Description of Apache security parameters - Fluid Topics - 3.10

Fluid Topics Integration Guide

Operating system: RHEL
Category: Reference Guides
Audience: public
Version: 3.10

TraceEnable: This directive overrides the behavior of TRACE for both the core server and mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.

For more information about TraceEnable, see the Apache web site.

SSLProtocol and SSLCipherSuite: Directives that control which protocols and ciphers the server accepts. In this example, the server is configured to use only strong encryption.

For more information about SSL protocol, see the Apache web site.

ServerSignature: Whenever the Apache web server returns an error page (e.g., 404 Not Found, 403 Forbidden) or a directory listing, it shows the web server signature (e.g., Apache version number and operating system) at the bottom of the page. This directive allows turning these signatures off.

ServerTokens Prod: This directive controls how much detail the Server response header includes about the server version, OS and compiled-in modules. Prod limits it to the product name.

LoadModule reqtimeout_module modules/mod_reqtimeout.so: mod_reqtimeout limits the time spent waiting on the client, to prevent an attacker from causing a denial of service by opening many connections but not sending requests. The default configuration file provides sensible values, but it may be necessary to tune the timeouts to the actual situation. Note that mod_reqtimeout can also be configured per virtual host.

RequestReadTimeout header=20-40,minrate=500: Wait at most 20 seconds for the first byte of the request line and headers. From then on, require a minimum data rate of 500 bytes/s, but do not wait longer than 40 seconds in total.

Lower timeouts may make sense on non-SSL virtual hosts but can cause problems with SSL-enabled virtual hosts: this timeout includes the time a browser may need to fetch the CRL for the certificate. If the CRL server is not reachable, it may take more than 10 seconds until the browser gives up.

RequestReadTimeout body=10,minrate=500: Wait at most 10 seconds for the first byte of the request body (if any). From then on, require a minimum data rate of 500 bytes/s.
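The following is an added audit script, not part of the Fluid Topics guide or of Apache: it parses an httpd.conf fragment and reports which of the directives described above (TraceEnable, ServerSignature, ServerTokens, SSLProtocol, SSLCipherSuite, RequestReadTimeout) are missing or still at a weak value. The sample configurations, the expansion of the `all` protocol keyword and the `!aNULL` cipher heuristic are assumptions made for the example.

```python
# Constructed sample: permissive defaults that the hardening above replaces.
WEAK_CONF = """
TraceEnable on
ServerSignature On
ServerTokens Full
SSLProtocol all
SSLCipherSuite ALL
"""

# Constructed sample: the same directives in their hardened form.
HARDENED_CONF = """
TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,minrate=500
RequestReadTimeout body=10,minrate=500
"""

# Assumption: what the "all" keyword expands to on the Apache releases this guide targets.
SSL_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def parse_directives(conf):
    """Map lowercased directive name -> list of its values; comments and blanks dropped."""
    out = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            out.setdefault(name.lower(), []).append(value.strip())
    return out

def enabled_protocols(value):
    """Evaluate an SSLProtocol value left to right: a bare or + token adds, a - token removes."""
    enabled = set()
    for tok in value.lower().split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = SSL_ALL if name == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled

def audit(conf):
    """Return hardening findings for a config fragment; an empty list means every check passed."""
    d = parse_directives(conf)
    first = lambda name: d.get(name, [""])[0].lower()  # first value, "" when absent
    findings = []
    if first("traceenable") != "off":
        findings.append("TraceEnable must be off so TRACE requests get a 405")
    if first("serversignature") != "off":
        findings.append("ServerSignature must be Off to hide the version on error pages")
    if first("servertokens") != "prod":
        findings.append("ServerTokens must be Prod to strip OS and module details")
    proto = first("sslprotocol")
    if not proto or enabled_protocols(proto) & {"sslv2", "sslv3"}:
        findings.append("SSLProtocol is unset or still enables SSLv2/SSLv3")
    if "!anull" not in first("sslciphersuite"):  # heuristic: anonymous ciphers not excluded
        findings.append("SSLCipherSuite does not exclude anonymous (aNULL) ciphers")
    rrt = " ".join(d.get("requestreadtimeout", []))
    if "header=" not in rrt or "body=" not in rrt:
        findings.append("RequestReadTimeout header= and body= (mod_reqtimeout) are not both set")
    return findings
```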

<IfModule prefork.c> …</IfModule>:

  • StartServers: number of server processes to start
  • MinSpareServers: minimum number of server processes which are kept spare
  • MaxSpareServers: maximum number of server processes which are kept spare
  • ServerLimit: maximum value for MaxClients for the lifetime of the server
  • MaxClients: maximum number of server processes allowed to start
  • MaxRequestsPerChild: maximum number of requests a server process serves before it is replaced