Anyone have any pointers for modules that can be disabled right off the bat? I’m running conventional LAMP setup, with varnish, memcache, and apc. Thanks
LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule log_config_module modules/mod_log_config.so LoadModule logio_module modules/mod_logio.so LoadModule env_module modules/mod_env.so LoadModule ext_filter_module modules/mod_ext_filter.so LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule headers_module modules/mod_headers.so LoadModule usertrack_module modules/mod_usertrack.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule mime_module modules/mod_mime.so LoadModule dav_module modules/mod_dav.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule info_module modules/mod_info.so LoadModule dav_fs_module modules/mod_dav_fs.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so LoadModule actions_module modules/mod_actions.so LoadModule speling_module modules/mod_speling.so LoadModule userdir_module modules/mod_userdir.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule cache_module modules/mod_cache.so LoadModule suexec_module modules/mod_suexec.so LoadModule disk_cache_module modules/mod_disk_cache.so LoadModule file_cache_module modules/mod_file_cache.so LoadModule cgi_module modules/mod_cgi.so LoadModule version_module modules/mod_version.so
Well, this is the starting point I use, which I pretty much got from TKL.
alias auth_basic (webdav) authn_file (webdav) authz_default (webdav) authz_groupfile (webdav) authz_host (webdav) autoindex cgi dav (webdav) dav_fs (webdav) deflate dir env headers mime negotiation perl php5 python reqtimeout rewrite setenvif ssl status
note: the authentication modules are all of the .htpasswd related stuff. i use them exclusively for webdav (dav and dav_fs), but you might have use beyond that. Also note that I use Basic and not Digest; it’s less secure, but if security is actually a concern for what I’m doing, I won’t use Apache for authentication at all.
I’d say that you can probably reduce yours to be equivalent to mine, and from there reduce it even more by disabling perl, python, cgi, ssl, dav, etc. if you don’t use them. I couldn’t really see myself disabling any of the following (based on some best practice in terms of serving content): alias, deflate, dir, headers, mime, negotiation, env & setenvif, reqtimeout, and rewrite.
Do you need perl, php5, and python? You can remove two modules there if you code your site in just one of them. You can probably get rid of the cgi module too. If you’re doing authentication, keep the ssl module around to encrypt the traffic.