Configuring Apache

How to install and configure Apache with custom options, including enabling SSL, CGI, SSI, and FrontPage Server Extensions.

1. Basic Configuration

1.1. Install Apache

This is out of scope here; go to http://httpd.apache.org for help. I would recommend not using an RPM/deb/whatever for Apache. My philosophy is roll your own Apache, Perl, and kernel, always. If you want to
install mod_perl or mod_ssl or the like, and you really don’t feel comfortable trying to compile it all yourself, then you may want
to try Apache Toolbox, at http://www.apachetoolbox.com.

For the rest of the document, I’m going to assume that you
have Apache installed in /usr/local/apache, your docroot in /home/httpd/html, and your cgi-bin in /home/httpd/cgi-bin.

1.2. Preliminary Setup (httpd.conf)

Apache comes almost ready to use after installation. I would recommend that you go over the config
file, /usr/local/apache/conf/httpd.conf, before firing it up the first time. The file is
extremely well-documented, and you shouldn’t have any problems as long as you take time to practice
the basic skill of reading. Nevertheless, I’ll go ahead and explain the layout a little
bit, and list some of the things I personally had to change.

1.2.1. File Layout

This is explained at the top of the file. There are 3 basic sections to the httpd.conf file, as
follows:

  1. Options which modify the behavior and operation of the whole Apache server, aka the ‘global
    environment.’
  2. Options which set the behavior of the ‘default server.’ Things like security, file access,
    document sources, CGI settings, etc. are configured here. For a basic server, this is all you’ll
    need. Options in this section will also be the default options for virtual servers. More on those
    later.
  3. Settings for virtual servers. Explained in section 2.

1.2.2. Resource & Access Config

There are two directives, ResourceConfig and AccessConfig, which basically aren’t
used anymore. The files to which they point default to being empty, and should probably stay
that way. If you’re going to be using the FrontPage extensions, set the options like this:
ResourceConfig /dev/null
AccessConfig /dev/null

1.2.3. Extended Status

You may find it helpful to find out what’s going on with your new server. Apache provides
a special URL to help you with this, /server-status. To have it show you more information:
ExtendedStatus On

1.2.4. Port Number

To aid me in writing this document, I did an install of Apache 1.3.23. I don’t know how long
it has been this way, but apparently Apache now defaults to running on port 8080. This just isn’t very nice at all…
Port 80

1.2.5. User Setup

Apache needs to run as an unprivileged user on your system. RedHat-type systems come pre-configured
with the nobody user. I’m not sure about anything else, but it seems like Debian may have
a www user…?
User nobody
Group nobody

1.2.6. Server Admin

The email address of the server’s administrator.
ServerAdmin admin@domain.com

1.2.7. Server Name

This needs to be the primary resolvable address for your website.
ServerName www.domain.com

1.2.8. Allow Override

See .htaccess, section 4.

1.2.9. Document Root

This specifies the default directory where your HTML files and whatnot are pulled
from. Since I’m assuming the directory /home/httpd/html:
DocumentRoot "/home/httpd/html"

1.2.10. Directory Sections

Apache has sections of its config file inside of <Directory> </Directory> tags.
These are for setting options on indexing, execution permissions, access permissions, etc.
on certain directories. For instance:
<Directory "/home/httpd/html">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>

Another directory section you may want to modify is the UserDir directory.
This is for functionality like on prism, where everything in your ~/public_html directory
will be served from a URL like http://www.prism.gatech.edu/~gte000a . By default this section
is commented out. If you uncomment it, users will be able to serve web pages. If you have
a few friends as users that you trust, you may want to give more lax permissions:
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit Options
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

1.2.11. Directory Index

When a directory is specified in the URL instead of a page, this directive comes into
play. Apache will look for files listed here, in this order. If it finds one, it
sends this page by default. If it doesn’t find one, and Options Indexes applies
to this directory, it will display a listing of all files (except those explicitly
hidden in the next section).
DirectoryIndex index.htm index.cgi index.html index.php index.php3 index.pl

1.2.12. Files Sections

These tags let you set access rights on specific files. For instance, CGI authors
often have a file with, say, usernames and passwords for a database that must be
accessed for the CGI executable. These can be protected from users on the system
by chown nobody.nobody access.conf; chmod 600 access.conf, but this doesn’t
keep somebody on the web from clicking the file or typing the name into the URL.

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
<Files "*.inc">
Order allow,deny
Deny from all
</Files>
<Files "*.conf">
Order allow,deny
Deny from all
</Files>

1.2.13. Add Handler

Inside the <IfModule mod_mime.c> section, there are AddHandler statements.
These are useful for SSI (Server-Side Includes) and CGI.

I’m not going to go over what these are, you get to figure that out for yourself. In my
setup, I have Perl and Python files recognized as CGI scripts, and basically all HTML
files are parsed for SSI.

AddHandler cgi-script .pl
AddHandler cgi-script .py
AddHandler server-parsed .shtml
AddHandler server-parsed .html
AddHandler server-parsed .htm

1.2.14. Location Sections

Basically the only <Location> section I find useful is /server-status.
It shows you server uptime and recent requests, among other things. If you’d like
to use it, uncomment the section in the file, and add the hosts you’d like
to access it from.

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 128.61.63.84
Allow from localhost
Allow from billy
Allow from 128.61.63.88
</Location>

1.3. Starting it Up

And here’s the final (and easiest) step in the process. Simply run
/usr/local/apache/bin/apachectl start
to get it going. Point your browser to http://localhost/ and cross your
fingers…

2. Virtual Servers or Hosts

Virtual Servers, or Virtual Hosts, are a method by which you can run multiple websites
with one instance of Apache on one machine. You can do this by using different IP
addresses or different port numbers, but the easiest and probably most common way is
by using name-based virtual hosts. This means that Apache looks at which domain
name was used to reach the web server and chooses different content/configuration based on that.

You can see full documentation at http://www.apache.org/docs/vhosts/.

If you want to use Virtual Hosts, you must enable it:
NameVirtualHost *:80
As the configuration file shows, almost any option can be overridden for a
virtual server. Probably the simplest Virtual Host would just have a different DocumentRoot directive. I’ll list an example or two from my setup:
<VirtualHost *:80>
ServerName maes.progoth.com
DocumentRoot "/home/httpd/html/maes/"
AddHandler cgi-script .pl
<Directory "/home/httpd/html/maes">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ /home/httpd/html/maes/cgi-bin/
</VirtualHost>
<VirtualHost *:80>
ServerName www.mcsweetie.com
ServerAlias *.mcsweetie.com mcsweetie.com
ServerAdmin m8s_in_liver@yahoo.com
DocumentRoot "/home/bob/mcsweetie.com/"
<Directory "/home/bob/mcsweetie.com">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

Make sure to have a virtual host that is your default server. Since you’ve probably
already listed default options, all you’ll need to have in this Host is ServerName and ServerAlias.

Keep in mind that you can’t just make up names and stick them here and expect them to
work; you have to have a DNS entry for the domains pointing to your IP.

3. SSL

I’m not going to explain what SSL is. You can read more than you want to know at http://www.modssl.com. Well, I hear that there are other implementations of
SSL for Apache, but from everything I hear, just use mod_ssl.

3.1. Server Certificate

Before you can run your server, you’ll need to create a server certificate. You can
find everything you need to know at http://www.modssl.com/docs/2.8/ssl_faq.html,
but I’ll give a quick rundown here. You’ll need to have OpenSSL installed, and a tool from mod_ssl.

Create a /cert directory in /usr/local/apache . Make sure only root has
permissions to the directory (700). The openssl executable should probably be
in your path.

openssl genrsa -des3 -out server.key 1024
openssl rsa -noout -text -in server.key
openssl rsa -in server.key -out server.key.unsecure
openssl req -new -key server.key -out server.csr
openssl req -noout -text -in server.csr

This creates a server key. You’ll need to replace your server.key with the server.key.unsecure
if you don’t want to be asked for your password every time Apache starts up. The next step
is to create a “Certificate Authority” to sign your key with.

openssl genrsa -des3 -out ca.key 1024
openssl rsa -noout -text -in ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Next, according to the mod_ssl FAQ, there’s a shell script in the /contrib directory of the mod_ssl distro.

/path/to/modssl/contrib/sign.sh server.csr

You can now copy the server.crt et al. to the appropriate directories as
listed in section 3.3. Make sure those directories are only readable
by nobody.

3.2. Random Directives

There are a couple of different options that you must set throughout the httpd.conf file to enable SSL. Usually they sit next to a similar existing rule.

3.2.1. Load Module

There’s a place in the conf file for LoadModule directives.

<IfDefine SSL>
LoadModule ssl_module
</IfDefine>

3.2.2. Port

There should already be a line in the file with Port 80 . We want to make
it listen on port 443, which is the standard SSL port. Any port may be used, in
the same way that unencrypted HTTP traffic can be on any port.

Port 80
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

3.2.3. Name Virtual Host

I’ll explain this in the Virtual Host section.
NameVirtualHost *:443

3.2.4. Add Type

Apache needs to know about some of the file types associated with SSL operation.

<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfDefine>

3.2.5. Module Options

The mod_ssl module has to have some things told to it about files and whatnot.
This can basically go anywhere in the global or default server config, as long
as it’s after the LoadModule ssl_module statement.

<IfModule mod_ssl.c>
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLLog /usr/local/apache/logs/ssl_engine_log
SSLLogLevel info
</IfModule>

3.3. Virtual Host

The final step in setting up your SSL server is a virtual host directive.
The port that Apache is serving encrypted data through is just like any other
virtual server, and therefore can be given any options, such as a different
document root. For instance, on my server, the only thing I need encrypted is
the web-based access I provide to GaTech mail. Therefore my SSL server is
limited to the /mail subdirectory of my main document root.

<IfDefine SSL>
<VirtualHost *:443>
DocumentRoot "/home/httpd/html/mail"
<Directory "/home/httpd/html/mail/">
Options Indexes FollowSymLinks ExecCGI Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ServerName www.progoth.com
ServerAdmin admin@progoth.com
ServerAlias progoth.com progoth
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLVerifyClient none
<Files ~ "\.(cgi|pl|shtml|phtml|php|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/home/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
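
What the SSLCipherSuite line above leaves enabled, as an added example (not part of the original page or of mod_ssl): a small Python model of OpenSSL's cipher-string operators, where `!` deletes permanently, `-` deletes, `+` only moves already-enabled suites to the end, and a bare token appends. The suite table and its class tags are a constructed subset assumed for the demonstration, and the STRICT string is an added alternative, not the author's setting.

```python
# Constructed subset of suites (real OpenSSL names). The class tags follow the
# OpenSSL releases of this page's era and are an assumption for the demo.
SUITES = {
    "DES-CBC3-SHA":     {"RSA", "3DES", "HIGH", "SSLv3"},
    "RC4-SHA":          {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":      {"RSA", "DES", "LOW", "SSLv3"},
    "EXP-RC4-MD5":      {"RSA", "RC4", "EXP", "SSLv3"},
    "DES-CBC3-MD5":     {"RSA", "3DES", "HIGH", "SSLv2"},
    "ADH-DES-CBC3-SHA": {"ADH", "3DES", "HIGH", "SSLv3"},
    "NULL-SHA":         {"RSA", "eNULL", "SSLv3"},
}
WEAK_TAGS = {"LOW", "EXP", "SSLv2", "ADH", "eNULL"}


def matches(tags, wanted):
    """A token such as RC4+RSA matches suites carrying every named tag.
    ALL means every suite except the eNULL ones."""
    return all(("eNULL" not in tags) if w == "ALL" else (w in tags) for w in wanted)


def expand(cipher_string):
    """Apply the cipher-string operators; return suites in preference order."""
    active, killed = [], set()
    for token in cipher_string.split(":"):
        op = token[:1] if token[:1] in ("!", "-", "+") else ""
        wanted = token[len(op):].split("+")
        hits = [s for s, tags in SUITES.items() if matches(tags, wanted)]
        if op == "!":      # delete permanently, can never be re-added
            killed.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":    # delete, may be re-added by a later token
            active = [s for s in active if s not in hits]
        elif op == "+":    # reorder only: move enabled matches to the end
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:              # append matches that are not already enabled
            active += [s for s in hits if s not in active and s not in killed]
    return active


def weak_suites(cipher_string):
    """Suites left enabled that carry a LOW, EXP, SSLv2, ADH or eNULL tag."""
    return [s for s in expand(cipher_string) if SUITES[s] & WEAK_TAGS]


PAGE = "ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
STRICT = "HIGH:!ADH:!SSLv2"  # added alternative, not from the page

if __name__ == "__main__":
    print(expand(PAGE), weak_suites(PAGE))
    print(expand(STRICT), weak_suites(STRICT))
```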

3.4. Starting Up

Did you notice all the <IfDefine SSL> statements? Those are just like preprocessor
statements in, say, C. The directives in between the opening and closing <IfDefine> tags are only
processed if Apache has been told to. When mod_ssl is patched into Apache, it creates a new
option in apachectl, startssl.

/usr/local/apache/bin/apachectl startssl

Keep in mind that running it with the restart option doesn’t seem to enable SSL, so
you’ll need to run stop then startssl. This might have been changed since I’ve tried it, though.

4. .htaccess

The .htaccess file is a simple mechanism for setting options in specific directories.
In effect, it can override practically any settings from the httpd.conf file, which is where
the AllowOverride directive comes in. The two I find useful are Options and AuthConfig .

4.1. AllowOverride Options

I find this the most useful when I’m dealing with directories full of images. A common
occurrence is for a user to go to a directory of images and see a whole listing, instead
of only the images the author wants to post. A common way to get around this is to
put an empty index.html file in the directory. A way I like is to allow options
to be set in a .htaccess file, and put a .htaccess file in the directory with this
line:

Options -Indexes

4.2. AllowOverride AuthConfig

With AuthConfig you can use the .htaccess file to password protect directories.
Not only does it restrict access, but it also sets a nice REMOTE_USER variable that
is oh-so-handy in CGI programming…

The .htaccess file looks something like so:

AuthType Basic
AuthName "Administration"
AuthUserFile /home/httpd/.htpasswd
AuthGroupFile /home/httpd/.htgroups
require group admin

The files can be named anything you want. More on those in a moment.
The require statement is fairly flexible. In this example I’m requiring a user
that is in the “admin” group. Other valid directives might include:

require valid-user
require user Billy

4.2.1. .htpasswd

The .htpasswd file is a simple file. It is a list of usernames and
passwords separated by a colon, one username and password per line. The password is a hash,
created with the standard Unix crypt() function. Or, it may optionally
be an MD5 hash, but I don’t know anything about that. There’s a program in the
Apache /bin directory called htpasswd to help with creating/editing
these files. Run it with --help to see how to use it; basically,
./htpasswd passwordfile username
adds a new user. The -c option will create a new file. The -b option lets you specify a password after the username on the command line.
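
The file format described above, as an added example (not from the original page or from Apache): a parser that reads .htpasswd content and labels each entry's hash scheme. It goes beyond the crypt() and MD5 cases the text mentions by also recognising the {SHA} and bcrypt fields that the htpasswd tool can write; the sample entries are constructed, and all except the {SHA} one are shape-only placeholders.

```python
import base64
import hashlib
import re

# Hash shapes written by htpasswd, checked in order: (pattern, scheme, weak).
# weak is True for crypt() (8-character limit), unsalted SHA-1 and plaintext.
SCHEMES = [
    (re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"), "bcrypt", False),
    (re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), "apr1-md5", False),
    (re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "sha1-unsalted", True),
    (re.compile(r"[./A-Za-z0-9]{13}"), "des-crypt", True),
]


def classify(field):
    """Return (scheme, weak) for the hash field of one entry."""
    for pattern, scheme, weak in SCHEMES:
        if pattern.fullmatch(field):
            return scheme, weak
    return "plaintext-or-unknown", True


def audit_htpasswd(text):
    """Return (line_no, user, scheme, weak, shadowed) for every entry."""
    seen, rows = set(), []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            rows.append((line_no, line, "malformed", True, False))
            continue
        scheme, weak = classify(rest.split(":", 1)[0])
        # Apache stops at the first matching user, so later duplicates never apply.
        rows.append((line_no, user, scheme, weak, user in seen))
        seen.add(user)
    return rows


# Constructed sample; only the {SHA} field is a real hash (of b"example").
SHA_FIELD = "{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode()
SAMPLE = "\n".join([
    "# constructed example file",
    "billy:abCDefGHijKLm",
    "alice:$apr1$saltsalt$" + "x" * 22,
    "carol:" + SHA_FIELD,
    "dave:$2y$05$" + "y" * 53,
    "erin:hunter2",
    "billy:$2y$05$" + "z" * 53,
])

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE):
        print(row)
```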

4.2.2. .htgroup

Not a whole lot to tell here. Contents of the file:
groupname: username anotheruser
anothergroup: admin auser

5. FrontPage Server Extensions

The FrontPage extensions can be a life saver if you need to host less technically-inclined
users. Even users who don’t want to use the cheesy FrontPage themes or “Web Objects” or
whatever can be helped a great deal by the simple publishing method (which is actually
built on DAV, an open standard…the #1 signal that FrontPage was consumed by Microsoft,
not developed by them).

The software and manuals are available at http://www.rtr.com/fpsupport/ . It’s a fairly
easy process, so I’m not going to spend a lot of time on it.

I’m going to assume you’re not using the version of Apache with the FrontPage extension
patched in.

The first step is to download the extensions, create /usr/local/frontpage , and
untar fp40.linux.tar.Z into /usr/local/frontpage . You’ll notice 4.0 isn’t the
latest version; given Microsoft’s less-than-stellar security track record, I decided
to stick with the FP2000 extensions. Next, do the following (ripped straight from
the Installation FAQ):

cd /usr/local/frontpage
ln -s version4.0 currentversion
cd currentversion/bin
fpsrvadm.exe -o install -p 80 -servconf /usr/local/apache/conf/httpd.conf
fpsrvadm.exe -o chown -xUser nobody -xGroup nobody

Then restart Apache.

This installs the FrontPage extensions on your main server. The only problem I ran
into was that I had an /admin directory in my main server which was protected
by a .htaccess file. For some reason FrontPage didn’t like that, so I had
to rename the directory.

The FP extensions integrate nicely with VirtualHosts. To make a virtual host into a
FrontPage web, run this command:

fpsrvadm.exe -o install -p 80 -m vh.domain.com -xu nobody -xg nobody -username admin \
-password password -t apache -s /usr/local/apache/conf/httpd.conf

where -username is your FrontPage user id and -password is your
FrontPage user password, and -m is the virtual server you’re installing on.

The website I gave for the extensions has a lot of documentation if you’re having
problems. I found the setup and the username/password settings flaky and confusing,
and you may have to play around with the setup for a while, but once it’s working it seems
to be flawless.

6. Resources