Apache's main configuration file is httpd.conf. On Red Hat-family systems it lives at /etc/httpd/conf/httpd.conf; Debian and Ubuntu spread the same settings over /etc/apache2/ (apache2.conf plus the sites-enabled/, mods-enabled/ and conf-enabled/ directories). The file holds the server's global settings, module loading, virtual host definitions and so on. The basic parameters include: ServerRoot, the directory Apache treats as the base for relative paths in its configuration (modules, logs, included files); Listen, the address and port the server accepts connections on (80 by default, 443 for HTTPS); ServerName, the hostname or IP address the server identifies itself by; and DocumentRoot, the directory from which web documents are served. When one server hosts several sites, use virtual hosts: each <VirtualHost> block defines one site with its own domain, document root, access control and other settings. Apache picks a name-based virtual host by matching the request's Host header against each block's ServerName and ServerAlias, and when nothing matches it falls back to the first block defined for that address and port, so define a default virtual host first that serves nothing rather than letting requests for unknown hostnames land on the first real site.
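The following script is an added example, not configuration from the original article: it writes an httpd.conf fragment with the directives just described (Listen, ServerName, DocumentRoot, two name-based <VirtualHost> blocks behind a deny-everything default host) and runs a few static checks over the result. The paths under /srv/www, the hostnames example.com and example.org, and the /etc/httpd ServerRoot are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): writes a minimal httpd.conf
# fragment with two name-based virtual hosts behind a deny-everything default
# host, then runs static checks on it. Paths, hostnames and ServerRoot are
# assumptions for illustration.
set -eu

# write_vhost_config OUTFILE DOCROOT_BASE
# The first <VirtualHost> for *:80 is the one Apache uses when no
# ServerName/ServerAlias matches the Host header, so it refuses everything
# instead of leaking the first real site to requests for unknown hostnames.
write_vhost_config() {
    out=$1
    base=$2
    cat > "$out" <<EOF
ServerRoot "/etc/httpd"
Listen 80
ServerTokens Prod
ServerSignature Off

# Default host: requests for unknown Host headers get 403
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "$base/default"
    <Directory "$base/default">
        Require all denied
    </Directory>
</VirtualHost>
EOF
    for site in example.com example.org; do
        cat >> "$out" <<EOF

<VirtualHost *:80>
    ServerName $site
    ServerAlias www.$site
    DocumentRoot "$base/$site/public"
    ErrorLog "logs/$site-error.log"
    CustomLog "logs/$site-access.log" combined
    <Directory "$base/$site/public">
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    done
}

# count_vhosts FILE: number of <VirtualHost> blocks in FILE
count_vhosts() {
    grep -c '^<VirtualHost' "$1"
}

# check_vhost_config FILE: static sanity checks; prints PASS/FAIL lines and
# returns non-zero when any check fails
check_vhost_config() {
    f=$1
    rc=0
    # every vhost must name itself, or name-based matching cannot work
    opens=$(grep -c '^<VirtualHost' "$f")
    names=$(grep -c '^[[:space:]]*ServerName' "$f")
    [ "$opens" -eq "$names" ] && echo "PASS ServerName per vhost" || { echo "FAIL ServerName per vhost"; rc=1; }
    # two sites must not share a DocumentRoot
    dups=$(grep '^[[:space:]]*DocumentRoot' "$f" | sort | uniq -d | wc -l | tr -d ' ')
    [ "$dups" -eq 0 ] && echo "PASS distinct DocumentRoot" || { echo "FAIL duplicate DocumentRoot"; rc=1; }
    # directory listings stay off everywhere
    if grep -q 'Options.*+Indexes' "$f"; then echo "FAIL +Indexes enabled"; rc=1; else echo "PASS no +Indexes"; fi
    return $rc
}

CONF=${TMPDIR:-/tmp}/httpd-vhosts.conf
write_vhost_config "$CONF" /srv/www
check_vhost_config "$CONF"
echo "wrote $CONF with $(count_vhosts "$CONF") virtual hosts"
```

After dropping the fragment into the real configuration (or an Include'd file), run apachectl configtest and then apachectl -S, which lists every virtual host and which one is the default for each address and port.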
Apache is a very popular open-source web server, valued by developers for its stability, security and extensibility. As the number of sites and applications it hosts grows, an Apache server can run into performance bottlenecks and security risks. This article evaluates an Apache server and offers optimization advice to help you improve its performance and security.
Apache Server Evaluation
1. Performance evaluation
(1) Maximum concurrent connections
When evaluating Apache's performance, the first figure to check is how many client connections it will serve at once. In the configuration file (httpd.conf, or the per-MPM file that Debian-family packages keep under mods-available/) the limit is set by:
MaxRequestWorkers 256
In Apache 2.2 this directive was called MaxClients; 2.4 still accepts the old name as an alias, but MaxRequestWorkers is the current one, and its default is 256, not 2048. It caps the number of requests served simultaneously (with the prefork MPM that is the number of child processes, with worker or event the number of threads across all children). A value above 256 must be accompanied by a matching ServerLimit (for worker and event, ServerLimit times ThreadsPerChild), otherwise Apache logs a warning at startup and silently clamps the value back down. To change it, find or add the line:
MaxRequestWorkers <new value>
and size it from memory rather than from guesswork: each prefork child carries its own copy of every loaded module, so a limit larger than available RAM divided by one child's resident size lets a traffic spike push the host into swap, which is an easy denial of service. Run apachectl configtest to check the syntax and apachectl -V to confirm which MPM is in use, then restart Apache (apachectl graceful keeps existing connections alive) for the change to take effect.
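As an added example, not from the original article, the script below sizes MaxRequestWorkers the way the paragraph above describes: it reads MemTotal from /proc/meminfo, measures the average resident size of running httpd/apache2 processes, keeps a reserve for everything that is not Apache, and prints the prefork MPM stanza with ServerLimit raised alongside. The 25% reserve, the 4 GB and 20 MB fallbacks used when the measurements are unavailable, and the spare-server values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): sizes MaxRequestWorkers for
# the prefork MPM from available memory and the measured size of one Apache
# child, so a burst of connections cannot push the host into swap. The 25%
# reserve and the 4 GB / 20 MB fallbacks are assumptions.
set -eu

# max_workers_for TOTAL_KB RESERVE_KB CHILD_KB
# Prints how many children of CHILD_KB fit into TOTAL_KB once RESERVE_KB is
# set aside for the OS, database and other services (integer division).
max_workers_for() {
    total=$1; reserve=$2; child=$3
    [ "$child" -gt 0 ] || { echo "child size must be positive" >&2; return 1; }
    echo $(( (total - reserve) / child ))
}

# mem_total_kb: MemTotal from /proc/meminfo, or empty when not on Linux
mem_total_kb() {
    awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null || true
}

# child_rss_kb: average resident size (kB) of running httpd/apache2 processes,
# or empty when none are running
child_rss_kb() {
    ps -eo rss=,comm= 2>/dev/null \
        | awk '$2 ~ /^(httpd|apache2)$/ { sum += $1; n++ } END { if (n) print int(sum / n) }'
}

# mpm_stanza WORKERS: the prefork stanza for the computed limit. ServerLimit
# must be raised together with MaxRequestWorkers, otherwise Apache clamps the
# latter to the 256 default at startup.
mpm_stanza() {
    w=$1
    printf '<IfModule mpm_prefork_module>\n'
    printf '    StartServers          5\n'
    printf '    MinSpareServers       5\n'
    printf '    MaxSpareServers      10\n'
    printf '    ServerLimit        %4d\n' "$w"
    printf '    MaxRequestWorkers  %4d\n' "$w"
    printf '    MaxConnectionsPerChild 10000\n'
    printf '</IfModule>\n'
}

total=$(mem_total_kb)
[ -n "$total" ] || total=4194304     # assume 4 GB when /proc/meminfo is absent
child=$(child_rss_kb)
[ -n "$child" ] || child=20480       # assume 20 MB per child when Apache is not running
reserve=$(( total / 4 ))             # keep 25% for everything that is not Apache
workers=$(max_workers_for "$total" "$reserve" "$child")
echo "# MemTotal=${total}kB child=${child}kB reserve=${reserve}kB -> MaxRequestWorkers=${workers}"
mpm_stanza "$workers"
```

Measure the child size under real load, not on an idle server: modules such as mod_php grow a child's resident size considerably once it has handled requests, and the number this script prints is only as honest as that measurement.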
(2) Response time
To measure response time, use ab (ApacheBench), the benchmarking tool shipped with Apache (package apache2-utils on Debian/Ubuntu, httpd-tools on Red Hat-family systems). The command is ab, not apachebench. Install it, then run:
ab -n 1000 -c 100 http://localhost/
This sends 1000 requests to the server with 100 of them in flight at a time (-n is the total request count, -c the concurrency; -t limits the run to a number of seconds, -k reuses connections with keep-alive, and -r makes ab carry on after socket errors instead of aborting). Besides the mean time per request, ab reports requests per second, the number of failed requests, non-2xx responses, and the percentile distribution of response times; the 95th and 99th percentiles tell you more about stalls than the mean does. Run the tool from a different machine where possible, since ab on the same host competes with Apache for CPU, and benchmark the URLs that matter, not only the front page.
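The script below is an added example, not part of the original article: it parses the report format ab prints (the fields named above: requests per second, mean time per request, failed requests, non-2xx responses and the percentile table) and applies pass/fail thresholds, so a benchmark can run from a script instead of being read by eye. The report embedded in it is a constructed sample in ab's output format, not a real measurement, and the 1000 req/s and 200 ms thresholds are arbitrary.

```shell
#!/bin/sh
# Added example (not from the original article): extracts the figures that
# matter from ab's report and applies thresholds. The report below is a
# constructed sample in ab's output format, not a real measurement.
set -eu

SAMPLE_AB_OUTPUT='Server Software:        Apache/2.4.57
Server Hostname:        localhost
Server Port:            80

Document Path:          /
Document Length:        10918 bytes

Concurrency Level:      100
Time taken for tests:   0.512 seconds
Complete requests:      1000
Failed requests:        0
Non-2xx responses:      0
Total transferred:      11214000 bytes
Requests per second:    1953.13 [#/sec] (mean)
Time per request:       51.200 [ms] (mean)
Time per request:       0.512 [ms] (mean, across all concurrent requests)
Transfer rate:          21390.02 [Kbytes/sec] received

Percentage of the requests served within a certain time (ms)
  50%     47
  66%     53
  75%     57
  80%     60
  90%     68
  95%     76
  98%     88
  99%     95
 100%    104 (longest request)'

# ab_field REPORT "Label:" N: column N of the first line starting with Label
# (ab prints "Time per request" twice; the first one is the per-request mean)
ab_field() {
    printf '%s\n' "$1" | awk -v label="$2" -v col="$3" \
        'index($0, label) == 1 && !done { print $col; done = 1 }'
}

ab_rps()     { ab_field "$1" "Requests per second:" 4; }
ab_mean_ms() { ab_field "$1" "Time per request:" 4; }
ab_failed()  { ab_field "$1" "Failed requests:" 3; }
ab_non2xx()  { ab_field "$1" "Non-2xx responses:" 3; }

# ab_percentile REPORT P: latency in ms at percentile P (e.g. 99)
ab_percentile() {
    printf '%s\n' "$1" | awk -v p="$2%" '$1 == p { print $2 }'
}

# ab_check REPORT MIN_RPS MAX_P99_MS: returns 0 when the run met the
# thresholds with no failed or non-2xx responses, 1 otherwise
ab_check() {
    report=$1; min_rps=$2; max_p99=$3
    rc=0
    failed=$(ab_failed "$report"); non2xx=$(ab_non2xx "$report")
    rps=$(ab_rps "$report");       p99=$(ab_percentile "$report" 99)
    [ "${failed:-1}" -eq 0 ] || { echo "FAIL $failed failed requests"; rc=1; }
    [ "${non2xx:-1}" -eq 0 ] || { echo "FAIL $non2xx non-2xx responses"; rc=1; }
    # awk does the floating-point comparison that [ ] cannot
    awk -v a="${rps:-0}" -v b="$min_rps" 'BEGIN { exit !(a + 0 >= b + 0) }' \
        || { echo "FAIL ${rps:-0} req/s below $min_rps"; rc=1; }
    [ "${p99:-999999}" -le "$max_p99" ] || { echo "FAIL p99 ${p99:-?}ms above ${max_p99}ms"; rc=1; }
    [ $rc -eq 0 ] && echo "PASS rps=$rps p99=${p99}ms failed=$failed"
    return $rc
}

# Usage with a live run: ab_check "$(ab -n 1000 -c 100 http://localhost/)" 1000 200
ab_check "$SAMPLE_AB_OUTPUT" 1000 200
```

Treat a non-zero "Failed requests" or "Non-2xx responses" count as a failed benchmark regardless of throughput: a server that answers fast with 503s is not fast, and a rising p99 at constant mean is usually the first sign that MaxRequestWorkers or KeepAliveTimeout is wrong.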
2. Security evaluation
(1) SSL/TLS certificate
To serve HTTPS, Apache needs mod_ssl, a private key and a certificate. Make sure OpenSSL is installed, then create a configuration file named openssl.cnf with the following contents (the original listed prompt = no twice and referenced a v3_req extension section it never defined, which makes openssl refuse to run):

[req]
prompt = no
default_bits = 2048
default_keyfile = privatekey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[req_distinguished_name]
C = CN
ST = Beijing
L = Beijing
O = Example Company Inc.
OU = IT Department
CN = example.com
emailAddress = admin@example.com

[v3_req]
subjectAltName = DNS:example.com

Generate the self-signed key and certificate with:

openssl req -x509 -newkey rsa:2048 -nodes -keyout privatekey.pem -out certificate.pem -days 365 -config openssl.cnf

-keyout names the private key and -out the certificate; the original command had them the other way round, which would have written the private key to a file called publickey.pem. -nodes leaves the key unencrypted so that Apache can start unattended, so protect it with the file system instead: owner root, mode 600, in a directory Apache never serves (for example /etc/ssl/private/), while the certificate can stay world-readable. The subjectAltName extension is needed because browsers ignore the CN when checking the hostname. Point the HTTPS virtual host at the two files (SSLEngine on, SSLCertificateFile, SSLCertificateKeyFile) and confirm what was generated with openssl x509 -in certificate.pem -noout -subject -dates. A self-signed certificate is only suitable for testing, since every client must be told to trust it by hand; for a public site obtain one from a certificate authority and renew it before the 365 days run out.
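The script below is an added example, not the original article's commands: it writes the openssl.cnf from the section above, generates the key and self-signed certificate with the corrected -keyout/-out order and a subjectAltName, locks the key down to mode 600 before it is written, and verifies the result (subject CN, SAN, that the key really belongs to the certificate, and the key's permissions). The hostname, output directory and 365-day lifetime are assumptions, and it needs the openssl command.

```shell
#!/bin/sh
# Added example (not from the original article): generates the self-signed
# key and certificate with a subjectAltName, locks the key down and verifies
# what was produced. Hostnames, directory and lifetime are assumptions;
# requires the openssl command.
set -eu

# write_openssl_cnf FILE CN: the request configuration, with a v3_req
# section so the certificate carries a SAN (browsers ignore the CN)
write_openssl_cnf() {
    cat > "$1" <<EOF
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req

[req_distinguished_name]
C = CN
ST = Beijing
L = Beijing
O = Example Company Inc.
OU = IT Department
CN = $2
emailAddress = admin@$2

[v3_req]
subjectAltName = DNS:$2, DNS:www.$2
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# make_selfsigned DIR CN DAYS: writes DIR/privatekey.pem (mode 0600) and
# DIR/certificate.pem. -keyout is the key, -out the certificate.
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf" "$cn"
    old_umask=$(umask)
    umask 077        # the key file is born private, never world-readable
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/privatekey.pem" -out "$dir/certificate.pem" \
        -days "$days" -config "$dir/openssl.cnf" 2>/dev/null
    umask "$old_umask"
    chmod 600 "$dir/privatekey.pem"
    chmod 644 "$dir/certificate.pem"
}

# cert_cn FILE: the CN from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_san FILE NAME: 0 when NAME is in the certificate's SAN list
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' | grep -q "DNS:$2"
}

# key_matches_cert KEY CERT: 0 when the key's public half is the one in CERT
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# key_mode FILE: octal permission bits, e.g. 600 (GNU stat, then BSD stat)
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

if command -v openssl >/dev/null 2>&1; then
    OUT=${TMPDIR:-/tmp}/apache-tls-example
    make_selfsigned "$OUT" example.com 365
    echo "CN:       $(cert_cn "$OUT/certificate.pem")"
    cert_has_san "$OUT/certificate.pem" www.example.com && echo "SAN:      www.example.com present"
    key_matches_cert "$OUT/privatekey.pem" "$OUT/certificate.pem" && echo "key:      matches certificate"
    echo "key mode: $(key_mode "$OUT/privatekey.pem")"
    openssl x509 -in "$OUT/certificate.pem" -noout -dates
else
    echo "openssl not found; install it to run this example" >&2
fi
```

The key-matches-certificate check is worth keeping in any deployment script: the most common cause of "SSLCertificateKeyFile ... does not match" at startup is exactly the swapped -keyout/-out pair from the original command, and catching it before the restart avoids an outage.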
(2) Firewall settings
What the original configuration sketches here is not a network firewall but ModSecurity, a web application firewall that runs inside Apache as mod_security2 and inspects each request against rules before it reaches the application. A host firewall (iptables/nftables, ufw or firewalld) that exposes only ports 80 and 443 is a separate layer and still worth having. To enable ModSecurity, install the module (libapache2-mod-security2 on Debian/Ubuntu, mod_security on Red Hat-family systems) and add the following to the configuration:

<IfModule mod_security2.c>
    SecRuleEngine On
    # Rule 1001: deny (403) any request whose Authorization header claims
    # Basic auth but does not carry a well-formed base64 credential
    SecRule REQUEST_HEADERS:Authorization "@beginsWith Basic" \
        "id:1001,phase:1,deny,status:403,log,msg:'Forbidden',tag:'Basic-Auth',chain"
        SecRule REQUEST_HEADERS:Authorization "!@rx ^Basic [A-Za-z0-9+/]+={0,2}$"
</IfModule>
# End of Basic-Auth rule

The rule in the original was not valid ModSecurity syntax (there is no SecRuleSet directive, nolog:true and pass:allow are not actions, and pass contradicts status:403), and its HTML-style comment is not valid in httpd.conf, where comments start with #. Two things to know before relying on a rule like this: the username and password in a Basic Authorization header are base64-encoded, so a rule looking for literal characters such as !@#$%^&*() in the raw header never fires on a well-formed request, which is why the rule above checks the shape of the encoded credential instead; and every SecRule needs a unique id, or Apache refuses to start. After adding rules, run apachectl configtest, and put the engine in SecRuleEngine DetectionOnly in front of real traffic first so the audit log shows what would have been blocked before anything actually is.
Apache Server Optimization Advice
1. Enable KeepAlive
KeepAlive lets a client send several requests over one TCP connection instead of opening a new connection (and, with HTTPS, a new TLS handshake) for each one, which cuts connection setup and teardown and improves throughput. To enable it, add the following to the Apache configuration:

KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

KeepAliveTimeout is the security-relevant knob. With the prefork MPM every idle keep-alive connection occupies a whole child process until the timeout expires, so a large value (15 seconds was the Apache 2.2 default) lets a modest number of clients that open connections and then go quiet exhaust MaxRequestWorkers and lock out everyone else. Keep it at a few seconds, or use the event MPM, which parks idle keep-alive connections on its listener thread instead of tying up a worker. Reload Apache with apachectl graceful for the change to take effect.