fp-wiki>ImportUser (Imported from MoinMoin) |
Yanglifu90 (talk | contribs) |
||
(9 intermediate revisions by 5 users not shown) | |||
Line 15: | Line 15: | ||
</pre> | </pre> | ||
In addition to the<code>httpd</code> package, the command above installs software needed to run Apache with the support for database driven web sites, support for common web scripting languages, such as <code>PHP</code>, <code>perl</code>, and <code>python</code>, Apache documentation provided by <code>httpd-manual</code> rpm package and support for serving secure, encrypted content through <code>HTTPS</code> protocol. | In addition to the <code>httpd</code> package, the command above installs software needed to run Apache with the support for database driven web sites, support for common web scripting languages, such as <code>PHP</code>, <code>perl</code>, and <code>python</code>, Apache documentation provided by <code>httpd-manual</code> rpm package and support for serving secure, encrypted content through <code>HTTPS</code> protocol. | ||
{{Admon/tip|The <code>Web Server</code> package group can be installed during Fedora installation, using the option to customize software packages."}} | |||
To start the Apache server, run: | To start the Apache server, run: | ||
<pre>su -c " | <pre> su -c "systemctl start httpd.service"</pre> | ||
</pre> | |||
To test the correct operation of the Apache server, point the web browser to <code>http://localhost</code>. If the browser displays ''Fedora Test Page'', the Apache is installed correctly. | To test the correct operation of the Apache server, point the web browser to <code>http://localhost</code>. If the browser displays ''Fedora Test Page'', the Apache is installed correctly. | ||
Line 28: | Line 27: | ||
To configure the Apache server to start at the boot time, run: | To configure the Apache server to start at the boot time, run: | ||
<pre>su -c " | <pre>su -c "systemctl enable httpd.service"</pre> | ||
</pre> | |||
=== Configuring Apache web server === | === Configuring Apache web server === | ||
Line 35: | Line 33: | ||
There are a few characteristic directories that contain files needed for proper operation of the Apache web server: | There are a few characteristic directories that contain files needed for proper operation of the Apache web server: | ||
/etc/httpd:: The location of Apache configuration files, referred to as <code>Server</code><code>Root</code>. | <code>/etc/httpd</code>:: The location of Apache configuration files, referred to as <code>Server</code><code>Root</code>. | ||
/usr/lib/httpd/modules:: The location of various Apache modules, loaded on demand from the main configuration file. | <code>/usr/lib/httpd/modules</code>:: The location of various Apache modules, loaded on demand from the main configuration file. | ||
/var/www:: Default location for storing web site content. | <code>/var/www/html</code>:: Default location for storing web site content, referred to as <code>DocumentRoot</code>. | ||
/var/log/httpd:: The location of the Apache log files. | <code>/var/log/httpd</code>:: The location of the Apache log files. | ||
The main Apache configuration file is <code>/etc/httpd/conf/httpd.conf</code>. At the minimum, there are only two directives in this file that need to be specified to enable Apache to serve the content over the Internet, The name to which server responds and the location of the web site content on the system. To serve the web content for '''www.example.com''', these two entries are: | The main Apache configuration file is <code>/etc/httpd/conf/httpd.conf</code>. At the minimum, there are only two directives in this file that need to be specified to enable Apache to serve the content over the Internet, The name to which server responds and the location of the web site content on the system. To serve the web content for '''www.example.com''', these two entries are: | ||
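Review bot: On the /var/www/html row, the new text writes DocumentRoot as a single code span, while the /etc/httpd row two lines up still has ServerRoot split into two adjacent code spans, a leftover of the MoinMoin import. Joining it in the same edit would keep the list consistent. The unchanged paragraph below also still reads "the Internet, The name", which wants a colon and a lower-case "the".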
Line 51: | Line 49: | ||
Reload the configuration file for these changes to take effect: | Reload the configuration file for these changes to take effect: | ||
<pre>su -c " | <pre>su -c "systemctl reload httpd.service"</pre> | ||
</pre> | |||
{{Admon/note|This configuration assumes that www.example.com resolves correctly in DNS and that the content for the web site is in the <code>/var/www/html</code>, the default <code>Document</code><code>Root</code> in Fedora."}} | |||
<code>/etc/httpd/conf/httpd.conf</code> file includes instructions for almost all of the configuration options in the form of comments, ie. the lines beginning with <code>#</code> character. This feature makes the configuration file very long and does not allow quick changes to it. However, the <code>Include</code> directive within a file provides a way for splitting the configuration file into smaller, more manageable sections. The line: | <code>/etc/httpd/conf/httpd.conf</code> file includes instructions for almost all of the configuration options in the form of comments, ie. the lines beginning with <code>#</code> character. This feature makes the configuration file very long and does not allow quick changes to it. However, the <code>Include</code> directive within a file provides a way for splitting the configuration file into smaller, more manageable sections. The line: | ||
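Review bot: The Admon/note on the left-hand side, which stated that the configuration assumes www.example.com resolves in DNS and that the content lives in /var/www/html, is dropped with nothing on the right replacing it. The fix to the reload command is fine, but that assumption is what makes the two-directive example work, so consider keeping it as a plain sentence (without the stray quote before the closing braces) rather than deleting it.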
Line 70: | Line 67: | ||
* <code>Time</code><code>Out</code> instructs the <code>httpd</code> daemon when to stop responding if it is under heavy load. | * <code>Time</code><code>Out</code> instructs the <code>httpd</code> daemon when to stop responding if it is under heavy load. | ||
{{Admon/warning|Apache performance tuning is the art of managing the trade-off against the benefit. It requires good understanding of the server's capabilities and seldom improves by including arbitrary parameters.}} | |||
* '''Log configuration''': | * '''Log configuration''': | ||
Line 77: | Line 74: | ||
* <code>Custom</code><code>Log</code> points to the location where the requests are logged. | * <code>Custom</code><code>Log</code> points to the location where the requests are logged. | ||
{{Admon/tip|The Apache web server logs the requests and errors to <code>/var/log/httpd/access_log</code> and <code>/var/log/httpd/error_log</code> by default.}} | |||
* '''Other configuration options''': | * '''Other configuration options''': | ||
Line 86: | Line 83: | ||
* <code>Add</code><code>Handler</code> maps scripts to script handlers, such as <code>.cgi</code>, <code>.php</code>, etc. | * <code>Add</code><code>Handler</code> maps scripts to script handlers, such as <code>.cgi</code>, <code>.php</code>, etc. | ||
{{Admon/note|Refer to the Apache documentation in the Additional Information section for the extensive list of the Apache configuration options and their usage.}} | |||
=== Virtual Hosts === | === Virtual Hosts === | ||
Line 123: | Line 120: | ||
The order in which the virtual hosts are listed is significant to the extent that the Apache will always serve the content from the first listed virtual host in case the request was made for the site that is resolvable in DNS but not defined as a <code>Server</code><code>Name</code> or a <code>Server</code><code>Alias</code>. | The order in which the virtual hosts are listed is significant to the extent that the Apache will always serve the content from the first listed virtual host in case the request was made for the site that is resolvable in DNS but not defined as a <code>Server</code><code>Name</code> or a <code>Server</code><code>Alias</code>. | ||
{{Admon/tip|Once the first <code>Virtual</code><code>Host</code> is defined, all of the content served by Apache must also be moved into virtual hosts.}} | |||
=== Security Considerations === | === Security Considerations === | ||
Line 131: | Line 128: | ||
By default, the <code>httpd</code> daemon runs as the user and group <code>apache</code>. Therefore, all files that the <code>httpd</code> needs to access to operate properly must be accessible by user <code>apache</code>. The safe way to accomplish this is to set the ownership on all of the files to another user and allow read-only access to all other users. For example, to allow read-only access to www.foobar.com content, so it can be served over the Internet, run the following: | By default, the <code>httpd</code> daemon runs as the user and group <code>apache</code>. Therefore, all files that the <code>httpd</code> needs to access to operate properly must be accessible by user <code>apache</code>. The safe way to accomplish this is to set the ownership on all of the files to another user and allow read-only access to all other users. For example, to allow read-only access to www.foobar.com content, so it can be served over the Internet, run the following: | ||
<pre>su -c "/bin/chown -R root | <pre>su -c "/bin/chown -R root:root /var/www/virtual/foobar.com" | ||
su -c "/bin/chmod 755 /var/www/virtual/foobar.com /var/www/virtual/foobar.com/html" | su -c "/bin/chmod 755 /var/www/virtual/foobar.com /var/www/virtual/foobar.com/html" | ||
su -c "/bin/chmod 644 /var/www/virtual/foobar.com/html/*" | su -c "/bin/chmod 644 /var/www/virtual/foobar.com/html/*" | ||
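Review bot: The third command, chmod 644 /var/www/virtual/foobar.com/html/*, is carried over unchanged and only reaches the first level under html; it also matches any subdirectory there and clears its execute bit, so httpd can no longer enter it. While fixing the owner to root:root, consider replacing the glob with a recursive form that sets directories to 755 and regular files to 644 separately, for example with find -type d and find -type f.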
Line 184: | Line 181: | ||
* <code>/var/www/manual</code> - requires <code>httpd-manual</code> rpm package | * <code>/var/www/manual</code> - requires <code>httpd-manual</code> rpm package | ||
[[Category:Administration Guide]] |
Latest revision as of 14:15, 9 July 2013
Apache web server
Installing Apache Web Server
The basic Apache functionality, serving static web sites, is provided by the httpd rpm package. To install Apache, run:
su -c "/usr/bin/yum install httpd"
Unless the requirement is to run a very basic web site, the more convenient way of installing the Apache web server is:
su -c "/usr/bin/yum groupinstall 'Web Server'"
In addition to the httpd package, the command above installs the software needed to run Apache with support for database-driven web sites and for common web scripting languages such as PHP, perl, and python, the Apache documentation provided by the httpd-manual rpm package, and support for serving secure, encrypted content over the HTTPS protocol.
To start the Apache server, run:
su -c "systemctl start httpd.service"
To test the correct operation of the Apache server, point the web browser to http://localhost. If the browser displays Fedora Test Page, Apache is installed correctly.
To configure the Apache server to start at boot time, run:
su -c "systemctl enable httpd.service"
Configuring Apache web server
There are a few characteristic directories that contain files needed for proper operation of the Apache web server:
- /etc/httpd: The location of Apache configuration files, referred to as ServerRoot.
- /usr/lib/httpd/modules: The location of various Apache modules, loaded on demand from the main configuration file.
- /var/www/html: Default location for storing web site content, referred to as DocumentRoot.
- /var/log/httpd: The location of the Apache log files.
The main Apache configuration file is /etc/httpd/conf/httpd.conf. At a minimum, only two directives in this file need to be specified for Apache to serve content over the Internet: the name to which the server responds and the location of the web site content on the system. To serve the web content for www.example.com, these two entries are:
ServerName www.example.com:80
DocumentRoot "/var/www/html"
Reload the configuration file for these changes to take effect:
su -c "systemctl reload httpd.service"
The /etc/httpd/conf/httpd.conf file includes instructions for almost all of the configuration options in the form of comments, i.e. the lines beginning with the # character. This makes the configuration file very long and hard to change quickly. However, the Include directive provides a way of splitting the configuration file into smaller, more manageable sections. The line:
Include conf.d/*.conf
causes the httpd daemon to read all *.conf files placed in the /etc/httpd/conf.d directory, in addition to the main configuration file, during the start-up process. The common use of conf.d/*.conf files is to keep separate configuration files for various Apache extensions or virtual hosts.
/etc/httpd/conf/httpd.conf includes numerous options for configuring the Apache web server. Other notable options are:
- Performance tuning:
  - MaxClients limits the number of allowed simultaneous connections to the server and works together with the ServerLimit option.
  - KeepAlive allows for a number of concurrent HTTP requests over a single TCP connection.
  - TimeOut instructs the httpd daemon when to stop responding if it is under heavy load.
- Log configuration:
  - ErrorLog points to the location where the server's errors are logged.
  - LogLevel sets the verbosity of the ErrorLog entries.
  - CustomLog points to the location where the requests are logged.
- Other configuration options:
  - AddLanguage associates files with certain extension to certain languages. Useful when the web server serves pages in multiple languages.
  - LoadModule loads dynamically shared objects.
  - ScriptAlias specifies the location of CGI scripts.
  - ServerAdmin specifies who is the server administrator.
  - AddHandler maps scripts to script handlers, such as .cgi, .php, etc.
Virtual Hosts
The Apache web server can serve the content for multiple sites from a single server through the concept of Virtual Hosts. Virtual hosts can be configured in two ways:
- IP based Virtual Hosts:
  - Each virtual host has its own IP address and port combination.
  - Required for serving HTTPS requests, due to restrictions in the SSL protocol.
- Name based Virtual Hosts:
  - All virtual hosts share the common IP address.
  - The Apache web server responds to the request by mapping the Host header in the request to the ServerName and ServerAlias directives in the particular virtual host's configuration file.
An example of a simple name-based virtual host configuration:
# global configuration options
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName localhost
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/virtual/example.com/html
</VirtualHost>
<VirtualHost *:80>
    ServerName foobar.com
    ServerAlias www.foobar.com
    DocumentRoot /var/www/virtual/foobar.com/html
</VirtualHost>
The order in which the virtual hosts are listed is significant: Apache always serves the content from the first listed virtual host when a request is made for a site that is resolvable in DNS but not defined as a ServerName or a ServerAlias.
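The name matching and first-listed fallback described above, modelled in shell as an added example (not part of the original page and not Apache's own code). The function names sample_conf and select_vhost and the Host values are made up for illustration; only exact ServerName and ServerAlias names are compared, without wildcards.

```shell
#!/bin/sh
# Added example. sample_conf reproduces the name-based configuration shown above.
sample_conf() {
    cat <<'EOF'
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName localhost
</VirtualHost>
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/virtual/example.com/html
</VirtualHost>
<VirtualHost *:80>
    ServerName foobar.com
    ServerAlias www.foobar.com
    DocumentRoot /var/www/virtual/foobar.com/html
</VirtualHost>
EOF
}

# select_vhost HOST: read a configuration on stdin and print the ServerName of
# the virtual host that would answer a request carrying "Host: HOST".
select_vhost() {
    awk -v host="$1" '
        function norm(s) { s = tolower(s); sub(/:[0-9]+$/, "", s); return s }
        BEGIN { host = norm(host) }
        /^[ \t]*<VirtualHost/   { n++; inside = 1; next }
        /^[ \t]*<\/VirtualHost/ { inside = 0; next }
        !inside                 { next }
        tolower($1) == "servername" {
            name[n] = $2
            if (!hit && norm($2) == host) hit = n
        }
        tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++) if (!hit && norm($i) == host) hit = n
        }
        END {
            if (n == 0) exit 1
            if (!hit) hit = 1   # no ServerName or ServerAlias matched: first listed vhost
            print name[hit]
        }
    '
}

# Constructed Host values: two configured names and one that no vhost claims.
for h in www.foobar.com EXAMPLE.com:80 unclaimed.example.net; do
    printf '%-24s -> %s\n' "$h" "$(sample_conf | select_vhost "$h")"
done
```

Because any unclaimed name lands in the first block, that block is the one to keep deliberately minimal.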
Security Considerations
Apache File Security
By default, the httpd daemon runs as the user and group apache. Therefore, all files that httpd needs to access to operate properly must be accessible by user apache. The safe way to accomplish this is to set the ownership on all of the files to another user and allow read-only access to all other users. For example, to allow read-only access to www.foobar.com content, so it can be served over the Internet, run the following:
su -c "/bin/chown -R root:root /var/www/virtual/foobar.com"
su -c "/bin/chmod 755 /var/www/virtual/foobar.com /var/www/virtual/foobar.com/html"
su -c "/bin/chmod 644 /var/www/virtual/foobar.com/html/*"
In case the content should be readable by Apache and nobody else, good practice is to change the group ownership to group apache and deny access to others.
User-level ownership of files should be granted to the apache user only if the web server is expected to modify the files, for example, through the use of CGI scripts.
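The ownership and mode rules above, as an added shell example that is not part of the original page: set_readonly_perms applies the 755/644 scheme at every depth (the html/* glob reaches only the first level and would also clear the search bit on a subdirectory), and audit_docroot reports anything that departs from it. Both function names and the finding labels are made up for this example; the server account defaults to apache.

```shell
#!/bin/sh
# Added example: recursive form of the read-only scheme, plus an audit of a content tree.

# set_readonly_perms DIR: directories 755, regular files 644, at every depth.
set_readonly_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# audit_docroot DIR [SERVER_USER]: print one finding per line, nothing if the tree is clean.
audit_docroot() {
    root=$1
    user=${2:-apache}          # assumed server account; override for other setups
    # Group- or world-writable entries can be changed by accounts other than the owner.
    find "$root" ! -type l \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/WRITABLE /'
    # A directory without r-x for others cannot be listed or entered by httpd.
    find "$root" -type d ! -perm -0005 -print | sed 's/^/DIR_NOT_TRAVERSABLE /'
    # A file without r for others cannot be served under the read-only scheme.
    find "$root" -type f ! -perm -0004 -print | sed 's/^/FILE_NOT_READABLE /'
    # Files owned by the server account can be rewritten by the server process itself.
    if id "$user" >/dev/null 2>&1; then
        find "$root" -user "$user" -print | sed 's/^/OWNED_BY_SERVER /'
    fi
}

# When run as a script with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    audit_docroot "$@"
fi
```

The ownership change itself (chown -R root:root) still has to be run as root, as in the commands above.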
Apache Access Controls
To control access to the content served by the Apache web server, use the Order, Deny, and Allow directives within the Directory container directive. To allow access to the content of www.foobar.com:
<Directory /var/www/virtual/foobar.com/html>
    Order deny,allow
</Directory>
The Order directive controls how access to the content is evaluated and sets the default precedence if Allow and Deny directives are not defined:
- Order deny,allow defaults to "allow access"
- Order allow,deny defaults to "deny access"
The latter value in the Order directive always overrides the former. For example, to allow access to all hosts on the 192.168.1 subnet and deny the host with the 192.168.1.66 IP address, add these options:
<Directory /var/www/virtual/foobar.com/html/priv>
    Order allow,deny
    Allow from 192.168.1.
    Deny from 192.168.1.66
</Directory>
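The evaluation rules above, modelled as a small shell function (an added example, not part of the original page or of Apache itself). The function names and client addresses are made up for illustration, and patterns are limited to all, full IPv4 addresses and partial prefixes such as 192.168.1.; hostnames and netmasks are not handled.

```shell
#!/bin/sh
# Added example: how Order decides between matching Allow and Deny lists.

# matches_any IP "PATTERN ...": succeed if IP matches one of the patterns.
matches_any() {
    ip=$1
    for pat in $2; do
        case $pat in
            all) return 0 ;;
            *.)  ;;                  # partial address already ends on an octet boundary
            *)   pat="$pat." ;;      # so that 192.168.1 cannot match 192.168.10.x
        esac
        case "$ip." in
            "$pat"*) return 0 ;;
        esac
    done
    return 1
}

# access_decision ORDER ALLOW_LIST DENY_LIST IP: print "allow" or "deny".
access_decision() {
    order=$1 allow=$2 deny=$3 ip=$4
    a=no
    d=no
    matches_any "$ip" "$allow" && a=yes
    matches_any "$ip" "$deny" && d=yes
    case $order in
        allow,deny)   # default is deny, and a matching Deny overrides a matching Allow
            if [ "$a" = yes ] && [ "$d" = no ]; then echo allow; else echo deny; fi ;;
        deny,allow)   # default is allow, and a matching Allow overrides a matching Deny
            if [ "$d" = yes ] && [ "$a" = no ]; then echo deny; else echo allow; fi ;;
        *)
            echo "unknown Order value: $order" >&2
            return 2 ;;
    esac
}

# The /priv example from the text, checked for three constructed client addresses.
for client in 192.168.1.10 192.168.1.66 10.0.0.5; do
    printf '%-13s %s\n' "$client" \
        "$(access_decision allow,deny '192.168.1.' '192.168.1.66' "$client")"
done
```

With the same two lists under Order deny,allow, 192.168.1.66 would be let in, because the matching Allow is then evaluated last.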
SELinux Notes
The best way to avoid SELinux errors while running Apache is to store the Apache related files in the default system locations. If this is not possible, the solution is to change the SELinux context on non-standard directories, using default ones as a reference:
su -c "/usr/bin/chcon -R --reference=/etc/httpd/conf /path/to/new/conf"
or
su -c "/usr/bin/chcon -R --reference=/var/www/html /path/to/site/content"
Additional Information
Related Web Sites
Installed Documentation
- /var/www/manual - requires httpd-manual rpm package