apache by sai vasanth

APACHE

If you intend to set up a web server in your boss machine, apache is one important module that you must install. In this tutorial, we will show you how to install and configure apache for your boss.

Installing Apache: Getting apache onto your boss machine is easy. Using either the Synaptic Package Manager(System->Administrator -->, Synaptic Package Manager) search and install the “apache2” module. Alternatively, you can open a terminal and type the following command: sudo apt-get install apache2 Once the installation finished, open a browser and go to the URL “http://localhost“. If you see the word “It Works!“, then your installation of apache is successful.

Configuring Apache : After you have installed Apache, it will be added to the init.d list and will auto start whenever you boot up your computer. The following commands allow you to start, restart, stop Apache. sudo /etc/init.d/apache2 start

#start apache

sudo /etc/init.d/apache2 stop

#stop apache

sudo /etc/init.d/apache2 restart #restart apache

Changing the default localhost folder By default, apache will operate on the “/var/www” folder. This means that whatever files you place in this /var/www folder will be visible from the URL http://localhost. In some instances, you may want the “localhost” to point to another folder instead, say /root/sai /public_html. Here is how you do it: Step 1: First, make sure the /root/sai/public_html folder exists. Create a simple html file, name it index.html and place it in the public_html folder. Step 2: Open a terminal and type: /etc/apache2/sites-enabled/000-default

Change DocumentRoot /var/www to DocumentRoot /root/sai/public_html. Change <Directory /var/www/> to <Directory /root/sai/public_html/>.

Save and exit the file. Restart the apache sudo /etc/init.d/apache2 restart

APACHE FOLDERS: move into the config folder and have a look: command cd /etc/apache2 ls

The folders are highlighted in blue. Let's look at those first:

sites-available : Inside sites-available will be files containing the configurations for each site you want to serve - these are known as vhosts or virtual hosts. Have a look now and see that there is one site (default) available: ls sites-available/ ... default default-ssl The apache install has a 'default' and a 'default-ssl' Do note that a file in sites-available does not mean they are active. They are simply available for serving if you enable them.

Sites-enabled : This folder contains symlinks to the sites you actually want to serve. For example, you could have two vhosts configured and ready to use in the sites-available folder, but only one of them enabled. Only the one symlinked from the sites-enabled folder would be served.

Have a look at the default contents: ls -l sites-enabled ... lrwxrwxrwx 1 root root 26 Nov 28 22:38 000-default This means that the 'default' site has been enabled - the symlink named '000-default' links to the 'default' file in the sites-available folder. Without the symlink in this folder it would remain available (in the sites-available folder) but not active.

Mods-available : Well, I guess you get the idea already but this folder holds the modules that are available to be loaded. Have a look: ls mods-available A fair list is available from our base install but remember that they are not all enabled, merely available for use. Just as with the vhosts files, any modules that we want to use must be enabled.

Mods-enabled : This folder contains symlinks to the modules that we want enabled. Have a look and compare it to the list of modules available: ls mods-enabled This list is a lot shorter than the list of available modules (meaning not all the available modules are enabled) and includes php5.conf - which is handy as we installed PHP5 earlier.

a2en and a2dis: How to enable and disable your sites and modules? There are some commands that make this process much easier. They are a2dissite, a2ensite, a2dismod and a2enmod.

a2dissite :

This will delete the symlink to a site you have previously enabled. For example, let's disable the default site: sudo a2dissite default The symlink in sites-enabled has been deleted and the output is as follows: Site default disabled. Run '/etc/init.d/apache2 reload' to activate new configuration! Reload Apache as indicated to ensure the site is fully disabled:

sudo /etc/init.d/apache2 reload

Note the main vhosts file in sites-available is still there - all the a2dissite command did was remove the symlink in the sites-enabled folder.

a2ensite : Let's enable the default site again: sudo a2ensite default The output: Enabling site default. Run '/etc/init.d/apache2 reload' to activate new configuration! Reload Apache: sudo /etc/init.d/apache2 reload Visit your http://localhost - the default 'It works!' page is being served again.

a2dismod : In the same way as just shown, a2dismod will disable any modules you have previously enabled: sudo a2dismod php5 The output: Module php5 disabled. Run '/etc/init.d/apache2 restart' to activate new configuration! That will disable the php5 module and if you look in the mods-enabled folder, you will see that the symlinks php5.conf and php5.load have been deleted.

a2enmod : I reckon you've got it now, but to enable the php5 module simply enter: sudo a2enmod php5 The output: Enabling module php5.

Run '/etc/init.d/apache2 restart' to activate new configuration! And a quick check will show that indeed, the php5.conf and php5.load symlinks are back in the modsenabled folder.

Apache2.conf The default Apache2 configuration file is /etc/apache2/apache2.conf . You can edit this file to configure the Apache2 server. You can configure the port number, document root, modules, log files, virtual hosts, etc. Global Environment The directives in this section affect the overall operation of Apache, such as the number of concurrent requests it can handle or where it can find its configuration files. ServerRoot The top of the directory tree under which the server's configuration, error, and log files are kept. PidFile: PidFile: The file in which the server should record its process identification number when it starts. ErrorLog: The location of the error log file. If you do not specify an ErrorLog directive within a <VirtualHost> container, error messages relating to that virtual host will be logged here. If you *do* define an error logfile for a <VirtualHost> container, that host's errors will be logged there and not here.

Include module configuration: Ex: Include mods-enabled/*.load Include mods-enabled/*.conf

conf.d Files in this directory are included by this line in apache2.conf:# Include generic snippets of statements Include/etc/apache2/conf.d/ This is a good place to add additional configuration directives. Contains configuration files which apply globally to Apache2 The conf.d directory is meant to hold "generic snippets of statements", according to the apache folks. You got a look at it when we were installing apache and wanted to set the ServerName directive. Rather than edit the main config file, we created a new file in conf.d to hold the ServerName directive. When adding a directive to apache that doesn't belong somewhere else, consider putting it in a file in conf.d instead of editing the main config file. Using conf.d makes it easier to isolate a recent configuration change (by checking modification dates), lets you find directives you've added quicker, and reduces the risk that you could make a bad edit in the main config file.

ports.conf The ports.conf file contains the instructions to apache to listen to port 80 (the default port for HTTP traffic), as well as port 443 if SSL support is installed. If you want apache to listen to additional ports, just add more "Listen" directives. If you want to fix it so apache is listening to a port other than port 80, just change that entry in ports.conf.

envvars The "envvars" file contains some environment variables that are used by some apache-related scripts, like apache2ctl. You should only need to modify this file if you change the user and group apache runs under. httpd.conf The httpd.conf file is empty by default. Normally the main Apache configuration file is called httpd.conf. Although that file exists on Debian, it is only there for compatibility with other software that expects it to exist. The real configuration starts with the file apache2.conf

Magic Magic data for mod_mime_magic Apache module, documented in htdocs/manual/mod/mod_mime_magic.html. You probably donâ&#x20AC;&#x2122;t need to touch this.

Apache Virtual Hosting: Apache supports both IP-based and name-based virtual hosting, allowing you to host multiple domains on a single server. Multiple Web Sites:(name-based virtual hosts.) If you want to host multiple Web sites on your server (i.e. use the Virtual Hosts feature of Apache) you'll need to set things up a little differently. In the following examples we're going to set up the following three Web sites: exp1.com, exp2.com, Because the 'www' DNS records for each of these domains are all going to point to the same IP address (and all use the same port 80) we'll be using Apache's name-based virtual hosts. With name-based virtual hosts, the browser includes the domain name in the HTTP request it sends to the IP address of the Web server. This is how Apache knows which Web site is being requested. Very early browsers didn't support name-based virtual hosts but all current browsers do. Step 1: create a 'example' folder in /var/www directory cd /var/www mkdir example Step 2: Now for each domain we want to host create a folder with a standard set of sub-folders mkdir -p example/exp1.com/{public,private,log,cgi-bin,backup} mkdir -p example/exp2.com/{public,private,log,cgi-bin,backup} That will create the folders public, private, log, cgi-bin and backup for each of our domains Step 3: index.html The content of the public folder is, naturally, up to you but for this example I am going to use a very simple html file so we can check the virtual hosts work. So for each domain create an index.html file:

nano example/exp1.com/public/index.html add the following to the index.html file: <html>

<head> <title>domain1.com</title> </head> <body> <h1>domain1.com</h1> </body> </html> Repeat the process so you have a similar file for exp2.com (simply replace all instances of 'exp1.com' with 'exp2.com). OK. Now we have a basic structure for our two domains we can look at defining two virtual hosts.

Custom VirtualHost We've set up the basics and now we're ready to add our own virtual hosts so we can start to serve our domains. Let's go ahead and create the vhost file for exp1: The contents look like this: # Place any notes or comments you have here

# It will make any customisation easier to understand in the weeks to come # domain: domain1.com # public: /var/www/example/exp1.com/ <VirtualHost *:80> # Admin email, Server Name (domain name) and any aliases ServerAdmin webmaster@exp1.com ServerName exp1.com

ServerAlias www.exp1.com

# Index file and Document Root (where the public files are located) DirectoryIndex index.html DocumentRoot /var/www/example/exp1.com/public # Custom log file locations LogLevel warn ErrorLog /var/www/example/exp1.com/log/error.log CustomLog /var/www/example/exp1.com/log/access.log combined </VirtualHost>

a2ensite Now we have the site available, we need to enable it: sudo a2ensite exp1.com The output of the command is: Site exp1.com installed; run /etc/init.d/apache2 reload to enable.

Seems like good advice: sudo /etc/init.d/apache2 reload

Navigate To test the domain without creating a DNS zone and record(s) on some Internet namserver(s), I've modified the '/etc/hosts' file on my local computer to include some entries mapping 'exp1.com', etc. to the demo Slice's public IP: 127.0.0.1

...

localhost

# entries related to the demo slice 192.168.36.18 domain1.com 192.168.36.18 www.domain1.com 192.168.36.18 domain2.com You can add similar entries in your own 'hosts' file, though it's location will vary depending on what OS is loaded on your local computer NOTE: entries in the 'hosts' file will need to be removed prior to testing and using live DNS zones and records created on Internet nameservers. Failure to remove them will likely lead to confusion on your part and inaccurate tests of new or modified public DNS records. With such changes made for testing purposes, you can navigate to your site in a web browser on your local computer:

Repeat as necessary: To create and enable exp2.com simply go through the process again: sudo nano /etc/apache2/sites-available/domain2.com ... # Enter the details for domain2.com as per the example shown above Then enable the site and restart Apache: sudo a2ensite domain2.com

... sudo /etc/init.d/apache2 reload Finally navigate to your second domain: http://exp2.com

or http://www.exp2.com All being well, you will see the 'domain2.com' index file. Log Files: As defined in the vhosts file, each domain has its own log files. Let's take a quick look: ls /var/www/example/exp1.com/log/

The output is exactly as expected: access.log error.log This makes for much easier analysis as each set of logs is self contained.

Default : Remember that although we changed the default virtual host, we did leave it in place. Now, if someone enters the IP address of the Slice they are served the contents of that default vhosts file (providing, of course, you have not set up a separate vhost for the IP address). Why are they served from that vhost file? Apache searches the enabled vhosts in alphabetical order and if it can't find one for the requested IP address or domain name, it serves the first one (alphabetically). If we had disabled or deleted the default vhost, then the contents of exp1.com would be displayed (being before exp2.com alphabetically).

Enabling .htaccess file : .htaccess file is a powerful file that can be used to control and customize a site server behavior without editing the core Apache module. By default, the .htaccess functionality is turned off and all instances of .htaccess files are completely ignored. The server will not even attempt to read .htaccess files in the filesystem. To enable .htaccess file, open up the settings file that you have created earlier: nano/etc/apache2/sites-available/default Scroll down the file until you see the part â&#x20AC;&#x153;<Directory /var/www/>â&#x20AC;&#x153;. Underneath that line of code, change AllowOverride None to AllowOverride All.

Save and exit the file.

Set Apache Password Protected Directories With .htaccess File

Step # 1: Make sure Apache is configured to use .htaccess file

Step # 2: Create a password file with htpasswd htpasswd command is used to create and update the flat-files (text file) used to store usernames and password for basic authentication of Apache users. General syntax: htpasswd -c password-file username Step # 3: Create directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:# mkdir -p /home/secure/ Add new user called sai htpasswd -c /home/secure/apasswords sai Step # 4:

Make sure /home/secure/apasswords file is readable by Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to setup a correct permission using chown command. allow apache user www-data to read our password file: chown www-data:www-data /home/secure/apasswords chmod 0660 /home/secure/apasswords Step # 5: Now our user sai is added but you need to configure the Apache web server to request a password and tell the server which users are allowed access. Let us assume you have directory called /var/www/docs and you would like to protect it with a password. Create a directory /var/www/docs if it does not exist: mkdir -p /var/www/docs

Step # 6 : Create .htaccess file using text editor: cd /var/www/docs vi .htaccess

Add following text: AuthType Basic

AuthName "Restricted Access" AuthUserFile /home/secure/apasswords Require user sai Save file and exit to shell prompt. Step # 7: Test your configuration Fire your browser type url http://yourdomain.com/docs/ or http://localhost/docs/ or http://ipaddress/docs

Apache files location ServerRoot

DocumentRoot

/etc/apache2 ::

Apache Config Files ::

/var/www

/etc/apache2/apache2.conf

/etc/apache2/ports.conf

Default VHost Config :: /etc/apache2/sites-available/default, /etc/apache2/sites-enabled/000-default Module Locations :: enabled ErrorLog

AccessLog cgi-bin

/var/log/apache2/error.log

:: ::

binaries (apachectl)

/etc/apache2/mods-available, /etc/apache2/mods-

/var/log/apache2/access.log /usr/lib/cgi-bin ::

/usr/sbin

APACHE PERFORMANCE TUNNING

Compile-Time Configuration Options Load only the required modules : Run apache with only the required modules. This reduces the memory footprint and hence the server performance. Statically compiling modules will save RAM that's used for supporting dynamically loaded modules, but one has to recompile Apache whenever a module is to be added or dropped. This is where the DSO mechanism comes handy. Once the mod_so module is statically compiled, any other module can be added or dropped using the LoadModule command in httpd.conf file - of course, you will have to compile the modules using apxs if it wasn't compiled when the server was built. Choose appropriate MPM Apache server ships with a selection of Multi-Processing Modules (MPMs) which are responsible for binding to network ports on the machine, accepting requests, and dispatching children to handle the requests. Only one MPM can be loaded into the server at any time. Choosing an MPM depends on various factors such as whether the OS supports threads, how much memory is available, scalability versus stability, whether non-thread-safe third-party modules are used, etc.. Linux systems can choose to use a threaded MPM like worker or a non-threaded MPM like prefork: Worker MPM uses multiple child processes. It's multi-threaded within each child and each thread handles a single connection. Worker is fast and highly scalable and the memory footprint is comparatively low. It's well suited for multiple processors. On the other hand, worker is less tolerant to faulty modules and faulty threads can affect all the threads in a child process. Prefork MPM uses multiple child processes, each child handles one connection at a time. Prefork is well suited for single or double CPU systems, speed is comparable to that of worker and it's highly tolerant to faulty modules and crashing children. But the memory usage is high, more traffic leads to more memory usage.

Run-Time Configuration Options Hostname lookups Is HostNameLookups set to on Apache2 does a hostname lookup for every IP. You donâ&#x20AC;&#x2122;t need this functionality, because it has no impact on the response and it needs a lot of time. So, set this directive to off.

HostNameLookups Off AllowOverride If AllowOverride is not set to 'None', then Apache will attempt to open .htaccess file (as specified by AccessFileName directive) in each directory that it visits. For example: DocumentRoot /var/www/html <Directory /> AllowOverride all </Directory>If a request is made for URI /index.html, then Apache will attempt to open /.htaccess, /var/.htaccess, /var/www/.htaccess, and /var/www/html/.htaccess. These additional file system lookups add to the latency. If .htaccess is required for a particular directory, then enable it for that directory alone. Keep-alive To keep alive a HTTP connection means to let the file descriptors open to handle the next request (from the same user) faster. The idea of keep-alive is cool, but it only makes sense if you have a small amount of users. Otherwise you have open file descriptors that need unnecessary resources. So, it would be better to set this mechanism to Off to serve a high number of requests faster. Modify the configuration file: KeepAlive Off MaxKeepAliveRequests Default: MaxKeepAliveRequests 100 Now we have our persistent connection, set the maximum number of requests per connection. Keep this high for more efficiency. If you have a site with images, javascripts, etc, try increasing this to 200. KeepAliveTimeout Default: KeepAliveTimeout 15 So how long does the persistent connection wait for the next request? The default setting is very high and can easily be reduced to 2 or 3 seconds. If no new requests are received during this time the connection is killed.

What does this mean? Well, once a connection has been established and the client has requested the files needed for the web page, this setting says "sit there and ignore everyone else until the time limit is reached or you get a new request from the client". Why would you want a higher time? In cases where there will be a lot of interactivity on the site. However, in most cases, people will go to a page, read it for a while and then click for the next page. You don't want the connection sat there doing nothing and ignoring other users Timeout Default: Timeout 300 This sets (in simple terms) the maximum time, in seconds, to wait for a request, action it and the response to the request. The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, such as 45 or even lower. A decrease may also help in reducing the effects of a DOS attack. Adapt workers The optimal number of workers (multi-thread & multi-process module) is important for a well working webserver. On the one hand you can have to less workers and on the other hand you can have to much workers. Both cases are not desirable. The problem is, that you have to test the server under a realistic load. You can control the behavior of the Apache2 with the following calculation: # ServerLimit * ThreadsPerChild = MaxClients ThreadLimit 50 ServerLimit 30 StartServers 5 MaxClients 1500 MinSpareThreads 30 MaxSpareThreads 50 ThreadsPerChild 50 The setting depends on the power of the hardware. If you have a server that have only one task (to respond HTTP requests), you can increase this settings to make the server more powerful.

Apache benchmark To test your web server configuration/performance you can use ab (Apache Benchmark) which would be delivered with the Apache2 binary (If not, download it afterwards). You can use this benchmarking tool with: ab -n 1000 -c 100 http://example.com/ •

n: number of total requests

• c: number of concurrent requests • url: url to test The tool sends out 1000/100 waves with 100 concurrent requests. Note that you can plot the output with gnuplot.

Mod_expires Apache2 handles the expires header with mod_expires. The expires header is a HTTP header, that tells the browser, how long the transfered file is valid. You can turn on this module with typing: a2enmod expires into the shell. After that you can configure the web server (apache2.conf): <IfModule mod_expires.c> ExpiresActive On ExpiresByType text/html "access plus 2 hours" ExpiresByType text/xml "access plus 2 hours" ExpiresByType image/jpg "access plus 10 weeks" ExpiresByType image/gif "access plus 10 weeks" #add all types of tiles that you need </IfModule> The webserver then adds the expires header to the files. It automatically calculates the timestamp after your settings.

Mod_headers This module is used to append headers to the HTTP response. After enabling mod_headers with a2enmod headers you can use the functionality with adding the following line to the configuration file:

Header append Cache-Control "public"

Mod_deflate This module is used to compress the server output. You have to a2enmod this module and after that you can use it by typing this into the configuration file: SetOutputFiler DEFLATE <IfModule mod_deflate.c> AddOutputFilterByType DEFLATE text/plain text/html text/htm AddOutputFilterByType DEFLATE application/javascript #add all types that you need </IfModule>

mod_status : The Status module (mod_status) allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh.

The details given are: â&#x20AC;˘

The number of children serving requests. * The number of idle children. * The status of each child, the number of requests that child has performed and the total number of bytes served by the child (*) * A total number of accesses and byte count served (*). * The time the server was started/restarted and the time it has been running for * Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*). * The current percentage CPU used by each child and in total by Apache (*). * The current hosts and requests being processed (*).

â&#x20AC;˘

Details marked "(*)" are only available with ExtendedStatus On.

Configure Apache mod_status Open your httpd.conf file: # vi apache2.conf Add this lines <Location /server-status> SetHandler server-status Order Deny,Allow Deny from all Allow from 192.168.1.5 </Location> Replace 192.168.1.5 with your workstation IP address. Save and close the file. Restart the server. # /etc/init.d/httpd restart You can now access server statistics by using a Web browser to access the page http://your.server.name/server-status

Apache2 SSL Now we are going to setup SSL with apache2.

Install packages First make sure all needed packages are installed. sudo apt-get install apache2 libapache-mod-ssl

Generate the certificate Create a certificate which is valid for one year. sudo apache2-ssl-certificate -days 365

Enable the SSL module sudo a2enmod ssl Listen to port 443 sudo bash echo "Listen 443" >> /etc/apache2/ports.conf Create and enable the SSL site sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl Modify it so it looks something like this NameVirtualHost *:443 <virtualhost *:443> ServerAdmin webmaster@localhost SSLEngine On 1. Use pem instead of key in order not to be prompted for password. 2. Point where your crt and pem is stored as well. SSLCertificateFile /etc/apache2/ssl/certs/apache.crt SSLCertificateKeyFile /etc/apache2/apache-ssl/apache.pem DocumentRoot /var/www/ <directory />

Options FollowSymLinks AllowOverride None </directory> <directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all # This directive allows us to have apache2's default start page # in /apache2-default/, but still have / go to the right place # Commented out for Ubuntu #RedirectMatch ^/$ /apache2-default/ </directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <directory "/usr/lib/cgi-bin"> AllowOverride None Options ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined ServerSignature On Alias /doc/ "/usr/share/doc/" <directory "/usr/share/doc/">

Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </directory> </virtualhost> ...and enable it

sudo a2ensite ssl

Mod rewrite It's always good to force users to access things like webmail via https, this can be accomplished with mod_rewrite. First you'll have to enable the module sudo a2enmod rewrite Then add the following to /etc/apache2/sites-available/default RewriteEngine on RewriteCond

%{SERVER_PORT} ^80$

RewriteRule

^/webmail(.*)$ https://%{SERVER_NAME}/webmail$1 [L,R]

RewriteLog

"/var/log/apache2/rewrite.log"

RewriteLogLevel 2

If you want to force an SSL connection and redirect all traffic to port 80 to port 443 (HTTPS), use this instead: RewriteEngine on RewriteCond

%{SERVER_PORT} ^80$

RewriteRule

^(.*)$ https://%{SERVER_NAME}$1 [L,R]

I had trouble with the above working. I ended up with a 302 Found response with a bad URL. Instead, I found this achieved what I was looking for. I put this at the top of the file to force my whole server to use SSL: RewriteEngine on RewriteCond

%{HTTPS}!=on

RewriteRule

^(.*)$ https://servername/$1 [L,R]

Don't forget to restart apache sudo /etc/init.d/apache2 force-reload

ServerRoot

/etc/apache2

DocumentRoot

Apache Config Files ::

/etc/apache2/apache2.conf

/etc/apache2/ports.conf

Default VHost Config Module Locations

/var/www

:: /etc/apache2/sites-available/default, /etc/apache2/sites-enabled/000-default ::

/etc/apache2/mods-available, /etc/apache2/mods-enabled

ErrorLog

AccessLog cgi-bin

/var/log/apache2/error.log

:: ::

binaries (apachectl)

/var/log/apache2/access.log /usr/lib/cgi-bin ::

/usr/sbin