AH00480: apr_thread_create: unable to create worker thread

Thorsten

SSF Facilitymanagement
Staff member
Hallo!
Ich bräuchte mal einen Schupps in die richtige Richtung. Habe hier einen virtuellen Server mit zugesicherten 8GB RAM.
Auf diesem Server läuft Plesk Onyx in der aktuellen Version. Leider lässt sich der Apache Webserver nicht starten:
Code:
[Wed Oct 14 19:25:01.998526 2020] [ssl:warn] [pid 6253:tid 139752698145728] AH01909: webmail.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:01.999294 2020] [ssl:warn] [pid 6253:tid 139752698145728] AH01909: webmail.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:02.000008 2020] [ssl:warn] [pid 6253:tid 139752698145728] AH01909: default:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:02.000503 2020] [suexec:notice] [pid 6253:tid 139752698145728] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Oct 14 19:25:02.016890 2020] [:notice] [pid 6254:tid 139752698145728] mod_bw : Memory Allocated 0 bytes (each conf takes 48 bytes)
[Wed Oct 14 19:25:02.016911 2020] [:notice] [pid 6254:tid 139752698145728] mod_bw : Version 0.92 - Initialized [0 Confs]
[Wed Oct 14 19:25:02.023904 2020] [ssl:warn] [pid 6254:tid 139752698145728] AH01909: webmail.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:02.024672 2020] [ssl:warn] [pid 6254:tid 139752698145728] AH01909: webmail.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:02.025426 2020] [ssl:warn] [pid 6254:tid 139752698145728] AH01909: default:443:0 server certificate does NOT include an ID which matches the server name
[Wed Oct 14 19:25:02.027562 2020] [mpm_event:notice] [pid 6254:tid 139752698145728] AH00489: Apache/2.4.29 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/1.1.1 configured -- resuming normal operations
[Wed Oct 14 19:25:02.027582 2020] [core:notice] [pid 6254:tid 139752698145728] AH00094: Command line: '/usr/sbin/apache2'
[Wed Oct 14 19:25:02.029387 2020] [mpm_event:alert] [pid 6257:tid 139752698145728] (11)Resource temporarily unavailable: AH00480: apr_thread_create: unable to create worker thread
[Wed Oct 14 19:25:02.029828 2020] [mpm_event:alert] [pid 6258:tid 139752698145728] (11)Resource temporarily unavailable: AH00480: apr_thread_create: unable to create worker thread
[Wed Oct 14 19:25:04.029770 2020] [mpm_event:alert] [pid 6254:tid 139752698145728] AH02324: A resource shortage or other unrecoverable failure was encountered before any child process initialized successfully... httpd is exiting!
Manuelle Änderungen an der Apache Konfiguration gibt es nicht. PHP (7.3.23) Einstellungen sind ebenfalls Standard.

Die /proc/user_beancounters sieht wie folgt aus:
Code:
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
   2907835: kmemsize                129101824            140152832  9223372036854775807  9223372036854775807                    0
            lockedpages                     0                    0  9223372036854775807  9223372036854775807                    0
            privvmpages                326537               866680  9223372036854775807  9223372036854775807                    0
            shmpages                    65976                99232  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            numproc                        94                   94                  400                  400                    0
            physpages                  290116               336796              2097152              2097152                    0
            vmguarpages                     0                    0  9223372036854775807  9223372036854775807                    0
            oomguarpages               290116               336796                    0                    0                    0
            numtcpsock                      0                    0  9223372036854775807  9223372036854775807                    0
            numflock                        0                    0  9223372036854775807  9223372036854775807                    0
            numpty                          1                    2  9223372036854775807  9223372036854775807                    0
            numsiginfo                      1                   90  9223372036854775807  9223372036854775807                    0
            tcpsndbuf                       0                    0  9223372036854775807  9223372036854775807                    0
            tcprcvbuf                       0                    0  9223372036854775807  9223372036854775807                    0
            othersockbuf                    0                    0  9223372036854775807  9223372036854775807                    0
            dgramrcvbuf                     0                    0  9223372036854775807  9223372036854775807                    0
            numothersock                    0                    0  9223372036854775807  9223372036854775807                    0
            dcachesize              106835968            107024384  9223372036854775807  9223372036854775807                    0
            numfile                      2286                 3395  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            dummy                           0                    0  9223372036854775807  9223372036854775807                    0
            numiptent                      65                   65                 2000                 2000                    0
Irgend eine Idee, wie man diesem Phänomen auf die Spur kommen kann? Habe ich etwas vergessen?
 

DjTom-i

verifizierter Anbieter
verifizierter Anbieter
Thread Limit, Server Limit und Thread Stack size spielen hier eine Rolle.
 

greystone

Member
Also die von DjTom gesetzten Werte sind wahrscheinlich einfach zu hoch konfiguriert
. Niedriger setzen bis der Fehler verschwindet.
 

Thorsten

SSF Facilitymanagement
Staff member
Je nach eingestelltem MPM ist folgendes konfiguriert:
Code:
Prefork:
<IfModule mpm_prefork_module>
        StartServers                     5
        MinSpareServers           5
        MaxSpareServers          10
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>
Code:
Event:
<IfModule mpm_event_module>
        StartServers                     2
        MinSpareThreads          25
        MaxSpareThreads          75
        ThreadLimit                      64
        ThreadsPerChild          25
        MaxRequestWorkers         150
        MaxConnectionsPerChild   0
</IfModule>

Edit!
Sobald ich mod_http2 aktiviere (sollte bei MPM Event ja funktionieren) bekomme ich folgendes um die Ohren gehauen:
Code:
[Wed Oct 14 21:26:23.680407 2020] [core:notice] [pid 25414:tid 140048699947968] AH00094: Command line: '/usr/sbin/apache2'
[Wed Oct 14 21:26:23.682156 2020] [mpm_event:alert] [pid 25417:tid 140048252286720] (11)Resource temporarily unavailable: AH03104: apr_thread_create: unable to create worker thread
[Wed Oct 14 21:26:23.684627 2020] [mpm_event:alert] [pid 25421:tid 140048327812864] (11)Resource temporarily unavailable: AH03104: apr_thread_create: unable to create worker thread
[Wed Oct 14 21:26:23.689162 2020] [mpm_event:crit] [pid 25421:tid 140048146069248] (22)Invalid argument: AH03099: ap_queue_pop failed
[Wed Oct 14 21:26:23.689296 2020] [mpm_event:crit] [pid 25421:tid 140048146069248] (22)Invalid argument: AH03099: ap_queue_pop failed
[Wed Oct 14 21:26:23.689392 2020] [mpm_event:crit] [pid 25421:tid 140048146069248] (22)Invalid argument: AH03099: ap_queue_pop failed
[Wed Oct 14 21:26:23.689472 2020] [mpm_event:crit] [pid 25421:tid 140048146069248] (22)Invalid argument: AH03099: ap_queue_pop failed

Edit2!
Es wurde manuell das Paket libnghttp2-14 installiert. Versuch #1: nginx via Plesk deaktivieren / deinstallieren, libnghttp2-14 rausschmeissen und nginx wieder hinzufügen. Findet Plesk aber doof:
Code:
apt purge libnghttp2-14
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
Die folgenden Pakete werden ENTFERNT:
  apache2* apache2-bin* curl* git* libapache2-mod-aclr2-psa* libapache2-mod-bw* libapache2-mod-cloudflare* libapache2-mod-fcgid-psa* libapache2-mod-geoip*
  libapache2-mod-php* libapache2-mod-php7.2* libapache2-mod-sysenv-psa* libapache2-modsecurity-plesk* libcurl3-gnutls* libcurl4* libnghttp2-14* libpam-plesk*
  libxmlrpc-core-c3* php-curl* php7.2-curl* plesk-backup-utilities* plesk-completion* plesk-config-troubleshooter* plesk-core* plesk-core-utilities*
  plesk-courier-imap-driver* plesk-engine* plesk-git-http* plesk-l10n* plesk-mail-pc-driver* plesk-modsecurity-configurator* plesk-modsecurity-crs* plesk-php73*
  plesk-php73-bcmath* plesk-php73-cli* plesk-php73-dba* plesk-php73-enchant* plesk-php73-fpm* plesk-php73-gd* plesk-php73-imagick* plesk-php73-imap* plesk-php73-intl*
  plesk-php73-ioncube-loader* plesk-php73-ldap* plesk-php73-mbstring* plesk-php73-mysql* plesk-php73-odbc* plesk-php73-opcache* plesk-php73-pdo* plesk-php73-pear*
  plesk-php73-pgsql* plesk-php73-process* plesk-php73-pspell* plesk-php73-redis* plesk-php73-snmp* plesk-php73-soap* plesk-php73-sodium* plesk-php73-tidy*
  plesk-php73-xdebug* plesk-php73-xml* plesk-php73-xmlrpc* plesk-php74* plesk-php74-bcmath* plesk-php74-cli* plesk-php74-dba* plesk-php74-enchant* plesk-php74-fpm*
  plesk-php74-gd* plesk-php74-imagick* plesk-php74-imap* plesk-php74-intl* plesk-php74-ioncube-loader* plesk-php74-ldap* plesk-php74-mbstring* plesk-php74-mysql*
  plesk-php74-odbc* plesk-php74-opcache* plesk-php74-pdo* plesk-php74-pear* plesk-php74-pgsql* plesk-php74-process* plesk-php74-pspell* plesk-php74-redis* plesk-php74-snmp*
  plesk-php74-soap* plesk-php74-sodium* plesk-php74-tidy* plesk-php74-xdebug* plesk-php74-xml* plesk-php74-xmlrpc* plesk-repair-kit* plesk-roundcube*
  plesk-service-node-utilities* plesk-web-hosting* plesk-web-socket* pp18.0.24-bootstrapper* pp18.0.30-bootstrapper* psa* psa-courier-imap* psa-drweb-configurator*
  psa-firewall* psa-horde* psa-imp* psa-ingo* psa-kronolith* psa-libxml-proxy* psa-locale-base-en-us* psa-logrotate* psa-mail-driver-common* psa-mnemo* psa-passwd*
  psa-php-configurator* psa-phpmyadmin* psa-proftpd* psa-spamassassin* psa-turba* psa-updates* psa-vhost* psa-watchdog* sw-collectd* sw-engine* sw-engine-cli-2.27*
  sw-engine-cli-2.30*
0 aktualisiert, 0 neu installiert, 123 zu entfernen und 0 nicht aktualisiert.
Nach dieser Operation werden 617 MB Plattenplatz freigegeben.
N: Datei »plesk.list.ai_back« in Verzeichnis »/etc/apt/sources.list.d/« wird ignoriert, da sie eine ungültige Dateinamen-Erweiterung hat.
Möchten Sie fortfahren? [J/n] n
Da der Server quasi leer ist, ist wohl eine Neuinstallation zielführender.
 
Last edited:

d4f

Kaffee? Wo?
Plesk und Co mögen es gar nicht wenn man manuell an "deren" Paketen spielt.
Was das eigentliche Limit angeht; entweder eine aktive Limitierung im Prozessverwalter (systemd --> versuche systemctl status apache2 | grep Tasks) oder aber eine nicht angezeigte Beschränkung durch Virtuozzo.
 

Joe User

Zentrum der Macht
mod_php ist nicht für mpm-worker oder mpm-event, bitte ausschliesslich PHP-FPM verwenden.
Warum zwei verschiedene mod_php?
Warum mod_fcgid?
Warum ein völlig veralteter Apache?

Generell erstmal alle nicht zwingend benötigten Apache-Module (mod_bw, mod_fcgid, mod_geoip, mod_cloudflare, mod_security, mod_aclr2, mod_sysenv, etc.) rauswerfen und dann sehen wir weiter.
 

Thorsten

SSF Facilitymanagement
Staff member
Genutzt wirdFPM/FastCGI.
mod_fgcid ist raus. Wird wohl bei einer Standardinstallation von Plesk aktiviert. Apache ist 2.4.29-1ubuntu4.14. Ist der vollkommen veraltet?

Was mich wundert:
Code:
root@mx-10:/var/log# apt show libnghttp2-14
Package: libnghttp2-14
Version: 1.30.0-1ubuntu1
Priority: optional
Section: libs
Source: nghttp2
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Tomasz Buchert <tomasz@debian.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 206 kB
Depends: libc6 (>= 2.14)
Homepage: https://nghttp2.org/
Task: ubuntu-desktop, cloud-image, server, lamp-server, kubuntu-desktop, xubuntu-core, xubuntu-desktop, lubuntu-live-share, lubuntu-desktop-share, lubuntu-gtk-desktop, lubuntu-desktop, lubuntu-live, lubuntu-qt-desktop, lubuntu-live-qt, lubuntu-live-gtk, ubuntustudio-desktop-core, ubuntustudio-desktop, ubuntukylin-desktop, ubuntu-mate-core, ubuntu-mate-desktop, ubuntu-budgie-desktop
Supported: 5y
Download-Size: 77,8 kB
APT-Manual-Installed: yes
APT-Sources: ftp://ftp.stratoserver.net/pub/linux/ubuntu bionic/main amd64 Packages
Description: library implementing HTTP/2 protocol (shared library)
 This is an implementation of the Hypertext Transfer Protocol version
 2 in C. The framing layer of HTTP/2 is implemented as a reusable C
 library.
 .
 This package installs a shared library.
Das ist exakt das selbe Paket wie zuvor.
 

Joe User

Zentrum der Macht
Apache 2.4.29 ist über zwei Jahre oder knapp 80000 Commits alt, aktuell ist Apache 2.4.46/2.4.47 -- Also ja, das ist völlig veraltet, auch wenn Ubuntu keine aktuellere Version anbietet.

Mir erschliesst sich derzeit nicht, was Du da mit libnghttp2 vorhast?

Schmeiss bitte erstmal alle mod_php* komplett raus, denn die sind nur für mpm-prefork geeignet.
Für mod_geoip/mod_geoip2 gibt es keine Datenbanken mehr, das Modul kannst Du also komplett einstampfen.
mod_bw braucht normalerweise auch kein Mensch, weg damit.
mod_cloudflare, mod_security, mod_aclr2, mod_sysenv musst Du entscheiden ob Du die wirklich brauchst und ob sie für mpm-worker/mpm-event geeignet (threadsafe) sind, ich persönlich würde sie entsorgen.

Ansonsten auch erstmal das Logging auf debug hochdrehen und hoffen dass das Log aussagekräftiger wird.
 

Thorsten

SSF Facilitymanagement
Staff member
Nun wird er langsam komisch.
@d4f, @Joe User
Code:
systemctl status apache2 | grep Tasks
Alter Server -> Tasks: 194 (limit: 585)
Neuer Server -> Tasks: 56 (limit: 60)

Das Problem ist auch wieder aufgetreten.
Code:
[Thu Oct 15 17:49:36.163092 2020] [core:notice] [pid 31879:tid 139968755198912] AH00094: Command line: '/usr/sbin/apache2'
[Thu Oct 15 17:49:37.167616 2020] [mpm_event:alert] [pid 869:tid 139968468920064] (11)Resource temporarily unavailable: AH03104: apr_thread_create: unable to create worker thread
[Thu Oct 15 17:49:37.172011 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172032 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172040 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172241 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172250 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172257 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172635 2020] [mpm_event:crit] [pid 869:tid 139968336877312] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172637 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172654 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172665 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172674 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172687 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172702 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172712 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172718 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172747 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172757 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172764 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172769 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:49:37.172775 2020] [mpm_event:crit] [pid 869:tid 139968294913792] (22)Invalid argument: AH03099: ap_queue_pop failed
...
...
...
[Thu Oct 15 17:49:37.203563 2020] [mpm_event:crit] [pid 869:tid 139968261342976] (22)Invalid arg[Thu Oct 15 17:49:37.203512 2020] [mpm_event:crit] [pid 869:tid 139968286521088] (22)Invalid a
rgument: AH03099: ap_queue_pop failed
[Thu Oct 15 17:54:36.574075 2020] [mpm_event:notice] [pid 31879:tid 139968755198912] AH00491: caught SIGTERM, shutting down

Nachtrag:

apache2ctl -t -D DUMP_MODULES
Code:
Loaded Modules:
core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 security2_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 userdir_module (shared)
 
Last edited:

Thorsten

SSF Facilitymanagement
Staff member
Jein, denn es funktioniert alles so, wie vom Hoster vorgesehen :).
Ubuntu 18.04 sagt für DefaultTasksMax:
Unter Ubuntu 18.04 beträgt der Wert von DefaultTasksMax 15% von numproc (maximal erlaubte Anzahl von Prozessen).

Code:
numproc                        94                   94                  400                  400                    0
 

Joe User

Zentrum der Macht
Zum Vergleich mal mein Apache:
Code:
[root@devgate:~] # httpd -v
Server version: Apache/2.4.46 (FreeBSD)
Server built:   unknown

[root@devgate:~] # apachectl -t -D DUMP_MODULES
Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_event_module (shared)
authn_file_module (shared)
authn_core_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_user_module (shared)
authz_core_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
allowmethods_module (shared)
cache_module (shared)
cache_socache_module (shared)
socache_shmcb_module (shared)
socache_dbm_module (shared)
buffer_module (shared)
reqtimeout_module (shared)
filter_module (shared)
deflate_module (shared)
brotli_module (shared)
mime_module (shared)
log_config_module (shared)
env_module (shared)
expires_module (shared)
headers_module (shared)
unique_id_module (shared)
setenvif_module (shared)
version_module (shared)
proxy_module (shared)
proxy_fcgi_module (shared)
ssl_module (shared)
http2_module (shared)
unixd_module (shared)
status_module (shared)
info_module (shared)
cgid_module (shared)
negotiation_module (shared)
dir_module (shared)
alias_module (shared)
rewrite_module (shared)

[root@devgate:~] # cat /usr/local/etc/apache24/httpd.conf
ServerRoot "/usr/local"
PidFile "/var/run/httpd.pid"
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
#LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadFile /usr/local/lib/libxml2.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule brotli_module libexec/apache24/mod_brotli.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module libexec/apache24/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
    LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
    LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
<IfModule mpm_prefork_module>
    StartServers             16
    MinSpareServers          32
    MaxSpareServers          64
    MaxRequestWorkers       256
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_worker_module>
    StartServers             16
    ServerLimit              64
    ThreadsPerChild          64
    ThreadLimit             128
    MinSpareThreads         128
    MaxSpareThreads         256
    MaxRequestWorkers      1024
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_event_module>
    StartServers             16
    ServerLimit              64
    ThreadsPerChild          64
    ThreadLimit             128
    MinSpareThreads         128
    MaxSpareThreads         256
    MaxRequestWorkers      1024
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule unixd_module>
    User www
    Group www
</IfModule>
TraceEnable off
HttpProtocolOptions Strict LenientMethods Require1.0
<IfModule http2_module>
    Protocols h2 h2c http/1.1
    ProtocolsHonorOrder On
    H2MinWorkers 64
    H2MaxWorkers 128
    H2Padding 2
    H2EarlyHints On
    H2PushDiarySize 1024
    H2PushPriority * After 16
    H2PushPriority text/css Before
    H2PushPriority image/vnd.microsoft.icon Before
    H2PushPriority application/javascript Interleaved
    H2PushPriority text/javascript Interleaved
    H2StreamMaxMemSize 262144
    H2WindowSize 262144
</IfModule>
<IfModule log_config_module>
    <IfModule logio_module>
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b" common
    <IfModule ssl_module>
        <IfModule logio_module>
            LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combinediossl
        </IfModule>
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combinedssl
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" commonssl
    </IfModule>
</IfModule>
LogLevel info
<IfModule ssl_module>
    Listen 443
</IfModule>
Listen 80
Timeout 60
KeepAlive Off
KeepAliveTimeout 2
MaxKeepAliveRequests 100
UseCanonicalName On
HostnameLookups Double
ServerTokens OS
ServerSignature Off
AccessFileName .htaccess
AllowEncodedSlashes NoDecode
AddDefaultCharset UTF-8
<Directory "/">
    <IfModule allowmethods_module>
        AllowMethods GET POST OPTIONS
    </IfModule>
    Options None +FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<LocationMatch "^/?(.+/)*[\._]">
    Require all denied
</LocationMatch>
<LocationMatch "^/?(?:\.well-known)">
    Require all granted
</LocationMatch>
AliasMatch "^/?\.well-known/acme-challenge(.*)" "/data/www/acme/.well-known/acme-challenge$1"
<Directory "/data/www/acme">
    <IfModule allowmethods_module>
        AllowMethods GET
    </IfModule>
    Options None +FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
FileETag None
<IfModule headers_module>
    RequestHeader unset Proxy early
    Header always unset ETag
    Header unset ETag
</IfModule>
<IfModule dir_module>
    DirectoryIndex index.html index.htm index.php
</IfModule>
<IfModule cgi_module>
    <FilesMatch "\.(?:cgi|pl|py|rb)$">
        SetHandler cgi-script
    </FilesMatch>
</IfModule>
<IfModule cgid_module>
    <FilesMatch "\.(?:cgi|pl|py|rb)$">
        SetHandler cgi-script
    </FilesMatch>
    Scriptsock "/var/run/cgisock"
</IfModule>
<IfModule include_module>
    AddOutputFilter INCLUDES .shtml
</IfModule>
<IfModule mime_module>
    TypesConfig "etc/apache24/mime.types"
    AddType application/pkcs8                           key
    AddType application/pkcs10                          csr
    AddType application/x-pkcs7-crl                     crl
    AddType application/x-pem-file                      pem
    AddType application/x-gzip                          gz tgz
    AddType application/json                            map
    AddType application/ld+json                         jsonld
    AddType application/manifest+json                   manifest
    AddType text/markdown                               md
    AddType text/html                                   shtml
    <FilesMatch "favicon\.ico$">
        AddType image/vnd.microsoft.icon                ico
    </FilesMatch>
    AddEncoding gzip                                    svgz
    AddHandler type-map                                 var
    <IfModule negotiation_module>
        AddLanguage de             .de
        AddLanguage en             .en
        LanguagePriority en de
        ForceLanguagePriority Prefer Fallback
        AddCharset us-ascii.ascii  .us-ascii
        AddCharset ISO-8859-1      .iso8859-1   .latin1
        AddCharset ISO-8859-15     .iso8859-15  .latin9
        AddCharset UTF-8           .utf8
        AddCharset UTF-8 .atom \
                         .css \
                         .js \
                         .json \
                         .jsonld \
                         .md \
                         .manifest \
                         .rdf \
                         .rss \
                         .xml \
                         .xsl
    </IfModule>
</IfModule>
<IfModule mime_magic_module>
    MIMEMagicFile "etc/apache24/magic"
</IfModule>
<IfModule expires_module>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"
    ExpiresByType text/html                             "access plus 0 seconds"
    ExpiresByType application/xhtml+xml                 "access plus 0 seconds"
    ExpiresByType text/css                              "access plus 1 week"
    ExpiresByType application/javascript                "access plus 1 week"
    ExpiresByType text/javascript                       "access plus 1 week"
    ExpiresByType text/markdown                         "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"
    ExpiresByType text/xsl                              "access plus 0 seconds"
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>
<IfModule filter_module>
    <IfModule brotli_module>
        FilterDeclare  COMPRESS_BR CONTENT_SET
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/html\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/plain\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/css\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/javascript\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^text/x-component\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/javascript\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/x-javascript\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/json\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/xhtml\+xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/rss\+xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/atom\+xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^image/svg\+xml\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^image/x-icon\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^image/vnd\.microsoft\.icon\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/x-font-ttf\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/font-sfnt\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^application/vnd\.ms-fontobject\b#"
        FilterProvider COMPRESS_BR BROTLI_COMPRESS "%{Content_Type} =~ m#^font/opentype\b#"
        FilterProtocol COMPRESS_BR BROTLI_COMPRESS change=yes;byteranges=no
    </IfModule>
    <IfModule deflate_module>
        FilterDeclare  COMPRESS_GZ CONTENT_SET
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/html\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/plain\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/css\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/javascript\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^text/x-component\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/javascript\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/x-javascript\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/json\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/xhtml\+xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/rss\+xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/atom\+xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^image/svg\+xml\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^image/x-icon\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^image/vnd\.microsoft\.icon\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/x-font-ttf\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/font-sfnt\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^application/vnd\.ms-fontobject\b#"
        FilterProvider COMPRESS_GZ DEFLATE "%{Content_Type} =~ m#^font/opentype\b#"
        FilterProtocol COMPRESS_GZ DEFLATE change=yes;byteranges=no
    </IfModule>
    <If "%{HTTP:Accept-Encoding} =~ /\bbr\b/i">
        <IfModule brotli_module>
            FilterChain COMPRESS_BR
        </IfModule>
        <IfModule !brotli_module>
            <If "%{HTTP:Accept-Encoding} =~ /\bdeflate\b/i">
                <IfModule deflate_module>
                    FilterChain COMPRESS_GZ
                </IfModule>
            </If>
        </IfModule>
    </If>
    <ElseIf "%{HTTP:Accept-Encoding} =~ /\bdeflate\b/i">
        <IfModule deflate_module>
            FilterChain COMPRESS_GZ
        </IfModule>
    </ElseIf>
</IfModule>
<IfModule proxy_html_module>
    ProxyHTMLLinks  a               href
    ProxyHTMLLinks  area            href
    ProxyHTMLLinks  link            href
    ProxyHTMLLinks  img             src longdesc usemap
    ProxyHTMLLinks  object          classid codebase data usemap
    ProxyHTMLLinks  q               cite
    ProxyHTMLLinks  blockquote      cite
    ProxyHTMLLinks  ins             cite
    ProxyHTMLLinks  del             cite
    ProxyHTMLLinks  form            action
    ProxyHTMLLinks  input           src usemap
    ProxyHTMLLinks  head            profile
    ProxyHTMLLinks  base            href
    ProxyHTMLLinks  script          src for
    ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
                    onmouseover onmousemove onmouseout onkeypress \
                    onkeydown onkeyup onfocus onblur onload \
                    onunload onsubmit onreset onselect onchange
</IfModule>
<IfModule cache_module>
    CacheQuickHandler off
    CacheIgnoreURLSessionIdentifiers sid SID
    <IfModule cache_disk_module>
        CacheRoot "/data/www/cache/"
    </IfModule>
    <IfModule cache_socache_module>
        CacheSocache shmcb
    </IfModule>
</IfModule>
<IfModule userdir_module>
    UserDir disabled
    UserDir "/home/*/public_html"
    <Directory "/home/*/public_html">
        Options None +SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
    </Directory>
</IfModule>
<IfModule info_module>
    <Location "/.well-known/server-info">
        SetHandler server-info
        <RequireAny>
            Require host localhost
        </RequireAny>
    </Location>
</IfModule>
<IfModule status_module>
    <Location "/.well-known/server-status">
        SetHandler server-status
        <RequireAny>
            Require host localhost
        </RequireAny>
    </Location>
    <IfModule http2_module>
        <Location "/.well-known/server-status2">
            SetHandler http2-status
            <RequireAny>
                Require host localhost
            </RequireAny>
        </Location>
    </IfModule>
</IfModule>
<IfModule headers_module>
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Origin "null"
    <IfModule setenvif_module>
        SetEnvIf Origin ":" IS_CORS
        Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </IfModule>
    Header set Access-Control-Max-Age "600"
    Header set Upgrade-Insecure-Requests "1"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Content-Security-Policy "\
upgrade-insecure-requests; \
default-src 'self' 'unsafe-inline' 'unsafe-eval' https: wss: data: blob: filesystem:; \
form-action 'self' https: wss:; \
frame-ancestors 'self'; \
sandbox allow-forms allow-modals allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-DNS-Prefetch-Control "on"
    Header set X-Download-Options "noopen"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Timing-Allow-Origin "*"
</IfModule>
IncludeOptional "etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf"
ServerName localhost
ServerAdmin webmaster@example.com
CustomLog "/data/www/vhosts/_localhost_/logs/apache_access_log" combined
ErrorLog "/data/www/vhosts/_localhost_/logs/apache_error_log"
DocumentRoot "/data/www/vhosts/_localhost_/data"
<Directory "/data/www/vhosts/_localhost_/data">
    Options None +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Include "etc/apache24/vhosts.conf"
<IfModule ssl_module>
    SSLRandomSeed startup "file:/dev/urandom" 65536
    SSLRandomSeed connect "file:/dev/urandom" 65536
    SSLPassPhraseDialog builtin
    <IfModule socache_shmcb_module>
        SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLSessionCache "dbm:/var/run/ssl_scache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLSessionCache "nonenotnull"
        </IfModule>
    </IfModule>
    SSLHonorCipherOrder On
    SSLStrictSNIVHostCheck On
    SSLProtocol -ALL +TLSv1.2 +TLSv1.3
    SSLOptions +StrictRequire +StdEnvVars
    SSLCipherSuite "TLSv1.2 +CHACHA20 +AES +SHA !DH !AESCCM !CAMELLIA !PSK !RSA !SHA1 !SHA256 !SHA384 !kDHd !kDHr !kECDH !aDSS !aNULL"
    SSLCipherSuite TLSv1.3 "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
    SSLOpenSSLConfCmd Curves "X25519:X448:secp384r1:prime256v1"
    SSLOCSPEnable On
    SSLStaplingFakeTryLater Off
    SSLStaplingResponderTimeout 2
    SSLStaplingReturnResponderErrors Off
    SSLStaplingStandardCacheTimeout 86400
    <IfModule socache_shmcb_module>
        SSLUseStapling On
        SSLStaplingCache "shmcb:/var/run/stapling_cache(128000000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLUseStapling On
            SSLStaplingCache "dbm:/var/run/stapling_cache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLUseStapling Off
        </IfModule>
    </IfModule>
    Include "etc/apache24/vhosts-ssl.conf"
    <IfModule headers_module>
        Header set Public-Key-Pins "max-age=0; includeSubdomains"
        Header set Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"
        Header set Expect-CT "max-age=0"
        Header always edit* Set-Cookie "^(.*)(?i:\s*;\s*Secure)(.*)$" "$1$2"
        Header edit* Set-Cookie "^(.*)(?i:\s*;\s*Secure)(.*)$" "$1$2"
        Header always edit Set-Cookie "^(.*)$" "$1; Secure"
        Header edit Set-Cookie "^(.*)$" "$1; Secure"
    </IfModule>
</IfModule>
<IfModule headers_module>
    Header always edit* Set-Cookie "^(.*)(?i:\s*;\s*HttpOnly)(.*)$" "$1$2"
    Header edit* Set-Cookie "^(.*)(?i:\s*;\s*HttpOnly)(.*)$" "$1$2"
    Header always edit Set-Cookie "^(.*)$" "$1; HttpOnly"
    Header edit Set-Cookie "^(.*)$" "$1; HttpOnly"
    Header always edit* Set-Cookie "^(.*)(?i:\s*;\s*SameSite=[A-Za-z0-9]+)(.*)$" "$1$2"
    Header edit* Set-Cookie "^(.*)(?i:\s*;\s*SameSite=[A-Za-z0-9]+)(.*)$" "$1$2"
    Header always edit Set-Cookie "^(.*)$" "$1; SameSite=Lax"
    Header edit Set-Cookie "^(.*)$" "$1; SameSite=Lax"
    Header always unset Pragma
    Header unset Pragma
</IfModule>

[root@devgate:~] # cat /usr/local/etc/apache24/vhosts.conf
<VirtualHost *:80>
    ServerName devgate.example.com
    ServerAdmin webmaster@example.com
    CustomLog "/data/www/vhosts/_default_/logs/apache_access_log" combined
    ErrorLog "/data/www/vhosts/_default_/logs/apache_error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteCond "%{REQUEST_FILENAME}" "!^/?(?:\.well-known|robots\.txt|google.*\.html|BingSiteAuth\.xml)" [NC]
        RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,QSA,R=308]
    </IfModule>
    <FilesMatch "(.+\.phps?)(/.*)?$">
        ProxyFCGIBackendType GENERIC
        SetHandler "proxy:unix:/var/run/fpm_www.sock|fcgi://localhost"
    </FilesMatch>
    <Proxy "fcgi://localhost" enablereuse=on max=10>
    </Proxy>
</VirtualHost>

[root@devgate:~] # cat /usr/local/etc/apache24/vhosts-ssl.conf
<VirtualHost *:443>
    ServerName devgate.example.com
    ServerAdmin webmaster@example.com
    CustomLog "/data/www/vhosts/_default_/logs/apache_ssl_access_log" combinedssl
    ErrorLog "/data/www/vhosts/_default_/logs/apache_ssl_error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "(.+\.phps?)(/.*)?$">
        ProxyFCGIBackendType GENERIC
        SetHandler "proxy:unix:/var/run/fpm_www.sock|fcgi://localhost"
    </FilesMatch>
    <Proxy "fcgi://localhost" enablereuse=on max=10>
    </Proxy>
    SSLEngine on
    SSLCertificateFile "/data/ssl/example.com/devgate/fullchain.00.ecc.crt"
    SSLCertificateKeyFile "/data/ssl/example.com/_privkey.00.ecc.key"
    SSLCertificateFile "/data/ssl/example.com/devgate/fullchain.00.rsa.crt"
    SSLCertificateKeyFile "/data/ssl/example.com/_privkey.00.rsa.key"
</VirtualHost>

[root@devgate:~] #


Allerdings nutze ich echtes Blech und keinen vServer.

Für einen vServer würde ich die Werte für die MPMs erstmal runtersetzen (halbieren oder gar vierteln), in etwa so:
Code:
<IfModule mpm_prefork_module>
    StartServers              8
    MinSpareServers          16
    MaxSpareServers          32
    MaxRequestWorkers       128
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_worker_module>
    StartServers              8
    ServerLimit              32
    ThreadsPerChild          32
    ThreadLimit              64
    MinSpareThreads          64
    MaxSpareThreads         128
    MaxRequestWorkers       512
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_event_module>
    StartServers              8
    ServerLimit              32
    ThreadsPerChild          32
    ThreadLimit              64
    MinSpareThreads          64
    MaxSpareThreads         128
    MaxRequestWorkers       512
    MaxConnectionsPerChild 5000
</IfModule>

Vielleicht hilft Dir das ja etwas weiter.
 
Last edited:
Top