Apache Webserver security and optimization tips

独厮守ぢ 2021-01-31 13:12

I'm about to deal with managing and running my first Internet connected Apache webserver and I was wondering if there are any sys admins and developers out there that would lik

6 answers
  •  被撕碎了的回忆
    2021-01-31 13:34

    I'm going to interpret "after installing Apache on a box" as "Preparing a new server installation for production use", because of course this would all be done on a development server and committed to SCM or built into an automated install.

    Everything you do to optimise must be done based on real measurements. Set up a test environment with your actual application you intend to run, as realistically as possible. Some points to consider are:

    • Don't set MaxClients too high. You can use up a lot of RAM, particularly with prefork servers with a large application embedded in them (e.g. mod_perl, PHP etc). Using too much memory is counter-productive. It's better for clients to wait for a successful service than be served an error.
    • Consider carefully whether you have Keepalives on. These can both speed up and slow down depending on your environment. If you choose to have them on, you should think about your keepalive timeout based on the actual use case.
    • Do performance testing with HTTPS enabled if you're using HTTPS in production
    • Set "Last-modified" and "Expires" headers appropriately on objects which change infrequently (to maximise client side caching). Test client side caching in a variety of browsers.
    • Make sure your application uses HTTPS correctly, not in a way which causes browsers to generate security warnings (this is another good reason you need to use HTTPS during testing)
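
One way to turn the MaxClients advice in the answer above into a measurement-based number, as an added example that is not part of the original answer: it sizes a prefork worker limit from per-process memory read out of `ps -eo rss,comm`. The function names, the sample `ps` output, the 4096 MiB / 1536 MiB figures and the choice of the 95th percentile are all assumptions made for illustration.

```python
import math

# Constructed sample of `ps -eo rss,comm` output (RSS in KiB); not real server data.
SAMPLE_PS = """\
  RSS COMMAND
 9120 sshd
48210 apache2
51876 apache2
47544 apache2
63002 apache2
49980 apache2
812344 mysqld
50112 apache2
"""

def worker_rss_kib(ps_output, names=("apache2", "httpd")):
    """Return the RSS values (KiB) of Apache worker processes in ps output."""
    sizes = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 1)
        if len(fields) != 2 or not fields[0].isdigit():
            continue                              # ignore malformed rows
        rss, comm = int(fields[0]), fields[1].strip()
        if comm in names:
            sizes.append(rss)
    return sizes

def percentile(values, pct):
    """Nearest-rank percentile, so sizing follows the large workers, not the mean."""
    if not values:
        raise ValueError("no Apache workers found in ps output")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def max_clients(ps_output, total_ram_mib, reserved_mib, pct=95):
    """Largest worker count that fits in the RAM left after the reserve."""
    # RSS counts shared pages once per process, so the result errs low,
    # which is the safe direction for this setting.
    per_worker_kib = percentile(worker_rss_kib(ps_output), pct)
    budget_kib = (total_ram_mib - reserved_mib) * 1024
    if budget_kib <= 0:
        raise ValueError("reserve exceeds total RAM")
    return max(1, budget_kib // per_worker_kib)

if __name__ == "__main__":
    # Assumed box: 4096 MiB RAM, 1536 MiB held back for the OS and database.
    print(max_clients(SAMPLE_PS, total_ram_mib=4096, reserved_mib=1536))
```

Feed it `ps` output captured while the test environment is under realistic load; on Apache 2.4 the resulting number goes into `MaxRequestWorkers`, the newer name for `MaxClients`.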
