Creating a Web Server with the Apache HTTP Server
When you view a web page over the Internet, the code to create that page must be retrieved from a server somewhere on the Internet. The server that sends your web browser the code to display a web page is called a web server. There are countless web servers all over the Internet serving countless websites to people all over the world. A web server can also be set up on an internal network so that it is only accessible by the computers inside the private network. If this internal network is inside a company or corporation, it is often called an intranet. Whether you need a web server to host a website on the Internet or to host a company portal inside its internal network, a Red Hat Enterprise Linux server can function as a web server using the Apache HTTP server. The Apache HTTP server is a popular, open source server application that runs on many UNIX-based systems as well as Microsoft Windows. This section explains how to get a web server up and running on Red Hat Enterprise Linux.
Configuring the Server
To configure a Red Hat Enterprise Linux system as a web server, the httpd RPM package must be installed. If it is not installed, use Red Hat Network to install it (refer to RPM package”).
The main configuration file used by the web server is /etc/httpd/conf/httpd.conf. It is a plain text file that can be edited with a simple text editor such as Emacs or Vi.
The configuration options in the /etc/httpd/conf/httpd.conf configuration file are called directives. The file is divided into three main parts, or sets of directives:
· Global configuration options for the server process
· Main server options, which are also defaults for the virtual hosts
· Virtual host definitions
The default configuration file is divided into these three categories, in the order listed previously. The Apache HTTP server in Red Hat Enterprise Linux has been customized for Red Hat Enterprise Linux. Thus, the default values in the default configuration file might differ from the default values in other documentation such as the ones found at apache.org.
The following listing shows common global configuration and main server directives that are explained in this section. Any line that begins with the # character is considered a comment.
Listing Sample Apache HTTP Server Configuration File
#Section 1. Global configuration options
#Section 2. Main server configuration options
DirectoryIndex index.html index.php index.txt
ErrorDocument 404 /errors/404.html
Options Indexes MultiViews
Global Configuration Section
Common directives for the global configuration section include the following. The default values reflect the values found in the default configuration file included with Red Hat Enterprise Linux.
ServerRoot
Directory that contains the configuration files, error messages, and log files. Do not add a forward slash at the end of the directory path. Default value: /etc/httpd
Listen
Port number on which to listen for nonsecure (http) transfers. To specify multiple ports, list them on separate lines with the Listen directive. To only listen on a specific network interface, specify it before the port number such as Listen 192.168.1.1:80. Default value: 80
SecureListen
Optional directive to configure a secure, encrypted SSL connection on a specific port, usually port 443.
Timeout
Amount of time, in seconds, the server will wait for the following events before failing:
· Receive a GET request
· Receive TCP packets on a POST or PUT request
· Receive ACKs on transmissions of TCP packets in responses
Default value: 120
KeepAlive
If set to On, more than one request is allowed per connection, also known as a persistent connection. Default value: Off
MaxKeepAliveRequests
If KeepAlive is set to On, number of requests allowed per connection. To allow unlimited requests, set this directive to 0. Default value: 100
KeepAliveTimeout
If KeepAlive is set to On, the amount of time, in seconds, the server will wait for additional requests from the same connection. The higher the number, the more httpd processes will wait for subsequent connections instead of accepting connections from new clients. Use caution when setting this value because waiting too long for subsequent connections might result in a slow response to new connections. Default value: 15
LoadModule
Module to be loaded. Be sure the module can be used for the version of Apache you are running. To load multiple modules, list them on separate lines, each preceded by the LoadModule directive.
User
Username or UID of the Apache process (httpd) owner. After the service is started as root, the process changes ownership to this user with fewer privileges. Default value: apache
Group
Group name or GID of the Apache process (httpd) group. To be used in conjunction with the User directive. Default value: apache
Main Server Section
Common directives for the main server section include
ServerAdmin
Email address or URL to be used as the contact link for the server administrator in error messages sent to clients. This directive can also be used in a virtual host declaration so each site can have different contact links.
ServerName
Hostname and port the server uses to identify itself to clients. This directive can also be specified in a virtual host section.
DocumentRoot
Location of files accessible by clients. By default, the Apache HTTP server in Red Hat Enterprise Linux is configured to serve files from the /var/www/html/ directory. The default web page of the server such as http://www.example.com/ must be located in this directory with a filename defined with the DirectoryIndex directive such as index.html. If subdirectories are created within /var/www/html/, they are also available on the website as subdirectories. For example, the /var/www/html/about/ directory translates to the http://www.example.com/about/ URL.
DirectoryIndex
List of index files to use when a directory such as http://www.example.com/ or http://www.example.com/about/ is requested. Multiple index pages can be listed, separated by a space. Possible values include index.html, index.php, and index.txt. This directive can be set inside a virtual host or directory section as well. It requires the mod_dir module to be loaded.
ErrorDocument
Provide a custom message, web page, or remote URL to display for HTTP error codes. If this directive is not defined, a default error message is displayed. This directive can be defined in a virtual host or directory section to further customize error messages. Specify different error codes and how to handle them on separate lines. The format is as follows:
ErrorDocument <code> <page>
where <code> is the HTTP error code such as 404 for page not found and 500 for a server error. The <page> can be one of the following:
· Location of a web page from the same server, starting with a forward slash. The page is relative to the DocumentRoot. It can be a server-side script.
· Remote URL. Specify the entire URL, including the http://. Example:
· Custom error message contained in quotation marks. Example: “Page not found on this server”
· The keyword default to display the default error message from the Apache
Options
Allow a particular server feature for the main server, in a virtual host declaration, or in a directory section. List multiple options on the same line separated by spaces. The following Options are available:
· All: All options except MultiViews.
· ExecCGI: Allow for the execution of CGI scripts using the mod_cgi module.
· FollowSymLinks: Follow symbolic links in the directory.
· Includes: Allow server-side includes with the mod_include module.
· IncludesNOEXEC: Allow server-side includes except for #exec cmd and #exec cgi. Using #include virtual, CGI scripts from directories listed with the ScriptAlias directive are still allowed.
· Indexes: If the DirectoryIndex directive is not used to define valid index pages, allow the mod_autoindex module to generate the index pages list.
· MultiViews: As provided by the mod_negotiation module, allow for the selection of the content according to what works best for the client based on the client’s browser, language, preferred encoding, and more.
· SymLinksIfOwnerMatch: Only follow symbolic links if the target file or directory is owned by the same user as the file or directory requested.
In the main server section, each directory that contains files accessible to remote systems from the Apache HTTP server can be configured separately as shown in the <Directory> sections in the following listing. <Directory> sections can also be configured within a virtual host section.
LISTING Example <Directory> Section
# Defaults for all directories
# Settings for DocumentRoot
Options Indexes MultiViews
# Settings for /legal/
ErrorDocument 404 /errors/legal/404.html
As you can see from the preceding listing, it is wise to set defaults for the root directory of the files accessible by Apache and then modify them per directory and subdirectory. Directives configured for a directory apply to that directory and any subdirectories unless a separate set of directives is provided for the subdirectory. If a directive is defined in the main server section as well as within a directory declaration, the value in the directory declaration is used for that particular directory.
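The inheritance rule above can be checked mechanically. The following Python sketch is an added example, not code from the original text or from the Apache project: it computes the Options in effect for a directory from its enclosing <Directory> sections and reports the ones a reviewer would normally question. The sample configuration, the function names, and the RISKY policy set are assumptions; the +/- merge rule is standard Apache behaviour not covered in this section, and .htaccess files, virtual hosts, and the server's built-in default are not modelled.

```python
ALL = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
       "Indexes", "SymLinksIfOwnerMatch"}  # "All" excludes MultiViews
RISKY = {"Indexes", "FollowSymLinks", "Includes", "ExecCGI"}  # assumed audit policy
SAMPLE = """
<Directory />
    Options FollowSymLinks
</Directory>
<Directory "/var/www/html">
    Options Indexes MultiViews
</Directory>
<Directory "/var/www/html/legal">
    Options -Indexes
</Directory>
"""  # constructed configuration, not from a real server

def parse_options(conf):
    """Map each <Directory> path (None = main server) to its Options lines."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, conf.splitlines())):
        if line.lower().startswith("<directory ") and line.endswith(">"):
            # Normalise to a trailing slash so prefix matching is exact.
            current = line[11:-1].strip().strip('"').rstrip("/") + "/"
        elif line.lower() == "</directory>":
            current = None
        elif line.split()[0].lower() == "options":
            sections.setdefault(current, []).append(line.split()[1:])
    return sections

def apply(opts, tokens):
    """Plain tokens replace the inherited set; +/- tokens adjust it."""
    opts = set(opts) if any(t[0] in "+-" for t in tokens) else set()
    for t in tokens:
        names = ALL if t.lstrip("+-") == "All" else {t.lstrip("+-")} - {"None"}
        opts = opts - names if t.startswith("-") else opts | names
    return opts

def effective_options(conf, directory):
    """Apply main-server Options, then matching sections, shortest path first."""
    sections = parse_options(conf)
    paths = [p for p in sections if p and (directory + "/").startswith(p)]
    opts = set()
    for p in [None] + sorted(paths, key=len):
        for tokens in sections.get(p, []):
            opts = apply(opts, tokens)
    return opts

def audit(conf, directory):
    """Return the risky options in effect for a directory, sorted."""
    return sorted(effective_options(conf, directory) & RISKY)
```

With the sample above, /var/www/html and its subdirectories keep Indexes because the more specific section replaces the root default, while /var/www/html/legal drops it through the -Indexes adjustment.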
Virtual Host Sections
To serve more than one website from the same Apache HTTP server, you need to configure virtual hosts. There are two types of virtual hosts: name-based and IP-based. Name-based virtual hosting means that multiple names are running on each IP address. IP-based virtual hosting means that a different IP address exists for each website served. Most configurations are name-based because this type requires only one IP address; it is the type discussed in this section.
Virtual hosts are configured one at a time, usually at the end of the httpd.conf file. An example is shown in the following listing.
LISTING Example Virtual Host
#Enable name-based virtual hosting
#add other directives here
Notice the NameVirtualHost directive must be set to enable name-based virtual hosting. The * in the value (and in the <VirtualHost> values) means requests are answered from all server IP addresses that the Apache HTTP server is configured to listen on with the Listen and SecureListen directives.
Most of the directives that can be configured in the main server section can be configured in a virtual host section. The ServerName and DocumentRoot directives are required in a virtual host section so the server knows which website the virtual host is for and where the files being served for the site are located.
The Apache HTTP server supports the loading of modules to implement additional features. Examples include mod_log_config for customizing log files, mod_alias for URL redirection, and mod_cgi for executing CGI scripts.
For each module you want to load, add a line similar to the following in the global configuration section of httpd.conf (replace module_name and module_filename.so):
LoadModule module_name modules/module_filename.so
After listing the module with the LoadModule directive, include any of the directives from the module in the appropriate httpd.conf sections.
By default, log messages from the Apache HTTP server are written to the /var/log/httpd/ directory. When a file is transferred to a client, information such as the IP address of the client, the file transferred, a time stamp, and the client’s browser is written to the transfer log. By default, the transfer log is set to access_log in the /var/log/httpd/ directory.
Error messages and messages from starting and stopping the server are written to the error_log file. If you have enabled SSL connections on the web server, any secure transfers are recorded in ssl_access_log, and any server messages are written to ssl_error_log.
These log files are rotated using the logrotate utility. By default, new log files are started every week, and four weeks of log files are kept.
The following directives control logging:
TransferLog
Filename for the transfer log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/access_log
ErrorLog
Filename for the error log. If the filename does not begin with a forward slash (/), it is relative to the server root. Default value: logs/error_log
LogFormat
Format used when writing log messages. Refer to the apache.org directive page for details on the available formats. The mod_log_config module must be loaded for this directive.
LogLevel
Level of log messages written to the error log file. Possible values include debug, info, notice, warn, error, crit, alert, and emerg. The debug log level produces the most messages, and emerg only logs messages about the system being unusable. Default value: warn
CustomLog
Sets the filename of the transfer log and format of the log file. Can be used instead of using both TransferLog and LogFormat. Refer to the apache.org directive page for details. The mod_log_config module must be loaded for this directive.
Starting and Stopping the Server
Even though a non-root user such as apache owns the httpd processes, you still must be root to start and stop the service. Now that you have the basic settings configured, use the service httpd start command as root to start the server. If all goes well, the server will start. If you have a syntax error in the configuration file, a message is displayed to let you know the server hasn’t been started and gives a hint on where the syntax error is located. Also check the error log file as defined with the ErrorLog directive for messages.
If the web server is already running, the service httpd reload command must be run before the changes take effect. To stop the server, use the service httpd stop command. To configure the web service to start automatically at boot time, execute the chkconfig httpd on command as root.
Apache HTTP Server and SELinux
If SELinux, a mandatory access control security system, is enabled, the default targeted policy protects the Apache HTTP daemon.
All files accessed via the web server must be labeled with the proper security context. For example, if SELinux is enabled and the DocumentRoot location is modified, the SELinux security context of the new location must be changed. A list of valid security contexts and their usages is given in the httpd_selinux man page, which can be read with the man httpd_selinux command. The targeted SELinux policy allows for CGI scripts and allows the Apache HTTP Server to read home directories. Other features such as allowing Apache to run as an FTP server are not allowed by default to increase security. SELinux booleans must be explicitly set to 1 to allow these additional features. All of the SELinux booleans that affect the Apache HTTP server are described in the same man page.
These SELinux booleans can be set with the setsebool command or with the SELinux Management Tool. To use the SELinux Management Tool, start it by selecting Administration, SELinux Management from the System menu on the top panel of the desktop or by executing the system-config-selinux command. Enter the root password when prompted if running as a non-root user. Select Boolean from the list on the left. On the right, click the triangle icon next to HTTPD Service to view a list of booleans.
By default, the Apache HTTP server uses TCP and UDP port 80 for HTTP transfers and TCP and UDP port 443 for HTTPS secure transfers. Verify that your firewall settings allow incoming requests from port 80 if serving non-encrypted web pages and port 443 if serving encrypted pages.
If custom IPTables rules are being used, If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool to allow the system to serve web pages. Start the application by clicking on the System menu on the top panel of the desktop and then selecting Administration, Security Level and Firewall or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. Select the WWW (HTTP) option in the Trusted services section to allow requests on port 80, and select the Secure WWW (HTTPS) option to allow secure requests on port 443. Click OK to enable the changes immediately.