Dino Ciuffetti's blog (Bernardino, actually)

17 Sep 12 SSH local and remote tunnels

Sometimes you need to forward remote traffic to a local host through an SSH connection. In other words, you bind a given TCP port on a server running SSH, let remote clients connect to it, and have that traffic redirected to a local server.

    You may need to add the parameter GatewayPorts clientspecified to /etc/ssh/sshd_config on the SSH server and restart sshd. This allows SSH clients to bind the forwarded port to a given IP address; otherwise the remote port can only be reached from 127.0.0.1 on the server itself.

    Here is an example:

    • A TCP client wants to connect to 192.168.1.2 on TCP port 18443
    • You want to forward TCP traffic from 192.168.1.2:18443 to 11.22.33.44:18443
    • You have a client host with IP address 11.22.33.41 that can reach 11.22.33.44
    • You can establish a SSH connection from your client (11.22.33.41) to the remote server (192.168.1.2)

    In this situation, you can execute the following command to bind TCP port 18443 on the remote server:

    ssh -l root 192.168.1.2 -R:18443:11.22.33.44:18443

    Now adapt the command to your setup:

    • Substitute “root” with your SSH user on the remote SSH server
    • Substitute “192.168.1.2” with your remote SSH server IP/host
    • Substitute the first “18443” with the port your remote TCP clients need to connect to
    • Substitute “11.22.33.44” with the internal TCP server that should receive the traffic coming from the outside
    • Substitute the second “18443” with the TCP port listening on the internal host

    You can also do the reverse and let local traffic flow to an external host through an SSH connection.

    Here is another example:

    • You have a client host with IP address 11.22.33.41
    • A TCP client wants to connect to 11.22.33.41 (your IP) on TCP port 18443
    • You want to forward local TCP traffic from 11.22.33.41:18443 to 192.168.1.3:18443
    • You can establish a SSH connection from your client (11.22.33.41) to a remote server (192.168.1.2) that can reach 192.168.1.3

    In this situation, you can execute the following command to bind TCP port 18443 on your computer and forward it through the remote server:

    ssh -g -l root 192.168.1.2 -L18443:192.168.1.3:18443

    Now adapt the command to your setup:

    • Substitute “root” with your SSH user on the remote SSH server
    • Substitute “192.168.1.2” with your remote SSH server IP/host
    • Substitute the first “18443” with the port your local TCP clients need to connect to
    • Substitute “192.168.1.3” with the remote TCP server you want to reach from your local TCP clients
    • Substitute the second “18443” with the TCP port of the remote server
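Which interfaces the two commands above end up listening on depends on the bind address in the forwarding spec, on GatewayPorts and on -g. The sketch below is an added example, not part of the original post: it works that out from the rules documented in ssh(1) and sshd_config(5), with hypothetical function names and IPv4/hostname bind addresses only.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Rules follow ssh(1) (-L, -R, -g) and sshd_config(5) (GatewayPorts).
# Assumption: bind addresses are IPv4 addresses or hostnames (no [IPv6]).

# bind_field SPEC: "default" when SPEC has no bind address, "*" when the bind
# address is empty or "*", otherwise the address itself.
bind_field() {
    colons=$(printf '%s' "$1" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2) echo default ;;
        3) addr=${1%%:*}
           if [ -z "$addr" ] || [ "$addr" = '*' ]; then
               echo '*'
           else
               echo "$addr"
           fi ;;
        *) return 1 ;;
    esac
}

# remote_bind_scope GATEWAYPORTS SPEC: where sshd listens for "ssh -R SPEC".
remote_bind_scope() {
    req=$(bind_field "$2") || { echo invalid; return 1; }
    case $1 in
        no)  echo loopback ;;          # server forces loopback
        yes) echo all-interfaces ;;    # server forces the wildcard address
        clientspecified)
            case $req in
                default|localhost|127.0.0.1) echo loopback ;;
                '*') echo all-interfaces ;;
                *)   echo "$req" ;;
            esac ;;
        *) echo invalid; return 1 ;;
    esac
}

# local_bind_scope G SPEC: where the ssh client listens for "ssh [-g] -L SPEC".
# G is "g" when -g is on the command line, "" otherwise.
local_bind_scope() {
    req=$(bind_field "$2") || { echo invalid; return 1; }
    case $req in
        default) if [ "$1" = g ]; then echo all-interfaces; else echo loopback; fi ;;
        localhost|127.0.0.1) echo loopback ;;
        '*') echo all-interfaces ;;
        *)   echo "$req" ;;
    esac
}

# The two commands from the post, then variants bound to a single address.
echo "-R :18443:11.22.33.44:18443 (clientspecified): $(remote_bind_scope clientspecified ':18443:11.22.33.44:18443')"
echo "-g -L 18443:192.168.1.3:18443: $(local_bind_scope g '18443:192.168.1.3:18443')"
echo "-R 192.168.1.2:18443:11.22.33.44:18443 (clientspecified): $(remote_bind_scope clientspecified '192.168.1.2:18443:11.22.33.44:18443')"
echo "-L 11.22.33.41:18443:192.168.1.3:18443: $(local_bind_scope '' '11.22.33.41:18443:192.168.1.3:18443')"
```

Naming the bind address in the spec keeps the forwarded port off interfaces that do not need it; a host firewall rule on the listening port narrows it further.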

     

    03 Sep 12 apache2 + mod_fastcgi + php 5.3 + PHP-FPM

    This is a very quick guide to get your feet wet with PHP 5.3 + PHP-FPM fastcgi support and the apache webserver.
    PHP-FPM is basically a fastcgi compliant pool of PHP processes spawned on the system, ready to quickly accept connections, for example via TCP. It’s generally used to greatly improve PHP scalability, security and performance.

    Start by installing apache, no matter if it’s a binary installation or if it’s compiled from source code (I assume this step is already done).

    Once you have a valid apache installation, you need to compile the mod_fastcgi module.
    NOTE: don’t use mod_fcgid or any other fastcgi provider but mod_fastcgi: it has proved to be stable and to work well with PHP-FPM.

    To install mod_fastcgi you have to:

    1. download mod_fastcgi: http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
    2. untar the package, then compile the apache module with: /your_apache_path/bin/apxs -o mod_fastcgi.so -c *.c
    3. install the module with: /your_apache_path/bin/apxs -i -a -n fastcgi .libs/mod_fastcgi.so

    Now, compile PHP with fpm support, or install an already compiled PHP binary package.

    Here I’ll cover how to compile it from source.

    Start by downloading the latest php 5.3 version from http://www.php.net/downloads.php

    When you are done, untar the PHP source package and enter the extracted php-5.3.x directory.
    Now create a file called conf.sh and put this inside it:

    ./configure  \
    --prefix=/usr/local/php53 \
    --with-libdir=lib64 \
    --enable-pcntl \
    --enable-mbstring=shared \
    --enable-mbregex \
    --with-gd=shared \
    --enable-bcmath=shared \
    --with-xmlrpc=shared \
    --with-mysql=shared,/usr \
    --with-mysqli=shared,/usr/bin/mysql_config \
    --enable-dom=shared \
    --enable-soap=shared \
    --with-xsl=shared,/usr \
    --enable-xmlreader=shared --enable-xmlwriter=shared \
    --with-pdo-mysql=shared,/usr \
    --enable-json=shared \
    --enable-zip=shared \
    --with-readline \
    --with-jpeg-dir=/usr \
    --with-png-dir=/usr \
    --with-pear \
    --with-ldap=shared \
    --enable-fpm \
    --with-fpm-user=apache \
    --with-fpm-group=apache

    Your mileage may vary here, so please double check row by row whether you need to modify something. The FPM part is the last 3 lines.

    NOTE: you cannot compile PHP as FPM and SAPI at the same time.

    Now, make the file executable with: chmod 755 conf.sh
    and run it with: ./conf.sh

    Wait until the configure script is done. If no errors are encountered you can proceed with make and make install as usual.
    Remember to create the php.ini configuration file if you need it.
    You should now end up with a fresh PHP installation in /usr/local/php53 (or whatever path you gave to the prefix configure option).

    Ok, now it’s time to configure php-fpm (replace /usr/local/php53 with your path if it’s different):

    cd /usr/local/php53/etc
    cp php-fpm.conf.default php-fpm.conf
    vi php-fpm.conf

    You generally don’t need to modify anything here, but you can adjust it if you want.
    Now start the php-fpm process pool by running this command as the root user: /usr/local/php53/sbin/php-fpm

    If everything went OK you should have some processes up and running, something like this:

    25976 ?        Ss     0:00 php-fpm: master process (/usr/local/php53/etc/php-fpm.conf)
    4945 ?        S      0:00  \_ php-fpm: pool www
    4946 ?        S      0:00  \_ php-fpm: pool www
    4947 ?        S      0:00  \_ php-fpm: pool www

    If you didn’t modify php-fpm.conf, the process pool listens for fastcgi requests on TCP 127.0.0.1:9000.

    It’s time to configure an apache virtualhost with PHP support using this brand new fpm.

    Edit the httpd.conf apache configuration file (or another included file where you store the virtualhost) and append the following (I assume that apache is installed in /opt/apache2):

    <VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/opt/apache2/htdocs"
    ServerName "your_servername.com"
    ErrorLog "logs/your_servername-error_log"
    CustomLog "logs/your_servername-access_log" common

    FastCgiExternalServer /opt/apache2/htdocs/php5.sock -host 127.0.0.1:9000
    AddHandler php5-fcgi .php
    Action php5-fcgi /tmp/php5.sock
    Alias /tmp /opt/apache2/htdocs

    <Directory "/opt/apache2/htdocs">
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Allow from all
    </Directory>
    </VirtualHost>

    Any file in your document root whose name ends with “.php” should now be associated with the PHP fastcgi handler, and the requests should be routed to the php-fpm process pool. Each php-fpm process is reused according to the php-fpm.conf configuration file.

    Restart apache and enjoy (any comments are welcome).

    18 May 12 The OrientDB 1.0 stable is finally there!

    Congratulations to Luca Garulli and his dev team on the public release of OrientDB 1.0 Stable!
    After a year of release candidates and bug fixing it’s finally time for the stable version.
    Many bugs fixed, new indexing algorithms, improved clustering with multi master replication, new Object Database interface with lazy object loading, new studio (web interface) and much more.

    The community is growing fast and people are rapidly moving to new technologies.
    Words like nosql, object and graph databases, cloud and mobile are the big buzzwords nowadays.

    If you didn’t already, subscribe to the orientdb mailinglist to get in touch: http://groups.google.com/group/orient-database?pli=1.

    08 Mar 12 How to execute a HTTP/Rest Query to NuvolaBase distributed database with PHP

    As previously said, nuvolabase.com is a great service that lets you have a distributed nosql document database in the cloud. This is very cool: think of every time you needed a database always available in the cloud that you could access via simple HTTP/Rest queries. The possibilities are endless.

    Here is a very simple but powerful PHP curl agent to submit commands (queries) to nuvolabase via HTTP.

    <?php
    /*
    * Author: Dino Ciuffetti <dino@tuxweb.it>
    * Object: Execute a remote query to a distributed database on nuvolabase.com (free account) using HTTP (OrientDB REST API)
    */

    /* user configurable parameters */
    $nuvolabasedb = 'db$free$youruser$yourdb';
    $command = 'select from yourclass';
    $user = 'admin';
    $password = 'qwerty';
    $useragent = "NuvolaBase PHP REST agent/v0.8 (compatible; Mozilla 4.0; MSIE 5.5; http://www.nuvolabase.com/)";
    /* END of user configurable parameters */

    $nuvolabasehost = 'studio.nuvolabase.com';
    $url = 'http://'.$user.':'.$password.'@'.$nuvolabasehost.'/command/'.$nuvolabasedb.'/sql/';

    $ch = curl_init();

    // set user agent
    curl_setopt($ch, CURLOPT_USERAGENT, $useragent);

    // return the result or false in case of errors
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    // set the target url
    curl_setopt($ch, CURLOPT_URL, $url);

    // do basic login authentication
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);

    // send the request as an HTTP POST
    curl_setopt($ch, CURLOPT_POST, 1);

    // the post data to send
    curl_setopt($ch, CURLOPT_POSTFIELDS, $command);

    // execute curl, fetch the result and close the curl connection
    $res = curl_exec($ch);
    curl_close($ch);

    // display the result only if the request succeeded
    if ($res !== FALSE) {
        print_r(json_decode($res));
    }

    ?>

    Please use the attached file.

    test.php

    21 Feb 12 Mitigating Distributed Denial of Service attacks on apache with mod_evasive

    Hi.
    There is a very nice unofficial module for apache that makes it easy to block, or at least mitigate, DDOS attacks.

    Download the mod_evasive module from http://www.zdziarski.com/blog/?page_id=442, unpack the tar.gz and compile it with the following command:

    <directory_di_installazione_apache>/bin/apxs -i -c mod_evasive20.c

    Now you need to add two things to httpd.conf and then restart apache:

    1) LoadModule evasive20_module modules/mod_evasive20.so
    2) Its configuration

    Regarding number 2 there is an important consideration: tuning this module with wrong or badly sized parameters can cause false positives that create serious service disruptions, even for a prolonged period of time.

    The configuration looks like this (I have already done some pre-tuning, which you, knowing your own system, must still review and confirm):

    <IfModule mod_evasive20.c>
    DOSHashTableSize   196613
    DOSLogDir "/tmp"

    DOSPageCount         20
    DOSPageInterval      10

    DOSSiteCount        350
    DOSSiteInterval      5

    DOSBlockingPeriod   10
    </IfModule>

    A short explanation of the parameters follows:

    DOSHashTableSize: the size of the internal lookup table used by the module. On busy servers the number must not be too low. It should not be an arbitrary number but a prime number present in the struct of prime numbers inside mod_evasive20.c.

    DOSLogDir: a directory where evasive stores data that is used internally for locking between the apache child processes.

    DOSPageCount: the threshold for the number of requests made to the same URL by the same IP within the time interval specified by the DOSPageInterval directive. If the number of requests to the same page/object/URI is exceeded within the specified interval, apache will block the client’s IP for the number of seconds specified by DOSBlockingPeriod. I strongly recommend not setting this parameter too low, to avoid false positives in NATted environments or behind proxy servers (for example Fastweb customers, users inside large organizations that use a proxy server, etc.)

    DOSPageInterval: the time interval, in seconds, over which the threshold of the previous parameter (DOSPageCount) applies.

    DOSSiteCount: the threshold for the total number of requests made to the whole site by the same IP within the time interval specified by the DOSSiteInterval directive. If the total number of requests to apache is exceeded within the specified interval, apache will block the client’s IP for the number of seconds specified by DOSBlockingPeriod. Here too I strongly recommend not setting this parameter too low, to avoid false positives in NATted environments or behind proxy servers (for example Fastweb customers, users inside large organizations that use a proxy server, etc.)

    DOSSiteInterval: the time interval, in seconds, over which the threshold of the previous parameter (DOSSiteCount) applies.

    DOSBlockingPeriod: the time interval, in seconds, during which all clients that ended up in the blacklist for exceeding the limits set by the parameters above cannot connect to apache and browse the site, getting an HTTP/403 (Forbidden) error code instead. If the blocked clients keep making new requests during the blocking period, each request resets the timer, so the count starts again. I therefore STRONGLY recommend not setting this parameter too high; in general it should never exceed 20 seconds. The main reason is to mitigate any disruption caused by false positives. This also holds because during a DDOS attack the timer is continuously reset, so the attack is mitigated anyway even when the parameter is set to a very low value.
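The interplay between the site threshold and DOSBlockingPeriod described above can be checked on a small trace. The following is an added example, not part of the original post and not mod_evasive's code: a simplified model of the per-IP site counter with deliberately tiny thresholds, hypothetical function names, and a constructed request log (one persistent client and one bursty NATted office).

```shell
#!/bin/sh
# Added example: simplified model of the behaviour described in the post
# (per-IP site threshold plus blocking period with timer reset).
# It is NOT mod_evasive's implementation; all sample data is constructed.

# simulate_evasive COUNT INTERVAL BLOCK
# stdin: lines "seconds ip", in ascending time order for each IP.
# stdout: "ip allowed=N denied=M", one line per IP.
simulate_evasive() {
    awk -v count="$1" -v interval="$2" -v block="$3" '
    {
        t = $1; ip = $2
        if ((ip in until) && t < until[ip]) {
            until[ip] = t + block    # a request during the block resets the timer
            denied[ip]++
            next
        }
        if (!(ip in start) || t - start[ip] >= interval) {
            start[ip] = t; hits[ip] = 0    # open a new counting window
        }
        hits[ip]++
        if (hits[ip] > count) {      # threshold exceeded: answer 403 and blacklist
            until[ip] = t + block
            denied[ip]++
            next
        }
        allowed[ip]++
    }
    END {
        for (ip in start)
            printf "%s allowed=%d denied=%d\n", ip, allowed[ip], denied[ip]
    }' | sort
}

# Constructed sample traffic.
sample_log() {
    # 203.0.113.5: 2 requests per second for 30 seconds, never backing off
    t=0
    while [ "$t" -lt 30 ]; do
        echo "$t 203.0.113.5"
        echo "$t 203.0.113.5"
        t=$((t + 1))
    done
    # 198.51.100.7: office behind NAT, 7 requests at t=10, then t=15 and t=30
    for i in 1 2 3 4 5 6 7; do
        echo "10 198.51.100.7"
    done
    echo "15 198.51.100.7"
    echo "30 198.51.100.7"
}

echo "threshold 5 requests / 5 s, blocking period 10 s:"
sample_log | simulate_evasive 5 5 10
echo "same thresholds, blocking period 3600 s:"
sample_log | simulate_evasive 5 5 3600
```

The persistent client is denied equally in both runs because its own requests keep resetting the timer; only the NATted office, a false positive, pays for the longer blocking period.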

    Restart apache and have fun.

    Dino Ciuffetti.

    02 Feb 12 NuvolaBase: the new no-sql company behind OrientDB launches the Graph Database in the Cloud

    London, UK – NuvolaBase Ltd is a London-based startup that is about to revolutionize the database market. Only two years ago this market was dominated by a few big players such as Oracle, IBM and Microsoft. Something, in the last 24 months, has changed thanks to the “NoSQL” movement which focused on alternative solutions to the ordinary Relational DBMS’s due to the pressing and increasing demands for better performance and higher scalability.

    Today the largest IT companies avail themselves of NoSQL solutions to manage Mission Critical projects. Google, Amazon, Microsoft, Facebook, Twitter, Disney, MTV, Craigslist and FourSquare are amongst the most famous ones.

    After just a year of testing, NuvolaBase comes out of Alpha version, offering a NoSQL database of high performance as a cloud-based service. This way the database is no longer a software component that needs installing, configuring and maintaining, but it becomes a distributed service that is always available on the internet.

    Web Site: http://www.nuvolabase.com
    Follow us on Twitter: https://twitter.com/#!/nuvolabase
    LinkedIn: http://www.linkedin.com/company/nuvolabase-ltd

    26 Jan 12 liborient, OrientDB C library migrated to github

    I never mentioned before on these pages that some months ago I migrated liborient to github: liborient project page.

    For those who do not know liborient, it’s an LGPLv3 library that can be used by C programs to interact with the OrientDB DBMS Server using the orientdb binary protocol. At the time of this writing it’s at the development stage, but almost all low level binary protocol methods are implemented and should work fairly well.

    After fixing some (well known) memory leaks in the new odocument interface, I’m now working on a high level API that can be used by C programs to manipulate objects going to and coming from the OrientDB Server.
    You can, for example, put or get records to/from the server containing fields of different data types. Those fields are organized into an object that OrientDB calls a Document. This Document can include structured types like: integers, shorts, dates, strings, binary, char, float, collections, maps, documents embedded into documents, and more.
    The new liborient odocument higher level API should make it comfortable to access and manipulate these documents.
    This can be, for example, a good starting point to create native bindings for other languages like PHP, python, perl, ruby, etc.

    At the moment I am the author and the only developer on this project, but if you are brave you can join and submit patches, test the code, open bugs, share your thoughts, and so on. Feel free to send me a mail, add a comment to this page, write to the orientdb mailing list, send me a tweet at @tuxweb, or anything else.

    12 Dec 11 How to quickly install courier-mta mail server from source on debian (for the impatient)

    What follows is a quick n’ dirty but working list of things to do to correctly install your brand new courier mta mail server from source on a linux debian system (or ubuntu). This is for the impatient who don’t want to read the courier installation manual page (http://www.courier-mta.org/install.html). You can download the latest stable courier packages from here: http://www.courier-mta.org/download.php.
    You only have to download these three software archive files:

    1. Courier
    2. Courier authentication library
    3. Courier unicode library

    You’ll need to be root and have an internet connection to install the debian packages for the dependencies.
    First of all you have to enable the en_US.UTF-8 locale, or “make check” will fail. You can do it with:

    dpkg-reconfigure locales

    Ready to install? Ok. This is how I did it:

    groupadd courier
    useradd -m -g courier courier
    groupadd vmail
    useradd -g vmail -d /opt/courier -m vmail

    apt-get install build-essential
    apt-get install libldap2-dev
    apt-get install ldap-utils
    apt-get install slapd
    apt-get install libmysqlclient-dev
    apt-get install libpcre++-dev libpcre3-dev
    apt-get install libidn11-dev
    apt-get install libgdbm-dev
    apt-get install libdb-dev
    apt-get install libgamin-dev
    apt-get install libssl-dev
    apt-get install libgnutls28-dev
    apt-get install expect
    apt-get install libperl-dev
    apt-get install libltdl-dev
    apt-get install libsqlite3-dev

    tar jxvf courier-unicode-x.x.tar.bz2
    cd courier-unicode-x.x

    ./configure --prefix=/opt/courier/unicode

    make
    make install

    cd ..

    tar jxvf courier-authlib-0.xx.0.tar.bz2
    cd courier-authlib-0.xx.0

    export CFLAGS="-I/opt/courier/unicode/include"
    export LDFLAGS="-L/opt/courier/unicode/lib"

    ./configure \
    --prefix=/opt/courier/authlib \
    --without-authvchkpw \
    --without-authpgsql \
    --with-mysql-libs=/usr \
    --with-mysql-includes=/usr \
    --with-mailuser=vmail \
    --with-mailgroup=vmail

    make
    make install

    cd ..

    tar jxvf courier-0.xx.0.tar.bz2
    chown -R courier:courier courier-0.xx.0

    su - courier
    cd courier-0.xx.0

    export COURIERAUTHCONFIG=/opt/courier/authlib/bin/courierauthconfig
    export CFLAGS="-I/opt/courier/authlib/include -I/opt/courier/unicode/include"
    export CPPFLAGS="-I/opt/courier/authlib/include -I/opt/courier/unicode/include"
    export LDFLAGS="-L/opt/courier/authlib/lib -L/opt/courier/unicode/lib"

    ./configure \
    --prefix=/opt/courier --with-locking-method=fcntl --without-explicitsync \
    --with-qdircount=20 --with-random=/dev/urandom \
    --without-ispell --disable-autorenamesent --enable-mimetypes

    make
    make check
    exit
    make install-strip
    make install-configure >upgrade.log

    /opt/courier/sbin/showmodules
    /opt/courier/sbin/makesmtpaccess

    OK. If everything went OK, the installation part is finished.
    The configuration is another complex thing that I cannot cover here now… maybe another time.
    Now, continue to read installation manual from here: http://www.courier-mta.org/install.html#aliases

    This procedure was last tested with courier 0.75.0 on debian 8.4, but should be OK with newer versions too.
    The software will be installed in /opt/courier.

    I hope that it will help someone.
    Ciao, Dino.

    15 Nov 11 How to compile apache httpd on HP-UX 11.11 PA-RISC

    The first thing that I have to say, after more than 10 years working with different OSes, is that there is no better operating system than Linux. Any other OS that I’ve worked with is pure shit, in my humble opinion of course. HP-UX is one of these. It is a closed box with custom patches here and there, not a true, modern OS like linux or free bsd, and the like. The compiler is closed source and it’s not free.

    The best way that I’ve found to compile apache with gcc on HP-UX 11.11 (pa-risc) using open source free software is:

    1. download the following software packages from HP-UX Porting Centre (http://hpux.connect.org.uk/) – your version may vary: zlib-1.2.5-hppa-11.11.depot.gz, make-3.82-hppa-11.11.depot.gz, libiconv-1.14-hppa-11.11.depot.gz, gettext-0.18.1.1-hppa-11.11.depot.gz, openssl-1.0.0e-hppa-11.11.depot.gz, libgcc-4.2.3-hppa-11.11.depot.gz, gcc-4.2.3-hppa-11.11.depot.gz
    2. gunzip each one of the downloaded depots (eg: gunzip * from the directory where you downloaded them)
    3. install each depot in the order given above (the first is zlib, the last is gcc) with the standard hpux command: swinstall -s [your_absolute_depot_path]
    4. once this boring operation, mandatory only on non modern operating systems, has terminated successfully, you can export the PATH variable with /usr/local/bin at the front of the PATH list: export PATH="/usr/local/bin:$PATH"
    5. ok. We are now ready to compile apache. Download and uncompress the httpd tar.gz with “gunzip”, then “tar xf” (on a modern system you can do it in a single pass with tar xzvf …)
    6. the configure string to run is: ./configure --with-included-apr --with-expat=builtin --prefix=[YOUR_APACHE_INSTALLATION_PATH] --enable-mods-shared=most --enable-ssl --enable-proxy --enable-proxy-connect --enable-proxy-http --enable-proxy-balancer --enable-cache --enable-disk-cache --enable-mem-cache
    7. once finished, run: “gmake”.

    At this point, after a few minutes, you will probably end up with a compiler error like this one:

    /var/adm/crash/src/httpd-2.2.21/srclib/apr/libtool --silent --mode=link gcc -g -O2 -pthread     -L/usr/local/lib   -o htpasswd  htpasswd.lo   -lm /var/adm/crash/src/httpd-2.2.21/srclib/pcre/libpcre.la /var/adm/crash/src/httpd-2.2.21/srclib/apr-util/libaprutil-1.la /var/adm/crash/src/httpd-2.2.21/srclib/apr-util/xml/expat/libexpat.la -liconv /var/adm/crash/src/httpd-2.2.21/srclib/apr/libapr-1.la -lrt -lm -lpthread -ldld
    libtool: link: warning: this platform does not like uninstalled shared libraries
    libtool: link: `htpasswd' will be relinked during installation
    /usr/ccs/bin/ld: Unsatisfied symbols:
    apr_generate_random_bytes (first referenced in .libs/htpasswd.o) (code)
    collect2: ld returned 1 exit status
    gmake[2]: *** [htpasswd] Error 1
    gmake[2]: Leaving directory `/var/adm/crash/src/httpd-2.2.21/support'
    gmake[1]: *** [all-recursive] Error 1
    gmake[1]: Leaving directory `/var/adm/crash/src/httpd-2.2.21/support'
    gmake: *** [all-recursive] Error 1

    This means that the APR library cannot generate random numbers. I have to investigate why; probably the system is not capable of (or not patched for) generating pseudo-random numbers at kernel level (/dev/random or /dev/urandom) and the APR library breaks. Not a problem. Simply skip the creation of the htpasswd executable. You will probably not need it.

    • cd support
    • touch htpasswd
    • cd ..

    Now go back to compiling:

    • gmake

    When finished, simply run “gmake install”, and you are hopefully done, wondering why you are still using a non modern OS and soon becoming a happy new linux user..

    😉 Hope this one will help some linux user fighting on HP as well like me!

    Ciao, Dino.

    07 Oct 11 Apache with Worker MPM (multi threaded), mem_cache and mod_deflate

    When you have to publish mainly static content, like static sites, the most powerful solution is to configure your apache http server to use the MPM Worker, mod_mem_cache and mod_deflate modules.

    Why the MPM Worker
    It implements a multi process / multi thread server model. The parent process spawns child processes, and each child process spawns threads. Each thread handles a client connection.
    This implementation can handle a large number of requests with fewer system resources than a standard prefork multi process server model.
    Please note that you cannot use the MPM Worker in server environments that are not thread safe. For example, PHP, mod_perl, and other dynamic page processors do not guarantee that the environment is completely thread safe, so my advice is to NOT USE the MPM Worker with PHP, mod_perl and the like.
    The Worker MPM can consume much less memory because the heap memory is shared among threads, while that’s not true for processes.
    For more information you can read the official page: http://httpd.apache.org/docs/2.2/mod/worker.html

    Why the mod_mem_cache module
    This module can be configured to cache open file descriptors and objects in the heap storage (memory).
    When an object (html, css, js, etc) is requested for the first time by a client, it gets saved into the heap memory. The second time it is requested, the object is served directly from the memory cache. This can lower CPU usage and disk I/O.
    For more information you can read the official page: http://httpd.apache.org/docs/2.2/mod/mod_mem_cache.html

    Why the mod_deflate module
    It allows output from your server to be compressed before being sent to the client. The HTTP/1.1 protocol has a header called Accept-Encoding. This way a client can tell the server which response encodings it can read.
    Any modern browser today can handle page compression, so why not use it?
    With it you can save bandwidth.
    For more information you can read the official page: http://httpd.apache.org/docs/2.2/mod/mod_deflate.html

    Ok. Let’s begin to enable all this.

    The first step is to compile apache from source.
    If you want to use the packages released by your linux distribution instead of compiling apache yourself, you can do so.
    Always choose the latest apache stable version available.

    To compile apache 2.2.X with most modules in shared form (*.so) you should run this configure:
    $ ./configure --prefix=<YOUR_APACHE_DIR> --with-mpm=worker --with-included-apr --with-expat=builtin --enable-mods-shared=most --enable-ssl --enable-proxy --enable-proxy-connect --enable-proxy-http --enable-proxy-balancer --enable-cache --enable-disk-cache --enable-mem-cache --enable-nonportable-atomics=yes

    Then, as usual, run:
    $ make
    $ make install

    You should end up with apache correctly installed with all the needed modules in place.
    Now configure your httpd.conf by adding these lines:

    # Compress on the fly HTML pages, TXT and XML files, CSS and JS.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/x-js application/x-javascript

    # Cache open file descriptors
    CacheEnable fd /

    # Enable memory caching
    CacheEnable mem /

    # Limit the size of the cache to 24 Megabyte (MCacheSize is expressed in KBytes)
    MCacheSize 24576

    # Minimum size of an object that can be cached: 1 Kbyte
    MCacheMinObjectSize 1024

    # Maximum size of an object that can be cached: 3 Mbyte
    MCacheMaxObjectSize 3145728

    # Spawn 10 child processes, each spawning 100 threads.
    # So, a pool of 1000 threads is kept up and idle, ready to serve incoming requests.
    # If more requests come in, apache will spawn new child processes, each one spawning 100 threads,
    # enlarging the thread pool until the total number of threads reaches 2000. At that point, apache begins
    # to cleanly drop processes, trying to get back to 1000 threads.
    # New processes and their threads are spawned in case of a large spike of requests, until 4000 parallel
    # client requests are reached; then apache will no longer accept new incoming connections.
    # When the load calms down, and requests come back under 4000 parallel connections, apache will continue
    # to accept connections. After 1,000,000 requests served by a child, i.e. 10,000 per thread, the process
    # gets closed by the parent to ensure no memory leak builds up.
    <IfModule mpm_worker_module>
    ThreadLimit          100
    ServerLimit         4000
    StartServers          10
    MaxClients          4000
    MinSpareThreads      1000
    MaxSpareThreads      2000
    ThreadsPerChild      100
    MaxRequestsPerChild   1000000
    </IfModule>

    Start apache.
    Enjoy!!