Ansible Role apache_httpd

This role installs and configures a CIS-compliant Apache httpd.

What this Role does

This role configures Apache the way it is usually done on Debian systems, which differs considerably from upstream’s suggested layout. The aim is to make adding and removing mods, virtual hosts, and extra configuration directives as flexible as possible, so that automating changes and administering the server is as easy as possible.

The config is split into several files forming the configuration hierarchy outlined below, all located in the /etc/httpd/ directory:

/etc/httpd/
`-- httpd.conf
`-- conf-available/
`-- conf-enabled/
`-- mods-available/
`-- mods-enabled/
`-- sites-available/
`-- sites-enabled/

We try to avoid using <IfModule> in the global Apache configuration as well as in the configuration of the vhosts as much as possible in order to facilitate debugging. Otherwise, when using <IfModule>, configuration options are silently dropped, and their absence is very difficult to notice.

For flexibility, use the raw variable to configure the following topics (have a look at the „Apache vHost Configs“ section for some examples):

  • SSL/TLS Certificates.

  • Quality of Service (mod_qos directives).

  • Proxy passing rules.

  • Any other configuration instructions not covered in the „Role Variables“ chapters.

If you want to check Apache with our STIG audit script, run it like this:

  • Apache Application Server:
    ./audit.py --lengthy --profile-name='CIS Apache HTTP Server 2.4' --profile-version='v2.0.0' --hostname=web --control-name-exclude='2\.4|2\.6|2\.8|5\.7|6\.6|6\.7'

  • Apache Reverse Proxy Server:
    ./audit.py --lengthy --profile-name='CIS Apache HTTP Server 2.4' --profile-version='v2.0.0' --hostname=proxy --control-name-exclude='2\.4|2\.6|2\.8|5\.7'

What this Role doesn’t do

  • PHP: This role prefers the use of PHP-FPM over PHP, but it does not install either.

  • SELinux: Use specialized roles to set specific SELinux Booleans, Policies etc.

Config Examples for vHosts

Have a look here.

Mandatory Requirements

Optional Requirements

Tags

Tag

What it does

apache_httpd

* Installs and configures apache_httpd

apache_httpd:config

* Creates or updates global Apache configuration
* Removes conf-available configs
* Creates conf-available configs
* Disables configs
* Enables configs

apache_httpd:htpasswd

* Manages htpasswd files

apache_httpd:matomo

* Deploys Matomo Log Analytics Python Script

apache_httpd:mod_security_coreruleset

* Downloads, verifies and installs OWASP ModSecurity Core Rule Set (CRS)
* Installs tar
* Unarchives the CRS
* Links the CRS

apache_httpd:mods

* Removes mods-available configs
* Creates mods-available configs
* Disables mods
* Enables mods

apache_httpd:state

* Ensures that httpd service is in a desired state

apache_httpd:vhosts

* Removes sites-available vHosts
* Creates sites-available vHosts
* Creates DocumentRoot for all vHosts
* Disables vHosts
* Enables vHosts

Mandatory Role Variables - Global Apache Config (core)

Variable

Description

apache_httpd__conf_server_admin

Mandatory, string. Apache Directive

Example:

# mandatory
apache_httpd__conf_server_admin: 'webmaster@example.com'

Optional Role Variables - Global Apache Config (core)

Variable

Description

Default Value

apache_httpd__conf_add_default_charset

String. Apache Directive

'UTF-8'

apache_httpd__conf_document_root

String. Apache Directive

'/var/www/html'

apache_httpd__conf_enable_send_file

String. Apache Directive

'On'

apache_httpd__conf_error_log

String. Apache Directive

'syslog:local1'

apache_httpd__conf_hostname_lookups

String. Apache Directive

'Off'

apache_httpd__conf_keep_alive

String. Apache Directive

'On'

apache_httpd__conf_keep_alive_timeout

Number. CIS: Do not set it above 15 seconds.
Apache Directive

5

apache_httpd__conf_limit_request_body

Number. CIS: Do not set it above 102400.
Apache Directive

102400

apache_httpd__conf_limit_request_field_size

Number. CIS: Do not set it above 1024 - but this might be too small for any modern application which sets cookies in its Header.
Apache Directive

8190

apache_httpd__conf_limit_request_fields

Number. CIS: Do not set it above 100.
Apache Directive

100

apache_httpd__conf_limit_request_line

Number. CIS: Do not set it above 512 - but this might be too small for any modern application which sets cookies in its Header.
Apache Directive

8190

apache_httpd__conf_log_level

String. Apache Directive

'warn'

apache_httpd__conf_max_keep_alive_requests

Number. Apache Directive

500

apache_httpd__conf_server_name

String. Mandatory, string. Apache Directive

'localhost'

apache_httpd__conf_timeout

Number. CIS: Do not set it above 10 seconds.
Apache Directive

10

apache_httpd__conf_trace_enable

String. CIS: Do not set it to 'On'.
Apache Directive

'Off'

Example:

# optional - core
apache_httpd__conf_add_default_charset: 'UTF-8'
apache_httpd__conf_document_root: '/var/www/html'
apache_httpd__conf_enable_send_file: 'On'
apache_httpd__conf_error_log: 'syslog:local1'
apache_httpd__conf_hostname_lookups: 'Off'
apache_httpd__conf_keep_alive: 'On'
apache_httpd__conf_keep_alive_timeout: 5
apache_httpd__conf_limit_request_body: 102400
apache_httpd__conf_limit_request_field_size: 8190
apache_httpd__conf_limit_request_fields: 100
apache_httpd__conf_limit_request_line: 8190
apache_httpd__conf_log_level: 'warn'
apache_httpd__conf_max_keep_alive_requests: 500
apache_httpd__conf_server_name: 'localhost'
apache_httpd__conf_timeout: 10
apache_httpd__conf_trace_enable: 'Off'

Optional Role Variables - Specific to this role

Variable

Description

Default Value

apache_httpd__conf__group_var /
apache_httpd__conf__host_var

List. List of dictionaries of conf-available/conf-enabled files.
Subkeys:
* filename: Mandatory, string. Destination filename in conf-available/, and normally is equal to the name of the source template used. Will be suffixed with .conf.
* enabled: boolean. Defaults to true. Creates a symlink to conf-available/<keyname>.conf in conf-enabled/ (true), otherwise the link is removed (false).
* state: string. conf-available/<keyname>.conf is created (present), otherwise file is removed (absent).
* template: Mandatory, string. Name of the Jinja template source file to use.
See example below.

Have a look

apache_httpd__htpasswd__group_var /
apache_httpd__htpasswd__host_var

List of dictionaries used to create and update the flat files that store usernames and passwords for basic authentication of HTTP users. Subkeys:

  • username: Mandatory, string. Username.
  • password: Mandatory, string. Password.
  • path: Optional, string. Path to the htpasswd file. Defaults to /etc/httpd/.htpasswd.
  • state: Optional, string. Either present or absent. Defaults to present.

[]

apache_httpd__limit_vhosts

List. Checks if the conf_server_name is in the list and only deploys those. Can be used on the CLI to speed up the deployment on large proxy servers, e.g. --extra-vars='apache_httpd__limit_vhosts=["test.example.com"]'.

unset

apache_httpd__mods__group_var / apache_httpd__mods__host_var

List. List of dictionaries of mods-available/mods-enabled files.
Subkeys:
* filename: Mandatory, string. Destination filename in mods-available/, and normally is equal to the name of the source template used. Will be suffixed with .conf.
* enabled: boolean. Defaults to true. Creates a symlink to mods-available/<keyname>.mods in mods-enabled/ (true), otherwise the link is removed (false).
* state: string. mods-available/<keyname>.conf is created (present), otherwise file is removed (absent).
* template: string. Name of the Ansible Jinja template source file to use. If omitted, filename is used.
See example below.

Have a look

apache_httpd__packages__group_var / apache_httpd__packages__host_var

List. List of dictionaries of packages to install, related to Apache, using the OS package manager. Possible options:
* name: Mandatory, string. The package name.
* state: Mandatory, string. State of the package, one of present, absent. Packages are removed first and then added.

Have a look

apache_httpd__skip_document_root_chown

Boolean. Set to true to skip the chown -R apache:apache of the document root.

false

apache_httpd__skip_php_fpm

Boolean. Skip PHP configuration globally and in each vHost within Apache.

false

apache_httpd__systemd_enabled

Boolean. Whether the Apache webserver service should start on boot (true) or not (false).

true

apache_httpd__systemd_state

String. Make sure Apache webserver service is in a specific state. Possible options:
* reloaded
* restarted
* started
* stopped

'started'

Example:

# optional - role-specific
apache_httpd__conf__host_var:
  - filename: 'deflate'
    enabled: true
    state: 'present'
    template: 'deflate'
apache_httpd__htpasswd__host_var:
  - username: 'test-user'
    password: 'linuxfabrik'
    state: 'present'
apache_httpd__limit_vhosts:
    - 'test.example.com'
apache_httpd__mods__host_var:
  - filename: 'alias'
    enabled: true
    state: 'present'
    template: 'alias'
  - filename: 'authn_core'
    enabled: false # overwrite the default
    state: 'absent' # overwrite the default
    template: 'authn_core'
apache_httpd__packages__host_var:
  - name: 'mod_qos'
    state: 'present'
apache_httpd__skip_document_root_chown: true
apache_httpd__skip_php_fpm: false
apache_httpd__systemd_enabled: true
apache_httpd__systemd_state: 'started'

Mandatory Role Variables - vHosts

apache_httpd__vhosts__group_var / apache_httpd__vhosts__host_var:

Variable

Description

conf_server_name

Mandatory, string. Set this variable for each vHost definition. Although this is just best practice, we would never use a vHost without a ServerName.

Example:

# mandatory
apache_httpd__vhosts__host_var:
  # Application vHosts
  - template: 'app'
    conf_server_name: 'myapp.example.com'

Optional Role Variables - vHosts

Using apache_httpd__vhosts__group_var or apache_httpd__vhosts__host_var (which are dictionaries), you define vHosts for Apache. The example below is complete; use it as a starting point.

Types of vHosts:

  • app
    A hardened vHost running an application like Nextcloud, Wordpress etc. with the most common options. Can be extended by using the raw variable.

  • localhost
    A hardened, pre-defined VirtualHost just listening on https://localhost, and only accessible from localhost. Due to its naming, it is the first defined vHost. Useful for Apache status info etc. Can be extended by using the raw variable. The following URLs are pre-configured, accessible just from localhost: /fpm-ping, /fpm-status, /monitoring.php, /server-info, /server-status.

  • proxy
    A typical hardened reverse proxy vHost. Can be extended by using the raw variable. This proxy vHost definition prevents Apache from functioning as a forward proxy server (inside > out).

  • redirect
    A vHost that redirects from one port (default „80“) to another (default „443“). Custom redirect rules can be provided using the raw variable.

  • raw
    If none of the above vHost templates fit, use the raw one and define everything except <VirtualHost> and </VirtualHost> completely from scratch.

  • wordpress
    A special vHost just for deploying WordPress instances.

„Hardened“ means among other things:

  • Old HTTP protocol (< HTTP/1.1) versions are disallowed.

  • IP address based requests are disallowed.

  • Number of bytes that are allowed in a request are limited.

  • etc.

This role creates a vHost named localhost by default. Have a look at the defaults/main.yml

Variable

Description

Default Value

allow_accessing_dotfiles

Boolean. app-vHosts block access to files that begin with a period. With this setting you can disable this behavior.

false

allow_requests_without_hostname

Boolean. app-vHosts forbid accessing them without a hostname / just by IP. With this setting you can disable this behavior.

false

allowed_file_extensions

List. app- and localhost-vHosts block ALL file extensions by default (including .gitignore, .svn, .htaccess, .hg, .bzr etc.), unless specifically allowed. Use find {{ apache_httpd__conf_document_root }} -type f -name '*.*' | awk -F. '{print $NF }' | sort --unique | sed -e 's/^/- \x27/' -e 's/$/\x27/' to compile a list of the file extensions that are currently present in your application. Note: The vHost templates already ensure that files and folders starting with a dot („.“) are forbidden. Use skip_allowed_file_extensions to allow all file extensions.

* app: ['css', 'gif', 'html?', 'ico', 'jpe?g', 'js', 'pdf', 'php', 'png', 'svg', 'ttf', 'txt', 'woff2?']
* localhost: ['css', 'gif', 'html?', 'ico', 'jpe?g', 'js', 'pdf', 'php', 'png', 'svg', 'ttf', 'txt', 'woff2?']

allowed_http_methods

List. Should be used to disable unwanted HTTP methods. Only the explicitly listed ones are allowed. Use skip_allowed_http_methods to allow all HTTP methods. Returns a 405 - Method Not Allowed if a forbidden HTTP method is used.
* This does not disable TRACE.
* Always enable GET and OPTIONS at least. For an OPTIONS request, Apache always returns Allow: GET,POST,OPTIONS,HEAD, no matter what.
* We are NOT using LimitExcept, because this directive is not allowed in a VirtualHost context.

Available HTTP methods:
* CONNECT
* DELETE
* GET
* HEAD
* OPTIONS
* PATCH
* POST
* PUT

Available WebDAV methods:
* COPY
* LOCK
* MKCOL
* MOVE
* PROPFIND
* PROPPATCH
* UNLOCK

* app: ['GET', 'OPTIONS']
* localhost: ['GET', 'OPTIONS']
* proxy: ['GET', 'OPTIONS']

authz_document_root

String. Authorization statement for the DocumentRoot {{ apache_httpd__conf_document_root }}/{{ conf_server_name }} directive.

* app: 'Require all granted'
* localhost: 'Require all granted'

by_role

String. If defined it results in a comment # Generated by Ansible role: {{ by_role }} at the beginning of a vHost definition.

* app: unset
* localhost: unset
* proxy: unset
* raw: unset
* redirect: unset

comment

String. Describes the vHost and results in a comment right above the <VirtualHost> section.

* app: 'no description available'
* localhost: 'no description available'
* proxy: 'no description available'
* raw: 'no description available'

conf_allow_override

String. Will be set in the <Directory> directive of the vHost.
Apache Directive

* app: 'None'
* localhost: 'None'

conf_custom_log

String. Apache Directive. The log format has to be one of
* agent
* combined
* combinedio
* common
* debug
* fail2ban
* linuxfabrikio
* matomo
* referer
* vhost_common

* app: 'logs/{{ conf_server_name }}-access.log linuxfabrikio'
* localhost: 'logs/{{ conf_server_name }}-access.log linuxfabrikio'
* proxy: 'logs/{{ conf_server_name }}-access.log linuxfabrikio'

conf_directory_index

String. Apache Directive

* app: {{ apache_httpd__mod_dir_directory_index }}

conf_document_root

String. Apache Directive

* app: {{ apache_httpd__conf_document_root}}/{{ conf_server_name }}
* localhost: {{ apache_httpd__conf_document_root}}/{{ conf_server_name }}

conf_error_log

String. Apache Directive

* app: logs/{{ conf_server_name }}-error.log
* localhost: logs/{{ conf_server_name }}-error.log
* proxy: logs/{{ conf_server_name }}-error.log

conf_keep_alive_timeout

Number. CIS: Do not set it above 15 seconds.
Apache Directive

* app: 5
* localhost: 5
* proxy: 5

conf_log_level

String. Apache Directive

* app: 'notice core:info'
* localhost: 'notice core:info'
* proxy: 'notice core:info'

conf_options

String. Sets the Options for the <Directory> directive.
Apache Directive

* app: 'None'
* localhost: 'None'

conf_proxy_error_override

String. If you want to have a common look and feel on the error pages seen by the end user, set this to „On“ and define them on the reverse proxy server.
Apache Directive

* proxy: 'On'

conf_proxy_preserve_host

String. When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.
Apache Directive

'Off'

conf_proxy_timeout

Number. Apache Directive

5

conf_request_read_timeout

Number. CIS:
* Do not set the Timeout Limits for Request Headers above 40.
* Do not set the Timeout Limits for the Request Body above 20.
Apache Directive

* app: 'header=20-40,MinRate=500 body=20,MinRate=500'
* localhost: 'header=20-40,MinRate=500 body=20,MinRate=500'
* proxy: 'header=20-40,MinRate=500 body=20,MinRate=500'

conf_server_admin

String. Apache Directive

* app: {{ apache_httpd__conf_server_admin }}
* localhost: {{ apache_httpd__conf_server_admin }}
* proxy: {{ apache_httpd__conf_server_admin }}

conf_server_alias

List. Set this only if you need more than one conf_server_name.
Apache Directive

* app: unset
* localhost: unset
* proxy: unset

conf_server_name

String. Apache Directive

* app: unset
* localhost: unset
* proxy: unset
* redirect: unset

conf_timeout

Number. Apache Directive

* app: {{ apache_httpd__conf_timeout }}
* localhost: {{ apache_httpd__conf_timeout }}
* proxy: {{ apache_httpd__conf_timeout }}

enabled

Boolean. Enable this vHost.

true

filename

String. The filename of the vHost definition. If not set it defaults to the conf_server_name variable. If not set, the filename is automatically suffixed by .virtualhost_port.conf.

conf_server_name.virtualhost_port.conf

php_set_handler

String. Set the handler for PHP
* socket-based: SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
* network-based: SetHandler "proxy:fcgi://127.0.0.1:9000/"

* app: 'SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"'
* localhost: 'SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"'

raw

String. It is sometimes desirable to pass variable content that Jinja would handle as variables or blocks. Jinja’s {% raw %} statement does not work in Ansible. The best and safest solution is to declare raw variables as !unsafe, to prevent templating errors and information disclosure.

* app: unset
* localhost: unset
* proxy: unset
* raw: unset
* redirect: unset

skip_allowed_file_extensions

Boolean. Skips checking file extensions in app- and localhost-vHosts, allowing essentially all file extensions.

false

skip_allowed_http_methods

Boolean. Skips checking the HTTP methods in app-, localhost-, proxy-, wordpress-vHosts, allowing essentially all HTTP methods.

false

state

String. Should the vhost definition file be created (present) or deleted (absent).

* app: unset
* localhost: 'present'
* proxy: unset
* raw: unset
* redirect: unset

template

String. Have a look at the intro of this paragraph.

unset

virtualhost_ip

String. Used within the <VirtualHost {{ virtualhost_ip }}:{{ virtualhost_port }}> directive.

* app: '*'
* localhost: '*'
* proxy: '*'
* raw: '*'
* redirect: '*'

virtualhost_port

Number. Used within the <VirtualHost {{ virtualhost_ip }}:{{ virtualhost_port }}> directive.

* app: 443
* localhost: 443
* proxy: 443
* raw: 443
* redirect: 80

Example: Have a look here.
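
The CIS ceilings quoted in the global (core) variable table and in the vHost table above can be checked before a deployment. The following is an added example, not part of the role or of its audit script: the function names and the sample host_vars are constructed, and only the ceilings and defaults are taken from this page.

```python
import re

# CIS ceilings as quoted in the variable descriptions on this page.
GLOBAL_CEILINGS = {
    'apache_httpd__conf_keep_alive_timeout': 15,
    'apache_httpd__conf_limit_request_body': 102400,
    'apache_httpd__conf_limit_request_field_size': 1024,
    'apache_httpd__conf_limit_request_fields': 100,
    'apache_httpd__conf_limit_request_line': 512,
    'apache_httpd__conf_timeout': 10,
}
# Role defaults from this page; they apply whenever a variable is not set.
GLOBAL_DEFAULTS = {
    'apache_httpd__conf_keep_alive_timeout': 5,
    'apache_httpd__conf_limit_request_body': 102400,
    'apache_httpd__conf_limit_request_field_size': 8190,
    'apache_httpd__conf_limit_request_fields': 100,
    'apache_httpd__conf_limit_request_line': 8190,
    'apache_httpd__conf_timeout': 10,
}
VHOST_TEMPLATES = ('app', 'localhost', 'proxy')  # templates with documented defaults
VHOST_READ_TIMEOUT_DEFAULT = 'header=20-40,MinRate=500 body=20,MinRate=500'
READ_TIMEOUT_CEILINGS = {'header': 40, 'body': 20}
STAGE_RE = re.compile(r'\b(handshake|header|body)=(\d+)(?:-(\d+))?', re.IGNORECASE)


def read_timeout_ceilings(value):
    """Map each stage of a RequestReadTimeout value to its highest timeout.

    'header=20-40' yields 40 (the maxtimeout), 'body=20' yields 20.
    """
    return {stage.lower(): int(high or low)
            for stage, low, high in STAGE_RE.findall(value)}


def audit(host_vars):
    """Return (scope, setting, value, ceiling) tuples for every deviation."""
    findings = []
    for name, ceiling in GLOBAL_CEILINGS.items():
        value = int(host_vars.get(name, GLOBAL_DEFAULTS[name]))
        if value > ceiling:
            findings.append(('global', name, value, ceiling))
    trace = host_vars.get('apache_httpd__conf_trace_enable', 'Off')
    # An unquoted YAML "On" is loaded as boolean True, so accept both forms.
    if trace is True or str(trace).lower() == 'on':
        findings.append(('global', 'apache_httpd__conf_trace_enable', trace, 'Off'))

    for vhost in host_vars.get('apache_httpd__vhosts__host_var', []):
        if vhost.get('template') not in VHOST_TEMPLATES:
            continue
        scope = vhost.get('conf_server_name', '<unnamed vHost>')
        keep_alive = int(vhost.get('conf_keep_alive_timeout', 5))
        if keep_alive > 15:
            findings.append((scope, 'conf_keep_alive_timeout', keep_alive, 15))
        stages = read_timeout_ceilings(
            vhost.get('conf_request_read_timeout', VHOST_READ_TIMEOUT_DEFAULT))
        for stage, ceiling in READ_TIMEOUT_CEILINGS.items():
            seconds = stages.get(stage)
            # 0 disables the timeout for that stage, so it counts as a deviation.
            if seconds is not None and (seconds == 0 or seconds > ceiling):
                findings.append(
                    (scope, f'conf_request_read_timeout[{stage}]', seconds, ceiling))
    return findings


# Constructed sample, shaped like host_vars after YAML loading.
SAMPLE_HOST_VARS = {
    'apache_httpd__conf_server_admin': 'webmaster@example.com',
    'apache_httpd__conf_timeout': 60,
    'apache_httpd__conf_trace_enable': 'On',
    'apache_httpd__vhosts__host_var': [
        {'template': 'app', 'conf_server_name': 'myapp.example.com',
         'conf_request_read_timeout': 'header=20-60,MinRate=500 body=30,MinRate=500'},
        {'template': 'proxy', 'conf_server_name': 'proxy.example.com',
         'conf_keep_alive_timeout': 5},
    ],
}

if __name__ == '__main__':
    for scope, setting, value, ceiling in audit(SAMPLE_HOST_VARS):
        print(f'{scope}: {setting} = {value!r} (CIS: {ceiling!r})')
```

With no variables set at all, the check still reports apache_httpd__conf_limit_request_field_size and apache_httpd__conf_limit_request_line, because the role defaults of 8190 are deliberately above the CIS values.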

Optional Role Variables - mod_dir

Variable

Description

Default Value

apache_httpd__mod_dir_directory_index

String. Apache Directive

'index.html index.htm index.txt'

Example:

# optional - mod_dir
apache_httpd__mod_dir_directory_index: 'index.html'

Optional Role Variables - mod_log_config

This module is for flexible logging of client requests. Logs are written in a customizable format, and may be written directly to a file, or to an external program. Conditional logging is provided so that individual requests may be included or excluded from the logs based on characteristics of the request.

Variable

Description

Default Value

apache_httpd__mod_log_config_custom_log

String. One of
* agent
* combined
* combinedio
* common
* debug
* fail2ban
* linuxfabrikio
* matomo
* referer
* vhost_common
Apache Directive

unset

Example:

# optional - mod_log_config
apache_httpd__mod_log_config_custom_log: 'logs/access.log combined'

Optional Role Variables - mod_security (security2)

Variable

Description

Default Value

apache_httpd__mod_security_coreruleset_url

String. The OWASP ModSecurity Core Rule Set (CRS) Download URL. Change this if you are running your own mirror servers.

'https://github.com/coreruleset/coreruleset/archive'

apache_httpd__mod_security_coreruleset_version

String. The OWASP ModSecurity Core Rule Set (CRS) version number without „v“.

'4.4.0'

apache_httpd__skip_mod_security_coreruleset

Boolean. Skip the installation of the OWASP ModSecurity Core Rule Set (CRS).

true

Example:

# optional - mod_security
apache_httpd__mod_security_coreruleset_url: 'https://github.com/coreruleset/coreruleset/archive'
apache_httpd__mod_security_coreruleset_version: '4.4.0'
apache_httpd__skip_mod_security_coreruleset: true

Optional Role Variables - mod_ssl

Variable

Description

Default Value

apache_httpd__mod_ssl_ssl_use_stapling

String. Apache Directive

'on'

Example:

# optional - mod_ssl
apache_httpd__mod_ssl_ssl_use_stapling: 'on'

Optional Role Variables - mpm_common

Variable

Description

Default Value

apache_httpd__mpm_common_listen

List of numbers or strings. Apache Directive

[80]

Example:

# optional - mpm_common
apache_httpd__mpm_common_listen:
  - 80
  - '192.0.2.10:80'

Optional Role Variables - mpm_event_module

TLDR: event MPM: A variant of the worker MPM with the goal of consuming threads only for connections with active processing. See: http://httpd.apache.org/docs/2.4/mod/event.html

Event: Based on worker, this MPM goes one step further by optimizing how the parent process schedules tasks to the child processes and the threads associated to those. A connection stays open for 5 seconds by default and closes if no new event happens; this is the keep-alive directive default value, which retains the thread associated to it. The Event MPM enables the process to manage threads so that some threads are free to handle new incoming connections while others are kept bound to the live connections. Allowing re-distribution of assigned tasks to threads will make for better resource utilization and performance.

Best for PHP-FPM. Default.

Variable

Description

Default Value

apache_httpd__mpm_event_max_connections_per_child

Number. Apache Directive

0

apache_httpd__mpm_event_max_request_workers

Number. Apache Directive

400

apache_httpd__mpm_event_max_spare_threads

Number. Apache Directive

250

apache_httpd__mpm_event_min_spare_threads

Number. Apache Directive

75

apache_httpd__mpm_event_start_servers

Number. Apache Directive

3

apache_httpd__mpm_event_thread_limit

Number. Apache Directive

64

apache_httpd__mpm_event_threads_per_child

Number. Apache Directive

25

Example:

# optional - mpm_event_module
apache_httpd__mpm_event_max_connections_per_child: 0
apache_httpd__mpm_event_max_request_workers: 400
apache_httpd__mpm_event_max_spare_threads: 250
apache_httpd__mpm_event_min_spare_threads: 75
apache_httpd__mpm_event_start_servers: 3
apache_httpd__mpm_event_thread_limit: 64
apache_httpd__mpm_event_threads_per_child: 25

Optional Role Variables - mpm_prefork_module

TLDR: prefork MPM: Implements a non-threaded, pre-forking web server. See: http://httpd.apache.org/docs/2.4/mod/prefork.html

Pre-fork: A new process is created for each incoming connection reaching the server. Each process is isolated from the others, so no memory is shared between them, even if they are performing identical calls at some point in their execution. This is a safe way to run applications linked to libraries that do not support threading—typically older applications or libraries.

NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux boolean should be enabled, to allow graceful stop/shutdown.

This MPM is very self-regulating, so it is rarely necessary to adjust its configuration directives. Most important is that apache_httpd__mpm_prefork_max_request_workers be big enough to handle as many simultaneous requests as you expect to receive, but small enough to assure that there is enough physical RAM for all processes.

Best for Standard PHP running any version of mod_php. Does not work with http2.

Variable

Description

Default Value

apache_httpd__mpm_prefork_max_connections_per_child

Number. Apache Directive

0

apache_httpd__mpm_prefork_max_request_workers

Number. Apache Directive

256

apache_httpd__mpm_prefork_max_spare_threads

Number. Apache Directive

10

apache_httpd__mpm_prefork_min_spare_threads

Number. Apache Directive

5

apache_httpd__mpm_prefork_start_servers

Number. Apache Directive

5

Example:

# optional - mpm_prefork_module
apache_httpd__mpm_prefork_max_connections_per_child: 0
apache_httpd__mpm_prefork_max_request_workers: 256
apache_httpd__mpm_prefork_max_spare_servers: 10
apache_httpd__mpm_prefork_min_spare_servers: 5
apache_httpd__mpm_prefork_start_servers: 5

Optional Role Variables - mpm_worker_module

TLDR: worker MPM: Multi-Processing Module implementing a hybrid multi-threaded multi-process web server. See: http://httpd.apache.org/docs/2.4/mod/worker.html

Worker: A parent process is responsible for launching a pool of child processes, some of which are listening for new incoming connections, and others are serving the requested content. Each process is threaded (a single thread can handle one connection) so one process can handle several requests concurrently. This method of treating connections encourages better resource utilization, while still maintaining stability. This is a result of the pool of available processes, which often has free available threads ready to immediately serve new connections.

The most important directives used to control this MPM are apache_httpd__mpm_worker_threads_per_child, which controls the number of threads deployed by each child process and apache_httpd__mpm_worker_max_request_workers, which controls the maximum total number of threads that may be launched.

Best for mod_qos if you intend to use any connection level control directive („QS_Srv*“), which is normally done on a Reverse Proxy. Works with PHP-FPM, too.

Variable

Description

Default Value

apache_httpd__mpm_worker_max_connections_per_child

Number. Apache Directive

0

apache_httpd__mpm_worker_max_request_workers

Number. Apache Directive

400

apache_httpd__mpm_worker_max_spare_threads

Number. Apache Directive

250

apache_httpd__mpm_worker_min_spare_threads

Number. Apache Directive

75

apache_httpd__mpm_worker_start_servers

Number. Apache Directive

3

apache_httpd__mpm_worker_thread_limit

Number. Apache Directive

64

apache_httpd__mpm_worker_threads_per_child

Number. Apache Directive

25

Example:

# optional - mpm_worker_module
apache_httpd__mpm_worker_max_connections_per_child: 0
apache_httpd__mpm_worker_max_request_workers: 400
apache_httpd__mpm_worker_max_spare_threads: 250
apache_httpd__mpm_worker_min_spare_threads: 75
apache_httpd__mpm_worker_start_servers: 3
apache_httpd__mpm_worker_thread_limit: 64
apache_httpd__mpm_worker_threads_per_child: 25

Optional Role Variables - wsgi_python3_module

Variable

Description

Default Value

apache_httpd__wsgi_python_home

String. Apache Directive

/opt/python

apache_httpd__wsgi_python_path

String. Apache Directive

/var/www/html/python/

apache_httpd__wsgi_script_alias

String. Apache Directive

/ /var/www/html/python/index.py

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich