>> does anyone know what is THE most efficient way to run apache? Is there
>> basically a very thin and secure version of "linux with apache" which is
>> optimised for a dedicated machine?
>My purpose would be to have several front end servers for load balancing
>purposes. They would only need to run Apache, PHP (with various
>extensions) and a postgresql database client.
Yep, separate processing and storage. As there's not much you can do
to split up the database into multiple machines, that's where your
bottleneck is going to be. But as the database machine only has the
database, the bottleneck isn't too close.
>If no one else has a better solution, the three that I had considered
>are: RedHat kickstart. It takes a little work to get going, but once
>done is pretty easy. You simply create a kickstart boot disk and then
>use the standard redhat install cd. You choose exactly what you want
>and let it do the partitioning and everything for you. The benefits of
>RedHat are that it's very easy to maintain. Another benefit is that
>it's very up-to-date. Unfortunately, its main disadvantage is that
>often, it's too up-to-date.
Hmm.. I'd recommend that you also specify the partitioning at least to
some extent in kickstart. The drawback here is still the horrendous
jungle of dependencies; it's amazing what all you'll need to drop out
to really keep the installation slim.
>Debian apt-get. The default install of debian (potato, haven't tried
>woody) is very minimal. It provides the bare essentials then you add to
>it what you need. The only problem is that I don't know of a way to do
>auto-installs which is a feature I would like.
I'm surprised to hear about the lack of auto-installs -- I don't have
experience with Debian, but had thought that there'd be some kind
of replication mechanism.
You might wish to take a look at Gentoo. It should be slim to start
with. But then, it apparently also is more up-to-date than RedHat.
But after all, RH isn't too bad. Considering the minimum disk sizes you
get nowadays, you can do more-or-less full install without a worry. And
there's still ample room for your data and web apps. Just get your own
things into a partition of their own -- this makes OS upgrades a lot
less painful.
The optimisation needed is mostly to find all places where you can turn
functionality off. Disable most all automation and services, and there
you should have a pretty good server. Limit network accessibility with
iptables (both incoming and outgoing!), and it's already rather secure.
Local security can be increased by uninstalling setuid things you don't
use (or turning off setuid bits where you're certain they aren't needed,
if uninstalling is not an option - f.ex. due to dependencies). Then just
keep up-to-date with security advisories related to those components you
do run (Apache, PHP, possibly SSL, others?), and you should fare just
fine - of course supposing you don't open holes of your own with the
WWW server-side programs (PHP etc).
--
Wolf a.k.a. Juha Laiho Espoo, Finland
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
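
The setuid cleanup suggested in the reply above can be checked with a small audit script. This is an added example, not part of the original post; the function names and the allowlist format (one absolute path per line, `#` comments) are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files
# against an allowlist. Function names and allowlist format are hypothetical.

# List regular files under $1 with the setuid or setgid bit set.
# -xdev keeps find on one filesystem, so /proc and network mounts are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print files under $1 that carry a setuid/setgid bit but are not named in
# allowlist $2 (one absolute path per line, '#' comments). Returns 1 if any.
audit_setid() (
    tmp=$(mktemp) || exit 2
    grep -v -e '^#' -e '^$' "$2" > "$tmp" || true
    unexpected=$(list_setid "$1" | grep -vxF -f "$tmp" || true)
    rm -f "$tmp"
    [ -z "$unexpected" ] && exit 0
    printf '%s\n' "$unexpected"
    exit 1
)

# Clear both bits on a file you are certain does not need them.
strip_setid() {
    chmod u-s,g-s "$1"
}

# Constructed demo tree: two setuid files, only one of them allowlisted.
demo_setid() (
    d=$(mktemp -d) || exit 2
    mkdir "$d/bin"
    for f in ping oldtool plain; do : > "$d/bin/$f"; chmod 755 "$d/bin/$f"; done
    chmod u+s "$d/bin/ping" "$d/bin/oldtool"
    printf '# constructed allowlist\n%s\n' "$d/bin/ping" > "$d/allow"
    audit_setid "$d/bin" "$d/allow" | sed "s|^$d||"   # prints /bin/oldtool
    strip_setid "$d/bin/oldtool"
    audit_setid "$d/bin" "$d/allow" && echo clean      # prints clean
    rm -rf "$d"
)

# Run the demo only when executed with the single argument "demo".
[ "${1:-}" = demo ] && demo_setid || true
```

On a real server, `audit_setid / /path/to/allowlist` run from cron flags any setuid file that appears after a package update or that was never reviewed.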