http://olex.openlogic.com/wazi/2012/add-these-modules-to-enhance-apache-web-server
Apache remains the world’s most popular web server, thanks in part to the abundance of powerful modules that work in synergy to extend the web server’s core functionality. Here are some useful Apache modules that can improve your web server’s performance, content delivery, and overall security.
Modules for Performance Improvement
While the latest version of Apache performs well on its own, you can optimize the web server to consume fewer resources and improve content delivery by deploying modules that compress the output, remove unnecessary payload, and optimize the HTML and CSS code.
In CentOS, by default, Apache runs its Multi-Processing Module (MPM) in prefork mode, in which one parent process is responsible for forking enough child processes to serve all the remote clients that are trying to access the server. However, managing processes dynamically in accordance with clients’ needs is not very efficient, because each start and stop operation takes time and resources. ModPrefork addresses this drawback by allowing you to configure a minimum (and maximum) number of spare Apache children instances waiting for clients’ requests. Still, this feature is not flexible and agile enough for busy sites with sporadic peaks in requests.
ModWorker addresses ModPrefork’s performance problem by using threads to serve large numbers of requests with fewer system resources. To enable ModWorker in CentOS, edit the file /etc/sysconfig/httpd and uncomment the line
HTTPD=/usr/sbin/httpd.worker
Then restart Apache with service httpd restart. To verify in what mode Apache is running, use the command apachectl -l to list all of Apache’s loaded modules and look for worker.c.
Unfortunately, ModWorker is not fully compatible with all Apache modules, including such common ones as ModPHP. Prior to enabling it you should check for compatibility and find alternatives where needed. If you need both ModWorker and PHP, for instance, you can use Mod_FastCGI in place of ModPHP.
Content Optimization with ModPagespeed
Once you have optimized Apache’s server side, it’s time to improve the content delivery. ModPagespeed, a third-party, all-in-one optimization module developed by Google, rewrites and compresses output using ModDeflate to provide a faster client experience. It automatically applies the best practices from PageSpeed, a toolset for optimizing the performance of web pages. Though ModPagespeed is still officially in beta, it is a mature project. By using ModPagespeed you can avoid forcing your developers and designers to manually optimize HTML, CSS, JavaScript code, and images. Check the module’s features page for more information and useful comparisons.
You can install ModPagespeed either from source or via binary package. For CentOS, you can use the official installation package available from ModPagespeed’s download page. Once you download the package corresponding to your CentOS architecture (32-bit or 64-bit) run the command
rpm -ivh mod-pagespeed*.rpm
to install it. Restart Apache and ensure that ModPagespeed is installed and loaded by running the command apachectl -t -D DUMP_MODULES. In the output of the command you should be able to find pagespeed_module among the listed modules.
Next, open the configuration file /etc/httpd/conf.d/pagespeed.conf and examine all the available options. Allow your local client IP address in the directive by adding a new row after Allow from 127.0.0.1; for example, if your IP address is 192.168.0.2, add Allow from 192.168.0.2.
Once you reload Apache you will be able to see the statistics of ModPagespeed at http://yourserverip/mod_pagespeed_statistics. This allows you to learn it faster and see the results of your optimizations.
Absolute Security with ModSecurity
ModSecurity is the most popular security module for Apache. We’ve already covered it in the article Protect and Audit Your Web Server with ModSecurity, so we’ll just say that it provides full web traffic inspection, blocking, and auditing, allowing you to protect your web server from known and unknown vulnerabilities, including DDoS attacks.
Detect Visitors’ Countries with ModGeoIP
ModGeoIP, based on MaxMind’s GeoIP data and technology, allows you to determine a visitor’s country using a locally saved GeoIP database. Once you know a visitor’s country, you can do things like redirecting him to a specific page or denying him access.
To install ModGeoIP you first need its C library and the package zlib-devel, which is a prerequisite. Download GeoIP C library’s latest version, extract it, and go through the usual installation steps, executing ./configure && make && make install.
APache eXtenSion tool
Not all Apache modules are available as precompiled packages. When you run into one that’s not, you can install it from source with APache eXtenSion tool (apxs), provided by the CentOS package httpd-devel. Apxs creates Apache modules as dynamic shared objects (DSO) from three types of files: C language source files (.c), object files (.o), and library archives (.a). DSO files are loaded during runtime in Apache through the mod_so module. Check whether your Apache has mod_so installed by running apachectl -l and look for mod_so.c in the output.
Next, install ModGeoIP itself. Download the latest version, extract it, and execute
apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c
The arguments to the apxs command mean: install the module in the default modules directory /usr/lib/httpd/modules/, activate it by loading it into Apache with the LoadModule directive, use the libraries inside /usr/local/lib, include the /usr/local/include directory, search for the library GeoIP, and compile it from the C source file.
Once you restart Apache, the ModGeoIP module should be listed in the output of the command apachectl -t -D DUMP_MODULES.
To enable it, create a file /etc/httpd/conf.d/geoip.conf and place inside of it the command to enable the module server-wide and the path to the binary file that contains the GeoIP database:
GeoIPEnable On
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat
You can then start using ModGeoIP on a per Apache directory or vhost configuration basis, or with local .htaccess files. The configuration options are the same. As an example, if you wanted to deny access to any visitors from outside the United States:
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
Deny from all
Allow from env=AllowCountry
For more examples and information check ModGeoIP’s home page.
Monitoring with ModStatus
You should always monitor Apache, or any service, to ensure optimal performance. Apache’s ModStatus module gives you information about the current server’s health and how busy it is.
ModStatus is installed by default in CentOS, but it’s not enabled. To enable it, open Apache’s main configuration file /etc/httpd/conf/httpd.conf, uncomment the following, and substitute your IP for your_ip:
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from your_ip
</Location>
Also, uncomment ExtendedStatus On so that you can see more information, such as URLs accessed by current requests. Reload Apache and try to access http://yourserver/server-status to verify ModStatus is working. On the newly opened page you should be able to see all the statistics related to Apache, its processes (forks or threads), and CPU usage.
ModStatus can also produce machine-readable output if you append ?auto at the end of its URL: http://yourserver/server-status?auto. Other programs can then read and analyze the output. Auto mode data is used by Cacti, to draw graphs with useful trends, and by Nagios, to monitor for anomalies.
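As an added illustration of how a monitoring check can consume the ModStatus ?auto output (this is not code from the original article, Cacti, or Nagios), the following parser turns the key/value lines into a dict and derives a Nagios-style exit code from the scoreboard. The sample output is constructed, and the function names and the 50%/80% thresholds are assumptions.

```python
from collections import Counter

# Constructed sample of server-status?auto output (not captured from a real host).
SAMPLE = """\
Total Accesses: 1520
Total kBytes: 9871
CPULoad: .0352
Uptime: 86400
ReqPerSec: .0176
BusyWorkers: 9
IdleWorkers: 1
Scoreboard: WWKWRWWW_W......
"""

def parse_auto(text):
    """Parse 'Key: value' lines; numeric values become floats."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # blank line, or an HTML error page instead of status data
        value = value.strip()
        try:
            stats[key] = value if key == "Scoreboard" else float(value)
        except ValueError:
            stats[key] = value
    return stats

def check_workers(stats, warn=0.5, crit=0.8):
    """Return (Nagios exit code, message) from the share of busy scoreboard slots."""
    board = stats.get("Scoreboard")
    if not board:
        return 3, "UNKNOWN: no Scoreboard in response (access denied or wrong URL?)"
    slots = Counter(board)
    idle, unused = slots["_"], slots["."]  # '_' waiting for a connection, '.' open slot
    busy = len(board) - idle - unused
    msg = "%d of %d slots busy, %d idle, %d open" % (busy, len(board), idle, unused)
    ratio = busy / len(board)
    if ratio >= crit:
        return 2, "CRITICAL: " + msg
    if ratio >= warn:
        return 1, "WARNING: " + msg
    return 0, "OK: " + msg

if __name__ == "__main__":
    print(check_workers(parse_auto(SAMPLE)))
```

A client whose address is not in the Allow list receives an error page rather than status data, which this check reports as UNKNOWN instead of OK.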
Protection with ModSpamhaus
Certain IP addresses are known to be compromised, and known to send spam or be used for DDoS attacks and other malicious activities. The Spamhaus project is the best publicly available source for checking the reputation of an IP address. People usually think of Spamhaus as a project associated with mail servers, but the demand for similar web server protection led to the creation of ModSpamhaus for Apache, an extension that allows system administrators to block visitors from IP addresses with bad reputations.
To install ModSpamhaus, download the latest installation package and extract it. Find the file mod_spamhaus.c in the src directory and execute the command
apxs -i -a -c mod_spamhaus.c
to build the Apache module manually. The arguments tell apxs to install the module in the default modules directory /usr/lib/httpd/modules/, activate it by loading it into Apache with the LoadModule directive, and compile it from the C source file.
Next, create ModSpamhaus’s configuration file /etc/httpd/conf.d/spamhaus.conf. Place inside the following configuration options:
MS_METHODS POST,PUT,OPTIONS,CONNECT
MS_WhiteList /etc/spamhaus_whitelisted
MS_CacheSize 1000
This generic configuration is acceptable for most setups. The MS_METHODS option defines which HTTP methods should be inspected: POST, PUT, OPTIONS, and CONNECT. If you are defending against a DDoS attack or your web forms use GET methods, add GET too. The option MS_WhiteList allows you to specify a file with whitelisted IP addresses; that is, addresses that will be allowed regardless of their reputation. MS_CacheSize specifies information about how many IP addresses should be cached. Under heavier DDoS attacks you can increase this number to block larger numbers of repeating malicious IP addresses.
Using ModSpamhaus may slow down your site, especially if you enable it for more frequently used HTTP methods such as GET. To address this problem, you can install your own rbldnsd (DNS daemon suitable for running DNS-based blocklists) and use the ModSpamhaus option MS_DNS to specify its address. Having your own rbldnsd allows you to use a local database and to copy remote ones periodically, thus optimizing performance.
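The following added example (a simplified model written for this page, not ModSpamhaus’s own code) shows how the three options above interact with a DNS-based blocklist lookup, and why every inspected request from an uncached address costs a DNS round trip. The zone dnsbl.example, the Checker class, the stub resolver, and the sample addresses are assumptions, and caching only listed addresses is this model’s reading of the MS_CacheSize description.

```python
import ipaddress
from collections import OrderedDict

ZONE = "dnsbl.example"                           # placeholder zone (assumption)
METHODS = {"POST", "PUT", "OPTIONS", "CONNECT"}  # same list as MS_METHODS above
WHITELIST = {"192.0.2.10"}                       # constructed; stands in for MS_WhiteList
# Constructed blocklist data: query name -> A records. Anything absent is NXDOMAIN.
FAKE_ZONE = {"7.113.0.203.dnsbl.example": ["127.0.0.4"]}

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup against the blocklist zone."""
    return FAKE_ZONE.get(name, [])

def dnsbl_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class Checker:
    def __init__(self, resolve, cache_size=1000):  # 1000 as in MS_CacheSize above
        self.resolve = resolve
        self.cache = OrderedDict()   # listed addresses, oldest first
        self.cache_size = cache_size
        self.lookups = 0             # DNS round trips spent

    def allowed(self, method, ip):
        if method not in METHODS or ip in WHITELIST:
            return True              # request is never checked
        if ip in self.cache:
            self.cache.move_to_end(ip)
            return False             # repeat offender: blocked without a lookup
        self.lookups += 1
        listed = any(a.startswith("127.") for a in self.resolve(dnsbl_name(ip)))
        if listed:
            self.cache[ip] = True
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)   # evict the oldest entry
        return not listed

if __name__ == "__main__":
    c = Checker(fake_resolve)
    for method, ip in [("GET", "203.0.113.7"), ("POST", "203.0.113.7"),
                       ("POST", "203.0.113.7"), ("POST", "198.51.100.5")]:
        print(method, ip, "allowed" if c.allowed(method, ip) else "blocked")
    print("DNS lookups:", c.lookups)
```

With the generic method list, the listed address is still served on GET, and in this model each request from an unlisted address triggers a fresh lookup, which is the cost a local rbldnsd reduces.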
All of the above are only a few of the hundreds of Apache extensions, and represent modules designed to enhance Apache web server functions.