Parallels H-Sphere Documentation Administrator Guide

 

Advanced Web Server Settings

(3.1 Beta 1 and up)
 
 

Related Docs:   Physical Servers Enabling PHP in Web Options (User Guide) Web Server Configuration (Sysadmin Guide)

Last modified: 23 Jul 2008

 

WARNING: This documentation covers Parallels H-Sphere versions up to 3.1. For the latest up-to-date Parallels H-Sphere documentation, please proceed to the official Parallels site.

The H-Sphere 3.1 branch adds support for Apache 2.2 and more flexibility in configuring the web service on Unix boxes. Many of the options are available directly from the administrator interface.

These settings are available under the icon next to the server on the E. Manager -> Servers -> P.Servers page. After you're done with the settings, don't forget to click Submit.

 

Apache Version

To choose the Apache version for your physical Unix box:

  1. Go to E. Manager -> Servers -> P.Servers and click the (Server options) icon.
  2. On the page that appears, choose the Apache version:
    Apache Versions

    1 corresponds to Apache 1.3.x, 2 to Apache 2.2.x.

    If you enable Apache 2.2.x, also choose an MPM (Multi-Processing Module): prefork or worker.

  3. Click Submit.

 

Apache Modules

Some Apache modules, such as apache_ssl, consume a lot of system resources; others, such as apache_throttle and apache_frontpage, are obsolete. In version 3.1 you can toggle them from the interface for each Apache version. By default, of the following modules only apache_ssl is enabled; the rest are disabled:

Apache Modules
  • apache_ssl - this module provides strong cryptography for the Apache 1.x webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with the help of the Open Source SSL/TLS toolkit OpenSSL.
  • apache_fastcgi - this module provides support for the FastCGI protocol. FastCGI is a language independent, scalable, open extension to CGI that provides high performance and persistence without the limitations of server specific APIs.
  • apache_scgi - the SCGI protocol is a replacement for the Common Gateway Interface (CGI) protocol. It is a standard for applications to interface with HTTP servers. It is similar to FastCGI but is designed to be easier to implement.
  • apache_throttle - limit the bandwidth usage and server load of virtual hosts, directories, locations, or users according to selected policies.
  • apache_frontpage - this module adds front page support.
  • apache_status - this module allows a server administrator to find out how well their server is performing. An HTML page is presented that gives the current server statistics in an easily readable form. If required, this page can be made to refresh automatically (given a compatible browser). Another page gives a simple machine-readable list of the current server state.
  • apache_security - open source Intrusion Detection and Prevention module for Web applications.
  • apache_cache - enables a memory caching scheme with the most common set of related parameters. If you want to change them, or use a disk caching scheme, or a combination of the two, prepare a custom template for the corresponding include file.

When enabling apache_security, also set the Apache mod_security options.

In H-Sphere 3.1 Patch 1+, we provide a new tool for loading the Gotroot rules included in the hsphere-apache-shared-h3.1 package.

If you want to use Gotroot.com rules with Apache mod_security, you should first load them into H-Sphere. Read about Using Gotroot.com Modsecurity Rules With H-Sphere.

Apache Mod_security Options
  • asecurity_rules - Web Application protection. Config file: rules.conf. Default: 0 (disabled).
  • asecurity_jitp - Just in Time Patches for Vulnerable Applications. Config file: jitp.conf. Default: 0 (disabled).
  • asecurity_useragents - Bad UserAgents blocking. Config file: useragents.conf. Default: 0 (disabled).
  • asecurity_blacklist - Comment spam blacklist. Config file: blacklist.conf. Default: 0 (disabled).
  • asecurity_blacklist2 - Compromised/Hacker boxes blacklist. Config file: blacklist2.conf. Default: 0 (disabled).
  • asecurity_apache2-rules - Additional Apache 2.x rules. Effective for apache 2.2 only. Config file: apache2-rules.conf. Default: 0 (disabled).
  • asecurity_rootkits - Known rootkits/worms. Config file: rootkits.conf. Default: 0 (disabled).
  • asecurity_exclude - Rule Exclusions. Config file: exclude.conf. Default: 0 (disabled).
  • asecurity_recons - "Google Hacks" signatures. Config file: recons.conf. Default: 0 (disabled).

 

PHP Modes

For each available Apache version you can choose from libphp (default), cgi, or fastcgi (the latter is implemented only since 3.1):

  • libphp - PHP runs as an Apache module. The advantage is that PHP is always resident in memory, which results in higher speed and lower server load.
  • cgi - PHP runs as a CGI script in a separate process which starts with each request and exits when the script finishes executing. This makes PHP operation simpler and more secure, but incurs excessive memory usage and a higher memory load.
  • fastcgi - PHP also runs as a CGI script, but under a single process which does not stop when the script is executed. This minimizes server load while running PHP in CGI mode.

To configure advanced PHP mode settings in the admin CP, go to E. Manager -> Servers -> P.Servers and click on the Settings icon for a physical server. You will see the following interface:

PHP 4/5 Modes Form

This form allows you to choose which PHP 4 and PHP 5 libphp/cgi/fastcgi modes will be available for end users whose domains are hosted on this physical server, and to set the default mode for each PHP version.

The fastcgi and cgi modes can be enabled for both PHP 4 and PHP 5, but the libphp mode only for one of the PHP versions. Modes checked as Enabled will be available for end users to choose from in the Advanced PHP configuration interface in Web Options. When users switch PHP version in the "simplified" PHP configuration interface, they switch between the default modes of PHP versions (the Default column in the form - choose one default mode per PHP version). After that, selected modes will be available for users to choose from for each domain.

If you have enabled fastcgi mode, you can configure its VirtualHost options in the form below:

FastCGI Options
  • fcgi_idle-timeout - the number of seconds of FastCGI application inactivity allowed before the request is aborted and the event is logged (at the error LogLevel). The inactivity timer applies only as long as a connection is pending with the FastCGI application. If a request is queued to an application, but the application doesn't respond (by writing and flushing) within this period, the request will be aborted. If communication is complete with the application but incomplete with the client (the response is buffered), the timeout does not apply.
  • fcgi_killInterval - determines how often the dynamic application instance killing policy is implemented within the process manager. Smaller numbers result in a more aggressive policy, larger numbers a less aggressive policy.
  • fcgi_minProcesses - minimum total number of dynamic FastCGI application instances allowed to run at any one time without being killed off by the process manager (due to lack of demand).
  • fcgi_maxClassProcesses - maximum number of dynamic FastCGI application instances allowed to run for any one FastCGI application. It must be less than or equal to maxProcesses (this condition is not programmatically enforced).
  • fcgi_maxProcesses - maximum total number of dynamic FastCGI application instances allowed to run at any one time. It must be greater than or equal to maxClassProcesses (this condition is not programmatically enforced).
  • fcgi_restart - causes the process manager to restart dynamic applications upon failure (similar to static applications).
  • fcgi_multiThreshold - an integer between 0 and 100 used to determine whether any one instance of a FastCGI application should be terminated. If the application has more than one instance currently running, this attribute will be used to decide whether one of them should be terminated. If only one instance remains, -singleThreshold is used instead.
  • fcgi_singleThreshold - an integer between 0 and 100 used to determine whether the last instance of a FastCGI application can be terminated. If the load factor computed by the process manager for the application is lower than the specified threshold, the last instance is terminated. To keep your executables running in "idle" mode for a long time, specify a value closer to 1; if memory or CPU time is the primary concern, a value closer to 100 is more applicable. Setting it to 0 prevents the last instance of an application from being terminated; this is the default value, and changing it is not recommended (especially if -appConnTimeout is set).
  • fcgi_updateInterval - determines how often statistical analysis is performed to determine the fate of dynamic FastCGI applications.
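
Because the maxClassProcesses/maxProcesses relationship is not enforced, it is worth checking the values before submitting them. The following is an added example, not part of the H-Sphere documentation or code: it validates the fcgi_* settings listed above against the constraints stated in that list. The "name = value" input format and the function names are assumptions made for the example.

```python
# Integer-valued settings from the FastCGI Options list (fcgi_restart is an on/off flag).
INT_SETTINGS = ("fcgi_idle-timeout", "fcgi_killInterval", "fcgi_minProcesses",
                "fcgi_maxClassProcesses", "fcgi_maxProcesses", "fcgi_multiThreshold",
                "fcgi_singleThreshold", "fcgi_updateInterval")
THRESHOLDS = ("fcgi_multiThreshold", "fcgi_singleThreshold")

def parse_settings(text):
    """Parse 'name = value' lines (a constructed format) into a dict of strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected name = value, got {raw!r}")
        settings[name.strip()] = value.strip()
    return settings

def check_fastcgi(settings):
    """Return a list of problems found in the given fcgi_* settings."""
    problems, values = [], {}
    for name in INT_SETTINGS:
        if name not in settings:
            continue
        try:
            values[name] = int(settings[name])
        except ValueError:
            problems.append(f"{name}: {settings[name]!r} is not an integer")
            continue
        if values[name] < 0:
            problems.append(f"{name}: {values[name]} is negative")
    for name in THRESHOLDS:
        if name in values and not 0 <= values[name] <= 100:
            problems.append(f"{name}: {values[name]} is outside 0..100")
    # The cross-field condition the list says is not enforced by the server.
    per_app, total = values.get("fcgi_maxClassProcesses"), values.get("fcgi_maxProcesses")
    if per_app is not None and total is not None and per_app > total:
        problems.append(f"fcgi_maxClassProcesses ({per_app}) exceeds fcgi_maxProcesses ({total})")
    if values.get("fcgi_singleThreshold", 0) != 0:
        problems.append("fcgi_singleThreshold is not the default 0")
    return problems

# Constructed sample values, not taken from a real server.
SAMPLE = """fcgi_idle-timeout = 30
fcgi_maxClassProcesses = 20   # larger than the total below
fcgi_maxProcesses = 10
fcgi_singleThreshold = 150
"""
```

Calling check_fastcgi(parse_settings(SAMPLE)) reports the out-of-range threshold, the per-application limit exceeding the total, and the non-default fcgi_singleThreshold.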

 

PHP Plugins

In this form you can disable unwanted PHP plugins (PHP extensions as DSO modules):

PHP Plugins

phpext_dbx, phpext_domxml, phpext_filepro, phpext_mcal and phpext_xslt are implemented only for PHP 4, while phpext_soap and phpext_mysqli are implemented only for PHP 5.

To obtain help on a plugin, click the button with ? near its title.





© Copyright 2017. Parallels Holdings. All rights reserved.