The Apache web server has got to be the easiest server-based package I have ever set up on a Linux server (unlike the beast known as samba). It typically takes about 5 minutes for me to get Apache up, running, and serving web pages correctly. Hats off (Fedoras off?) to the developers, because they have done an excellent job in their coding, implementation, documentation, etc.
The master configuration file for Apache is found in /etc/httpd/conf/httpd.conf. The file is extensively documented, meaning that it is very, very easy to just read through the file and set the appropriate options as you scroll through it. Some of the more important options that need to be set include:
ServerAdmin [user]@[domain].[name]
ServerName [host].[domain].[name]:80
DocumentRoot "/var/www/html"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
The first line sets the e-mail address to which problems with the server should be e-mailed. The address appears on some server-generated pages, such as error documents. The second line sets the fully qualified domain name and port number that the server uses to identify itself. The third line sets the directory where web pages will actually be served from. /var/www/html is the default directory for Fedora Core distributions. Next, we change the default permissions for Apache. I have set the "AllowOverride AuthConfig" option because I need to be able to set up certain web pages that first request a valid username and password, such as the networking page. This is easily accomplished by creating a .htaccess file in the directory that you want to protect. The contents of the .htaccess file are:
AuthUserFile /[path]/[to]/[protected]/[directory]/.htpasswd
AuthName "[Title for Protected Directory]"
AuthType Basic
Require valid-user
Then, a valid user and password file (typically .htpasswd) needs to be created in the same directory. The -c flag creates the file; leave it off when adding more users to an existing file:
~> cd /[path]/[to]/[protected]/[directory]
~> htpasswd -c .htpasswd [user]
Hit Enter, and you will be prompted for a password. Now, whenever a user attempts to access the given directory via the web, he or she will first be prompted for a valid username and password based upon what was just created in the .htpasswd file. Easy as can be!
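A quick audit of a directory protected this way, as an added example rather than part of the original page: the function name audit_htaccess and the finding labels are made up for illustration, and the sample directory is constructed. It flags a password file that any local user can read and one that sits inside the served tree, which is where the procedure above places it.

```shell
#!/bin/sh
# Added example: check a directory protected with .htaccess/.htpasswd.
# Prints one finding per line; prints nothing when every check passes.
audit_htaccess() {
    dir=$1
    ht="$dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "MISSING: $ht"
        return 0
    fi
    # The four directives used in the .htaccess file above must all be present.
    for d in AuthUserFile AuthName AuthType Require; do
        grep -Eqi "^[[:space:]]*${d}[[:space:]]" "$ht" || echo "NO-DIRECTIVE: $d"
    done
    # Path named by AuthUserFile (assumes a path without spaces).
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    [ -n "$pw" ] || return 0
    if [ ! -f "$pw" ]; then
        echo "NO-PASSWORD-FILE: $pw"
        return 0
    fi
    # Mode string such as -rw-r--r--; characters 8 and 9 are other-read/write.
    perms=$(ls -ld "$pw" | cut -c1-10)
    case $perms in ???????r??) echo "WORLD-READABLE: $pw" ;; esac
    case $perms in ????????w?) echo "WORLD-WRITABLE: $pw" ;; esac
    # A password file inside the served directory stays private only if the
    # server config denies requests for .ht* files (the stock httpd.conf does).
    served=$(cd "$dir" && pwd -P)
    pwdir=$(cd "$(dirname "$pw")" && pwd -P)
    case $pwdir in
        "$served"|"$served"/*) echo "IN-WEB-TREE: $pw" ;;
    esac
    return 0
}

# Constructed sample: a throwaway directory laid out like the procedure above.
demo_audit() {
    tmp=$(mktemp -d)
    printf 'AuthUserFile %s/.htpasswd\nAuthName "Demo"\nAuthType Basic\nRequire valid-user\n' \
        "$tmp" > "$tmp/.htaccess"
    printf 'demo:constructed-hash\n' > "$tmp/.htpasswd"
    chmod 644 "$tmp/.htpasswd"
    audit_htaccess "$tmp"
    rm -rf "$tmp"
}
demo_audit
```

AuthType Basic sends the username and password base64-encoded, not encrypted, so a directory protected this way should be served over HTTPS.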
Back to the /etc/httpd/conf/httpd.conf file. Additional settings include:
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<IfModule mod_userdir.c>
UserDir www
</IfModule>
<Directory /home/*/www>
AllowOverride All
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
</Directory>
The biggest change to note is the setting of the user directory to "www" ("UserDir www"), which allows for local users to create their own web pages within a ~/www directory. This means that "www" is appended to a user's home directory if a ~[user] request is received. For example, I keep the vast majority of my web files in a /home/kriehn/www directory, with additional subdirectories under it. The Linux Systems Administration - Fedora Core Notes page, for example, is stored in /home/kriehn/www/fedora/fedora.html, meaning that Apache will allow access to this page if you type in the name of the server, in addition to the location where the local user's page is kept, based upon the ~[user] rule. So, access to the fedora.html page is granted with the following web address:
http://optics.csufresno.edu/~kriehn/fedora/fedora.html
A caveat to this is that SELinux must be set up properly to allow access to home directories. See the SELinux page for details under HTTPD Service. Some view this setup as a security hole, since it confirms the presence of a username on the system, but I have a program called blockhosts that only allows for 3 failed logins from a remote IP address before shutting the offending party out of the server's login process for 3 months. It also has the added benefit of very quickly shutting down script kiddies. blockhosts is discussed in detail in the blockhosts page.
Sometimes I like to have symlinks present in my ~/www directory that point to other files that may be updated on a regular basis, like my vitae (vitae.pdf), but as an added security precaution, I only allow Apache to access the symlinked file if it is also owned by me (the "SymLinksIfOwnerMatch" option). This prevents me from, say, linking to a file owned by root and allowing the file to be accessed by the world via Apache. Basically, it is a nice guard against stupidity. Save and exit. Be sure to restart the httpd daemon:
~> sudo service httpd restart
You should see the daemon successfully stop and restart:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Apache is now ready to serve web pages.
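To see ahead of time which links under a ~/www tree the SymLinksIfOwnerMatch option described above will refuse, the following added example (not part of the original page; the function names and the sample tree are constructed for illustration) compares the numeric owner of each symlink with the owner of its target and also reports dangling links.

```shell
#!/bin/sh
# Added example: list symlinks that SymLinksIfOwnerMatch stops Apache following.

# Numeric owner of a path; pass -L first to look at the link target instead.
owner_uid() {
    ls -ldn "$@" | awk '{ print $3 }'
}

# Prints "MISMATCH <link> link-uid=N target-uid=M" or "BROKEN <link>".
audit_symlinks() {
    root=$1
    find "$root" -type l | while IFS= read -r link; do
        if [ ! -e "$link" ]; then
            echo "BROKEN $link"
            continue
        fi
        luid=$(owner_uid "$link")
        tuid=$(owner_uid -L "$link")
        if [ "$luid" != "$tuid" ]; then
            echo "MISMATCH $link link-uid=$luid target-uid=$tuid"
        fi
    done
}

# Constructed sample tree: one link to the user's own file, one dangling link.
demo_symlinks() {
    tmp=$(mktemp -d)
    : > "$tmp/vitae.pdf"
    ln -s "$tmp/vitae.pdf" "$tmp/cv.pdf"
    ln -s "$tmp/gone.pdf" "$tmp/old.pdf"
    audit_symlinks "$tmp"
    rm -rf "$tmp"
}
demo_symlinks
```

Run it as audit_symlinks ~/www. The Apache documentation notes that this option is not a hard security boundary, because the ownership test is subject to race conditions.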
Backups
As mentioned earlier, the base page (index.html) on my web server is located under /var/www/html. Most of my web pages, however, are located in a local ~/www directory that is backed up on an hourly, daily, weekly, and monthly basis. It would be nice to back up the /var/www directory as well, so let's do so now. First, create a ~/linux/backups/www directory:
~> mkdir -p ~/linux/backups/www
Open up the /etc/cron.daily/backups-daily file that was created under the Backups & rsync page, and add the following lines:
# Backup the contents of /var/www/ to /home/[user]/linux/backups/www:
rsync -avz --delete /var/www/ /home/[user]/linux/backups/www >> /var/log/rsync/backup-daily-www.log
chown -R [user]:[user] /home/[user]/linux/backups/www
I like to place these lines above the rsync command that performs the backup of my home directory so that /var/www is backed up to /home/[user] before /home/[user] is backed up to the remote NFS server. Please note that "/var/log/rsync/backup-daily-www.log" should be on the same line as the rsync command, and replace [user] with your username. Save and exit.
Next add the following to the /etc/logrotate.d/backups file:
/var/log/rsync/backup-daily-www.log
{
notifempty
weekly
missingok
rotate 4
}
This will set up log rotation for the log file. Save and exit. The nice thing about backing up /var/www instead of just /var/www/html is that all of the usage statistics are backed up as well, in addition to local cgi scripts, or personalized error pages.
MIME Types
As a final note, if you want Apache to serve specific files a certain way, the configuration file to edit is /etc/mime.types. For example, when someone wants to download one of my Animated Backgrounds for Enlightenment (see the Enlightenment pages), I want a Save as window to appear so that the file is automatically saved when someone clicks on an .edj link. Therefore, I have added edj (along with sys and inf) to the application/octet-stream line in /etc/mime.types. The line now reads:
application/octet-stream bin dms lha lzh exe class so dll img iso edj inf sys
That is pretty much it. Save and exit, and restart the httpd daemon:
~> sudo service httpd restart
You should see the daemon successfully stop and restart:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
Serve those web pages, baby!


