[LINUX] Let's summarize Apache

Let's take a look at Apache for learning Linuc2. To be honest, I didn't really care about the detailed settings because it can be used by installing with yum. If you edit httpd.conf and check it with apache configtest etc., an error starting with basic AH is displayed, so it is relatively easy to get to.

Installation

Compile from source

Personally, I always install only with yum, so please refer to the article below. Config, Compile, Install

You also need to install APR and APR-util to compile from source.

Use the package

# yum install -y httpd

setting file#

htpd.conf#

--Basic format

Directive name setting value

--When specifying the scope of application

<Files file name> ... </ Files> <Directory directory name> ... </ Directory> <LOcation URL>...</Location>

External configuration file

To use an external file (.htaccess) to override the httpd.conf settings, use the ** AccessFileName ** directory.

httpd.conf

AccessFileName .htaccess

To allow the use of external configuration files, specify in the ** AllowOverride ** directory.

The following example enables authentication and access control in .htaccess.

httpd.conf

AllowOverride AuthConfig Limit

apachectl#

module#

Module list

To load the module, specify:

httpd.conf

LoadModule perl_module modules/mod_perl.so

Use ** apxs ** to install the module after Apache is installed. After that, add it in the LoadModule directory as in ↑. To install apxs, install the httpd-devel package.

# yum install httpd-devel

# apxs -i -c mod_foobar.c

Built-in modules are ** httpd -l ** ** httpd -M ** to see a list of built-in modules and DSO modules and also check the syntax of the config file To use.

# httpd -l
# httpd -M

Scripting language

Let's take a look at php, which is often used as a web application.

# yum install -y php

The /etc/httpd/conf.d/php.conf file is added.

Create a file like the one below and restart Apache to see it.

/var/www/html/phpinfo.php

<?php
  phpinfo();
?>

Authentication of client access

BASIC authentication

To use BASIC authentication, add user authentication settings to httpd.conf and prepare a dedicated password file.

httpd.conf

<Directory "/var/www/html/private-area">
AuthType Basic
AuthName "Please enter your ID and password"
AuthUserfile /etc/httpd/conf/.htpasswd
require valid-user
</Directory>

Use ** htpasswd ** to set the user and password used for authentication.

# htpasswd -c /etc/httpd/conf/htpasswd linuc1
New password: 
Re-type new password: 
Adding password for user linuc

# cat /etc/httpd/conf/.htpasswd
linuc:$apr1$szHx1lmc$PVMPwHwo/7T0bnlbRhAFP0

To configure BASIC authentication on a group-by-group basis, specify the group password file in AuthGroupfile.

The format of the password file is as follows. Group name: Username 1 Username 2 ...

Each specified user has a password set with htpasswd.

In require, specify the group name in the following format. require group group name

Digest authentication

httpd.conf

<Directory "/var/www/html/secret-area">
AuthType Digest
AuthName "secret-area"
AuthUserfile /etc/httpd/conf/.htdigestfile
require valid-user
</Directory>

Use ** htdigest ** to create a user or change a password for digest authentication.

# htdigest -c /etc/httpd/conf/.htdigest secret-area linuc2
Adding password for linuc2 in realm secret-area.
New password: 
Re-type new password: 

# cat /etc/httpd/conf/.htdigest
linuc2:secret-area:2b2b3ade579cc9e0121b4f1df227db6b

Host-based access control

If you want to control access by IP address, host name, domain name, etc., use the ** require ** directive. This feature is provided by ** authz_host_module **.

For example, to deny access from 172.31.0.0/16 and allow access from other hosts, specify:

require all granted
require not ip 172.31.0.0/16

Virtual host function

You can manage multiple websites on one host.

Name-based virtual host

Set up one IP address and multiple domains on one host. Describe it in the ** VirtualHost ** directive. With proper DNS settings, each website can operate independently.

<VirtualHost *:80>
  ServerName web.example.com
  DocumentRoot /var/www/virtual/web

<VirtualHost *:80>
  ServerName www.example.net
  DocumentRoot /var/www/virtual/example
</VirtualHost>

IP-based virtual host

Set up multiple IP addresses and multiple domains on one host. Describe it in the ** VirtualHost ** directive. Each IP address must be specified in the ** Listen ** directive.

Listen 192.168.1.10:80
Listen 192.168.1.11:80

<VirtualHost 192.168.1.10:80>
  ServerName web.example.com
  DocumentRoot /var/www/virtual/web

<VirtualHost 192.168.1.11:80>
  ServerName www.example.net
  DocumentRoot /var/www/virtual/example
</VirtualHost>

Monitoring and maintenance

** mod_status **: Information about server activity

LoadModule status_module modules/mod_status.so

<Location /server-status>
  SetHandler server-status
</Location>

** mod_info **: Information about server settings

LoadModule info_module modules/mod_info.so

<Location /server-info>
  SetHandler server-info
</Location>

SSL/TLS##

It supports SSL by using ** mod_ssl **.

You need to get a site certificate from a certificate authority.

① Create a public key and an encryption key. (2) Send the created public key to the certificate authority (CA) together with documents certifying the identity of the user company. ③ CA issues a certificate and returns it. (Using this certificate, the web server identifies itself to the web browser.) ④ Install the sent certificate on the Web server.

Server certificates are issued for IP addresses or domain names. Here, we will take up a self-signed certificate (a method of signing a certificate by the certificate authority with itself as its own certificate authority). In CentOS, a script called CA.sh is prepared in the directory where SSL is installed, so copy it and create it interactively.

# cd /etc/pki/tls/misc
# ./CA -newca

Private key: /etc/pki/CA/private/cakey.pem Public key: /etc/pki/CA/cacert.pem Is created like this.

Create the server private key ** server.key ** required to build an SSL-enabled HTTP server.

# openssl genrsa -out server.key 2048

Create a Certificate Issuance Request (CSR) ** server.csr ** that requires the certificate authority to issue a certificate.

# openssl -req -new -key server.key -out server.csr

The certificate signs the certificate issuance request file and creates a server certificate ** server.crt **.

# openssl ca -out server.crt -infiles server.csr

Move the server private key and server certificate to the appropriate directory and put the required settings in httpd.conf.

LoadModule ssl_module modules/mod_ssl.so
Listen 443 https

<VirtualHost _default_:443>
  ServerName www.example.net:443
  DocumentRoot "/var/www/html"
  ErrorLog logs/ssl_errorlog
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA:!DH
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

• If you want to try it for verification etc., you can get a digital certificate issued free of charge at Let's Encrypt.

logfile#

Access log file

/var/log/httpd/access_log

Specify the format with the ** LogFormat ** directive and Associate the log file name with the format with the ** CustomLog ** directive.

httpd.conf

LogFormat

CustomLog logs/access_log combined

Error log file

/var/log/httpd/error_log

You can specify the log level to record with the LogLevel directive.

httpd.conf

LogLevel