A-Zx - Ucccs.info

colonteeΛογισμικό & κατασκευή λογ/κού

4 Νοε 2013 (πριν από 3 χρόνια και 8 μήνες)

123 εμφανίσεις


1



Apache Configuration

Directives can be classified as



Global


apply to Apache execution



Server Specific


apply to server



Virtual Host Specific


apply to virtual hosts

Directives can also be classified as



Core


in all Apache installations



MPM


in an
OS
-
native installation



Base


provided by modules included in Apache by default



Extension


part of a module that is optional



Experimental


use at your own risk

Main configuration file: httpd.conf

Virtual host configuration:



Can be defined in section of h
ttpd.conf ***

…or…



Can be placed in .htaccess file in virtual host home directory, with directive in
https.conf: AllowOverride all|none [not all directives permitted in .htaccess]#

Directives:



Listen[Server]



Defines IP and/or port where Apache listens
.



E.g
. Listen 80



Listen 143.238.1.1:80



Listen 143.239.1.1.8080




DocumentRoot[Server, Virtual Host]



Defines the root directory where web pages should reside.



E.g. DocumentRoot “C:/websites/atlanticferries”




DirectoryIndex[Server, Virtual Host, Directory, .
htaccess]



DirectoryIndex index.html index.htm



DirectoryIndex index.html /cgi
-
bin/list.pl




ServerName[Server, Virtual Host]



Specifies server name(optional port no) that Apache uses to identify itself.



E.g. ServerName
www.atlanticferries.com


2





Configuring Log Files:



ErrorLog[Server, Virtual Host]



Specifies name/location of error logfile



E.g. ErrorLog /etc/apache_error_log




LogLevel[Server, Virtual Host]



Adjusts the verbosity of the messages recorded in the error
logs.



E.g. LogLevel warn



[levels are: emerg, alert, crit, error, warn, notice, info, debug]




CustomLog[Server, Virtual Host]



Specifies name & format of logfile for http requests, with optional nickname



E.g. CustomLog /logs/connect_logfile “%h %u %t %r %s”

mylogformat




Logformat[Server, Virtual Host]



Specifies format of logfile for http requests, with optional nickname



E.g. LogFormat “%a %u %B %t %r %s” mynewlogformat

Running Scripts[
Script Alias

Directive]

Server
-
side scripting is commonly supported so as
to provide dynamic websites.

Scripting languages of various styles exist:



ColdFusion Markup Language (*.cfm)



Java via JavaServer Pages (*.jsp)



JavaScript using Server
-
side JavaScript (*.ssjs)



PHP (*.php)



Perl (*.pl)

The modern Apache approach is to provide optional modules [e.g. mod_perl,

mod_php] for many of these scripting languages, These modules, if loaded, will

handle processing of the relevant script.


CGI Scripts

Prior to the development of such languages, earl
y scripting was done using a

combination of C programs, (Unix) shell scripts and Perl scripts. This combination of

approaches was referred to as the Common Gateway Interface (CGI), and is still

employed in websites to this day. A CGI script will be stored
in a file, the first line of

which specifies how the file contents are to be interpreted. For example, the following

first line of a CGI script states that the file contains a shell script, to be executed by

the bash shell:


! /bin/bash


An alternative fir
st line of a file might state that it contains a Perl script, to be


3



executed by the Perl interpreter:


!/usr/local/bin/perl



CGI Directory [
ScriptAlias

Directive]

By convention, Apache stores all CGI scripts in a directory named cgi
-
bin. The

location

of this directory should be specified with an appropriate ScriptAlias directive

within the htttpd configuration file:

e.g.
ScriptAlias /cgi
-
bin/ “C:/xampp/apache/cgi
-
bin/”

e.g.
ScriptAlias /cgi
-
bin/ /usr/local/apache2/cgi
-
bin/


Then, for example, if a scr
ipt is invoked from a HTML form:

<form action= “/cgi
-
bin/processform.cgi” method=”POST”>


A

request is made for the file
/cgi
-
bin/processform.cgi
to Apache which looks for

it in the
directory
/usr/local/apache2/cgi
-
bin
and then executes it.


MIME Types
[
Ad
dType
&
Action

Directives
]

MIME [Multipurpose Internet Mail Extensions] types are identifiers used to identify

file types, such as text, image, audio, etc. While originally designed for mail, MIME

has been extended to the Web in general. When a Web server
is handling a file, either

for direct manipulation or for transfer to a client, it needs to identify the file type so

that he correct handling application can be chosen.


MIME types have the format type/subtype, and examples are:



text/plain



text/html



text/
xml



image/jpeg



image/gif



video/mpeg



application/pdf



application/zip


The definition of supported MIME types is stored in a file [default location:

/conf/mime.types
], which uses the file extension to determine its type and

identifies

the handler application(s). If it cannot determine the file type, it assigns it

the default type,
test/plain
. [Note that, if the optional
mime
-
magic
module is

loaded, it looks inside the file to determine its type]


Editing the
mime
-
types
File
[
AddType
&
Action

Directives
]

If you need to add a type, it is done using the
AddType
directive, as in:

AddType mime
-
type extension

e.g.
AddType application/x
-
httpd
-
php .php

which adds a line to the file.


4




Similarly, you can instruct Apache to run a particular script

when it receives a request

for a file type, using the
Action
directive:

Action mime
-
type script

e.g. to handle all requests for png images with a CGI script:

Action image/png /cgi
-
bin/processPNG.cgi

Or, you can create an action for PHP using the MIME type

created above as follows:

Action application/x
-
httpd
-
php /php/php.exe

In this case,
/php/
must have been defines as a script directory using the

ScriptAlias
directive.


Configuring Directories
[
Options
,
AllowOverride
,
Order
,
Allow
,
Deny

Directives
]

Directories are used in Apache for organizing both the server components and the

individual virtual hosts. Both the access to, and the features of, directories can and

should be controlled.


Directory Access

A general rule is that Apache should not have an
y more access to a directory than is

absolutely necessary. A further general rule is that access to a directory applies to

subdirectories, etc, unless specifically refused by a directive.


To achieve control, a default directory is normally defined with mi
nimal access

permission for Apache:


<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>


This defines a top
-
level directory [from which all others inherit], which allows

Apache to follow symbolic links, but it cannot process a .htaccess

configuration file.

Other directories can then have specific directive applied to them using the template:


<Directory dirpath>

Directives

</Directory>


e.g.
<Directory /usr/local/apaches/htdocs>


An example of this might be:

<Directory /usr/local/apache/
htdocs/secret>

Order Deny, Allow

Allow from cs.ucc.ie

Deny from all

</Directory>



5



which will deny access to the directory from all clients except those originating from

the domain
cs.ucc.ie
. Note that Deny is evaluated before Allow, thereby achieving

the d
esired result.



When using the
Deny
or
Allow
directives, they take the form

Allow from identifier

Deny from identifier


where Identifier can take the form



All



Domain
-
Name [cs.ucc.ie]



IP Address [143.239.1.17]



Partial IP Address [143.239]


Directory
Features

In addition to enabling access, we may also want to control features of a directory,

using the
Options
directive, as in:

Options features


where features take the form:



All



ExecCGI



FollowSymLinks



Includes



Indexes



None



SymLinksIfOwnerMatch


Using Directives with Files
[
Order
,
Allow
,
Deny

Directives
]

You can restrict access to files in the same way you restrict access to directories,

using the
Files
directive:


<Files filename>

Directives

</Files>


You can specify wildcards in the filename opt
ion:


<Files *.gif>


The
Directives
, which control file access, can include
Allow
,
Deny
and
Order
.


Apache Modules

Since the release of Apache2, the design of the software has been modular, where

each

module supports a particular feature


and can be omitted if that feature is not

required. Modules can be
base
(enabled by default),
extension
(enabled by choice


6



when installing Apache) or
externa
l (provided by third parties). The latter two

categories

of software module can either be compiled
statically
(compiled with

Apache; adding or removing involves recompiling the Apache software) or

dynamically
(they are Dynamically Shared Objects


DSO


that require a

LoadModule
directive in
httpd.conf
in order

to be loaded).


Some useful extension modules include:


PHP
[
mod_php
]



a scripting modules for dynamic data
-
driven websites


Secure Socket Layer (SSL)
[
mod_ssl
]




a connection on Port 443 that uses the HTTPS protocol, not HTTP.

Information transmitted betwe
en Apache and the browser is encrypted, with

the server holding a digital certificate, issues by a certification authority, that

verifies its identity; uses a library OpenSSL that must also be installed.


Perl
[
mod_perl]



executes Perl CGI scripts, employed

for text/file manipulation; run much

faster than Perl scripts executed as CGI scripts.


Python
[
mod_python]



another scripting language employed for text/file manipulation; objectoriented,

comparable to Perl & java..


Security Tips

Update Regularly



Update
Apache with each new release, particularly those relating to security

issues.


Restrict Access to Apache Directory
[Unix]



Create Apache directory as root, with root permissions. Do not allow writes to

Apache directory.


Don’t Run Apache as Root
[Unix]



You must start Apache as root. However, the
User
&
Group
directives in the

configuration file should switch to another dedicated account, one with fewer

privileges.


Monitor Server Requests



Check logfiles regularly. Look out for suspicious requests, such a
s requests for

the
passwd
file or repeated requests from same user.


Use a Restricted Default Directory



In
httpd
configuration file, specify
Deny from All
in default directory

<Directory />
. Then use Allow directory to open up access to specific

directories.


7




Don’t Let Users See Your Files



Don’t allow indexes in any directories unless specifically required (so that

users won’t try each file). Don’t set
Options
directive to
Index
in default

directory


only in directories where file browsing is req
uired.


Limit CGI Scripts



Limit the execution of CGI scripts to specific directories, such as
cgi
-
bin
.

Don’t place them in any other directory, unless you trust users who can

execute them. Ensure that any directory containing executable scripts is not

writ
eable to outside users.


Don’t Allow .htaccess Files



Do all configuration in
httpd.conf
.


Use SSL for Important Communications



Encrypt important communications


Apache From Source

Installing Apache WebServer on Unix



from

source



from

binaries



from

a

package

manager

[RPM]


Installing

Apache

from

Source

Files

Step 1: Download


1.

Download from
httpd.apache.org

2.

Select appropriate mirrorsite [choose default]

3.

Choose required source file for download, e.g. httpd
-
2.2.17.tar.gz

4.

Save to an appropriate directory, such as

/usr/src


Step 2: Installation

After downloading:

1.

Go to a Linux shell and login as the system administrator root:

sudo bash [become root]


2.

Change to the download directory:


cd /usr/src


and check that the downloaded file httpd
-
2.2.17.tar.gz is there


3.

Unpack the tarball:


8




gunzip

c httpd
-
2.2.17.tar.gz | tar

xf



A new directory named httpd.2.2.17 is created that contains several
subdirectories with

all the files unpacked from the tarball


4.

Configure the installation [choosing where to install Apache]:


The default location is /usr/local/apache2, achieved by:


./configure


To locate the installation elsewhere, use the prefix option:


./configure
--
prefix=/software/apache2


5.

Compile the source code programs using the make utility:


Make


6.

Install the
software:


make install


Apacheis now installed below the /usr/local/apache2 directory.


Step 3: Start

Assuming that you choose the default for the configure
command, the
/usr/local/apaches2 directory

will have a bin subdirectory that contains the
executables. In particular, it will contain the following:


httpd: this is the apache executable, and can be run directly with suitable
parameters


apachect1
: this is a script that will start httpd executing, having done some
checking of the

parameters; it

is the standard way of starting apache.


To start apache using
apachect1
:


/usr/local/apache2/bin/apachectl start


By default, apachectl looks for the httpd executable in /usr/local/apache2/bin
directory. If you installed

in non
-
standard directories, you
should edit the apachectl
script and amend the line


HTTPD=’/usr/local/apache2/bin/httpd’


So that it contains the correct path to the httpd executable, e.g.


HTTPD=’software/apaches/bin/httpd’


9




Step 4: Test

To check that Apache is running, lookup all
processes:


ps

A


and check if the list of processes includes some named httpd.


Stopping Apache

To

stop

Apache

simply

call

this

command:


/usr/local/apache2/bin/apachectl stop


Restarting Apache

To

restart

Apache

just

type

in

this

command:


/usr/local/apache2/bin/apachectl restart


Installation Options

In Step2 above, we have seen that the configure command can have a prefix option
that determines

where the Apache executables will be placed. In fact, the user can
determine the placement of al
l Apache files,

using the enable
-
layout option. Its
format is enable
-
layout=LAYOUT, which states that the

installation should take its
layout format from a file named LAYOUT. The default is layout.config.


./configure
--
prefix=/software/apache2


enable
-
la
yout=LAYOUT


The default layout.config file contains:


<Layout Apcahe>

prefix:




/usr/local/apache2

exec_prefix:



$[prefix]

bindir:




$[exec_prefix]/bin

sbindir:



$[exec_prefix].bin

libdir:




$[exec_prefix].lib

libexecdir:



$[exec_prefix]/modules

mandir:



$[prefix]/man

<Layout>


Serving Multiple Websites

Hosting More Than One Website

User Home Pages [Directory
-
Based]




group all websites under one controlling hostname



e.g.


10




www.MyServer.com/~abc/siteone.html

www.MyServer.com/~cde/sitetwo.html

www.MyServer.com/xyz/newsite.html




simple to implement by assigning a directory to each separate website




home directory for each supported website can be automatically setup with UserDir
directive:




e.g


UserDir /home/www/MyServer/users/




this will take an incoming URL of
www.MyServer.com/~abc/siteone.html
and
redirect it to the page at
/home/www/MyServer/users/abc/siteone.html
[i.e. it
substitutes the URL for the tilde




individual websites can be given some level of control with a
.htacce
ss
file


Use Separate Servers



run more than one instance of Apache at the same time




each could listen on the same IP/Port, but requests must include the “
Host:
…”
header of HTTP1.1 [see “Name
-
based Virtual Hosting” below]




alternatively, each could on

a separate IP number and port [see ”IP
-
based Virtual
Hosting” below]




heavyweight solution, but considered useful for high
-
security systems [especially if
Apache instances run as different user/group identities]


IP
-
Based Virtual Hosting



run only one i
nstance of Apache but, for each hosted website, have it listen on a
separate IP number and port [i.e. on separate network cards or on a single network
card that has several IP numbers multiplexed]




more efficient than having separate servers [since a comm
on pool of processes is
effectively shared]




can define the behaviour of virtual host in the configuration file




e.g.


<VirtualHost IP>

ServerName
www.MyServer.com



11




ServerAlias MyServer.com, *.MyServer.com


ServerAdmin
webmaster@MyServer.com



DocumentRoot /home/www/MyServer


ErrorLog logs/MyServer_errors


TransferLog loga/MyServer_log

</VirtualHost>





Name
-
Based Virtual Hosting



an instance of Apache could s
upport multiple websites, each having its own
directory structure and configuration file




all requests must have the “
Host:
…” header of HTTP1.1]