Wednesday, June 6, 2012

Add These Modules to Enhance Apache Web Server

Apache remains the world’s most popular web server, thanks in part to the abundance of powerful modules that work in synergy to extend the web server’s core functionality. Here are some useful Apache modules that can improve your web server’s performance, content delivery, and overall security.

Modules for Performance Improvement

While the latest version of Apache performs well on its own, you can optimize the web server to consume fewer resources and improve content delivery by deploying modules that compress the output, remove unnecessary payload, and optimize the HTML and CSS code.
In CentOS, by default, Apache runs its Multi-Processing Module (MPM) in prefork mode, in which one parent process is responsible for forking enough child processes to serve all the remote clients that are trying to access the server. However, managing processes dynamically in accordance with clients’ needs is not very efficient, because each start and stop operation takes time and resources. ModPrefork addresses this drawback by allowing you to configure a minimum (and maximum) number of spare Apache children instances waiting for clients’ requests. Still, this feature is not flexible and agile enough for busy sites with sporadic peaks in requests.
ModWorker addresses ModPrefork’s performance problem by using threads to serve large numbers of requests with fewer system resources. To enable ModWorker in CentOS, edit the file /etc/sysconfig/httpd and uncomment the line HTTPD=/usr/sbin/httpd.worker. Then restart Apache with service httpd restart. To verify in what mode Apache is running, use the command apachectl -l to list all of Apache’s loaded modules and look for worker.c.
Unfortunately, ModWorker is not fully compatible with all Apache modules, including such common ones as ModPHP. Prior to enabling it you should check for compatibility and find alternatives where needed. If you need both ModWorker and PHP, for instance, you can use Mod_FastCGI in place of ModPHP.

Content Optimization with ModPagespeed

Once you have optimized Apache’s server side, it’s time to improve the content delivery. ModPagespeed, a third-party, all-in-one optimization module developed by Google, rewrites and compresses output using ModDeflate to provide a faster client experience. It automatically applies the best practices from PageSpeed, a toolset for optimizing the performance of web pages. Though ModPagespeed is still officially in beta, it is a mature project. By using ModPagespeed you can avoid forcing your developers and designers to manually optimize HTML, CSS, JavaScript code, and images. Check the module’s features page for more information and useful comparisons.
You can install ModPagespeed either from source or via binary package. For CentOS, you can use the official installation package available from ModPagespeed’s download page. Once you download the package corresponding to your CentOS architecture (32-bit or 64-bit) run the command rpm -ivh mod-pagespeed*.rpm to install it. Restart Apache and ensure that ModPagespeed is installed and loaded by running the command apachectl -t -D DUMP_MODULES. In the output of the command you should be able to find pagespeed_module among the listed modules.
Next, open the configuration file /etc/httpd/conf.d/pagespeed.conf and examine all the available options. Allow your local client IP address in the directive by adding a new row after Allow from; for example, if your IP address is, add Allow from Once you reload Apache you will be able to see the statistics of ModPagespeed at http://yourserverip/mod_pagespeed_statistics. This allows you to learn it faster and see the results of your optimizations.

Absolute Security with ModSecurity

ModSecurity is the most popular security module for Apache. We’ve already covered it in the article Protect and Audit Your Web Server with ModSecurity, so we’ll just say that it provides full web traffic inspection, blocking, and auditing, allowing you to protect your web server from known and unknown vulnerabilities, including DDOS attacks.

Detect Visitors’ Countries with ModGeoIP

ModGeoIP, based on MaxMind’s GeoIP data and technology, allows you to determine a visitor’s country using a locally saved GeoIP database. Once you know a visitor’s country, you can do things like redirecting him to a specific page or denying him access.
To install ModGeoIP you first need its C library and the package zlib-devel, which is a prerequisite. Download GeoIP C library’s latest version, extract it, and go through the usual installation steps, executing ./configure && make && make install.
APache eXtenSion tool
Not all Apache modules are available as precompiled packages. When you run into one that’s not, you can install it from source with the APache eXtenSion tool (apxs), provided by the CentOS package httpd-devel. Apxs creates Apache modules as dynamic shared objects (DSO) from three types of files – C language source files (.c), object files (.o), and library archives (.a). DSO files are loaded during runtime in Apache through the mod_so module. Check whether your Apache has mod_so installed by running apachectl -l and looking for mod_so.c in the output.
Next, install ModGeoIP itself. Download the latest version, extract it, and execute apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c. The arguments tell apxs to install the module in the default modules directory /usr/lib/httpd/modules/ (-i), activate it by loading it into Apache with the LoadModule directive (-a), use the libraries inside /usr/local/lib (-L), include the /usr/local/include directory (-I), link against the GeoIP library (-lGeoIP), and compile the module from the C source file (-c).
Once you restart Apache, the ModGeoIP module should be listed in the output of the command apachectl -t -D DUMP_MODULES. To enable it, create a file /etc/httpd/conf.d/geoip.conf and place inside of it the command to enable the module server-wide and the path to the binary file that contains the GeoIP database:
GeoIPEnable On
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat
You can then start using ModGeoIP on a per Apache directory or vhost configuration basis, or with local .htaccess files. The configuration options are the same. As an example, if you wanted to deny access to any visitors from outside the United States:
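# Mark requests from the United States, then admit only those
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
Deny from all
Allow from env=AllowCountry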
For more examples and information check ModGeoIP’s home page.

Monitoring with ModStatus

You should always monitor Apache, or any service, to ensure optimal performance. Apache’s ModStatus module gives you information about the current server’s health and how busy it is.
ModStatus is installed by default in CentOS, but it’s not enabled. To enable it, open Apache’s main configuration file /etc/httpd/conf/httpd.conf, uncomment the following block, and replace your_ip with your own IP address:

    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from your_ip
    </Location>

Also, uncomment ExtendedStatus On so that you can see more information, such as URLs accessed by current requests. Reload Apache and try to access http://yourserver/server-status to verify ModStatus is working. On the newly opened page you should be able to see all the statistics related to Apache, its processes (forks or threads), and CPU usage.
ModStatus can also produce machine-readable output if you append ?auto at the end of its URL: http://yourserver/server-status?auto. Other programs can then read and analyze the output. Auto mode data is used by Cacti, to draw graphs with useful trends, and by Nagios, to monitor for anomalies.
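The kind of check a monitoring tool can build on the ?auto output, as an added example that is not part of the original article or of Nagios or Cacti. The sample output is constructed, and the thresholds and the choice to measure busy workers against the full scoreboard length are assumptions of this example.

```python
from collections import Counter

# Scoreboard characters as documented by mod_status.
STATES = {"_": "waiting", "S": "starting", "R": "reading", "W": "sending",
          "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
          "G": "finishing", "I": "idle_cleanup", ".": "open_slot"}

# Constructed sample of ?auto output, not captured from a real server.
SAMPLE = """\
Total Accesses: 1234
CPULoad: .0123
Uptime: 86400
BusyWorkers: 6
IdleWorkers: 2
Scoreboard: RRRRW_K_....
"""

def parse_auto(text):
    """Turn 'Key: value' lines into a dict; numeric values become floats."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        value = value.strip()
        try:
            fields[key] = value if key == "Scoreboard" else float(value)
        except ValueError:
            fields[key] = value  # keep non-numeric values as text
    return fields

def scoreboard_counts(fields):
    """Count worker slots per state name."""
    board = fields.get("Scoreboard", "")
    return dict(Counter(STATES.get(ch, "unknown") for ch in board))

def check(text, warn=0.7, crit=0.9):
    """Return a Nagios-style (exit_code, message) for slot utilisation."""
    fields = parse_auto(text)
    busy = fields.get("BusyWorkers")
    if not isinstance(busy, float) or not fields.get("Scoreboard"):
        return 3, "UNKNOWN: not mod_status ?auto output"
    slots = len(fields["Scoreboard"])  # includes open slots
    used = busy / slots
    reading = scoreboard_counts(fields).get("reading", 0)
    code = 2 if used >= crit else 1 if used >= warn else 0
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label}: {int(busy)}/{slots} slots busy, {reading} reading requests"
```

A sustained rise in the share of slots in the reading state is worth alerting on separately, since those workers are held by clients that have not finished sending a request.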

Protection with ModSpamhaus

Certain IP addresses are known to be compromised, and known to send spam or be used for DDOS attacks and other malicious activities. The Spamhaus project is the best publicly available source for checking the reputation of an IP address. People usually think of Spamhaus as a project associated with mail servers, but the demand for similar web server protection led to the creation of ModSpamhaus for Apache, an extension that allows system administrators to block visitors from IP addresses with bad reputations.
To install ModSpamhaus, download the latest installation package and extract it. Find the file mod_spamhaus.c in the src directory and execute the command apxs -i -a -c mod_spamhaus.c to build the Apache module manually. The arguments tell apxs to install the module in the default modules directory /usr/lib/httpd/modules/, activate it by loading it into Apache with the LoadModule directive, and compile it from the C source file.
Next, create ModSpamhaus’s configuration file /etc/httpd/conf.d/spamhaus.conf. Place inside the following configuration options:

MS_METHODS POST,PUT,OPTIONS,CONNECT
MS_WhiteList /etc/spamhaus_whitelisted
MS_CacheSize 1000

This generic configuration is acceptable for most setups. The MS_METHODS option defines which HTTP methods should be inspected – POST, PUT, OPTIONS, and CONNECT. If you are defending against a DDOS attack or your web forms use GET methods, add GET too. The option MS_WhiteList allows you to specify a file with whitelisted IP addresses; that is, addresses that will be allowed regardless of their reputation. MS_CacheSize specifies how many IP addresses should be cached. Under heavier DDOS attacks you can increase this number to block larger numbers of repeating malicious IP addresses.
Using ModSpamhaus may slow down your site, especially if you enable it for more frequently used HTTP methods such as GET. To address this problem, you can install your own rbldnsd (DNS daemon suitable for running DNS-based blocklists) and use the ModSpamhaus option MS_DNS to specify its address. Having your own rbldnsd allows you to use a local database and to copy remote ones periodically, thus optimizing performance.
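A model of how the three options and the DNS lookup interact, as an added example that is not ModSpamhaus's own code. The query-name format is the standard DNSBL convention (RFC 5782); the zone name, the stub resolver standing in for a local rbldnsd, and the policy of caching only listed addresses are assumptions of this example.

```python
import ipaddress

def dnsbl_name(ip, zone):
    """RFC 5782 query name: IPv4 octets reversed, then the blocklist zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# Constructed zone data standing in for a local rbldnsd; addresses are from
# the documentation ranges and "dnsbl.example" is a placeholder zone.
ZONE = "dnsbl.example"
LISTED = {dnsbl_name("192.0.2.66", ZONE): ["127.0.0.2"]}

def stub_resolve(name):
    """Return the A records for name, or [] for NXDOMAIN (not listed)."""
    return LISTED.get(name, [])

class ReputationGate:
    """Decision order modelled here: method filter, whitelist, cache, DNS."""
    def __init__(self, resolve, zone, whitelist=(), cache_size=1000,
                 methods=("POST", "PUT", "OPTIONS", "CONNECT")):
        self.resolve, self.zone = resolve, zone
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.cache_size, self.methods = cache_size, set(methods)
        self.cache = []      # listed addresses, oldest first (assumed policy)
        self.lookups = 0     # DNS queries issued so far

    def allowed(self, ip, method):
        if method not in self.methods:
            return True                      # method is not inspected
        addr = ipaddress.IPv4Address(ip)
        if any(addr in net for net in self.whitelist):
            return True                      # allowed regardless of reputation
        if ip in self.cache:
            return False                     # repeat offender, no DNS query
        self.lookups += 1                    # every cache miss costs a query
        answers = self.resolve(dnsbl_name(ip, self.zone))
        if any(a.startswith("127.") for a in answers):
            self.cache.append(ip)
            if len(self.cache) > self.cache_size:
                self.cache.pop(0)            # evict the oldest entry
            return False
        return True
```

The lookups counter shows where the slowdown comes from: each uncached address on an inspected method costs one DNS round trip, which is why adding GET multiplies the query load and why a local resolver helps.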
The modules above are only a few of the hundreds of Apache extensions designed to enhance the web server’s functions.
