Ansible Role apache_httpd

This role installs and configures a CIS-compliant Apache httpd.

Runs on

RHEL 8 (and compatible)

What this Role does

This role configures Apache in the same way as is usual on Debian systems, so quite different to upstream’s suggested way to configure the web server. This is because this role attempts to make adding and removing mods, virtual hosts, and extra configuration directives as flexible as possible, in order to make automating the changes and administering the server as easy as possible.

The config is split into several files forming the configuration hierarchy outlined below, all located in the /etc/httpd/ directory:

/etc/httpd/
`-- httpd.conf
`-- conf-available/
`-- conf-enabled/
`-- mods-available/
`-- mods-enabled/
`-- sites-available/
`-- sites-enabled/

We try to avoid using <IfModule> in the global Apache configuration as well as in the configuration of the vhosts as much as possible in order to facilitate debugging. Otherwise, when using <IfModule>, configuration options are silently dropped, and their absence is very difficult to notice.

For flexibility, use the raw variable to configure the following topics (have a look at the „Apache vHost Configs“ section for some examples):

SSL/TLS Certificates.
Quality of Service (mod_qos directives).
Proxy passing rules.
Any other configuration instructions not covered in the „Role Variables“ chapters.

If you want to check Apache with our STIG audit script, run it like this:

Apache Application Server:
./audit.py --lengthy --profile-name='CIS Apache HTTP Server 2.4' --profile-version='v2.0.0' --hostname=web --control-name-exclude='2\.4|2\.6|2\.8|5\.7|6\.6|6\.7
Apache Reverse Proxy Server:
./audit.py --lengthy --profile-name='CIS Apache HTTP Server 2.4' --profile-version='v2.0.0' --hostname=proxy --control-name-exclude='2\.4|2\.6|2\.8|5\.7

What this Role doesn’t do

PHP: This role prefers the use of PHP-FPM over PHP, but it does not install either.
SELinux: Use specialized roles to set specific SELinux Booleans, Policies etc.

Config Examples for vHosts

Have a look here.

Mandatory Requirements

On RHEL-compatible systems, enable the EPEL repository. This can be done using the linuxfabrik.lfops.repo_epel role.
Install the python3-passlib library. This can be done using the linuxfabrik.lfops.python role.

Optional Requirements

Install PHP and configure PHP-FPM. This can be done using the linuxfabrik.lfops.php role.

Tags

Tag	What it does
`apache_httpd`	* Installs and configures apache_httpd
`apache_httpd:config`	* Creates or updates global Apache configuration * Removes conf-available configs * Creates conf-available configs * Disables configs * Enables configs
`apache_httpd:htpasswd`	Manages htpasswd files.
`apache_httpd:matomo`	* Deploys Matomo Log Analytics Python Script
`apache_httpd:mod_security_coreruleset`	* Downloads, verifies and installs OWASP ModSecurity Core Rule Set (CRS) * Installs tar * Unarchives the CRS * Links the CRS
`apache_httpd:mods`	* Removes mods-available configs * Create mods-available configs * Disable mods * Enable mods
`apache_httpd:state`	* Ensures that httpd service is in a desired state
`apache_httpd:vhosts`	* Removes sites-available vHosts * Creates sites-available vHosts * Creates DocumentRoot for all vHosts * Disables vHosts * Enables vHosts

Mandatory Role Variables - Global Apache Config (core)

Variable	Description
`apache_httpd__conf_server_admin`	Mandatory, string. Apache Directive

Example:

# mandatory
apache_httpd__conf_server_admin: 'webmaster@example.com'

Optional Role Variables - Global Apache Config (core)

Variable	Description	Default Value
`apache_httpd__conf_add_default_charset`	String. Apache Directive	`'UTF-8'`
`apache_httpd__conf_document_root`	String. Apache Directive	`'/var/www/html'`
`apache_httpd__conf_enable_send_file`	String. Apache Directive	`'On'`
`apache_httpd__conf_error_log`	String. Apache Directive	`'syslog:local1'`
`apache_httpd__conf_hostname_lookups`	String. Apache Directive	`'Off'`
`apache_httpd__conf_keep_alive`	String. Apache Directive	`'On'`
`apache_httpd__conf_keep_alive_timeout`	Number. CIS: Do not set it above `15` seconds. Apache Directive	`5`
`apache_httpd__conf_limit_request_body`	Number. CIS: Do not set it above `102400`. Apache Directive	`102400`
`apache_httpd__conf_limit_request_field_size`	Number. CIS: Do not set it above `1024` - but this might be too small for any modern application which sets cookies in its Header. Apache Directive	`8190`
`apache_httpd__conf_limit_request_fields`	Number. CIS: Do not set it above `100`. Apache Directive	`100`
`apache_httpd__conf_limit_request_line`	Number. CIS: Do not set it above `512` - but this might be too small for any modern application which sets cookies in its Header. Apache Directive	`8190`
`apache_httpd__conf_log_level`	String. Apache Directive	`'warn'`
`apache_httpd__conf_max_keep_alive_requests`	Number. Apache Directive	`500`
`apache_httpd__conf_server_name`	String. Mandatory, string. Apache Directive	`'localhost'`
`apache_httpd__conf_timeout`	Number. CIS: Do not set it above `10` seconds. Apache Directive	`10`
`apache_httpd__conf_trace_enable`	String. CIS: Do not set it to `'On'`. Apache Directive	`'Off'`

Example:

# optional - core
apache_httpd__conf_add_default_charset: 'UTF-8'
apache_httpd__conf_document_root: '/var/www/html'
apache_httpd__conf_enable_send_file: 'On'
apache_httpd__conf_error_log: 'syslog:local1'
apache_httpd__conf_hostname_lookups: 'Off'
apache_httpd__conf_keep_alive: 'On'
apache_httpd__conf_keep_alive_timeout: 5
apache_httpd__conf_limit_request_body: 102400
apache_httpd__conf_limit_request_field_size: 8190
apache_httpd__conf_limit_request_fields: 100
apache_httpd__conf_limit_request_line: 8190
apache_httpd__conf_log_level: 'warn'
apache_httpd__conf_max_keep_alive_requests: 500
apache_httpd__conf_server_name: 'localhost'
apache_httpd__conf_timeout: 10
apache_httpd__conf_trace_enable: 'Off'

Optional Role Variables - Specific to this role

Variable	Description	Default Value
`apache_httpd__conf__group_var` / `apache_httpd__conf__host_var`	List. List of dictionaries of `conf-available`/`conf-enabled` files. Subkeys: * `filename`: Mandatory, string. Destination filename in `conf-available/`, and normally is equal to the name of the source `template` used. Will be suffixed with `.conf`. * `enabled`: boolean. Defaults to `true`. Creates a symlink to `conf-available/<keyname>.conf` in `conf-enabled/` (`true`), otherwise the link is removed (`false`). * `state`: string. `conf-available/<keyname>.conf` is created (`present`), otherwise file is removed (`absent`). * `template`: Mandatory, string. Name of the Jinja template source file to use. See example below.	Have a look
`apache_httpd__htpasswd__group_var` / `apache_httpd__htpasswd__host_var`	List of dictionaries containing used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. Subkeys: `username`: Mandatory, string. Username. `password`: Mandatory, string. Password. `path`: Optional, string. Path to the htpasswd file. Defaults to `/etc/httpd/.htpasswd`. `state`: Optional, string. Either `present` or `absent`. Defaults to `present`.	`[]`
`apache_httpd__limit_vhosts`	List. Checks if the `conf_server_name` is in the list and only deploys those. Can be used on the CLI to speed up the deployment on large proxy servers, e.g. `--extra-vars='apache_httpd__limit_vhosts=["test.example.com"]'`.	unset
`apache_httpd__mods__group_var` / `apache_httpd__mods__host_var`	List. List of dictionaries of `mods-available`/`mods-enabled` files. Subkeys: * `filename`: Mandatory, string. Destination filename in `mods-available/`, and normally is equal to the name of the source `template` used. Will be suffixed with `.conf`. * `enabled`: boolean. Defaults to `true`. Creates a symlink to `mods-available/<keyname>.mods` in `mods-enabled/` (`true`), otherwise the link is removed (`false`). * `state`: string. `mods-available/<keyname>.conf` is created (`present`), otherwise file is removed (`absent`). * `template`: string. Name of the Ansible Jinja template source file to use. If ommited, `filename` is used. See example below.	Have a look
`apache_httpd__packages__group_var` / `apache_httpd__packages__host_var`	List. List of dictionaries of packages to install, related to Apache, using the OS package manager. Possible options: * `name`: Mandatory, string. The package name. * `state`: Mandatory, string. State of the package, one of `present`, `absent`. Packages are removed first and then added.	Have a look
`apache_httpd__skip_document_root_chown`	Boolean. Set to true to skip the `chown -R apache:apache` of the document root.	`false`
`apache_httpd__skip_php_fpm`	Boolean. Skip PHP configuration globally and in each vHost within Apache.	`false`
`apache_httpd__systemd_enabled`	Boolean. Whether the Apache webserver service should start on boot (`true`) or not (`false`).	`true`
`apache_httpd__systemd_state`	String. Make sure Apache webserver service is in a specific state. Possible options: * `reloaded` * `restarted` * `started` * `stopped`	`'started'`

Example:

# optional - role-specific
apache_httpd__conf__host_var:
  - filename: 'deflate'
    enabled: true
    state: 'present'
    template: 'deflate'
apache_httpd__htpasswd__host_var:
  - username: 'test-user'
    password: 'linuxfabrik'
    state: 'present'
apache_httpd__limit_vhosts:
    - 'test.example.com'
apache_httpd__mods__host_var:
  - filename: 'alias'
    enabled: true
    state: 'present'
    template: 'alias'
  - filename: 'authn_core'
    enabled: false # overwrite the default
    state: 'absent' # overwrite the default
    template: 'authn_core'
apache_httpd__packages__host_var:
  - name: 'mod_qos'
    state: 'present'
apache_httpd__skip_document_root_chown: true
apache_httpd__skip_php_fpm: false
apache_httpd__systemd_enabled: true
apache_httpd__systemd_state: 'started'

Mandatory Role Variables - vHosts

apache_httpd__vhosts__group_var / apache_httpd__vhosts__host_var:

Variable	Description
`conf_server_name`	Mandatory, string. Set this variable for each vHost definition. Although this is just best practise, we would never use a vHost without a ServerName.

Example:

# mandatory
apache_httpd__vhosts__host_var:
  # Application vHosts
  - template: 'app'
    conf_server_name: 'myapp.example.com'

Optional Role Variables - vHosts

Using apache_httpd__vhosts__group_var or apache_httpd__vhosts__host_var (which are dictionaries), you define vHosts for Apache. The example below shows a complete example, use this as a starting point.

Types of vHosts:

app
A hardened vHost running an application like Nextcloud, Wordpress etc. with the most common options. Can be extended by using the raw variable.
localhost
A hardened, pre-defined VirtualHost just listening on https://localhost, and only accessible from localhost. Due to its naming, it is the first defined vHost. Useful for
Apache status info etc. Can be extended by using the raw variable. The following URLs are pre-configured, accessible just from localhost: /fpm-ping, /fpm-status, /monitoring.php, /server-info, /server-status.
proxy
A typical hardened reverse proxy vHost. Can be extended by using the raw variable. This proxy vHost definition prevents Apache from functioning as a forward proxy
server (inside > out).
redirect
A vHost that redirects from one port (default „80“) to another (default „443“). Custom redirect rules can be provided using the raw variable.
raw
If none of the above vHost templates fit, use the raw one and define everything except <VirtualHost> and </VirtualHost> completely from scratch.
wordpress
A special vHost just for deploying WordPress instances.

„Hardened“ means among other things:

Old HTTP protocol (< HTTP/1.1) versions are disallowed.
IP address based requests are disallowed.
Number of bytes that are allowed in a request are limited.
etc.

This role creates a vHost named localhost by default. Have a look at the defaults/main.yml |

Variable	Description	Default Value
`allow_accessing_dotfiles`	Boolean. app-vHosts block access to files that begin with a period. With this setting you can disable this behavior.	`false`
`allow_requests_without_hostname`	Boolean. app-vHosts forbid accessing them without a hostname / just by IP. With this setting you can disable this behavior.	`false`
`allowed_file_extensions`	List. app- and localhost-vHosts block ALL file extensions by default (including `.gitignore`, `.svn`, `.htaccess`, `.hg`, `.bzr` etc.), unless specifically allowed. Use `find {{ apache_httpd__conf_document_root }} -type f -name '.' \| awk -F. '{print $NF }' \| sort --unique \| sed -e 's/^/- \x27/' -e 's/$/\x27/'` to compile a list of the file extensions that are currently present in your application. Note: The vHost templates already ensure that files and folders starting with a dot („.“) are forbidden. Use `skip_allowed_file_extensions` to allow all file extensions.	* app: `['css', 'gif', 'html?', 'ico', 'jpe?g', 'js', 'pdf', 'php', 'png', 'svg', 'ttf', 'txt', 'woff2?']` * localhost: `['css', 'gif', 'html?', 'ico', 'jpe?g', 'js', 'pdf', 'php', 'png', 'svg', 'ttf', 'txt', 'woff2?']`
`allowed_http_methods`	List. Should be used to disable unwanted HTTP methods. Only the explicity listed ones are allowed. Use `skip_allowed_http_methods` to allow all HTTP methods. Returns a 405 - Method Not Allowed if a forbidden HTTP method is used. * This does not disable TRACE. * Always enable GET and OPTIONS at least. For an OPTIONS request, Apache always returns `Allow: GET,POST,OPTIONS,HEAD`, no matter what. * We are NOT using LimitExcept, because this directive is not allowed in a VirtualHost context. Available HTTP methods: * CONNECT * DELETE * GET * HEAD * OPTIONS * PATCH * POST * PUT Available WebDAV methods: * COPY * LOCK * MKCOL * MOVE * PROPFIND * PROPPATCH * UNLOCK	* app: `['GET', 'OPTIONS']` * localhost: `['GET', 'OPTIONS']` * proxy: `['GET', 'OPTIONS']`
`authz_document_root`	String. Authorization statement for the `DocumentRoot {{ apache_httpd__conf_document_root }}/{{ conf_server_name }}` directive.	* app: `'Require all granted'` * localhost: `'Require all granted'`
`by_role`	String. If defined it results in a comment `# Generated by Ansible role: {{ by_role }}` at the beginning of a vHost definition.	* app: unset * localhost: unset * proxy: unset * raw: unset * redirect: unset
`comment`	String. Describes the vHost and results in a comment right above the `<VirtualHost>` section.	* app: `'no description available'` * localhost: `'no description available'` * proxy: `'no description available'` * raw: `'no description available'`
`conf_allow_override`	String. Will be set in the `<Directory>` directive of the vHost. Apache Directive	* app: `'None'` * localhost: `'None'`
`conf_custom_log`	String. Apache Directive. The log format has to be of * `agent` * `combined` * `combinedio` * `common` * `debug` * `fail2ban` * `linuxfabrikio` * `matomo` * `referer` * `vhost_common`	* app: `'logs/{{ conf_server_name }}-access.log linuxfabrikio` * localhost: `'logs/{{ conf_server_name }}-access.log linuxfabrikio<`br> * proxy: `'logs/{{ conf_server_name }}-access.log linuxfabrikio`
`conf_directory_index`	String. Apache Directive	* app: `{{ apache_httpd__mod_dir_directory_index }}`
`conf_document_root`	String. Apache Directive	* app: `{{ apache_httpd__conf_document_root}}/{{ conf_server_name }}` * localhost: `{{ apache_httpd__conf_document_root}}/{{ conf_server_name }}`
`conf_error_log`	String. Apache Directive	* app: `logs/{{ conf_server_name }}-error.log` * localhost: `logs/{{ conf_server_name }}-error.log` * proxy: `logs/{{ conf_server_name }}-error.log`
`conf_keep_alive_timeout`	Number. CIS: Do not set it above ‚15‘ seconds. Apache Directive	* app: `5` * localhost: `5` * proxy: `5`
`conf_log_level`	String. Apache Directive	* app: `'notice core:info'` * localhost: `'notice core:info'` * proxy: `'notice core:info'`
`conf_options`	String. Sets the `Options` for the `<Directory>` directive. Apache Directive	* app: `'None'` * localhost: `'None'`
`conf_proxy_error_override`	String. If you want to have a common look and feel on the error pages seen by the end user, set this to „On“ and define them on the reverse proxy server. Apache Directive	* proxy: `'On'`
`conf_proxy_preserve_host`	String. When enabled, this option will pass the `Host:` line from the incoming request to the proxied host, instead of the hostname specified in the `ProxyPass` line. Apache Directive	`'Off'`
`conf_proxy_timeout`	Number. Apache Directive	`5`
`conf_request_read_timeout`	Number. CIS: * Do not set the Timeout Limits for Request Headers above 40. * Do not set the Timeout Limits for the Request Body above 20. Apache Directive	* app: `'header=20-40,MinRate=500 body=20,MinRate=500'` * localhost: `'header=20-40,MinRate=500 body=20,MinRate=500'` * proxy: `'header=20-40,MinRate=500 body=20,MinRate=500'`
`conf_server_admin`	String. Apache Directive	* app: `{{ apache_httpd__conf_server_admin }}` * localhost: `{{ apache_httpd__conf_server_admin }}` * proxy: `{{ apache_httpd__conf_server_admin }}`
`conf_server_alias`	List. Set this only if you need more than one `conf_server_name`. Apache Directive	* app: unset * localhost: unset * proxy: unset
`conf_server_name`	String. Apache Directive	* app: unset * localhost: unset * proxy: unset * redirect: unset
`conf_timeout`	Number. Apache Directive	* app: `{{ apache_httpd__conf_timeout }}` * localhost: `{{ apache_httpd__conf_timeout }}` * proxy: `{{ apache_httpd__conf_timeout }}`
`enabled`	Boolean. Enable this vHost.	`true`
`filename`	String. The filename of the vHost definition. If not set it defaults to the `conf_server_name` variable. If not set, the filename is automatically suffixed by `.virtualhost_port.conf`.	conf_server_name.virtualhost_port.conf
`php_set_handler`	String. Set the handler for PHP * socket-based: `SetHandler "proxy:unix:/run/php-fpm/www.sock\|fcgi://localhost"` * network-based: `SetHandler "proxy:fcgi://127.0.0.1:9000/"`	* app: `'SetHandler "proxy:unix:/run/php-fpm/www.sock\|fcgi://localhost"'` * localhost: `'SetHandler "proxy:unix:/run/php-fpm/www.sock\|fcgi://localhost"'`
`raw`	String. It is sometimes desirable to pass variable content that Jinja would handle as variables or blocks. Jinja’s `{% raw %}` statement does not work in Ansible. The best and safest solution is to declare `raw` variables as `!unsafe`, to prevent templating errors and information disclosure.	* app: unset * localhost: unset * proxy: unset * raw: unset * redirect: unset
`skip_allowed_file_extensions`	Boolean. Skips checking file extensions in app- and localhost-vHosts, allowing essentially all file extensions.	`false`
`skip_allowed_http_methods`	Boolean. Skips checking the HTTP methods in app- and localhost-vHosts, allowing essentially all HTTP methods.	`false`
`state`	String. Should the vhost definition file be created (`present`) or deleted (`absent`).	* app: unset * localhost: `'present'` * proxy: unset * raw: unset * redirect: unset
`template`	String. Have a look at the intro of this paragraph.	unset
`virtualhost_ip`	String. Used within the `<VirtualHost {{ virtualhost_ip }}:{{ virtualhost_port }}>` directive.	* app: `''` localhost: `''` proxy: `''` raw: `''` redirect: `'*'`
`virtualhost_port`	Number. Used within the `<VirtualHost {{ virtualhost_ip }}:{{ virtualhost_port }}>` directive.	* app: `443` * localhost: `443` * proxy: `443` * raw: `443` * redirect: `80`

Example: Have a look here.

Optional Role Variables - mod_dir

Variable	Description	Default Value
`apache_httpd__mod_dir_directory_index`	String. Apache Directive	`'index.html index.htm index.txt'`

Example:

# optional - mod_dir
apache_httpd__mod_dir_directory_index: 'index.html'

Optional Role Variables - mod_log_config

This module is for flexible logging of client requests. Logs are written in a customizable format, and may be written directly to a file, or to an external program. Conditional logging is provided so that individual requests may be included or excluded from the logs based on characteristics of the request.

Variable	Description	Default Value
`apache_httpd__mod_log_config_custom_log`	String. One of * `agent` * `combined` * `combinedio` * `common` * `debug` * `fail2ban` * `linuxfabrikio` * `matomo` * `referer` * `vhost_common` Apache Directive	unset

Example:

# optional - mod_log_config
apache_httpd__mod_log_config_custom_log: 'logs/access.log combined'

Optional Role Variables - mod_security (security2)

Variable	Description	Default Value
`apache_httpd__mod_security_coreruleset_checksum`	String. The OWASP ModSecurity Core Rule Set (CRS) SHA1 checksum according to your version.	`'https://github.com/coreruleset/coreruleset/archive'`
`apache_httpd__mod_security_coreruleset_url`	String. The OWASP ModSecurity Core Rule Set (CRS) Download URL. Change this if you are running your own mirror servers.	`'3.3.2'`
`apache_httpd__mod_security_coreruleset_version`	String. The OWASP ModSecurity Core Rule Set (CRS) version number without „v“.	`'sha1:63aa8ee3f3c9cb23f5639dd235bac1fa1bc64264'`
`apache_httpd__skip_mod_security_coreruleset`	Boolean. Skip the installation of the OWASP ModSecurity Core Rule Set (CRS).	`false`

Example:

# optional - mod_security
apache_httpd__mod_security_coreruleset_checksum: 'sha1:63aa8ee3f3c9cb23f5639dd235bac1fa1bc64264'
apache_httpd__mod_security_coreruleset_url: 'https://github.com/coreruleset/coreruleset/archive'
apache_httpd__mod_security_coreruleset_version: '3.3.2'
apache_httpd__skip_mod_security_coreruleset: true

Optional Role Variables - mpm_common

Variable	Description	Default Value
`apache_httpd__mpm_common_listen`	List of numbers or strings. Apache Directive	`[80]`

Example:

# optional - mpm_common
apache_httpd__mpm_common_listen:
  - 80
  - '192.0.2.10:80'

Optional Role Variables - mpm_event_module

TLDR: event MPM: A variant of the worker MPM with the goal of consuming threads only for connections with active processing. See: http://httpd.apache.org/docs/2.4/mod/event.html

Event: Based on worker, this MPM goes one step further by optimizing how the parent process schedules tasks to the child processes and the threads associated to those. A connection stays open for 5 seconds by default and closes if no new event happens; this is the keep-alive directive default value, which retains the thread associated to it. The Event MPM enables the process to manage threads so that some threads are free to handle new incoming connections while others are kept bound to the live connections. Allowing re-distribution of assigned tasks to threads will make for better resource utilization and performance.

Best for PHP-FPM. Default.

Variable	Description	Default Value
`apache_httpd__mpm_event_max_connections_per_child`	Number. Apache Directive	`0`
`apache_httpd__mpm_event_max_request_workers`	Number. Apache Directive	`400`
`apache_httpd__mpm_event_max_spare_threads`	Number. Apache Directive	`250`
`apache_httpd__mpm_event_min_spare_threads`	Number. Apache Directive	`75`
`apache_httpd__mpm_event_start_servers`	Number. Apache Directive	`3`
`apache_httpd__mpm_event_thread_limit`	Number. Apache Directive	`64`
`apache_httpd__mpm_event_threads_per_child`	Number. Apache Directive	`25`

Example:

# optional - mpm_event_module
apache_httpd__mpm_event_max_connections_per_child: 0
apache_httpd__mpm_event_max_request_workers: 400
apache_httpd__mpm_event_max_spare_threads: 250
apache_httpd__mpm_event_min_spare_threads: 75
apache_httpd__mpm_event_start_servers: 3
apache_httpd__mpm_event_thread_limit: 64
apache_httpd__mpm_event_threads_per_child: 25

Optional Role Variables - mpm_prefork_module

TLDR: prefork MPM: Implements a non-threaded, pre-forking web server. See: http://httpd.apache.org/docs/2.4/mod/prefork.html

Pre-fork: A new process is created for each incoming connection reaching the server. Each process is isolated from the others, so no memory is shared between them, even if they are performing identical calls at some point in their execution. This is a safe way to run applications linked to libraries that do not support threading—typically older applications or libraries.

NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux boolean should be enabled, to allow graceful stop/shutdown.

This MPM is very self-regulating, so it is rarely necessary to adjust its configuration directives. Most important is that apache_httpd__mpm_prefork_max_request_workers be big enough to handle as many simultaneous requests as you expect to receive, but small enough to assure that there is enough physical RAM for all processes.

Best for Standard PHP running any version of mod_php. Does not work with http2.

Variable	Description	Default Value
`apache_httpd__mpm_prefork_max_connections_per_child`	Number. Apache Directive	`0`
`apache_httpd__mpm_prefork_max_request_workers`	Number. Apache Directive	`256`
`apache_httpd__mpm_prefork_max_spare_threads`	Number. Apache Directive	`10`
`apache_httpd__mpm_prefork_min_spare_threads`	Number. Apache Directive	`5`
`apache_httpd__mpm_prefork_start_servers`	Number. Apache Directive	`5`

Example:

# optional - mpm_prefork_module
apache_httpd__mpm_prefork_max_connections_per_child: 0
apache_httpd__mpm_prefork_max_request_workers: 256
apache_httpd__mpm_prefork_max_spare_servers: 10
apache_httpd__mpm_prefork_min_spare_servers: 5
apache_httpd__mpm_prefork_start_servers: 5

Optional Role Variables - mpm_worker_module

TLDR: worker MPM: Multi-Processing Module implementing a hybrid multi-threaded multi-process web server. See: http://httpd.apache.org/docs/2.4/mod/worker.html

Worker: A parent process is responsible for launching a pool of child processes, some of which are listening for new incoming connections, and others are serving the requested content. Each process is threaded (a single thread can handle one connection) so one process can handle several requests concurrently. This method of treating connections encourages better resource utilization, while still maintaining stability. This is a result of the pool of available processes, which often has free available threads ready to immediately serve new connections.

The most important directives used to control this MPM are apache_httpd__mpm_worker_threads_per_child, which controls the number of threads deployed by each child process and apache_httpd__mpm_worker_max_request_workers, which controls the maximum total number of threads that may be launched.

Best for mod_qos if you intend to use any connection level control directive („QS_Srv*“), which is normally done on a Reverse Proxy. Works with PHP-FPM, too.

Variable	Description	Default Value
`apache_httpd__mpm_worker_max_connections_per_child`	Number. Apache Directive	`0`
`apache_httpd__mpm_worker_max_request_workers`	Number. Apache Directive	`400`
`apache_httpd__mpm_worker_max_spare_threads`	Number. Apache Directive	`250`
`apache_httpd__mpm_worker_min_spare_threads`	Number. Apache Directive	`75`
`apache_httpd__mpm_worker_start_servers`	Number. Apache Directive	`3`
`apache_httpd__mpm_worker_thread_limit`	Number. Apache Directive	`64`
`apache_httpd__mpm_worker_threads_per_child`	Number. Apache Directive	`25`

Example:

# optional - mpm_worker_module
apache_httpd__mpm_worker_max_connections_per_child: 0
apache_httpd__mpm_worker_max_request_workers: 400
apache_httpd__mpm_worker_max_spare_threads: 250
apache_httpd__mpm_worker_min_spare_threads: 75
apache_httpd__mpm_worker_start_servers: 3
apache_httpd__mpm_worker_thread_limit: 64
apache_httpd__mpm_worker_threads_per_child: 25

Optional Role Variables - wsgi_python3_module

Variable	Description	Default Value
`apache_httpd__wsgi_python_home`	String. Apache Directive	`/opt/python`
`apache_httpd__wsgi_python_path`	String. Apache Directive	`/var/www/html/python/`
`apache_httpd__wsgi_script_alias`	String. Apache Directive	`/ /var/www/html/python/index.py`

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich