Apache HTTP Web server configuration
This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0).
The Apache web server configuration file is: /etc/httpd/conf/httpd.conf
Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:
- Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5, CentOS 4/5: /var/www/html/
- Red Hat 6.x and older: /home/httpd/html/
- Suse 9.x: /srv/www/htdocs/
- Ubuntu (dapper 6.06/hardy 8.04) / Debian: /var/www/html
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:
- Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
- Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.
[Potential Pitfall] The default umask normally gives newly created directories permissions Apache can use; if it does not, use: chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them next to the existing "Directory" directives was a bad idea: the .htaccess file would not be used, because the statement defining the use of the .htaccess file came after the "Directory" statement. Previously, in RH 6.x, the files were separate and the order was defined a little differently. I now place new "Directory" statements near the end of the file, just before the "VirtualHost" statements.
For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.
Files used by Apache:
- Start/stop/restart script:
  - Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
  - SuSE 9.3: /etc/init.d/apache2
  - Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
- Apache main configuration file:
  - Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
  - SuSE: /etc/apache2/httpd.conf (need to add the directive: ServerName host-name)
  - Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
- Apache supplementary configuration files:
  - Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
  - SuSE: /etc/apache2/conf.d/component.conf
  - Ubuntu (dapper 6.06/hardy 8.04) / Debian:
    - Virtual domains: /etc/apache2/sites-enabled/domain (a soft link in /etc/apache2/sites-enabled/ pointing to /etc/apache2/sites-available/domain turns the site on; the command a2ensite creates it for you)
    - Additional configuration directives: /etc/apache2/conf.d/
    - Modules to load: /etc/apache2/mods-available/ (soft link into /etc/apache2/mods-enabled/ to turn a module on)
    - Ports to listen on: /etc/apache2/ports.conf
- Log files:
  - Red Hat/Fedora Core: /var/log/httpd/access_log and error_log
  - SuSE: /var/log/apache2/
Start/Stop/Restart scripts: The script is run with one of the arguments start, stop, restart or status, e.g. /etc/rc.d/init.d/httpd restart. A restart stops and starts the web server, which re-reads the configuration files and picks up any changes. To have this script invoked at system boot, issue the command chkconfig --add httpd.
The Apache control tool can also be used: /usr/sbin/apachectl start
Apache Control Command: apachectl:
- Red Hat / Fedora Core / CentOS: apachectl directive
- Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive
Directives:
- start: Start the Apache httpd daemon. Gives an error if it is already running.
- stop: Stops the Apache httpd daemon.
- graceful: Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
- restart: Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
- status: Displays a brief status report.
- fullstatus: Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
- configtest (-t): Run a configuration file syntax test.
Apache Configuration Files:
- /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
- /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
- /etc/sysconfig/httpd: Holds environment variables used when starting Apache.
Basic settings: Change the default value for ServerName www.<your-domain.com>
Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the Directory directive. Start by denying access to everything, then grant access to the necessary directories.
Deny access completely to the file system root ("/") as the default:
- Deny first, then grant permissions:

    <Directory />
        Options None
        AllowOverride None
    </Directory>

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
Grant access to a user's web directory: public_html
- Enabling Red Hat / Fedora Linux, Apache public_html user directory access:
This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/
- File: /etc/httpd/conf/httpd.conf
    LoadModule userdir_module modules/mod_userdir.so
    ...
    <IfModule mod_userdir.c>
        # Comment out the following line:
        # UserDir disable
        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disable" line above, and uncomment
        # the following line instead:
        UserDir public_html
    </IfModule>
    ...
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

OR
Assign a single user the specific ability to share their directory:

    <Directory /home/user1/public_html>
        AllowOverride None
        Order allow,deny
        Allow from all
        Options Indexes Includes FollowSymLinks
    </Directory>
Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to the web directory: chmod ugo+rx -R public_html
Note that the user's home directory also has to have the appropriate permissions, as it is the parent of public_html.
Default permissions on a user directory: ls -l /home
    drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
Allow the web server to traverse the parent directory: chmod ugo+x /home/user1
    drwx--x--x 20 user1 user1 4096 Mar 5 12:16 user1
One may also use groups to control permissions.
- Enabling Ubuntu's Apache public_html user directory access:
Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to it from the directory /etc/apache2/mods-enabled/; the commands a2enmod/a2dismod enable/disable Apache modules by creating/removing these links.
- Example: [root@node2]# a2enmod
  A list of available modules is displayed. Enter "userdir" as the module to enable.
- Restart Apache with the following command: /etc/init.d/apache2 force-reload
Note: This is the same as manually generating the following two soft links:
- ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
- ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:
- drwx------ 3 userx userx
Fix with the command: chmod ugo+rx /home/userx
- drwxr-xr-x 3 userx userx
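As an added example (not part of the original tutorial), the shell function below automates the check behind this pitfall: it walks from the web directory up to a top directory (/ by default) and reports every directory on the path that the web server, which runs as a user other than the owner, cannot enter. The names check_web_path, mode_of and the TOP argument are my own.

```shell
#!/bin/sh
# check_web_path: report directories that would make httpd answer "403 Forbidden".
# httpd runs as apache/www-data, i.e. as "other" relative to user1, so every
# directory from / down to public_html needs the o+x (search) bit, and the
# web directory itself needs o+r as well for Indexes and file lookups.
# Hypothetical helper written for this tutorial, not part of Apache.

# Print the 10-character mode string of a path, e.g. "drwx------".
# ls -ld is used because stat(1) flags differ between GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage: check_web_path WEBDIR [TOP]
# Prints "MODE PATH" for each blocking directory between WEBDIR and TOP
# (default "/") and returns 1 if any was found, 0 if the path is traversable.
check_web_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "no such directory: $1" >&2
        return 2
    }
    top=$(cd "${2:-/}" && pwd -P)
    want='r?x'                       # the web directory itself needs o+rx
    blocked=0
    while :; do
        other=$(mode_of "$dir" | cut -c8-10)   # the "other" rwx triplet
        case "$other" in
            $want) ;;
            *) echo "$(mode_of "$dir") $dir"; blocked=1 ;;
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] && break        # safety stop if TOP is not an ancestor
        dir=$(dirname "$dir")
        want='??x'                       # ancestors only need to be searchable
    done
    return $blocked
}

# Typical use on the tutorial's layout:  check_web_path /home/user1/public_html /home
```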
SELinux security contexts:
- Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX (then reboot the system):
    SELINUX=disabled
When using SELinux security features, the security context labels must be added so that Apache can read your files. For newly created files the default security context label is inherited from the directory. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory: a move does not create a new file, so the file does not receive the directory's security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t). Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
- -R: Recursive. Files and directories in the current directory and all subdirectories.
- -h: Affect symbolic links.
- -t: Specify the type of security context.
Use the following security contexts:
- httpd_sys_content_t: Used for static web content, i.e. HTML web pages.
- httpd_sys_script_exec_t: Used for executable CGI scripts or binary executables.
- httpd_sys_script_rw_t: CGI is allowed to alter/delete files of this context.
- httpd_sys_script_ra_t: CGI is allowed to read or append files of this context.
- httpd_sys_script_ro_t: CGI is allowed to read files and directories of this context.
Set the following options: setsebool httpd-option true (or set to false)
- httpd_enable_cgi: Allow httpd CGI support.
- httpd_enable_homedirs: Allow httpd to read home directories.
- httpd_ssi_exec: Allow httpd to run SSI executables in the same domain as system CGI scripts.
Restart Apache:
- Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
- Red Hat/Fedora: service httpd restart
The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans
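As an added example, not part of the original tutorial, the following shell function audits ls -Z output for files that do not carry one of the httpd_* types listed above (typically user_home_t on a file that was mv'd rather than cp'd into public_html). The name find_mislabeled is my own and the sample listing is constructed.

```shell
#!/bin/sh
# find_mislabeled: audit "ls -Z" output for files httpd is not allowed to serve.
# A file mv'd into public_html keeps its old type (usually user_home_t) while a
# cp'd file inherits httpd_sys_content_t from the directory; this filter shows
# which entries still need "chcon -t httpd_sys_content_t".
# Hypothetical helper for this tutorial, not part of Apache or the SELinux tools.

# Types from the table above that httpd may read or execute.
HTTPD_TYPES="httpd_sys_content_t httpd_sys_script_exec_t httpd_sys_script_rw_t httpd_sys_script_ra_t httpd_sys_script_ro_t"

# Usage: ls -RZ /home/user1/public_html | find_mislabeled
# Handles both the old "mode user group context name" and the newer
# "context name" layouts of ls -Z. Prints "TYPE NAME" per mislabeled entry;
# names containing spaces are reported by their last word only.
find_mislabeled() {
    awk -v allowed="$HTTPD_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^total / || /:$/ || NF == 0 { next }   # skip ls headers, "dir:" lines, blanks
        {
            ctx = ""
            for (i = 1; i < NF; i++)            # context = field with user:role:type[:level]
                if (split($i, p, ":") >= 3) { ctx = $i; break }
            if (ctx == "") next                 # no SELinux context on this line
            split(ctx, p, ":")
            if (!(p[3] in ok)) print p[3], $NF
        }'
}

# Constructed sample listing: index.html and counter.cgi were copied in,
# notes.txt and old.html were moved in and kept user_home_t.
SAMPLE_LS='total 8
unconfined_u:object_r:httpd_sys_content_t:s0 index.html
unconfined_u:object_r:user_home_t:s0 notes.txt
-rwxr-xr-x user1 user1 user_u:object_r:httpd_sys_script_exec_t counter.cgi
-rw-r--r-- user1 user1 user_u:object_r:user_home_t old.html'

# Returns the mislabeled entries of the sample, one per line.
sample_mislabeled() {
    printf '%s\n' "$SAMPLE_LS" | find_mislabeled
}
```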
Virtual Hosts:
The Apache web server allows one to configure a single computer to represent multiple websites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:
- Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser, using the HTTP protocol, identifies the domain being addressed.
- IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.
Configuring a "name based" virtual host:
- A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated Linux server which hosts a single web site.)

    NameVirtualHost XXX.XXX.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX>
        # www is a CNAME (Bind DNS alias) specified in the Bind configuration file (/var/named/...)
        ServerName www.your-domain.com
        # Allows requests by domain name without the "www" prefix
        ServerAlias your-domain.com
        ServerAdmin user1@your-domain.com
        DocumentRoot /home/user1/public_html
        ErrorLog logs/your-domain.com-error_log
        TransferLog logs/your-domain.com-access_log
    </VirtualHost>

Notes:
- You can specify more than one IP address, e.g. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

    NameVirtualHost XXX.XXX.XXX.XXX
    NameVirtualHost 192.168.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>
    ...

- Use your IP address for XXX.XXX.XXX.XXX, and your actual domain name and e-mail address.
  One can use DNS views to provide different local network DNS results.
- Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.
- Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

    <Directory "/var/www/html">
    ... This part remains the same ...
    </Directory>

    # Default for when no domain name is given (i.e. access by IP address)
    <VirtualHost *:80>
        ServerAdmin user1@your-domain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>

    # Add a VirtualHost definition for your domain which was once the system default.
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName www.your-domain.com
        ServerAlias your-domain.com
        ServerAdmin user1@your-domain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>
    ...

- Forwarding to a primary URL: It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".

    <VirtualHost XXX.XXX.XXX.XXX>
        # Note that no aliases are listed
        ServerName www.your-domain.com
        ...
    </VirtualHost>

    # Add a VirtualHost definition to forward to your primary URL
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName your-domain.com
        ServerAlias other-domain.com
        ServerAlias www.other-domain.com
        Redirect permanent / http://www.your-domain.com/
    </VirtualHost>
    ...
- More virtual host examples.
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.
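Added example, not from the original tutorial: a small awk-based parser that lists the ServerName of every VirtualHost in a configuration fragment and marks the first one for each address, which is the block Apache uses for requests whose Host header matches no ServerName or ServerAlias (the situation behind the note that the old system default stops working). The names vhost_defaults, sample_defaults and the constructed SAMPLE_CONF are my own.

```shell
#!/bin/sh
# vhost_defaults: list name-based virtual hosts and mark each address's default.
# Apache picks the first <VirtualHost> listed for an address when no
# ServerName/ServerAlias matches the request, so that block answers requests
# made by bare IP address or carrying an unknown Host header.
# Hypothetical helper for this tutorial, not an Apache tool; only the first
# address of a multi-address <VirtualHost a b> block is reported.

# Usage: vhost_defaults < httpd.conf
# Output: "ADDRESS SERVERNAME" per block, with " (default for ADDRESS)" on
# the first block seen for that address.
vhost_defaults() {
    awk '
        tolower($1) == "<virtualhost" {
            addr = $2; sub(/>$/, "", addr); name = "(no ServerName)"
        }
        tolower($1) == "servername" && addr != "" { name = $2 }
        tolower($1) == "</virtualhost>" {
            tag = (addr in seen) ? "" : " (default for " addr ")"
            seen[addr] = 1
            print addr, name tag
            addr = ""
        }'
}

# Constructed configuration fragment following the tutorial: the former
# system-default site is now a VirtualHost, followed by a bare-domain redirect
# and a catch-all for requests that arrive by IP address.
SAMPLE_CONF='NameVirtualHost 10.0.0.5
<VirtualHost 10.0.0.5>
    ServerName www.your-domain.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost 10.0.0.5>
    ServerName your-domain.com
    Redirect permanent / http://www.your-domain.com/
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>'

# Runs the parser over the constructed fragment.
sample_defaults() {
    printf '%s\n' "$SAMPLE_CONF" | vhost_defaults
}

# Real use: vhost_defaults < /etc/httpd/conf/httpd.conf
```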
After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)
Apache virtual domain configuration with Ubuntu Dapper/Hardy:
Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created in the directory /etc/apache2/sites-enabled/.
- Example: /etc/apache2/sites-available/supercorp

    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName supercorp.com
        ServerAlias www.supercorp.com
        ServerAdmin webmaster@localhost
        DocumentRoot /home/supercorp/public_html/home
        <Directory "/">
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /home/supercorp/public_html/home>
            Options Indexes FollowSymLinks MultiViews
            IndexOptions SuppressLastModified SuppressDescription
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
        <Directory "/home/supercorp/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        ErrorLog /var/log/apache2/supercorp.com-error.log
        # Possible values include: debug, info, notice, warn, error,
        # crit, alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/supercorp.com-access.log combined
        ServerSignature On
    </VirtualHost>
- Create soft link:
  - Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
  - Use the Ubuntu scripts a2ensite/a2dissite. Type the command and it will prompt you for the site you would like to enable or disable.
- Restart Apache, using one of:
  - apache2ctl graceful
  - /etc/init.d/apache2 restart
  - /etc/init.d/apache2 reload
Man pages:
- a2ensite/a2dissite (Ubuntu: Apache 2 enable/disable site)
- apache2ctl
Configuring an "IP based" virtual host:
- One may assign multiple IP addresses to a single network interface. Each IP address may then be its own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses, which usually costs more. The standard name based virtual hosting method above is more popular for this reason.

    # "*" indicates all IP addresses
    NameVirtualHost *
    <VirtualHost *>
        ServerAdmin user0@default-domain.com
        DocumentRoot /home/user0/public_html
    </VirtualHost>
    <VirtualHost XXX.XXX.XXX.101>
        ServerAdmin user1@domain-1.com
        DocumentRoot /home/user1/public_html
    </VirtualHost>
    <VirtualHost XXX.XXX.XXX.102>
        ServerAdmin user1@domain-2.com
        DocumentRoot /home/user2/public_html
    </VirtualHost>
CGI: (Common Gateway Interface)
CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
- ScriptAlias:
  - Red Hat 7.x-9, Fedora Core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  - Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
  - Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
  - Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
- Options +ExecCGI:

    <Directory /var/www/cgi-bin>
        Options +ExecCGI
    </Directory>
Configuring CGI To Run With User Privileges:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

    NameVirtualHost XXX.XXX.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName node1.your-domain.com
        # your-domain.com allows requests by domain name without the "www" prefix;
        # www is a CNAME (alias) specified in the Bind configuration file (/var/named/...)
        ServerAlias your-domain.com www.your-domain.com
        ServerAdmin user1@your-domain.com
        DocumentRoot /home/user1/public_html/your-domain.com
        ErrorLog logs/your-domain.com-error_log
        TransferLog logs/your-domain.com-access_log
        SuexecUserGroup user1 user1
        <Directory /home/user1/public_html/your-domain.com/>
            Options +ExecCGI +Indexes
            AddHandler cgi-script .cgi
        </Directory>
    </VirtualHost>
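As an added example, not from the original tutorial, this shell function checks the ownership and permission rules that suexec enforces before it will run a script as the SuexecUserGroup target (script and its directory owned by that user and group, neither writable by group or others, no setuid/setgid bit), so a CGI that suexec refuses can be diagnosed from the file system. The name suexec_precheck is my own.

```shell
#!/bin/sh
# suexec_precheck: verify the file-system conditions suexec checks before
# executing a CGI as the SuexecUserGroup user/group. suexec refuses to run a
# script whose owner or group differs from the target, that is writable by
# group or others (likewise its directory), or that carries setuid/setgid.
# Hypothetical helper for this tutorial, not part of Apache's suexec.

# Usage: suexec_precheck USER GROUP DIR
# Prints "REASON PATH" for each violation found on DIR and its *.cgi files;
# returns 0 when everything would pass, 1 otherwise.
suexec_precheck() {
    user=$1; group=$2; dir=$3
    bad=0
    for f in "$dir" "$dir"/*.cgi; do
        [ -e "$f" ] || continue                 # no *.cgi files: glob stays literal
        set -- $(ls -ld "$f")                   # fields: mode links owner group ...
        mode=$1; owner=$3; grp=$4
        [ "$owner" = "$user" ] || { echo "owner-not-$user $f"; bad=1; }
        [ "$grp" = "$group" ]  || { echo "group-not-$group $f"; bad=1; }
        case "$mode" in                         # mode chars 6 and 9 are the g/o write bits
            ?????w*|????????w*) echo "writable-by-others $f"; bad=1 ;;
        esac
        case "$mode" in                         # chars 4 and 7 show setuid/setgid as s/S
            ???[sS]*|??????[sS]*) echo "setuid-or-setgid $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Tutorial layout:  suexec_precheck user1 user1 /home/user1/public_html/your-domain.com
```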
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:

    ErrorDocument 404 /Error404-missing.html
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):
- php: HTML-embedded scripting language
- php-pear: PEAR is a framework and distribution system for reusable PHP components.
- php-mysql: MySQL database support.
- php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
- Add the PHP default page index.php to the Apache config file /etc/httpd/conf/httpd.conf:

    ...
    DirectoryIndex index.html index.htm index.php
    ...

- PHP configuration file:
  - RHEL4 - PHP 4.3: /etc/php.ini
  - Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini

    [PHP]
    engine = On
    ...
    display_errors = Off
    include_path = ".:/php/includes"
    ...
    memory_limit = 32M                   ; Default is typically 8MB which is too low.
    ...
    [MySQL]
    ...
    mysql.default_host = superserver     ; Hostname of the computer
    mysql.default_user = dbuser
    ...

Note that changes will not take effect until the Apache web server daemon is restarted.
Test your PHP capabilities with this test file: /home/user1/public_html/test.php

    <?php
    phpinfo();
    ?>

or, in short-tag form:

    <? phpinfo(); ?>
Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache.
Apache Man Pages:
- httpd - Apache Hypertext Transfer Protocol Server
- apachectl - Apache HTTP Server Control Interface
- ab - Apache HTTP server benchmarking tool
- htdigest - manage user files for digest authentication
- htpasswd - Manage user files for basic authentication
- logresolve - Resolve IP-addresses to hostnames in Apache log files
- rotatelogs - Piped logging program to rotate Apache logs
Log file analysis:
Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics.
- Analog - Also see Report Magic for Analog
- Webalizer
- AWStats - (requires PERL)
Load testing your server:
- PureLoad - JAVA load testing and reporting tool.
- WebPerformance Trainer - Load Testing Tools.
Apache Links:
- CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
- Thumbprint - CGI for viewing a directory of images as thumbnails
- WWWThreads.org - Commercial product - Advanced Web Conferencing Software
- Configuring https (mod_ssl):
Log file analysis using Analog:
Installation:
- Red Hat / Fedora: yum install analog
- Ubuntu / Debian: apt-get install analog
- Configuration file /etc/analog.cfg:

    LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com
    UNCOMPRESS *.gz,*.Z "gzip -cd"
    SUBTYPE *.gz,*.Z
    # OUTFILE /home/user1/public_html/analog/Report.html
    # HOSTNAME "YourDomain.com"
    HOSTURL http://www.your-domain.com
    ...
    REQINCLUDE pages     # Request page stats only
    ALL ON
    LANGUAGE US-ENGLISH
Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog
Log file location:
- Red Hat / Fedora: /var/log/httpd/
- Ubuntu / Debian: /var/log/apache2/
Analog directives:
- MONTHLY ON: one line for each month
- WEEKLY ON: one line for each week
- DAILYREP ON: one line for each day
- DAILYSUM ON: one line for each day of the week
- HOURLYREP ON: one line for each hour of the day
- GENERAL ON: the General Summary at the top
- REQUEST ON: which files were requested
- FAILURE ON: which files were not found
- DIRECTORY ON: Directory Report
- HOST ON: which computers requested files
- ORGANISATION ON: which organisations they were from
- DOMAIN ON: which countries they were in
- REFERRER ON: where people followed links from
- FAILREF ON: where people followed broken links from
- SEARCHQUERY ON: the phrases and words they used...
- SEARCHWORD ON: ...to find you from search engines
- BROWSERSUM ON: which browser types people were using
- OSREP ON: and which operating systems
- FILETYPE ON: types of file requested
- SIZE ON: sizes of files requested
- STATUS ON: number of each type of success and failure
- Script to generate a report for each domain (each domain's configuration is copied over /etc/analog.cfg before analog is run):

    #!/bin/sh
    # Install each domain's Analog configuration as /etc/analog.cfg and run
    # analog on it; stop at the first failure so a report is not built from
    # the previous domain's configuration.
    set -e
    cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
    /usr/bin/analog
    cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
    /usr/bin/analog
    ...