در این مقاله ما بر اساس تجربیات خود در زمینه ارائه سرویسهای میزبانی وب اشتراکی لینوکس نکاتی را با شما به اشتراک می گذاریم تا بدانید چگونه میتوانید آپاچی را امن کنید و تا حدودی کارایی آن را افزایش دهید !
در این مطلب من به شما راهکارهایی کوچک را نشان خواهم دارد تا آپاچی را امن و بهینه نمائید. این مقاله فقط یک نقطه آغاز برای سری طولانی امنیت و بهینه سازی سرورهای cPanel می باشد.
مقالاتی که در آینده به آنها اشاره خواهیم نمود : امنیت PHP , تنظیمات CentOS
In this article I will share a few tips on how to optimize and secure Apache for cPanel servers. This article is the beginning of a long series of server security and optimization for cPanel.
Articles to come: PHP security, CentOS configuration for cPanel, mod security for apache, firewall configuration, cPanel optimization, and much more.
Building Apache:
In order to compile apache, php and other modules you can use “Easy Apache”, you can access it using this ways:
1. From cPanel WHM navigate to: Main >> Software >> EasyApache (Apache Update)
2. From a ssh session execute: /scripts/easyapache
I suggest using the web version, it is easier to read for beginners. Let’s begin:
Page1: Profile
Select: “PHP Security” and push: “Start customizing based on profile”
Page2: Apache Version
Select: “Apache 2.2″ and click “Next Step”
Page3: PHP Major Version
Select: “PHP 5″ and click “Next Step”
Page4: PHP Minor Version
Select: “PHP 5.2.12″ and click “Next Step” (PHP 5.3 is a bit different then 5.2 and has a lot of functions disabled/removed, select PHP 5.3 only if your scripts are compatible with this version).
Page5: Short Options List
Uncheck: Frontpage (this extension is not supported anymore)
Check: Anything that you might need and make sure that: Mod Security, Mod SuPHP and Suhosin for PHP remains checked.
After you are done click on: “Exhaustive Options List”
Page6: Exhaustive Options List
Check: Mod FCGID, Fileprotect, MPM Prefork, Mod SuPHP, Proxy, UniqueId, Mod Security, Suhosin for PHP, CGI, Fastcgi, SafeMode, Safe PHP CGI
Uncheck: Frontpage, Eaccelerator, POSIX, Path Info Check
Don’t forget to read the documentation before you activate any more extensions.
After you are done click “Save and build”.
The compilation process will take a while so be patient. After it is done you will be prompted with a form, select the following:
Default PHP Version (.php files) 5
PHP 5 Handler ***
PHP 4 Handler none
Apache suEXEC on
*** At this point you need to select the php handler, for now let’s stick with suPHP since it’s secure
I guess that you noticed fcgi was selected for compilation, I’ll explain in a future article how to securely configure fcgi as php handler, by default it’s a security risk and not stable at all. For suPHP you can’t enable Eaccelerator so make sure it’s disabled, when you wanna switch to fcgi you can enable it.
And click “Save New Configuration”
Configuring Apahce:
1. Navigate to: Main >> Security Center >> Apache mod_userdir Tweak
And check: “Enable mod_userdir Protection”
2. Navigate to: Main >> Service Configuration >> Apache Configuration >> Global Configuration
Now configure the options as bellow:
TraceEnable – Off
ServerSignature – Off
ServerTokens – ProductOnly
FileTag – None
MaxClients – 256
MaxRequestsPerChild – 1000
Click “Save” and in the following window click “Rebuild Configuration and Restart Apache”.
If you server is under heavy traffic then you should edit: /usr/local/apache/conf/httpd.conf
ServerLimit 1000
MinSpareServers 5
MaxSpareServers 10
</IfModule>
MaxClients 256
MaxRequestsPerChild 1000
And raise the valuse of “ServerLimit” and “MaxClients”, don’t raise too much the value of MaxClients, if your server ever gets attacked/ddos then it might hang if it runs out of memory, try and set it to under: 150 x RAM Memory (in GB).
3. Navigate to: Main >> Service Configuration >> Apache Configuration >> Memory Usage Restrictions
And click: “Proceed >>”
4. Navigate to: Main >> Service Configuration >> Apache Configuration >> Log Rotation
And check all files/logs, after click “Save”.
That’s it for now, stay tuned for more.