Category: LINUX
2006-07-13 12:59:02
Apache Performance and Security Guide
This guide is written for system administrators and developers, and for anyone else interested in making Apache faster and more secure. Apache is without question still the most popular web server on the Internet today: it is open source, loads modules dynamically, and so on; in short, it can do almost anything and can help you build the product you have in mind. This guide will help you use and control the Apache web server as effectively as possible with the fewest resources.
Apache Performance and Security Guide
1) Who should use this guide?
Web admins and web developers who want to optimize the speed and increase the security of Apache Web Server. The guide is also useful for ISPs who get slammed with big loads of traffic.
2) On what operating systems has this guide been tested?
This guide was tested on Red Hat Linux 9.0, but should work on any *nix or win32 environment as well.
3) Does this guide guarantee a significant increase in performance of Apache?
This guide might or might not help you increase the speed of Apache. I don't guarantee anything. Please be warned that the speed of Apache is controlled by many factors such as the amount of RAM, processor speed, size of the executable, number of compiled modules, etc. Don't expect your Apache to be twice as fast just because you followed the guide. I will do my best to explain what I'm doing and why, so that you understand the purpose of every action and how it can help you speed up your web server.
4) What you need to get started:
The guide is useless without a working Apache installation. If you don't have Apache installed yet, go ahead and install it now. You can follow my "Apache, PHP, GD & Mod_Perl Guide" or install it on your own. I do not recommend running the default RPM version of Apache that comes with your OS distribution, for various reasons. Go ahead and download the following modules into your source directory (in this case the source directory is /usr/local/src).
List of useful modules:
- mod_dosevasive 1.9 from
- mod_security 1.8 from http://www.modsecurity.org
5) Purpose of mod_dosevasive
This is the official description from mod_dosevasive's homepage:
mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities.
Simply put, mod_dosevasive lets us detect web attacks and take the steps needed to keep them from bringing the server down. When an attack takes place (say an attacker starts a DoS attack against your web server by requesting thousands of pages at the same time), the module blocks the attacker's IP address for 10 seconds (the default) and answers each request with a 403 error. If another request from the same address arrives within those 10 seconds, the blocking timer is restarted, so the attacker has to stay quiet for a full 10 seconds before being able to request a page again. Keep two limits in mind. The block is enforced inside Apache: a refused request has still cost a TCP connection and the attention of a child process, so the module saves the work of generating the page but does not stop the traffic itself. It is also keyed on the client IP address, and each Apache child process keeps its own hash table, so everybody behind one proxy or NAT gateway shares a counter, while the thresholds are effectively counted per child process rather than server-wide.
5.1) Installing mod_dosevasive
I will assume that your Apache is installed at /etc/httpd. If it is located somewhere else, please change the paths below as needed.
# cd /usr/local/src
# tar zxf mod_dosevasive.1.9.tar.gz
# cd mod_dosevasive
# /etc/httpd/bin/apxs -iac mod_dosevasive.c
5.2) Configuring mod_dosevasive
APXS installs the module and edits httpd.conf for us: -c compiles the source, -i copies the resulting shared object into Apache's module directory, and -a adds the lines that load it to httpd.conf. We still have to add the module's own configuration to the Apache configuration file. Open httpd.conf with your favorite editor and paste the following at the end of the file:
# Size of the hash table each Apache child uses to track clients (raise it on busy servers)
DOSHashTableSize 3097
# Requests for the same page from one client per DOSPageInterval before that client is blocked
DOSPageCount 2
# Requests for any page on the site from one client per DOSSiteInterval before that client is blocked
DOSSiteCount 50
# Length of the page and site intervals, in seconds
DOSPageInterval 1
DOSSiteInterval 1
# How long (seconds) a blocked client stays blocked; every request during the block restarts the timer
DOSBlockingPeriod 10
# Address to notify when a client is blocked (put your own address here)
DOSEmailNotify
Don't forget to put your real email address in the last line. If your mail program is somewhere other than /bin/mail, edit the file mod_dosevasive.c, change the mail path, and reinstall the module with APXS again. Restart Apache afterwards: apxs -a adds the LoadModule line to httpd.conf, but the running server only reads it on restart. If you are curious about what every line in the above configuration means, read the README file in the mod_dosevasive folder; it explains every single directive and its purpose. It's recommended to increase DOSHashTableSize to a higher value on busy servers.
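To see what those thresholds do in practice, here is an added example that is not part of the original guide or of the mod_dosevasive module itself: a small Go reimplementation of the module's counting logic (one table keyed by client address and URI, one keyed by client address, and a block list whose timer restarts on every refused request), driven by constructed request streams. The structure, function names and the sample addresses are my own, and the real module's exact off-by-one accounting may differ by a request. It shows a flood of one page being refused once DOSPageCount is exceeded, retries during the block extending it, and, as a caveat, a legitimate browser loading a page with 60 assets within one second tripping DOSSiteCount 50 even though no single URI is over its own limit.

```go
package main

import "fmt"

// Thresholds from the httpd.conf fragment above (DOSHashTableSize has no
// counterpart here: a Go map sizes itself).
type Config struct {
	PageCount, SiteCount                       int   // DOSPageCount, DOSSiteCount
	PageInterval, SiteInterval, BlockingPeriod int64 // seconds
}

var PageConfig = Config{PageCount: 2, SiteCount: 50, PageInterval: 1, SiteInterval: 1, BlockingPeriod: 10}

type counter struct {
	count int
	stamp int64 // time of the last counted request
}

// Evasive is an assumed, simplified reimplementation of the module's tables
// (the real module keeps one such set per Apache child process).
type Evasive struct {
	cfg     Config
	page    map[string]*counter // key: client IP + " " + URI
	site    map[string]*counter // key: client IP
	blocked map[string]int64    // client IP -> time of the last refused request
}

// hit counts one request against table[key]. The timestamp is refreshed on
// every request, so the count only resets after a gap of interval seconds
// between consecutive requests, not at fixed window boundaries.
func hit(table map[string]*counter, key string, now int64, limit int, interval int64) bool {
	c, ok := table[key]
	if !ok || now-c.stamp >= interval {
		table[key] = &counter{count: 1, stamp: now}
		return false
	}
	c.count++
	c.stamp = now
	return c.count > limit
}

// Check returns 403 when the module would refuse the request and 0 when it
// would let Apache serve it; now is a Unix time in whole seconds.
func (e *Evasive) Check(ip, uri string, now int64) int {
	if last, ok := e.blocked[ip]; ok && now-last < e.cfg.BlockingPeriod {
		e.blocked[ip] = now // a request during the block restarts the blocking period
		return 403
	}
	pageHit := hit(e.page, ip+" "+uri, now, e.cfg.PageCount, e.cfg.PageInterval)
	siteHit := hit(e.site, ip, now, e.cfg.SiteCount, e.cfg.SiteInterval)
	if pageHit || siteHit {
		e.blocked[ip] = now // the real module also logs and mails at this point
		return 403
	}
	return 0
}

// Req is one request of a constructed stream; Run returns the status of each.
type Req struct {
	IP, URI string
	T       int64
}

func Run(reqs []Req) []int {
	e := &Evasive{PageConfig, map[string]*counter{}, map[string]*counter{}, map[string]int64{}}
	out := make([]int, len(reqs))
	for i, r := range reqs {
		out[i] = e.Check(r.IP, r.URI, r.T)
	}
	return out
}

// Flood: 20 requests for one page within a second, then retries 5, 12, 20 and
// 31 seconds later. DOSPageCount 2 refuses the third request onwards; each retry
// inside the block restarts it, so only the last retry, after 11 quiet seconds, passes.
func Flood() []int {
	var reqs []Req
	for i := 0; i < 20; i++ {
		reqs = append(reqs, Req{"203.0.113.7", "/index.html", 1000})
	}
	for _, t := range []int64{1005, 1012, 1020, 1031} {
		reqs = append(reqs, Req{"203.0.113.7", "/index.html", t})
	}
	return Run(reqs)
}

// AssetHeavyPage: a legitimate browser fetches one HTML page and 60 distinct
// assets within the same second. No URI exceeds DOSPageCount, but the total
// exceeds DOSSiteCount 50, so the last eleven requests of the load are refused.
func AssetHeavyPage() []int {
	reqs := []Req{{"198.51.100.9", "/", 2000}}
	for i := 0; i < 60; i++ {
		reqs = append(reqs, Req{"198.51.100.9", fmt.Sprintf("/static/asset%d.png", i), 2000})
	}
	return Run(reqs)
}

func main() {
	fmt.Println("flood, then retries:", Flood())
	fmt.Println("page with 60 assets:", AssetHeavyPage())
}
```

Run it with go run. Each function returns one status per request, so the tail of AssetHeavyPage is the part of a normal page load that a client would see fail; if your pages pull in more than DOSSiteCount objects, raise DOSSiteCount or DOSSiteInterval before deploying, and remember that clients behind one proxy address share these counters.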
6) Purpose of mod_security
mod_security adds intrusion detection and prevention features to the Apache Web Server. It has built-in functions to prevent various types of attacks such as command execution, directory traversal, SQL injection, etc. Overall, mod_security is a very good way to monitor your web services, especially in shared hosting environments.
6.1) Installing mod_security
Again, change your Apache path if it's not /etc/httpd. The apache1 directory holds the Apache 1.3 build of the module; the same tarball ships an apache2 directory for Apache 2.0.
# cd /usr/local/src
# tar zxf mod_security-1.8.tar.gz
# cd mod_security-1.8/apache1
# /etc/httpd/bin/apxs -iac mod_security.c
6.2) Configuring mod_security
The following configuration is what I would use for a web server. However, you can read the documentation and tweak mod_security to your needs. There are many things you can do with this module. One of the biggest advantages of mod_security is its ability to be configured differently per virtual host: you can have one general configuration that applies to all hosts and add stricter directives on a virtual host that runs less trusted applications, if necessary. Again, copy and paste the following at the end of httpd.conf:
SecFilterEngine On
# Unless a rule says otherwise: deny, log, and answer 403
SecFilterDefaultAction "deny,log,status:403"
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
# Leave Unicode checking off unless the applications on this server use it
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit_log
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
# Non-GET requests must carry a form or multipart content type, or none at all
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# A POST without a Content-Length is refused
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Refuse any Transfer-Encoding (note that this also refuses chunked uploads)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Directory traversal; the dots are escaped so the pattern means ".." and not "any two characters"
SecFilter "\.\./"
SecFilter /etc/passwd
SecFilter /etc/group
SecFilter /etc/shadow
SecFilter /bin/ls
# Crude SQL injection signatures; [[:space:]] is the POSIX whitespace class
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "update[[:space:]]+set"
SecFilter "select.+from"
# Keep PHP fatal error messages, which leak file paths, from reaching the client;
# the OUTPUT rule only does anything once output scanning is switched on
SecFilterScanOutput On
SecFilterSelective OUTPUT "Fatal error:" deny,status:500
Want to find out what each line does? Read the mod_security documentation. To test mod_security,
The above configuration was tested on a production server.
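As a way to exercise the filters without a server, here is an added example that is not part of the original guide or of mod_security itself: a Go program that URL-decodes constructed requests and runs SecFilter-style patterns over the path, query string and POST body, roughly as mod_security does before matching. The decoding step and the case-insensitive matching are my simplifications of the module's behaviour, and the request samples are made up. It shows why the regex spelling of these rules matters: an unescaped `../` matches any two characters followed by a slash and would deny an innocent image request, `/etc/password` never matches a fetch of /etc/passwd, `[:space:]` without the outer brackets is a character class of the letters in `:space:` rather than whitespace, and `select.+from` also fires on an ordinary search query. It also runs the page's full list of unconditional filters, in the spelling the mod_security documentation uses, against the samples.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Request carries the variables a SecFilter pattern is run against: the
// request path, the query string and the POST body.
type Request struct{ Path, Query, Body string }

// normalize is an assumed, simplified stand-in for mod_security's pre-match
// normalisation: URL-decode so that "..%2F" and "../" look the same to every
// pattern. The real module also validates the encoding (SecFilterCheckURLEncoding).
func normalize(s string) string {
	if d, err := url.QueryUnescape(s); err == nil {
		return d
	}
	return s // undecodable input is matched as received
}

// FirstMatch returns the first pattern that matches any normalised variable
// of r, or "" when the request passes. Go's RE2 syntax agrees with Apache's
// POSIX regex library on everything used here, including [[:space:]] and the
// meaning of an unescaped '.'. Case-insensitive matching is an assumption.
func FirstMatch(patterns []string, r Request) string {
	for _, v := range []string{r.Path, r.Query, r.Body} {
		n := normalize(v)
		for _, p := range patterns {
			if regexp.MustCompile("(?i)" + p).MatchString(n) {
				return p
			}
		}
	}
	return ""
}

// Patterns in the regex spelling the mod_security documentation uses, next
// to three easy mistakes.
const (
	Traversal    = `\.\./`
	TraversalBad = `../` // unescaped: any two characters followed by "/"
	Passwd       = `/etc/passwd`
	PasswordBad  = `/etc/password` // never matches a request for /etc/passwd
	Delete       = `delete[[:space:]]+from`
	DeleteBad    = `delete[:space:]+from` // a class of ':' 's' 'p' 'a' 'c' 'e', not whitespace
	Select       = `select.+from`
)

// PageFilters is the page's list of unconditional SecFilter rules.
var PageFilters = []string{Traversal, Passwd, "/etc/group", "/etc/shadow", "/bin/ls",
	Delete, "insert[[:space:]]+into", "update[[:space:]]+set", Select}

// Constructed sample requests (not taken from the page).
var (
	innocent  = Request{Path: "/images/logo.png"}
	traversal = Request{Path: "/cgi-bin/view.cgi", Query: "file=..%2F..%2F..%2Fetc%2Fpasswd"}
	sqli      = Request{Path: "/admin.php", Body: "id=1;DELETE+FROM+users"}
	prose     = Request{Path: "/search", Query: "q=select+a+color+from+the+list"}
)

type Check struct {
	Name     string
	Patterns []string
	Req      Request
}

var Checks = []Check{
	{"innocent path vs unescaped ../", []string{TraversalBad}, innocent},
	{"innocent path vs whole list", PageFilters, innocent},
	{"encoded traversal vs whole list", PageFilters, traversal},
	{"encoded traversal vs /etc/password", []string{PasswordBad}, traversal},
	{"SQL in POST body vs [:space:]", []string{DeleteBad}, sqli},
	{"SQL in POST body vs [[:space:]]", []string{Delete}, sqli},
	{"ordinary search vs select.+from", []string{Select}, prose},
}

// Results returns, per check, the pattern that denied the request, or "".
func Results() []string {
	out := make([]string, len(Checks))
	for i, c := range Checks {
		out[i] = FirstMatch(c.Patterns, c.Req)
	}
	return out
}

func main() {
	for i, r := range Results() {
		fmt.Printf("%-36s -> %q\n", Checks[i].Name, r)
	}
}
```

The last check is the caveat that comes with keyword signatures like `select.+from`: they deny legitimate form input that happens to contain those words, so watch the audit log for false positives after enabling them and narrow the rule (or scope it to one virtual host) rather than turning the engine off.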
7) Apache config (httpd.conf) considerations
8) Other performance considerations