Creating a Web Server with the Apache HTTP Server
When you view a web page over the Internet, the code to create that page must be retrieved from a server somewhere on the Internet. The server that sends your web browser the code to display a web page is called a web server. There are countless web servers all over the Internet serving countless websites to people all over the world. A web server can also be set up on an internal network so that it is only accessible by the computers inside the private network. If this internal network is inside a company or corporation, it is often called an intranet. Whether you need a web server to host a website on the Internet or to host a company portal inside its internal network, a Red Hat Enterprise Linux server can function as a web server using the Apache HTTP server. The Apache HTTP server is a popular, open source server application that runs on many UNIX-based systems as well as Microsoft Windows. This section explains how to get a web server up and running on Red Hat Enterprise Linux.
Configuring the Server
To configure a Red Hat Enterprise Linux system as a web server, the httpd RPM package must be installed. If it is not installed, use Red Hat Network to install it (refer to “RPM package”).
The main configuration file used by the web server is /etc/httpd/conf/httpd.conf. It is a plain text file that can be edited with a simple text editor such as Emacs or Vi.
The configuration options in the /etc/httpd/conf/httpd.conf configuration file are called directives. The file is divided into three main parts, or sets of directives:
· Global configuration options for the server process
· Main server options, which are also defaults for the virtual hosts
· Virtual host definitions
The default configuration file is divided into these three categories, in the order listed previously. The Apache HTTP server in Red Hat Enterprise Linux has been customized for Red Hat Enterprise Linux. Thus, the default values in the default configuration file might differ from the default values in other documentation such as the ones found at apache.org.
Listing shows common global configuration and main server directives that are explained in this section. Any line that begins with the # character is considered a comment.
Listing Sample Apache HTTP Server Configuration File
# Section 1. Global configuration options
ServerRoot /etc/httpd
Listen 80
Timeout 120
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
User apache
Group apache
# Section 2. Main server configuration options
ServerAdmin webmaster@example.com
ServerName example.com
DocumentRoot /var/www/html
DirectoryIndex index.html index.php index.txt
ErrorDocument 404 /errors/404.html
Options Indexes MultiViews
Global Configuration Section
Common directives for the global configuration section include the following. The default values reflect the values found in the default configuration file included with Red Hat Enterprise Linux.
ServerRoot
Directory that contains the configuration files, error messages, and log files. Do not add a forward slash at the end of the directory path. Default value: /etc/httpd
Listen
Port number on which to listen for nonsecure (http) transfers. To specify multiple ports, list them on separate lines with the Listen directive. To only listen on a specific network interface, specify it before the port number, such as Listen 192.168.1.1:80. Default value: 80
SecureListen
Optional directive to configure a secure, encrypted SSL connection on a specific port, usually port 443.
Timeout
Amount of time, in seconds, the server will wait for the following events before failing:
· Receive a GET request
· Receive TCP packets on a POST or PUT request
· Receive ACKs on transmissions of TCP packets in responses
Default value: 120
KeepAlive
If set to On, more than one request is allowed per connection, also known as a persistent connection. Default value: Off
MaxKeepAliveRequests
If KeepAlive is set to On, number of requests allowed per connection. To allow unlimited requests, set this directive to 0. Default value: 100
KeepAliveTimeout
If KeepAlive is set to On, the amount of time, in seconds, the server will wait for additional requests from the same connection. The higher the number, the longer httpd processes wait for subsequent requests on an idle connection instead of accepting connections from new clients. Use caution when setting this value because waiting too long for subsequent requests might result in a slow response to new connections. Default value: 15
LoadModule
Module to be loaded. Be sure the module can be used with the version of Apache you are running. To specify multiple modules, list them on separate lines, each preceded by the LoadModule directive.
User
Username or UID of the Apache process (httpd) owner. After the service is started as root, the process changes ownership to this user with fewer privileges. Default value: apache
Group
Group name or GID of the Apache process (httpd) group. To be used in conjunction with the User directive. Default value: apache
Main Server Section
Common directives for the main server section include the following:
ServerAdmin
Email address or URL to be used as the contact link for the server administrator in error messages sent to clients. This directive can also be used in a virtual host declaration so each site can have different contact links.
ServerName
Hostname and port the server uses to identify itself to clients. This directive can also be specified in a virtual host section.
DocumentRoot
Location of files accessible by clients. By default, the Apache HTTP server in Red Hat Enterprise Linux is configured to serve files from the /var/www/html/ directory. The default web page of the server, such as http://www.example.com/, must be located in this directory with a filename defined with the DirectoryIndex directive, such as index.html. If subdirectories are created within /var/www/html/, they are also available on the website as subdirectories. For example, the /var/www/html/about/ directory translates to the http://www.example.com/about/ URL.
DirectoryIndex
List of index files to use when a directory such as http://www.example.com/ or http://www.example.com/about/ is requested. Multiple index pages can be listed, separated by a space. Possible values include index.html, index.php, and index.txt. This directive can be set inside a virtual host or directory section as well. It requires the mod_dir module to be loaded.
ErrorDocument
Provide a custom message, web page, or remote URL to display for HTTP error codes. If this directive is not defined, a default error message is displayed. This directive can be defined in a virtual host or directory section to further customize error messages. Specify different error codes and how to handle them on separate lines. The format is as follows:
ErrorDocument <code> <page>
where <code> is the HTTP error code, such as 404 for page not found and 500 for a server error. The <page> can be one of the following:
· Location of a web page from the same server, starting with a forward slash. The page is relative to the DocumentRoot. It can be a server-side script. Example: /errors/404.html
· Remote URL. Specify the entire URL, including the http://. Example: http://errors.example.com/404.html
· Custom error message contained in quotation marks. Example: “Page not found on this server”
· The keyword default to display the default error message from the Apache HTTP server.
Options
Allow a particular server feature for the main server, in a virtual host declaration, or in a directory section. List multiple options on the same line separated by spaces. The following Options are available:
All
All options except MultiViews.
ExecCGI
Allow for the execution of CGI scripts using the mod_cgi module.
FollowSymLinks
Follow symbolic links in the directory.
Includes
Allow server-side includes with the mod_include module.
IncludesNOEXEC
Allow server-side includes except for #exec cmd and #exec cgi. Using #include virtual, CGI scripts from directories listed with the ScriptAlias directive are still allowed.
Indexes
If the requested directory contains none of the index files named by the DirectoryIndex directive, allow the mod_autoindex module to generate a directory listing in place of an index page.
MultiViews
As provided by the mod_negotiation module, allow for the selection of the content according to what works best for the client based on the client’s browser, language, preferred encoding, and more.
SymLinksIfOwnerMatch
Only follow symbolic links if the target file or directory is owned by the same user as the file or directory requested.
Directory Sections
In the main server section, each directory that contains files accessible to remote systems from the Apache HTTP server can be configured separately, as shown in the <Directory> sections in Listing. <Directory> sections can also be configured within a virtual host section.
Listing Example <Directory> Section
# Defaults for all directories
<Directory />
    Options FollowSymLinks
</Directory>
# Settings for DocumentRoot
<Directory "/var/www/html">
    Options Indexes MultiViews
</Directory>
# Settings for /legal/
<Directory "/var/www/html/legal">
    DirectoryIndex index.html
    ErrorDocument 404 /errors/legal/404.html
</Directory>
As you can see from Listing, it is wise to set defaults for the root directory of the files accessible by Apache and then modify them per directory and subdirectory. Directives configured for a directory apply to that directory and any subdirectories unless a separate set of directives is provided for the subdirectory. If a directive is defined in the main server section as well as within a directory declaration, the value in the directory declaration is used for that particular directory.
Virtual Host Sections
To serve more than one website from the same Apache HTTP server, you need to configure virtual hosts. There are two types of virtual hosts: name-based and IP-based. Name-based virtual hosting means that multiple names are served on each IP address. IP-based virtual hosting means that a different IP address exists for each website served. Most configurations are name-based because it only requires one IP address, so that is the type discussed in this section.
Virtual hosts are configured one at a time, usually at the end of the httpd.conf file. An example is shown in Listing.
Listing Example Virtual Host
# Enable name-based virtual hosting
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName www.example.org
    DocumentRoot /var/www/example.org
    # add other directives here
</VirtualHost>
Notice the NameVirtualHost directive must be set to enable name-based virtual hosting. The * in the value (and in the <VirtualHost> values) means requests are answered from all server IP addresses that the Apache HTTP server is configured to listen on with the Listen and SecureListen directives.
Most of the directives that can be configured in the main server section can be configured in a virtual host section. The ServerName and DocumentRoot directives are required in a virtual host section so the server knows which website the virtual host is for and where the files being served for the site are located.
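The following is an added example, not part of the original chapter, that ties the Options, <Directory> and virtual host material above together: a small Python audit of an httpd.conf fragment. It parses <Directory> and <VirtualHost> sections with the syntax shown in this section's listings (nothing more elaborate), flags the Options values whose risk the text describes (Indexes exposes directory listings, FollowSymLinks is looser than SymLinksIfOwnerMatch, ExecCGI runs scripts), and checks that each virtual host carries the required ServerName and DocumentRoot and has a matching NameVirtualHost. The configuration text is constructed for the example.

```python
import re
SECTION_OPEN = re.compile(r"<(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"</\w+>")
RISKY_OPTIONS = {"Indexes": "directory listings expose file names",
                 "FollowSymLinks": "consider SymLinksIfOwnerMatch", "ExecCGI": "CGI execution enabled"}

def parse(text):
    """Return blocks [kind, argument, [(directive, value), ...]]; the top level is ('main', '')."""
    blocks = [["main", "", []]]
    stack = [blocks[0]]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments; skip blank lines
        if not line:
            continue
        if SECTION_CLOSE.match(line):
            stack.pop()
        elif (m := SECTION_OPEN.match(line)):      # <Directory "/path"> or <VirtualHost *:80>
            stack.append([m.group(1), m.group(2).strip().strip('"'), []])
            blocks.append(stack[-1])
        else:
            name, _, value = line.partition(" ")
            stack[-1][2].append((name, value.strip()))
    return blocks

def audit(text):
    """Return a list of findings for the configuration text; empty means nothing was flagged."""
    blocks = parse(text)
    name_vhosts = {v for n, v in blocks[0][2] if n == "NameVirtualHost"}
    findings = []
    for kind, arg, directives in blocks:
        where = f"{kind} {arg}".strip()
        for name, value in directives:
            if name == "Options":
                findings += [f"{where}: Options {o} ({RISKY_OPTIONS[o]})"
                             for o in value.split() if o in RISKY_OPTIONS]
        if kind == "VirtualHost":
            findings += [f"{where}: missing required {r}" for r in ("ServerName", "DocumentRoot")
                         if r not in {n for n, _ in directives}]
            if arg not in name_vhosts:             # catches e.g. the typo *.80 for *:80
                findings.append(f"{where}: no NameVirtualHost {arg} in the main section")
    return findings

SAMPLE_CONF = """NameVirtualHost *.80   # constructed sample; deliberate mistakes: *.80 typo, no DocumentRoot
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<VirtualHost *:80>
    ServerName www.example.org
</VirtualHost>
"""
```

Running audit(SAMPLE_CONF) reports the two risky Options on the DocumentRoot directory, the missing DocumentRoot in the virtual host, and the NameVirtualHost address that does not match <VirtualHost *:80>.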
Loading Modules
The Apache HTTP server supports the loading of modules to implement additional features. Examples include mod_log_config for customizing log files, mod_alias for URL redirection, and mod_cgi for executing CGI scripts.
For each module you want to load, add a line similar to the following in the global configuration section of httpd.conf (replace module_name and module_filename.so):
LoadModule module_name modules/module_filename.so
After listing the module with the LoadModule directive, include any of the directives from the module in the appropriate httpd.conf sections.
Logging Connections
By default, log messages from the Apache HTTP server are written to the /var/log/httpd/ directory. When a file is transferred to a client, information such as the IP address of the client, the file transferred, a time stamp, and the client’s browser are written to the transfer log. By default, the transfer log is set to access_log in the /var/log/httpd/ directory.
Error messages and messages from starting and stopping the server are written to the error_log file. If you have enabled SSL connections on the web server, any secure transfers are recorded in ssl_access_log, and any server messages are written to ssl_error_log.
These log files are rotated using the logrotate utility. By default, new log files are started every week, and four weeks of log files are kept.
The following directives control logging:
TransferLog
Filename for the transfer log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/access_log
ErrorLog
Filename for the error log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/error_log
LogFormat
Format used when writing log messages. Refer to the apache.org directive page for details on the available formats. The mod_log_config module must be loaded for this directive.
LogLevel
Level of log messages written to the error log file. Possible values include debug, info, notice, warn, error, crit, alert, and emerg. The debug log level produces the most messages, and emerg only logs messages about the system being unusable. Default value: warn
CustomLog
Sets the filename of the transfer log and the format of the log file. Can be used instead of using both TransferLog and LogFormat. Refer to the apache.org directive page for details. The mod_log_config module must be loaded for this directive.
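As an added example that is not part of the original chapter, here is a Python parser for the transfer log described above, used the way an administrator reviewing /var/log/httpd/access_log would: it assumes the log is written in Apache's combined LogFormat (client host, identity, user, time stamp, request line, status, bytes, referer, user agent), summarizes responses by status code, and lists clients that produced an unusual number of 404 responses, a quick sign that someone is requesting files that do not exist. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def status_summary(lines):
    """Count requests per HTTP status code, skipping lines that do not parse."""
    return Counter(rec["status"] for rec in map(parse_line, lines) if rec)

def noisy_clients(lines, max_404=3):
    """Return {host: n} for clients with more than max_404 responses of 404."""
    misses = Counter(rec["host"] for rec in map(parse_line, lines)
                     if rec and rec["status"] == "404")
    return {host: n for host, n in misses.items() if n > max_404}

# Constructed sample lines in the combined format; not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2007:13:55:36 -0400] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2007:13:55:41 -0400] "GET /about/ HTTP/1.1" 200 1410 "http://www.example.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2007:13:56:02 -0400] "GET /legal/old.html HTTP/1.1" 404 287 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2007:14:01:10 -0400] "GET /test.html HTTP/1.0" 404 287 "-" "curl/7.15.5"',
    '198.51.100.7 - - [10/Oct/2007:14:01:11 -0400] "GET /old/ HTTP/1.0" 404 287 "-" "curl/7.15.5"',
    '198.51.100.7 - - [10/Oct/2007:14:01:12 -0400] "GET /news/ HTTP/1.0" 404 287 "-" "curl/7.15.5"',
    '198.51.100.7 - - [10/Oct/2007:14:01:13 -0400] "GET /docs/ HTTP/1.0" 404 287 "-" "curl/7.15.5"',
    '198.51.100.7 - - [10/Oct/2007:14:01:20 -0400] "GET /index.html HTTP/1.0" 200 2326 "-" "curl/7.15.5"',
    'garbage line that does not match the format',
]
```

To run it against a real file, pass the open file object (an iterable of lines) to status_summary or noisy_clients instead of SAMPLE_LOG.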
Starting and Stopping the Server
Even though a non-root user such as apache owns the httpd processes, you still must be root to start and stop the service. Now that you have the basic settings configured, use the service httpd start command as root to start the server. If all goes well, the server will start. If you have a syntax error in the configuration file, a message is displayed to let you know the server hasn’t been started and gives a hint on where the syntax error is located. Also check the error log file as defined with the ErrorLog directive for messages.
If the web server is already running, the service httpd reload command must be run before the changes take effect. To stop the server, use the service httpd stop command. To configure the web service to start automatically at boot time, execute the chkconfig httpd on command as root.
Apache HTTP Server and SELinux
If SELinux, a mandatory access control security system, is enabled, the default targeted policy protects the Apache HTTP daemon.
All files accessed via the web server must be labeled with the proper security context. For example, if SELinux is enabled and the DocumentRoot location is modified, the SELinux security context of the new location must be changed. A list of valid security contexts and their usages is given in the httpd_selinux man page, read with the man httpd_selinux command. The targeted SELinux policy allows CGI scripts and allows the Apache HTTP Server to read home directories. Other features, such as allowing Apache to run as an FTP server, are not allowed by default to increase security. SELinux booleans must be explicitly set to 1 to allow these additional features. All of the SELinux booleans that affect the Apache HTTP server are described in the httpd_selinux man page, viewable with the man httpd_selinux command.
These SELinux booleans can be set with the setsebool command or with the SELinux Management Tool. To use the SELinux Management Tool, start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to HTTPD Service to view a list of booleans.
Allowing Connections
By default, the Apache HTTP server uses TCP and UDP port 80 for HTTP transfers and TCP and UDP port 443 for HTTPS secure transfers. Verify that your firewall settings allow incoming requests on port 80 if serving non-encrypted web pages and on port 443 if serving encrypted pages.
If custom IPTables rules are being used, those rules must allow these ports. If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool to allow the system to serve web pages. Start the application by clicking on the System menu on the top panel of the desktop and then selecting Administration, Security Level and Firewall, or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. Select the WWW (HTTP) option in the Trusted services section to allow requests on port 80, and select the Secure WWW (HTTPS) option to allow secure requests on port 443. Click OK to enable the changes immediately.