
Apache/Print version

From Wikibooks, open books for an open world


Apache

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Apache

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

Introduction

Apache is primarily used to serve both static content and dynamic Web pages on the World Wide Web. Many web applications are designed expecting the environment and features that Apache provides.

Apache is redistributed as part of various proprietary software packages including the Oracle Database and the IBM WebSphere application server. Mac OS X integrates Apache as its built-in web server and as support for its WebObjects application server. It is also supported in some way by Borland in the Kylix and Delphi development tools. Apache is included with Novell NetWare 6.5, where it is the default web server. Apache is included with many Linux distributions.

Apache is used for many other tasks where content needs to be made available in a secure and reliable way. One example is sharing files from a personal computer over the Internet. A user who has Apache installed on their desktop can put arbitrary files in Apache's document root which can then be shared.

Programmers developing web applications often use a locally installed version of Apache in order to preview and test code as it is being developed.

Microsoft Internet Information Services (IIS) is the main competitor to Apache, followed by Sun Microsystems' Sun Java System Web Server and a host of other applications such as Zeus Web Server or Nginx.


Introduction/History

History and name


The first version of the Apache web server software was created by Robert McCool, who was heavily involved with the National Center for Supercomputing Applications web server, known simply as NCSA HTTPd. When McCool left NCSA in mid-1994, the development of httpd stalled, leaving a variety of patches for improvements circulating through e-mails. These patches were provided by a number of other developers besides McCool, and they thus helped to form the original "Apache Group".

There have been two explanations of the project's name. According to the Apache Foundation, the name was chosen out of respect for the Native American tribe of Apache (Indé), well-known for their endurance and their skills in warfare. However, the original FAQ on the Apache Server project's website, from 1996 to 2001, claimed that "The result after combining [the NCSA httpd patches] was a patchy server." The first explanation was supported at an Apache Conference and in an interview in 2000 by Brian Behlendorf, who said that the name connoted "Take no prisoners. Be kind of aggressive and kick some ass". Behlendorf then contradicted this in a 2007 interview, stating that "The Apache server isn't named in honor of Geronimo's tribe" but that so many revisions were sent in that "the group called it 'a patchy Web server'". Both explanations are probably appropriate.

Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code, with a strong focus on further modularization and the development of a portability layer, the Apache Portable Runtime. The Apache 2.x core has several major enhancements over Apache 1.x. These include UNIX threading, better support for non-Unix platforms (such as Microsoft Windows), a new Apache API, and IPv6 support. The first alpha release of Apache 2 was in March 2000, with the first general availability release on April 6, 2002.

Version 2.2 introduced a more flexible authorization API. It also features improved cache modules and proxy modules.


Introduction/License

License


The software license under which software from the Apache Foundation is distributed is a distinctive part of the Apache HTTP Server's history and presence in the open source software community. The Apache License allows for the distribution of both open and closed source derivatives of the source code.

The Free Software Foundation does not consider the Apache License to be compatible with version 2 of the GPL in that software licensed under the Apache License cannot be integrated with software that is distributed under the GPL:

This is a free software license but it is incompatible with the GPL. The Apache Software License is incompatible with the GPL because it has a specific requirement that is not in the GPL: it has certain patent termination cases that the GPL does not require. We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.[1]

However, version 3 of the GPL includes a provision (Section 7e) which allows it to be compatible with licenses that have patent retaliation clauses, including the Apache License.

The name Apache is a registered trademark and may only be used with the trademark holder's express permission.



Architecture

Features


Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Other features include SSL and TLS support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (implemented under mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).

Popular compression methods on Apache include the external extension module mod_gzip, implemented to help reduce the size of web pages served over HTTP. ModSecurity is an open source intrusion detection and prevention engine for web applications. Apache logs can be analyzed through a web browser using free scripts such as AWStats/W3Perl or Visitors.

Virtual hosting allows one Apache installation to serve many different actual websites. For example, one machine with one Apache installation could simultaneously serve www.example.com, www.test.com, test47.test-server.test.com, etc.

Apache features configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces.


Installation

Windows


The program can be installed alone from http://www.apache.org/dyn/closer.cgi.

However, it is generally best to get it with an all-in-one solution like WAMP or EasyPHP, because it includes the installation of PHP and MySQL at the same time.

Apart from that, a portable all-in-one is XAMPP.

Remark (on a PC):


By default Apache is set to automatically launch at startup which is convenient on a server. However on a PC, it may be better to create a script to start and stop it manually. Example with EasyPHP:

net start ews-dbserver
net start ews-httpserver
net start ews-dashboard
pause
net stop ews-dashboard
net stop ews-httpserver
net stop ews-dbserver

Unix-like


Debian

 apt-get install apache2

Gentoo

 emerge apache

Configuration

The service should be restarted manually after most configuration changes:

 vim /etc/httpd/conf/httpd.conf
#or
 vim /etc/apache2/apache2.conf

 /etc/init.d/apache2 restart


Configuration

Configuring Apache WebServer


GUI Tools:

There are some GUI tools to configure the Apache web server, but they mostly handle basic or intermediate configuration. For advanced configuration, modifying the configuration file is the way to go. Some GUI tools are: Comanche, TkApache, LinuxConf, WebMin, ApacheConf, user_manage. Among them, Webmin is browser based and may be a better choice than the others.

Basic Apache Configuration Information is as below:

Apache has three configuration files:

httpd.conf
access.conf
srm.conf

httpd.conf is the main file; you can forget about the others.

A basic configuration file may look like the following:

 # Host name: the URL under which the website is served
 ServerName www.justetc.net
 # Listen on the network interface 192.168.0.1, on ports 80 and 400
 Listen 192.168.0.1:80
 Listen 192.168.0.1:400
 # User and group the server runs as when answering requests (nobody is the default)
 User nobody
 Group nobody
 # E-mail address of the administrator
 ServerAdmin admin@justetc.net
 # Apache's main working folder; Apache keeps essential files here
 ServerRoot /usr/locale/apache
 # Error log, to keep track of errors
 ErrorLog logs/error_log
 # Access log, to check accesses; may make the website slower
 TransferLog logs/access_log
 DocumentRoot /home/www/justetc

You can create your own user and group and have the server use them to access web pages:

groupadd httpd
useradd -u 999 -g httpd -s /bin/false -c 'Web Server' httpd

then use

User httpd
Group httpd


Configuration/Performance

Performance


Although the main design goal of Apache is not to be the "fastest" web server, Apache does have performance comparable to other "high-performance" web servers. Instead of implementing a single architecture, Apache provides a variety of MultiProcessing Modules (MPMs) which allow Apache to run in a process-based, hybrid (process and thread) or event-hybrid mode, to better match the demands of each particular infrastructure. This implies that the choice of correct MPM and the correct configuration is important. Where compromises in performance need to be made, the design of Apache is to reduce latency and increase throughput, relative to simply handling more requests, thus ensuring consistent and reliable processing of requests within reasonable time-frames.


Virtual hosting

Principle


Virtual hosting in Apache allows a single instance of the Apache software to host more than one distinct web site. Since only one instance of Apache can use port 80 on a server at once, without virtual hosting each new web site you hosted would need a new server.

Sites hosted under virtual hosting appear to end users as normal sites in every way; the only difference is that fewer server machines are needed to host them. Virtual hosting is commonly used by high-volume low-price web hosting companies, who give each of their customers a virtual host, with potentially hundreds of customers sharing the same server.

Configuration


To add a virtual host, edit apache2.conf (or httpd.conf). Example:[1]

<VirtualHost MyIP:80>
  ServerAdmin admin@site1.com
  DocumentRoot /home/site1/public_html
  ServerName site1.com
  ServerAlias www.site1.com
</VirtualHost>

<VirtualHost MyIP:80>
  ServerAdmin admin@site2.com
  DocumentRoot /home/site2/public_html
  ServerName site2.com
  ServerAlias www.site2.com
  CustomLog /home/site2/access.log combined
  ErrorLog /home/site2/error.log
  <Directory /home/site2/public_html>
    AllowOverride All
  </Directory>
</VirtualHost>



SSL

Install and Configure Apache2 with PHP5 and SSL Support

Required Packages

apache2
openssl ssl-cert
libapache2-mod-php5 
php5-cli 
php5-common 
php5-cgi

Configuration Steps

Step 1: generate certificate

Use the following command to generate a certificate:

 sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:West Bengal
Locality Name (eg, city) []:Kolkata
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MAT3 Impex Pvt. Ltd.
Organizational Unit Name (eg, section) []:Crypto-Devel
Common Name (eg, YOUR name) []:Promathesh Mandal
Email Address []:promatesh@mat3impex.com

This completes the certificate. Because this file also contains the private key, make sure it has the correct permissions; if not, use the following command to set them:

 sudo chmod 600 /etc/apache2/apache.pem

Note: to generate a certificate signing request, use the following command:

 sudo openssl req -new -key apache.pem -out chikpea.csr

Step 2: listen on the port

By default the server listens for incoming HTTP requests on port 80, and not for SSL connections on port 443. To enable SSL support, add the following entry to the file /etc/apache2/ports.conf, then save and exit the file.

 Listen 443

Step 3: enable SSL support

To enable SSL support for your Apache web server, use the following command:

 sudo a2enmod ssl

The command prints:

 Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Now restart the apache2 server using the following command:

 sudo /etc/init.d/apache2 restart

Step 4: configuring SSL Certificate to Virtual Hosts in Apache2

First, edit the /etc/apache2/sites-available/default file and change

 NameVirtualHost *

to

 NameVirtualHost *:80
 NameVirtualHost *:443

Now you need to configure Virtual hosts using port 80.

Example

 ServerAdmin webmaster@localhost
 .
 .
 .

Then configure the virtual hosts using port 443. The main difference is that you need the following two lines for each SSL host.

 SSLEngine on
 SSLCertificateFile /etc/apache2/apache.pem

Example

 ServerAdmin webmaster@localhost
 .
 .
 .
 SSLEngine on
 SSLCertificateFile /etc/apache2/apache.pem

Now you need to restart your apache web server using the following command

 sudo /etc/init.d/apache2 reload

Sample Files : sample for “ports.conf” file

 Listen 80 
 Listen 443

sample for “default” file

 NameVirtualHost *:80
 NameVirtualHost *:443
 <VirtualHost *:80>
 	DocumentRoot /var/www/
 	<Directory />
  		Options FollowSymLinks
 		AllowOverride None
  	</Directory>
 	<Directory /var/www/>
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None
 		Order allow,deny
 		allow from all
 		# This directive allows us to have apache2's default start page
                 # in /apache2-default/, but still have / go to the right place
                 #RedirectMatch ^/$ /apache2-default/
 	</Directory> 
 	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 	<Directory "/usr/lib/cgi-bin">
 		AllowOverride None
 		Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
 		Order allow,deny
 		Allow from all
 	</Directory> 
 	ErrorLog /var/log/apache2/error.log 
 	# Possible values include: debug, info, notice, warn, error, crit,
 	# alert, emerg.
 	LogLevel warn
 	CustomLog /var/log/apache2/access.log combined
 	ServerSignature On 
     Alias /doc/ "/usr/share/doc/"
     <Directory "/usr/share/doc/">
         Options Indexes MultiViews FollowSymLinks
         AllowOverride None
         Order deny,allow
         Deny from all
         Allow from 127.0.0.0/255.0.0.0 ::1/128
     </Directory> 
  </VirtualHost> 
  <VirtualHost *:443>
 	ServerAdmin webmaster@localhost
 	SSLEngine on
 	SSLCertificateFile /etc/apache2/apache.pem 	
 	DocumentRoot /var/www/
 	<Directory />
 		Options FollowSymLinks
 		AllowOverride None
 	</Directory>
 	<Directory /var/www/>
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None
 		Order allow,deny
 		allow from all
 		# This directive allows us to have apache2's default start page
                 # in /apache2-default/, but still have / go to the right place
                 #RedirectMatch ^/$ /apache2-default/
 	</Directory>
 	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 	<Directory "/usr/lib/cgi-bin">
 		AllowOverride None
 		Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
 		Order allow,deny
 		Allow from all
 	</Directory>
 	ErrorLog /var/log/apache2/error.log
 	# Possible values include: debug, info, notice, warn, error, crit,
 	# alert, emerg.
 	LogLevel warn
 	CustomLog /var/log/apache2/access.log combined
 	ServerSignature On
     Alias /doc/ "/usr/share/doc/"
     <Directory "/usr/share/doc/">
         Options Indexes MultiViews FollowSymLinks
         AllowOverride None
         Order deny,allow
         Deny from all
         Allow from 127.0.0.0/255.0.0.0 ::1/128
     </Directory>
   </VirtualHost>


.htaccess

Principle

In order to protect a particular directory (and its subdirectories), it suffices to place a file called .htaccess inside it. Apache applies its rules immediately, and only within this directory tree. The syntax is the same as for the general vhost rules (e.g. URL rewriting or protection), except that it only affects the directory of the .htaccess (so no Directory clause).

Attention: Windows Explorer doesn't allow naming some files beginning with a dot, but a text editor is able to save a file as .htaccess.

Installation

To authorize .htaccess files in the site's .conf, use AllowOverride[1]:

AllowOverride All

To forbid them:

AllowOverride None

References

  1. http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride


Security

Numerous robots try to crack databases (for instance via phpMyAdmin or WordPress). Several criteria can be used to protect against them.

For example, to forbid listing the files of a directory that has no index file (e.g. .html, .php), add the code: Options -Indexes.

Protection by provenance

Authorize only two IP addresses to read the directory:

whitelist with Require[1]

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_authz_core.c>
            <RequireAny>
                Require all denied
                Require ip 127.0.0.1
                Require ip 127.0.0.2
            </RequireAny>
        </IfModule>
    </Directory>

whitelist with allow (obsolete in Apache 2.4)

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_access_compat.c>
            deny from all
            allow from 127.0.0.1
            allow from 127.0.0.2
        </IfModule>
    </Directory>

If the allowed ranges have some addresses in common with the denied ranges, it's better to specify their precedence (the order of the lines in the .htaccess file doesn't change anything):

order allow,deny
evaluates the authorizations first and then the prohibitions, at the risk of banning what was previously allowed.
order deny,allow
the opposite order, which is less restrictive.
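
The two Order settings above, worked through on overlapping ranges. This is an added example, not part of the original book or of Apache's own code: the function names and the sample ranges are constructed for illustration, and the model covers only "all", IP and CIDR rules of mod_access_compat.

```python
import ipaddress

# Constructed sample rules: the denied range lies inside the allowed one.
ALLOW = ["192.0.2.0/24"]
DENY = ["192.0.2.128/25"]
# One address per case: allowed only, allowed and denied, matched by neither.
SAMPLES = ["192.0.2.10", "192.0.2.200", "198.51.100.7"]


def matches(addr, rules):
    """True if addr matches a rule; a rule is "all", an IP or a CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(
        rule == "all" or ip in ipaddress.ip_network(rule, strict=False)
        for rule in rules
    )


def access_granted(order, allow, deny, addr):
    """Model how mod_access_compat combines Allow and Deny for one address."""
    allowed = matches(addr, allow)
    denied = matches(addr, deny)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: a Deny match always wins, and
        # an address matching neither list is rejected by default.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: an Allow match overrides a
        # Deny, and an address matching neither list is permitted by default.
        return allowed or not denied
    raise ValueError("order must be 'allow,deny' or 'deny,allow'")


def decision_table(allow=ALLOW, deny=DENY, samples=SAMPLES):
    """Decision for every sample address under both orders."""
    return {
        (order, addr): access_granted(order, allow, deny, addr)
        for order in ("allow,deny", "deny,allow")
        for addr in samples
    }


if __name__ == "__main__":
    for (order, addr), granted in decision_table().items():
        verdict = "granted" if granted else "denied"
        print(f"order {order:<10} {addr:<13} {verdict}")
```

The address matched by neither list is where the two orders differ most: allow,deny fails closed, deny,allow fails open.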

blacklist with Require[2]

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_authz_core.c>
            # A negated Require is only valid inside <RequireAll>
            <RequireAll>
                Require all granted
                Require not ip 127.0.0.1
            </RequireAll>
        </IfModule>
    </Directory>

blacklist with deny (obsolete in Apache 2.4)

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_access_compat.c>
            order allow,deny
            allow from all
            deny from 127.0.0.1
        </IfModule>
    </Directory>

Protection by password

Authentication configuration

The Apache settings must allow the authentication parameters to be modified.

The directive AllowOverride of a parent directory must contain the option AuthConfig[3].

The directives to place in the .htaccess are:

AuthType basic
the commonly adopted authentication type, but poorly secured.
AuthName "My message"
the text shown as a prompt in the dialog box.
AuthUserFile /etc/apache2/my_passwd
the path of the passwords file.
Require valid-user
specifies that a valid account is needed to access the folder.

We can also use Require user toto sasa to authorize only the two accounts toto & sasa.

The basic authentication type uses unencrypted passwords.

Other, more secure types exist, such as digest, which it is recommended to combine with HTTPS.

The first request addressed to the protected directory causes the dialog box to be displayed, in which the user should identify themselves (with login and password):

  • If the password is invalid, the dialog will be displayed again.
  • If it's valid, the browser can remember it and not ask for it again until it is next relaunched.
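
What the basic type puts on the wire, as an added example that is not part of the original book: the browser sends the login and password Base64-encoded in the Authorization header of every request, and decoding needs no key, which is why the protected directory should only be served over HTTPS. The function names are chosen for this illustration; the sample value in the comment is the one from RFC 7617.

```python
import base64
import binascii


def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode("{}:{}".format(user, password).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Return (user, password) as the server recovers them, or None.

    None is returned for another scheme, invalid Base64, invalid UTF-8 or a
    missing ':' separator. Only the first ':' separates the fields, so a
    password may itself contain colons.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


if __name__ == "__main__":
    # RFC 7617 sample: user "Aladdin", password "open sesame"
    header = basic_header("Aladdin", "open sesame")
    print(header)
    # Decoding is a pure Base64 reversal: no secret is involved.
    print(parse_basic_header(header))
```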

Passwords file

The following command creates a passwords file called .htpasswd with one user toto:

htpasswd -c /home/user/www/.htpasswd toto

To add or modify a user:

htpasswd /home/user/www/.htpasswd sasa

Then give the .htpasswd path in the .htaccess file with:

 AuthName "Protected page"
 AuthType Basic
 AuthUserFile "/home/user/www/.htpasswd"
 Require valid-user

References

  1. https://httpd.apache.org/docs/2.4/en/howto/access.html
  2. https://httpd.apache.org/docs/2.4/en/upgrading.html
  3. http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride


CGI

CGI scripts

CGI (Common Gateway Interface) is a standard that allows Apache to execute programs, which can be written in any programming language (Bash, C, Java, Perl, PHP, Python...), as long as the program is executable and respects certain input/output constraints.

Configure the CGI scripts access

To make Apache interpret the scripts, a minimum of settings is needed in the site configuration.

ScriptAlias

The directive (from httpd.conf):

 ScriptAlias /cgi-bin/ /scripts path/

specifies the folder in which Apache is authorized to execute the CGI scripts.[1]

Unix example:

 ScriptAlias /cgi-bin/ /var/www/cgi-bin/

Windows example, use the URL format (no backslash):

 ScriptAlias /cgi-bin/ "C:/wamp/bin/apache/apache2.2.27/cgi-bin/"

The path /cgi-bin/ doesn't actually exist: it's redirected to the scripts path set by the directive, which makes it possible to write URLs like http://server/cgi-bin/my_script.

ExecCGI

The following clause activates the option ExecCGI in /var/www/cgi-bin, which authorizes Apache to execute scripts on the server:

 <Directory /var/www/cgi-bin>
   Options ExecCGI
 </Directory>

For example, if a script called essai.cgi is in /home/httpd/cgi-bin:

 <Directory /home/httpd/cgi-bin>
   Options ExecCGI
 </Directory>

Then, call the URL: http://serveur/cgi-bin/essai.cgi

AddHandler

This clause selects the file extensions that will be authorized, e.g.:

 AddHandler cgi-script .cgi .exe .pl .py .vbs

Recapitulation


Full example on Windows, in the Apache configuration:

 ScriptAlias /cgi-bin/ "E:/www/cgi-bin/"
 <Directory "E:/www/cgi-bin/">
   Options FollowSymLinks Indexes
   AllowOverride All
   Order deny,allow
   Allow from all
   Require all granted		
 </Directory>

In E:/www/cgi-bin/.htaccess :

 AddHandler cgi-script .cgi .exe .pl .py .vbs

Write a CGI program

The main constraint concerns the program's output. If a CGI script writes data to its standard output, it must first print an HTTP header that identifies the data.

#!/bin/bash

# Header
echo "Content-type: text/html"

# Header end
echo ""

# Content to display in the browser
echo "<html><body>Hello World!</body></html>"

This script generates an HTML page.

#!c:/perl/perl/bin/perl.exe -w
use CGI;
my $query = new CGI;
my $Name = $query->param('Name');
print $query->header();
print "Hello World!"

Python

#!C:\Program Files (x86)\Python\python.exe
# -*- coding: UTF-8 -*-
# Header, then an empty line that ends the headers
print("Content-Type: text/plain;charset=utf-8")
print("")
print("Hello World!")

For Windows.[2]

'!c:/windows/system32/cscript //nologo
Wscript.Echo "Content-type: text/html" & vbLF & vbLF
WScript.Echo "Hello World!"
Wscript.Quit 0

Known errors

  • Error 500 Server error!: replace a Deny from all with an Allow from all.

or

# setsebool -P httpd_enable_cgi 1
# chcon -R -t httpd_sys_script_exec_t cgi-bin/your_script.cgi
  • Error 403 Forbidden access: this folder cannot be listed, so call its files directly.
  • If the file's source code appears in the browser: the .htaccess is not properly set.
  • couldn't create child process: replace the path after the shebang. For example:
    #!/usr/bin/perl with #!c:/perl/perl/bin/perl.exe -w.
    #!/usr/bin/env python with #!C:\Program Files (x86)\Python\python.exe.
  • End of script output before headers: missing header (e.g. move the import before print("Content-Type: text/plain;charset=utf-8")). But it can also be the symptom of a compilation error in the script language.
  • malformed header from script: Bad header: : the header is not suitable (e.g. replace #print("Content-Type: text/plain;charset=utf-8") with print("Content-type: text/html\n\n") if there is a print("<html>") after it).

Otherwise consult the Apache logs...
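
A CGI script that follows the output constraint described above and also uses a request parameter, as an added example that is not part of the original book. It goes beyond the Hello World scripts by HTML-escaping the Name parameter before echoing it; check_cgi_output is a simplified check written for this illustration, not Apache's own header parser.

```python
#!/usr/bin/env python3
import html
import os
import sys
from urllib.parse import parse_qs


def build_response(environ):
    """Return the complete CGI output: header, empty line, then the body."""
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    name = params.get("Name", ["World"])[0]
    # Request data is untrusted: escape it before placing it in the HTML.
    body = "<html><body>Hello {}!</body></html>\n".format(html.escape(name))
    return "Content-Type: text/html; charset=utf-8\n\n" + body


def check_cgi_output(output):
    """Return None if the output starts with a usable header block.

    Otherwise return the reason, which corresponds to the two header
    errors listed under "Known errors".
    """
    head, sep, _body = output.partition("\n\n")
    if not sep:
        return "no empty line ends the headers"
    for line in head.split("\n"):
        field, colon, _value = line.partition(":")
        if not colon or not field or " " in field:
            return "malformed header line: {!r}".format(line)
    return None


if __name__ == "__main__":
    response = build_response(os.environ)
    # Write bytes so that the platform does not rewrite the line endings.
    sys.stdout.buffer.write(response.encode("utf-8"))
```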

References

  1. http://httpd.apache.org/docs/current/en/howto/cgi.html
  2. http://wiki.uniformserver.com/index.php/CGI:_VBScript_CGI