How to improve Apache server performance and security?

Apache is a free and open source product created by the Apache Software Foundation. Apache boasts of being one of the most commonly used web servers on the Internet.

Thanks to its modular structure, the Apache server allows for a variety of uses: you can use Apache as a proxy (mod_proxy), configure encryption for communication between the browser and the web server (mod_ssl), or even manipulate HTTP header data (mod_headers) and URLs (mod_rewrite).

Clean up the Apache server

The Apache web server gets many of its well-known features only through modules. When cleaning up your Apache server, it is important to know which modules you are using and which are loaded on your system without being used. Of course, it is impossible to know every module by heart: Apache is too extensive. So it's worth taking a look at the documentation, which you can find on the Apache Software Foundation website.

The more modules you use, the higher your memory usage. Remember: modules you don't use are not only unnecessary, but they also waste RAM, which can cause significant delays in responding to requests. You shouldn't expect performance miracles by deactivating unnecessary modules, but it's still a good idea. As you know, a neat server is a safer and faster server.

The first step is to find out which modules are currently loaded. To do this, enter the command "apachectl -M". Typically, most modules are loaded in the /etc/httpd/conf/httpd.conf file. If you don't want to rely on that, use the grep command to find out where the modules are loaded:

grep -ir LoadModule /etc/httpd/conf/* /etc/httpd/conf.d/* /etc/httpd/vhosts/*

Depending on how many directories you have distributed your configuration into, different paths may appear here.

Unfortunately, we cannot give you a general answer to the question of which modules can be deactivated, since web servers can perform many different functions. You can take two approaches: either take the documentation linked above and check module by module if you are using it at all. Or you can consider the requirements of your individual server and select modules accordingly. Since the modules are very diverse, studying the documentation is especially recommended for users with little experience.

Let's take the /etc/httpd/conf/httpd.conf file as an example: it shows the enabled proxy modules. If you're not sure if you need them, find your configuration with this command:

grep -ir proxy /etc/httpd/conf/* /etc/httpd/conf.d/* /etc/httpd/vhosts/*

If nothing turns up, or if you only find commented-out lines, you are most likely not using a proxy module. Comment out the corresponding lines in the httpd.conf file, test the configuration with configtest and restart the server:

service httpd configtest

service httpd graceful

If the configuration check fails, reactivate the recently deactivated module. On Debian-based systems you can also activate or deactivate modules using a2dismod $modulname or a2enmod $modulname. To improve the performance and security of your Apache server, follow the steps we have outlined below in our article.
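The proxy check described above, written as a reusable script (an added example, not part of the original article). It reports whether a module family is loaded by an uncommented LoadModule line and whether any other uncommented line mentions it. The function names and the sample configuration are constructed for illustration, and the keyword match is a heuristic: a module can be needed without any directive that contains its name, so confirm against the documentation before disabling it.

```shell
#!/bin/sh
# Added example: is a loaded module family actually referenced by the config?

# Active (uncommented) lines mentioning KEYWORD, LoadModule lines excluded.
active_uses() {   # usage: active_uses KEYWORD DIR
    grep -rihE -- "$1" "$2" 2>/dev/null \
        | grep -vE '^[[:space:]]*#' \
        | grep -viE '^[[:space:]]*LoadModule[[:space:]]'
}

# Module identifiers loaded by uncommented LoadModule lines matching KEYWORD.
loaded_modules() {   # usage: loaded_modules KEYWORD DIR
    grep -rihE '^[[:space:]]*LoadModule[[:space:]]' "$2" 2>/dev/null \
        | awk '{print $2}' | grep -i -- "$1" | sort -u
}

# One-line verdict for KEYWORD: "not loaded", "in use" or "unused".
report() {   # usage: report KEYWORD DIR
    mods=$(loaded_modules "$1" "$2") || true
    if [ -z "$mods" ]; then
        echo "$1: not loaded"
    elif [ -n "$(active_uses "$1" "$2")" ]; then
        echo "$1: in use"
    else
        echo "$1: unused"
    fi
}

# Constructed sample configuration (not taken from a real server).
make_sample_conf() {
    d=$(mktemp -d) || return 1
    cat > "$d/httpd.conf" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
# ProxyPass /app http://127.0.0.1:8080/
RewriteEngine On
EOF
    echo "$d"
}

conf=$(make_sample_conf)
report proxy "$conf"
report rewrite "$conf"
rm -rf "$conf"
```

On a real server, pass the configuration directory instead of the sample, for example report proxy /etc/httpd.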

Optimizing Apache Performance

Sooner or later, every server reaches the limit of its performance: access becomes very slow. Unfortunately, there is no universal solution for tuning the performance of your Apache server, since the reasons for the loss of performance can be very diverse. So before you start thinking about upgrading your hardware, take a look at our recommendations. Please follow the instructions that are appropriate for you.

Top command: how to find performance degradation?

If you want to learn anything about hard drive access, iotop is the tool to use. With this command you can see the overall read and write rates as well as those of individual processes. iotop -o is also a convenient variant because it only lists processes that are actually doing I/O.

There shouldn't be any big surprises with this command: reading from and writing to databases, in particular, generates some I/O. You can also use another tool to find out more, namely iostat: without any additional parameters, the command shows the number of blocks read and written since the system started.

With iftop, you can display your network usage to detect any slowdowns in performance. Also worth mentioning is the lsof command, which lists open files. However, without additional options it produces a flood of information that you don't need anyway. Assuming you were able to identify httpd as the source of the load, it's now worth figuring out which files it has open. Type lsof -u apache -c httpd (-u selects the user apache, -c the process httpd) to list the files. Here you will also see many log files and modules that are currently open.

Bonus tip: If you're tired of "top" and "ps" and want to see your RAM usage and CPU load at a glance, "htop" is a good option. You can think of htop as a Linux shell task manager. Use apt-get install htop to install, then type "htop" in the terminal to open the program. The output will present you with keyboard shortcuts at the bottom of the screen.

This way, you can access the program's important features without any workarounds. You open the settings with F2. Here you also have the option to tailor htop's output to your needs. Use the arrow keys to select the value you want to display and add it to a column if necessary. With F5 you add parameters to the left column, with F6 you add parameters to the right column. Press F3 to access search, which allows you to search for process names. An input field will open in the bottom panel.

By using "renice" as an htop function, you can set process priorities. In the Unix world, all processes have what are called "nice values". This nice value indicates the priority of the process, and this priority determines the process's right to CPU time. The higher the Nice value, the more CPU capacity a process can use. Adjust the Nice value of the selected process in the open list using F7 and F8. Your changes will be applied immediately.

Apache Security

Securing the server is the first thing users should do. As the server owner, you may be held accountable in the event of a hacker attack! The goal should be to tailor your system so that it is difficult for attackers to gain access to it, ideally not at all. Let's start.

To secure your Apache web server, configure the settings in the Apache configuration "/etc/apache2/sites-available/default-ssl.conf" as described below:

SSLv3 blocking. Known vulnerabilities can be exploited if your server allows fallback to SSLv3. You can prevent this with "SSLProtocol All -SSLv2 -SSLv3". Alternatively, you can disable all protocols except TLS. A minus in front of "All" first blocks every protocol, and a plus in front of each desired protocol then allows it: "SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2".

SSL compression. To protect against attacks such as the CRIME attack, you can disable SSL compression: "SSLCompression off".

Encryption specifications. By default, the client decides which cipher is used. If you want your server's order of preference to apply instead, use this directive: "SSLHonorCipherOrder On".

Cipher suites. You have the ability to specify specific cipher suites and block unnecessary ones.

Activate HTTPS. Enable HTTP Strict Transport Security (HSTS). To do this, first enable the Apache headers module with "a2enmod headers". Now enter your settings into the default-ssl.conf file. In our example, we include possible subdomains and tell the browser that the server will only allow HTTPS connections for the next five years: Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Enable OCSP. The Online Certificate Status Protocol, or OCSP for short, is designed to verify the authenticity of certificates when establishing an SSL/TLS connection. However, this security feature is only meaningful for official CA certificates, not for self-signed certificates. It is not useful for every server administrator, so you should consider its advantages and disadvantages first. If you then want to activate this feature, you can do so with these directives:

SSLUseStapling on

SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Regardless of which features you decide to use, after making any configuration changes, it is important to test the features before going live. To do this use:

apache2ctl -t

sudo service apache2 restart
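apache2ctl -t only checks syntax, not whether the hardening settings listed above are actually present. The following script is an added example (not part of the original article) that audits a configuration file for them and prints one finding per missing setting. The function names and both sample configurations are constructed for illustration, and the check reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example: audit an SSL vhost file for the settings listed above.

# Last active (uncommented) value of directive NAME in FILE, lower-cased.
directive() {   # usage: directive NAME FILE
    awk -v n="$1" 'BEGIN { n = tolower(n) }
        tolower($1) == n { $1 = ""; v = tolower($0) }
        END { sub(/^ +/, "", v); print v }' "$2"
}

# Prints one finding per line; prints nothing when every setting is present.
audit_tls() {   # usage: audit_tls FILE
    case " $(directive SSLProtocol "$1") " in
        *" +sslv3 "*)           echo "SSLProtocol: SSLv3 allowed" ;;
        *" -sslv3 "*|" -all "*) ;;   # SSLv3 removed, or everything removed first
        *)                      echo "SSLProtocol: SSLv3 allowed" ;;
    esac
    [ "$(directive SSLCompression "$1")" = off ] || echo "SSLCompression: not explicitly off"
    [ "$(directive SSLHonorCipherOrder "$1")" = on ] || echo "SSLHonorCipherOrder: not on"
    [ "$(directive SSLUseStapling "$1")" = on ] || echo "SSLUseStapling: not on"
    grep -qiE '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$1" \
        || echo "HSTS: header missing"
}

weak_conf() {       # constructed sample: SSLv3 still reachable, nothing else set
    cat <<'EOF'
SSLProtocol All -SSLv2
# SSLCompression off
SSLHonorCipherOrder Off
EOF
}

hardened_conf() {   # constructed sample built from the directives quoted above
    cat <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLUseStapling on
EOF
}

tmp=$(mktemp)
weak_conf > "$tmp";     echo "weak:";     audit_tls "$tmp"
hardened_conf > "$tmp"; echo "hardened:"; audit_tls "$tmp"
rm -f "$tmp"
```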

Apache supports Unix, Linux, NetWare, Win32 and many other operating systems. Depending on which one you're working with, you may want to follow the previous instructions we've created for you when securing and cleaning up your server.

Antivirus for Apache server

The antivirus solution for your Apache server depends on which operating system you are using. When you consider that cybercriminals can attack any component of a website, it quickly becomes clear that you need protection: CMS systems such as WordPress and Joomla are just as vulnerable as application frameworks such as PHP and the ubiquitous Apache web servers. Every web server should be equipped with antivirus software and, ideally, a firewall.

Compare different web server security packages and when choosing, pay close attention to the intended use and features the package offers. A cheap security package is of no use if it doesn't provide exactly the features you need. Pay attention not only to the price, but also, first of all, to the capabilities of your antivirus solution. We will also be happy to advise you on this matter.

Epilogue

The Apache Software Foundation developed Apache, an open source product that is extremely popular for use on web servers. The modular design of the server software is undoubtedly a key factor in this success, as you can customize and use your Apache server individually.

To help you avoid confusion, we've given you instructions on how to keep your server tidy and optimize its performance. When it comes to security, you need to take action by adjusting configurations, taking into account the operating system you're using, and finding a comprehensive and effective security package to protect against malware, spyware, and cybercriminals.

Mainton Company - custom software development and testing, system administration, SEO and online advertising since 2004.
