[LINUX] Let's summarize Apache

Let's take a look at Apache as part of studying for LinuC 2. To be honest, I never really cared about the detailed settings, because Apache can be used just by installing it with yum. If you edit httpd.conf and check it with apachectl configtest, problems are generally reported as errors starting with AH, so the cause is relatively easy to track down.

Installation

Compile from source

Personally, I always install only with yum, so please refer to the article below. Config, Compile, Install

You also need to install APR and APR-util to compile from source.

Use the package

# yum install -y httpd

Configuration files

| File | Explanation |
|---|---|
| /etc/httpd/conf/httpd.conf | Main configuration file |
| /etc/httpd/conf.d | Directory for storing auxiliary configuration files |
| ssl.conf | SSL/TLS settings |
| php.conf | PHP module settings |
| perl.conf | Perl module settings |

httpd.conf

- Basic format

directive-name setting-value

- When specifying the scope of application

<Files file-name> ... </Files>
<Directory directory-name> ... </Directory>
<Location URL> ... </Location>

| Directive | Explanation |
|---|---|
| ServerTokens | Version information returned to clients |
| ServerRoot | Top directory |
| ServerName | Host name |
| ServerAdmin | Mail address of the administrator |
| StartServers | Number of child processes at startup |
| MinSpareServers | Minimum number of idle child processes |
| MaxSpareServers | Maximum number of idle child processes |
| ServerLimit | Maximum number of child processes that can be set |
| Timeout | Time until a connection from the client times out |
| KeepAlive | Enable/disable KeepAlive |
| MaxKeepAliveRequests | Maximum number of requests per TCP connection |
| KeepAliveTimeout | Timeout for one TCP connection |
| Listen | Listening port |
| User | Execution user of the child processes |
| Group | Execution group of the child processes |
| DocumentRoot | Document root directory |
| UserDir | Public directory for general users |
| DirectoryIndex | File name to return as a directory index |
| ErrorLog | Log file that records errors |
| LogLevel | Log level of the error log |
| LogFormat | Items and formats to log |
| CustomLog | Access log |
| HostnameLookups | Perform a reverse DNS lookup to get the host name from the IP address of the client |
| Alias | Makes locations outside the document root tree accessible |
| ScriptAlias | CGI script directory |
| ErrorDocument | Specify what to do if an error occurs |

External configuration file

To use an external file (.htaccess) to override the httpd.conf settings, set its name with the **AccessFileName** directive.

httpd.conf


AccessFileName .htaccess

To allow the use of external configuration files, specify what they may override with the **AllowOverride** directive.

The following example enables authentication and access control in .htaccess.

httpd.conf


AllowOverride AuthConfig Limit

| Value | Explanation |
|---|---|
| AuthConfig | Authentication |
| Indexes | DirectoryIndex |
| FileInfo | File type control |
| Limit | Order, Allow, Deny |
| Options | Options |
| None | Disable changes in .htaccess |
| All | Enable all settings that can be changed in .htaccess |

apachectl

| Subcommand | Explanation |
|---|---|
| start | Start |
| stop | Stop |
| restart | Restart |
| graceful | Start the server if it is stopped; if it is running, restart it after waiting for requests in progress to finish |
| reload | Reload the configuration file |
| configtest | Check the syntax of the configuration file |

Modules

Module list

To load the module, specify:

httpd.conf


LoadModule perl_module modules/mod_perl.so

Use **apxs** to install a module after Apache itself is installed. After that, load it with the LoadModule directive as shown above. apxs is provided by the httpd-devel package.

# yum install httpd-devel
# apxs -i -c mod_foobar.c

Use **httpd -l** to list the built-in modules. Use **httpd -M** to list both built-in modules and DSO modules; it also checks the syntax of the configuration file.

# httpd -l
# httpd -M

Scripting language

Let's take a look at PHP, which is often used for web applications.

# yum install -y php

The /etc/httpd/conf.d/php.conf file is added.

Create a file like the one below, restart Apache, and open the page in a browser to see it.

/var/www/html/phpinfo.php


<?php
  phpinfo();
?>

Authentication of client access

BASIC authentication

To use BASIC authentication, add user authentication settings to httpd.conf and prepare a dedicated password file.

| Directive | Explanation |
|---|---|
| AuthType | Basic |
| AuthName | Message to be output to the dialog box during authentication |
| AuthUserFile | Password file name |
| AuthGroupFile | Group file name to authenticate |
| Require | Users allowed access. If valid-user is specified, users who have an entry in the password file will be allowed access. |

httpd.conf


<Directory "/var/www/html/private-area">
AuthType Basic
AuthName "Please enter your ID and password"
AuthUserfile /etc/httpd/conf/.htpasswd
require valid-user
</Directory>

Use **htpasswd** to set the user and password used for authentication.

# htpasswd -c /etc/httpd/conf/.htpasswd linuc
New password: 
Re-type new password: 
Adding password for user linuc

# cat /etc/httpd/conf/.htpasswd
linuc:$apr1$szHx1lmc$PVMPwHwo/7T0bnlbRhAFP0

To configure BASIC authentication on a group-by-group basis, specify the group file in AuthGroupFile.

The format of the group file is as follows.

Group name: Username 1 Username 2 ...

Each specified user has a password set with htpasswd.

In Require, specify the group name in the following format.

require group group name

Digest authentication

| Directive | Explanation |
|---|---|
| AuthType | Digest |
| AuthName | Authentication realm |
| AuthUserFile | Password file name |
| AuthDigestGroupFile | Group file name to authenticate |
| Require | Users allowed access. If valid-user is specified, users who have an entry in the password file will be allowed access. |

httpd.conf


<Directory "/var/www/html/secret-area">
AuthType Digest
AuthName "secret-area"
AuthUserFile /etc/httpd/conf/.htdigest
require valid-user
</Directory>

Use **htdigest** to create a user or change a password for digest authentication.

# htdigest -c /etc/httpd/conf/.htdigest secret-area linuc2
Adding password for linuc2 in realm secret-area.
New password: 
Re-type new password: 

# cat /etc/httpd/conf/.htdigest
linuc2:secret-area:2b2b3ade579cc9e0121b4f1df227db6b
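How the user:realm:hash entry above is used, as an added example that is not from the original article: the stored value is MD5(user:realm:password), so the realm given to htdigest must equal AuthName, and the server can check a client's response from that stored value alone (shown in the RFC 2617 form without qop). The function names, password and nonce are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    """Build a line in the user:realm:HA1 layout shown in .htdigest above."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def load_htdigest(text):
    """Map (user, realm) -> HA1 for every well-formed line."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and len(parts[2]) == 32:
            table[(parts[0], parts[1])] = parts[2].lower()
    return table

def client_response(user, realm, password, method, uri, nonce):
    """What the browser computes from the password and the server's nonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(table, user, realm, method, uri, nonce, response):
    """Server-side check: needs only the stored HA1, never the password.

    That also means the HA1 in the file is as sensitive as the password
    for this realm, so the file must not be readable through the web.
    """
    ha1 = table.get((user, realm))
    if ha1 is None:
        return False  # unknown user, or AuthName differs from the stored realm
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)

# Constructed sample: user and realm from the page, password and nonce made up.
TABLE = load_htdigest(htdigest_line("linuc2", "secret-area", "constructed-pass"))
```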

Host-based access control

If you want to control access by IP address, host name, domain name, etc., use the **Require** directive. This feature is provided by **authz_host_module**.

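For example, to deny access from 172.31.0.0/16 and allow access from other hosts, specify the following. A negated Require only takes effect inside a <RequireAll> block:

<RequireAll>
  Require all granted
  Require not ip 172.31.0.0/16
</RequireAll>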

Virtual host function

You can manage multiple websites on one host.

Name-based virtual host

Set up one IP address and multiple domains on one host. Configure each site in a **VirtualHost** section. With proper DNS settings, each website can operate independently.

<VirtualHost *:80>
  ServerName web.example.com
  DocumentRoot /var/www/virtual/web
</VirtualHost>

<VirtualHost *:80>
  ServerName www.example.net
  DocumentRoot /var/www/virtual/example
</VirtualHost>

IP-based virtual host

Set up multiple IP addresses and multiple domains on one host. Configure each site in a **VirtualHost** section. Each IP address must be specified in a **Listen** directive.

Listen 192.168.1.10:80
Listen 192.168.1.11:80

<VirtualHost 192.168.1.10:80>
  ServerName web.example.com
  DocumentRoot /var/www/virtual/web
</VirtualHost>

<VirtualHost 192.168.1.11:80>
  ServerName www.example.net
  DocumentRoot /var/www/virtual/example
</VirtualHost>

Monitoring and maintenance

**mod_status**: Information about server activity

LoadModule status_module modules/mod_status.so

<Location /server-status>
  SetHandler server-status
</Location>

**mod_info**: Information about server settings

LoadModule info_module modules/mod_info.so

<Location /server-info>
  SetHandler server-info
</Location>

SSL/TLS

Apache supports SSL/TLS through **mod_ssl**.

You need to get a site certificate from a certificate authority.

1. Create a public key and a private key.
2. Send the created public key to the certificate authority (CA) together with documents certifying the identity of the company.
3. The CA issues a certificate and returns it. (Using this certificate, the web server identifies itself to the web browser.)
4. Install the received certificate on the web server.

Server certificates are issued for IP addresses or domain names. Here, we will use a self-signed certificate (you act as your own certificate authority and sign the certificate yourself). In CentOS, a script called CA.sh is prepared in the directory where SSL is installed, so copy it and create the CA interactively.

# cd /etc/pki/tls/misc
# ./CA -newca

This creates the CA private key at /etc/pki/CA/private/cakey.pem and the CA public key (certificate) at /etc/pki/CA/cacert.pem.

Create the server private key **server.key** required to build an SSL-enabled HTTP server.

# openssl genrsa -out server.key 2048

Create a certificate signing request (CSR), **server.csr**, which asks the certificate authority to issue a certificate.

# openssl req -new -key server.key -out server.csr

The certificate authority signs the certificate signing request file and creates the server certificate **server.crt**.

# openssl ca -out server.crt -infiles server.csr

Move the server private key and server certificate to the appropriate directory and put the required settings in httpd.conf.

| SSL/TLS-related directive | Explanation |
|---|---|
| SSLEngine | Enable/disable SSL/TLS |
| SSLProtocol | SSL/TLS protocol version |
| SSLCipherSuite | Cryptographic algorithms |
| SSLCertificateFile | Server certificate file |
| SSLCertificateKeyFile | Server private key file |
| SSLCertificateChainFile | Intermediate CA certificate file |
| SSLCACertificateFile | File containing the certificates of the CAs that issue client certificates |
| SSLCACertificatePath | Directory containing the certificates of the CAs that issue client certificates |
| SSLVerifyClient | Level of client authentication |

LoadModule ssl_module modules/mod_ssl.so
Listen 443 https

<VirtualHost _default_:443>
  ServerName www.example.net:443
  DocumentRoot "/var/www/html"
  ErrorLog logs/ssl_errorlog
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA:!DH
  SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
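A line-based check of the monitoring and SSL/TLS settings shown above, as an added example that is not from the original article: it flags server-status and server-info handlers with no Require directive in scope, an SSLProtocol line that leaves TLSv1.0/TLSv1.1 enabled, and a cipher list that enables 3DES or RC4. The function name audit, the finding texts and the Require local line in the sample are assumptions made for illustration; it is a heuristic, not a full configuration parser.

```python
import re

def audit(conf_text):
    """Return sorted [(line_no, finding)] for a few settings this page configures."""
    findings, stack = [], []      # stack frames: [start_line, handler, has_require]
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                     # section closes
            if stack:
                start, handler, guarded = stack.pop()
                if handler and not guarded:
                    findings.append((start, f"{handler} exposed without Require"))
            continue
        if line.startswith("<"):                      # section opens
            stack.append([no, None, False])
            continue
        words = line.split()
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "sethandler" and stack and args[:1] in (["server-status"], ["server-info"]):
            stack[-1][1] = args[0]
        elif key == "require":
            for frame in stack:                       # guards every enclosing section
                frame[2] = True
        elif key == "sslprotocol":
            if "all" in args and not {"-tlsv1", "-tlsv1.1"} <= set(args):
                findings.append((no, "SSLProtocol leaves TLSv1.0/TLSv1.1 enabled"))
        elif key == "sslciphersuite" and args:
            for token in re.split(r"[:,]+", args[-1]):
                if token[:1] not in ("!", "-") and ("3des" in token or "rc4" in token):
                    findings.append((no, f"SSLCipherSuite enables {token.upper()}"))
    return sorted(findings)

# Constructed input: the page's server-status block and SSL settings, plus a
# server-info block with "Require local" added (an assumption) for contrast.
SAMPLE = """\
<Location /server-status>
  SetHandler server-status
</Location>
<Location /server-info>
  SetHandler server-info
  Require local
</Location>
<VirtualHost _default_:443>
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA:!DH
</VirtualHost>
"""
```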

Log files

Access log file

/var/log/httpd/access_log

Specify the format with the **LogFormat** directive, and associate the log file name with the format with the **CustomLog** directive.

httpd.conf


LogFormat

CustomLog logs/access_log combined
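Reading the access log written by the CustomLog line above, as an added example that is not from the original article: it parses combined-format lines and reports clients with repeated 401 responses under the BASIC-authenticated /private-area directory from earlier on the page. It assumes Apache's stock definition of the combined format; the function names, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: CustomLog uses Apache's stock "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["status"] = int(rec["status"])
    return rec

def auth_failures(lines, prefix="/private-area", threshold=3):
    """Map client -> (401 count, user names tried) for repeated failures."""
    # A single 401 is normal: the browser's first request has no credentials.
    # On a 401 the %u field is whatever the client sent, so treat it as untrusted.
    counts, users = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith(prefix):
            counts[rec["host"]] += 1
            users.setdefault(rec["host"], set()).add(rec["user"])
    return {h: (n, sorted(users[h] - {"-"}))
            for h, n in counts.items() if n >= threshold}

# Constructed sample lines (documentation IP ranges, made-up user names).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '198.51.100.7 - admin [10/Oct/2023:13:55:37 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '198.51.100.7 - root [10/Oct/2023:13:55:38 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
    '192.0.2.10 - linuc [10/Oct/2023:13:56:09 +0900] "GET /private-area/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:10 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```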

Error log file

/var/log/httpd/error_log

You can specify the log level to record with the LogLevel directive.

httpd.conf


LogLevel
