The default settings need not be changed while a website receives normal traffic. Once traffic increases, however, you will need to adjust them, and you should know which values to change and why. The settings below explain the most relevant Apache directives and what needs to be tweaked.
1. Apache modules and settings
a) mod_reqtimeout
Syntax:
RequestReadTimeout [header=timeout[-maxtimeout][,MinRate=rate]] [body=timeout[-maxtimeout][,MinRate=rate]]
As seen above, timeouts can be set for both the request header and the request body sent by the client. Set these to low values so that both the header and the body time out after the configured time.
b) TimeOut
This directive defines how long an Apache process will wait for I/O. The default value is 60 seconds, and you should lower it to, say, 10-20 seconds during DDoS attacks. Some CGI scripts that need more execution time may run into problems as a result.
c) KeepAlive and KeepAliveTimeout
Most web hosts disable KeepAlive during a DDoS attack, but doing so hurts the server's performance in turn. A better idea is to decrease KeepAliveTimeout to 2 (default 5) and leave KeepAlive enabled.
d) LimitRequestBody
This defines the maximum allowed size of the request message body. During DDoS attacks, set this server-wide. The default value is 0, which means unlimited. Set it to 100MB and see if that improves performance.
Syntax:
LimitRequestBody value
LimitRequestBody 102400000
e) LimitRequestFields
This directive limits the number of request header fields accepted from the client. Set this to a value between 40 and 50.
LimitRequestFields 40 (default is 100)
f) LimitRequestFieldSize
This limits the size of the HTTP request header allowed from the client. The default is 8190, a value that is hard-coded at compile time. Decrease this value to half.
LimitRequestFieldSize 4095
g) LimitRequestLine
This limits the size of the HTTP request line that will be accepted from the client.
LimitRequestLine 4095 (default is 8190)
h) LimitXMLRequestBody
This limits the size of an XML type body request.
LimitXMLRequestBody 500000 (defaults to 1000000)
i) MaxRequestWorkers
A web server should never use swap, as doing so further decreases the server's performance and drastically increases the server load. You should regulate this directive to make sure that Apache doesn't spawn so many child processes that it starts swapping.
j) ServerLimit
It is the upper limit for the number of connections configured for Apache.
k) MaxClients
It is the maximum number of simultaneous connections that will be processed by the Apache web server. This value should never exceed the ServerLimit value. Take extra care when setting MaxClients, as even a slight variation could badly affect the server's overall performance.
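The recommendations above can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that reads an Apache configuration, applies the defaults and ceilings stated on this page, and reports every setting that is looser than advised. The names `audit`, `parse` and `SAMPLE` are hypothetical, the sample configuration is constructed, and per-VirtualHost scoping is ignored as a simplifying assumption.

```python
import re
# Defaults as stated on this page, and the ceilings it recommends under load.
DEFAULTS = {"timeout": 60, "keepalivetimeout": 5, "limitrequestbody": 0,
            "limitrequestfields": 100, "limitrequestfieldsize": 8190,
            "limitrequestline": 8190, "limitxmlrequestbody": 1000000}
CEILINGS = {"timeout": 20, "keepalivetimeout": 2,
            "limitrequestbody": 102400000, "limitrequestfields": 50,
            "limitrequestfieldsize": 4095, "limitrequestline": 4095,
            "limitxmlrequestbody": 500000}
DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(\S.*?)\s*$")

# Constructed sample httpd.conf fragment, not taken from any real server.
SAMPLE = """\
Timeout 60
KeepAlive On
KeepAliveTimeout 2
LimitRequestFields 40
LimitRequestLine 4095
ServerLimit 256
MaxClients 300
"""

def parse(conf_text):
    """Map lowercased directive -> last value seen. Comment lines and
    container tags do not match DIRECTIVE, so they are skipped."""
    seen = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2)
    return seen

def audit(conf_text):
    """Return sorted findings for settings looser than the page advises."""
    seen, findings = parse(conf_text), []
    for name, ceiling in CEILINGS.items():
        raw = str(seen.get(name, DEFAULTS[name]))
        value = int(raw) if raw.isdigit() else -1  # non-numeric: not judged
        unlimited = name == "limitrequestbody" and value == 0  # 0 = no limit
        if unlimited or value > ceiling:
            findings.append(f"{name}={'unlimited' if unlimited else value} above {ceiling}")
    if "requestreadtimeout" not in seen:
        findings.append("requestreadtimeout not set explicitly")
    # Page rule: MaxClients (MaxRequestWorkers) must not exceed ServerLimit.
    workers = seen.get("maxrequestworkers", seen.get("maxclients", ""))
    limit = seen.get("serverlimit", "")
    if workers.isdigit() and limit.isdigit() and int(workers) > int(limit):
        findings.append(f"worker count {workers} exceeds serverlimit={limit}")
    return sorted(findings)
```

Calling `audit(SAMPLE)` lists the six loose settings in the constructed fragment, including the directives that are missing and therefore fall back to the defaults given above.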