator (shm_size) and will use it with shared memory and file cache (”shm_and_disk” value for keys, sessions and content variable). (Memory is really useful in our case, because of all the mails, apache log and MySQL disk access that generate too much i/o and slow down considerably all the server). As we don’t change often the php script on the server we don’t need to use the check_mtime functionality. When set to “1″, that will do a stat on the php script for checking of last modification date We don’t need this because we want to save disk access and we don’t have so many updates on the running scripts. We just have to clean the cache directory after an update.

eaccelerator.shm_size=”32″
eaccelerator.cache_dir=”/www/tmp/eaccelerator”
eaccelerator.enable=”1″
eaccelerator.optimizer=”1″
eaccelerator.check_mtime=”0″
eaccelerator.debug=”0″
eaccelerator.filter=”"
eaccelerator.shm_max=”0″
eaccelerator.shm_ttl=”3600″
eaccelerator.shm_prune_period=”1″
eaccelerator.shm_only=”0″
eaccelerator.compress=”1″
eaccelerator.compress_level=”9″
eaccelerator.keys = “shm_and_disk”
eaccelerator.sessions = “shm_and_disk”
eaccelerator.content = “shm_and_disk”

MySQL 5.0.24
As I don’t manage how has been coding many of running script, I decrease all the timeout MySQL connection for avoid congestion. Then I increase the number off simultaneous MySQL connection as we had lot of “Too many connection” error message.

wait_timeout=6
connect_timeout=5
interactive_timeout=120
max_connections = 500
max_user_connections = 500

Now we change the touchiest part of the MySQL configuration : The RAM usage. It’s touchy because a bad value can really decrease your server performance and result in a big server swap. After some test I decrease the table cache and the key buffer cache to 256Mo. In fact we don’t have so many available ram as we had 600Mo for our HTTPD and we have lot of other services running. I tried to set it up little higher, hopping that the swap won’t be to big, but in fact, due to our i/o load the swap were totaly not a good thing for MySQL :-)

If you are using MYISAM tables I suggest you to use the “concurrent_insert=2” that will really increase your server performance in many case. MYISAM use table lock, with concurrent insert, the engine will sometime bypass the lock and allow INSERT and SELECT to run concurrently. We also disable all engine that is not used (innodb, bdb). Take a look at the MySQL documentation for better tuning.

join_buffer_size=1M
sort_buffer_size=1M
read_buffer_size=1M
read_rnd_buffer_size=1M
table_cache=256M
max_allowed_packet=4M

key_buffer=256M
key_buffer_size=256M
thread_cache=256M
thread_concurrency=2
thread_cache_size=40
thread_stack=128K

concurrent_insert=2

query_cache_limit=1M
query_cache_size=256M
query_cache_type=1
skip-bdb
skip-innodb

Linux Kernel 2.6.18
Here is a touchy part of our tuning, we will try to perform the Linux Kernel behavior with our server load for save some memory and avoid too much swap. Furthermore, has we done a great stuff above this part, we have to manage more TCP connection and support correctly the peak. We will use the command “sysctl” for doing our update on values.

# display value of a variable or group of variable
sysctl [-n] [-e] variable …
# set a new value toe the specified variable
sysctl [-n] [-e] [-q] -w variable=value …
# display all the variable
sysctl [-n] [-e] -a
# load a sysctl config file
sysctl [-n] [-e] [-q] -p (default /etc/sysctl.conf)

For our test we will create a test config file “/etc/sysctl.conf.testing” and we will load it by using the following command line :

sysctl -p /etc/sysctl.conf.testing

When you will be glad of your change you could rename the file for “/etc/sysctl.conf”. All the sysctl variable are documented with the Kernel Sources. I suggest you to download the documentation corresponding to your kernel version and read it carefully if you decide to change some values.
A really good article on Security Focus give us some key for minimize the impact of a SYN ATTACK / SYN SPOOFING. In this goal we activate the syncookies and the route validation

net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3

As we had some swap troubles, important thing to do is to change the value of vm.swappiness where the default value is 60. This variable control how much the kernel should favor swapping out applications, its value can be 0 to 100. I set it to 10 for minimize the swap.

vm.swappiness=10

We upgrade the max backlog for support more TCP traffic and we change the congestion control algorithm to BIC. The Linux Kernel support lot of congestion algorithm like Reno (default one), htcp, vegas, westwood, etc.

net.core.netdev_max_backlog=2500 # Interface buffering
net.ipv4.tcp_max_syn_backlog=4096
net.core.somaxconn=1024 # Limit of socket listen() backlog. Default is 128.
net.ipv4.tcp_congestion_control=bic

For avoid to have a big TCP queue and so memory usage for not really active connection I decrease some TCP timeout and force the kernel to recycle quickly tcp connection. We don’t cache the value of ssthresh (Slow Start Threshold) for avoid to impact a given host to have a reduced ssthresh for all is next connections.

net.ipv4.tcp_keepalive_time=900
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_max_orphans=16384
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_no_metrics_save=1

It’s critical to use the optimal SEND and RECEIVE socket buffer size for the link you are using. In our case we have a 100Mbits link connection. So for a better TCP connection and congestion control we had to increase the TCP Buffer. You can read more about this here.

net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216

That’s all ! :)

Other Way of installing and configuring Apache 2

PrerequisiteApache 2 installed and running
The following apache 2 modules installed (they should be shipped with apache 2)
mod_cache
mod_deflate
mod_disk_cache
mod_headers
mod_mime_magic
mod_proxy
mod_proxy_http
mod_rewrite
Zope installed and running
This howto is about Zope 2.7 under Python 2.3.3 but it should work with every other zope2 version. For Zope 2.7 you need

Zope 2.7 as source tar.gz or cvs checkout (Zope-2_7-branch) from http://zope.org/
Python 2.3.3 with unicode enabled (python2.3)
python2.3-xml (PyXML)
python2.3-dev (headers, distutils)
python2.3-psyco (python code optimizer)
some additional packages like python2.3-docutils (reST), python2-3-imaging (PIL)
PrefaceThis howto describes how to set up an apache 2 webserver as proxy with disk caching and deflating (compressing like mod_gzip) for zope under Debian testing. It may or may not be working with other distributions. Please send me feedbacks.

ScenarioWe have an apache 2 server listening on both http and https requests on all interfaces. The site http://example.org/ is a zope with http://www.example.org/ as an alias. Every request to a manage url is rewritten to https://secure.example.org/ to secure management access. The zope http server is running on port 10080 at localhost and the site is stored in /example_org/.

Apache 2 directory layoutDebian is using the following directory structur for apache 2

/etc/apache2/
base directory for all configuration files /etc/apache2/apache2.conf
main configuration file. This file loads the other configurations from the directories mentioned below. /etc/apache2/ports.conf
configuration file for Listen $Port /etc/apache2/conf.d
directory for additional configuration options /etc/apache2/sites-available
available sites /etc/apache2/sites-enabled
enabled sites, may contain softlinks to files in /etc/apache2/site-available. Only this sites are loaded /etc/apache2/mods-available
available modules (*.load) and module configurations (*.conf) /etc/apache2/modules-enabled
enabled modules, may contain softlinks to files in /etc/apache2/mods-available. Only this modules are loaded. You must also link the conf file if it exists. /etc/apache2/ssl
directory containing ssl cert files. I suggest creating three directories crl, crt and key in this directory. To enable a site or a module symlink it from the -available to the -enabled directory:

user@myhost:/etc/apache2/sites-enabled$ ln -s ../sites-available/default
Loading the apache 2 modulesDebian users should be save to use the default files.

deflate.load:

LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so
headers.load:

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
mime_magic.load:

LoadModule mime_magic_module /usr/lib/apache2/modules/mod_mime_magic.so
mime_magic.conf:

<IfModule mod_mime_magic.c>
    MIMEMagicFile /etc/apache2/magic
</IfModule>
proxy.load:

LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so
LoadModule disk_cache_module /usr/lib/apache2/modules/mod_disk_cache.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
proxy.conf

Don't symlink it! We will use our own configuration file.
rewrite.load:

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
ssl.load

Don't symlink it until you have a valid configuration and the all necessary ssl keys:

LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
ssl.conf

Don't symlink it! We will use our own configuration file.
After you check or created the files symlink every file mods-enabled. Keep in mind that the module load order in the modules.load files are very important. If there are already some files in the mods-enabled directory make shure no module is loaded twice!

Custom configurationsCreate the following files in /etc/apache2/conf.d. This files contains our own configurations so we won't bust the default configurations from debian.

deflate.conf:

<IfModule mod_deflate.c>
 DeflateCompressionLevel 3

 DeflateFilterNote Input instream
 DeflateFilterNote Output outstream
 DeflateFilterNote Ratio ratio

 LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate

 # Netscape 4.x has some problems...
 BrowserMatch ^Mozilla/4 gzip-only-text/html

 # Netscape 4.06-4.08 have some more problems
 BrowserMatch ^Mozilla/4\.0[678] no-gzip

 # MSIE masquerades as Netscape, but it is fine
 #BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

 # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
 # the above regex won't work. You can use the following
 # workaround to get the desired effect:
 BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

 # Don't compress images, java scripts and style sheets
 SetEnvIfNoCase Request_URI \
   \.(?:gif|jpe?g|png|js|css)$ no-gzip dont-vary

 # Make sure proxies don't deliver the wrong content
 # this needs mod_headers but it's very important
 # so I don't add a IfModule around it
 Header append Vary User-Agent env=!dont-vary

</IfModule>
namevirtualhost.conf:

# we will add some configuration options later
proxy.conf (you can copy the file from mods-available and alter it):

<IfModule mod_proxy.c>

      #turning ProxyRequests on and allowing proxying from all may allow
      #spammers to use your proxy to send email.

      ProxyRequests Off

      #<Proxy *>
      #       Order deny,allow
      #       Deny from all
      #       #Allow from .your_domain.com
      #</Proxy>

      # allow to connect to localhost with port ending with 80 and 90 (www, webdav)
      # the having at least 2 digets before the 80 or 90
      <ProxyMatch http://localhost:[0-9]{2,}?[8|9]0/.*>
              Order deny,allow
              Allow from all
      </ProxyMatch>

      # Enable/disable the handling of HTTP/1.1 "Via:" headers.
      # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
      # Set to one of: Off | On | Full | Block

      ProxyVia On

      # To enable the cache as well, edit and uncomment the following lines:
      # (no cacheing without CacheRoot)

      CacheRoot "/var/cache/apache2/proxy"
      # 300MB
      CacheSize 307200
      # in hours
      CacheGcInterval 4
      CacheMaxExpire 24
      CacheLastModifiedFactor 0.1
      CacheDefaultExpire 1
      CacheForceCompletion 100
      # Again, you probably should change this.
      #NoCache a_domain.com another_domain.edu joes.garage_sale.com

</IfModule>
ssl.conf:

<IfModule mod_ssl.c>
  SSLEngine on
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # path to a directory containing the ssl ca keyring and revocation list
  # you must create hash symlinks using the right Makefile!
  SSLCACertificatePath    /etc/apache2/crt/
  SSLCARevocationPath     /etc/apache2/crl/

  SSLSessionCache shm:/var/log/apache2/ssl_scache(128000)
  SSLMutex sem
  SSLRandomSeed startup file:/dev/urandom 512
  SSLRandomSeed connect file:/dev/urandom 512
</IfModule>
If you think everything is ok, restart apache2:

$ /etc/init.d/apache2 restart
Preparing virtual hostingVirtual hosting means serving more than one domain from one ip address. The apache 2 webservers knows what domain the browser wants by using the domain name that is send by the browser. Therefor it isn't possible to use virtual hosting for secure http (https, http over ssl) because the ssl handshake must be done before negotiationing the domain name. It's a shame that browsers and webservers aren't TLS aware.

Check the file /etc/apache2/ports.conf and see if apache 2 is listening on the default port for http:

Listen 80
If you want to use SSL, you need to listen on the default port for https, too:

Listen 80
<IfModule mod_ssl.c>
  Listen 443
</IfModule>
If you have multiple network devies and/or ip adresses you can bind apache to a single address:

Listen 192.168.7.1:80
Next you need to configure apache 2 to use so called NameVirtualHost for virtual hosting. This is the easiest setup because you just need to provide the server name and the address/port in each virtual domain configuration section. Change the file /etc/apache2/conf.d/namevirtualhost.conf and add this line:

NameVirtualHost *:80
<IfModule mod_ssl.c>
  NameVirtualHost *:443
</IfModule>
The entries must look like the entries in ports.conf but with a leading *: if apache 2 is listening on every address.

Restart apache 2 and see if you can browse to your server. Maybe apache 2 is complaining that it cannot find any virtual hosts matching the NameVirtualHost configuration but that's no problem. We'll fix that later.