Configuring httpd.conf for security and performance.

Below is the default httpd.conf from our web hosting company, for a shared hosting environment where virtual hosts can (and will) be added.

What changes/additions should be made as this stands now to improve on security and/or performance?

Comments removed from code.

Thank you.



LoadModule php4_module modules/mod_php4-4.0.4-module-mysql-ftp-imap-freetype-gd.so
LoadModule rewrite_module modules/mod_rewrite.so


ResourceConfig /dev/null


AccessConfig /dev/null

HostnameLookups off

ServerAdmin webmaster@ourdomain.com

ServerRoot /usr/local/etc/httpd

ErrorLog logs/error_log

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""

TransferLog logs/access_log

ServerName www.ourdomain.com
ServerAlias ourdomain.com


KeepAlive On

MaxKeepAliveRequests 20

KeepAliveTimeout 5

MaxRequestsPerChild 500


TimeOut 600



NameVirtualHost 123.456.678.99:*


DocumentRoot /usr/local/etc/httpd/htdocs


DirectoryIndex index.html index.shtml index.php index.cgi index.php3 index.htm


FancyIndexing on

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif


ReadmeName README
HeaderName HEADER


IndexIgnore */.??* *~ *# */HEADER* */README* */RCS



AccessFileName .htaccess

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

DefaultType text/plain

Alias /icons/ /usr/local/etc/httpd/icons/

ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/

AddType application/x-httpd-php .php .php3 .phtml


AddHandler cgi-script .cgi

AddHandler server-parsed .shtml


<Directory />
AllowOverride None
</Directory>

<Directory /usr/local/etc/httpd/htdocs>

Options Indexes FollowSymLinks Includes

AllowOverride All

order allow,deny
allow from all

</Directory>

<Directory /usr/local/etc/httpd/cgi-bin>
AllowOverride None
Options None
</Directory>

<Directory /usr/local/etc/httpd/vhosts>
Options Indexes FollowSymLinks Includes
AllowOverride All
order allow,deny
allow from all
</Directory>

1) Your default docroot should be on a separate partition ( i.e. /www) like /www/htdocs. Putting it on a different partition has many advantages:
- specifically disabled suid
- ease of backup
- ease of implementing quota
- ease of adding suEXEC

2) <Directory /usr/local/etc/httpd/vhosts>
Options Indexes FollowSymLinks Includes
AllowOverride All

- disable FollowSymLinks. Are you sure they need that? If you are unsure, just disable it.
- you probably don't want AllowOverride All. Start here -> http://httpd.apache.org/docs/mod/co...l#allowoverride

3) TimeOut 600

- lower it to something like 300

For performance tuning, you need to tell us approximately how many users and the value of MinSpareServers, MaxSpareServers, MaxClients, StartServers, RLimitCPU and RLimitMem.