Server Limits for Apache Security
By: O'Reilly Media
    2008-01-17

    Table of Contents:
  • Server Limits for Apache Security
  • Preventing Information Leaks
  • Changing Web Server Identity
  • Changing the Server Header Field

    (Page 1 of 4)

    In this fourth part of a six-part series on Apache installation and configuration, you will learn how to set server configuration limits, prevent information leaks, and more. This article is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

    Setting Server Configuration Limits

    Though you are not likely to fine-tune the server during installation, you must be aware of the existence of server limits and the way they are configured. Incorrectly configured limits make a web server an easy target for attacks (see Chapter 5). The following configuration directives all show default Apache configuration values and define how long the server will wait for a slow client:

      # wait up to 300 seconds for slow clients
      TimeOut 300
      # allow connections to be reused between requests
      KeepAlive On
      # allow a maximum of 100 requests per connection
      MaxKeepAliveRequests 100
      # wait up to 15 seconds for the next
      # request on an open connection
      KeepAliveTimeout 15

    The default value for the connection timeout (300 seconds) is too high. You can safely reduce it below 60 seconds and increase your tolerance against denial of service (DoS) attacks (see Chapter 5).

    The following directives impose limits on various aspects of an HTTP request:

      # impose no limits on the request body
      LimitRequestBody 0
      # allow up to 100 headers in a request
      LimitRequestFields 100
      # each header may be up to 8190 bytes long
      LimitRequestFieldSize 8190
      # the first line of the request can be
      # up to 8190 bytes long
      LimitRequestLine 8190
      # limit the XML request body to 1 million bytes (Apache 2.x only)
      LimitXMLRequestBody 1000000

    LimitXMLRequestBody is an Apache 2 directive and is used by the mod_dav module to limit the size of its command requests (which are XML-based).

    Seeing that the maximal size of the request body is unlimited by default (2 GB in practice), you may wish to specify a more sensible value for LimitRequestBody. You can go as low as 64 KB if you do not plan to support file uploads in the installation.

    The following directives control how server instances are created and destroyed in Apache 1 and sometimes in Apache 2 (as described further in the following text):

      # keep 5 servers ready to handle requests
      MinSpareServers 5
      # do not keep more than 10 servers idle
      MaxSpareServers 10
      # start with 5 servers
      StartServers 5
      # allow a max of 150 clients at any given time
      MaxClients 150
      # allow unlimited requests per server
      MaxRequestsPerChild 0

    You may want to lower the maximal number of clients (MaxClients) if your server does not have enough memory to handle 150 Apache instances at one time.

    You should make a habit of putting a limit on the maximal number of requests served by one server instance, which is unlimited by default in Apache 1 (as indicated by the 0 MaxRequestsPerChild value) but set to 10000 in Apache 2. When a server instance reaches the limit, it will be shut down and replaced with a fresh copy. A high value such as 1000 (or even more) will not affect web server operation but will help if an Apache module has a memory leak. Interestingly, when the Keep-Alive feature (which allows many requests to be performed over a single network connection) is used, all requests performed over a single Keep-Alive connection will be counted as one for the purposes of MaxRequestsPerChild handling.

    Apache 2 introduces the concept of multiprocessing modules (MPMs), which are special-purpose modules that determine how request processing is organized. Only one MPM can be active at any one time. MPMs were introduced to allow processing to be optimized for each operating system individually. The Apache 1 processing model (multiple processes, no threads, each process handling one request at one time) is called prefork, and it is the default processing model in Apache 2 running on Unix platforms. On Windows, Apache always runs as a single process with multiple execution threads, and the MPM for that is known as winnt. On Unix systems running Apache 2, it is possible to use the worker MPM, which is a hybrid, as it supports many processes each with many threads. For the worker MPM, the configuration is similar to the following (refer to the documentation for the complete description):

      # the maximum number of processes
      ServerLimit 16
      # how many processes to start with
      StartServers 2
      # how many threads per process to create
      ThreadsPerChild 25
      # minimum spare threads across all processes
      MinSpareThreads 25
      # maximum spare threads across all processes
      MaxSpareThreads 75
      # maximum clients at any given time
      MaxClients 150

    Since the number of threads per process is fixed, the Apache worker MPM will change the number of active processes to obey the minimum and maximum spare threads configured. Unlike with the prefork MPM, the MaxClients directive now controls the maximum number of active threads at any given time.
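    The following audit script is an added example, not code from the book or from the Apache project. It applies the recommendations from the timeout, request-limit and MaxRequestsPerChild discussion above (Timeout below 60 seconds, a non-zero LimitRequestBody of about 64 KB where uploads are not needed, a cap on requests per child) to httpd.conf-style text, falling back to the default values quoted in the text when a directive is absent, and, for the worker MPM section, works out how many processes MaxClients implies and whether ServerLimit times ThreadsPerChild can actually reach it. The three configuration snippets embedded in it are constructed from the values shown above; the thresholds are the ones the text recommends and can be changed through the function parameters.

```python
"""Audit Apache server-limit directives (constructed example, not book code)."""
import math
import re

# Values Apache applies when the directive is absent, as quoted in the text.
DEFAULTS = {
    "timeout": 300,
    "keepalivetimeout": 15,
    "limitrequestbody": 0,        # 0 means unlimited (about 2 GB in practice)
    "limitrequestfields": 100,
    "limitrequestfieldsize": 8190,
    "limitrequestline": 8190,
    "maxrequestsperchild": 0,     # Apache 1 default; Apache 2 ships with 10000
}

# Constructed configs: the defaults from the text and a hardened variant.
DEFAULT_CONF = """
# default values quoted in the text
TimeOut 300
KeepAlive On
LimitRequestBody 0
MaxClients 150
MaxRequestsPerChild 0
"""

HARDENED_CONF = """
TimeOut 45
KeepAlive On
LimitRequestBody 65536
MaxClients 150
MaxRequestsPerChild 1000
"""

# Constructed worker MPM block using the values shown above.
WORKER_CONF = """
ServerLimit 16
StartServers 2
ThreadsPerChild 25
MinSpareThreads 25
MaxSpareThreads 75
MaxClients 150
"""


def parse_directives(config_text):
    """Map lower-cased directive name -> raw value for simple 'Name value' lines.

    Apache directive names are case-insensitive, so they are normalised.
    Comments and blank lines are skipped; a repeated directive keeps the
    last value, which is how Apache resolves repeats in the same scope.
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z]+)\s+(\S+)\s*$", line)
        if match:
            directives[match.group(1).lower()] = match.group(2)
    return directives


def effective(directives, name):
    """Integer value in force: the configured one, else Apache's default."""
    key = name.lower()
    return int(directives.get(key, DEFAULTS[key]))


def audit_limits(config_text, max_timeout=60, max_body=64 * 1024):
    """Return a list of findings; an empty list means the limits look sane."""
    d = parse_directives(config_text)
    findings = []
    timeout = effective(d, "Timeout")
    if timeout > max_timeout:
        findings.append(f"Timeout {timeout} > {max_timeout}: slow clients hold a server instance")
    body = effective(d, "LimitRequestBody")
    if body == 0:
        findings.append("LimitRequestBody 0: request bodies are unlimited")
    elif body > max_body:
        findings.append(f"LimitRequestBody {body} > {max_body} bytes")
    if effective(d, "MaxRequestsPerChild") == 0:
        findings.append("MaxRequestsPerChild 0: leaking instances are never recycled")
    return findings


def worker_capacity(config_text):
    """Worker MPM: MaxClients caps threads, so it implies a process count.

    ServerLimit * ThreadsPerChild is the hard ceiling on concurrent clients;
    a MaxClients above that ceiling can never be reached.
    """
    d = parse_directives(config_text)
    threads = int(d["threadsperchild"])
    max_clients = int(d["maxclients"])
    server_limit = int(d["serverlimit"])
    needed = math.ceil(max_clients / threads)
    return {
        "processes_needed": needed,
        "thread_ceiling": server_limit * threads,
        "fits_server_limit": needed <= server_limit,
    }
```

    Running audit_limits over DEFAULT_CONF reports the three loose defaults (Timeout 300, unlimited body, uncapped MaxRequestsPerChild), while HARDENED_CONF yields no findings; worker_capacity on WORKER_CONF shows that 150 clients at 25 threads per process needs 6 processes, well within the 400-thread ceiling that ServerLimit 16 allows.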

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway