
Wednesday, 4 May 2016

How to optimize the Apache configuration?


These settings are made in conf/httpd.conf.

Timeout
  • Number of seconds Apache waits to receive the TCP packets and acknowledgements belonging to a request
  • Default: 300 (sufficient)
  • Recommended for virtualized servers: 100, which improves performance

KeepAlive
  • Turns persistent connections on or off
  • Possible settings: "KeepAlive Off" or "KeepAlive On"

MaxKeepAliveRequests
  • Maximum number of requests a single persistent connection will serve
  • Only used when KeepAlive is On
  • 0 = unlimited requests
  • Recommended for virtualized servers: 100; for dedicated servers: 150

KeepAliveTimeout
  • Number of seconds Apache waits for another request on the same connection before closing it
  • Recommended: 1 to 5 (avoids tying up RAM while waiting for requests)
  • Default: 15 (on the high side)
  • A high value causes performance problems on heavily loaded servers

MinSpareServers
  • Minimum number of idle child server processes (idle = not handling a request)
  • Recommended:
    • For a virtualized server (default) = 5
    • For a dedicated server with 2 GB RAM = 10
    • For a dedicated server with 4 GB RAM = 20
    • For a dedicated server with 4+ GB RAM = 25

MaxSpareServers
  • Maximum number of idle child server processes
  • Default: 10
  • Recommended: double the value set for MinSpareServers

StartServers
  • Number of child server processes created on startup
  • Default: 5
  • Recommended: the same value as MinSpareServers

MaxClients
  • Limit on the number of simultaneous requests that will be served
  • Connections beyond the limit are queued and wait for a running process to finish
  • Default: 150
  • Recommended for a virtualized server = 150; for a dedicated server = 250

MaxRequestsPerChild
  • Limit on the number of requests an individual child server process will handle
  • Once a child has served that many requests, the child process exits
  • Default: 0 = the process never expires
  • Recommended:
    • For a virtualized server = 300
    • For a dedicated server with 1 to 4 GB RAM = 500
    • For a dedicated server with 4+ GB RAM = 1000

What are the KeepAlive configuration settings?


These settings are made in conf/httpd.conf.

KeepAlive
  • Turns persistent connections on or off
  • Possible settings: "KeepAlive Off" or "KeepAlive On"

MaxKeepAliveRequests
  • Maximum number of requests a single persistent connection will serve
  • 0 = unlimited requests
  • Recommended: 100 to 150

KeepAliveTimeout
  • Number of seconds Apache waits for another request on the same connection before closing it
  • Recommended: 1 to 5 (avoids tying up RAM while waiting for requests)
  • Default: 15 (on the high side)
  • A high value causes performance problems on heavily loaded servers

When to enable or disable KeepAlive?


Use KeepAlive = Off
  • If you have little RAM: with KeepAlive On, Apache keeps a process waiting for further requests on each open connection


Use KeepAlive = On
  • If you have little CPU power, as it reduces CPU load
  • If you have pages with many images and other files (CSS, JS etc.), as a single TCP connection then transfers multiple files
  • If your website has traffic throughout the day


To set KeepAlive, put one of the following in conf/httpd.conf:
KeepAlive On
OR
KeepAlive Off

KeepAlive On vs. KeepAlive Off


HTTP is a stateless protocol: in its basic form a connection is opened to transfer a single file and then closed.
This is not very efficient.

KeepAlive provides a persistent connection: the same TCP connection is reused for the whole HTTP conversation instead of a new connection being opened for each request.

KeepAlive disabled

  • opens a new connection for each request
    • Impact: web pages take longer to open and server resources are wasted
  • HTTP header used: Connection: close

----- HTML ------>
<--------------------
------- CSS ------->
<--------------------
------- JS --------->
<--------------------

KeepAlive enabled

  • uses the same TCP connection for the whole HTTP conversation
    • improves website speed; better user experience
    • reduces CPU usage (no repeated creating and closing of connections)
    • uses more RAM, as Apache waits for further requests on each connection
  • HTTP header used: Connection: Keep-Alive


HTML, CSS, JS
-------------------------->
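As an added example (not code from the blog), the following Python script audits an httpd.conf excerpt against the values recommended in the optimization and KeepAlive posts above: it parses top-level directives, flags values outside the recommended ranges, the "0 = unlimited" settings, a KeepAliveTimeout that holds RAM, and the MaxSpareServers / StartServers relationships to MinSpareServers. The sample configuration is constructed for the demo.

```python
# Recommended values quoted in the post (low = virtualized, high = dedicated server).
RANGES = {
    "Timeout": (100, 300),
    "MaxKeepAliveRequests": (100, 150),
    "KeepAliveTimeout": (1, 5),
    "MinSpareServers": (5, 25),
    "MaxClients": (150, 250),
    "MaxRequestsPerChild": (300, 1000),
}

# Constructed httpd.conf excerpt for the demo (not taken from a real server).
SAMPLE_CONF = ("Timeout 300\nKeepAlive On\nMaxKeepAliveRequests 0\nKeepAliveTimeout 15\n"
               "MinSpareServers 5\nMaxSpareServers 10\nStartServers 5\nMaxClients 150\n"
               "MaxRequestsPerChild 300\n<IfModule prefork.c>\nKeepAliveTimeout 99\n</IfModule>\n")

def parse_directives(text):
    """Map lower-cased top-level directives to values; comments and <Section> bodies are skipped."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(text):
    """Return findings where the file departs from the post's advice (empty list = OK)."""
    d, findings = parse_directives(text), []
    if d.get("keepalive", "").lower() != "on":
        findings.append("KeepAlive is not On: each file costs a new TCP connection")
    for name, (low, high) in RANGES.items():
        raw = d.get(name.lower())
        if raw is None or not raw.isdigit():
            findings.append(f"{name} not set or non-numeric ({raw!r}): server default applies")
        elif int(raw) == 0 and name in ("MaxKeepAliveRequests", "MaxRequestsPerChild"):
            findings.append(f"{name} is 0 (unlimited)")
        elif not low <= int(raw) <= high:
            findings.append(f"{name}={raw} is outside the recommended {low}-{high}")
    mn = d.get("minspareservers", "")
    if mn.isdigit() and d.get("maxspareservers") != str(2 * int(mn)):
        findings.append("MaxSpareServers should be twice MinSpareServers")
    if mn.isdigit() and d.get("startservers") != mn:
        findings.append("StartServers should equal MinSpareServers")
    return findings
```

Running `audit(SAMPLE_CONF)` reports the unlimited MaxKeepAliveRequests and the 15-second KeepAliveTimeout; the nested KeepAliveTimeout inside the IfModule block is ignored.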

Monday, 21 March 2016

How to migrate from HTTP to HTTPS using Apache + Tomcat?



1. Generate the certificate

Step 1. Generate a private key
Install OpenSSL.
Create your RSA private key, 2048 bits long, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text.
# openssl genrsa -des3 -out /etc/pki/tls/private/mytool.key 2048
This generates a file with the .key extension.

Step 2. Remove the passphrase from the key

One unfortunate side-effect of a pass-phrased private key is that Apache asks for the pass-phrase each time the web server is started.

# cp /etc/pki/tls/private/mytool.key  /etc/pki/tls/private/mytool.key.org
# openssl rsa -in /etc/pki/tls/private/mytool.key.org -out /etc/pki/tls/private/mytool.key



Step 3. Generate a CSR (Certificate Signing Request)
Once the private key is generated, a Certificate Signing Request can be created. The CSR is then used in one of two ways.
Ideally, the CSR file is sent to a Certificate Authority (such as Thawte or Verisign), who verifies the identity of the requester and issues a signed certificate.
The second option is to self-sign the CSR.

# openssl req -new -key /etc/pki/tls/private/mytool.key -out /etc/pki/tls/private/mytool.csr
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Haryana
Locality Name (eg, city) [Newbury]: Gurgaon
Organization Name (eg, company) [My Company Ltd]: Org
Organizational Unit Name (eg, section) []: Dev
Common Name (eg, your name or your server's hostname) []: dev1
Email Address []: shaanmail@gmail.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: password
An optional company name []:

The output of the above command is a file with the .csr extension.
Note: to obtain a CA-signed certificate, the certificate request (mytool.csr) must be sent to the CA.


Additional steps for a self-signed certificate
Step 4. Generate a self-signed certificate
At this point you will need to generate a self-signed certificate, either because you don't plan on having your certificate signed by a CA, or because you wish to test your new SSL setup while the CA is signing your certificate.
This temporary certificate will produce an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
# openssl x509 -req -days 365 -in /etc/pki/tls/private/mytool.csr -signkey /etc/pki/tls/private/mytool.key -out /etc/pki/tls/certs/mytool.crt

To check/locate your certificate (.crt) and key (.key) files, look in these locations:
For the key: # ls /etc/pki/tls/private/mytool.key
For the certificate: # ls /etc/pki/tls/certs/mytool.crt


Step 5. Certificate conversion
When you receive the certificate (*pem.cer) and the certificate chain (*pem_chain.cer), rename them to mytool.cer and mytool_chain.cer.


2. Configuration of Apache
Step 1. Stop the Apache server if it is running
# /opt/operating/bin/OperateApacheAll.ksh -stop mytool
    OR
# killall httpd

Step 2. Check that ssl.conf is included from httpd.conf
# vim /opt/application/mytool/current/apache2215/conf/httpd.conf
Include conf.d/*.conf


Step 3. Edit the SSL configuration
3.1. Check that the certificate, chain and private key exist
# ls /etc/pki/tls/certs/mytool.cer
# ls /etc/pki/tls/private/mytool.key
# ls /etc/pki/tls/private/mytool_chain.cer
If the files above do not exist, copy them into place first.


3.2. Make sure the mod_ssl module is loaded in ssl.conf.
# vim /opt/application/mytool/current/apache2215/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so

3.3. Add the certificate and private key to ssl.conf
  1. Comment out the default certificate and key
  2. Add the certificate, key and chain with the locations where they are stored
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/mytool.cer

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/private/mytool.key
SSLCertificateChainFile  /etc/pki/tls/private/mytool_chain.cer

3.4. Add a JkMount entry for the worker in the virtual host configuration for port 443:
<VirtualHost _default_:443>
  JkMount /* myworker1
   …
  …
</VirtualHost>


Step 4. Check the entry for the worker (myworker1) in workers.properties
# vim /opt/application/mytool/current/apache2215/conf.d/workers.properties
# Ajp13 worker
ps=/
worker.list=myworker1
#worker.myworker1.lbfactor=1
# Tuning (mod_jk only reads these when scoped to the worker name)
worker.myworker1.socket_timeout=30
worker.myworker1.socket_keepalive=1
worker.myworker1.recycle_timeout=30
worker.myworker1.retries=3
worker.myworker1.port=8009
worker.myworker1.host=localhost
worker.myworker1.type=ajp13


Step 5. Start the Apache Server
# /opt/operating/bin/OperateApacheAll.ksh -start mytool
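Before starting Apache it is worth verifying that the three files ssl.conf points at are really usable. The following Python script is an added example, not code from the blog: it reads the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives, checks that each file exists and carries the expected PEM block, detects a key that still has its pass-phrase (the Step 2 problem: Apache would prompt at every start) and warns when the now-unencrypted key is readable by other users. The demo writes constructed dummy PEM files into a temporary directory; they are not real keys or certificates.

```python
import os
import tempfile

FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def referenced_files(conf_text):
    """Map each SSL file directive to its path; commented '#SSL...' lines never match."""
    refs = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in FILE_DIRECTIVES:
            refs[parts[0]] = parts[1].strip()
    return refs

def pem_labels(text):
    """Return the '-----BEGIN <label>-----' labels found in PEM text, in order."""
    return [l.strip()[11:-5] for l in text.splitlines() if l.startswith("-----BEGIN ") and l.strip().endswith("-----")]

def check_ssl_conf(conf_text):
    """Return problems with the files ssl.conf points at (empty list = looks usable)."""
    problems, refs = [], referenced_files(conf_text)
    for name in FILE_DIRECTIVES:
        path = refs.get(name)
        if path is None or not os.path.isfile(path):
            problems.append(f"{name} is not set or the file is missing: {path}")
            continue
        with open(path, errors="replace") as fh:
            text = fh.read()
        labels = pem_labels(text)
        if name != "SSLCertificateKeyFile":
            if "CERTIFICATE" not in labels:
                problems.append(f"{path} holds no PEM certificate")
        elif not any(l.endswith("PRIVATE KEY") for l in labels):
            problems.append(f"{path} holds no PEM private key")
        elif "ENCRYPTED" in text:  # 'Proc-Type: 4,ENCRYPTED' or 'BEGIN ENCRYPTED PRIVATE KEY'
            problems.append(f"{path} is still pass-phrase protected: Apache will prompt at every start")
        elif os.stat(path).st_mode & 0o077:
            problems.append(f"{path} is readable by group/other: chmod 600 the unencrypted key")
    return problems

def demo():
    """Constructed dummy PEM files (not real keys) in a temp dir; the key is left 0644 on purpose."""
    d = tempfile.mkdtemp()
    names = ("mytool.cer", "mytool.key", "mytool_chain.cer")
    for fname, label in zip(names, ("CERTIFICATE", "RSA PRIVATE KEY", "CERTIFICATE")):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nQUJDREVG...dummy\n-----END {label}-----\n")
    os.chmod(os.path.join(d, "mytool.key"), 0o644)
    conf = "\n".join(f"{k} {d}/{v}" for k, v in zip(FILE_DIRECTIVES, names))
    return check_ssl_conf(conf)
```

Point `check_ssl_conf` at the contents of the real ssl.conf to audit a server; `demo()` returns a single finding about the world-readable key.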
 

3. Configuration of Tomcat

Change in Tomcat configuration



# vim /opt/application/mytool/current/jonas5226/00/conf/tomcat6-server.xml



Change the AJP connector:

  • Remove the proxyPort and proxyName attributes
  • Set redirectPort="9000" so that it redirects to its HTTP connector

<Connector port="8009" redirectPort="9000" protocol="AJP/1.3" maxThreads="512" minSpareThreads="25" maxSpareThreads="75"  connectionTimeout="20000" />


<Connector port="8009" protocol="HTTP" .... />


Restart Tomcat and test the application over HTTPS.