A blog by a system administrator and programmer.

my Apache production checklist 
Sunday, February 20, 2011, 04:23 PM - System
Posted by Freddy Chu

Apache (httpd)



Lower KeepAliveTimeout
Default usually around 15 but I will choose from 5-10 but remember do not set the value too low as it will cause tcp overhead

Reduce extra dns lookup for log
HostnameLookups off

Disable directory listing
Remove "Indexes" from Options

Disable .htaccess files
Reduce file IO to search and access permission files, put all access control into your apache configuration files
just simply comment out all AccessFileName lines

Make sure Apache is not run by root
remember to check the "User" and "Group" in configure file

Hide system information
ServerTokens Prod
ServerSignature off

If you really want to hide the name of Apache, you will need to modify the source code and compile for yourself. I believe it is not a necessary step as there still have many ways to discover your web server easily.

Disable weak cipher
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT


Limit the use of mod_status
If you really need that better change the Location to non default links and make sure it is protected by source host or any authentication

Turn on FollowSymLinks but disable SymLinksIfOwnerMatch
which reduce disk IO to check the file type but make sure that nobody put links in your server that point to your private files
Options FollowSymLinks

remove "SymLinksIfOwnerMatch" from Options

Enable compress module (if application do not implement compression.)
<Location />
# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html

# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE masquerades as Netscape, but it is fine
# BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
# the above regex won't work. You can use the following
# workaround to get the desired effect:
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</Location>


Disable all useless Apache modules
in some OS the default config files include many useless moduels
e.g.
ldap_module
proxy_ajp_module
proxy_balancer_module
proxy_connect_module
proxy_ftp_module
proxy_http_module
proxy_module
speling_module


install some protection modules (optional)
mod_securitye
mod_evasive


OS


Disable access time update
Set noatime to your web document root if your OS support
e.g.
/dev/md0 /var/www ext3 defaults,noatime 0 0


Tune network options of the OS
net.core.netdev_max_backlog = 3000
net.core.rmem_default = 16777216
net.core.rmem_max = 16777216
net.core.wmem_default = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

Here is just some examples by my experience.

Check disk usage
Make sure there is enough space for log file and don't forget to check the log rotation config.


PHP


Change the session name
session.name = SESSION
It is my habit that do not use default session name

hiding php version information X-Powered-By
expose_php = Off

Deploy php accelerator
List of accelerators
Alternative PHP Cache
eaccelerator
ionCube PHP Accelerator
XCache
Zend Accelerator
Windows Cache Extension for PHP
1876 comments ( 5173 views )   |  permalink   |   ( 3 / 4570 )

<Back | 1 | 2 | Next> Last>>