Archive for the ‘Apache’ Category

Making Your Server More Stealthy – Version Wise

May 28th, 2009 Andrew Rankin

As far as security is concerned, advertising which software versions are running on your site is not a good idea. With almost any software, whether it's open source or not, if there is an exploitable bug and it's noted on the manufacturer's or project's website, there is very likely to be a version number associated with it. That being the case, if your server software describes itself as “Apache/2.2.0”, this can tell everyone whether you're vulnerable or not. To obfuscate this a bit, I suggest setting the following items in your Apache config:

ServerSignature Off
ServerTokens Prod
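
To confirm the change took effect, compare the banner headers before and after reloading Apache. The following is an added example, not code from the original post: it parses a raw HTTP response head and reports any product/version tokens or platform comments in the `Server` header. It also checks `X-Powered-By`, which goes beyond the two directives above. The function names and both sample responses are constructed for illustration.

```python
import re

# Headers that commonly carry product/version banners.
BANNER_HEADERS = ("server", "x-powered-by")
# A product token followed by a version, e.g. "Apache/2.2.0" or "PHP/5.2.6".
VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/(\d[\w.+-]*)")
# A parenthesised comment such as "(Unix)", emitted by the more verbose ServerTokens levels.
OS_COMMENT = re.compile(r"\(([^)]+)\)")


def parse_headers(raw):
    """Parse a raw HTTP response head into (status_line, {lowercased name: value})."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line ("HTTP/1.1 200 OK")
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_banner(raw):
    """Return a list of (header, finding) tuples; an empty list means no version leak."""
    _, headers = parse_headers(raw)
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSIONED_TOKEN.findall(value):
            findings.append((name, f"{product} version {version} disclosed"))
        for comment in OS_COMMENT.findall(value):
            findings.append((name, f"platform comment '{comment}' disclosed"))
    return findings


# Constructed sample responses (not captured from a real server).
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.0 (Unix) PHP/5.2.6\r\nContent-Type: text/html\r\n\r\n"
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_banner(raw) or "no version information in banner headers")
```

This covers response headers only; `ServerSignature` controls the footer on server-generated pages such as error documents, so check one of those pages separately.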

Categories: Apache, Lighty

Converting to lighttpd and dealing with .htaccess

May 8th, 2009 Andrew Rankin

I recently switched this server from Apache to Lighttpd (using PHP through FastCGI). It was easy enough and I ended up with much faster website serving. Unfortunately, I hit a snag on one of my sites that makes extensive use of .htaccess files for rewrites, which Lighttpd does not support. I didn’t want to bail on the whole switch because of a single site, so I looked around and came up with a simple solution: proxy to Apache through Lighttpd for items on that site (www.350z.ws). In Lighttpd’s config, this was very easy to accomplish:

# Proxy 350z.ws back to Apache
# Dots are escaped so they match a literal "." rather than any character
$HTTP["host"] =~ "www\.3(5|7)0z\.ws" {
        $HTTP["url"] !~ "(wp-content|wp-includes|css|js|php$|^/blog/$)" {
                proxy.server = ( "/" =>
                        ( "localhost" =>
                                ( "host" => "127.0.0.1", "port" => 81 )
                        )
                )
        }
}

Note that one (obvious) drawback is that you have to run Apache as well, but since I’m stopping most hits at Lighttpd by serving everything in wp-content, wp-includes, and anything with css, js or php in the name, I can greatly reduce the number of Apache processes I start and maintain. In my case, my Apache prefork config looks like this:

<IfModule mpm_prefork_module>
    StartServers          3
    MinSpareServers       2
    MaxSpareServers       5
    MaxClients          15
    MaxRequestsPerChild   10
</IfModule>

You’ll also notice I’m not proxying the folder where WordPress lives back to Apache either. This is because there are no rewrites for it specifically and it will get the majority of the hits.

Categories: Apache, Lighty