This is the print version of Apache
- 1 Introduction
- 2 Introduction/History
- 3 Introduction/License
- 4 Architecture
- 5 Installation
- 6 Configuration
- 7 Configuration/Performance
- 8 Virtual hosting
- 9 SSL
- 10 .htaccess
- 11 Security
- 11.1 Protection by provenance
- 11.2 Protection by password
- 11.3 References
- 12 CGI
Apache is primarily used to serve both static content and dynamic Web pages on the World Wide Web. Many web applications are designed expecting the environment and features that Apache provides.
Apache is redistributed as part of various proprietary software packages including the Oracle Database and the IBM WebSphere application server. Mac OS X integrates Apache as its built-in web server and as support for its WebObjects application server. It is also supported in some way by Borland in the Kylix and Delphi development tools. Apache is included with Novell NetWare 6.5, where it is the default web server. Apache is included with many Linux distributions.
Apache is used for many other tasks where content needs to be made available in a secure and reliable way. One example is sharing files from a personal computer over the Internet. A user who has Apache installed on their desktop can put arbitrary files in Apache's document root which can then be shared.
Programmers developing web applications often use a locally installed version of Apache in order to preview and test code as it is being developed.
Microsoft Internet Information Services (IIS) is the main competitor to Apache, followed by Sun Microsystems' Sun Java System Web Server and a host of other applications such as Zeus Web Server or Nginx.
History and name
The first version of the Apache web server software was created by Robert McCool, who was heavily involved with the National Center for Supercomputing Applications web server, known simply as NCSA HTTPd. When McCool left NCSA in mid-1994, the development of httpd stalled, leaving a variety of patches for improvements circulating through e-mails. These patches were provided by a number of other developers besides McCool, and they thus helped to form the original "Apache Group".
There have been two explanations of the project's name. According to the Apache Foundation, the name was chosen out of respect for the Native American tribe of Apache (Indé), well-known for their endurance and their skills in warfare. However, the original FAQ on the Apache Server project's website, from 1996 to 2001, claimed that "The result after combining [the NCSA httpd patches] was a patchy server." The first explanation was supported at an Apache Conference and in an interview in 2000 by Brian Behlendorf, who said that the name connoted "Take no prisoners. Be kind of aggressive and kick some ass". Behlendorf then contradicted this in a 2007 interview, stating that "The Apache server isn't named in honor of Geronimo's tribe" but that so many revisions were sent in that "the group called it 'a patchy Web server'". Both explanations are probably appropriate.
Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code, with a strong focus on further modularization and the development of a portability layer, the Apache Portable Runtime. The Apache 2.x core has several major enhancements over Apache 1.x. These include UNIX threading, better support for non-Unix platforms (such as Microsoft Windows), a new Apache API, and IPv6 support. The first alpha release of Apache 2 was in March 2000, with the first general availability release on April 6, 2002.
Version 2.2 introduced a more flexible authorization API. It also features improved cache modules and proxy modules.
The software license under which software from the Apache Foundation is distributed is a distinctive part of the Apache HTTP Server's history and presence in the open source software community. The Apache License allows for the distribution of both open and closed source derivatives of the source code.
The Free Software Foundation does not consider the Apache License to be compatible with version 2 of the GPL in that software licensed under the Apache License cannot be integrated with software that is distributed under the GPL:
This is a free software license but it is incompatible with the GPL. The Apache Software License is incompatible with the GPL because it has a specific requirement that is not in the GPL: it has certain patent termination cases that the GPL does not require. We don't think those patent termination cases are inherently a bad idea, but nonetheless they are incompatible with the GNU GPL.
However, version 3 of the GPL includes a provision (Section 7e) which allows it to be compatible with licenses that have patent retaliation clauses, including the Apache License.
The name Apache is a registered trademark and may only be used with the trademark holder's express permission.
Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Other features include SSL and TLS support (mod_ssl), a proxy module (mod_proxy), a URL rewriter (implemented under mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).
Popular compression methods on Apache include the external extension module, mod_gzip, implemented to help with reduction of the size of web pages served over HTTP. ModSecurity is an open source intrusion detection and prevention engine for web applications. Apache logs can be analyzed through a web browser using free scripts such as AWStats/W3Perl or Visitors.
Virtual hosting allows one Apache installation to serve many different actual websites. For example, one machine with one Apache installation could simultaneously serve www.example.com, www.test.com, test47.test-server.test.com, etc.
Apache features configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces.
The program can be installed alone from http://www.apache.org/dyn/closer.cgi.
Apart from that, a portable all-in-one is XAMPP.
apt-get install apache2
The service should be restarted manually after most configuration changes:

    vim /etc/httpd/conf/httpd.conf
    # or
    vim /etc/apache2/apache2.conf
    /etc/init.d/apache2 restart
Configuring Apache WebServer
There are some GUI tools to configure the Apache web server, but they mostly cover basic or intermediate levels of configuration. For advanced configuration, modifying the configuration file is the way to go. Some GUI tools are: Comanche, TkApache, LinuxConf, WebMin, ApacheConf, user_manage. Among them, Webmin is browser based and may be a better choice than the others.
Basic Apache Configuration Information is as below:
Apache has three configuration files:
- httpd.conf
- access.conf
- srm.conf
httpd.conf is the main file; you can forget about the others.
A basic configuration file may look like the following:
    # host name of the website being served
    ServerName www.justetc.net
    # listen on the network interface 192.168.0.1, port 80
    Listen 192.168.0.1:80
    # listen on the network interface 192.168.0.1, port 400
    Listen 192.168.0.1:400
    # run the server's child processes as the user nobody (default)
    User nobody
    Group nobody
    # email of the administrator
    ServerAdmin email@example.com
    # Apache's main working folder; Apache keeps essential files here
    ServerRoot /usr/locale/apache
    # to keep track of errors
    ErrorLog logs/error_log
    # records each access; may make the website slower
    TransferLog logs/access_log
    DocumentRoot /home/www/justetc
You can create your own dedicated user and group and have Apache use that account to serve web pages:

    groupadd httpd
    useradd -u 999 -g httpd -s /bin/false -c 'Web Server' httpd

Then set them in the configuration:

    User httpd
    Group httpd
Although the main design goal of Apache is not to be the "fastest" web server, Apache does have performance comparable to other "high-performance" web servers. Instead of implementing a single architecture, Apache provides a variety of MultiProcessing Modules (MPMs) which allow Apache to run in a process-based, hybrid (process and thread) or event-hybrid mode, to better match the demands of each particular infrastructure. This implies that the choice of correct MPM and the correct configuration is important. Where compromises in performance need to be made, the design of Apache is to reduce latency and increase throughput, relative to simply handling more requests, thus ensuring consistent and reliable processing of requests within reasonable time-frames.
Virtual hosting in Apache allows a single instance of the Apache software to host more than one distinct web site. Since only one instance of Apache can use port 80 on a server at once, without virtual hosting each new web site you hosted would need a new server.
Sites hosted under virtual hosting appear to end users as normal sites in every way; the only difference is that fewer server machines are needed to host them. Virtual hosting is commonly used by high-volume low-price web hosting companies, who give each of their customers a virtual host, with potentially hundreds of customers sharing the same server.
To add a virtual host, edit
    <VirtualHost MyIP:80>
        ServerAdmin firstname.lastname@example.org
        DocumentRoot /home/site1/public_html
        ServerName site1.com
        ServerAlias www.site1.com
    </VirtualHost>

    <VirtualHost MyIP:80>
        ServerAdmin email@example.com
        DocumentRoot /home/site2/public_html
        ServerName site2.com
        ServerAlias www.site2.com
        # per-site access log (CustomLog takes the file and a log format)
        CustomLog /home/site2/access.log combined
        ErrorLog /home/site2/error.log
        <Directory /home/site2/public_html>
            AllowOverride All
        </Directory>
    </VirtualHost>
Install and Configure Apache2 with PHP5 and SSL Support
apache2 openssl ssl-cert libapache2-mod-php5 php5-cli php5-common php5-cgi
Step 1: generate certificate
Use the following command to generate a certificate:
sudo openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:West Bengal
    Locality Name (eg, city) :Kolkata
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:MAT3 Impex Pvt. Ltd.
    Organizational Unit Name (eg, section) :Crypto-Devel
    Common Name (eg, YOUR name) :Promathesh Mandal
    Email Address :firstname.lastname@example.org
This completes the certificate. Now make sure the .pem file has the correct permissions; if not, use the following command to set them:
sudo chmod 600 /etc/apache2/apache.pem
Note: For generating a certificate signing request give the following command
sudo openssl req -new -key apache.pem -out chikpea.csr
Step 2: listen on the port
By default the server will listen for incoming HTTP requests on port 80, and not for SSL connections on port 443. So you need to enable SSL support by adding the following entry to the file /etc/apache2/ports.conf, then save and exit the file.
Step 3: enable SSL support
If you want to enable SSL support for your apache web server you need to use the following command
sudo a2enmod ssl
    Module ssl installed; run /etc/init.d/apache2 force-reload to enable.

Now you need to restart the apache2 server using the following command:
sudo /etc/init.d/apache2 restart
Step 4: configuring SSL Certificate to Virtual Hosts in Apache2
First, edit the /etc/apache2/sites-available/default file and set:

    NameVirtualHost *:80
    NameVirtualHost *:443
Now you need to configure the virtual hosts using port 80.

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        .
        .
        .
    </VirtualHost>

Then configure the virtual hosts using port 443. The main difference is that you need the following two lines for each SSL host.

    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        .
        .
        .
        SSLEngine on
        SSLCertificateFile /etc/apache2/apache.pem
    </VirtualHost>
Now you need to restart your apache web server using the following command
sudo /etc/init.d/apache2 reload
Sample files

Sample for the “ports.conf” file:

    Listen 80
    Listen 443
sample for “default” file
    NameVirtualHost *:80
    NameVirtualHost *:443

    <VirtualHost *:80>
        DocumentRoot /var/www/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            # This directive allows us to have apache2's default start page
            # in /apache2-default/, but still have / go to the right place
            #RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        SSLEngine on
        SSLCertificateFile /etc/apache2/apache.pem
        DocumentRoot /var/www/
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            # This directive allows us to have apache2's default start page
            # in /apache2-default/, but still have / go to the right place
            #RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>
In order to protect a particular directory (and its subdirectories), it suffices to place a file called .htaccess inside it. Apache applies its rules immediately, and only within this tree structure. The syntax is the same as the general vhost rules (e.g. URL rewriting or protection), except that it only affects the directory containing the .htaccess (so no
Note: Windows Explorer doesn't allow naming some files beginning with a dot, but a text editor is able to save a file as .htaccess.
To authorize the .htaccess in the site .conf, use
To forbid them:
For example, to forbid listing the files of a directory which has no index (e.g. .html, .php), add the code:
Protection by provenance
Authorize only two IPs to read the directory:

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_authz_core.c>
            <RequireAny>
                Require all denied
                Require ip 127.0.0.1
                Require ip 127.0.0.2
            </RequireAny>
        </IfModule>
    </Directory>
whitelist with allow (obsolete in Apache 2.4)
    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_access_compat.c>
            deny from all
            allow from 127.0.0.1
            allow from 127.0.0.2
        </IfModule>
    </Directory>
If the authorized ranges have some addresses in common with the prohibited ranges, it's better to specify their precedence (the order of the lines in the .htaccess file doesn't change anything):
order allow,deny
- evaluates the authorizations first and then the prohibitions, at the risk of banning what was previously allowed.
order deny,allow
- the reverse order is less restrictive.
    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_authz_core.c>
            # a negated Require must sit inside a <RequireAll> container
            <RequireAll>
                Require all granted
                Require not ip 127.0.0.1
            </RequireAll>
        </IfModule>
    </Directory>
blacklist with deny (obsolete in Apache 2.4)

    <Directory /usr/share/phpmyadmin/>
        <IfModule mod_access_compat.c>
            order allow,deny
            allow from all
            deny from 127.0.0.1
        </IfModule>
    </Directory>
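The precedence rules of this section, worked through in Python as an added example (it is not part of the original book): it applies the documented mod_access_compat semantics of Order to the whitelist and blacklist rule sets shown above. The function names and the outside client address 192.0.2.10 are assumptions made for the illustration.

```python
"""Added example: how mod_access_compat decides with Order / Allow / Deny."""
import ipaddress


def _matches(rules, ip):
    """True if ip matches any rule: 'all', a single address or a CIDR range."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule == "all" or addr in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def is_allowed(order, allow, deny, ip):
    """Apply the Order semantics; the order of the lines themselves is irrelevant.

    order is "allow,deny" or "deny,allow"; allow and deny hold the arguments
    of the 'allow from' and 'deny from' lines.
    """
    allowed = _matches(allow, ip)
    denied = _matches(deny, ip)
    if order == "allow,deny":
        # An Allow must match and no Deny may match; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # A matching Deny rejects unless an Allow also matches; default is allow.
        return allowed or not denied
    raise ValueError("unknown Order value: %r" % order)


# Rule sets copied from the two mod_access_compat blocks of this section.
WHITELIST = {"allow": ["127.0.0.1", "127.0.0.2"], "deny": ["all"]}
BLACKLIST = {"allow": ["all"], "deny": ["127.0.0.1"]}


def decision_table(rules, clients=("127.0.0.1", "192.0.2.10")):
    """Return {(order, client): allowed} for both Order values."""
    return {
        (order, ip): is_allowed(order, rules["allow"], rules["deny"], ip)
        for order in ("deny,allow", "allow,deny")
        for ip in clients
    }


if __name__ == "__main__":
    for name, rules in (("whitelist", WHITELIST), ("blacklist", BLACKLIST)):
        for (order, ip), ok in decision_table(rules).items():
            verdict = "allow" if ok else "deny"
            print(f"{name:9} Order {order:10} {ip:12} -> {verdict}")
```

The whitelist only works with Order deny,allow (the default when no Order line is present), and the blacklist only works with Order allow,deny; swapping them either locks everyone out or lets the listed address back in.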
Protection by password
The Apache settings must allow the authentication parameters to be modified.
The directive AllowOverride of a parent directory must contain the option
The directives to place in the
- authentication type commonly adopted but poorly secured.
AuthName "My message"
- the text shown as a prompt in the dialog box.
- the path of the passwords file.
- specifies that a valid account is needed to access the folder.
We can also use Require user toto sasa to authorize only the two accounts toto & sasa.
The basic authentication type uses unencrypted passwords.
Other, more secure types exist, such as digest, which it is recommended to combine with HTTPS.
The first request addressed to the protected directory causes the dialog box to be displayed, in which the user must identify themselves (with login and password):
- If the password is invalid, the dialog will be displayed again.
- If it's valid, the browser can remember it and not ask for it again until it is next restarted.
The following command creates a passwords file called .htpasswd with one user, toto:
htpasswd -c /home/user/www/.htpasswd toto
To add or modify a user:
htpasswd /home/user/www/.htpasswd sasa
Then give .htaccess the path of the .htpasswd file with:

    AuthName "Protected page"
    AuthType Basic
    AuthUserFile "/home/user/www/.htpasswd"
    Require valid-user
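An added example (not part of the original book) for checking the password file created above: it classifies each entry by the hash prefix htpasswd writes and tests whether the AuthUserFile lies under the served directory. The sample entries are constructed placeholders, the users old and new are hypothetical, and treating /home/user/www as the web root is an assumption.

```python
"""Added example: audit an htpasswd file for weak hash schemes and location."""
import posixpath
import re

# 13 characters from the crypt() alphabet: traditional DES crypt output
_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"sha1-unsalted", "crypt-des", "plaintext-or-unknown"}


def classify_hash(value):
    """Name the scheme of one htpasswd hash field from its prefix or shape."""
    if value.startswith("$2y$"):
        return "bcrypt"
    if value.startswith("$apr1$"):
        return "apr1-md5"
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    if _CRYPT_RE.match(value):
        return "crypt-des"
    return "plaintext-or-unknown"


def audit_htpasswd(text):
    """Return (user, scheme, is_weak) for every 'user:hash' line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines and comments carry no account
        user, value = line.split(":", 1)
        scheme = classify_hash(value)
        findings.append((user, scheme, scheme in WEAK))
    return findings


def under_web_root(auth_user_file, web_root):
    """True if the password file is stored inside the served directory tree."""
    path = posixpath.normpath(auth_user_file)
    root = posixpath.normpath(web_root)
    return posixpath.commonpath([path, root]) == root


# Constructed sample file: the hash bodies are filler, not real digests.
SAMPLE = "\n".join([
    "# constructed entries",
    "toto:$apr1$" + "a" * 8 + "$" + "A" * 22,
    "sasa:{SHA}" + "A" * 27 + "=",
    "old:" + "ab" + "C" * 11,
    "new:$2y$05$" + "A" * 53,
])

if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE):
        print(f"{user:5} {scheme:22} {'WEAK' if weak else 'ok'}")
    # Path from the AuthUserFile line above; the web root is assumed.
    print(under_web_root("/home/user/www/.htpasswd", "/home/user/www"))
```

Entries flagged as weak can be recreated with htpasswd's bcrypt option (-B, available in Apache 2.4), and a password file reported as lying under the web root is better moved outside it.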
CGI (Common Gateway Interface) is a standard that permits Apache to execute programs, which can be written in any programming language (Bash, C, Java, Perl, PHP, Python...), as long as they are executable and respect certain input/output constraints.
Configure the CGI scripts access
To make Apache interpret the scripts, a minimum of settings is necessary in the site configuration.
The directive (from httpd.conf):
ScriptAlias /cgi-bin/ /scripts path/
specifies the folder where Apache is authorized to execute the CGI scripts.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
Windows example, use the URL format (no backslash):
ScriptAlias /cgi-bin/ "C:/wamp/bin/apache/apache2.2.27/cgi-bin/"
In fact, the path /cgi-bin/ doesn't really exist; it is redirected to the scripts path set by the directive, and it allows writing URLs like
The following clause activates the option ExecCGI in /var/www/cgi-bin, which authorizes Apache to execute scripts on the server:

    <Directory /var/www/cgi-bin>
        Options ExecCGI
    </Directory>
For example, if a script is called
    <Directory /home/httpd/cgi-bin>
        Options ExecCGI
    </Directory>
Then, call the URL:
This clause chooses the file extensions which will be authorized, e.g.:
AddHandler cgi-script .cgi .exe .pl .py .vbs
Full example on Windows, in the Apache configuration:
    ScriptAlias /cgi-bin/ "E:/www/cgi-bin/"
    <Directory "E:/www/cgi-bin/">
        Options FollowSymLinks Indexes
        AllowOverride All
        Order deny,allow
        Allow from all
        Require all granted
    </Directory>
AddHandler cgi-script .cgi .exe .pl .py .vbs
Write a CGI program
The main constraint concerns the program's output. If a CGI script generates data on its standard output, it must first output an HTTP header that identifies the data.

    #!/bin/bash
    # Header
    echo "Content-type: text/html"
    # Header end
    echo ""
    # Content to display in the browser
    echo "<html><body>Hello World!</body></html>"
This script generates an HTML page.
    #!c:/perl/perl/bin/perl.exe -w
    use CGI;
    my $query = new CGI;
    my $Name = $query->param('Name');
    print $query->header();
    print "Hello World!"

    #!C:\Program Files (x86)\Python\python.exe
    # -*- coding: UTF-8 -*-
    print "Content-Type: text/plain;charset=utf-8"
    print
    print "Hello World!"

    '!c:/windows/system32/cscript //nologo
    Wscript.Echo "Content-type: text/html" & vbLF & vbLF
    WScript.Echo "Hello World!"
    Wscript.Quit 0
- Error 500 Server error!: replace a Deny from all by an Allow from all.

    # setsebool -P httpd_enable_cgi 1
    # chcon -R -t httpd_sys_script_exec_t cgi-bin/your_script.cgi

- Error 403 Forbidden access: this folder cannot be listed, so call its files directly.
- If the file's source code appears in the browser: the .htaccess is not properly set.
- couldn't create child process: replace the path after the shebang. For example: #!C:\Program Files (x86)\Python\python.exe.
- End of script output before headers: missing header (e.g. move the import before print "Content-Type: text/plain;charset=utf-8"). But it can also be the symptom of a compilation error in the script language.
- malformed header from script: Bad header: : the header is not suitable (e.g. replace #print "Content-Type: text/plain;charset=utf-8" by print "Content-type: text/html\n\n" if there is a
Otherwise consult the Apache logs...