|
Softpanorama
(slightly skeptical)
Open Source Software Educational Society |
May the
source be with you,
but remember the KISS principle ;-)
|
Apache
Apache is configured by placing
directives in
plain text configuration files. The main configuration file is usually called
httpd.conf. The location of this file is set at compile-time, but
may be overridden with the -f command line flag. Some sites also
have srm.conf and access.conf files for
historical
reasons. In addition, other configuration files may be added using the
Include
directive. Any directive may be placed in any of these configuration files.
Changes to the main configuration files are only recognized by Apache when it is
started or restarted.
New with Apache 1.3.13 is a feature where if any configuration file is
actually a directory, Apache will enter that directory and parse any files (and
subdirectories) found there as configuration files. One possible use for this
would be to add VirtualHosts by creating small configuration files for each
host, and placing them in such a configuration directory. Thus, you can add or
remove VirtualHosts without editing any files at all, simply adding or deleting
them. This makes automating such processes much easier.
The server also reads a file containing mime document types; the filename is
set by the
TypesConfig directive, and is mime.types by default.
Apache configuration files contain one directive per line. The back-slash "\"
may be used as the last character on a line to indicate that the directive
continues onto the next line. There must be no other characters or white space
between the back-slash and the end of the line.
Directives in the configuration files are case-insensitive, but arguments to
directives are often case sensitive. Lines which begin with the hash character
"#" are considered comments, and are ignored. Comments may not
be included on a line after a configuration directive. Blank lines and white
space occurring before a directive are ignored, so you may indent directives for
clarity.
You can check your configuration files for syntax errors without starting the
server by using apachectl configtest or the -t command
line option.
Apache is a modular server. This implies that only the most basic
functionality is included in the core server. Extended features are available
through modules
which can be loaded into Apache. By default, a
base
set of modules is included in the server at compile-time. If the server is
compiled to use dynamically
loaded modules, then modules can be compiled separately and added at any
time using the
LoadModule
directive. Otherwise, Apache must be recompiled to add or remove modules.
Configuration directives may be included conditional on a presence of a
particular module by enclosing them in an
<IfModule>
block.
To see which modules are currently compiled into the server, you can use the
-l command line option.
Directives placed in the main configuration files apply to the entire server.
If you wish to change the configuration for only a part of the server, you can
scope your directives by placing them in
<Directory>,
<DirectoryMatch>,
<Files>,
<FilesMatch>,
<Location>,
and
<LocationMatch>
sections. These sections limit the application of the directives which they
enclose to particular filesystem locations or URLs. They can also be nested,
allowing for very fine grained configuration.
Apache has the capability to serve many different websites simultaneously.
This is called Virtual
Hosting. Directives can also be scoped by placing them inside
<VirtualHost>
sections, so that they will only apply to requests for a particular website.
Although most directives can be placed in any of these sections, some
directives do not make sense in some contexts. For example, directives
controlling process creation can only be placed in the main server context. To
find which directives can be placed in which sections, check the
Context of the directive. For further information, we provide details on
How Directory, Location
and Files sections work.
Apache allows for decentralized management of configuration via special files
placed inside the web tree. The special files are usually called .htaccess,
but any name can be specified in the
AccessFileName directive. Directives placed in .htaccess
files apply to the directory where you place the file, and all sub-directories.
The .htaccess files follow the same syntax as the main
configuration files. Since .htaccess files are read on every
request, changes made in these files take immediate effect.
To find which directives can be placed in .htaccess files, check
the
Context of the directive. The server administrator further controls what
directives may be placed in .htaccess files by configuring the
AllowOverride directive in the main configuration files.
For more information on .htaccess files, see Ken Coar's tutorial
on Using .htaccess
Files with Apache, or the
.htaccess tutorial
in the Apache docs.
Notes:
- Those pages are written by people for whom English is not a
native language. Some amount of grammar and spelling errors
should be expected.
- This is a Spartan WHYFF (We Help You For Free) site. It
cannot replace the best teachers and
the
best books.
- The site contain some obsolete pages as it develops like a
living tree... Some links on older pages
are broken. Please
try to use Google, Open directory, etc. to find a replacement link
(see
HOWTO search the WEB for details).
We would appreciate if you can
mail us a correct link.
|
|
(nixCraft)When you are updating website you may need to send error 503 to
client. Error 503 indicates that web server is temporary out of
service or down. This is useful if you are running popular database
driven website such as a forum or e-commerce site. So when the site
is under maintenance you can send user a good message indicating
that site is down for some work.
This tip will help you to disable a site for maintenance using
mod_rewrite without redirecting url.
Both Lighttpd and Apache webserver allows you to send this
message to client using server side rewriting using mod_rewrite and
php.
Error 503 means
=> Server is too busy to serve your request
=> Server is slashdotted or dugg to death
=> Server is forced to send this message etc
But why to send error 503?
Error 503 informs search engine that site is temporary out of
service. This is quite important for site which is heavily depends
upon search engine for selling products and services.
November 2006 (Bigadmin) This guide serves as a starting point for users to
install, configure, and perform basic tuning of the open source
stack SAMP (Solaris 10 OS, Apache 2.0.52, MySQL 5.0, and PHP 5). The
article also covers PostgreSQL and Tomcat. The Solaris Zones feature
(part of Solaris Containers technology in the Solaris 10 OS) is
discussed to help users with scalability in mind.
Download the document as
PDF.
Until now FastCGI was behind mod_php, java and
mod_perl in terms of popularity among web server administrators and
web developers. But times have changed and changed for good.
In the early days of web development when the CGI interface was the
leader and web servers were quite slow, developers felt that they
needed a faster server technology, that can be used to run their web
applications on high-traffic web sites. The solution to the problem
seemed obvious – the developers had to take their CGI-based code and
put it into the web server process.
With this solution, the operating system didn’t have to start a new
process every time a request had been received, which is very
expensive, and you could write your application with a persistent
functionality in mind and ability to cache data between several
different http requests.
These were the days when some of the most popular web server APIs
were born – Internet Information Server’s ISAPI, Netscape Server’s
NSAPI, and Apache’s module API. This trend created some of the best
known and quite often used technologies in web development like
mod_php, mod_python, java servlets (and later jsp), asp. But the
conception that stays behind these technologies is not flawless.
There are many problems with applications that run inside your
average web server.
For example mod_perl’s high memory usage per child process can suck
the available ram, php’s problems with threads can kill the whole
web server, and many security problems arising from the fact that
the most popular web server (Apache) can’t do simple things like
changing the OS user it executes the request with. For quite some
time there have been solutions, like putting a light-weight proxy
server in front of apache, installing third-parity software for IIS
or using php’s safe mode and OpenBasedir (Oh GOD!) on apache, but
these are not elegant and pose other problems on their own. Also the
hardware progress in the last few years made the server modules
obsolete.
In the mean time, when the server modules were gaining glory and
fame, a little-known technology with a different conception and
implementation was born. It was called FastCGI and the basic problem
it was designed to solve was to make CGI programs run faster. Later,
it became clear that FastCGI solves many other problems and design
flaws that the server modules had.
How FastCGI works?
FastCGI runs in the web server process, but doesn’t handle the
request itself. Instead it manages a pool of the so-called FastCGI
servers outside of the web server process and when a request
arrives, the FastCGI manager sends the http data through a socket to
one of the available fastcgi servers to handle this request. This
strategy is quite simple and has the following advantages:
- The FastCGI servers can be written in any language that has
an api to communicate through sockets
- The FastCGI servers run outside of the web server thus
improving stability and allowing the web server to handle only
requests for static data with very little overhead. You won’t
need a front-end proxy for this. Thread-unsafe applications can
be run with
threaded web servers.
- The FastCGI manager can change the owner of the FastCGI
servers, which allows the web administrator to have different
virtual hosts served by different OS users. (Anyone remember
Apache2’s
perchild MPM?)
- The FastCGI servers are persistent processes, which serve
requests many times faster than standard CGIs.
In the beginning FastCGI was not so popular, because its use of
external processes and communication through sockets required
more resources to be allocated on the host system. Today this is
not the case, because for the last few years the hardware
development made huge leaps ahead and system memory is not so
expensive anymore. In present days many of the web servers have
full support for FastCGI and the trend is to migrate the current
web applications to run under it. These are some of the most
popular web servers that have support for FastCGI:
The Apache Software
Foundation released a maintenance update to the 2.2 httpd
branch. Version 2.2.2 is now considered the gold standard that
outfits running Apache should be using. It is available for
download, here.
As usual, the full cadre of
release
notes are online. Changes have been made to mod_deflate, so
that it works correctly in an internal redirect;
mod_proxy_balancer, which now initializes members of a balancer
correctly; mod_proxy, so that it no longer releases connections
from the connection pool twice; prevent the reading
uninitialized memory while reading a line of protocol input;
mod_dbd, whose defaults have been updated and error reporting
improved; and mod_dbd, which creates its own pool and mutex to
avoid problem use of process pool in request processing.
Version 2.2 was initially released in December 2005.
Core enhancements include, refactored authentication and
authorization modules; a host of changes to mod_cache,
mod_disk_cache, and mod_mem_cache; a simplified and modularized
default configuration layout; and graceful shutdown for prefork,
worker, and event MPMs. Changes were also made to the mod_auth,
mod_authnz_ldap, mod_authz_owner, mod_version, mod_info, mod_ssl,
and mod_imagemap modules.
The ASF also recommends anyone still running the 2.0 or 1.3
forks that does not plan to upgrade be sure to patch to 2.0.58
and 1.3.37, respectively.
With mod_perl, Perl code can be embedded directly in the Apache
configuration file. Perl in httpd.conf is commonly used to
dynamically configure Apache, but anything from URL translation to
content generation can be accomplished directly in the configuration
file within <Perl> sections.
This example reads configuration settings from a text file and
configures Apache's virtual hosts.
The httpd.conf setup:
NameVirtualHost 192.168.0.1:80
<Perl>
my $config = "/etc/apache/vhosts.txt";
open HOSTS, $config or die "Failed to open $config: $!";
while (<HOSTS>) {
my %config;
my @params = qw/ServerName DocumentRoot ErrorLog TransferLog ServerAdmin/;
@config{ @params } = split /\t/;
$config{ Directory }{ $config{DocumentRoot} } = { Allow => 'from all' };
push @{ $VirtualHost{'192.168.0.1:80'} }, \%config;
}
close HOSTS;
</Perl>
See
The Guide for other examples of configuring Apache with mod_perl.
This document is a quick overview of Solaris 10's zones,
intended for use by ASF infrastructure to establish zones and
for PMCs to manage their zones.
Some quasi-helpful resources:
These are notes to assist the root people at ASF infrastructure
to create Solaris zones for certain PMCs. See the other notes
below for PMCs to
manage zones.
Please add notes about your zone to the https://svn.apache.org/repos/asf/infrastructure/trunk/docs/helios/zones.txt
file (PMC name, root name and other maintainers, docs
reference). See the notes for other zones.
One of the first things you will want to setup on
your new Solaris/OpenSolaris operating system is a
web server, even though Solaris now comes with Perl
and Apache installed by default, it is still worth
installing your own version. New versions of Perl
and Apache will always be ahead of the Solaris
version, plus you will never damage the
pre-installed version.
The procedure has been test on:
- Solaris 10 3/05 SPARC & X86
- Fully Patched
- Installed Solaris Software Companion (/opt/sfw)
The following steps will install:
- perl 5.8.7
- basic perl modules used by apache
- Apache 1.3.34 (Version 1 is still widely
used)
Articles and FAQs Apache 2.xx is included with Solaris 10. A few configuration details need to
be addressed prior to starting Apache 2.xx (you need to be root):
- Copy the file, /etc/apache2/httpd.conf-example to /etc/apache2/httpd.conf
# cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
- Edit /etc/apache2/httpd.conf
- Set ServerName if necessary (default is 127.0.0.1)
- Set ServerAdmin to a valid email address
- From the command line type:
# svcadm enable apache2
The Apache 2 web service should persist through server and/or zone boots. The
actual web pages are located in the /var/apache2/htdocs directory by default.
I installed on m sun solaris 10,
just the core sdistribution
I installed packages:
system SUNWapch2d Apache Web Server V2 Documentation
system SUNWapch2r Apache Web Server V2 (root)
system SUNWapch2u Apache Web Server V2 (usr)
But when i try to enable apache
svcadm enable apache2
i get:
svcadm: Pattern 'apache2' doesn't match any instances
i looked all day in doc's the internet, but no good solution.
Who has got the answer for me.
hey rebooting a unix box
worked????????
svcs -a | grep apache2
no showed disabled ???
before rebooting i didn't show up.
Strange!!
[Nov 06, 2003] Apache, a
guide in how to optimally compile and install Apache in Sun Solaris, with
support for Perl, Python, PHP+MySQL, faster CGI's, etc.
Posted by timothy on Sunday
October 19, @08:19AM
from the driven-by-the-forces-of-evil dept.
ivan.ristic writes
"Mod_security
1.7 has been
released. Mod_security is an open source intrusion detection and prevention
engine for web applications. It operates embedded into the web server, acting as
a powerful umbrella - shielding applications from attacks. The latest release
adds output scanning to Apache 2.x; the ability to analyze cookies;
functionality to change the identity of the web server; several new actions for
rule grouping; new null-byte attack anti-evasion code."
| Etc
|
|
This sounds like a great
idea. (Score:2)
by daviddennis (10926) <david@amazing.com>
on Sunday October 19, @12:26PM (#7254633)
(http://www.amazing.com/)
|
To try and pull the subject away from the usual trolls, this sounds like
something I really need on my web server.
Has anyone tried it? Any success or failure stories?
D |
|
|
|
|
powerful umbrella
shielding apps from attacks" (Score:2)
by
brlewis (214632) on Tuesday
October 21, @12:25PM (#7272502)
(http://brl.codesimply.net/)
|
| The article's description of mod_security as a "powerful umbrella shielding
applications from attacks" seems to oversell it. If you have a known app with a
known exploit, you can use mod_security instead of fixing the app. But even the
mod_security docs themselves say it's better to fix the app.
For apps which accept arbitrary text input (most do!) a general filter
against, e.g. "insert into", is a bad idea? This slashdot post includes those
two words together; you have to be specific about which inputs get filtered how.
Again, this is better done in the app itself. |
|
|
|
Another neat module I've
never heard of before... (Score:2)
by
WoTG (610710) on Tuesday October 21,
@02:07PM (#7273748)
(http://www.myphotoprinter.net/
| Last Journal: Monday August 04,
@12:43AM) |
|
I had to browse the site to see what this does, this
overview page [modsecurity.org] was good.
It reminds me of
URLScan [microsoft.com] for MS's IIS - but with extra features. |
|
|
|
For those who don't want
to do this on the server (Score:1)
by
jjeffrey (558890) <james@jgj.org.uk>
on Wednesday October 22, @08:20AM (#7280159)
(http://jgj.org.uk/)
|
...you can of course spin up Apache on another box,
preferably not the firewall, and set it up in proxy mode to forward the
requests. Though this generates some SSL issues. Mabye you could even use
mod_balance and have a security appliance / load balancer?
Of course Checkpoint already offer this functionality in FW-1 NG to a limited
degree, and Netscreen are introducing it across their range as a free update
(for those with a software subscription) in ScreenOS 5 later this year or early
next. |
|
|
|
mod_security evaluation
by Tegatai Systems (Score:1)
by
konduct (691763) on Wednesday
October 29, @06:06AM (#7336442)
(http://www.tegatai.com/~jbl/)
|
| Tegatai Systems [tegatai.com]
has been using mod_security [modsecurity.org] in its development labs recently. It has been
determined through white and blackbox testing that mod_security needs more work
before it will be stable enough for wide-spread production use. |
|
|
|
Similar to Microsoft's
URLScan... (Score:1)
by sk3tch (165010) on Wednesday
October 29, @12:46PM (#7339210)
(http://www.sk3tch.com/)
|
http://www.microsoft.com/technet/security/tools/ur
lscan.asp [microsoft.com]
Nice to see Apache adding this functionality. As a web admin, the availability
of another layer of security is always appreciated.
|
|
|
RSA SecurID
module for Apache
About:
The mod_securid Apache module implements RSA SecurID authentication for the
Apache Web server. It allows administrators to restrict access to Web sites
(or parts of Web sites) to users authenticated using a SecurID token and an
ACE server.
I should preface this by noting that I usually install Apache from source for
this very reason. It's often not clear where the contents of an RPM will end up
and Apache is a prime example.
There is, however, a nifty way to do a little digging BEFORE you install an
RPM. On the command line, type:
rpm -qpil path/to/apache-xyz.rpm | more
where 'path/to/apache-xyz.rpm' is the location of the RPM you wish to
install.
Running this on apache-1.3.9-4.i386.rpm under RH6.1 reveals...
-----
% rpm -qpil apache-1.3.9-4.i386.rpm | more
[uninteresting bits and general verbosity deleted]
/etc/httpd/conf
/etc/httpd/conf/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/conf/magic
/etc/httpd/conf/srm.conf
/etc/httpd/logs
...
/etc/rc.d/init.d/httpd
...
/home/httpd
/home/httpd/cgi-bin
/home/httpd/html
/home/httpd/html/index.html
...
/usr/sbin/httpd
/usr/sbin/logresolve
/usr/sbin/rotatelogs
/usr/sbin/suexec
...
-----
The Apache program itself is /usr/sbin/httpd. You can either run that from
the command-line thusly:
% /usr/sbin/httpd
or by rebooting your server since all those files in /etc/rc.d will start
Apache automagically when you start your server.
Before doing so, however, be sure to make the appropriate configuration
changes in the /etc/httpd/conf/httpd.conf,
srm.conf, and access.conf files -- newer versions of Apache only use httpd.conf.
There are some instructions available on RedHat's site; while they're not
particularly geared toward a first time user, they may be of some help in
initial Apache configuration...
http://www.redhat.com/support/docs/tips/WWW-Server-Tips/WWW-Server-Tips-3.html
Re: Latest Apache RPM; undefined symbol
Hi Arend,
Thank you.
I replaced the original httpd.conf file and restarted manually without error.
I am wearing my dunce's hat with pride...
Cheers
Geoff
>>> arend@meetsma.org 03 July 2002 17:46:50 >>>
On Tue, 2 Jul 2002, Geoff Amabilino wrote:
> Hi all,
>
> We have just upgraded our Apache packages to the latest RH version
>(1.3.22-5.7.1) to avoid the recent security problem.
>
> We are now getting a problem starting the web server as follows:
>
> Syntax error on line 212 of /etc/httpd/conf/httpd.conf:
> Cannot load /etc/httpd/modules/mod_log_config.so into server:
>/etc/httpd/modules
> /mod_log_config.so: undefined symbol: ap_escape_logitem
>
> I cannot find any clues around the web, and for the moment have had to
>disable custom logging to get the site going again.
>
> Has anyone else seen this? Any help would be welcome.
Hi Geoff,
With the recent update, you need to stop and then restart apache by hand
the first time, then the -HUP at 4:00 will work from then on.
So do this:
/etc/init.d/httpd stop
/etc/init.d/httpd start
then check the logs.
Hope this helps,
Arend
Copyright © 1996-2007 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time.
Submit
comments This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License(OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
March 15, 2008
