Name :Apache Web Server Administration & E-Commerce Handbook
Original Author :Scott Hawkins
Condensed notes :Teddy David Mills teddymills@hotmail.com
COMPLETED
VERIFIED
REVIEWED
*************************************************************************************
CHAPTER 1 BASIC CONCEPTS
*************************************************************************************
1.3 Directives
90% of Apache server administration is learning all these directives (there are
hundreds) and figuring out when and why to use them. The CORE DIRECTIVES are
enabled by default, but some esoteric Apache directives you choose might not be
enabled in Apache by default. You may have to compile Apache with that support.
httpd -l
lists the modules compiled into the httpd binary you are using.
Shared Object Modules are runtime loadable, and do not show up in this list!
httpd -l lists only the internal compiled-in modules.
1.4 Limiting the Scope of Directives
Often you want to specify a scope for directives. You can't have all directives global.
If you're hosting multiple websites with Virtual Hosting, then obviously you'll have
to think about the scope of the directives you use.
DIRECTIVE SCOPE is controlled 3 ways
************************************
1) by DIRECTORY using
a) <Directory>
port 8080
b) <DirectoryMatch>
port 8888
c) .htaccess file
2) by URL using
a) <Location>
port 8080
b) <LocationMatch>
port 7070
3) by file using
a) <Files>
b) <FilesMatch>
************************************
1.41 Limiting Scope to a Directory using <Directory> and <DirectoryMatch>
*************************************************************************
Suppose you want a directive to apply ONLY to actual directories, say /www/amazon.com
and nowhere else. The directive will apply to the entire /www/amazon.com directory
and all its files and subdirectories only.
<Directory /www/amazon.com>
MyDirective
</Directory>
OR
<Directory "/www/amazon.com">
MyDirectives
</Directory>
As you can see, the directive MyDirective will only apply to the /www/amazon.com directory
and all the files and directories in there. No other website will be affected. This is cool.
********************************************************************************************
Please remember:
To make a location work in Apache, all you need is a directory and an index.html file.
If you want to then apply some directives to that location, THEN you have to open up
httpd.conf.
You cannot make directories and files work in Apache just by listing them in httpd.conf;
they actually have to exist, with the proper permissions, before you can use them in httpd.conf!
I mean in /www/amazon.com there has to be a directory called "teddy". Otherwise httpd won't start!!
In the example above, in /www/amazon.com there has to be a directory called "security".
********************************************************************************************
<DirectoryMatch "/www/*">
MyDirective
</DirectoryMatch>
DirectoryMatch is even cooler than Directory. Directory only works on a single tree;
DirectoryMatch works on as many directories as you want. This is true power here.
Imagine being able to control access for hundreds of websites with a simple
directive. Don't forget to use the quotes "", since we're globbing here.
1.42 Limit scope to a Directory using .htaccess file
***************************************************
Almost all directives are in /etc/httpd/conf/httpd.conf. However, if you make a file
called .htaccess and put it in the directory you want to control, be it /www or
/www/microsoft.com or teddy.amazon.com/, then it will affect only that directory.
The leading dot in .htaccess means that this file is invisible unless you use ls -a (all).
By default this file is called .htaccess, but you can change this to any filename you
want in httpd.conf via AccessFileName. Why, I don't know; security reasons maybe,
no other reason I see.
.htaccess files are not enabled by default!
To enable them you must add AllowOverride to /etc/httpd/conf/httpd.conf.
AllowOverride is not just a simple on/off switch. AllowOverride specifies WHAT
directives you can use in ALL your .htaccess files. This is very important.
AllowOverride All        : all directives can be used in .htaccess files
AllowOverride None       : no directives allowed; .htaccess file searching is disabled
AllowOverride AuthConfig : allows use of the Auth* directives only in .htaccess files
AllowOverride FileInfo   : allows use of Add* directives only in .htaccess files
AllowOverride Indexes    : allows use of Add* and Index* in .htaccess
AllowOverride Limit      : allows use of Allow/Deny/Order in .htaccess
AllowOverride Options    : allows use of Options and XBitHack
You can combine these on a single line, if needed...
AllowOverride Options FileInfo (enables both directive classes for all your .htaccess files)
You must remember that if you use an .htaccess file, it applies to the entire directory tree:
that directory, its subdirectories and all their files. So if you're trying to squeeze as much speed
as possible out of a high-performance Apache server, you should try to avoid the use of .htaccess files.
AllowOverride None (disables all your .htaccess files, and speeds up Apache too)
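Putting the AllowOverride classes above into practice. This is an added example, not a configuration from the handbook: the global "None" keeps the fast no-lookup behaviour everywhere, and exactly one tree delegates a single class (Limit) to its owners. The members directory path and the 192.168.0 network are assumptions for illustration.

```apache
# Added example (not from the handbook): gating .htaccess with AllowOverride.
# /www/amazon.com comes from the notes; the members subdirectory and the
# addresses are assumed.

# Global default: no .htaccess processing at all. Apache then skips the
# per-directory file lookup, which is the fast setting described above.
<Directory />
    AllowOverride None
</Directory>

# One tree where site owners may restrict access themselves, but may not
# turn on CGI, SSI or other Options: only the Limit class is delegated.
<Directory /www/amazon.com/members>
    AllowOverride Limit
</Directory>

# Contents of /www/amazon.com/members/.htaccess (a separate file).
# Only Order/Allow/Deny are permitted there; an Options line in that file
# would make Apache answer every request for the directory with a 500 and
# log "Options not allowed here".
#
#     Order deny,allow
#     Deny from all
#     Allow from 192.168.0
```

The point of delegating a single class is that a compromised or careless site owner cannot switch on ExecCGI or Includes for their tree from a file the web server reads on every request; those decisions stay in httpd.conf.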
1.43 Limit Scope to a URL <Location> and <LocationMatch>
********************************************************
Just as <Directory> and <DirectoryMatch> limit the scope of directives to actual directories
on your drive, <Location> and <LocationMatch> limit the scope of directives to a URL.
<Directory> and <Location> both do the same thing; it's just that <Directory> must apply to the local
filesystem, while <Location> does not need to apply to the local filesystem.
<Location /teddy>
SetHandler server-teddy
</Location>
So if you went to www.amazon.com/teddy, it would activate that SetHandler server-teddy command.
Handlers tell Apache to do special things when you go to that URL.
Port 8080
1.44 Limiting Scope to a Virtual Host
*************************************
You can limit directives to each Virtual Host website.
VirtualHosting means that Apache controls more than one website.
A single Apache server can control as many as 250 websites at a time.
1.45 Limiting Scope by <Files> and <FilesMatch>
*********************************************
<Files> limits the scope of directives to that file.
<FilesMatch> limits the scope of directives to a file pattern.
<Files .htaccess>
Order deny,allow
Deny from all
</Files>
makes .htaccess files inaccessible to all.
******************************************************************************************************
<Directory>      works on a single directory and its subdirs and files
<DirectoryMatch> works on multiple directories and all their subdirs and files
<Files>          works on a single file
<FilesMatch>     works on multiple files
<Location>       works on a location in the filesystem, NOT directories
<LocationMatch>  works on multiple locations in the filesystem, NOT directories
/home/.htaccess        applies to all files and folders in /home
/home/tmills/.htaccess applies to all files and folders in /home/tmills
*******************************************************************************************************
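The containers summarised above, used together in one httpd.conf fragment. This is an added example, not from the handbook. The paths, the 192.168.0 network and the server-status restriction are assumptions for illustration; note that <DirectoryMatch> and <FilesMatch> take regular expressions rather than shell globs, so their patterns are written as regexes.

```apache
# Added example (not from the handbook): directive scoping with the five
# containers. Paths, addresses and the server-status restriction are
# assumptions for illustration.

# <Directory>: one filesystem tree and everything below it.
# No directory listings, no CGI, and any .htaccess in this tree is ignored.
<Directory /www/amazon.com>
    Options -Indexes -ExecCGI
    AllowOverride None
</Directory>

# <DirectoryMatch>: every tree whose path matches the regular expression
# (a regex, not a shell glob). Here: a "private" directory directly under
# any site in /www, reachable only from the internal network.
<DirectoryMatch "^/www/[^/]+/private">
    Order deny,allow
    Deny from all
    Allow from 192.168.0
</DirectoryMatch>

# <Files>: a single file name, wherever it appears. The per-directory
# config file must never be served to a browser.
<Files .htaccess>
    Order deny,allow
    Deny from all
</Files>

# <FilesMatch>: file names matching a regex, here every .ht* file
# (.htaccess, .htpasswd, .htgroup).
<FilesMatch "^\.ht">
    Order deny,allow
    Deny from all
</FilesMatch>

# <Location>: a URL path, independent of the filesystem. The mod_status
# handler is switched on here but only reachable from the local machine.
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Apache 1.3 does not accept a comment after a directive on the same line (the text after # would be parsed as an extra argument), which is why every comment above sits on its own line.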
1.5 Apache Modules
***********************************************
You can use httpd --help to view all sorts of parameters of your httpd binary and settings.
Apache by default includes a CORE SET. Modules are not part of the CORE SET and need to be added manually.
httpd -l shows what modules are currently compiled into your Apache. You add new modules by compiling
Apache again, or using AddModule / ClearModuleList. The order in which modules load is important, and
don't dick around with this unless you know what you're doing.
In your httpd.conf...
ClearModuleList          clears out the internal module CORE list.
AddModule mod_access.c   adds module mod_access.c
CGI stuff is much slower than modules. These Apache modules are wicked fast compared to your CGIs.
When at all possible, use or create your own custom Apache module. Writing an Apache module is
almost as complex as writing a device driver, but not quite that bad. Many laypeople write their
own Apache modules, so it can't be that bad.
1.6 DSOs DYNAMIC SHARED OBJECTS
***********************************************
DSOs are pre-compiled code.
A DSO is either loaded and executed at runtime, or it is not loaded at all.
APXS = Apache Extensions
APXS = DSOs, dynamic shared objects
APXS = DSOs
APXS Apache Extension DSOs must be compiled by APXS,
not simply compiled like any other module.
mod_perl
mod_php
are 2 very common APXS/DSOs that you must compile yourself.
"--enable-rule=SHARED_CORE" is the text you must include in your configure script when compiling
up a new Apache to enable DSO support. Then compile, rebuild and reinstall Apache.
The mod_so DSO module lets you choose at runtime which DSOs are included, using LoadModule.
LoadModule MODULE_NAME MODULE_PATH
LoadModule perl_module libexec/libperl.so
DSO modules are normally found in libexec under the Apache root.
HANDLER        MODULE           FUNCTION
send-as-is     mod_asis         serve file and headers "as is"
cgi-script     mod_cgi          attempt to execute CGI and serve the output
imap-file      mod_imap         image map rule file
server-info    mod_info         display configuration info about this Apache server
server-parsed  mod_include      find and replace server-side includes
server-status  mod_status       display server-side status info
type-map       mod_negotiation  parse file as type map file
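How LoadModule, ClearModuleList and AddModule fit together in an httpd.conf that mixes compiled-in modules with DSOs. This is an added example, not from the handbook; the module file names under libexec are assumptions (mod_perl's libperl.so comes from the notes), and on a real install the compiled-in list should be taken from httpd -l rather than from this fragment.

```apache
# Added example (not from the handbook): loading DSOs at runtime and then
# rebuilding the module list. Module file names are assumptions; check
# what "httpd -l" reports as compiled in before copying this.

# mod_so must be compiled in (httpd -l lists mod_so.c) or LoadModule
# is an unknown directive.
# LoadModule <module identifier> <path relative to ServerRoot>
LoadModule status_module  libexec/mod_status.so
LoadModule perl_module    libexec/libperl.so

# Wipe the built-in list, then re-add every module (static and shared)
# in the order it should run. A later AddModule line gets higher priority
# than an earlier one, so keep the stock order and only slot the DSOs in
# where the stock httpd.conf puts them. Leaving a core module (say
# mod_dir.c) out of this list silently removes that functionality.
ClearModuleList
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_status.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_perl.c
AddModule mod_setenvif.c
```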
1.8 MIME TYPES
*****************************************************************************
MIME = Multipurpose Internet Mail Extensions.
It assigns file extensions to applications.
Apache's own MIME types are in /usr/local/apache/conf/mime.types
You can edit this file any way you want.
To add more file mappings to mime.types:
AddType application/x-httpd-php .php
It is considered much preferable to use AddType in httpd.conf rather than
editing and changing mime.types.
Remember, don't modify mime.types, just use AddType in your httpd.conf file...
COMPLETED
VERIFIED
REVIEWED
***********************************************************************************
CHAPTER 2: INSTALLING APACHE
***********************************************************************************
Apache web server runs very well on everything you've got, even a 486.
Like computers in general, the main bottleneck for Apache is RAM.
I repeat: the main bottleneck for Apache is often not the computer, it is RAM!
If you're thrashing or swapping like mad, of course nothing is going to get done.
Remember too, that whenever you have to SWAP/disk thrash, that's 6 orders of magnitude of
speed you're losing!! RAM is ~1 million times faster than disk.
Scott Hawkins, an Apache expert, says when your httpd file is ready to go,
RAM Requirement = size of httpd x number of simultaneous clients x 1.5
Obviously just install more; more is always better.
For high-performance systems, SCSI is still the one you have to go with.
SCSI starts blowing away IDE as you use more drives.
Apache runs fine under the "nobody" account, the "apache" account, or whatever account you decide.
Apache usually puts its
/usr/sbin          Apache binaries
/etc/httpd/conf    Apache configuration files
MacOSX has Apache pre-compiled and ready to go, as do most versions of Linux.
If you need to get the source code for Apache and compile it again, ftp.apache.org
make usually has 2 inputs: source code and libraries
make source libraries
Makefile is a text file that specifies the compiler, source code files, dependencies and the goal.
The nobody/nobody account is the default system identity. Scott says it is much better to
create an Apache/Apache user and group and run Apache under that. My problem is, how do
I know how much access Apache/Apache needs? And to what directories??
/etc/group
groupname  password  groupID  group members
amazon     *         400      tmills bob cindy
/etc/passwd
username  encrypted passwd  UID  GID  user's name  home          shell
tmills    6gHj7R43          204  204  Teddy Mills  /home/tmills  /bin/bash
2.5 Compiling Apache
"make" takes the source code and compiles it with the
requested compiler and its libraries and usually makes a binary
executable.
The "Makefile" is what "make" reads and executes. The "Makefile"
says what the compiler is, the source code files, and libraries.
Make is essential for you to learn to become a UNIX programmer.
2.52 APACI (configure script)
The old way, you had to get into the /src directory of the Apache source
code to add your own modules. Fortunately, this has been made easier with
APACI configuration scripts. You can still do it the old-fashioned way if
you like pain. Actually sometimes the APACI config scripts are not enough;
you might have to go into /src of Apache and do some heavy-duty work.
cd to the unpacked tar source of Apache and
./configure --prefix=/teddy/www/apache
prefix is where you want Apache to be installed to,
i.e. /teddy/www/apache. Leave it at the default /usr/local/apache.
It should create a Makefile. Then you type
"make"
"make install"
*************************************************************************
Thats it, to do a basic compile of Apache
0. ./configure --help (to get a list of options)
1. ./configure --prefix=/usr/local/apache --enable-module= --enable-module= --enable-module=
2. make
3. make install
************************************************************************
These are the core modules included with a source-compiled Apache
http_core.c        core functionality
mod_env.c          enables passing of env variables to CGI programs
mod_log_config.c   user can modify the logging of Apache
mod_mime.c         enables Apache to determine file types based on file extensions
mod_negotiation.c  negotiates content
mod_status.c       displays the server status as a web page
mod_include.c      enables some dynamic content
mod_autoindex.c    enables automatic directory listings
mod_dir.c          basic display of directory information
mod_cgi.c          enables dynamic content generation via CGI programs
mod_asis.c         enables transmission of files with HTTP headers
mod_imap.c         not IMAP like email, but image maps, so you can use them in HTML
mod_actions.c      enables CGI scripts to work on files
mod_userdir.c      enables each home user account to make a web page from their home dir
mod_alias.c        enables URL relocation and forced remapping in the filesystem
mod_access.c       access control!
mod_auth.c         limited authorization
mod_setenvif.c     enables Apache to set env variables based on the client information
./configure --prefix=/teddy/www/apache --enable-module=proxy
compiles Apache, enabling module mod_proxy.c
./configure --prefix=/teddy/www/apache --disable-module=asis
compiles Apache, disabling module mod_asis.c
Please always remember, ./configure only configures the Makefile,
you must still "make" and "make install" to compile the binaries.
Configure only configures, you must make them!
2.62 Apache Win32
*****************
The installation of Apache on a Win32 computer is idiot-proof.
In fact, that's a good idea since most Windows users are idiots.
It will install by default to:
c:\Program Files\Apache Group\Apache
apache -i starts Win32 Apache as a service, or you can choose
this option when first starting it. It is much preferred to run
Apache as a service on WinNT systems.
COMPLETED
VERIFIED
REVIEWED
***************************************************************************************************
CHAPTER 3: CONFIGURING APACHE
***************************************************************************************************
Apache previously had 4 configuration files:
/etc/httpd/httpd.conf    overall Apache
/etc/httpd/access.conf   security & access
/etc/httpd/srm.conf      server resources
/etc/httpd/mime.types    file extension mappings
However, this method didn't work out too well, so they decided to dump it
all into /etc/httpd/httpd.conf. This file is like 1200 lines long.
Apache is far more complex than Samba. But at least everything is all in
one place. With the 3 files, it was difficult to remember what each
file was doing.
3.2 Modules
A standard Apache install includes the default modules and doesn't use
ADDMODULE or CLEARMODULELIST.
3.3 /etc/httpd/httpd.conf
ServerType standalone
ServerType inetd
You almost certainly do not want to run Apache under inetd. In fact all
your inetd services must load from disk for each request. Can you
imagine how slow that is? Until the program loads into memory, inetd is
6 orders of magnitude slower than standalone.
(1 million times slower)
The only reason to put services on inetd is if they are not used very
often. The minute they are used often, make those services
standalone. And get more RAM if you have to, to avoid paging out, because
paging out/disk thrashing is even far, far worse than running under inetd.
332 Specifying the PORTs Apache will use
A socket is a port + service.
/etc/services maps service names to TCP/UDP port numbers.
If your client and the server are not using the same ports, it
is not going to work. Please verify this.
By default, all web browsers use port 80 for HTTP/www. You can
change it, but you'll have to change all your web browsers, or
they'll have to use 192.168.0.1:4465 to connect to, say, port 4465.
It might be useful as a basic security tool, since finding an HTTP
service is easy, but finding the port number it uses if it's not 80
is quite difficult. How would you know the www port was 4465
if I didn't tell you?
Proxies often use non-standard port numbers. If you're on a system
that uses, say, port 8080 for www and 2002 for ftp, then chances are you're in
a proxy environment. Please always take care in a proxy environment!
That proxy server is keeping a log of everything you're doing, and
where you're going on the Internet.
333 CLEARMODULELIST
Apache comes with a list of default included modules.
If you want to disable these modules and use only your own
modules, do a CLEARMODULELIST. (almost never used)
334 ADDMODULE
ADDMODULE enables a module that is compiled in, but not active.
ADDMODULE mod_auth_dbm.c (enables the mod_auth_dbm module)
335 HostnameLookups: ON logs DNS names, OFF logs IPs
It is quite useful to log all those DNS names like teddy.amazon.com,
instead of 216.55.78.42. I mean who the hell is 216.55.78.42? Could be
anybody on the planet. However, if you do HostnameLookups ON, you make
Apache slow to a near crawl. To get any kind of performance you must have
HostnameLookups OFF and record those IPs instead. Nobody ever said this
was a perfect world.
336 Security with User+Groups
User Apache
Group Apache
Says to execute Apache web server with the rights assigned to this user.
Doesn't have to be called "Apache" Can be any user/group you want.
Whatever you do never run Apache with access to a root account!
337 BrowserMatch
Set environmental variables based on what Browser the client is using.
Say you need to enable nokeepalive for Netscape 2X browsers...
BrowserMatch Mozilla/2 nokeepalive
338 Specifying the Web Administrator
ServerAdmin tmills@amazon.com
339 SERVERROOT: Specifies where the web page files are located.
by default this is /var/www/html, but if you have virtual web hosting,
it doesn't matter. Since the Virtual Hosting directives take care of that
for each website.
3310 BindAddress: Selecting an IP address to use
No, this has nothing to do with BIND, the DNS server.
BindAddress tells Apache which interface to use.
If you have only 1 NIC, don't bother changing this setting.
To get Apache to respond on all the NIC connections you have
(if more than one), use BindAddress * (global)
******************************************************
BindAddress can only be used once! (otherwise use Listen)
By default Apache listens to all network interfaces!
By default Apache listens to all network interfaces!
And in case you have too much in common Homer Simpson
Apache by default listens to all network interfaces.
******************************************************
BindAddress 216.56.78.33 (respond on this interface only)
If you want to listen on two specific interfaces, or
if you have 3 or more, then use the Listen directive.
3311 ErrorLog: where Apache logs errors
ErrorLog /var/log/apache
All configuration scripts and Apache logs are relative to ServerRoot.
So Apache error logs are by default located in /etc/httpd/logs
3312 TransferLog: Recording files accessed in Apache
TransferLog logs/access_log
By default ServerRoot is /etc/httpd, so the transfer log is /etc/httpd/logs/access_log
This file shows what Apache has transferred.
3313 PidFile: Recording the Parent process ID
/var/run/httpd.pid is by default where Apache stores the PID of the Apache Parent process.
In fact /var/run is where all the PIDs of the programs are. You can use /etc/init.d/program
to stop the program, or if you need to get medieval /var/run/ and find the PID you need.
Just cat it and kill it.
3314 ScoreBoardFile: IPC Interprocess communication
In order for child processes of Apache to talk to each other and the parent Apache process,
it needs a bit of ram set aside. You never need to look here, since its very internal to Apache.
ScoreBoardFile logs/apache_status
3315 Naming your Apache Server
ServerName www.amazon.com
3316 CacheNegotiatedDocs
HTTP/1.1 defines standard headers. Apache sends these standardized HTTP/1.1 headers to its
clients and proxies, so those proxies and clients know what can be stored in a cache and
what should not be put in a cache. By default, all NEGOTIATED CONTENT is marked
non-cacheable. Use CacheNegotiatedDocs to override this default.
3317 Timeout: Limiting Inactive Connections
This directive says how many seconds a connection can be inactive, before Apache kills the connection.
Apache deems "activity" as one of four things
1. a connection was made
2. GET request received from that connection
3. if a bad transmission, clock starts with last known connection to that client
4. a packet was received via PUSH or PUT HTTP request.
the default timeout is 300 seconds, 5 minutes. This is quite a long time.
You could probably reduce it to like 60 seconds, or even 45 seconds for a super busy website.
3318 KeepAlive: Enable persistent connections
If you enable this, then clients' browsers can maintain a "persistent connection" with your Apache
web server. KeepAlive means clients can get multiple chunks. Otherwise, it is one chunk at a time.
KeepAlive is good for you and the client, since there's a lot of overhead in opening and closing
connections. You want to keep this overhead to a minimum. Plus the client browser wants to
access your website.
3319 MaxKeepAliveRequests:
If you have enabled KeepAlive "persistent connections", MaxKeepAliveRequests says HOW MANY REQUESTS each
persistent user gets. Setting it to 0 means unlimited requests. This means great performance!
3320 KeepAliveTimeout
Max number of seconds Apache will wait for a persistent client to make a new request.
3321 MinSpareServers:
It is a very good idea to always have a few instances of Apache always running to handle the
next incoming request. Its like the supermarket. If you have to get into a line cause you don't
have enough instances of Apache running (ie. cashiers) Then you'll sit there, waiting and
getting mad. This MinSpareServers says how many EXTRA instances of Apache do you want (ie. cashiers)
running at all times? This is not the number of Apaches running, just the number of EXTRA APACHES to
be ready at all times.
MinSpareServers 5
Says to keep 5 extra instances above and beyond what we currently use.
3322 MaxSpareServers: Limiting the Resource Drainage
Now set the maximum of spare Apaches, as not to waste resources.
# always have at least 5 cashiers ready to go...
MinSpareServers 5
# never have more than 10 cashiers ready to go...
MaxSpareServers 10
So these 2 lines say don't have any fewer than 5 copies of Apache running at any time,
and don't have any more than 10 copies running at any time.
3323 StartServers: Number of Apaches to startup when apache boots.
You cant go wrong here. Almost any number will do.
Your friends MinSpareServers and MaxSpareServers will take this StartServers number
as their base.
3324 MaxClients: "A mans got to know his limitations".
Sets the maximum simultaneous clients. This is a hard limit, and if you know hard
limits like I know hard limits, there ain't no bargaining with them.
If your Apache hits MaxClients, that's all that this Apache is going to do.
All new users will get "locked out" until one of the other connections logs off.
3325 MaxRequestsPerChild: Preventing a process from killing the server.
This says how many processes a child of an Apache process can spawn before that
child process is killed. If there was a bug in a module or Apache, a
child process run amuck could spawn endless child processes and eventually
kill the server. That's why, smarty pants.
3326 Limiting Directive scope
<Directory /www/amazon.com>
"some directives"
</Directory>
So "some directives" would only apply to /www/amazon.com and its subdirectories and files.
3327 Location: Limit directives to a place in the filesystem
# deny from most, allow from a few
Order deny,allow
# now deny all
Deny from all
# now allow only 192.168.0.10
Allow from 192.168.0.10
3328 Options to the .htaccess files
The Options that can be set in a container or in .htaccess are:
All             enable all options except MultiViews
ExecCGI         enable CGI scripts
FollowSymLinks  lets Apache follow symbolic links
Includes        enables server-side includes
IncludesNOEXEC  server-side includes are enabled, but #exec and #include of CGIs are disabled
Indexes         if no DirectoryIndex file exists, a formatted directory list is displayed.
                That is to say, if no index.html exists, display the directory instead.
3329 AllowOverride
As discussed previously, you can slow your Apache down and use .htaccess files, or process them
once with Directives. If you insist on using .htaccess files, you must enable AllowOverride.
3330 Order
Order is part of the core mod_access. Order says what you'll be doing.
Order deny,allow = means denying most, allowing a few
Order allow,deny = means allowing most, denying a few.
Obviously "Order deny,allow" will be your common choice.
3331 Allow:
to specify a DNS hostname, domain, or IP that will be granted access
Allow from amazon.com     allow anyone from amazon.com
Allow from 192.168.0.1    allow anyone from IP 192.168.0.1
Allow from 192.168.0      allow anyone from the entire network 192.168.0
Allow from all            allows everyone
3332 Deny:
to specify a DNS hostname, domain, or IP that will be denied. Denied! says Wayne & Garth.
Deny from all                  deny everyone
Deny from amazon.com           deny all from amazon.com
Deny from 192.168.0.1          deny IP 192.168.0.1
Deny from wayne-and-garth.com  deny all from wayne-and-garth.com. Wayne says Denied!!, Garth says Wicked!
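The two Order forms side by side, including the case that bites people: the same Allow/Deny lines produce opposite results under the two orders, because the list evaluated second wins and the default for a client matching neither list differs. This is an added example, not from the handbook; the directory paths and the banned address 192.168.0.66 are assumptions.

```apache
# Added example (not from the handbook): the two Order forms side by side.
# Paths and the banned address 192.168.0.66 are assumptions.

# "deny,allow": Deny lines are checked first, Allow lines second, and a
# client matching neither is ALLOWED. That default is why "Deny from all"
# is needed; the later Allow line then re-admits the internal network.
<Directory /www/amazon.com/intranet>
    Order deny,allow
    Deny from all
    Allow from 192.168.0
</Directory>

# "allow,deny": Allow lines are checked first, Deny lines second, and a
# client matching neither is DENIED. Everyone is admitted except one host,
# whose Deny line wins because it is checked last.
<Directory /www/amazon.com/public>
    Order allow,deny
    Allow from all
    Deny from 192.168.0.66
</Directory>

# The trap: the same two lines under the other Order give the opposite
# result. 192.168.0.66 matches the Deny line, but "Allow from all" is
# checked afterwards and wins, so the banned host gets in anyway.
<Directory /www/amazon.com/mistake>
    Order deny,allow
    Allow from all
    Deny from 192.168.0.66
</Directory>
```

A quick way to check a block like this is to read the Order, then the lines in that order, and ask what happens to a client that matches nothing: allowed under deny,allow, denied under allow,deny.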
3333 DocumentRoot: where all HTML files are, the root of document htmls.
My current DocumentRoot is /www/amazon.com, where all my other virtual websites are...
3334 UserDir: Users Homepages
Specifies the name of the directory in each user's home that is used when a ~user is requested,
i.e. amazon.com/~tmills. The default is "public_html", located in each user's home directory.
3335 DirectoryIndex: what file is to be used as the html file.
DirectoryIndex index.html is the default. Put this file in the dir, and it will be used.
However, you can add more than "index.html"
DirectoryIndex index.html index.htm index.cgi index.shtml
If none of these files are found, then a directory listing is usually listed.
3336 Fancy Indexing: Improves on DirectoryIndex with more file attributes.
FancyIndexing ON
3337 AddIcon AddIconByType AddIconbyEncoding
enables you to associate a binary image file with a file type. The image file will be
displayed when an index is generated. What weirdness is this?
3338 DefaultIcon /icons/teddy.gif
Use this default icon image with a directory listing when no match found with AddIcon.
3339 AddDescription "Amazon Policy" readme.html
Adds a small description to server generated indices
3340 ReadMeName readme.html
Specify the readme file for mod_autoindex
3341 HeaderName header
specifies the filename that will be added to autogenerated indices
3342 IndexIgnore */.??* *~ *# */HEADER* /README**/RCS
specifies files that will not be included in autogenerated indexes
3343 ACCESSFILENAME .htaccess
specifies the filename that if found in any directory will be used against that directory
and all subdirectories and all files. This file will hold Apache directives.
3344 DefaultType text/plain
Sets Apaches default MIME type to text/plain, if the file extension cannot be found.
3345 AddLanguage en .en .english
says that any HTML file on this server that ends in en .en or .english is an english file.
The client browser must be setup to use file extension mappings to languages for this to work.
3346 LanguagePriority en fr de
Is a tie-breaker. When listing content, English first, then French, and finally those pot-smoking,
free-living, red-light-district Danes.
3347 Alias /icons/ /usr/local/etc/httpd/icons/
Refers requests from non-existent locations to actual locations.
Alias fakename realname
3348 ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
specifies the directory that holds CGI scripts.
3349 AddType
Associates a MIME type with a file extension. Almost the same as adding the file
extension to mime.types
3350 AddHandler:
There are 7 default handlers
AddHandler cgi-script execute the URL as a cgi-script
AddHandler imap-file assume the URL has an image
AddHandler isapi-isa Windows only, Load DDLs when URL is accessed
AddHandler server-info generate server configuration page
AddHandler server-parsed parse file looking for server-side includes
AddHandler server-status generate server status page
AddHandler type-map treat URL as a map of types
These are the magnificent 7. You can design your own if you want.
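AddType, AddHandler, Alias and ScriptAlias working together, instead of editing mime.types. This is an added example, not from the handbook: the .php AddType line is the one from the notes, while the .shtml and .cgi mappings, the /usr/local/apache paths and the cgi-bin <Directory> block are assumptions for illustration.

```apache
# Added example (not from the handbook): mapping extensions to MIME types
# and handlers in httpd.conf. The cgi-bin path and the .shtml/.cgi
# mappings are assumptions for illustration.

# AddType: extension -> MIME type (what the browser is told it is getting).
AddType application/x-httpd-php .php
AddType text/html .shtml

# AddHandler: extension -> what Apache DOES with the file before sending
# it. server-parsed only acts in trees where "Options Includes" is on,
# and cgi-script only where "Options ExecCGI" is on, so these lines are
# harmless in a tree configured with "Options -Includes -ExecCGI".
AddHandler server-parsed .shtml
AddHandler cgi-script .cgi

# Alias: URL prefix -> directory, served as plain files.
Alias /icons/ /usr/local/apache/icons/

# ScriptAlias: URL prefix -> directory whose files are ALL run as CGI,
# whatever their extension and without needing ExecCGI. Keeping scripts
# here beats switching ExecCGI on across the whole DocumentRoot.
ScriptAlias /cgi-bin/ /usr/local/apache/cgi-bin/

# Lock the script directory down: nothing overridable, no listings, no
# symlink following, but reachable by everyone.
<Directory /usr/local/apache/cgi-bin>
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
```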
3.4 Apache Windows Differences
Windows uses backslashes, but you still use Apache with forward slashes. This means
transporting HTML files from Apache on UNIX to Apache on Windows won't mean you
have to change all the delimiters.
You can specify a drive letter; if not, it assumes the drive where Apache is located.
341 Apache Unix Differences
In UNIX, Apache uses a new process to handle each new request. However, the parent-child process
model and spawning was so ingrained into Unix Apache, something that Windows cannot relate to. This means on a
Windows machine you'll see a PARENT and a CHILD PROCESS running. The child process will multithread if
need be.
3.5 MacOSX
At the heart of Apple MacOSX is BSD 4.4. On top of that is the fancy GUI Apple designed.
That's why MacOSX needs so much CPU power. On MacOSX servers these files are located...
Linux location and name         MacOSX location and name
/usr/local/bin/httpd            /usr/sbin/apache
/etc/httpd/conf/httpd.conf      /Local/Library/Webserver/Configuration/apache.conf
/etc/httpd/conf/srm.conf        NA
/etc/httpd/conf/access.conf     NA
apachectl                       /usr/sbin/apachectl
COMPLETED
VERIFIED
REVIEWED
********************************************************************
CHAPTER 4 STARTING STOPPING AND RESTARTING APACHE
********************************************************************
You should always run Apache as "ServerType StandAlone"
However if you must run Apache as INETD, you must add this line to /etc/inetd.conf
--------------------------------------------------------------------------------
httpd stream tcp nowait httpd /usr/local/bin/httpd -f /etc/httpd/conf/httpd.conf
--------------------------------------------------------------------------------
On Windows, you can go to the command line and type
net start apache or
net stop apache, or perhaps even better, go to Services and modify Apache to run as needed.
To start Apache under MacOSX, "apachectl start"
If you're using the open-source Apache, you get a different startup script than Red Hat's.
You also have a "configtest" option that will check your syntax. Then again, running
the script is a test in itself: if OK, it passed, otherwise it FAILS.
Under Windows you can control the Apache service just like any other NT service.
The easiest way to stop and start the Windows-Apache is with the NET commands.
NET START APACHE
NET STOP APACHE
or via the Control Panel>Services
kill -hup 1          kills process 1 (init) and reloads it anew
kill -hup 378        kills process 378 and reloads it
kill -USR1 378       kills process 378 and asks the child processes to exit when done
kill -term PID/Program
kill -term 366       kills process 366 and all its child processes
kill -term named     kills named and all its child processes
killall named        kills all processes called named
To do diagnostics on your Apache, the best place is the Apache error log.
/usr/local/apache/log/errors, by default.
COMPLETED
VERIFIED
AND REVIEWED
**********************************************************************
CHAPTER 5 ADVANCED APACHE ADMINISTRATION
**********************************************************************
The reason that VirtualHosting is so popular is because it's so cheap.
One sufficiently powerful computer running Apache Server can host 250+ websites.
VirtualHosting by NAME: multiple domains share the one public IP.
VirtualHosting by IP: each domain has its own IP, and the NIC must be configured
with ifconfig to carry multiple IPs. The very uncool thing about VirtualHosting by IP
is that each domain must have its own public IP.
Apache can be told to monitor multiple NICs with BindAddress and Listen.
On each IP address it can use any port, but the default is port 80.
You can configure your Apache to host many websites in three ways.
1. UserHome Pages
2. VirtualHosting by Name
3. VirtualHosting by IP
The first method is the easiest, but not a professional way to support websites.
UserHome pages are not meant for business users; they are acceptable
just for individual users.
When you use VirtualHosting, you can include all the directives you need in the container,
and they override the main Apache directives.
Of course to get VirtualHosting operational, you will have to register all those
domains with a Domain Registrar and pay the fees. VirtualHosting by Name means
many sites using a single IP. VirtualHosting by IP, means many sites each with their
own IP. You can configure a NIC to support multiple IPs, but VirtualHosting by
Name is much easier.
521 UserDir public_html
http://www.amazon.com/~tmills
will serve the website located at /home/tmills/public_html/index.html
This method means home pages must be under /home/username.
522 UserDir /www/users
http://www.amazon.com/~tmills/index.html will return content from
/www/users/tmills/index.html.
This method means you can put user home pages anywhere you want.
523 UserDir /home/*/public_html
This is a combination of the two methods above, and an absolute UserDir with a wildcard
is the least prone to abuse by your users.
It says all users' home pages are located in /home, each with a public_html folder.
So http://www.amazon.com/~susie would get resolved to /home/susie/public_html
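To make the three UserDir forms concrete, here is an added Python example (not from the handbook) that maps a ~user URL to the file Apache would serve under each form and refuses ".." traversal; the user-to-home table is constructed.

```python
import posixpath

# Constructed stand-in for /etc/passwd: user -> home directory (assumption).
HOMES = {"tmills": "/home/tmills", "susie": "/home/susie"}


def userdir_path(userdir, url_path, homes=HOMES):
    """Map '/~user/rest' to a file path under the given UserDir setting.

    userdir forms handled (the three from the notes above):
      'public_html'          -> <home>/public_html/rest       (521, relative)
      '/www/users'           -> /www/users/<user>/rest        (522, absolute)
      '/home/*/public_html'  -> /home/<user>/public_html/rest (523, wildcard)
    Returns None for non-~user URLs, unknown users, or traversal attempts.
    """
    if not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    if not user or user.startswith("."):
        return None
    rest = rest or "index.html"            # bare /~user -> the index page
    # Collapse '.' and '..' and refuse anything that climbs above the tree
    # or smuggles in an absolute path (e.g. /~user//etc/passwd).
    clean = posixpath.normpath(rest)
    if clean == ".." or clean.startswith("../") or posixpath.isabs(clean):
        return None
    if "*" in userdir:                     # 523: '*' stands for the user name
        base = userdir.replace("*", user, 1)
    elif userdir.startswith("/"):          # 522: user name appended to the dir
        base = posixpath.join(userdir, user)
    else:                                  # 521: relative to the user's home
        if user not in homes:
            return None
        base = posixpath.join(homes[user], userdir)
    return posixpath.join(base, clean)
```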
5.3 IP Addresses and ports
By default Apache listens on port 80 on all interfaces.
Multiple Port statements will overwrite each other. Use only 1 Port statement.
531 BindAddress: Specifying an IP address
BindAddress says to bind only to a specific interface.
Obviously using BindAddress makes sense only if you have 2 or more interfaces.
Multiple BindAddress statements will overwrite each other. Use only 1 BindAddress.
BindAddress *            (Apache by default will listen on all interfaces)
BindAddress 192.168.0.1  (listen only on this interface...)
532 Port: Specifying a port
By default Apache only listens on port 80. You can use the Port directive only once.
But if you're paranoid, you can set your Apache to, say, 9004 if you want.
533 LISTEN: Listening to multiple ports
Multiple Listen statements DO NOT OVERWRITE EACH OTHER. You can use multiple Listens!
You can use multiple Listen statements to say
Listen 80
Listen 8080
Listen 8888
and they will all work. A single Port command, however, works only once.
And in fact you can use the Listen statement to bind IP addresses!!
Listen is very powerful!!
Say you had an Apache server with 3 NIC cards in it; you could set it
so that....
Listen 192.168.0.100:80    NIC1, maybe your public server
Listen 24.42.105.244:8080  NIC2, maybe a client's intranet
Listen 214.45.65.201:4004  NIC3, maybe your intranet
A real cool trick to make multiple IPs on a NIC using ifconfig is
ifconfig interface:alias newip netmask mask
ifconfig eth0:1 192.168.0.2 netmask 255.255.255.0
ifconfig eth0:2 192.168.0.1 netmask 255.255.255.0
...
ifconfig eth0:100 192.168.0.100 netmask 255.255.255.0
and then use VirtualHosting by IP.
Maybe I can do this and do some cool firewalling tricks.
5.4 VirtualHosting by Name
************************************************************************
All VirtualHosting take the properties of the main server configuration.
************************************************************************
VirtualHosting by name is pretty new in HTTP. Many domain names share 1 IP.
All domain names must be registered and point to that one IP. There is a
request header called Host, and this is how Apache knows which virtual server
the request is for. The only requirement for VirtualHosting by name is that you
must use an HTTP/1.1+ browser, one that supplies the Host header
(so Apache knows which VirtualHost to send you to).
You can use almost all the Apache directives in a VirtualHost container.
These directives you CANNOT use in a VirtualHost container:
BindAddress          you're already in the virtual container!
Listen               you're already in the virtual container!
MaxSpareServers      ditto
MinSpareServers      ditto
MaxRequestsPerChild  ditto
PidFile              httpd.pid of the parent is already up and running, silly!
ServerRoot           main server is running
ServerType           main server is running
TypesConfig
NameVirtualHost      you're already inside a virtual container!
553 Default VirtualHost
If for some weird reason there's no match to one of your VirtualHosts,
you can have a default VirtualHost container. This is optional. This is
sort of like a safety net. Maybe your main web server should be the default?
your directives....
554 To use Names or IPs in VirtualHost containers?
You have the choice of using IPs or DNS names in VirtualHost containers.
If you go with names, performance immediately sucks. Always use IPs.
556 VirtualHosting using IPs
VirtualHosting by name requires the Host header from HTTP/1.1+ client browsers.
VirtualHosting by IP does not require the Host header. So if you have some real, real
old browsers that aren't HTTP/1.1 compliant and for God knows why you cannot upgrade them,
then you can reconfigure your Apache to do VirtualHosting by IP.
In fact you can combine VirtualHosting by Name and VirtualHosting by IP together on one Apache.
But this is a bit confusing, and probably not worth the trouble.
ALL VIRTUALHOST CONTAINERS INHERIT THE PROPERTIES OF THE MAIN SERVER CONFIGURATION.
SO DON'T REINVENT THE WHEEL!!
JUST ADD INTO THE VIRTUALHOST CONTAINER THE EXTRA INFO NEEDED FOR THAT CONTAINER.
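As an added example (not from the handbook), the following Python models how Apache picks a VirtualHost container for a request: the Host header decides for name-based addresses, an HTTP/1.0 client without a Host header falls back to the first container listed for that address, and IP-based addresses need no Host header at all. The vhost table is constructed.

```python
# Constructed table: one entry per <VirtualHost> container, in httpd.conf
# order.  'ip' is the address:port the container is bound to.
VHOSTS = [
    # IP-based container: its own address, no Host header needed
    {"ip": "24.42.105.244:80",  "names": ["intranet.example.com"]},
    # Name-based containers sharing 192.168.0.100:80 (NameVirtualHost)
    {"ip": "192.168.0.100:80", "names": ["www.amazon.com", "amazon.com"]},
    {"ip": "192.168.0.100:80", "names": ["www.genx.com"]},
]
NAME_BASED = {"192.168.0.100:80"}   # addresses declared with NameVirtualHost


def select_vhost(local_addr, host_header, vhosts=VHOSTS, name_based=NAME_BASED):
    """Return the index into vhosts that serves the request, or None.

    local_addr  -- 'ip:port' the connection arrived on (a Listen address)
    host_header -- the client's Host header, or None for an HTTP/1.0
                   client that does not send one
    None means no container claims the address and the main server serves it.
    """
    candidates = [i for i, v in enumerate(vhosts) if v["ip"] == local_addr]
    if not candidates:
        return None
    if local_addr not in name_based:
        return candidates[0]              # IP-based: the address alone decides
    if host_header:
        host = host_header.split(":")[0].lower()    # drop any :port suffix
        for i in candidates:
            if host in vhosts[i]["names"]:
                return i
    # No Host header, or no ServerName matched: Apache serves the first
    # container listed for that address, so the order in httpd.conf matters.
    return candidates[0]
```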
===============================================================================
VirtualHosting Steps
1. Create a new DNS entry for the domain in your local DNS server
2. Stop and restart named, and verify the DNS domain works locally by pinging it
3. Upload the website or copy the new website from your template website.
4. Create a new Apache VirtualContainer in httpd.conf
5. Verify the container works and the website works locally
6. Register the new domain with your local Domain Registrar.
7. Remotely verify new Apache website works over the Internet
==============================================================================
*****************************************************************************************************
CHAPTER 6 PROXY SERVERS AND CACHING
*****************************************************************************************************
A proxy server is your agent/middleman for some or all network services.
A proxy server does not usually "store" data like a server, but is a forwarder.
------
It is important to disable the basic Apache web-serving settings if you're going to make a
PROXY SERVER out of Apache. Otherwise users will just use port 80 and bypass the proxy
server altogether. What use is that? Either everyone goes through the
proxy server, or nobody does. A proxy server is like a firewall in that respect.
Either everybody uses it, or nobody uses it, because otherwise the few people that
do not use it make it insecure for everyone else, thus making the proxy or firewall
useless.
The proxy module is not included by default. You must compile a new Apache and add mod_proxy.
Enabling the proxy is very easy.
Listen 8888
ServerName proxy.amazon.com
ProxyRequests On
Now the $64,000 question is, why bother with APACHE'S PROXY SERVER?
You want reasons to use the Apache proxy? I'll give you reasons:
1. centralize all Internet bandwidth through 1 connection
2. able to block out smut and objectionable websites
3. if you start caching popular websites locally, overall performance is better
4. Basically, a PROXY SERVER is a control mechanism. That NetZero ad said it best, you know, the
old senator and girl from This Hour has 40 minutes: "license to go willy-nilly all over the Internet".
If you want your users to go "willy-nilly" all over the Internet and have to support them, then
that's your choice. If you want to have some control over where they can and can't go, you should
use a PROXY SERVER, be it Microsoft's Proxy 2.0 or Apache Webserver.
Weird that Apache can also be an enterprise-wide PROXY SERVER, when most people think of it as only a webserver.
621 Ports
If you're going with the Apache proxy solution, then you may as well use a different port than 80.
Listen 8888
6.30 Configuring an APACHE PROXY SERVER
The Apache proxy module "mod_proxy" is not compiled in by default.
Then all you do is ProxyRequests On (I mean, how difficult is that? I mean really?)
631 Restricting access to specific sites...
ProxyBlock games.yahoo.com hotmail.com
These are not your virtual websites you're blocking; you're blocking Internet websites
from being accessed when users go through your Apache proxy server.
632
6.40 CACHING
Caching is storing recently used web pages.
CacheSize 10000
CacheRoot /cache
Says to make a cache of size 10000k (1Mb) in /cache. The default cache size is 5k!
****************************************************************************
CHAPTER 7: LOGS AND MONITORING
****************************************************************************
The busier your Apache site is, the more you must monitor it and make sure
things run smoothly. Apache has 2 main types of logs
1. error logs
2. transfer logs
7.2 Error logs
ErrorLog says WHERE to record Apache errors. By default it is
/usr/local/apache/logs/error_log
You can redirect Apache errors to the standard /var/log/messages with
ErrorLog syslog
If you're the "damn the torpedoes, full speed ahead" type of sysadmin,
ErrorLog /dev/null
sends all Apache errors into a deep, deep cyberspace black hole,
never to be seen or heard from again.
ErrorLog /dev/lp0 (outputting errors in real time to line printer 0 might be 70s cool)
LogLevel says WHAT to record in Apache logs.
LogLevel has 8 settings, from most detailed to most serious:
debug info notice warn error crit alert emerg
LogLevel warn is the default.
If you're doing some Apache debugging, try the debug or info settings.
7.3 Transfer logs
Transfer logs are not file transfers. They are access logs. Transfer logs
show what has been requested from your server. Transfer logs are quite
interesting because they show what people have been using your web server for.
mod_log_config is the Apache module that does all this access log work.
There are 7 items that a transfer log stores...
1. host      IP address or FQDN of the client host
2. ident     identity of the user; IdentityCheck must be enabled
3. authuser  user ID from HTTP authentication
4. date      date/time stamp of the request
5. request   request line from the client
6. status    status code returned to the client
7. bytes     number of bytes in the transfer
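As an added example (not from the handbook), this Python parses the 7 fields of a Common Log Format transfer log and summarises them, treating "-" as an absent ident/authuser and as zero bytes; the log lines are constructed.

```python
import re
from collections import Counter

# host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Constructed sample transfer log; the last line is deliberately malformed.
SAMPLE_LOG = """\
192.168.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.168.100.9 - teddy [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/private HTTP/1.1" 403 -
10.0.0.5 - - [10/Oct/2000:13:57:12 -0700] "GET /~susie/ HTTP/1.1" 404 219
this line is garbage and must be skipped
"""


def parse_clf(line):
    """Return a dict of the 7 transfer-log fields, or None if malformed."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return None
    host, ident, authuser, date, request, status, nbytes = m.groups()
    return {
        "host": host,
        "ident": None if ident == "-" else ident,        # '-' means unknown
        "authuser": None if authuser == "-" else authuser,
        "date": date,
        "request": request,
        "status": int(status),
        "bytes": 0 if nbytes == "-" else int(nbytes),   # '-' means nothing sent
    }


def summarise(log_text):
    """Count requests per status class (200, 300, 400, 500) and bytes sent,
    skipping lines that do not parse rather than aborting on them."""
    statuses, total_bytes, skipped = Counter(), 0, 0
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            skipped += 1
            continue
        statuses[rec["status"] // 100 * 100] += 1
        total_bytes += rec["bytes"]
    return {"by_class": dict(statuses), "bytes": total_bytes, "skipped": skipped}
```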
7.34 Resetting Logs
You should never just delete a log because it is getting large. If you do
delete it, you must stop and restart Apache, because Apache keeps an internal
counter of how long each log is, and if you delete a log, Apache won't know
about it. That is why you must restart Apache after deleting or resetting
any of its logs.
7.41 mod_status
The mod_status module is not included by default.
You must compile up your own Apache and include it.
You can enable ExtendedStatus to get information about all Apache processes
and child processes, but all this does is slow your Apache down.
Do not use ExtendedStatus, except when debugging.
www.yourserver.com/server-status
_  process exists but is idle
W  process is writing to a client
L  process is writing to a logfile
S  process is starting
K  process is in KeepAlive state (aka keep me awake!)
G  child process received a signal to exit
R  process is reading a client's request
D  process is doing some DNS, resolving a name or IP
742 Lots of Ds are bad and should be avoided.
Start substituting IPs for domain names!!
743 Lots of Ls are bad too.
If lots of processes are logging, you might want to reduce the amount of
Apache logging. Don't log to a slow device like a tape or NFS.
Logging to a line printer like I stated previously, while it might look 70s
cool, only keeps your Apache performance like in the 70s. All that line printer
is doing is slowing your Apache down.
744 ExtendedStatus On
Should only be used when debugging. This directive is a pig.
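To turn the D and L warnings above into a check you can run over a scoreboard copied from /server-status, here is an added Python example (not from the handbook); the scoreboard strings are constructed, and "." for an empty slot is an assumption not listed in the notes.

```python
from collections import Counter

# Scoreboard letters as shown on /server-status (Apache 1.3); '.' marks an
# open slot with no process, which the notes above do not list.
STATES = {"_": "idle", "S": "starting", "R": "reading", "W": "writing",
          "K": "keepalive", "D": "dns lookup", "L": "logging",
          "G": "gracefully finishing", ".": "open slot"}

ADVICE = {
    "dns": "many D states: log IP addresses, not names (HostnameLookups Off)",
    "logging": "many L states: log less, and only to fast local disk",
}


def count_states(scoreboard):
    """Return a Counter of scoreboard letters (unknown characters ignored)."""
    return Counter(ch for ch in scoreboard if ch in STATES)


def diagnose(scoreboard, max_fraction=0.25):
    """Return the ADVICE keys that apply when more than max_fraction of the
    busy (non-idle, non-free) processes are stuck in D or L."""
    counts = count_states(scoreboard)
    busy = sum(n for state, n in counts.items() if state not in "._")
    if busy == 0:
        return []                     # nothing is serving, nothing to blame
    problems = []
    if counts["D"] / busy > max_fraction:
        problems.append("dns")
    if counts["L"] / busy > max_fraction:
        problems.append("logging")
    return problems
```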
7.50 mod_info
www.yourserver.com/server-info
Shows what modules are compiled into this Apache binary, and
the directives that affect these modules.
SetHandler server-info
SetHandler server-status
7.5 server-info
The mod_info module is not included by default; you must enable this module.
The cool thing about mod_info is that it shows you, via a web browser, what modules this Apache
has available and the directives affecting these modules.
**************************************************************************
CHAPTER 8 APACHE SECURITY (or what General Custer was lacking that fateful day)
**************************************************************************
If you're into an e-commerce site, you need to constantly review and monitor
your security setup, especially if it involves credit cards or cash.
That is why you should use SSL or IPsec technologies.
Doing e-commerce over standard HTTP is insane and a quick way to get sued
out of this world and the next world.
Apache httpd is normally started as a root process, but I believe on
Red Hat systems, by default it is run as User/Group of Apache/Apache.
Make sure that these directories are writable only by root!
*********************************************************
$APACHE (I assume /usr/local/apache?)
$APACHE/bin
$APACHE/logs
$APACHE/conf
8.22 Write up a Security Policy like an airline takeoff checklist.
******************************************************************
8.23 Do not run anything else on that e-commerce Apache server.
Anything else will just create more holes in the dike.
A webserver is okay, but an e-commerce webserver will probably be
the single most important server you have.
8.24 Constantly review the security web pages for updates and security notices.
Find a few of the top security websites, and review them weekly.
825 DENY ACCESS
for root...
order deny,allow    denying most...
deny from all       in fact we'll be denying everyone!
order deny,allow
allow from all
8.26 CGI Security
CGI is insecure by the very fact that it allows anyone on the planet to run
programs on your web server. Each new CGI program you add to the system
makes your server that much weaker. Don't ever run binaries on your server
when you don't know what they are doing. One could be a trojan, emailing
someone out there all your passwords and accounts.
Try and keep that server to as few services as possible. Limit services
like NFS, SMB, Telnet, RSH, etc.
Keep all your CGIs in one place! If your CGIs are in multiple places,
good luck, 'cause you'll need it.
The most important data should be encrypted on the server.
8.27 PHP
Early PHP had a security flaw, but new PHPs are okay.
8.28 SSIs, Server Side Includes
are special tags in the HTML, processed only by the Apache server.
8.29 Disable Automatic Indexing; otherwise a directory listing of all your
files shows up whenever there is no index.html in that directory.
Talk about a major security breach.
8.30 Basic Authentication
===================
Apache has several ways to authenticate web clients.
mod_access, a module included by default, must be included for user authentication to work.
8.31 user authentication based on your hostname/domain
8.32 user authentication based on
order
order deny,allow      deny most, allow a few (like the Marines)
order allow,deny      allow most, deny a few (like Canadian Immigration)
order mutual-failure  hosts must match the allow list and not appear
                      on the deny list to get access
8.33 allow
allow everyone to public
allow from all
allow everyone from genx.com to genx
order deny,allow
deny from all
allow from genx.com
allow only from 192.168 to internal
order deny,allow
deny from all
allow from 192.168
allow only from the 192.168.100 subnet to support
order deny,allow
deny from all
allow from 192.168.100
allow from the 192.168.0 subnet with mask 255.255.242.0
order deny,allow
deny from all
allow from 192.168.0/255.255.242.0
8.34 allow from env
There is a feature you can use in allow/deny: allow/deny based on an environment variable.
If the env variable netscape_yes exists, grant access.
order deny,allow
deny from all
allow from env=netscape_yes
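To check how the order/allow/deny combinations in 8.32 through 8.34 actually decide, here is an added Python evaluator (not from the handbook or from Apache's source) that applies the 1.3 mod_access matching rules for "all", partial IPs, ip/netmask, domain names and env= patterns; the netmask in the test uses a constructed 255.255.240.0.

```python
import ipaddress


def _matches(pattern, ip, hostname, env):
    """Does one 'allow from' / 'deny from' pattern match this client?"""
    if pattern == "all":
        return True
    if pattern.startswith("env="):                # 8.34: env=VARIABLE
        return pattern[4:] in env
    if "/" in pattern:                            # ip/netmask or ip/bits
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():        # full or partial IP, e.g. 192.168.100
        return ip == pattern or ip.startswith(pattern + ".")
    # Domain name: the host must equal it, or end in it on a label boundary,
    # so 'genx.com' matches www.genx.com but not www.notgenx.com.
    host, dom = hostname.lower(), pattern.lower()
    if host == dom.lstrip("."):
        return not dom.startswith(".")            # '.genx.com' excludes genx.com itself
    return host.endswith(dom if dom.startswith(".") else "." + dom)


def check_access(order, allow, deny, ip, hostname="", env=()):
    """Return True if a client (ip, hostname, env vars) gets in under 'order'.

    allow and deny are the lists of patterns from the 'allow from' and
    'deny from' lines.  env is a mapping (or set) of environment variable names.
    """
    allowed = any(_matches(p, ip, hostname, env) for p in allow)
    denied = any(_matches(p, ip, hostname, env) for p in deny)
    if order == "deny,allow":
        # Default is allow; a matching allow overrides a matching deny.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Default is deny; the client must be on the allow list and off the
        # deny list.  In Apache 1.3 mutual-failure decides the same way.
        return allowed and not denied
    raise ValueError("unknown order: " + order)
```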
8.40 User Based Authentication
There are a number of Apache modules that do user authentication.
You know the routine: name and password with a dialog box in the web browser window.
"AuthName" and "AuthType" will ALWAYS be required!
8.41 AuthName "This site is restricted to Amazon.com"
is required for the dialog box.
8.42 require valid-user (anyone with a Unix account on this system)
require user teddy cindy rob debbie (any of these users)
8.50 SSL, Netscape's Secure Sockets Layer
When they designed the ARPA packet-switching network, which evolved into the
Internet, reliability was the goal. Nowadays security is one of the main goals.
There is no way to control or determine the route that packets may take once
they leave your network and are out on the Internet.
Once they leave your network and enter the "cloud", packets can take many routes
to the same location.
HTTP has zero security. Even with the Apache user authentication we are doing,
obviously, there is no encryption of packets. The Apache user authentication
clearly has nothing to do with encryption of your datagrams.
If you want to run HTTP data out in the open, that's your choice.
Now if you're wondering why encryption technology is not included in software,
it is because one of the Cold War rules forbade the export of encryption technology.
At that time, even articles or books about encryption were almost against the law.
8.51 Public Key Encryption
Symmetric encryption uses the same key to encrypt and decrypt.
PKE is asymmetric encryption: a private key A and a public key B.
Each key can only decrypt what the other key encrypted, nothing else.
You keep one private, and publish the other key publicly.
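The asymmetric property described above, shown with a toy textbook-RSA key pair in Python (added example, not from the handbook): what key B encrypts only key A decrypts, and the other way round. The primes are far too small for real use and no padding is applied, so this is for illustration only.

```python
from math import gcd


def make_keypair(p, q, e=17):
    """Build (public, private) keys from two primes.  Toy sizes, insecure."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)          # key B (public), key A (private)


def apply_key(key, value):
    """Encrypt or decrypt one integer block with either half of the pair."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(value, exp, n)


def demo():
    """Return (decrypted, verified, wrong) for a 65-as-message round trip."""
    public, private = make_keypair(61, 53)       # n = 3233, textbook primes
    msg = 65
    # Confidentiality: anyone encrypts with the public key; only the holder
    # of the private key gets the message back.
    cipher = apply_key(public, msg)
    decrypted = apply_key(private, cipher)
    # Authenticity: only the private key can produce a value that the public
    # key turns back into the original, which is what a signature is.
    sig = apply_key(private, msg)
    verified = apply_key(public, sig)
    # Applying the same key twice does not undo anything: the key that
    # encrypted cannot decrypt, exactly as the notes above say.
    wrong = apply_key(public, cipher)
    return decrypted, verified, wrong
```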
8.53 mod_ssl
Well, if you looked at the commercial Apache SSL products and they are too
expensive, and you're the kind who likes to play in the mud, then the mod_ssl
module is right for you.
Get your latest mod_ssl module from http://www.modssl.org
and OpenSSL from http://www.openssl.org
*****************************************************************************
CHAPTER 9 DYNAMIC CONTENT
****************************************************************************
9.10 Most websites today have some dynamic content. A purely static website
where nothing happens is okay, but not "special". (Well, isn't that special.)
Dynamic content means the page is being generated on the fly.
Apache has 2 methods for generating dynamic content:
1) SSI, server side include tags
2) a CGI with Perl/C/Other/Database
9.21 SSI and Server performance
SSI is disabled by default in Apache and, if enabled, will slow Apache down.