Apache configuration on Debian - part 1

Your Debian web server continues to take shape as we delve into the depths of apache's configuration options.

Configuring apache

Now that we've installed apache, looked at where apache keeps its configs, and tweaked the MPM settings, we get to look at the more run-of-the-mill settings in apache's config.

We won't go into detail about every directive (you can look at the apache docs for that), but we will highlight the settings that most people will need to change and talk about how they can be tailored for a site. Fortunately the config files are nicely commented as well, so just skimming the main config file should let you see what other directives do and whether or not you would need to change them.



Timeout 300

In simple terms, this sets the maximum time, in seconds, that the server will wait to receive a request, act on it, and send the response.

The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, to 30 seconds or even lower. A decrease may also help in reducing the effects of a DoS attack.



KeepAlive On

You should generally have KeepAlive "On", as it allows a client to reuse one persistent connection for each file, image, etc. that gets requested. Without keepalives, the apache server and web client will need to establish new connections for every element needed to display a web page. Keeping a single connection going that the client can reuse allows your server to manage clients more efficiently.

Define other KeepAlive settings as shown below:



MaxKeepAliveRequests 100

Now that we have our persistent connection, set the maximum number of requests per connection. Keep this high for maximum performance. You might want to experiment with this setting a bit, but if you have a site with lots of images, JavaScript, etc., try increasing MaxKeepAliveRequests to as much as 500.



KeepAliveTimeout 15

So how long does a persistent connection to a client wait for the next request? The default setting is very high and can easily be reduced to 2 or 3 seconds. If no new requests are received during this time the connection is killed.

Once a connection has been established and the client has requested the files needed for the web page, this setting tells that connection, "This is your client. There are many like it, but this one is yours. Handle only that client's requests until you reach the KeepAliveTimeout, ignore the others." So you'll want to balance the duration of KeepAlives (which make the server more responsive to a web client) against the need to free up old connections to make room for new clients.

The best way to optimize this setting is to use your site like an average visitor would, and pay attention to how often you click links. If you find someone would generally take a minute to read a page after navigating to it, a lower timeout would free their connection up quickly once they've reached that page. If you find that you click links regularly with small lulls between (for something like a one-question-per-page quiz), your site would be more responsive to a user with a higher KeepAliveTimeout to handle them.



HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to "On" will enable DNS lookups so host names can be logged (it performs a reverse DNS check). Setting it to "Double" will not only perform the reverse DNS check, it will then check the resulting hostname with a regular DNS query.

All a bit much just to make your access logs easier to read. If you really want hostname information from your visitors in your logs it is advised to use logresolve (located in /usr/sbin/logresolve) for this purpose. A small explanation of its use can be found here.
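The checks described above can be run against a config file before reloading apache. The script below is an added example, not part of the original article or of apache itself. The function names, the thresholds (taken from the article's suggestions) and the sample config are assumptions made for illustration.

```python
# Added example: audit the directives discussed in this article.
# Simplifications (assumptions): one file, no Include handling, and
# <VirtualHost> scoping is ignored, so the last value seen wins.

MAX_TIMEOUT = 30           # article: "30 seconds or even lower"
MAX_KEEPALIVE_TIMEOUT = 3  # article: "2 or 3 seconds"

# Constructed sample using the values quoted in the article.
SAMPLE_CONF = """\
# constructed sample, not taken from a real server
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
keepalivetimeout 15
HostnameLookups Off
"""

def parse_directives(text):
    """Map lowercased directive name -> value (names are case-insensitive)."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":   # skip comments and section tags
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip().strip('"')
    return found

def audit(text):
    """Return [(directive, value, reason)] for explicitly set risky values."""
    conf = parse_directives(text)
    findings = []
    for name, label, limit in (("timeout", "Timeout", MAX_TIMEOUT),
                               ("keepalivetimeout", "KeepAliveTimeout",
                                MAX_KEEPALIVE_TIMEOUT)):
        value = conf.get(name, "")
        if value.isdigit() and int(value) > limit:
            findings.append((label, value, f"over {limit}s, ties up connections"))
    if conf.get("keepalive", "on").lower() != "on":
        findings.append(("KeepAlive", conf["keepalive"], "persistent connections disabled"))
    if conf.get("hostnamelookups", "off").lower() != "off":
        findings.append(("HostnameLookups", conf["hostnamelookups"],
                         "reverse DNS on every request; use logresolve instead"))
    return findings

if __name__ == "__main__":
    for directive, value, reason in audit(SAMPLE_CONF):
        print(f"{directive} {value}: {reason}")
```

Only values that are explicitly set are checked; a directive missing from the file is left to apache's compiled-in default and is not reported.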


Quite a lot here, but as you go through the different settings you will see that several are fairly easy to understand. Naturally, there is a lot more to it than this article (or set of articles) can go into.

In the second part of this apache configuration overview we will look at other settings that will add some more efficiency and help in increasing the security of our Slice.

-- Jered