
Compiling, installing and configuring

Apache and PHP on Linux


Elliot Smith, moochlabs.com
Table of Contents
Introduction
Compiling Apache
  Pre-compilation decisions
  Preparation
    Preparation on Fedora
  Compiling
  Controlling Apache
  Modules
    Disabling modules
    Enabling modules
  Other configure options
  Other useful modules we're not using
  Which Multi-Processing Module?
  Our uber configure command
  Recompiling
    1. Upgrading the main httpd binary
    2. Compiling modules statically into the main Apache binary
    3. Compiling new shared modules
  Patching
Configuring Apache
  Default configuration
  Viewing all loaded modules
  Initial configuration
  Starting/stopping automatically
    Starting/stopping automatically using chkconfig on Fedora
  General server limits
  MPM settings
  File layout
    Summary of filesystem layout
  Logging
    Adding logging configuration
    Log rotation using rotatelogs and pipes
    Log rotation using logrotate
    Custom log rotation scripts
  Configuring file serving
    Safe defaults for serving directories
    Options on directories
    AllowOverride: overriding server configuration in a directory
    Hiding important files
    Setting the default home page
    Setting the right MIME types
    Compressing content sent to the client
  Hiding the server's identity
  chrooting
CGI
  Apache and CGI
  Improving security with suEXEC and FastCGI
SSL
  Creating a self-signed certificate
  Configuring Apache to use SSL
Adding PHP
  Pre-installation
  Preparation
  Compiling PHP
    A note on SELinux
  Removing PHP
  Extensions
  Recompiling PHP
    1. Adding a new extension
    2. Recompiling the PHP binary
  Configuring PHP
  Testing PHP + MySQL
  Testing PHP's GD extension
.htaccess files
  Setting up authentication by username and password
  Authorisation by group
  Rewriting URLs
Virtual hosts
  Setting up jelica.com
    Setting up logging and CGI for a virtual host
      Allow following of symlinks
      Allowing directive overrides
      Virtual host PHP configuration
  The final configuration file for our virtual host
  Fixing localhost
Troubleshooting
  Logs
  Status reports
  Standard tools
  More advanced tools
License
Introduction
This document outlines how to compile, install, and configure Apache and PHP on Linux. It is not a complete manual to the process, but goes through the process step by step, explaining the decisions to be made along the way.
We are working towards the following scenario:
- A secure, custom-built and configured Apache web server with support for PHP 5 (including the MySQL and GD extensions) plus virtual hosts
- SSL support for our main website
- A default (package-managed) MySQL installation, accessible to the Apache server
- Some PHP scripts to prove we can connect to the MySQL server from PHP, and that we can use the GD graphics toolkit
- A layout for virtual hosts: we're going to assume one client, with their own website at jelica.com
- A user account for the virtual host, isolated from the main Apache configuration, allowing the user to log in and edit their website
Note that I wrote these instructions based on Ubuntu, but they should be portable to other Linux distributions. In particular, I have outlined Fedora-specific issues, as the materials were written for a training course run using machines installed with Fedora.
Compiling Apache
Pre-compilation decisions
Which version of Apache?
1.x
Has been around for years, and is a known quantity. A safe choice.
2.x
Code is much improved, and many of the modules have been revamped. Configuration is also more consistent, and the format for directives improved. However, some people have reservations about using it. Although it is possible to run in a hybrid multi-process/multi-thread mode (using the worker MPM), many of the libraries you're likely to use with it may not support that mode (e.g. PHP extensions). However, under normal conditions (i.e. up to tens of thousands of hits per day, rather than millions), this version of Apache is likely to be a better solution than Apache 1.x.
Binary or source?
Source = more control; you can patch when you want; you can add features when you like
Binary = easier to manage; automatic updates; less control
- via a package management tool (using individual components), e.g. Apt on Debian, RPM on Fedora
- via a pre-packaged stack containing all components, e.g. XAMPP (http://apachefriends.org/en/xampp.html) - also gives some of the advantages of a source installation, as you can compile new modules into it
- via a pre-packaged stack, with optional certification and support, e.g. SpikeSource (http://www.spikesource.com/downloads.html), Sourcelabs (http://sourcelabs.com/?page=software&sub=amp)
We'll do it from source, using version 2.2
Preparation
Preparing the machine you're going to install on:
- gcc
- OpenSSL
- OpenSSL development headers (libssl-dev on Ubuntu)
- ntpdate to ensure server time is accurate
- Perl 5 - allows you to use some of the support scripts like apxs (for building and installing shared modules)
Download the source and check the archive's integrity using md5sum like this:
root@lily:/home/ell/download# md5sum httpd-2.2.2.tar.bz2
9c759a97444!de!a!aa2ddbc49d!e"# httpd-2.2.2.tar.bz2
Compare the string on the left to the MD5 hash listed on the Apache download site. They should match. If they don't, the download has been corrupted, so do it again.
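A scripted version of this check, added here as an example (it is not part of the original document): it takes the digest copied from the download page, rejects a digest that is not the right length for the algorithm (a truncated copy-and-paste would otherwise simply fail to match), and returns non-zero on a mismatch so it can gate the rest of a build script. The file contents and digests used in the demo function are constructed; the function names are ours.

```shell
#!/bin/sh
# Added example (not from the original document): verify a downloaded
# archive against the checksum published on the download site and refuse
# to continue on mismatch.

# verify_checksum FILE EXPECTED_DIGEST [ALGO]
# ALGO is md5 (the check the document uses) or sha256.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or the
# digest is malformed.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    algo=${3:-md5}

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    case $algo in
        md5)    cmd=md5sum;    width=32 ;;
        sha256) cmd=sha256sum; width=64 ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac

    # A published digest is exactly $width hex digits; anything else is a
    # copy-and-paste error, not a "mismatch".
    case $expected in
        *[!0-9a-f]*) echo "digest is not hexadecimal" >&2; return 2 ;;
    esac
    [ ${#expected} -eq "$width" ] || { echo "digest has wrong length" >&2; return 2; }

    actual=$($cmd "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "$algo OK: $file"
        return 0
    fi
    echo "$algo MISMATCH for $file" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Demonstration on a constructed stand-in for the tarball. In real use the
# file is httpd-2.2.2.tar.bz2 and the digest is the one on the download page.
demo() {
    tmp=$(mktemp)
    printf 'not really a tarball\n' > "$tmp"
    good=$(md5sum "$tmp" | cut -d ' ' -f 1)
    verify_checksum "$tmp" "$good" md5
    verify_checksum "$tmp" 00000000000000000000000000000000 md5 || true
    rm -f "$tmp"
}
```

Use it as the first step of the build script, e.g. `verify_checksum httpd-2.2.2.tar.bz2 "$DIGEST" || exit 1`. A digest fetched from the same mirror as the tarball only tells you the download was not corrupted; the Apache project also publishes a detached PGP signature (.asc) for each archive and a KEYS file, and verifying that signature is what tells you the archive is the one the project released.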
Preparation on Fedora
On Fedora, I found I needed to install the following via "Add/Remove Software":
Development > Development Libraries + Development Tools + GNOME Software Development
Compiling
Unpack the tarball.
Need to get apr up and running first:
cd httpd-2.2.2/srclib/apr
./configure --prefix=/opt/apache-apr
make
make install
Then apr-util:
cd httpd-2.2.2/srclib/apr-util
./configure --prefix=/opt/apache-apr-util --with-apr=/opt/apache-apr
make
make install
Then Apache:
cd httpd-2.2.2
./configure --prefix=/opt/apache --with-apr=/opt/apache-apr --with-apr-util=/opt/apache-apr-util
make
make install
Test:
/opt/apache/bin/apachectl start (as root)
NB you need to be root if the port Apache listens on (Listen directive) is below 1024; default is port 80
Test by visiting http://localhost/ in a web browser
Controlling Apache
ps to see the processes Apache starts
When Apache starts, it establishes a parent process as the original user (e.g. root in our case); it then spawns child processes to handle requests. The number of children is configurable (see later).
The PID file stores the ID of the parent process. It can be sent a variety of standard POSIX signals to control it directly; or (better) it can be controlled through the apachectl script.
The files in the log directory are the default Apache logs, as specified by the auto-generated config. file. error_log is useful for debugging, and at the moment contains start/stop info.; access_log records requests served.
The apachectl script takes a variety of switches:
start = start the parent process
stop (TERM signal) = tell the parent to kill its children; it does this immediately; then once they've exited, the parent kills itself
graceful (USR1 signal) = instruct the parent process to advise the children to exit; they allow all requests being served to complete; then they stop; then the parent stops; then the parent restarts itself; the parent process then starts new children with the latest version of the configuration file
graceful-stop (WINCH signal) = as graceful, but no restart after everything stops
restart (HUP signal) = this restarts its children (as in TERM), but doesn't stop the parent process; the parent process just rereads its configuration file and carries on running
status = show short status report (NB this needs lynx installed to work, and mod_status to be enabled)
configtest = test whether the config. file is readable and correctly formatted
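As an added illustration (not from the original document) of what apachectl does underneath for stop, graceful, graceful-stop and restart: read the parent's PID from the PidFile and send it the matching signal. The signal mapping is the one listed above; the function names are ours. The checks on the PidFile contents are the point of the example: a missing, stale or malformed PidFile would otherwise send the signal to nothing, or to whatever process happens to have that number now.

```shell
#!/bin/sh
# Added example, not from the original document: the PidFile + signal
# mechanism behind apachectl, with sanity checks on the PidFile.

# signal_for_action ACTION -> prints the signal name apachectl would send
signal_for_action() {
    case $1 in
        stop)          echo TERM ;;
        graceful)      echo USR1 ;;
        graceful-stop) echo WINCH ;;
        restart)       echo HUP ;;
        *)             return 1 ;;
    esac
}

# pid_from_file PIDFILE -> prints the PID if it is usable.
# Fails when the file is unreadable, does not hold a single positive
# integer, or names a process that no longer exists (a stale PidFile left
# behind by a crash). kill -0 needs permission to signal the process, which
# the administrator running this as root has.
pid_from_file() {
    pidfile=$1
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*|0*) echo "$pidfile does not contain a PID" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "stale $pidfile: no process $pid" >&2; return 1; }
    echo "$pid"
}

# apache_signal PIDFILE ACTION
# Returns 2 for an unknown action, 1 for a bad PidFile, else kill's status.
apache_signal() {
    sig=$(signal_for_action "$2") || { echo "unknown action: $2" >&2; return 2; }
    pid=$(pid_from_file "$1") || return 1
    kill -"$sig" "$pid"
}

# Real use, matching the PidFile set later in httpd.conf:
#   apache_signal /var/run/apache/httpd.pid graceful
```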
Modules
Modules add extra functionality to Apache. Their functionality is managed via Apache configuration directives; and each module makes different directives available.
Static vs. dynamically-loaded modules?
Static = whole server + modules in one binary; slightly faster; harder to compromise as you can't just link new modules into it; must recompile whole thing each time you update; uses more memory
Dynamic: you need to have mod_so enabled (NB mod_perl should not be compiled as a shared module, according to http://www.faqs.org/docs/apache-compile/apache.html)
We'll do as many as we can as dynamic modules, while keeping the core static
To see the list of modules compiled into the httpd binary:
/opt/apache/bin/httpd -l
Here's what I got:
core.c (yes - essential for the server to operate)
mod_authn_file.c (yes - essential for Basic authentication)
mod_authn_default.c (yes - essential for authentication)
mod_authz_host.c (yes - authorization by hostname/IP)
mod_authz_groupfile.c (yes - authorization by groups defined in a file)
mod_authz_user.c (yes - authorization by users defined in a file)
mod_authz_default.c (yes - essential for authorization)
mod_auth_basic.c (yes - support for Basic authentication)
mod_include.c (no - unless you need server-side includes)
mod_filter.c (no - provides filtering of resources before they are returned in the response, e.g. zipping the response body, downsampling every image sent back from the server)
mod_log_config.c (yes - allows customisation of log output)
mod_env.c (no - unless you need to set and clear environment variables for use with CGI scripts - e.g. essential if running Ruby on Rails applications with FastCGI)
mod_setenvif.c (yes - supports a lot of other modules)
prefork.c (yes)
http_core.c (yes)
mod_mime.c (yes - allows Apache to correctly deliver content based on MIME type)
mod_status.c (no - shows server status page)
mod_autoindex.c (no - unless you want directory indexes to be shown for directories with no index file)
mod_asis.c (no - used to send a file without appending response headers to it - so you could have a file which contains a whole HTTP response, including headers)
mod_cgi.c (no - unless you want CGI script support)
mod_negotiation.c (no - it provides a method for negotiating the best content type to suit the client's capabilities)
mod_dir.c (yes - controls the DirectoryIndex directive, used to set the default file to serve for a directory, e.g. index.php)
mod_actions.c (no - triggers CGI scripts based on the MIME type of a resource requested - e.g. all requests for image/jpeg are handed off to a specific CGI script)
mod_userdir.c (no - unless you want ~/public_html directories for user home sites)
mod_alias.c (yes - handles aliasing of URLs to directories)
mod_so.c (yes - shared object support for dynamic extension loading)
Disabling modules
Any modules we want turned off have to be explicitly disabled with this syntax:
--disable-MODULE
For our purposes:
--disable-userdir
--disable-actions
--disable-negotiation
--disable-cgi
--disable-asis
--disable-autoindex
--disable-status
--disable-env
--disable-filter
--disable-include
BUT we can also remove the remaining modules and make them dynamically-loaded:
--disable-mod_authn_file
--disable-mod_authn_default
--disable-mod_authz_host
--disable-mod_authz_groupfile
--disable-mod_authz_user
--disable-mod_authz_default
--disable-mod_auth_basic
--disable-mod_log_config
--disable-mod_mime
--disable-mod_dir
--disable-mod_alias
Note we didn't disable a few of the modules, as we do want them statically compiled (e.g. mod_so, which enables shared modules to be loaded)

Enabling modules
Extra modules we want:
- ssl (support for SSL - we'll put this in statically)
- setenvif (set environmental variables conditional upon modules being loaded)
- headers (enable modification of request/response headers)
- rewrite (for rewriting requests - used for search-engine friendly URLs, for example)
- deflate (for zipping content before it is sent to client [useful if client supported gzipped streams, e.g. Firefox])
- cgi (for running CGI scripts)
The typical method (the one we'll use) is to use shared modules rather than static ones.
We do this by adding this option to ./configure, with the names of the modules we want to enable:
--enable-mods-shared='setenvif headers rewrite deflate cgi'
But we will enable SSL as a static module, to ensure it is always used and to minimise the possibility of the library being trojaned.
--enable-ssl
We can also add back in the modules which were previously statically-compiled but which we are converting to dynamically-loaded modules:
--enable-mods-shared='authn_file authn_default authz_host authz_groupfile authz_user authz_default auth_basic log_config mime dir alias'
Other configure options
If you want to be able to use apxs, it's a good idea to specify the path to Perl explicitly (just in case multiple versions are installed):
--with-perl=<path to perl executable>
As we have turned on ssl, best to explicitly set where OpenSSL is installed:
--with-ssl=<path to openssl include directory, e.g. /usr/include/openssl>
Full list of options to configure:
http://httpd.apache.org/docs/2.2/programs/configure.html
Other useful modules we're not using
Here are some modules we're missing out, but which can be very useful:
mod_dav (WebDAV support)
mod_ldap (base module to support other modules, e.g. LDAP authentication modules)
mod_proxy (use Apache as a proxy to other servers)
mod_proxy_balancer (for load balancing)
mod_cache (cache local or proxied content)
mod_vhost_alias (automatic mapping of URLs onto virtual hosts)
Which Multi-Processing Module?
prefork is the default for Linux - stable, tolerant of dodgy module code (one process at a time handles each connection)
worker is more lightweight, but less tolerant (uses multiple child processes, plus each child has multiple threads - each thread handles one connection)
prefork is the recommended MPM to use if you intend to run PHP as a module (see http://www.php.net/manual/en/faq.installation.php#faq.installation.apache2); however, if you intend to use FastCGI or similar to run PHP, the worker MPM is stable.
To enable worker instead of prefork on Linux add the following configure option:
--with-mpm=worker
Our uber configure command
Putting all of this together gives us our master configure command:
./configure --prefix=/opt/apache --with-apr=/opt/apache-apr --with-apr-util=/opt/apache-apr-util --with-perl=/usr/bin/perl --with-ssl=/usr/include/openssl --disable-userdir --disable-actions --disable-negotiation --disable-cgi --disable-asis --disable-autoindex --disable-status --disable-env --disable-filter --disable-include --disable-mod_authn_file --disable-mod_authn_default --disable-mod_authz_host --disable-mod_authz_groupfile --disable-mod_authz_user --disable-mod_authz_default --disable-mod_auth_basic --disable-mod_log_config --disable-mod_mime --disable-mod_dir --disable-mod_alias --enable-mods-shared='cgi setenvif headers rewrite deflate authn_file authn_default authz_host authz_groupfile authz_user authz_default auth_basic log_config mime dir alias' --enable-ssl
It would be a good idea to put this into a script, so you have it available each time you recompile Apache.
Remember that once we've run configure, we then need to do:
make
make install
This performs the compilation (according to our configuration) and installs the binaries into the appropriate location (under /opt/apache).
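Here is one way to do that, as an added example rather than the document's own script: the option values and module lists are the ones above, held in variables so that a later change (say, moving a module between the static and shared lists) is made in one place and the command is regenerated rather than edited by hand. The script name build-apache.sh, the HTTPD_SRC variable and the function name are our assumptions.

```shell
#!/bin/sh
# build-apache.sh -- added example, not the document's own script.
# Regenerates the master configure command from the lists below.
# Usage:  sh build-apache.sh        # print the command
#         sh build-apache.sh run    # configure, make, make install in $HTTPD_SRC

PREFIX=/opt/apache
APR=/opt/apache-apr
APR_UTIL=/opt/apache-apr-util
PERL=/usr/bin/perl
OPENSSL_INC=/usr/include/openssl

# modules we do not build at all (the first --disable list above)
DISABLED="userdir actions negotiation cgi asis autoindex status env filter include"
# modules moved out of the static core and rebuilt as shared objects
STATIC_TO_SHARED="authn_file authn_default authz_host authz_groupfile authz_user authz_default auth_basic log_config mime dir alias"
# extra modules built as shared objects (cgi is disabled static, enabled shared)
EXTRA_SHARED="cgi setenvif headers rewrite deflate"

# build_configure_cmd -> prints the configure command line on one line
build_configure_cmd() {
    cmd="./configure --prefix=$PREFIX --with-apr=$APR --with-apr-util=$APR_UTIL"
    cmd="$cmd --with-perl=$PERL --with-ssl=$OPENSSL_INC"
    for m in $DISABLED; do
        cmd="$cmd --disable-$m"
    done
    for m in $STATIC_TO_SHARED; do
        cmd="$cmd --disable-mod_$m"
    done
    # mod_ssl stays static, as decided in "Enabling modules"
    cmd="$cmd --enable-mods-shared='$EXTRA_SHARED $STATIC_TO_SHARED' --enable-ssl"
    printf '%s\n' "$cmd"
}

if [ "${1:-}" = run ]; then
    cd "${HTTPD_SRC:?set HTTPD_SRC to the unpacked httpd source directory}"
    eval "$(build_configure_cmd)" && make && make install
else
    build_configure_cmd
fi
```

Keep the script alongside the source tree; after an upgrade it does the same job as the config.nice replay described in the Recompiling section, but with the option lists readable.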
Recompiling
Recompiling a new version of Apache (given an old version already exists) isn't too arduous. There are several things we might want to do:
1. Upgrade Apache as a whole (e.g. moving from one 2.2.x release to the next)
2. Compile modules statically into the httpd binary (either new ones or existing shared ones we want to move into the core httpd binary)
3. Compile new shared modules (either completely new ones or existing statically-compiled ones)
See http://httpd.apache.org/docs/2.2/install.html for more details. Outlines of each process are given below.
1. Upgrading the main httpd binary
You can only do this for minor version number changes, e.g. version 2.2.0 to 2.2.1; you can't do it to go between major version number changes, e.g. 2.0 to 2.2.
If you are upgrading, it's worth doing it alongside your existing installation. You could do this by changing the --prefix option to configure, so that the new version ends up in a different directory; and setting a different Listen directive inside the new httpd.conf file so your new version runs on a different port. Once you're happy, you can re-run configure with the correct --prefix setting.
Here's the procedure:
1. Download the new source distribution and unpack it
2. Copy the config.nice file from your old source tree for Apache into the top of the new source tree. This file is basically a script which will replay all the configure options you used to build the old version.
3. Run the following commands:
./config.nice
make
make install
The Apache make file will not overwrite existing files on the server like configuration files (httpd.conf) or files which have changed. But it will overwrite the httpd binary and any modules which have changed.
2. Compiling modules statically into the main Apache binary
Let's say we have mod_ssl compiled as a shared module, and want to recompile our httpd binary to statically include it instead. We can do this as follows:
1. Pass an edited set of options to the ./configure script. For example, let's say we had SSL compiled as a shared module (a fragment of our configure options lines):
./configure --enable-ssl=shared ...
Change this to compile the module statically instead:
./configure --enable-ssl ...
2. make
The make command rebuilds the httpd binary (plus any other files which have changed as a result of our reconfiguration)
3. Manually copy the new httpd binary (in the root of the build directory) into our existing Apache configuration, i.e.
cp ./httpd /opt/apache/bin/
4. Reset the permissions on the new binary (see later)
5. Remember to remove any LoadModule lines for the old shared version of the module, so that the statically-compiled module is used instead.
6. (Optional) Remove the shared module from the modules directory, as it is no longer being loaded.
We could follow the same approach to enable a new static module in the httpd binary (rather than move a module from being dynamic to static).
Alternatively, we could recompile, then use make install to overwrite our installation with any changed files (see above).
3. Compiling new shared modules
We could do this to either add a completely new shared module, or to move a static module to being a shared module.
The apxs tool can be used to add new shared modules into an existing Apache installation. The procedure may vary slightly from module to module, but for the ones which are part of the core Apache distribution it follows this pattern:
1. Locate the module directory (in the source tree, under modules). The modules are arranged into groups, e.g. proxy for modules which handle proxying functions, mappers for mapping modules like mod_rewrite. What we're looking for is the appropriate .c file for the module.
2. Run the apxs command with the -c (compile) and -i (install) flags, e.g.
/opt/apache/bin/apxs -c -i -a mod_rewrite.c
This compiles up the new module binary (.so file) and deposits it into /opt/apache/modules.
3. Note that the -a switch to apxs automatically adds a LoadModule line to httpd.conf. If you don't use this switch, you will need to manually add the LoadModule directive to httpd.conf yourself, something like this:
LoadModule rewrite_module modules/mod_rewrite.so
If we want to move a static module to become a shared module, we will need to recompile the httpd binary as well, and exclude the old static module (see instructions above).
We can demonstrate how this works by compiling a simple module like mod_echo. This turns the Apache server into an echo server which repeats back whatever you send to it.
1. cd <Apache source root>/modules/echo
2. /opt/apache/bin/apxs -c -i mod_echo.c
3. Edit /opt/apache/conf/httpd.conf and add these lines:
LoadModule echo_module modules/mod_echo.so
ProtocolEcho On
4. Restart Apache
5. Test the module has loaded correctly using telnet:
telnet localhost 80
Type some commands, and they should be echoed back to you. This is Apache acting as an echo server, using its newly-compiled echo module.
The beauty of Apache's modularity is that it is equally easy to remove a shared module. We can simply remove the LoadModule directive in httpd.conf; and we could additionally remove the .so file itself to be extra safe.
Patching
Occasionally, between releases of Apache versions, official patches may be released for the current version. These patches will typically implement important security updates which are too vital to wait until the next full release. They are fairly rare, but you should check for applicable patches before compiling.
To get the patches, go to the source download directory on one of the mirror sites, via the Apache Downloads link. Inside the main distribution directory is a patches directory, e.g.
http://www.mirrorservice.org/sites/ftp.apache.org/httpd/patches/
This contains a series of directories with names in this format:
apply_to_2.2.0/
Inside these directories are a series of patches for each released version of Apache. To apply a patch:
1. Download the patch file
2. Place it in the source directory for Apache
3. Apply it to your source with:
patch -s < file.patch
where file.patch is the name of the patch file you downloaded
4. configure/make/make install (see the Upgrading section above for more details about the effect of this)
Configuring Apache
Default configuration
The default configuration for our compiled Apache is in /opt/apache/conf/httpd.conf. There are other useful files containing sample configuration "fragments" in the /opt/apache/conf/extra directory. They can be used for reference or pulled into your main config. file as they are, with little modification.
Viewing all loaded modules
To show all loaded modules (including dynamically-loaded modules) once the server is running:
/opt/apache/bin/httpd -M
Which outputs:
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authn_file_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_default_module (shared)
 auth_basic_module (shared)
 deflate_module (shared)
 log_config_module (shared)
 mime_magic_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 mime_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
Syntax OK
NB this also checks the syntax of the config. file; can do this without displaying modules using:
/opt/apache/bin/httpd -t
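An added example, not from the original document, that turns this listing into a check: feed it the output of httpd -M and it reports any module from the list we decided to leave out in the Modules section (status, autoindex, userdir, ...) that has crept back in through a rebuild or a stray LoadModule line, and any core module that is missing. The sample output is constructed to match the listing above, with status_module added so the check has something to find; the allow and deny lists are ours and should be edited to match your own decisions.

```shell
#!/bin/sh
# Added example, not part of the original document: audit "httpd -M"
# output against the module policy chosen at configure time.

# Modules the build deliberately left out; any of these showing up is a finding.
UNWANTED="status_module autoindex_module userdir_module asis_module include_module env_module actions_module negotiation_module"
# Modules that must be present for the configuration in this document to work.
REQUIRED="core_module so_module mime_module dir_module log_config_module"

# audit_modules  (reads httpd -M output on stdin)
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_modules() {
    # module names are the first field of the indented lines, e.g. " dir_module (shared)"
    loaded=$(awk '$1 ~ /_module$/ { print $1 }')
    rc=0
    for m in $UNWANTED; do
        for l in $loaded; do
            [ "$l" = "$m" ] && { echo "UNWANTED loaded: $m"; rc=1; }
        done
    done
    for m in $REQUIRED; do
        found=0
        for l in $loaded; do
            [ "$l" = "$m" ] && found=1
        done
        [ $found -eq 1 ] || { echo "REQUIRED missing: $m"; rc=1; }
    done
    return $rc
}

# count_shared  (reads httpd -M output on stdin)
# Number of modules that came in via LoadModule rather than the static core.
count_shared() {
    awk '$2 == "(shared)" { n++ } END { print n + 0 }'
}

# Constructed sample, shaped like the listing above, with one unwanted module.
SAMPLE_OUTPUT='Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 authn_file_module (shared)
 log_config_module (shared)
 mime_module (shared)
 dir_module (shared)
 status_module (shared)
Syntax OK'

# Real use:  /opt/apache/bin/httpd -M 2>&1 | audit_modules
demo() {
    printf '%s\n' "$SAMPLE_OUTPUT" | audit_modules
}
```

Run it from a cron job or after every recompile; a non-zero exit is the signal that the running server no longer matches the build decisions made above.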
Initial configuration
We have the option to use a single config. file OR spread it out over multiple files. Pros and cons:
Single = everything in one place; difficult to manage with lots of vhosts
Multiple = clear separation of different aspects of configuration
We'll use a single file for the main config.; plus a separate file for the SSL config., and one for each virtual host.
We are also writing a config. file which only works for our compiled version of Apache. The default generated file provided as an example in the Apache distribution contains a variety of conditional statements. These apply different configuration directives depending on the underlying operating system, but we are going to dispense with these as much as possible to get a streamlined configuration file.
Start with a blank config file in
/opt/apache/conf/httpd.conf
Then add:
# base of the web server install
ServerRoot /opt/apache
# name of the web server (can help prevent
# startup problems)
ServerName localhost
# email address of the administrator
# (shown in error messages)
ServerAdmin ell@localhost
# location of the root of the web server document tree
DocumentRoot /var/www/htdocs
# path to the process ID (PID) file, which
# stores the ID of the main Apache process
PidFile /var/run/apache/httpd.pid
# which port to listen on
Listen 80
# do not resolve client IP addresses to names (reduces overhead)
HostNameLookups Off
# effective user and group
User apache
Group apache
We will need to create the "effective user" under which Apache will run on the system. Apache will run with the permissions of this user and group:
groupadd apache
useradd apache -g apache -d /dev/null -s /bin/false
(-d = home directory, -g = main group, -s = shell)
And we'll need to create the appropriate directories:
mkdir /var/www/htdocs (for the resources Apache will serve)
mkdir /var/run/apache (for the process file)
mkdir /var/log/apache (for logs)
There are also several directories lying around which we can safely remove:
rm -Rf /opt/apache/manual (the Apache manual)
rm -Rf /opt/apache/cgi-bin (we'll put the cgi-bin into individual host configurations)
rm -Rf /opt/apache/icons (icons used when listing the content of directories - we're not going to be doing this anyway, so we may as well remove them)
It's necessary to keep the default logs directory, even though we're not using it directly, as some modules use it to store files, while not providing a directive to customise the log directory location.
If it's useful you can also keep the man directory. You can access the files in this directory using the man command like this:
man ./htdigest.1
for example, if you need to find out more about the commands Apache provides.
We can now try restarting to ensure our config. works:
/opt/apache/bin/apachectl restart
We won't be able to see our site anymore, but at least we should be able to see if the server starts OK.
Starting/stopping automatically
Symlink into the appropriate run-level.
On Ubuntu, I suggest run-level 2:
ln -s /opt/apache/bin/apachectl /etc/rc2.d/S85apache
ln -s /opt/apache/bin/apachectl /etc/rc2.d/K20apache
You also need to make sure that the network is up and the hostname set before you start the Apache server, so a high number like 85 is suitable.
Starting/stopping automatically using chkconfig on Fedora
On Fedora, we can use chkconfig to add Apache to the startup/shutdown sequence. chkconfig uses specially-formatted comments in the start/stop script to determine when a service is started: at which runlevels, and where in the sequence of starting/stopping services.
1. Make a symlink from the Apache control script to Fedora's init script directory:
ln -s /opt/apache/bin/apachectl /etc/rc.d/init.d/apache
2. Add these extra lines to the top of /opt/apache/bin/apachectl:
#
# apache Control script for the Apache HTTP Server
#
# chkconfig: 345 85 15
# description: Apache web server
The chkconfig line specifies:
<run_levels> <start_priority> <stop_priority>
3. Add Apache to the services managed by chkconfig:
chkconfig apache on
4. Confirm the configuration:
chkconfig --list apache
You should see something like this:
apache 0:off 1:off 2:off 3:on 4:on 5:on 6:off
5. Once we have a script in /etc/rc.d/init.d, we can use a shortcut to start/stop services manually:
service apache start
service apache stop
service apache restart
service apache graceful
etc.
General server limits
There are a range of directives which govern the generic operating capacity of the server: for example, the maximum length of time to spend waiting for a client, the maximum number of client connections allowed, whether to use KeepAlive connections, and so on. The most important ones are:
# time to wait for slow clients; default is 300,
# but setting this lower improves resilience
# against DOS attacks
TimeOut 60
# keep-alive allows multiple HTTP requests to be
# served over a single TCP request;
# the client needs to explicitly mark itself
# as being capable of handling this type of request
# in a request header for Apache to serve the request this way
KeepAlive On
# the max. number of requests to serve over a single
# TCP connection; default is 100, but the
# Apache manual recommends setting it higher
MaxKeepAliveRequests 200
# length of time to keep a connection open while
# waiting for the next request in a keep-alive
# sequence; default is 5; lower it on heavily-loaded
# servers to prevent Apache leaving
# connections idling while they wait for clients
KeepAliveTimeout 15
# maximum size of request body (0 = no limit)
LimitRequestBody 0
# number of header fields allowed in a request
LimitRequestFields 100
# how long header fields can be (in bytes)
LimitRequestFieldsize 8190
# how long the initial line of a request can be
LimitRequestLine 8190
MPM settings
We also need some directives to control the activity of the MPM. For the prefork MPM (which we're using) we can specify the following:
# number of spare servers to keep running to
# handle potential incoming requests
MinSpareServers 5
# max. number of servers to leave idling
MaxSpareServers 10
# number of servers to start when Apache boots
StartServers 5
# maximum number of clients to serve simultaneously
MaxClients 150
# maximum requests to handle by any one server instance before it is restarted;
# default is 10000 (unlimited), but setting it lower will help in cases where
# Apache modules are memory-leaking, as a single process will be unable
# to consume too much memory; for keep-alive sessions, this represents the
# number of clients per child, rather than requests per child
MaxRequestsPerChild 1000
If we're using the worker MPM, it has a different set of configuration directives. See the Apache manual for more details, or the sample config. file in /opt/apache/conf/extra/httpd-mpm.conf.
Try changing these values, and use ps to see the processes which Apache starts.
File layout
We've already started making decisions about how our Apache server will be laid out. Let's consolidate this now.
Suggested directory layout:
Binaries and supporting files: /opt/apache
Default web site: /var/www/htdocs (we can eventually remove this if we don't want to use it)
Default cgi-bin: /var/www/cgi-bin (ditto as for the htdocs directory)
Log files: /var/log/apache (e.g. access_log, error_log)
Process file: /var/run/apache
We're going to use a separate layout for each virtual host (to be covered later).
Although we have an apache user and group, they shouldn't own the Apache executables: these must start as root to run on port 80; so if someone cracked the apache user account and replaced the httpd binary with a Trojan'ed version, the next time httpd runs it would run the Trojan code as root.
Summary of filesystem layout
Path                    User:group ownership   Directory permissions   File permissions
/opt/apache             root:root              755                     644
/opt/apache/bin         root:root              u+x                     -
/opt/apache/build/*.sh  root:root              -                       u+x
/opt/apache/conf        root:root              700                     -
/var/log/apache         root:root              700                     -
/var/run/apache         root:root              700                     -
/var/www/htdocs         root:root              755                     -
/var/www/cgi-bin        root:root              755                     -
Here are the commands to implement these settings:
chown -R root:root /opt/apache
find /opt/apache -type d | xargs chmod 755
find /opt/apache -type f | xargs chmod 644
find /opt/apache/bin -type f | xargs chmod u+x
chmod u+x /opt/apache/build/*.sh
chmod 700 /opt/apache/conf
chown root:root /var/log/apache
chmod 700 /var/log/apache
chown root:root /var/run/apache
chmod 700 /var/run/apache
chown root:root /var/www/htdocs
chmod 755 /var/www/htdocs
chown root:root /var/www/cgi-bin
chmod 755 /var/www/cgi-bin
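A check to run after those commands, as an added example that is not part of the course notes: it audits the layout table above, reporting wrong directory modes, entries not owned by the expected uid, and anything group- or world-writable (the condition that would let a non-root account replace httpd or the config). The paths are the page's own; expected_uid=0 assumes root, and the prefix parameter is a hypothetical addition so the check can run against a staging copy of the tree.

```python
"""Audit the ownership and permission layout from the table above."""
import os
import stat

# (path, expected directory mode) taken from the layout table
EXPECTED = [
    ("/opt/apache", 0o755),
    ("/opt/apache/conf", 0o700),
    ("/var/log/apache", 0o700),
    ("/var/run/apache", 0o700),
    ("/var/www/htdocs", 0o755),
    ("/var/www/cgi-bin", 0o755),
]
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_layout(expected=EXPECTED, expected_uid=0, prefix=""):
    """Return a list of problem descriptions; an empty list means the tree
    matches the table. The mode is checked on each listed directory itself;
    ownership and group/world-writability are checked on everything below it.
    Symlinks are skipped because their own mode bits are meaningless."""
    problems = []
    for path, dir_mode in expected:
        top = prefix + path
        if not os.path.isdir(top):
            problems.append("%s: missing" % top)
            continue
        mode = stat.S_IMODE(os.stat(top).st_mode)
        if mode != dir_mode:
            problems.append("%s: mode %o, expected %o" % (top, mode, dir_mode))
        for root, dirs, files in os.walk(top):
            for name in dirs + files:
                full = os.path.join(root, name)
                st = os.lstat(full)
                if stat.S_ISLNK(st.st_mode):
                    continue
                if st.st_uid != expected_uid:
                    problems.append("%s: owned by uid %d, expected %d"
                                    % (full, st.st_uid, expected_uid))
                if stat.S_IMODE(st.st_mode) & WRITABLE_BY_OTHERS:
                    problems.append("%s: writable by group/other" % full)
    return problems


def build_staging_tree(base):
    """Create the table's directories under `base` with the expected modes,
    so the audit can be exercised without touching the real system."""
    for path, dir_mode in EXPECTED:
        os.makedirs(base + path)
        os.chmod(base + path, dir_mode)
    return base


if __name__ == "__main__":
    # against the live system; run as root so uid 0 is the expected owner
    for line in audit_layout() or ["layout matches the table"]:
        print(line)
```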
Logging
[To enable logging, the log_config module has to be loaded first.]
Apache has two separate logs:
1. Error log
The first stop for diagnosing errors with the server; by default will also contain CGI error output. Example message:
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/test
- Date and time of the message
- Type of message
- IP address of client which triggered the error
- Error message
The level of logging is set in Apache config. using the LogLevel directive. The possible settings are (in order of decreasing significance):
emerg   Emergencies - system is unusable. "Child cannot open lock file. Exiting"
alert   Action must be taken immediately. "getpwuid: couldn't determine user name from uid"
crit    Critical Conditions. "socket: Failed to get a socket, exiting child"
error   Error conditions. "Premature end of script headers"
warn    Warning conditions. "child process 1234 did not exit, sending another SIGHUP"
notice  Normal but significant condition. "httpd: caught SIGBUS, attempting to dump core in ..."
info    Informational. "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
debug   Debug-level messages "Opening config file ..."
Setting the LogLevel tells Apache to log all messages of that severity or higher. Setting the LogLevel to crit, for example, will report emerg, alert and crit messages. The standard setting is error.
The log is written to the file specified by the ErrorLog directive, which specifies the path for the log file, e.g. ErrorLog /var/log/apache/error_log
2. Access log
This logs requests made to the server. It is set up by defining two directives:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/apache/access_log combined
Here I am using a standard log format commonly known as "combined". Note that you can reference any request header using the %{Header}i syntax. You can also record response headers with %{Header}o.
%>s is the status sent in the response (e.g. 200, 404, 302). If you specify %>s, the final status is recorded; if you specify %<s, the initial status message sent to the request is recorded.
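Reading both logs back, as an added example that is not part of the course notes: a parser for error_log lines and for access_log lines in the "combined" LogFormat above, a filter that applies the LogLevel ordering, and a per-status/per-client summary of the kind used when looking for a misbehaving client. The sample log lines are constructed for illustration, not captured from a real server.

```python
"""Parse Apache error_log and combined-format access_log lines."""
import re
from collections import Counter

# LogLevel names, most severe first; LogLevel X writes X and everything before it
LOG_LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# [Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] message
ERROR_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<message>.*)$"
)

# "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# constructed sample lines in the two formats described in the text
SAMPLE_ERROR_LOG = """\
[Wed Oct 11 14:32:52 2000] [error] [client 127.0.0.1] client denied by server configuration: /opt/apache/htdocs/test
[Wed Oct 11 14:33:01 2000] [notice] Apache/2.2.2 (Unix) configured -- resuming normal operations
[Wed Oct 11 14:35:10 2000] [warn] child process 1234 did not exit, sending another SIGHUP
[Wed Oct 11 14:36:00 2000] [info] Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)...
"""
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [11/Oct/2000:14:32:50 +0100] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (constructed)"
127.0.0.1 - - [11/Oct/2000:14:32:52 +0100] "GET /test HTTP/1.1" 403 202 "http://localhost/index.html" "Mozilla/5.0 (constructed)"
10.1.2.3 - - [11/Oct/2000:14:40:07 +0100] "GET /passwd HTTP/1.0" 404 - "-" "curl/7.0 (constructed)"
"""


def parse_error_line(line):
    """Return a dict (time, level, client, message), or None if the line does not parse."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None


def parse_access_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %b is "-" when no body was sent (e.g. a 304); count that as 0 bytes
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is "METHOD PATH PROTOCOL"; a malformed request line may have fewer parts
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else None
    rec["path"] = parts[1] if len(parts) > 1 else None
    return rec


def filter_by_level(records, log_level):
    """Keep the error records that a LogLevel of `log_level` would have written."""
    kept = LOG_LEVELS[: LOG_LEVELS.index(log_level) + 1]
    return [r for r in records if r["level"] in kept]


def status_summary(records):
    """Counts per status class (2xx, 4xx, ...) and per client address."""
    by_class = Counter("%dxx" % (r["status"] // 100) for r in records)
    by_client = Counter(r["host"] for r in records)
    return by_class, by_client


if __name__ == "__main__":
    errors = [parse_error_line(l) for l in SAMPLE_ERROR_LOG.splitlines()]
    for rec in filter_by_level(errors, "warn"):
        print("%(level)s: %(message)s" % rec)
    hits = [parse_access_line(l) for l in SAMPLE_ACCESS_LOG.splitlines()]
    print(status_summary(hits))
```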
Adding logging configuration
Putting this together for our setting gives us the following extra lines for httpd.conf:
# load shared modules
LoadModule log_config_module modules/mod_log_config.so
# error log
LogLevel info
ErrorLog "/var/log/apache/error_log"
<IfModule log_config_module>
# access log
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/apache/access_log" combined
</IfModule>
Note I sneaked in a directive to load a shared module here (mod_log_config.so). This is necessary before we can start using the directives which that module makes available in our config..
I also put the directives which depend on this module inside a conditional <IfModule> directive. This means that if we decide to turn off this module at some point, the directives relating to it are ignored. This makes the config. file more stable, and also makes it easier to track dependencies between modules and directives.
Log rotation using rotatelogs and pipes
Apache comes with a utility for rotating logs called rotatelogs. You can specify that this be used in the CustomLog directive by specifying a pipe ( | ) for the CustomLog:
CustomLog "|/opt/apache/bin/rotatelogs -l /var/log/apache/access_log-%Y-%m-%d 86400" common
(This command rotates the access log every 24 hours, and calls the old logfile access_log suffixed with the full year, month and day; 86400 = 24 hours = 60 * 60 * 24 seconds; the -l option forces the server to use local time for the logs rather than GMT)
It is also possible to rotate the logs based on size (replace the time specification with a file size, e.g. 5M)
There is another log rotation script called cronolog (http://cronolog.org/), which offers finer-grained control over logging, but which can be used in the same way as rotatelogs (i.e. via a pipe).
Log rotation using logrotate
logrotate is another solution available with most Linux distributions. It works externally to the programs it is rotating for: you don't configure it inside httpd.conf, but configure logrotate itself instead, telling it which logs to rotate. logrotate can be used to rotate logs for any application, and runs as a daemon. Here's a sample configuration script for rotating our Apache logs (adapted from Ubuntu's logrotate configuration for Apache):
/var/log/apache/*_log {
    # rotate on a daily basis
    daily
    # don't return an error if there are no *_log files
    missingok
    # keep 30 copies of logs
    rotate 30
    # compress rotated logs
    compress
    # wait for another rotation before compressing logs
    delaycompress
    # create new log files with mode 600, owner root, and group root
    create 600 root root
    sharedscripts
    # script to run after rotating logs
    postrotate
        if [ -f /var/run/apache/httpd.pid ]; then
            /opt/apache/bin/apachectl graceful > /dev/null
        fi
    endscript
}
Here's a good reference for creating your own logrotation scripts, and what the directives mean:
http://www-uxsup.csx.cam.ac.uk/~jw35/courses/apache/html/x216.html
The location to put the configuration file into depends on how the logrotate daemon is configured on the machine; in the case of Fedora, the above configuration script would be placed in:
/etc/logrotate.d/apache
You can test your logrotate script manually using:
logrotate -f /etc/logrotate.d/apache
Custom log rotation scripts
It's pretty easy to write your own log rotation script which works offline. This is more efficient than using piped logs, as it only requires a short-lived process which runs occasionally to archive the log files (unlike rotatelogs, which runs continuously with Apache). However, it may be a less sustainable choice than a dedicated application like logrotate (see earlier), as you have to maintain the script yourself, though it should be easier to setup.
Here's a sample script we could use with cron (as the root user) to rotate our logs on a daily bas is:
#!/usr/bin/python
# rename today's logs to dated archives, then tell Apache to reopen them
import time
from subprocess import call
from os import rename

# date suffix appended to the archived file names, e.g. ".2000-10-11"
suffix = '.' + time.strftime('%Y-%m-%d')

access_log = '/var/log/apache/access_log'
archived_access_log = access_log + suffix
error_log = '/var/log/apache/error_log'
archived_error_log = error_log + suffix

# Apache keeps writing to the renamed files until it is restarted
rename(access_log, archived_access_log)
rename(error_log, archived_error_log)

# do a graceful restart so the server reopens the original log names
call(['/opt/apache/bin/apachectl', 'graceful'])
While saving some CPU cycles, this approach also has the advantage of keeping log file names simple (just access_log and error_log), as logrotate does. This makes configuration easier later on (e.g. if we want multiple virtual hosts to write to the same access_log, we can just specify the filename access_log).
The old log files are renamed by appending a date suffix onto the end of the original file name. You could refine this by removing really old logs, or zipping the archived logs.
[NB there appears to be a bug with the graceful restart command for Apache 2.2 (it is recorded on the Apache bug tracker), which causes an error to appear in the logs when running the above script. However, this appears to have no effect on the server's operation.]
Configuring file serving
Safe defaults for serving directories
By default, Apache will serve any file it can access. This could be problematic if a mis-configuration made it possible for Apache to serve critical system files. We can set the default to deny access to the whole filesystem by default:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
The <Directory> directive allows you to group a set of options which apply to a specified directory in the filesystem (and all its sub-directories). In our case, we are applying it to / (the root of the whole filesystem).
The Order directive is part of the host based authentication module (mod_authz_host). It specifies the order in which Deny and Allow directives are applied. In this case, Deny directives are applied first, then Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the directory.
The Deny directive specifies that all hosts are denied access. It is possible to restrict access using IP addresses, partial IP addresses, network/netmask pairs, or network/nnn CIDR specification, e.g.
Allow from 82.68.194.150
Allow from 10.1
Allow from 10.1.0.0/255.255.0.0
Allow from 10.1.0.0/16
You can also control access by environment variable using:
Allow from env=access_granted
Using setenvif, you could set environment variables based on arbitrary features of the request (e.g. particular user agents, referer, non-standard headers), which could then be used to grant/deny access.
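The Order/Allow/Deny evaluation described above, worked through in code as an added example that is not Apache's own: it reproduces how mod_authz_host decides access under "Order Deny,Allow" and "Order Allow,Deny" for the argument forms the text lists (all, a full IP, a partial IP, network/netmask, CIDR and env=VARIABLE); host-name arguments are not handled. The two <Directory> blocks are the page's; INTRANET_BLOCK and the client addresses are constructed for illustration.

```python
"""Evaluate mod_authz_host Order/Allow/Deny rules for a client address."""
import ipaddress


def host_matches(spec, client_ip, env):
    """True if one Allow/Deny argument matches the client."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        # env=NAME matches when the variable exists (e.g. set by SetEnvIf)
        return spec[4:] in env
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # 10.1.0.0/255.255.0.0 (network/netmask) or 10.1.0.0/16 (CIDR)
        return addr in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # partial IP such as 10.1: the leading octets must match exactly
        return str(addr).split(".")[: len(octets)] == octets
    return addr == ipaddress.ip_address(spec)


def access_allowed(order, allow, deny, client_ip, env=None):
    """Decide access given the Order value and the Allow/Deny argument lists."""
    env = env or {}
    allowed = any(host_matches(s, client_ip, env) for s in allow)
    denied = any(host_matches(s, client_ip, env) for s in deny)
    if order.lower() == "deny,allow":
        # Deny first, then Allow; the default is allow, so a Deny match
        # only sticks when no Allow matches
        return not denied or allowed
    if order.lower() == "allow,deny":
        # Allow first, then Deny; the default is deny, and any Deny match wins
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


# the two <Directory> blocks from the text, as (order, allow, deny)
ROOT_BLOCK = ("Deny,Allow", [], ["all"])
HTDOCS_BLOCK = ("Allow,Deny", ["all"], [])
# a constructed intranet block: the 10.1 network except one host
INTRANET_BLOCK = ("Allow,Deny", ["10.1.0.0/16"], ["10.1.99.7"])


def decide(block, client_ip, env=None):
    """Apply one (order, allow, deny) block to a client address."""
    order, allow, deny = block
    return access_allowed(order, allow, deny, client_ip, env)


if __name__ == "__main__":
    for ip in ["127.0.0.1", "10.1.5.6", "10.1.99.7", "192.168.1.1"]:
        print(ip, decide(ROOT_BLOCK, ip), decide(HTDOCS_BLOCK, ip),
              decide(INTRANET_BLOCK, ip))
```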
We now need to allow access to the default website directory so we can serve files from it:
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
We need to add these directives, plus the LoadModule statement to pull in the module which controls authentication, to httpd.conf:
...
LoadModule authz_host_module modules/mod_authz_host.so
...
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
</Directory>
We now have enough in place to test whether we can serve files. All we need to do now is:
1. Change to the root user
2. Create a file in /var/www/htdocs called index.html (any content)
3. Restart Apache
4. Go to http://localhost/index.html: you should see your content
Options on directories
The Options directive covers file access configuration for individual <Directory> directives. It allows you to govern features like execution of files, following symlinks, and showing indexes of files in a directory. Here are the options available:
ExecCGI: CGI scripts can be executed in the directory
FollowSymLinks: symlinks in the directory can be followed to their target, even if outside the webserver's document tree (NB this one is needed for mod_rewrite, which is very important for URL rewriting and used by many applications for Search Engine Optimisation of URLs)
SymLinksIfOwnerMatch: only follow symlinks if the owner of the link is the same as the owner of the file pointed to
Includes: allows server-side includes
IncludesNOEXEC: allows server-side includes, but prevents the exec command being used in SSIs
Indexes: when on, the server will generate an index of files in a directory if no default resource (like index.html) is specified
MultiViews: allows content negotiation (i.e. serve files based on user's language preference)
All: all of the above are enabled except MultiViews
None: none of the above are enabled
To enable or disable an option, use this syntax:
Options +FollowSymLinks
Options -Indexes +ExecCGI
To see why symlinks are important, try this:
1. ln -s /etc/passwd /var/www/htdocs/passwd
2. Go to http://localhost/passwd
This isn't too dangerous here, as we need to be root to create the symlink (no one else can write into /var/www/htdocs/). But if we had configured the site to allow access by non-root users who can read /etc/passwd, they would be able to do the same thing for their own website.
To prevent this kind of thing, we should set Options None for the directive which covers the root of the filesystem:
<Directory />
Order Deny,Allow
Deny from all
Options None
</Directory>
This now becomes the default setting for any directories below the root of the filesystem, including /var/www/htdocs.
AllowOverride: overriding server configuration in a directory
This directive governs whether parts of the server configuration can be overridden using files inside the webserver document tree. For example, we may allow users to specify their own authorisation directives in these files, to govern which hosts, users, and/or groups can access their directories. Configuration is overridden in .htaccess files.
The following options specify which parts of the configuration can be overridden in .htaccess files:
Option      Controls overriding of this type of directive...
AuthConfig  Authorisation, e.g. Require, AuthUserFile, AuthType
FileInfo    Document type, e.g. Header, ErrorDocument, RewriteBase
Indexes     Directory indexing, e.g. IndexOptions, DirectoryIndex, DefaultIcons
Limit       Host access, e.g. Allow, Deny, Order
Options     The Options directive
All         Any directive which can be overridden in .htaccess files can be overridden in this directory (i.e. all of the above)
None        None of the above; .htaccess files are ignored
The Options override is probably the most confusing: if AllowOverride Options is specified, then the default Options setting for the directory can be overridden by a .htaccess file in that directory!
You can specify which directive types can be overridden like so:
AllowOverride AuthConfig Limit
In our case, for the root directory, we don't want to allow anything to be overridden:
<Directory />
Order Deny,Allow
Deny from all
AllowOverride None
Options None
</Directory>
Hiding important files
By default, Apache will serve any file requested which is within a visible directory. This includes .htaccess files (discussed above) which may contain important configuration information; plus it could contain backup files (commonly ending with .bak or starting with ~, depending on the editor which produced them).
Try adding a .htaccess file to /var/www/htdocs, then fetch it in your web browser. It should work OK, which isn't what we want.
We can globally turn off access to these files like this by putting a FilesMatch directive at the top level of our httpd.conf file:
<FilesMatch "(^\.ht|~$|\.bak$)">
Order Deny,Allow
Deny from All
</FilesMatch>
This directive can also be applied to individual virtual hosts or directories, and can be set in .htaccess files if AllowOverride is set to All for that directory.
Now try getting your .htaccess file. It should be protected.
There is also a DirectoryMatch directive, which can be used to prevent serving of directories whose name matches a specified regular expression.
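A check on what that FilesMatch pattern actually covers, as an added example that is not part of the course notes: it applies the same regular expression to a request's file name (FilesMatch matches the file name, not the whole path) and then lists names that look like configuration or backup files but would still be served, such as upper-case .BAK names and names that start with ~ rather than end with it. The file names and the broader LOOSE_BACKUP_RE pattern are constructed for illustration.

```python
"""Test file names against the FilesMatch pattern from the text."""
import posixpath
import re

# the expression from the <FilesMatch> block above; Apache uses an unanchored
# search, so "^\.ht" means "name starts with .ht"
HIDDEN_RE = re.compile(r"(^\.ht|~$|\.bak$)")

# broader, case-insensitive set of editor/backup artefacts worth hiding too
LOOSE_BACKUP_RE = re.compile(r"(?i)(^\.ht|^~|~$|\.bak$|\.old$|\.orig$|\.swp$)")

# constructed file names as they might appear under /var/www/htdocs
SAMPLE_NAMES = [
    ".htaccess",
    ".htpasswd",
    "index.html",
    "index.html~",
    "config.php.bak",
    "CONFIG.PHP.BAK",
    "index.html.orig",
    "~index.html",
    "logo.png",
]


def is_hidden(path, pattern=HIDDEN_RE):
    """True if the file name part of `path` would be denied by the FilesMatch."""
    return pattern.search(posixpath.basename(path)) is not None


def still_served(names):
    """Names that look like backups or .ht* files yet pass the page's pattern."""
    return [n for n in names
            if not is_hidden(n) and LOOSE_BACKUP_RE.search(posixpath.basename(n))]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("%-18s %s" % (name, "denied" if is_hidden(name) else "served"))
    print("gaps:", still_served(SAMPLE_NAMES))
```

Deny from All applies to each name on the "denied" line; the "gaps" list is what a wider pattern (or the LOOSE_BACKUP_RE above) would need to cover.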
Setting the default home page
One useful thing we can do immediately is define the default document to serve when the root of a directory is requested, e.g. http://localhost/. We do this with the DirectoryIndex directive, which needs mod_dir to be loaded:
LoadModule dir_module modules/mod_dir.so
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
(Test it at http://localhost/)
When we add other types of file (e.g. PHP scripts), we can add these onto the DirectoryIndex to make them available as the default index page.
Setting the right MIME types
When you fetch index.html, you'll probably notice that it turns up as plain text. If you check the response headers when you fetch index.html, you'll notice the resource is delivered with the MIME type text/plain. However, we would expect any .html file to be treated as text/html. This is because we haven't configured MIME handling. This facility is provided by mod_mime, and activated like this:
LoadModule mime_module modules/mod_mime.so
### mime types
DefaultType text/plain
<IfModule mime_module>
# location of the MIME types configuration file
TypesConfig conf/mime.types
</IfModule>
The mime.types file maps file suffixes (.html, .php etc.) to MIME types (a MIME type just describes the kind of content a file contains, and is used by the client to determine how to handle the file, e.g. display in the browser, download, display in a helper application). Note that the TypesConfig directive is implicit and doesn't have to be specified as we have here, and it will still work. But it's worth being explicit, again to remind us of the dependency between the module and the mime.types file in the conf directory.
There is another MIME module called mod_mime_magic, which uses hints in the file to determine its MIME type, as well as the filename suffix. This could be helpful in cases where you have many unusual and esoteric file types, or have files without suffixes or incorrect suffixes.
It is also possible to add your own custom MIME types on top of the default ones using mod_mime.
Compressing content sent to the client
This is a useful option, and one which can reduce network bandwidth usage. It enables Apache to compress content sent to clients that are able to handle such compressed content (i.e. most modern browsers).
1. Enable mod_deflate:
LoadModule deflate_module modules/mod_deflate.so
2. Configure compression for common content types:
AddOutputFilterByType DEFLATE text/html text/plain text/xml
It is possible to compress other types of content, but configuration is more complex and requires browser sniffing (see http://httpd.apache.org/docs/2.2/mod/mod_deflate.html). This configuration is straightforward and will work with all browsers.
NB Apache will only send compressed content to clients whose requests include the following header:
Accept-Encoding: gzip,deflate
We can test this by requesting our index.html file, then checking the response headers which come back from Apache. They should include:
Content-Encoding: gzip
Hiding the server's identity
The response we get back when we request a resource on the server gives away some information about the server. Namely, the response contains a Server header which looks like this:
Server: Apache/2.2.2 (Unix)
We can see this using LiveHTTPHeaders in Firefox.
An attacker could use this information to potentially determine vulnerabilities in the server, based on the server type, version, and underlying operating system. There are two simple things we can do to hide this information in httpd.conf:
# this line controls whether Apache adds information about
# itself to the end of server-generated documents
# (e.g. directory index pages, error messages);
# Off is the default, but let's make it explicit
ServerSignature Off
# the tokens displayed in response headers;
# this sets it to just show the server name (Apache);
# this can only be set at the server level (not per host)
ServerTokens ProductOnly
If you are really paranoid, and want to disguise the fact you are using Apache at all, you can change the Server header in the response to whatever you like using the mod_security module (we're not going to bother):
ServerTokens Full
SecServerSignature "Elliot's Miraculous Web Server"
You can get mod_security from:
http://www.modsecurity.org/projects/modsecurity/apache/index.html
It's very easy to install (using the instructions for compiling new Apache shared modules - see earlier).
However, there are still certain aspects of the behaviour of the server's networking stack and the way it formats responses which can enable the server's real identity to be discovered.
chrooting
Chroot'ing Apache is another way to add more security, by constricting Apache to running in a specific directory. No files outside the chroot directory are accessible to Apache once running.
The traditional method for chroot'ing Apache is complex; however, mod_chroot is an easier way to chroot Apache which keeps things simple: http://core.segfault.pl/~hobbit/mod_chroot/
CGI
"The Common Gateway Interface (CGI) is a standard for interfacing external applications with information servers, such as HTTP or Web servers. A plain HTML document that the Web daemon retrieves is static, which means it exists in a constant state: a text file that doesn't change. A CGI program, on the other hand, is executed in real-time, so that it can output dynamic information."
(from http://hoohoo.ncsa.uiuc.edu/cgi/intro.html)
Apache and CGI
CGI scripts run as processes external to Apache, and run as the effective Apache user. Each time a CGI script is requested by a client, a new process is fired up to handle it. (This is fairly inefficient, and several solutions exist to alleviate this, as described later. It also means that a poorly-written CGI script can hog memory and CPU cycles: again, the solutions described later go some way to helping with this.)
Common practice is to put CGI scripts into a dedicated directory. This is the most secure way of hosting scripts, but the least flexible from the user's perspective.
1. Create a separate cgi-bin folder in /var/www/cgi-bin
2. chmod 755 /var/www/cgi-bin
3. Setup CGI config. for that directory in /opt/apache/conf/httpd.conf:
LoadModule cgi_module modules/mod_cgi.so
<Directory /var/www/cgi-bin>
Order Allow,Deny
Allow from all
</Directory>
4. We need to load mod_alias so we can alias a directory which holds CGI scripts:
LoadModule alias_module modules/mod_alias.so
5. Create an alias for the cgi-bin directory:
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
This directive means that any file put into the /var/www/cgi-bin/ directory is treated as a CGI script; also that any URL of this form:
http://localhost/cgi-bin/filename
is mapped onto a script called filename in the /var/www/cgi-bin/ directory.
6. Create a test CGI script (I'm using Python) in the cgi-bin directory:
#!/usr/bin/python
# a CGI response is a header block, a blank line, then the body
print "Content-Type: text/plain"
# print adds its own newline, so this emits the blank line that ends the headers
print "\n"
print "Hello world"
7. Make the script executable:
chmod 755 hello.py
8. Try accessing it at: http://localhost/cgi-bin/hello.py
It is safe to use ScriptAlias where we are setting up a directory to execute CGI scripts which is outside the document root for the server (i.e. the directory is not available via any means other than through the ScriptAlias). However, where we want to allow CGI execution inside a directory under the document root, it is better to use the <Directory> directive instead.
For example, if we wanted to allow Python CGI scripts under /var/www/htdocs, we could enable them like this:
<Directory /var/www/htdocs>
Order Allow,Deny
Allow from all
Options ExecCGI
AddHandler cgi-script .py
</Directory>
Improving security with suEXEC and FastCGI
suEXEC and FastCGI are two alternative mechanisms for adding extra security and stability to CGI script execution.
suEXEC only really makes sense in a shared hosting environment with virtual hosts. It allows execution of CGI scripts as a user different from the Apache effective user. To use it, Apache must be compiled with suEXEC support (it isn't compiled in by default). Once in place, a virtual host can be configured to run any CGI scripts under a different user and group, as specified by the SuexecUserGroup directive (only allowed inside a VirtualHost directive). suEXEC puts a stringent series of checks in place every time a CGI script is requested, such as checking whether the suEXEC user exists, whether they have permissions to execute the script, permissions on the directory containing the script, ownership of the script, and so on.
FastCGI creates a separate process for CGI scripts, and allows requests for specified resources to be routed to that process. Because the FastCGI process is persistent across requests (so multiple requests for a CGI script can be handled by a single process), it is more efficient than standard CGI (close to Apache module speeds). In addition, FastCGI can also be configured to run under suEXEC, so the external FastCGI process runs as a user different from the Apache effective user.
The only downside to FastCGI is that it is not in active development, and is widely considered "abandoned" (for example, the README has not been updated for 2 years, and the current version is not compatible with Apache 2.2 without manual patching of the source).
SSL
SSL is a protocol for communicating securely between a client and a server. Originally developed to secure HTTP communications, it has been extended to cover SMTP, IMAP and other protocols.
SSL is based around Public Key Cryptography. In this type of encryption, there isn't a single key (as there is in symmetrical encryption); there are two keys, one public and one private. Anything encrypted with the public key can be decrypted only if the private key is known; and anything encrypted with the private key can be decrypted only with the public key.
SSL works in two phases:
1. Handshake
The server sends the client a digital certificate, which contains its public key. The certificate can either be signed by:
1. The owner of the certificate (a.k.a. self-signed, shouldn't be trusted)
2. A private certificate authority (e.g. an organisation might create a certificate for use on its intranet)
3. A public certificate authority (i.e. an organisation which exists only to sign certificates and verify identities)
A certificate received by a client may have been signed directly by one of the above, or by an intermediary between the certificate's owner and a certificate authority. The client verifies the certificate by following the signing chain of the certificate back to its root authority, and makes a decision to either trust or reject the certificate. Optionally, the server may require that the client send its own certificate before it will allow communication.
If the certificate is trusted, the client and the server then negotiate the encryption protocol to use and a set of symmetrical keys. Symmetrical keys are faster than using public key encryption.
2. Data exchange
The client and server exchange data using the agreed symmetrical key.
There is a good document explaining the ins and outs of SSL and Apache at:
http://www.modssl.org/docs/2.8/
Creating a self-signed certificate
To generate a self-signed SSL certificate, you will need openssl installed.
Then follow these steps:
1. Generate the server's private key; we'll use a 1024-bit key using the RSA algorithm:
    cd /opt/apache/conf
    mkdir ssl
    cd ssl
    openssl genrsa -out server.key 1024
2. Generate a certificate-signing request:
    openssl req -new -key server.key -out server.csr
Fill in the required information. The important fields are:
    Country Name (2 letter code) [GB]:GB
    State or Province Name (full name) []:.
    Locality Name (eg, city) [Newbury]:Birmingham
    Organization Name (eg, company) [My Company Ltd]:mooch labs
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:localhost
    Email Address []:.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:.
    An optional company name []:.
The really important one is the Common Name: this must match the domain name which will serve the SSL site; otherwise connecting clients will get a prompt about a mismatch between the certificate's host name and the actual host name of the server.
Note that we left the password blank. If we don't do this, Apache will prompt you for the certificate password each time you start the server.
4. Create a self-signed certificate:
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
5. rm server.csr
(we don't need it any more)
6. You can view the certificate using this command:
    openssl x509 -text -in server.crt
Configuring Apache to use SSL
We're going to put our SSL keys into a separate directory /opt/apache/conf/ssl, and the configuration in a separate file called /opt/apache/conf/ssl.conf.
1. Compile mod_ssl statically into the server, or load it as a shared module; we compiled the shared module earlier, so we load it with:
    LoadModule ssl_module modules/mod_ssl.so
2. We're also going to need the SetEnv module for some of the configuration we need to do later:
    LoadModule setenvif_module modules/mod_setenvif.so
3. Make sure the private and public keys are in the right directory:
    ls /opt/apache/conf/ssl
You should see server.key and server.crt.
4. Set permissions on the directory:
    chown root.root /opt/apache/conf/ssl
    chmod 700 /opt/apache/conf/ssl
5. Set permissions on the certificate and the key:
    chmod 600 /opt/apache/conf/ssl/server.*
6. Make a new file to hold Apache's SSL configuration:
    touch /opt/apache/conf/ssl.conf
    chmod 600 /opt/apache/conf/ssl.conf
7. Make a directory to store the SSL session cache (this improves performance as it caches session data and prevents unnecessary handshakes, e.g. if a single client creates multiple parallel connections to the server):
    mkdir /opt/apache/cache
    chown root.root /opt/apache/cache
    chmod 700 /opt/apache/cache
8. Put together a minimal SSL configuration in ssl.conf:
    Listen 443
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    # switch off SSLv2 (which is flawed)
    SSLProtocol All -SSLv2
    # only support high-grade encryption
    SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
    # session cache: type:location(max_size)
    SSLSessionCache shmcb:/opt/apache/cache/sslcache(512000)
    SSLSessionCacheTimeout 300
    # configuration to handle broken SSL implementation
    # in IE
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # configure the default site to be available over SSL
    # as well as standard HTTP
    <VirtualHost localhost:443>
    SSLEngine on
    ServerName localhost:443
    DocumentRoot /var/www/htdocs
    CustomLog /var/log/apache/access_log combined
    ErrorLog /var/log/apache/error_log
    </VirtualHost>
9. Pull the configuration file into the main httpd.conf file:
    Include /opt/apache/conf/ssl.conf
10. Test at:
    https://localhost/
Note that you will be prompted to accept the certificate, as it is self-signed and cannot be traced back to a recognised certificate authority.
Adding PHP
Pre-installation
There are several choices to make:
1. Which version: 4 or 5 or both?
PHP 5 is stable, and superior to version 4 in its support for object-oriented programming. It is also possible to run PHP 5 in version 4 compatibility mode, which should provide near-perfect support for PHP 4 scripts.
An alternative is to install both, and select the version to use as follows:
1. per-host (by setting an AddHandler directive for a whole virtual host which specifies the PHP version to use)
2. per-directory (by setting an AddHandler directive inside a directory, either in a .htaccess file or in httpd.conf)
3. per-file (by setting a handler for files with a specific file suffix, e.g. .php4, in httpd.conf or .htaccess)
We are going to install PHP 5.
2. Do you want web, command line, and/or GUI?
If you don't need command line or GUI support, leave them out when compiling PHP.
3. Will it be used by untrusted users?
In situations where the server will only be used by trusted users, PHP can safely be run as a module. In this situation, PHP runs inside the main server process, under the Apache effective user. Where some untrusted users may be using the server to run PHP scripts, a safer setup is to use standard CGI, CGI with an execution wrapper like suEXEC, or PHP under FastCGI. This isolates the PHP process from Apache and is safer; it also means that Apache is potentially faster, as it isn't also running PHP, so static file delivery may be speeded up.
We are going to install as a module, as this is the simplest approach, and good for most general purpose use.
Preparation
You will need the following pieces of software to compile PHP on Ubuntu:
flex
bison
autoconf
MySQL
MySQL-dev (libmysqlclient14-dev on Ubuntu)
libjpeg-dev, libpng-dev, libxpm-dev, libwmf-dev, libungif, libfreetype6-dev etc. (to get support for different image formats and truetype fonts in GD)
Compiling PHP
Download from php.net
Compare with the md5sum (as we did for Apache)
Unpack
Connect to the unpacked directory
To compile PHP, we need to reference a couple of graphics library files. On Ubuntu, this isn't a problem; but on Fedora (at least in version 5), the graphics libraries have non-standard names which cause compilation to fail. We can fix this by symlinking the real graphics libraries to correctly-named files like this:
    ln -s /usr/lib/libjpeg.so.62 /usr/lib/libjpeg.so
    ln -s /usr/lib/libXpm.so.4 /usr/lib/libXpm.so
Run the configure script like this:
    ./configure --prefix=/opt/apache/php --with-apxs2=/opt/apache/bin/apxs --with-config-file-path=/opt/apache/conf --enable-memory-limit --with-pear=/opt/apache/php/pear --without-pgsql --with-mysql=shared --with-mysqli=shared --with-pdo-mysql=shared --with-gd=shared --with-zlib=shared --with-freetype-dir=/usr/lib --with-xpm-dir=/usr/lib --with-jpeg-dir=/usr/lib --with-gettext=/usr/lib
The options I've used here specify the following:
--prefix = where to install
--with-apxs2 = location of the apxs binary (for installing the PHP module into Apache)
--with-config-file-path = where the php.ini file will be
--enable-memory-limit = compile with memory limit support
--with-pear = install pear (packaging mechanism for PHP extensions)
--without-pgsql = disable support for PostgreSQL
--with-EXTENSION=shared = enable the following extensions as shared
mysql = include support for MySQL
mysqli = improved MySQL extension
pdo-mysql = enable PDO support for MySQL (PDO is a new database interface in PHP 5)
zlib = enable support for the zlib extension (stream compression support)
gd = enable PHP GD support (for image manipulation and creation)
--with-freetype-dir, --with-xpm-dir, --with-jpeg-dir = path to Freetype/XPM/JPEG handling libraries (NB compiling against Freetype is the easiest way to enable PHP font-rendering functions within GD)
--with-gettext = location of the GNU gettext libraries; useful for internationalisation
Note that there is a default set of extensions installed with PHP which is fairly sane, so we will leave them as is. If you want to turn any of them off, use:
    --disable-EXTENSION
OR
    --without-EXTENSION
(use ./configure --help to work out which you'll need for a given extension)
Then run these commands to compile and install:
    make
    make install
Next we need to copy the recommended PHP config. file to the location where we told our compiled PHP it would be:
    cp php.ini-recommended /opt/apache/conf/php.ini
    chown root:root /opt/apache/conf/php.ini
    chmod 600 /opt/apache/conf/php.ini
When we ran make install, it added this line to /opt/apache/conf/httpd.conf:
    LoadModule php5_module modules/libphp5.so
(If you recompile PHP and do make install, it may add another line like this to httpd.conf, which will break Apache. You can fix it by just removing the repeated line.)
Tell Apache which files to treat as PHP scripts:
    AddHandler application/x-httpd-php .php
And to treat index.php as a possible default home page when a website root is requested:
    DirectoryIndex index.html index.php
To test our installation:
1. cd /var/www/htdocs
2. create a new file called info.php with this content:
    <?php
    phpinfo();
    ?>
3. Test at http://localhost/info.php
You should see a screen with information about your PHP settings, loaded modules, etc.
A note on SELinux
If you follow these instructions on a default Fedora install, you may find that you are unable to restart Apache once you've installed PHP, and get an error something like:
    Cannot restore segment prot after reloc: Permission denied
This can be caused if you have SELinux enabled, which is the default on Fedora. (On Ubuntu, it isn't a problem (by default).)
The easiest way round this (I'm not going into the intricacies of SELinux policies here!) is to disable SELinux in /etc/selinux/config, by setting:
    SELINUX=disabled
Removing PHP
If for any reason you want to junk your installation, you can remove all traces of PHP like this:
1. Stop Apache
2. rm -r /opt/apache/php
3. rm /opt/apache/modules/libphp5.so
4. Delete or comment out this line:
    LoadModule php5_module modules/libphp5.so
in /opt/apache/conf/httpd.conf
5. The lines which set up the PHP handler and specify index.php as a DirectoryIndex can be left in, as they won't affect Apache's operation; remove them if you really want to get rid of PHP altogether
6. You can leave /opt/apache/conf/php.ini where it is: it won't affect Apache's operation.
7. Start Apache
NB this is one of the advantages of not spreading PHP and PEAR across the filesystem: it makes it easy to completely strip it out of the server. I found this really useful when experimenting with different configure switches.
Extensions
Compiling extensions as static or shared is similar to Apache.
By default, the php.ini file doesn't load extensions; you have to tell it where they are and which ones to load.
Edit php.ini:
1. Set the directory containing PHP extension .so files:
    extension_dir = /opt/apache/php/lib/php/extensions/no-debug-non-zts-20050922
2. Add one directive for each extension:
    extension=mysql.so
    extension=mysqli.so
    extension=pdo_mysql.so
    extension=gd.so
    extension=zlib.so
If you want to check the extensions which have been compiled in as shared, have a look in the extension_dir (defined above). You should see a .so file for each shared module.
You can also see a list of all extensions by doing:
    /opt/apache/php/bin/php -m
though this doesn't discriminate between shared and static extensions.
Recompiling PHP
A. Adding a new extension
We can compile new extensions into our PHP installation using the phpize tool. This is similar to apxs, but intended for installing PHP extensions. We'll install the mbstring extension this way:
1. Go to the PHP source tree
2. cd ext/mbstring
3. /opt/apache/php/bin/phpize
This prepares the source in the current directory for compilation as a PHP extension
4. ./configure --with-php-config=/opt/apache/php/bin/php-config
5. make
6. make install
7. Edit /opt/apache/conf/php.ini and add this line:
    extension=mbstring.so
8. Check the extension is loaded using:
    /opt/apache/php/bin/php -m
or by using phpinfo().
B. Recompiling the PHP binary
If we re-run ./configure at the top of the source tree with extra options, the PHP binary will be reconfigured. As far as I can tell, it's best to do a "make clean" to clean the previously-compiled version completely out of the build tree (NB this doesn't affect the installed PHP, just the build tree). We can then do the standard make/make install to update the PHP binary inside our Apache installation.
Configuring PHP
We've already checked our PHP configuration using the phpinfo() command.
The config. file consists of a bunch of directives; if the directive is commented with a semi-colon, the default value shown is set.
Now we are going to have a look at the configuration file and systematically cut it down and tighten it up.
1. Make a copy of the file (before we start butchering it).
2. Remove the big blocks of comments. This just makes the config. file a bit easier to read.
3. Delete any sections in the config. file which don't apply to our setup (i.e. for configuring extensions we're not using). Start at the end of the file and remove any bracketed sections ([...]) which aren't required.
4. Add pear to the include path:
    include_path = ".:/php/includes:/opt/apache/php/pear"
This ensures that if we install any PEAR extensions, they are available to our PHP scripts.
5. Starting from the top and working down:
i. safe_mode: When safe_mode is on, PHP does a check when a script calls a function which tries to access a file on the filesystem. If the owner of the script and the owner of the file are different, PHP does not allow the operation. (NB this can be relaxed using the safe_mode_gid directive.)
ii. expose_php: turn it to "Off" if you don't want PHP to add itself to the Apache response headers.
iii. memory_limit: 8M is quite low, and may cause problems with certain scripts; a setting of 64M is more realistic.
iv. display_errors: Leave this off on a production server and log errors to a file instead. You can turn it on in individual scripts if you need it with:
    ini_set("display_errors", 1);
You should also make sure display_startup_errors is set to Off.
v. error_log: log errors into a file, rather than displaying them in the response:
    error_log = "/var/log/php/php_log"
NB log_errors must be set to On for this to work.
vi. register_globals: set to Off. Do not turn it on: it is very dangerous and can open vulnerabilities in poorly-written scripts.
vii. allow_url_fopen: set to Off. If On, this allows PHP scripts to open files on remote servers via ftp or http.
viii. magic_quotes_gpc: set this to Off. It is confusing if it's turned on, as it automatically escapes quotes in POST data.
ix. file_uploads: turn on if you want to globally allow file uploads via PHP scripts.
x. enable_dl: turn this Off; if On, it allows users to load their own extensions from within a PHP script.
xi. sendmail_path: set the path to the sendmail binary if it is in a non-standard location, or not on the apache user's path
xii. session.save_path: the path to the directory into which session data is saved; set it to /var/www/sessions
xiii. session.referer_check: set to the domain name for the Apache server; this ensures that session cookies are only accepted if the client's referer contains this string; in our case, we can set it to localhost.
As PHP runs as the apache user, and we have tightened access to /var/log/apache, we will setup a separate log directory for PHP. This directory will be writeable by the apache user (/var/log/apache isn't, for security reasons, and rather than make /var/log/apache writeable, it's better to put PHP logs into a different, less-secure directory):
    mkdir /var/log/php
    chown apache.apache /var/log/php
    chmod 700 /var/log/php
(We could also apply log rotation to these logs, as we did for the Apache logs.)
We also need a separate directory to save session data:
    mkdir /var/www/sessions
    chown apache.apache /var/www/sessions
    chmod 700 /var/www/sessions
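An added example (not from the original tutorial) that checks a php.ini against the hardened values chosen in the list above, so a drift back to register_globals = On or display_errors = On is caught before the file goes live. The directive names are the real php.ini ones; the sample file and the expected-value list are constructed here.

```shell
#!/bin/sh
# Added example: audit a php.ini against the hardening choices made above.

# Constructed sample php.ini (not a real server file). Two directives are
# deliberately left at the unsafe value so the audit has something to report.
SAMPLE_PHP_INI='[PHP]
; constructed sample, not a real server file
engine = On
expose_php = On
memory_limit = 64M
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = "/var/log/php/php_log"
register_globals = On   ; never turn this on
allow_url_fopen = Off
magic_quotes_gpc = Off
enable_dl = Off
session.save_path = "/var/www/sessions"
'

# Hardened values we expect, one directive=value per line (no spaces).
EXPECTED_PHP_INI='expose_php=Off
display_errors=Off
display_startup_errors=Off
log_errors=On
register_globals=Off
allow_url_fopen=Off
magic_quotes_gpc=Off
enable_dl=Off'

# write_sample_ini PATH: write the constructed sample to PATH.
write_sample_ini() {
    printf '%s' "$SAMPLE_PHP_INI" > "$1"
}

# php_ini_get FILE DIRECTIVE: print the effective value of DIRECTIVE. As in
# PHP, ';' starts a comment and the last uncommented assignment wins;
# surrounding whitespace and double quotes are stripped. Prints "unset" if
# the directive never appears.
php_ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                         # whole-line comment
        {
            line = $0
            sub(/;.*$/, "", line)                   # trailing comment
            eq = index(line, "=")
            if (eq == 0) next                       # [section] header or junk
            k = substr(line, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            val = v; found = 1
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# php_ini_audit FILE: print one line per directive whose value differs from
# the hardened one. An unset directive is reported too, because the PHP
# default then applies silently. Prints nothing for a clean file; exits 0.
php_ini_audit() {
    for pair in $EXPECTED_PHP_INI; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(php_ini_get "$1" "$key")
        [ "$got" = "$want" ] || printf '%s: got %s, want %s\n' "$key" "$got" "$want"
    done
    return 0
}

# Stand-alone demonstration on the constructed sample.
demo_ini=$(mktemp)
write_sample_ini "$demo_ini"
php_ini_audit "$demo_ini"
rm -f "$demo_ini"
```

Run it against /opt/apache/conf/php.ini once the file has been tightened; an empty report means every listed directive carries the expected value.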
Testing PHP & MySQL
(I'm assuming you have a MySQL setup on your machine. I'm not going to explain how to do that :).)
First we need a database, a table, and some data:
1. Start the mysql command line client in a terminal
2. At the mysql prompt:
    use test;
    create table people (id INT AUTO_INCREMENT, name VARCHAR(255), PRIMARY KEY(id));
    insert into people values(1, 'Elliot Smith');
    insert into people values(2, 'Mickey Mouse');
    exit;
3. Write a PHP script to access our MySQL database (not secure - root has no password in my example!):
    <?php
    mysql_connect('localhost', 'root');
    mysql_select_db('test');
    $result = mysql_query('SELECT * FROM people');
    while ($row = mysql_fetch_assoc($result)) {
        echo $row['name'] . '<br/>';
    }
    ?>
And a short script using PDO's MySQL functionality:
    <?php
    $dbh = new PDO('mysql:host=localhost;dbname=test', 'root');
    foreach ($dbh->query('SELECT * FROM people') as $row) {
        echo $row['name'] . '<br/>';
    }
    $dbh = null;
    ?>
Testing PHP's GD extension
We can test the GD PHP extension with a short script. It's worth doing this, as GD relies on several other installed libraries, and it's best to check they are being referenced correctly.
Create a new file in /var/www/htdocs/gd_test.php with this content:
    <?php
    $im = imagecreatetruecolor(400, 100);
    $black = imagecolorallocate($im, 0, 0, 0);
    $white = imagecolorallocate($im, 255, 255, 255);
    $font = '/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType/Arial_Black.ttf';
    imagefilledrectangle($im, 0, 0, 400, 100, $white);
    // 20pt text, angle 0, baseline at (10, 40); a size of 0 would draw nothing
    imagettftext($im, 20, 0, 10, 40, $black, $font, 'Hello World!');
    header('Content-Type: image/png');
    imagepng($im);
    ?>
You may need a different font path: use
    locate ttf
or
    find / -name '*.ttf'
to find the TrueType fonts on your system.
On Fedora, you could use:
    /usr/share/fonts/bitstream-vera/Vera.ttf
for example.
Test by browsing to http://localhost/gd_test.php
.htaccess files
These files can be used to set local configuration for a directory (and its subdirectories). They are commonly used to specify authentication and authorisation setup, but can also be used to set custom handlers, rewrite rules, PHP configuration, and so on (in fact, you can set any directives enabled for the directory, as specified by AllowOverride).
Note that any configuration you can do in a .htaccess file can also be done inside the main Apache configuration files. If you have control over the main config. files, use them instead of doing configuration inside .htaccess files, as it means your config. will be centralised and easier to manage.
Setting up authentication by username and password
1. Switch to the root user
2. Allow configuration for the document root directory to be overridden in .htaccess files by modifying httpd.conf:
    <Directory /var/www/htdocs>
    AllowOverride FileInfo AuthConfig Limit
    </Directory>
3. Create the directory we want to secure:
    mkdir /var/www/htdocs/secure
4. Create an index.php file inside the secure directory.
5. We need to load the modules required to do user and group authentication and authorisation:
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
6. Create a data directory which will contain the configuration files for authentication:
    mkdir /opt/apache/data
    chown root:root /opt/apache/data
    chmod 711 /opt/apache/data
7. Create the file with the user data using the htpasswd program:
    /opt/apache/bin/htpasswd -c /opt/apache/data/passwords elliot
The -c switch tells the command where to create the passwords file; elliot is the user we are creating. You will be prompted to enter a password then confirm it.
8. Create a .htaccess file in /var/www/htdocs/secure/.htaccess to protect the secure directory:
    AuthType Basic
    AuthName "Secure area"
    AuthUserFile /opt/apache/data/passwords
    Require valid-user
9. Test at http://localhost/secure/. You should be prompted for a username and password.
Authorisation by group
The above can be easily extended to do group authentication:
1. Create a groups file in /opt/apache/data/groups with this content:
    administrators: elliot
2. Modify /var/www/htdocs/secure/.htaccess to authorise by group:
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /opt/apache/data/passwords
    AuthGroupFile /opt/apache/data/groups
    Require group administrators
Rewriting URLs
To demonstrate the use of other directives in .htaccess files, let's add a rewrite rule which redirects any request for files in the secure directory to the index page.
1. Load the rewrite module in httpd.conf:
    LoadModule rewrite_module modules/mod_rewrite.so
2. Configure the secure directory for rewriting by modifying /opt/apache/conf/httpd.conf:
    <Directory /var/www/htdocs/secure>
    Options SymLinksIfOwnerMatch
    AllowOverride FileInfo AuthConfig Limit
    </Directory>
3. Add a rewrite directive to /var/www/htdocs/secure/.htaccess:
    RewriteEngine On
    RewriteRule .* index.php [L]
This maps any URL of the form http://localhost/secure/xxxxx to http://localhost/secure/index.php.
4. Test in your browser.
There is a full guide to using mod_rewrite at:
http://httpd.apache.org/docs/2.2/misc/rewriteguide.html
Virtual hosts
[Only about 1000 virtual hosts are possible per Apache instance using the approach detailed in this section. Beyond this limit, it is better to use an optimised solution like mod_vhost_alias instead.]
Virtual hosting allows "Running multiple websites on a single machine".
Two methods: IP-based or name-based
1. Name-based is simplest and requires fewer IP addresses (which are a scarce resource).
2. IP-based is more complex and needs one IP address for each host. For SSL sites on different hosts, must use IP-based hosting (can't have multiple SSL sites on a single IP address).
We're going to use name-based virtual hosts.
Our aim is to keep files related to an individual virtual host in one location reserved for that host; any core Apache log files etc. remain in a central location. This is the layout for each host:
/var/www/jelica.com: base path for the virtual host
/var/www/jelica.com/data (private web server/application data - e.g. things like passwords for PHP applications, web server password files generated using the htpasswd command, or SQLite database files)
/var/www/jelica.com/htdocs (public files, PHP scripts, HTML)
/var/www/jelica.com/cgi-bin (publicly-accessible CGI scripts)
/var/www/jelica.com/log (logs for this host)
/var/www/jelica.com/tmp (temporary files, e.g. files uploaded using PHP)
In cases where we are using chrooting, we might also have the following:
/var/www/jelica.com/bin (private binaries executed by this host; allows us to isolate different binaries for different hosts, e.g. if one host requires PHP 5 and another wants PHP 4)
We'll miss this last one out of our virtual host configuration, for simplicity's sake.
We are also going to store each virtual host configuration in its own configuration file, named after the host. For example, for our jelica.com and oceanarea.com hosts, we will put their configuration in these two files:
1. /opt/apache/conf/jelica.com.conf
2. /opt/apache/conf/oceanarea.com.conf
I am not going to cover how to setup a machine to restrict a user to their own virtual host directories, with no access to the rest of the filesystem. (See the earlier section on chroot.)
Setting up jelica.com
1. Create the user in charge of the domain:
    useradd --home /var/www/jelica.com jelicacom
2. Make the user's home directory accessible to Apache:
    chgrp apache /var/www/jelica.com
    chmod g+x /var/www/jelica.com
3. Create an htdocs directory for the user inside their home directory:
    mkdir /var/www/jelica.com/htdocs
    chown jelicacom:apache /var/www/jelica.com/htdocs
    chmod 2750 /var/www/jelica.com/htdocs
Note that the last command also changes the sticky bit on the directory (the '2' at the start of the argument to chmod), so that any files added to the directory end up being owned by the apache group.
4. Make an index file for the domain in /var/www/jelica.com/index.php
5. Create the configuration file for the domain in /opt/apache/conf/jelica.com.conf
    <VirtualHost *:80>
    DocumentRoot /var/www/jelica.com/htdocs
    ServerName jelica.com
    <Directory /var/www/jelica.com/htdocs>
    Order Allow,Deny
    Allow from all
    </Directory>
    </VirtualHost>
6. Set permissions:
    chmod 600 /opt/apache/conf/jelica.com.conf
7. Add the directive to make Apache attach virtual host definitions to all IP addresses of the server:
    NameVirtualHost *:80
If you had a machine with multiple IP addresses, you could just set up one or two of these to serve virtual hosts from, e.g.
    NameVirtualHost 11.12.13.14:80
8. Pull the jelica.com configuration file into httpd.conf:
    Include /opt/apache/conf/jelica.com.conf
9. Create a file in /home/jelicacom/htdocs for testing called index.php
10. Add an entry to /etc/hosts to map the domain name jelica.com to the localhost IP address. This enables us to test our new virtual host without having to register the domain name etc.:
    127.0.0.1 jelica.com
11. Test at http://jelica.com/
12. Test user login by attempting to login via ssh:
    ssh jelicacom@localhost
Make sure the logged in user ends up in the /var/www/jelica.com directory.
Setting up logging and CGI for a virtual host
We can setup the logs and CGI for the virtual host like this:
1. Make directories for the logs and CGI scripts inside the virtual host's directory:
    mkdir /var/www/jelica.com/logs
    mkdir /var/www/jelica.com/cgi-bin
2. Set permissions on the directories:
    chown -R jelicacom:apache /var/www/jelica.com
    chmod 2770 /var/www/jelica.com/logs
    chmod 2750 /var/www/jelica.com/cgi-bin
Note the cgi-bin is set up the same as the htdocs directory. However, the logs directory is setup to allow the apache user to write into the directory.
3. Add these directives to jelica.com.conf, inside the <VirtualHost> directive:
    <VirtualHost *:80>
    DocumentRoot /var/www/jelica.com/htdocs
    ServerName jelica.com
    <Directory /var/www/jelica.com/htdocs>
    Order Allow,Deny
    Allow from all
    </Directory>

    # error log
    ErrorLog /var/www/jelica.com/logs/error_log
    # access log
    <IfModule log_config_module>
    CustomLog /var/www/jelica.com/logs/access_log combined
    </IfModule>
    # cgi-bin
    <Directory /var/www/jelica.com/cgi-bin>
    Order Allow,Deny
    Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/jelica.com/cgi-bin/
    </VirtualHost>
Note that log rotation will need to take the new log location into account; alternatively, you can leave it up to users to do their own log rotation.
Allow following of symlinks
It is sometimes useful for users to be able to setup directories outside their main webroot but be able to symlink those directories into the webroot (this is useful for setting up Rails applications, for example).
You can turn this option on by adding this directive inside the <Directory /var/www/jelica.com/htdocs> directive:
    Options SymLinksIfOwnerMatch
Allowing directive overrides
We can also allow users to create authorisation and authentication for their directory inside .htaccess files by adding this directive inside the <Directory /var/www/jelica.com/htdocs> directive:
    AllowOverride AuthConfig Limit FileInfo
We haven't overridden Indexes or Options for the directory. Allowing directives from these groups to be overridden can introduce security problems. However, you may have to if your users demand it.
The FileInfo setting allows users to employ mod_rewrite directives inside their directives (useful for friendly URL generation and commonly used by content management systems).
Virtual host PHP configuration
We can use Apache configuration directives to affect how PHP behaves on a per-virtual-host basis. This can be used to secure what PHP running under that virtual host is able to do, and to put any PHP-related information (e.g. logs and session files) inside the virtual host directory.
There are two specific directives available to Apache for configuring PHP:
1. php_admin_flag <php_directive> <on_or_off>
This is used to set boolean (true/false) PHP directives
2. php_admin_value <php_directive> <setting>
This is used to set PHP directives which are non-boolean, e.g. strings, numbers
We can use these directives as follows:
1. php_admin_value open_basedir /var/www/jelica.com
This restricts PHP to opening files inside the specified directory. Any attempt to open a file outside this directory will throw an error. Note that we've set this to the root for the virtual host, rather than the htdocs directory, to allow PHP access to the /data directory and the /tmp directory.
2. php_admin_value error_log "/var/www/jelica.com/logs/php_log"
Put the PHP error log inside the virtual host's log directory
3. php_admin_value session.save_path "/var/www/jelica.com/sessions"
php_admin_value session.referer_check jelica.com
Put any session information into a separate sessions directory specific to this virtual host. This prevents users from other virtual hosts spying on this host's session data.
We also have to set the session.referer_check to jelica.com. However, if we are allowing domain parking, we might want to remove this constraint: if a cookie is set under the parked domain, the referer (when the cookie is passed to the next page) will reference the parked domain, causing PHP to reject the cookie (as the referer is wrong).
For the above to work, we will need a sessions directory:
    mkdir /var/www/jelica.com/sessions
    chown jelicacom.apache /var/www/jelica.com/sessions
    chmod 2770 /var/www/jelica.com/sessions
4. php_admin_flag file_uploads on
php_admin_value upload_tmp_dir /var/www/jelica.com/tmp
These settings allow users to upload files using their PHP scripts.
Again, you will need a tmp directory for the virtual host:
    mkdir /var/www/jelica.com/tmp
    chown jelicacom.apache /var/www/jelica.com/tmp
    chmod 2770 /var/www/jelica.com/tmp
5. One more useful trick is to enable users to create files from inside their PHP scripts. For now, we will enable PHP to write only into the htdocs directory.
The first step is to allow the apache user to write to the htdocs directory:
    chmod g+w /var/www/jelica.com/htdocs
The only issue with allowing apache to create files inside htdocs is that the files created this way will not be editable by the virtual host's owner (in this case, jelicacom). One solution is to add the user to the apache group:
    usermod -G jelicacom,apache jelicacom
However, this could potentially give the user access to files in other virtual hosts (i.e. any file owned by the apache group).
The final configuration file for our virtual host
Combining these settings together inside the <VirtualHost> block for the virtual host (in
/opt/apache/conf/jelica.com.conf) gives us:
<VirtualHost *:80>
    DocumentRoot /var/www/jelica.com/htdocs
    ServerName jelica.com
    <IfModule php5_module>
        php_admin_value open_basedir /var/www/jelica.com
        php_admin_value error_log /var/www/jelica.com/logs/php_log
        php_admin_value session.save_path /var/www/jelica.com/sessions
        php_admin_value session.referer_check jelica.com
        php_admin_flag file_uploads on
        php_admin_value upload_tmp_dir /var/www/jelica.com/tmp
    </IfModule>
    <Directory /var/www/jelica.com/htdocs>
        Order Allow,Deny
        Allow from all
        Options SymLinksIfOwnerMatch
        AllowOverride AuthConfig Limit FileInfo
    </Directory>
    # error log
    LogLevel info
    ErrorLog /var/www/jelica.com/logs/error_log
    # access log
    <IfModule log_config_module>
        CustomLog /var/www/jelica.com/logs/access_log combined
    </IfModule>
    # cgi-bin
    <Directory /var/www/jelica.com/cgi-bin>
        Order Allow,Deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/jelica.com/cgi-bin/
</VirtualHost>
Fixing localhost
While this approach sets up jelica.com, it simultaneously destroys the configuration for localhost.
To keep our current localhost settings, we need to move the settings specific to the localhost
website into a separate config file called /opt/apache/conf/localhost.conf (remember to chmod it to
600).
<VirtualHost *:80>
    ServerName localhost
    ### location of the web server document store
    DocumentRoot /var/www/htdocs
    ### logging
    # access log
    <IfModule log_config_module>
        CustomLog /var/log/apache/access_log combined
    </IfModule>
    ### base website
    <Directory /var/www/htdocs>
        Order Allow,Deny
        Allow from all
    </Directory>
    ### CGI
    <Directory /var/www/cgi-bin>
        Order Allow,Deny
        Allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
</VirtualHost>
Note that I've left configuration for the error_log in the main httpd.conf file, as otherwise we get
errors for localhost in /var/log/apache/error_log, and other generic error messages not related to
localhost but to the server more generally in /opt/apache/log/error_log.
We can pull this configuration into httpd.conf using:
Include /opt/apache/conf/localhost.conf
Another pain is that this will also break our SSL config, as we have moved the <Directory>
directive from httpd.conf and put it into localhost.conf. We can fix this by specifying a <Directory>
directive inside the <VirtualHost> directive in /opt/apache/conf/ssl.conf like this:
### base website
<Directory /var/www/htdocs>
    Order Allow,Deny
    Allow from all
</Directory>
Troubleshooting
Occasionally, we may run into problems with our Apache and PHP configuration. Here are a few
ways to track down those problems.
Logs
The log files should be your first port of call.
/var/log/apache/error_log
This will record any Apache-specific error messages, and also some other information (e.g. SSL
initialisation messages).
/var/log/apache/access_log
This records requests made to the web server. It is not as useful as the error_log, but can
enable you to determine what was happening when an error occurred.
/var/log/php/php_log
Contains messages specific to PHP applications.
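The script below is an added example (not from the original guide) of putting those two logs side by side: it takes the client addresses that appear in error_log entries and pulls every access_log request those clients made, which is how you reconstruct "what was happening when an error occurred". The log lines are constructed for the example (Apache 2.2 error_log format and the combined access_log format set up above, with a PHP open_basedir warning of the kind the jelica.com configuration produces); it assumes only POSIX sh, awk, sed and grep.

```shell
#!/bin/sh
# Added example, not part of the original guide: correlate Apache 2.2 error_log
# entries with the access_log requests of the same client. The log lines are
# constructed for this example; paths and host name follow the guide.
# Assumes POSIX sh, awk, sed and grep.
set -u

ACCESS_LOG=$(mktemp)
ERROR_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG" "$ERROR_LOG"' EXIT

# Constructed access_log in the "combined" format written by the CustomLog
# directive of the virtual host.
cat > "$ACCESS_LOG" <<'EOF'
192.0.2.10 - - [12/Mar/2007:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2007:10:15:02 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "curl/7.15.5"
192.0.2.10 - - [12/Mar/2007:10:15:02 +0000] "GET /show.php?f=../../../../etc/passwd HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2007:10:15:04 +0000] "POST /upload.php HTTP/1.1" 500 312 "http://jelica.com/upload.php" "Mozilla/5.0"
EOF

# Constructed error_log entries. The first is the warning PHP emits when a
# script tries to read outside the open_basedir set for the virtual host.
cat > "$ERROR_LOG" <<'EOF'
[Mon Mar 12 10:15:02 2007] [error] [client 192.0.2.10] PHP Warning:  file_get_contents(/etc/passwd): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www/jelica.com) in /var/www/jelica.com/htdocs/show.php on line 12
[Mon Mar 12 10:15:04 2007] [error] [client 192.0.2.10] PHP Fatal error:  Uncaught exception 'RuntimeException' in /var/www/jelica.com/htdocs/upload.php:30
EOF

# Client IPs that produced error_log entries, one per line, most frequent first.
clients_with_errors() {
    sed -n 's/.*\[client \([0-9.]*\)].*/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{print $2}'
}

# Every access_log request made by one client IP ($1 = log file, $2 = IP).
requests_by_client() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Number of requests one client made; compare it with the error entries to see
# how far a client got before (or after) the failure.
count_requests_by_client() {
    requests_by_client "$1" "$2" | wc -l | tr -d ' '
}

# Number of open_basedir violations: a quick signal that a script (or an
# attacker driving it) is probing for files outside the virtual host's root.
count_open_basedir_errors() {
    grep -c 'open_basedir restriction in effect' "$1"
}

for ip in $(clients_with_errors "$ERROR_LOG"); do
    echo "== requests from $ip (errors were logged for this client) =="
    requests_by_client "$ACCESS_LOG" "$ip"
done
```

Pointing ACCESS_LOG and ERROR_LOG at /var/www/jelica.com/logs/access_log and error_log gives the same view for a live host; the open_basedir count is the one to watch, because a path traversal attempt that the open_basedir setting blocked still shows up in the access_log as a normal 200.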
If the Apache log files are not sufficiently verbose, you can turn up the level of error reporting in
httpd.conf by setting the LogLevel directive to "debug" (you need to restart for this to take effect).
Status reports
Apache has a status module which enables you to get some general information about the server.
However, it can be a security liability: once the module is active, any user whose directory allows
AllowOverride FileInfo (as our virtual host does) can expose a status report on their own virtual
host with a SetHandler line in a .htaccess file. So we have disabled it.
Here's a sample configuration for reference:
### server status
LoadModule status_module modules/mod_status.so
<IfModule status_module>
    ExtendedStatus On
    <Location /status>
        SetHandler server-status
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</IfModule>
This makes the status report available at http://localhost/status, but only to clients connecting
from the local machine.
For more information, see:
http://httpd.apache.org/docs/2.2/mod/mod_status.html
Standard tools
Some standard command line tools can give you a view of the system processes, which might help
you find memory hogs and other system-level problems:
top
View processes and their memory and CPU usage in real time.
ps
View a snapshot of processes currently running.
More advanced tools
Other debugging tools go outside the realm of Apache-specific tools and into more general system tools:
ethereal
A general network monitoring tool (since renamed Wireshark), which can be useful for viewing
the responses returned by Apache.
strace
This gives a low-level view of the activity taking place when a binary executes, but its
output is difficult to decipher. I've never found a need to use a tool with this level of
complexity when debugging.
As an example, you can monitor Apache startup using:
strace /opt/apache/bin/httpd -k start
This shows the files Apache attempts to read/write, and may help identify issues like
missing system libraries.
License
This work is licenced under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5
License. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ or
send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
If you have any corrections/comments on this text, please feel free to contact me (elliot at
moochlabs.com).