The hub’s webserver is Apache¹ 2.4.x; as MPM I’m using event. The config files (especially their location) may/will vary, depending on your distribution. I’m using Gentoo, so all paths and files are specific to that distribution. However, the files’ contents should work on all distributions.
Modules
/etc/apache2/modules.d/00_mpm.conf
```apache
Timeout 30
<IfModule mpm_event_module>
    KeepAlive On
    MaxKeepAliveRequests 500
    KeepAliveTimeout 3
    ServerLimit 24
    StartServers 8
    MinSpareThreads 200
    MaxSpareThreads 400
    ThreadsPerChild 25
    MaxRequestWorkers 400
    MaxConnectionsPerChild 10000
</IfModule>
```
Your mileage may vary. There are dozens of possible configurations, depending on your hub, the server’s resources, how many users and how much load you are expecting, and so on. These settings work best for my hub.
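Because these numbers interact (Apache silently lowers or raises some of them at startup when they are inconsistent, which changes how many concurrent requests the server can really absorb), it is worth checking a candidate event-MPM block before restarting. The following script is an added example, not part of the original post or of Apache: it parses the block above (embedded as a constructed string) and applies the consistency rules the event MPM documentation states for ServerLimit, ThreadsPerChild, ThreadLimit, MaxRequestWorkers and the spare-thread bounds, then reports the resulting thread capacity. The defaults used for absent directives are Apache's documented event-MPM defaults.

```python
import re

# Constructed copy of the event-MPM block from 00_mpm.conf as shown above.
MPM_CONF = """
Timeout 30
<IfModule mpm_event_module>
    KeepAlive On
    MaxKeepAliveRequests 500
    KeepAliveTimeout 3
    ServerLimit 24
    StartServers 8
    MinSpareThreads 200
    MaxSpareThreads 400
    ThreadsPerChild 25
    MaxRequestWorkers 400
    MaxConnectionsPerChild 10000
</IfModule>
"""

DEFAULT_THREAD_LIMIT = 64  # Apache's compiled-in default for ThreadLimit


def parse_directives(text):
    """Collect simple 'Name value' directives; container tags and comments are skipped."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        found[name] = value.strip()
    return found


def check_event_mpm(conf_text):
    """Apply the event MPM's consistency rules and return findings plus derived capacity figures."""
    d = parse_directives(conf_text)
    num = lambda key, default: int(d.get(key, default))
    server_limit = num("ServerLimit", 16)
    threads_per_child = num("ThreadsPerChild", 25)
    thread_limit = num("ThreadLimit", DEFAULT_THREAD_LIMIT)
    max_workers = num("MaxRequestWorkers", server_limit * threads_per_child)
    min_spare = num("MinSpareThreads", 75)
    max_spare = num("MaxSpareThreads", 250)
    start_servers = num("StartServers", 3)

    findings = []
    if threads_per_child > thread_limit:
        findings.append(f"ThreadsPerChild {threads_per_child} exceeds ThreadLimit {thread_limit}; Apache caps it")
    if max_workers > server_limit * threads_per_child:
        findings.append(f"MaxRequestWorkers {max_workers} exceeds ServerLimit*ThreadsPerChild "
                        f"({server_limit * threads_per_child}); Apache lowers it")
    if max_workers % threads_per_child:
        findings.append(f"MaxRequestWorkers {max_workers} is not a multiple of ThreadsPerChild "
                        f"{threads_per_child}; Apache rounds it down")
    if max_workers < threads_per_child:
        findings.append("MaxRequestWorkers must be at least ThreadsPerChild")
    if min_spare < 1:
        findings.append("MinSpareThreads must be at least 1")
    if max_spare < min_spare + threads_per_child:
        findings.append(f"MaxSpareThreads {max_spare} is below MinSpareThreads+ThreadsPerChild "
                        f"({min_spare + threads_per_child}); Apache raises it")
    if start_servers > server_limit:
        findings.append(f"StartServers {start_servers} exceeds ServerLimit {server_limit}")

    return {
        "findings": findings,
        "thread_capacity": server_limit * threads_per_child,   # hard ceiling on worker threads
        "children_at_full_load": max_workers // threads_per_child,
        "keepalive_timeout": num("KeepAliveTimeout", 5),
    }


if __name__ == "__main__":
    for key, value in check_event_mpm(MPM_CONF).items():
        print(f"{key}: {value}")
```

For the block above the script reports no findings, a ceiling of 600 worker threads (24 × 25) and 16 children busy at full load; shrinking ServerLimit to 8 immediately produces a finding, because 8 × 25 = 200 is below the configured MaxRequestWorkers of 400 and Apache would quietly halve the real capacity.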
/etc/apache2/modules.d/70-fpm-php.conf
```apache
<IfDefine PHP>
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
    # Set it to handle the files
    <IfModule mod_mime.c>
        AddHandler application/x-httpd-php .php .php5 .phtml
        AddHandler application/x-httpd-php-source .phps
    </IfModule>
    <Location /status>
        SetEnv downgrade-1.0
        ProxyPass "unix:/run/php-fpm/www.sock|fcgi://localhost"
        Require local
    </Location>
    <Location /ping>
        SetEnv downgrade-1.0
        ProxyPass "unix:/run/php-fpm/www.sock|fcgi://localhost"
        Require local
    </Location>
    DirectoryIndex index.php index.phtml
</IfDefine>
```
Basically standard stuff, PHP as an FPM. The Location directives (status, ping) are used for Zabbix, my monitoring tool.
Vhosts
Includes
These files are included in every vhost in this snippet:
Include /etc/apache2/vhosts.d/letsencrypt.include
Include /etc/apache2/vhosts.d/deflate.include
Include /etc/apache2/vhosts.d/maintenance.include
If the vhost has SSL (and that’s nearly always the case), another file is included in the non-SSL vhost:
Include /etc/apache2/vhosts.d/sslredirect.include
/etc/apache2/vhosts.d/deflate.include
```apache
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/atom_xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/x-shockwave-flash
</IfModule>
```
Every text file delivered by Apache will be compressed with deflate. This is not only a great way to save bandwidth, but also a good way to speed up website loading.
/etc/apache2/vhosts.d/letsencrypt.include
```apache
Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory /var/www/letsencrypt/>
    AllowOverride None
    Require all granted
</Directory>
```
Since I use Let’s Encrypt for SSL (who doesn’t, anyway), this include makes sure that the webroot authenticator will work on any vhost. Certbot will put its challenge into /var/www/letsencrypt, and this makes sure that the challenge can be read (the Alias directive and the directory permission).
/etc/apache2/vhosts.d/maintenance.include
```apache
<Directory "/var/www/maintenance/htdocs">
    AllowOverride None
    Require all granted
</Directory>
Alias "/maintenance" "/var/www/maintenance/htdocs/"
<IfDefine Maintenance>
    ErrorDocument 503 /maintenance/maintenance.html
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^2a02:8109:9840:194c:d9bc:6d26:50cb:6d66
    RewriteCond %{REQUEST_URI} !=/maintenance/maintenance.html
    RewriteRule ^ - [R=503,L]
</IfDefine>
<IfDefine !Maintenance>
    RewriteEngine On
    RewriteRule ^/maintenance/maintenance.html$ / [R,L]
</IfDefine>
```
Occasionally it’s necessary to put the site into maintenance mode, for example if there are database maintenance tasks to be done. If you are a user of my hub you might have encountered it. This include file is for this very task: when the variable Maintenance is defined (for example, in my case (Gentoo): in /etc/conf.d/apache2) and Apache has been restarted (not reloaded!), every vhost will deliver the maintenance page (which contains a kind of countdown, a rough guesstimate of how long the maintenance period will be). It’s possible to get through the maintenance mode from a specific IP address, see the first RewriteCond. However, I haven’t used this “backdoor” for a long time, so the address here is a very old address used by my former ISP at home, no longer valid.
/etc/apache2/vhosts.d/sslredirect.conf
```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```
To make sure that only SSL connections are used, this include file redirects non-SSL connections to the respective SSL URLs. The only exception is for Let’s Encrypt: it’s perfectly OK (and necessary) for Let’s Encrypt to request its challenge over a non-encrypted connection.
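The two mod_rewrite includes on this page (the maintenance switch above and this SSL redirect) are exactly the kind of rules that are easy to get subtly wrong: a missing negation turns the ACME exception into a lock-out, and an unanchored address match widens the bypass. The following Python model is an added example, not part of the original post and not Apache code: it re-implements the decision each include makes for a single request, using the regexes copied from the two files, so the edge cases (ACME path on plain HTTP, the maintenance page itself, the bypass address, the redirect of the maintenance page when maintenance is off) can be checked offline. Hostnames and client addresses in the cases are constructed.

```python
import re

# Patterns copied from sslredirect.include and maintenance.include on this page.
ACME_PATH = re.compile(r"^/\.well\-known/acme\-challenge/")
MAINT_BYPASS_ADDR = re.compile(r"^2a02:8109:9840:194c:d9bc:6d26:50cb:6d66")
MAINT_PAGE = "/maintenance/maintenance.html"


def ssl_redirect(http_host, request_uri):
    """sslredirect.include on a plain-HTTP request: (status, Location) or None when served directly."""
    if ACME_PATH.search(request_uri):
        return None  # the negated RewriteCond fails, so the rule is skipped and certbot's file is served
    # HTTP_HOST is the client-supplied Host header and is echoed verbatim into the target.
    return (301, f"https://{http_host}{request_uri}")


def maintenance(maintenance_defined, remote_addr, request_uri):
    """maintenance.include: what a request receives depending on -D Maintenance and the client address."""
    if maintenance_defined:
        bypass = MAINT_BYPASS_ADDR.search(remote_addr) is not None
        if not bypass and request_uri != MAINT_PAGE:
            return (503, MAINT_PAGE)  # RewriteRule ^ - [R=503,L]; ErrorDocument 503 supplies the page
        return (200, request_uri)     # bypass address, or the maintenance page itself
    if request_uri == MAINT_PAGE:
        return (302, "/")             # [R] without an explicit code is a 302 redirect
    return (200, request_uri)


# Constructed requests covering the edge cases of both includes.
CASES = [
    ("ssl", ("hub.example.test", "/index.php")),
    ("ssl", ("hub.example.test", "/.well-known/acme-challenge/token123")),
    ("maint", (True, "2001:db8::1", "/photos")),
    ("maint", (True, "2001:db8::1", MAINT_PAGE)),
    ("maint", (True, "2a02:8109:9840:194c:d9bc:6d26:50cb:6d66", "/photos")),
    ("maint", (False, "203.0.113.5", MAINT_PAGE)),
    ("maint", (False, "203.0.113.5", "/photos")),
]


def run_cases():
    """Evaluate every constructed request and return (kind, args, outcome) triples."""
    results = []
    for kind, args in CASES:
        outcome = ssl_redirect(*args) if kind == "ssl" else maintenance(*args)
        results.append((kind, args, outcome))
    return results


if __name__ == "__main__":
    for kind, args, outcome in run_cases():
        print(f"{kind:5} {args} -> {outcome}")
```

Two things the model makes visible: during maintenance the only resource a non-bypass client can fetch is the maintenance page itself (everything else is a 503 that renders that page), and outside maintenance the page is not left lying around but redirected to the front page. If the bypass address is ever refreshed, keep it anchored on both sides (`^...$`) so the condition matches one address and not a prefix.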
Footnotes
1. Please don’t bother me by telling me that nginx is the superior/more efficient webserver. I’ve used both professionally, did some extensive benchmark/performance tests and I truly can say that there are practically no differences in performance between an Apache with a threaded MPM and an nginx. Both are excellent webservers/reverse proxies, and it’s mostly just a matter of personal taste (or knowledge/experience, whatever).