* apache *
20030205

INTRO:
apache is a web (http) server and apache-ssl is a secure web (https) server.
apache typically runs on port 80 and apache-ssl on 443. apache can get
rather complicated as there are many config options, such as access
controls and virtual hosts, as well as Apache modules and related packages
(such as php).
For more information about apache (and php), see the installed documentation,
as well as:
apache.org (esp docs/directives.html, docs/mod/core.html and docs/mod/)
apache-ssl.org (esp docs.html)
php.net
Also see the apache howto (tldp.org) and (optionally) O'Reilly's apache
book. You can also gain quite a bit of knowledge from the config files in
/etc, which are fairly well commented. And as always, google is a useful tool.
Before installing, think about what you want. Do you want to restrict
access to certain pages? Have a database backend? Know where you want to
store pages (default is /var/www)? Have user pages (~username)? And so on.

SETUP:
Assuming you don't need anything not in Debian, just apt-get install the
relevant packages, which should include some of apache, apache-ssl,
apache-common, and apache-doc. If you want php, install php4 and whatever
other packages you require (phpdoc, php4-gd, php4-imap, php4-ldap,
php4-mcrypt, php4-odbc, php4-pear, php4-pgsql, php4-snmp, etc). You'll
probably be asked some configuration questions, which it's easiest to
answer, but you can skip (or give bogus config options) if necessary.
apache can later be configured through 'apacheconfig' (apache-ssl through
'apache-sslconfig'), as well as by manually modifying the files in
/etc/apache/ (or /etc/apache-ssl/).
apache is started with '/etc/init.d/apache start' and stopped with
'/etc/init.d/apache stop'. You need to restart apache after making
configuration changes.
Earlier versions of apache break up configuration into several files, including
httpd.conf, srm.conf, and access.conf. For the purposes of this document,
I'll assume everything is in httpd.conf; if it isn't there, try the other
files. Other files to be aware of include /etc/mime.types (to set mime
types such as .php) and /etc/php4/apache/php.ini (especially the
extension=*.so lines at the bottom). If apache works, but not php or
postgresql via web or some other thing, chances are the problem is in one of
these two files.

* httpd.conf quickstart: The main things you need (that may not be
correctly set by default) are LoadModules, ServerName, DocumentRoot, and
DirectoryIndex. Odds are setting these will give you a working
configuration. If not, hopefully the error messages to the console (and/or
to /var/log/apache/error.log) make sense. For php and postgresql, the
following two lines (or something similar) will be needed, as well as the
potential changes to mime.types and php.ini (see the php section):
    LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
    LoadModule pgsql_auth_module /usr/lib/apache/1.3/mod_auth_pgsql.so
Also make sure to include index.php in DirectoryIndex if you want requests
to http://foo/bar/ to display foo/bar/index.php.

* httpd.conf not-so-quickstart: There are lots of directives, most of which
are set correctly by default (and commented with explanations). Make sure
ServerName and DocumentRoot are set correctly. ServerName must have valid
DNS. If you want several virtual hosts see the section on virtual hosts.
Check that DirectoryIndex has what you want (such as index.php); order
matters here. You may want to tweak some (such as MaxKeepAliveRequests and
MinSpareServers) for performance purposes.

* Modules: There are tons of modules (shared objects). The ones loaded by
default are probably all okay, although if you have the mime ones for both
apache and apache-ssl you will get a message that they have already been
loaded (since the same modules are included by both). userdir is needed if
you want users to be able to create homepages, alias for adding web
directories not contained in DocumentRoot, rewrite for URL rewriting,
expires for caching, ... read the documentation on apache.org, really.
Again, if you want php4, load the module.

* Access: There are tons of access options, which can be specified in the
Directory directive or (if allowed) in .htaccess. The default should be
set to something restrictive, such as:
    <Directory />
        Options SymLinksIfOwnerMatch
        AllowOverride None
    </Directory>
Then you can set permissions for other directories (such as /var/www/).
Other options include Indexes, FollowSymLinks, IncludesNoExec, ExecCGI,
Includes, MultiViews, .... You can also set AllowOverride to various
options to allow the values set in .htaccess files to override these
defaults. You can also restrict access to particular domains/IPs, such as
    order deny,allow
    allow from .example.com
    allow from 192.168.0.0/24
    deny from all
The Directory directive can also be used on virtual hosts (specify the
appropriate DocumentRoot). Use the DirectoryMatch directive to set
permissions on user webpages ().
There's lots of other stuff, like log options, aliases, and script aliases
(for CGI). Modify as needed (probably not).
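
How the order deny,allow block above gets evaluated, as an added example
(not part of the original notes): a simplified Python model of Apache 1.3
Order/Allow/Deny handling. The function names and sample clients are made up
for illustration; partial-IP specs and "mutual-failure" are not modelled.

```python
import ipaddress

# The rules from the example above, as (directive, spec) pairs.
PAGE_RULES = [
    ("allow", ".example.com"),
    ("allow", "192.168.0.0/24"),
    ("deny", "all"),
]

def spec_matches(spec, ip, host):
    """Return True if one 'allow from' / 'deny from' spec matches the client."""
    if spec.lower() == "all":
        return True
    try:  # network/CIDR or full IP address
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address spec, so treat it as a (partial) domain name
    domain = spec.lstrip(".").lower()
    host = host.lower()
    # Only whole name components match: www.example.com yes, badexample.com no.
    return host == domain or host.endswith("." + domain)

def access_allowed(order, rules, ip, host=""):
    """Model the final decision; the position of lines in the file is irrelevant."""
    allowed = any(spec_matches(s, ip, host) for kind, s in rules if kind == "allow")
    denied = any(spec_matches(s, ip, host) for kind, s in rules if kind == "deny")
    order = order.replace(" ", "").lower()
    if order == "deny,allow":   # default allow; an Allow match overrides a Deny match
        return allowed or not denied
    if order == "allow,deny":   # default deny; a Deny match overrides an Allow match
        return allowed and not denied
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    clients = [  # constructed sample clients
        ("192.168.0.17", "pc17.lan"), ("203.0.113.9", "www.example.com"),
        ("203.0.113.9", "badexample.com"), ("198.51.100.4", ""),
    ]
    for order in ("deny,allow", "allow,deny"):
        for ip, host in clients:
            verdict = "allow" if access_allowed(order, PAGE_RULES, ip, host) else "deny"
            print(f"order {order:10}  {ip:14} {host or '-':16} -> {verdict}")
```

With the same three rules, switching to order allow,deny locks everyone out,
because "deny from all" then overrides every allow match.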

* Virtual hosts: This is for multiple host names for one IP (or multiple IPs
for one host name). If you are using this, read the apache.org
documentation first. Syntax (in addition to setting NameVirtualHost) is
<VirtualHost ...> .... </VirtualHost>, where the content in between the
tags includes DocumentRoot, ServerName, ErrorLog, and TransferLog, and may
also include other directives (such as Alias). For example,
    DocumentRoot /home/www-vhost/
    ServerName vhost.example.com
    ErrorLog /var/log/apache/vhost-error.log
    TransferLog /var/log/apache/vhost-access.log
    Alias /directory /usr/local/webdir/

* SSL: apache-ssl is nearly identical to apache (in configuration and
maintenance). The module apache_ssl_module must be loaded and SSLEnable set.
Possibly of interest, SSLRequireSSL can be specified in to
require SSL for particular pages. Note that mod_ssl is not the same thing
as apache-ssl.
Certificates are another topic, not (yet) covered by this document.
Probably the thing to do is purchase a certificate so as to avoid browser
incompatibility problems (IE 5 for Mac OS 9). We've been generating our own
certs with some degree of success. Certificate files and keys must be
specified with the SSLCertificateFile and SSLCertificateKeyFile directives.

* PHP: Again, you need to set two options in httpd.conf, LoadModule and
DirectoryIndex. For example,
    LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
    DirectoryIndex index.html index.php index.php3 index.shtml index.htm
Also, I mentioned two files in passing in the quickstart section. In more
detail, a line like the following should be in /etc/mime.types:
    application/x-httpd-php phtml pht php php3 inc
and lines like the following in /etc/php4/apache/php.ini for extensions:
    extension=pgsql.so
    extension=ldap.so
There are possibly other options in this file that you may want to
modify. php is really a whole other topic.

SECURITY:
Lots to think about here. Make sure file permissions are set as
you want them. At a minimum files need to be readable by www-data. Also
remember that anything that goes on a non-restricted website is public. If
you don't want crawlers indexing and caching the site, look into robots.txt
syntax. Also, .htaccess files can be created to apply access control to
specific directories/files.
Finally, if you are allowing php, cgi, or any other server side scripting,
make sure you are aware of the security issues. If you install any
web-based applications, check for exploits and make sure to do upgrades.
Also make sure you have mime.types set correctly.
I probably should have more to say about security, but I don't.
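
A check for the mime.types point above, as an added example (not part of the
original notes): Python that reads the application/x-httpd-php line and flags
files that hold PHP code but whose extension is not mapped to PHP, so apache
would send them out as source instead of running them. Function names and
sample files are constructed; only the last extension of a name is considered.

```python
PHP_TYPE = "application/x-httpd-php"

def php_extensions(mime_types_text):
    """Extensions mapped to the PHP type in mime.types-style text."""
    exts = set()
    for line in mime_types_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if fields and fields[0].lower() == PHP_TYPE:
            exts.update(f.lower() for f in fields[1:])
    return exts

def served_as_source(mime_types_text, files):
    """Names of files holding PHP code whose extension is not handled by PHP.

    files maps a file name to its content.
    """
    handled = php_extensions(mime_types_text)
    exposed = []
    for name, content in sorted(files.items()):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # "<?php" marks PHP code; short open tags are not detected here.
        if "<?php" in content and ext not in handled:
            exposed.append(name)
    return exposed

# The mime.types line from the PHP section, and a variant without "inc".
PAGE_LINE = "application/x-httpd-php phtml pht php php3 inc"
NO_INC_LINE = "application/x-httpd-php phtml pht php php3"

# Constructed sample document root (name -> content).
SAMPLE_FILES = {
    "index.php": "<?php include 'db.inc'; ?>",
    "db.inc": "<?php $dbpass = 'placeholder'; ?>",
    "old.php4": "<?php phpinfo(); ?>",
    "about.html": "<html>static page</html>",
}

if __name__ == "__main__":
    print("page line:   ", served_as_source(PAGE_LINE, SAMPLE_FILES))
    print("without inc: ", served_as_source(NO_INC_LINE, SAMPLE_FILES))
```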

MAINTENANCE:
apache should just work. Seriously. If it starts running away with the
CPU/memory (top), stop and start it (/etc/init.d/apache). If you need to
modify any config options, make sure to restart. If you made an ssl
certificate, it may expire at some point in time in which case a new one
will be needed. If you have anything writing to /tmp you might consider
making sure that files in /tmp are regularly deleted (weekly via cron for
instance). Logs are in /var/log/apache/ and are fairly straightforward.
Reading them can be vaguely enlightening on occasion.