bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Fri 22 May '20 10:10 Post subject: Better cache config for Apache |
|
|
Hello,
Since I have a very small internet connection, I am looking to optimize the management of the Apache cache.
Here is my configuration:
Code: | # Configuration of Expires headers
ExpiresActive on
ExpiresDefault "access plus 12 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/ico "access plus 3 month"
ExpiresByType image/x-icon "access plus 3 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
<FilesMatch "\.(ico|pdf|flv|jpe?g|png|gif|swf|js|eot)$">
ExpiresActive On
ExpiresDefault "access plus 1 month"
</FilesMatch>
<IfModule headers_module>
Header set Connection keep-alive
Header append Cache-Control "public"
# Replaced further down by Header set X-Frame-Options "SAMEORIGIN" (the later "set" wins)
Header set X-Frame-Options DENY
# When serving user-supplied content, include an X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of ... TP_headers
# Currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008 ... pdate.aspx
# http://msdn.microsoft.com/en-us/library ... 41(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Header set X-Content-Type-Options "nosniff"
# Do not allow the browser to render the page inside a frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow (i)frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/doc ... me-Options
Header set X-Frame-Options "SAMEORIGIN"
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of ... TP_headers
Header set X-XSS-Protection "1; mode=block"
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|eot|woff)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
# 1 MONTH (30 days)
<FilesMatch "\.(jpg|jpeg|png|gif|swf|js|css)$">
Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
</FilesMatch>
# 3 HOURS
<FilesMatch "\.(txt|xml)$">
Header set Cache-Control "max-age=10800, proxy-revalidate"
</FilesMatch>
# NEVER CACHE - notice the extra directives
<FilesMatch "\.(php|cgi|pl)$">
Header set Cache-Control "max-age=30, private, no-store, no-cache, must-revalidate"
</FilesMatch>
<FilesMatch "\.(js|css|xml|gz)$">
Header append Vary: Accept-Encoding
</FilesMatch>
</IfModule>
|
I know that the subject is vast, but do you have any advice or comments to improve this management?
Thanks |
|
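An added example, not part of the original post: a Python check that parses a raw response header block and flags contradictions that overlapping Expires and Header rules like the ones above can leave in a response (`no-store` next to `max-age`, an `Expires` date that disagrees with `max-age`, a compressed body without `Vary: Accept-Encoding`, missing security headers). The sample response is constructed, and the function names are hypothetical.

```python
from email.utils import parsedate_to_datetime

# Constructed sample response (not captured from a real server).
SAMPLE = """\
HTTP/1.1 200 OK
Date: Fri, 22 May 2020 10:10:00 GMT
Content-Type: image/x-icon
Expires: Thu, 20 Aug 2020 10:10:00 GMT
Cache-Control: max-age=31536000, public
X-Frame-Options: SAMEORIGIN
Content-Encoding: gzip
"""

def parse_headers(raw):
    """Return {lower-case name: [values]} from a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings for one response."""
    h = parse_headers(raw)
    first = lambda n: h.get(n, [""])[0]
    findings = []
    cc = {}
    for part in ",".join(h.get("cache-control", [])).split(","):
        key, _, val = part.strip().lower().partition("=")
        if key:
            cc[key] = val
    if "no-store" in cc and ("public" in cc or cc.get("max-age", "0") != "0"):
        findings.append("cache-control: no-store mixed with public/max-age")
    if "max-age" in cc and first("expires") and first("date"):
        delta = parsedate_to_datetime(first("expires")) - parsedate_to_datetime(first("date"))
        if abs(delta.total_seconds() - int(cc["max-age"])) > 86400:
            findings.append("expires and max-age disagree (max-age wins)")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("x-content-type-options: nosniff missing")
    if first("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options missing or unexpected")
    if first("content-encoding") and "accept-encoding" not in first("vary").lower():
        findings.append("compressed response without Vary: Accept-Encoding")
    return findings
```

Feed it the header block saved from a request against each file type (image, script, PHP page) to see which rule actually took effect.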
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Fri 22 May '20 14:01 Post subject: |
|
|
You can also increase the speed using mod_deflate (I guess you already use it), TLS 1.3 to reduce SSL lookups, use mod_h[ttp]2, use mod_brotli for even better and faster compression. |
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Fri 22 May '20 14:05 Post subject: |
|
|
Yes, I try to use everything I can.
Mod deflate:
Code: | DeflateCompressionLevel 9
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE font/eot
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
# Don't compress binaries
# Match on the file extension only (literal dot, anchored at the end of the URI)
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|iso|tar|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|jpg|ico|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:pdf|avi|mov|mp3|mp4|rm|doc|xls)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.flv$ no-gzip dont-vary
# For proxies
Header append Vary User-Agent env=!dont-vary
SetOutputFilter DEFLATE
<IfModule brotli_module>
SetOutputFilter BROTLI_COMPRESS;DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|jpg|png|zip|pdf|rar)$ no-gzip no-brotli dont-vary
</IfModule>
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_add_header_count Yes
mod_gzip_send_vary Yes
mod_gzip_item_include file .(html?|xml|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule> |
Mod H2:
Code: | <IfModule h2_module>
# This can also set to "off" and turned on only for specific virtual hosts
H2Engine on
Protocols h2c http/1.1
</IfModule> |
Mod brotli is on, but without any special config.
But, for TLS 1.3, I don't know what to do to use it. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Sun 24 May '20 23:49 Post subject: |
|
|
Interesting, I only added this:
Code: | SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1 |
Because everything else was already in my config. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 26 May '20 13:38 Post subject: |
|
|
It has been a long time and I don't know why, but instead of the Expires* I switched to
Code: | FileETag MTime Size |
|
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
Posted: Tue 26 May '20 13:42 Post subject: |
|
|
It's a bit strange because I saw everywhere that it was better to deactivate ETag.
I used it before, but I fired it to use Expires.
But I don't know why Expires would be better. |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
bagu
Joined: 06 Jan 2011 Posts: 193 Location: France
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 26 May '20 15:47 Post subject: |
|
|
That is true, but mostly I don't use CDN for my websites. Sometimes I use a load balancer, but then there is a SAN attached, so the ETag is still the same. |
|
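The ETag discussion above, as an added example that is not part of the original thread: a Python model of conditional revalidation behind a load balancer, comparing a validator built from modification time and size (the fields `FileETag MTime Size` selects) with one that also includes the inode number. The stat records, function names and tag format are constructed for illustration and are not Apache's exact output.

```python
from collections import namedtuple

# Constructed stat records: the same file as seen by two back ends.
Stat = namedtuple("Stat", "inode mtime size")
NODE_A = Stat(inode=1048577, mtime=1590155400, size=5120)
NODE_B = Stat(inode=2097153, mtime=1590155400, size=5120)   # same content, other disk

def make_etag(st, fields=("mtime", "size")):
    """Build a validator from the chosen metadata fields (illustrative format)."""
    return '"' + "-".join(format(getattr(st, f), "x") for f in fields) + '"'

def _opaque(tag):
    """If-None-Match uses weak comparison, so a W/ prefix is ignored."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag

def respond(st, if_none_match=None, fields=("mtime", "size")):
    """Return (status, headers): 304 when the client's validator still matches."""
    etag = make_etag(st, fields)
    offered = [_opaque(t) for t in (if_none_match or "").split(",")]
    if "*" in offered or etag in offered:
        return 304, {"ETag": etag}
    return 200, {"ETag": etag, "Content-Length": str(st.size)}

def revalidate_across_nodes(fields):
    """Fetch from node A, then revalidate the cached copy against node B."""
    _, headers = respond(NODE_A, fields=fields)
    status, _ = respond(NODE_B, if_none_match=headers["ETag"], fields=fields)
    return status
```

With `("mtime", "size")` the second request is answered 304 from either node; with `("inode", "mtime", "size")` the tags differ per node and the body is sent again.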