2010. 4. 28. 16:13

Apache HTTP Web server configuration


This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0).
The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

Default "DocumentRoot" by Linux distribution:

  • Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5, CentOS 4/5: /var/www/html/
  • Red Hat 6.x and older: /home/httpd/html/
  • Suse 9.x: /srv/www/htdocs/
  • Ubuntu (dapper 6.06/hardy 8.04) / Debian: /var/www/html

The default home page for the default configuration is index.html. Note that the pages should not be owned by user apache, as this is the process owner of the httpd web server daemon. If the web server process is compromised, it should not be able to alter the files. The files should of course be readable by user apache.

Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

  • Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
  • Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.
The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall] The default umask normally gives newly created directories suitable permissions; if it does not, set them explicitly: chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them next to the existing "Directory" directives was a bad idea: the .htaccess file was not used, because the statement enabling the use of the .htaccess file came after the "Directory" statement. Previously, in RH 6.x, the files were separated and the order was defined a little differently. I now place new "Directory" statements near the end of the file, just before the "VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

  • Start/stop/restart script:
    • Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
    • SuSE 9.3: /etc/init.d/apache2
    • Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
  • Apache main configuration file:
    • Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
    • SuSE: /etc/apache2/httpd.conf
      (Need to add directive: ServerName host-name)
    • Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
  • Apache supplementary configuration files:
    • Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
    • SuSE: /etc/apache2/conf.d/component.conf
    • Ubuntu (dapper 6.06/hardy 8.04) / Debian:
      • Virtual domains: /etc/apache2/sites-enabled/domain
        (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command a2ensite)
      • Additional configuration directives: /etc/apache2/conf.d/
      • Modules to load: /etc/apache2/mods-available/
        (Soft link to /etc/apache2/mods-enabled/ to turn on)
      • Ports to listen to: /etc/apache2/ports.conf
  • /var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
    (Suse: /var/log/apache2/)

Start/Stop/Restart scripts: The script is run with one of the qualifiers start, stop, restart or status,
e.g. /etc/rc.d/init.d/httpd restart. A restart stops and starts the web server so that it re-reads the configuration files and picks up any changes. To have this script invoked upon system boot, issue the command chkconfig --add httpd.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive

  • start: Start the Apache httpd daemon. Gives an error if it is already running.
  • stop: Stops the Apache httpd daemon.
  • graceful: Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
  • restart: Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
  • status: Displays a brief status report.
  • fullstatus: Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
  • configtest (or -t): Run a configuration file syntax test.

Apache Configuration Files:

  • /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
  • /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
  • /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories.

Deny access completely to file system root ("/") as the default:

Deny first, then grant permissions:
   
<Directory />
   Options None
   AllowOverride None
</Directory>

Set default location of system web pages and allow access: (Red Hat/Fedora/CentOS)
   
DocumentRoot "/var/www/html"

<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

Grant access to a user's web directory: public_html

  • Enabling Red Hat / Fedora Linux, Apache public_html user directory access:

    This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

    File: /etc/httpd/conf/httpd.conf
    LoadModule userdir_module modules/mod_userdir.so
    
    ...
    ...
    
    <IfModule mod_userdir.c>
        #UserDir disable             - Add comment to this line
        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disable" line above, and uncomment
        # the following line instead:
        UserDir public_html          # Uncomment this line
    </IfModule>
    
    ...
    ...
    
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
    
    Turn the Fedora Core default line UserDir disable into a comment (add "#" at the beginning of the line) and assign the directory public_html as a web server accessible directory.
    OR
    Assign a single user the specific ability to share their directory:
     <Directory /home/user1/public_html>
       AllowOverride None
       order allow,deny
       allow from all
       Options Indexes Includes FollowSymLinks
    </Directory>
    
    Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/
    Also use SELinux command to set the security context: setsebool httpd_enable_homedirs true

    Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to web directory: chmod ugo+rx -R public_html.
    Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html.
    Default permissions on user directory: ls -l /home
    drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
    Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
    drwx--x--x 20 user1 user1 4096 Mar 5 12:16 user1

    One may also use groups to control permissions.

  • Enabling Ubuntu's Apache public_html user directory access:

    Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, a soft link is created in the directory /etc/apache2/mods-enabled/; use the commands a2enmod/a2dismod to enable/disable Apache modules.

    Example:
    • [root@node2]# a2enmod
      A list of available modules is displayed. Enter "userdir" as the module to enable.
    • Restart Apache with the following command: /etc/init.d/apache2 force-reload

    Note: This is the same as manually generating the following two soft links:

    • ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
    • ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
    Man page: a2enmod/a2dismod

    [Potential Pitfall]: If the Apache web server cannot access the file, you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note that the default permissions on a user directory when first created with "useradd" are:

    drwx------ 3 userx userx
    You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
    Fix with command: chmod ugo+rx /home/userx
    drwxr-xr-x 3 userx userx

SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config.
SELinux can be turned off by setting the SELINUX directive (then reboot the system):

SELINUX=disabled

or by using the command setenforce 0 to temporarily disable SELinux until the next reboot.

When using SELinux security features, the security context labels must be set so that Apache can read your files. The security context label of a newly created file is inherited from its directory. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory: a move does not create a new file, so the file does not receive the directory's security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:

  • -R: Recursive. Files and directories in current directory and all subdirectories.
  • -h: Affect symbolic links.
  • -t: Specify type of security context.

Use the following security contexts:

  • httpd_sys_content_t: Used for static web content, i.e. HTML web pages.
  • httpd_sys_script_exec_t: Used for executable CGI scripts or binary executables.
  • httpd_sys_script_rw_t: CGI is allowed to alter/delete files of this context.
  • httpd_sys_script_ra_t: CGI is allowed to read or append files of this context.
  • httpd_sys_script_ro_t: CGI is allowed to read files and directories of this context.

Set the following options: setsebool httpd-option true
(or set to false)

  • httpd_enable_cgi: Allow httpd CGI support.
  • httpd_enable_homedirs: Allow httpd to read home directories.
  • httpd_ssi_exec: Allow httpd to run SSI executables in the same domain as system CGI scripts.

Then restart Apache:
  • Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
  • Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans  

Virtual Hosts:

The Apache web server allows one to configure a single computer to represent multiple websites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:
  • Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser, using the HTTP protocol, identifies the domain being addressed.
  • IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)

NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
   ServerName www.your-domain.com         - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/...)
   ServerAlias your-domain.com            - Allows requests by domain name without the "www" prefix.
   ServerAdmin user1@your-domain.com
   DocumentRoot /home/user1/public_html
   ErrorLog logs/your-domain.com-error_log
   TransferLog logs/your-domain.com-access_log
</VirtualHost>

Notes:

  • You can specify more than one IP address, e.g. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.
    NameVirtualHost XXX.XXX.XXX.XXX
    NameVirtualHost 192.168.XXX.XXX
    
    <VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>
       ...
       ..
    
  • Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
    One can use DNS views to provide different local network DNS results.

  • Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.

  • Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.
    <Directory "/var/www/html">
    
       ...  This part remains the same
       ..
    
    </Directory>
    
    # Default for when no domain name is given (i.e. access by IP address)
    
    <VirtualHost *:80>
       ServerAdmin user1@your-domain.com
       DocumentRoot /var/www/html
       ErrorLog logs/error_log
       TransferLog logs/access_log
    </VirtualHost>
    
    # Add a VirtualHost definition for your domain which was once the system default.
    
    <VirtualHost XXX.XXX.XXX.XXX>
       ServerName www.your-domain.com
       ServerAlias your-domain.com
       ServerAdmin user1@your-domain.com
       DocumentRoot /var/www/html
       ErrorLog logs/error_log
       TransferLog logs/access_log
    </VirtualHost>
    
       ...
       ..

  • Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".
    <VirtualHost XXX.XXX.XXX.XXX>
       ServerName www.your-domain.com   - Note that no aliases are listed
       ...
       ...
    </VirtualHost>
    
    # Add a VirtualHost definition to forward to your primary URL
    
    <VirtualHost XXX.XXX.XXX.XXX>
       ServerName your-domain.com
       ServerAlias other-domain.com
       ServerAlias www.other-domain.com
       Redirect permanent / http://www.your-domain.com/
    </VirtualHost>
    
       ...
       ..
        

  • More virtual host examples.

When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.
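
As an added example (not from the tutorial), the following Python script simulates how Apache picks a virtual host for a request, applying the rules the notes above rely on: blocks bound to the exact IP address that received the request are chosen over a "*" block, then ServerName and ServerAlias are compared with the Host header, and when nothing matches the first block listed for that address serves the request. The IP addresses, domain names and paths are constructed placeholders.

```python
"""Simulate Apache name-based virtual host selection.

Added example, not part of the original tutorial. It applies the rules the
notes above rely on: the request's IP address first picks the set of
<VirtualHost> blocks (an exact IP match beats "*"), then the Host header is
compared with ServerName and ServerAlias (aliases may use * and ?), and if
nothing matches the FIRST block listed for that address is the default.
IP addresses and domain names below are constructed placeholders.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class VHost:
    address: str                          # IP as in <VirtualHost addr> or "*"
    server_name: Optional[str] = None     # ServerName
    aliases: List[str] = field(default_factory=list)   # ServerAlias entries
    document_root: str = ""               # DocumentRoot
    redirect: Optional[str] = None        # target of "Redirect permanent /"

    def matches(self, host: str) -> bool:
        """True if ServerName or any ServerAlias matches the Host header."""
        if self.server_name and self.server_name.lower() == host:
            return True
        # fnmatchcase gives shell-style * and ? like Apache's ServerAlias
        return any(fnmatchcase(host, a.lower()) for a in self.aliases)


def select_vhost(vhosts: List[VHost], ip: str, host_header: str) -> VHost:
    """Return the block Apache would use for a request that arrived on `ip`
    carrying the given Host header (an optional :port is ignored)."""
    host = host_header.split(":", 1)[0].lower()
    # 1. address match: blocks bound to this exact IP, else wildcard blocks
    candidates = [v for v in vhosts if v.address == ip]
    if not candidates:
        candidates = [v for v in vhosts if v.address == "*"]
    if not candidates:
        raise LookupError(f"no VirtualHost bound to {ip}")
    # 2. name match within that address list, in configuration order
    for v in candidates:
        if v.matches(host):
            return v
    # 3. no name matched: the first block for this address is the default
    return candidates[0]


def serve(vhosts: List[VHost], ip: str, host_header: str) -> Tuple[str, str]:
    """Outcome as ("redirect", target) or ("serve", DocumentRoot)."""
    v = select_vhost(vhosts, ip, host_header)
    if v.redirect:
        return ("redirect", v.redirect)
    return ("serve", v.document_root)


# Constructed configuration laid out like the notes above: a wildcard
# default, the primary site, then the block that redirects to the primary URL.
VHOSTS = [
    VHost("*", document_root="/var/www/html"),
    VHost("203.0.113.10", "www.your-domain.com",
          document_root="/home/user1/public_html"),
    VHost("203.0.113.10", "your-domain.com",
          aliases=["other-domain.com", "*.other-domain.com"],
          redirect="http://www.your-domain.com/"),
]

if __name__ == "__main__":
    for ip, host in [("203.0.113.10", "www.your-domain.com"),
                     ("203.0.113.10", "www.other-domain.com"),
                     ("203.0.113.10", "203.0.113.10"),   # access by bare IP
                     ("192.0.2.5", "anything.example")]:
        print(f"{ip:<14} Host: {host:<22} -> {serve(VHOSTS, ip, host)}")
```

Note in the output that a request by bare IP on the explicitly configured address lands on the first block for that address rather than on the "*" block, so check which site an unmatched Host header will reach before placing content there.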

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created in the directory /etc/apache2/sites-enabled/.
Example: /etc/apache2/sites-available/supercorp
<VirtualHost XXX.XXX.XXX.XXX>
        ServerName supercorp.com
        ServerAlias www.supercorp.com
        ServerAdmin webmaster@localhost

        DocumentRoot /home/supercorp/public_html/home
        <Directory "/">
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /home/supercorp/public_html/home>
                Options Indexes FollowSymLinks MultiViews
                IndexOptions SuppressLastModified SuppressDescription
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
        <Directory "/home/supercorp/cgi-bin/">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/supercorp.com-error.log

        # Possible values include: debug, info, notice, warn, error,
        # crit, alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/supercorp.com-access.log combined
        ServerSignature On
</VirtualHost>
Enable domain:
  • Create soft link:
    • Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
    • Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
  • Restart Apache:
    • apache2ctl graceful
      or
    • /etc/init.d/apache2 restart
      or
    • /etc/init.d/apache2 reload
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.

Man pages:

  • a2ensite/a2dissite (Ubuntu: Apache 2 enable/disable site)
  • apache2ctl

Configuring an "IP based" virtual host:

One may assign multiple IP addresses to a single network interface. Each IP address may then be its own virtual server and individual domain. The downside of the "IP based" virtual host method is that you must possess multiple/extra IP addresses, which usually costs more. The standard name based virtual hosting method above is more popular for this reason.
   
NameVirtualHost *              - Indicates all IP addresses

<VirtualHost *>
   ServerAdmin user0@default-domain.com
   DocumentRoot /home/user0/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.101>
   ServerAdmin user1@domain-1.com
   DocumentRoot /home/user1/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.102>
   ServerAdmin user1@domain-2.com
   DocumentRoot /home/user2/public_html
</VirtualHost>
The <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URLs.

CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
  • ScriptAlias:
    • Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    • Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
    • Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
    • Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
    or
  • Options +ExecCGI:
    <Directory /var/www/cgi-bin>
    Options +ExecCGI
    </Directory>
The executable program files must have execute permission for the process owner under which the httpd daemon runs (Red Hat 7+/Fedora Core: apache; older releases use nobody).

Configuring CGI To Run With User Privileges:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
   ServerName node1.your-domain.com                         - Allows requests by domain name without the "www" prefix.
   ServerAlias your-domain.com www.your-domain.com          - CNAME (alias www) specified in Bind configuration file (/var/named/...)
   ServerAdmin user1@your-domain.com
   DocumentRoot /home/user1/public_html/your-domain.com
   ErrorLog logs/your-domain.com-error_log
   TransferLog logs/your-domain.com-access_log
  
   SuexecUserGroup user1 user1
   <Directory /home/user1/public_html/your-domain.com/>
      Options +ExecCGI +Indexes
      AddHandler cgi-script .cgi
   </Directory>
</VirtualHost>

ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

   ErrorDocument 404 /Error404-missing.html
Create the file Error404-missing.html in your "DocumentRoot" directory.

PHP:

If the appropriate php, perl and httpd RPMs are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM packages (RHEL4):

  • php: HTML-embedded scripting language
  • php-pear: PEAR is a framework and distribution system for reusable PHP components.
  • php-mysql: MySQL database support.
  • php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf
...

DirectoryIndex index.html index.htm index.php

...
PHP Configuration File:
  • RHEL4 - PHP 4.3: /etc/php.ini
  • Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini
[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M   ; Default is typically 8MB which is too low.
...
...

[MySQL]
...
...
mysql.default_host = superserver    ; Hostname of the computer
mysql.default_user = dbuser
...
Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is restarted.

Test your PHP capabilities with this test file: /home/user1/public_html/test.php

<?php
phpinfo();
?>
OR (older format)
<?
   phpinfo();
?>
Test: http://localhost/~user1/test.php

Running Multiple instances of httpd:

The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache.

Apache Man Pages:

  • httpd - Apache Hypertext Transfer Protocol Server
  • apachectl - Apache HTTP Server Control Interface
  • ab - Apache HTTP server benchmarking tool
  • htdigest - manage user files for digest authentication
  • htpasswd - Manage user files for basic authentication
  • logresolve - Resolve IP-addresses to hostnames in Apache log files
  • rotatelogs - Piped logging program to rotate Apache logs


Log file analysis:

Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics.

Log file analysis using Analog:

Installation:

  • Red Hat / Fedora: yum install analog
  • Ubuntu / Debian: apt-get install analog
Installation packages also available from the Analog downloads page.

Configuration file: /etc/analog.cfg
LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com
UNCOMPRESS *.gz,*.Z "gzip -cd"
SUBTYPE *.gz,*.Z
#
OUTFILE /home/user1/public_html/analog/Report.html
#
HOSTNAME "YourDomain.com"
HOSTURL  http://www.your-domain.com

....
...
..

REQINCLUDE pages                  # Request page stats only
ALL ON
LANGUAGE US-ENGLISH
One can view the settings which will be used with your configuration file (also good for debugging): analog -settings

Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

  • Red Hat / Fedora: /var/log/httpd/
  • Ubuntu / Debian: /var/log/apache2/
The directive ALL ON turns on all of the following Analog directives:

  • MONTHLY ON: one line for each month
  • WEEKLY ON: one line for each week
  • DAILYREP ON: one line for each day
  • DAILYSUM ON: one line for each day of the week
  • HOURLYREP ON: one line for each hour of the day
  • GENERAL ON: the General Summary at the top
  • REQUEST ON: which files were requested
  • FAILURE ON: which files were not found
  • DIRECTORY ON: Directory Report
  • HOST ON: which computers requested files
  • ORGANISATION ON: which organisations they were from
  • DOMAIN ON: which countries they were in
  • REFERRER ON: where people followed links from
  • FAILREF ON: where people followed broken links from
  • SEARCHQUERY ON: the phrases and words they used...
  • SEARCHWORD ON: ...to find you from search engines
  • BROWSERSUM ON: which browser types people were using
  • OSREP ON: and which operating systems
  • FILETYPE ON: types of file requested
  • SIZE ON: sizes of files requested
  • STATUS ON: number of each type of success and failure
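
The Analog reports above are built from the "combined" access log lines Apache writes (CustomLog ... combined). As an added example (not from the tutorial and not Analog's code), this Python script parses such lines, counts status codes and requested paths, and lists the 4xx/5xx failures, which is where a "403 Forbidden" from a user directory the web server cannot read shows up. The sample log lines are constructed, and lines that do not parse are counted rather than guessed at.

```python
"""Summarise Apache "combined" access log lines.

Added example, not part of the tutorial and not Analog's code. It reads the
format written by `CustomLog ... combined`, tolerates lines that do not parse,
and produces the counts behind the STATUS, REQUEST and FAILURE reports listed
above. The log lines are constructed samples, not real traffic.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Combined Log Format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines. The 403 is the case the tutorial warns about:
# a user directory the web server cannot read.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2010:12:16:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2010:12:16:02 +0000] "GET /~user1/test.php HTTP/1.1" 403 289 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2010:12:17:44 +0000] "GET /missing.html HTTP/1.1" 404 301 "http://www.your-domain.com/" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2010:12:17:45 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
this line is truncated and must not be guessed at
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    # "GET /path HTTP/1.1" -> method and path (protocol dropped)
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarise(log_text: str) -> dict:
    """Count status codes and paths; list 4xx/5xx requests with their client."""
    status: Counter = Counter()
    paths: Counter = Counter()
    failures: List[Tuple[str, str, str]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, do not silently drop
            continue
        status[rec["status"]] += 1
        paths[rec["path"]] += 1
        if rec["status"][0] in "45":
            failures.append((rec["status"], rec["path"], rec["host"]))
    return {"status": dict(status), "top": paths.most_common(),
            "failures": failures, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("status codes:", report["status"])
    print("most requested:", report["top"][:3])
    for code, path, client in report["failures"]:
        print(f"failure {code} {path} from {client}")
    print("unparsed lines:", report["unparsed"])
```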
Cron job to handle multiple domains: /etc/cron.daily/analog
#!/bin/sh
cp /opt/etc/analog-domain1.com.cfg      /etc/analog.cfg
/usr/bin/analog
cp /opt/etc/analog-domain2.com.cfg      /etc/analog.cfg
/usr/bin/analog

...