HOWTOlabs.net - Apache Configuration Tips

Elsewhere

DigitalOcean: Multiple SSL
Certificates on One IP,
Apache vs nginx
CentOS
Ars Technica: Why HTTPS?
Tao of Mac: Apache SSL in a nutshell,
https certifcates
web serving for human beings:
tricks, .htaccess example
www.apache.org

Related

Apache

For almost all environments except Microsoft Windows, Apache is the to go to service for serving web pages. Alternatives include IIS and ngnix, but unless you have very special hosting requirements, knowing how to setup and maintain web hosting with Apache will cover all but the most demanding web server needs..

Typically Apache is run as the httpd service
Typically configuration files are at ...: /etc/httpd/...
Default file serving directory is ...: /var/www/html

Fancy Indexing, customizing directory file listings [ edit ]

# cat .htaccess
  Options +Indexes

  <IfModule mod_autoindex.c>
      IndexOptions FancyIndexing NameWidth=*
      AddDescription "GZIP tar archive" .tgz .tar.gz
      AddDescription "RedHat Package" .rpm
      AddDescription "Debian Package" .deb
      IndexIgnore RCS CVS *,v *,t .DS_Store *.log
      IndexIgnore .??* RCS CVS *,v *,t .DS_Store
  </IfModule>

Error page instead of Index Page for root folders

In some versions of Linux, Apache is preconfigured to disable Indexes for the root folder. Often the directive in NOT in httpd.conf but in welcome.conf

# pwd
  /etc/httpd

# diff conf.d/welcome.conf
  7,10c7,10
  < <LocationMatch "^/+$">
  <     Options -Indexes
  <     ErrorDocument 403 /error/noindex.html
  < </LocationMatch>
  ---
  > #<LocationMatch "^/+$">
  > #    Options -Indexes
  > #    ErrorDocument 403 /error/noindex.html
  > #</LocationMatch>

2 GByte file limitation

Apache does not handle serving files larger than 2 GBytes. If Options Indexes is enabled, large files will simply not show in the list.

Allegedly an upcoming release may soon support large files. But wait! Should it? Apache is suited well for serving web pages. Web pages typically are comprised of small files to allow quick download and viewing. Files larger than a GByte should use something other than Apache as means of distribution. Web browsers also do not handle large file downloads well (file size > 2 GBytes). Transfering large files is really the domain of low-level operating system functions. Modern operating systems allow mounting remote volumes and interacting with very large files at the file system level. NFS works well for non-windows systems SMB (Samba) works well for Windows systems other?

Apache lacks Large File Support (LFS)

Preventing unresolved ServerName at startup

May need tweak httpd.conf so that ServerName is set before starting apache. Also check that /etc/sysconfig/network is correct.

# /etc/rc.d/init.d/httpd restart

  ...

# cat /etc/sysconfig/network

  NETWORKING=yes
  NETWORKING_IPV6=no
  HOSTNAME=c5ip21.sf.zaptech.org
  GATEWAY=192.168.2.1

CGI errors only for some script files

Elsewhere Debian Administration

Make sure that line ending are legitimate for host OS (e.g. UNIX/Linux expects just a LF). If the #!/... line doesn't have the correct line ending inexplicably wonky errors like the following will show up in apache error logs ...

# tail -f /var/log/httpd/error_log 

  [...] [error] [client 192.168.2.100] (2)No such file or directory: exec of '/var/www/cgi-bin/13.py' failed
  [...] [error] [client 192.168.2.100] Premature end of script headers: 13.py

Enabling CGI

Apache 2.0.X (now the default with RH 8.0) may not have cgi enabled by default. To test ...

http://localhost/cgi-bin/test-cgi

.../httpd.conf tweaks to enable default directory
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
AddHandler cgi-script .cgi
AddHandler cgi-script .pl

Restricting Access - denying requests based on origin

Limit page access to local 192.168.*.* network ...
<Directory "/var/www/html/phpMyAdmin/">
#    AllowOverride None
#    Options ExecCGI Indexes
     Order allow,deny
     Allow from 192.168
#    AddHandler cgi-script .pl
#    AddHandler cgi-script .cgi
</Directory>

Secure Serving - enabling https support

Typically Apache standard install (e.g. RedHat CD) is already set up for this. However, the mod_ssl RPM must also be present for Apache to properly handle https requests (typically using port 443). Classic symptom of this is connection failed messages. Note - unless additional certificate setup is performed, secure pages will generate a unknown certificate a warning prompt with most web browsers.

# yum list \*mod_ssl\*

  ...
  Available Packages
  mod_ssl.i386             1:2.0.52-38.ent.centos update
  ...

# rpm -qa > now; diff rpm.txt now

  149d148
  < httpd-suexec-2.0.52-32.ent.centos4
  162a162,163
  > httpd-suexec-2.0.52-38.ent.centos4.2
  > mod_ssl-2.0.52-38.ent.centos4.2
  313d313
  < httpd-2.0.52-32.ent.centos4
  326a327,328
  > distcache-1.4.5-6
  > httpd-2.0.52-38.ent.centos4.2

# chkconfig --list > now; diff chkconfig.txt now

  14a15
  > dc_server     0:off   1:off   2:off   3:off   4:off   5:off   6:off
  36a38
  > dc_client     0:off   1:off   2:off   3:off   4:off   5:off   6:off

# pwd

  /etc/httpd/conf.d

# rcsdiff ssl.conf
 
  88c88,93
  < <VirtualHost _default_:443>
  ---
  > <VirtualHost *:443>
  >
  >     # this is also default if domain is not matched below
  >     ServerName www.missioncitydesign.com
  >     DocumentRoot /public/mcd
  250a256,259
  > # Ok, SSL needs different IP address/domain, unlike standard port 80 hosted sites.
  > # Secondly, likely the IP address in the certificate must be the actual
  > # public world routable IP address, so using NAT addressed virtual SSL
  > # host will probably cause a certificate warning.

The Art of Secure Key Registration

# cd /etc/httpd/conf/ssl.scr
# openssl  req -new -nodes -keyout private.key -out public.csr
  US
  California
  Santa Clara
  ZAP TECHNOLOGIES
  IT Staff
  secure.zaptech.com
  support@zaptech.com
  password

# openssl rsa -in private.key -des3 -out private_hash.key
# rm private.key
# cat public.csr
  Submit key to a key registrat like Verisign.
  Await their email with the contents to use when creating a public_20030821.crt file

# vi public.crt_20030821   extended name reminds us when this certificate expires
# vi .../httpd.conf
  edit SSLCertificateFile
  edit SSLCertificateKeyFile
# service httpd restart
  password
#

Stay tuned for details about how to setup a custom Certificate Authority server.

Elsewhere

Verisign

Apache - Virtual Hosting
This particularly powerful configuration of Apache allows a single system to act like several completely seperate web servers. This is a very economical solution for ISP's to provide hosting for multiple customers with a single machine. The setup of this is a bit tricky.

Related http authentication (password protected web pages) Virtual Hosting (hosting multiple domains on a single IP address) IP Aliasing

Elsewhere

Virtual Hosting with Apache
httpd.apache.org/docs/vhosts/virtual-host.html

Apache - ProxyPass and other fun

Recent versions of Apache offer a built in pass through feature. This pass through feature can be configured to trap certin URL's and spawn requests to other serivices (e.g. ftp, http, ssh, ...) and then feed the response to the second request back to the original requestor. This is quite handy to allow Tomcat service (typically lives on port 8080) to be invoked when a certain request is made to httpd (typically lives on port 80).

Typically ProxyPass adjustments are the only proxy directives that need to be altered for most situations - ALL other proxy directives should remain off.

# diff -r1.1 httpd.conf

238c241
< #LoadModule proxy_module       modules/libproxy.so
---
> LoadModule proxy_module       modules/libproxy.so

303c306
< #AddModule mod_proxy.c
---
> AddModule mod_proxy.c

986,988c1245,1262
< #<IfModule mod_proxy.c>
< #ProxyRequests On
---
> <IfModule mod_proxy.c>
> # Other proxy directives seem to work fine when ProxyRequests Off.
> # Indeed, the only reason to enable ProxyRequests is to provide
> # an open Proxy to the public.  Once an open proxy is discovered
> # by others, it will inevidably be followed by a storm of requests
> # that will waste bandwidth.  Bandwidth loss typically becomes
> # severe enough to affect responsiveness of services on the open
> # proxy server.  Therefore, if ProxyRequests in enabled, it is
> # best to limit its use to a known and trusted network.
> ProxyRequests Off
> 
> # .../devpanther/ <- http://devpanther.local.zaptech.org/
> ProxyPass  /devpanther/  http://192.168.1.226/
> 
> # .../kt/ <- http://devpanther.local.zaptech.org/kt/
> ProxyPass  /kt/  http://192.168.1.226/kt/
> 
> # .../public/ <- http://devx.local.zaptech.org/rescue/
> ProxyPass  /public/  http://192.168.1.221/rescue/

1014c1288
< #</IfModule>
---
> </IfModule>

Elsewhere

freebsdwiki

Apache - Test an http server using just telnet!

$ telnet google.com 80

  GET / HTTP/1.1
  Host: www.google.com
  [ blank return ]

  ...

Apache - Legacy
Linux versions before RedHat Linux 7.3 used slightly different configuration conventions. For the most part little has changed and older information may still be handy when maintaining a legacy system.

The default directory Apache serves web pages from is ...

/home/httpd/html

You may want to peruse the configuration files ...

/etc/httpd/conf/srm.conf (has most of the neeto bits)

/etc/httpd/conf/access.conf

/etc/httpd/conf/httpd.conf