Apache Webserver security and optimization tips

独厮守ぢ 2021-01-31 13:12

I'm about to deal with managing and running my first Internet connected Apache webserver and I was wondering if there are any sys admins and developers out there that would lik

6 answers
  •  陌清茗 (original poster)
    2021-01-31 13:37

    Basic

    1. Be sure to have the latest stable version installed. Running an old or unstable version of Apache could expose your system to security flaws or untested solutions.
    2. Be sure only the intended requests are actually processed. You should consider who has to access the web resources exposed by Apache and how.
    3. Avoid running Apache as root. This is a must.
    4. Handle your logs. Logs tend to become bigger and bigger; consider setting up logrotate or cleaning your logs periodically.
    5. Monitor Apache health with a monitoring system. I like to couple munin and monit, both easy to set up and to maintain. Nagios and others are worth a look.
    6. If Apache is serving web apps (i.e. PHP, Perl, Rails) be sure the requests are handled by the right module in the right order.
    7. Write a nice 404 and 500 message. Sooner or later your visitors will catch an error.
    8. Stop and restart Apache, so you can be sure both the shutdown and start procedures are working flawlessly.
    9. Use mod_security

    Security

    1. Protect Apache against DOS.
    2. Load only the modules really needed.
    3. Monitor your log to figure out if something strange is happening.

    Performance

    1. If you are compiling Apache from source code, be sure to use MPM (Multi-Processing Modules).
    2. Load only the modules really needed.
    3. Check the MaxClients setting so that your server does not spawn so many children it starts swapping.
    4. Use the mod_deflate module; it provides the DEFLATE output filter that allows output from your server to be compressed before being sent to the client over the network.
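
Several items in the checklist above can be verified mechanically. The following Python auditor is an added example, not part of the original answer: it checks a configuration for the root user, custom 404/500 pages, mod_security and mod_deflate, and whether MaxClients fits in memory. The sample config, the RAM budget and the per-child memory figure are constructed assumptions; `security2_module` is the identifier ModSecurity 2.x registers, and `Include` directives are not followed.

```python
# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """\
User root
Group www-data
LoadModule deflate_module modules/mod_deflate.so
LoadModule status_module modules/mod_status.so
# LoadModule security2_module modules/mod_security2.so
MaxClients 256
ErrorDocument 404 /errors/404.html
"""

def parse_directives(conf_text):
    """Return (lowercased name, [args]) pairs; comments and <Section> tags are skipped."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            out.append((name.lower(), args))
    return out

def audit(conf_text, ram_budget_mb, child_rss_mb):
    """Check a config against the checklist; return (loaded modules, findings).

    ram_budget_mb and child_rss_mb are operator-supplied assumptions: the RAM
    reserved for Apache and the measured resident size of one child process.
    """
    d = parse_directives(conf_text)
    first = lambda n: next((a for k, a in d if k == n and a), None)
    modules = {a[0] for k, a in d if k == "loadmodule" and a}
    findings = []
    user = first("user")
    if user is None or user[0] in ("root", "#0"):
        findings.append("User: set an explicit unprivileged account")
    for code in ("404", "500"):
        if not any(k == "errordocument" and a and a[0] == code for k, a in d):
            findings.append(f"ErrorDocument {code}: no custom page configured")
    for mod in ("security2_module", "deflate_module"):
        if mod not in modules:
            findings.append(f"LoadModule {mod}: not loaded")
    # MaxClients is named MaxRequestWorkers from Apache 2.4 on.
    limit = first("maxrequestworkers") or first("maxclients")
    if limit is None:
        findings.append("MaxClients: not set explicitly")
    elif int(limit[0]) * child_rss_mb > ram_budget_mb:
        safe = ram_budget_mb // child_rss_mb
        findings.append(f"MaxClients {limit[0]}: exceeds RAM budget, use <= {safe}")
    return sorted(modules), findings
```

The returned module list is meant for manual review against the "load only the modules really needed" items, since which modules are needed depends on the site.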
