Though you are not likely to fine-tune the server during installation, you must be aware of the existence of server limits and the way they are configured. Incorrectly configured limits make a web server an easy target for attacks (see Chapter 5). The following configuration directives all show default Apache configuration values and define how long the server will wait for a slow client:
# wait up to 300 seconds for slow clients TimeOut 300 # allow connections to be reused between requests KeepAlive On # allow a maximum of 100 requests per connection MaxKeepAliveRequests 100 # wait up to 15 seconds for the next # request on an open connection KeepAliveTimeout 15
The default value for the connection timeout (300 seconds) is too high. You can safely reduce it below 60 seconds and increase your tolerance against denial of service (DoS) attacks (see Chapter 5).
The following directives impose limits on various aspects of an HTTP request:
# impose no limits on the request body LimitRequestBody 0 # allow up to 100 headers in a request LimitRequestFields 100 # each header may be up to 8190 bytes long LimitRequestFieldsize 8190 # the first line of the request can be # up to 8190 bytes long LimitRequestLine 8190 # limit the XML request body to 1 million bytes(Apache 2.x only) LimitXMLRequestBody 1000000
LimitXMLRequestBodyis an Apache 2 directive and is used by the mod_dav module to limit the size of its command requests (which are XML-based).
Seeing that the maximal size of the request body is unlimited by default (2 GB in practice), you may wish to specify a more sensible value forLimitRequestBody. You can go as low as 64 KB if you do not plan to support file uploads in the installation.
The following directives control how server instances are created and destroyed in Apache 1 and sometimes in Apache 2 (as described further in the following text):
# keep 5 servers ready to handle requests MinSpareServers 5 # do not keep more than 10 servers idle MaxSpareServers 10 # start with 5 servers StartServers 5 # allow a max of 150 clients at any given time MaxClients 150 # allow unlimited requests per server MaxRequestsPerChild 0
You may want to lower the maximal number of clients (MaxClients) if your server does not have enough memory to handle 150 Apache instances at one time.
You should make a habit of putting a limit on the maximal number of requests served by one server instance, which is unlimited by default in Apache 1 (as indicated by the0 MaxRequestsPerChildvalue) but set to10000 in Apache 2. When a server instance reaches the limit, it will be shut down and replaced with a fresh copy. A high value such as1000 (or even more) will not affect web server operation but will help if an Apache module has a memory leak. Interestingly, when the Keep-Alive feature (which allows many requests to be performed over a single network connection) is used, all requests performed over a single Keep-Alive connection will be counted as one for the purposes ofMaxRequestsPerChildhandling.
Apache 2 introduces the concept of multiprocessing modules (MPMs), which are special-purpose modules that determine how request processing is organized. Only one MPM can be active at any one time. MPMs were introduced to allow processing to be optimized for each operating system individually. The Apache 1 processing model (multiple processes, no threads, each process handling one request at one time) is called prefork, and it is the default processing model in Apache 2 running on Unix platforms. On Windows, Apache always runs as a single process with multiple execution threads, and the MPM for that is known as winnt. On Unix systems running Apache 2, it is possible to use the worker MPM, which is a hybrid, as it supports many processes each with many threads. For the worker MPM, the configuration is similar to the following (refer to the documentation for the complete description):
# the maximum number of processes ServerLimit 16 # how many processes to start with StartServers 2 # how many threads per process to create ThreadsPerChild 25 # minimum spare threads across all processes MinSpareThreads 25 # maximum spare threads across all processes MaxSpareThreads 75 # maximum clients at any given time MaxClients 150
Since the number of threads per process is fixed, the Apache worker MPM will change the number of active processes to obey the minimum and maximum spare threads configured. Unlike with the prefork MPM, theMaxClientsdirective now controls the maximum number of active threads at any given time.