Linode Plan: Dedicated 16 GB, How to optimize? (Apache 2.4.48)
Hello, I currently have a dedicated 16 GB host.
I am using the control panel of aaPanel 6.8.14. My current host usage:
There are 3 domain name folders in total. Only two are in heavy use. Two official websites and one test website.
How can I optimize it for Apache 2.4.48?
Apache 2.4.48:
Timeout 300
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 1000
StartServers 8
MaxSpareThreads 150
MinSpareThreads 50
ThreadsPerChild 25
MaxRequestWorkers 500
MaxConnectionsPerChild 500
PS. Can I install ModSecurity modules in my environment? How do I start?
All my environment:
System:Ubuntu 20.04.3 LTS(Py3.7.9)
Apache 2.4.48
PHP-7.3
MySQL 5.6.50
phpMyAdmin 4.9
I hope the master can teach me how to do it. Thank you!
3 Replies
> There are 3 domain name folders in total. Only two are in heavy use. Two official websites and one test website.

ARRRRRGGHH! They're not "folders"…they're directories!
However, since none of us can see inside your Linode and most of us don't know what aaPanel 6.8.14 is, you've asked questions for which only you have the answer(s).
> PS. Can I install ModSecurity modules in my environment? How do I start?

I don't know what "ModSecurity modules" are. Are you talking about mod_ssl? If so, I don't see why not… I use it (and a ton of other stuff) on a system with a quarter the resources you have. I've also used it on a nanode (which has about 1/16 the resources you have).
See:
https://www.arubacloud.com/tutorial/how-to-enable-https-protocol-with-apache-2-on-ubuntu-20-04.aspx
-- sw
aaPanel: this is a Linux web hosting control panel from China. For me, the difficulty of setting up this control panel is relatively low, but the configuration file is the same as in other control panels.
So you can directly modify all the .ini configuration files and restart the server.
Apache 2.4.48:
Timeout 300
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 1000
StartServers 8
MaxSpareThreads 150
MinSpareThreads 50
ThreadsPerChild 25
MaxRequestWorkers 500
MaxConnectionsPerChild 500
At the moment I just want to understand how these settings will help my server performance improve?
Because my server often shows "503 Service Unavailable"/"Service Temporarily Unavailable" error messages, I need to know how to adjust this configuration file. Can someone help me?

> I don't know what "ModSecurity modules" are. Are you talking about mod_ssl? If so, I don't see why not… I use it (and a ton of other stuff) on a system with a quarter the resources you have. I've also used it on a nanode (which has about 1/16 the resources you have).

What I'm discussing with you is an Apache-specific module: ModSecurity.
https://github.com/SpiderLabs/ModSecurity
I want to be able to install it on my operating system. Do you know how to use it correctly?

> At the moment I just want to understand how these settings will help my server performance improve?

I can only point you to the documentation for each of these things:
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value
# during a graceful restart. ThreadLimit can only be changed by
# stopping and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves
You can consult the official apache2(8) documentation here:
https://httpd.apache.org/docs/2.4 (for KeepAlive, TimeOut, etc.)
https://httpd.apache.org/docs/2.4/mod/worker.html (for mpm_worker)
https://httpd.apache.org/docs/2.4/mod/event.html (for mpm_event)
It looks to me from the list of configuration directives you've given that you're using mpm_event but that's just a guess on my part.
As for assessing impacts on your server… Again, only you can determine that through understanding and measurement. Your traffic pattern is most likely way different than mine so generalizations about your situation based on any other situation are extremely dangerous. Anyone that tells you otherwise is a liar and/or a thief.
> What I'm discussing with you is an Apache-specific module: ModSecurity.

OK. I took a quick look at this. It looks reasonable enough. Your primary concern should not be functionality but support. Are new versions of apache2(8) supported quickly? What's their policy on legacy versions? How quickly do they respond to defect reports? What's their triage process? How good is their documentation? etc etc etc
One concrete piece of advice I can offer is that, if mod_security is not thread-safe, you're NOT going to be able to use a multi-threaded MPM (either mpm_worker or mpm_event). Period. Full stop. You need to make sure about that absolutely, positively first. Otherwise, I don't see a reason why mod_security wouldn't work. However, I'm not you and my server is not configured like yours…
IMHO, mod_security didn't seem to offer anything that you couldn't otherwise do with the stuff you already have. SQL injection attacks are quite common and every webapp/database vendor in the world has suggestions about how to prevent/mitigate them. You should follow their advice.
aaPanel probably has information about how to secure your installation. You should probably follow their advice.
Treat every request for increased privilege/access to your site(s) as if the requestor was a hacker. Don't just hand out increased privilege/access willy-nilly. Such behavior will come back to bite you big time. Trust me on this…
apache2(8) already has extensive authentication/security/hardening facilities. You should use them. For example, I use this:
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
and I update it every night with a cron(8) job. It denies access to 'bots & crawlers with known signatures. This goes a long way to preventing problems…and it's all done with mod_authz -- a standard part of apache2(8) you already have.
If you have spare cash that's burned a hole through your pants pocket and into your leg, invest it in a good log analyzer. The data from that will help you understand your traffic, performance and threat landscape far better than I (or anyone else here) probably can.
-- sw
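
The MPM directives posted in this thread can be checked against the constraints given in the mpm_worker/mpm_event documentation linked above. The script below is an added example, not part of any reply in the thread; it assumes a threaded MPM and that ServerLimit and ThreadLimit are unset (they do not appear in the posted snippet), so the documented defaults apply.

```python
# Added example (not from the thread): sanity-check threaded-MPM directives.
# Defaults for mpm_worker / mpm_event when a directive is absent from the config.
DEFAULTS = {"ServerLimit": 16, "ThreadLimit": 64, "ThreadsPerChild": 25,
            "MinSpareThreads": 75, "MaxSpareThreads": 250}

# Directives as posted in the thread; ServerLimit and ThreadLimit are not shown
# there, so this check ASSUMES they are unset and fall back to the defaults.
POSTED = """\
StartServers 8
MaxSpareThreads 150
MinSpareThreads 50
ThreadsPerChild 25
MaxRequestWorkers 500
MaxConnectionsPerChild 500
"""

def parse_directives(text):
    """Return {name: int} for 'Name <integer>' lines; skip comments and the rest."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[1].isdigit():
            found[parts[0]] = int(parts[1])
    return found

def check_mpm(cfg):
    """Return (effective MaxRequestWorkers, list of findings)."""
    c = {**DEFAULTS, **cfg}
    findings = []
    tpc = c["ThreadsPerChild"]
    if tpc > c["ThreadLimit"]:
        findings.append(f"ThreadsPerChild {tpc} > ThreadLimit {c['ThreadLimit']}")
        tpc = c["ThreadLimit"]
    wanted = c.get("MaxRequestWorkers", c["ServerLimit"] * tpc)
    if wanted % tpc:
        findings.append(f"MaxRequestWorkers {wanted} is not a multiple of {tpc}")
    procs = wanted // tpc  # httpd rounds down to a whole number of processes
    if procs > c["ServerLimit"]:
        findings.append(f"MaxRequestWorkers {wanted} needs ServerLimit {procs}, "
                        f"have {c['ServerLimit']}")
        procs = c["ServerLimit"]  # httpd lowers MaxRequestWorkers to fit
    if c["MaxSpareThreads"] < c["MinSpareThreads"] + tpc:
        findings.append("MaxSpareThreads < MinSpareThreads + ThreadsPerChild")
    return procs * tpc, findings

if __name__ == "__main__":
    effective, notes = check_mpm(parse_directives(POSTED))
    print("effective MaxRequestWorkers:", effective)
    for n in notes:
        print("-", n)
```

If ServerLimit is set elsewhere in the aaPanel-generated configuration, add that line to `POSTED` before drawing conclusions; `apachectl -V` reports which MPM is actually loaded.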