Archive:Docs/Drafts/AdministrationGuide/Servers/WebServer

From FedoraProject

Jump to: navigation, search

Contents

Apache web server

Installing Apache Web Server

Web server functionality in Fedora is provided by Apache. There are two methods to install Apache:

  • Basic
  • Groupinstall

Basic

To serve simple static web sites, install the httpd rpm package.

su -c "/usr/bin/yum install httpd"

Groupinstall

Use the following command to install all packages grouped under Web server:

su -c "/usr/bin/yum groupinstall 'Web Server'"

This command installs the basic web server - httpd package along with additional packages, such as:

  • Apache modules
  • Scripting languages - PHP, perl, python.
  • Documentation - httpd-manual rpm package
  • Protocols - HTTPS for serving secure websites
Idea.png
The Web Server package group can be installed during Fedora installation, using the option to customize software packages

To start Apache web server enter:

su -c "/sbin/service httpd start"

Test if Apache web server is functioning correctly by browsing to http://localhost. If the browser displays Fedora Test Page, then Apache is installed and functioning correctly.

Configure Apache web server to start at boot time:

su -c "/sbin/chkconfig httpd on"

This checks httpd as a service and configures it to start up on run levels 2,3,4 and 5.

Configuring Apache web server

Familiarize yourself with the following directories before configuring Apache web server:

  • /etc/httpd - directory holding Apache configuration files, referred to as ServerRoot.
  • /usr/lib/httpd/modules - directory holding Apache modules, loaded on demand by the main configuration file ( /etc/httpd/conf/httpd.conf )
  • /var/www - Default location for storing web site content.
  • /var/log/httpd - location of the Apache log files.

Take time to understand directives in the main configuration file /etc/httpd/conf/httpd.conf. At the minimum, two directives in this file should be configured to allow Apache to serve the content over the Internet.

  • The name to which server responds
  • The location of the web site content on the system.

For example, to serve the web content for www.example.com, the two directives would be configured as below:

ServerName www.example.com:80
DocumentRoot "/var/www/html"

To effect any changes made to the main configuration file, you must reload the web service:

su -c "/sbin/service httpd reload"

This configuration assumes that www.example.com resolves correctly in DNS and that the content for the web site is in the /var/www/html, the default DocumentRoot in Fedora.

/etc/httpd/conf/httpd.conf file includes instructions for almost all configuration options in the form of comments, ie. the lines beginning with # character. In this main configuration file you will notice the Include directive that allows including .conf files. This provides a way for creating seperate configuration files that are smaller and manageable. The line:

Include conf.d/*.conf

causes the httpd daemon to read all configuration options in *.conf files placed under /etc/httpd/conf.d directory, in addition to to the main configuration file during service start up. The common use of conf.d/*.conf files is to have separate configuration files for various Apache modules, extensions or virtual hosts.

/etc/httpd/conf/httpd.conf includes numerous options for configuring the Apache web server. Other notable options are:

  • Performance tuning:
  • MaxClients limits the number of allowed simultaneous connections to the server and works together with the ServerLimit option.
  • KeepAlive allows for a number of concurrent HTTP requests over a single TCP connection.
  • TimeOut instructs the httpd daemon when to stop responding if it is under heavy load.

Apache performance tuning is the art of managing the trade-off against the benefit. It requires good understanding of the server's capabilities and seldom improves by including arbitrary parameters.

  • Log configuration:
  • ErrorLog points to the location where the server's errors are logged.
  • LogLevel sets the verbosity of the ErrorLog entries.
  • CustomLog points to the location where the requests are logged.
Idea.png
The Apache web server logs the requests /var/log/httpd/access_log and errors to /var/log/httpd/error_log by default
  • Other configuration options:
  • AddLanguage associates files with certain extension to certain languages. Useful when the web server serves pages in multiple languages.
  • LoadModule loads dynamically shared objects.
  • ScriptAlias specifies the location of CGI scripts.
  • ServerAdmin specifies who is the server administrator.
  • AddHandler maps scripts to script handlers, such as .cgi, .php, etc.
Note.png
Refer to the Apache documentation in the [#Additional_Information Additional Information] section for the extensive list of the Apache configuration options and their usage.

Virtual Hosts

The Apache web server has the ability to serve the content for multiple sites from the single server through the concept of Virtual Hosts. Virtual hosts can be configured in two ways:

  • IP based Virtual Hosts:
  • Each virtual host has its own IP address and port combination.
  • Required for serving HTTPS requests, due to restrictions in the SSL protocol.
  • Name based Virtual Hosts:
  • All virtual hosts share the common IP address.
  • The Apache web server responds to the request by mapping the host header in the request to ServerName and ServerAlias directives in the particular virtual host's configuration file.

The example of the simple name based virtual hosts configuration:

# global configuration options
NameVirtualHost *:80
<VirtualHost *:80>
ServerName localhost
</VirtualHost>

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/virtual/example.com/html
</VirtualHost>

<VirtualHost *:80>
ServerName foobar.com
ServerAlias www.foobar.com
DocumentRoot /var/www/virtual/foobar.com/html
</VirtualHost>

The order in which the virtual hosts are listed is significant to the extent that the Apache will always serve the content from the first listed virtual host in case the request was made for the site that is resolvable in DNS but not defined as a ServerName or a ServerAlias.

Important.png
Once the first VirtualHost is defined, all of the content served by Apache must also be moved into virtual hosts.

Security Considerations

Apache File Security

By default, the httpd daemon runs as the user and group apache. Therefore, all files that the httpd needs to access to operate properly must be accessible by user apache. The safe way to accomplish this is to set the ownership on all of the files to another user and allow read-only access to all other users. For example, to allow read-only access to www.foobar.com content, so it can be served over the Internet, run the following:

su -c "/bin/chown -R root.root /var/www/virtual/foobar.com"
su -c "/bin/chmod 755 /var/www/virtual/foobar.com /var/www/virtual/foobar.com/html"
su -c "/bin/chmod 644 /var/www/virtual/foobar.com/html/*"

In case the content should be readable by the Apache and nobody else, the good practice is to change the group ownership to group apache and deny access to others.

User-level ownership on files should be granted to the apache user only if the web server is expected to modify the files, for example, through the use of CGI scripts.

Apache Access Controls

To control the access to the content served by the Apache web server, use the Order, Deny, and Allow directives, within the Directory container directive. To allow access to the content of www.foobar.com:

<Directory /var/www/virtual/foobar.com/html>
Order deny,allow
</Directory>

The Order directive controls the behavior of how the access to the content is evaluated and sets the default precedence if Allow and Deny directives are not defined:

  • Order deny,allow defaults to "allow access"
  • Order allow,deny defaults to "deny access"

The latter value always overrides the former. For example, to allow access to all hosts on the 192.168.1 subnet and deny the host with the 192.168.1.66 IP address, add these options:

<Directory /var/www/virtual/foobar.com/html/priv>
Order allow,deny
Allow from 192.168.1.
Deny from 192.168.1.66
</Directory>

SELinux Notes

The best way to avoid SELinux errors while running Apache is to store the Apache related files in the default system locations. If this is not possible, the solution is to change the SELinux context on non-standard directories, using default ones as a reference:

su -c "/usr/bin/chcon -R --reference=/etc/httpd/conf /path/to/new/conf"

or

su -c "/usr/bin/chcon -R --reference=/var/www/html /path/to/site/content"

Additional Information

Related Web Sites

Installed Documentation

  • /var/www/manual - requires httpd-manual rpm package