Chapter 6. Apache Web Server on Linux

Table of Contents

Introduction to the 'apache' Web Server
apache Installation
apache Configuration
PHP Configuration
Perl Configuration
Apache Virtual Host Configuration
Web Server Logs
Password Protected Directories
HTTP Firewall
Web Server Check Point

Introduction to the 'apache' Web Server

In this chapter we will address the main topic of this course, the apache web server. There is a bit of a naming misalignment with this software that must be clarified. The software is called apache, and name of the package that contains it as well as the service that runs it is httpd. In short, the httpd package installs the apache software, which runs under the service called httpd. To further confuse the issue, the protocol that apache and other web servers use for communication is http (Hyper Text Transfer Protocol), which is the protocol used for typical web and Internet communication.

The apache web server is only one of many projects sponsored by the Apache Software Foundation . The apache web server documentation is extremely well written, and can be referenced at Apache Webserver Documentation .

[Important] Versions of apache

The different versions of apache introduce very different functionality, and bear consideration. Specifically, version 2.0 is very different from version 2.2 (our version), which is again very different from version 2.4. If problems abound during configuration and testing of apache, keep the version number in mind. In short, configuration directives and solutions for one version may not apply to a different version.

apache Installation

In the next few steps we'll take a look at installing the httpd package.

Figure 6.1. apache Installation Image #1

apache Installation Image #1

The image above shows the input and output of the command `which httpd`. This command essentially checks to see if the httpd service is installed on the computer. As can be seen in the returned output of the command, which is empty, the apache is not installed.

[Note] Different Results to `which httpd` Command

If the returned output to the above command lists a path to the httpd executable, as seen in the next image, the software is installed. In this instance, it does not need to be reinstalled.

Figure 6.2. apache Installation Image #2

apache Installation Image #2

The image above shows that the httpd package is installed. The output of the command shows the location of the executable httpd.

Figure 6.3. apache Installation Image #3

apache Installation Image #3

In the image above, the command `rpm -qa | grep httpd` has been issued. This is yet another way to verify that the httpd package has been installed. Additionally, any other packages which contain the string 'httpd' are shown in the result set returned.

Figure 6.4. apache Installation Image #4

apache Installation Image #4

The results of the command shown above indicate that there are three packages installed which pertain to httpd.

Figure 6.5. apache Installation Image #5

apache Installation Image #5

The command shown above, `yum groupinstall web-server` will install the httpd package along with several other utilities that are useful for web server functionality. This command is in essence like one-stop-shopping in terms of web server tools.

[Note] apache Group Installation

To see the full list of what packages are installed with the above command, issue `yum groupinfo web-server`.

Figure 6.6. apache Installation Image #6

apache Installation Image #6

Verification step for installing the 'web-server' group. Type y + ENTER to proceed.

Figure 6.7. apache Installation Image #7

apache Installation Image #7

The final step for apache installation. The packages are listed with a success message. Note that there have been many packages installed automatically that are dependencies to the apache web server.[11]

apache Configuration

Now that the web server software and supporting packages have been installed, it's time to configure the server. apache is a very modular server; different parts can be loaded and unloaded as needed to keep it "lean and clean". In this section, we'll look at some very basic items that will customize our apache installation for our specific server.

Figure 6.8. apache Configuration Image #1

apache Configuration Image #1

The apache configuration files are kept in the '/etc/httpd' directory. The main configuration file is '/etc/httpd/conf/httpd.conf'. The first thing we need to do is create a copy of the initial, pristine file that was installed with the software. This way, we can always refer to the original configuration file as a benchmark for our various configurations. Also, we can always return to the initial state of the server if needed. Therefore, run the following command as the root user:

    cat /etc/httpd/conf/httpd.conf > /etc/httpd/conf/httpd.conf.init

Figure 6.9. apache Configuration Image #2

apache Configuration Image #2

The image above shown the contents of the 'httpd.conf' file as viewed from within the vi editor. Our next step, once the initial file has been backed up, is to manually edit this file with your editor of choice. We need to edit three directives in this file:

  1. ServerName
  2. ServerAdmin
  3. The default VirtualHost stanza
[Note] Inside the 'httpd.conf' File

The httpd.conf file, in its initial state, is liberally commented. These comments are extremely helpful. Simply reading the file can be key to understanding much of the capability of the apache web server.

Figure 6.10. apache Configuration Image #3

apache Configuration Image #3

The screenshot above shows two of our three initial configuration changes. Find the ServerName and ServerAdmin lines in the file and change them according to your a) server name, and b) email address, as shown.

Figure 6.11. apache Configuration Image #4

apache Configuration Image #4

The screenshot above shows a very important location in terms of the server file system. This directive is called the DocumentRoot. Files placed in this location will be served by the web server. That's what's called web content. We'll return to this concept shortly.

Figure 6.12. apache Configuration Image #5

apache Configuration Image #5

The screenshot above shows the default VirtualHost stanza. This is a complex configuration concept. For now, simply update your default VirtualHost stanza with similar directives as shown above, making sure to use your personal server info as appropriate. he image also shows a NameVirtualHost directive. That's important, and needs to be there as well.

[Important] Three sections of 'httpd.conf'

The httpd.conf file is divided into three distinct sections. This fact is documented in the notes and comments within the file. The sections are as follows:

  1. Section I - contains configuration directives that apply to running server processes.
  2. Section II - contains configuration directives that apply to the main web server.
  3. Section III - contains configuration directives that apply to various Virtual Hosts.[12]

Figure 6.13. apache Configuration Image #6

apache Configuration Image #6

The screenshot above shows a series of commands for manipulating the httpd process. These commands are necessary for checking the status of the web server as well as manipulating it for various reasons.[13]

    `service httpd status`          # check status of the existing httpd process;
                                    # note that it's not running
    `service httpd start`           # start the httpd process
    `service httpd status`          # it's running now
    `service httpd restart`         # necessary after any changes to httpd.conf
    `service httpd status`          # note that the process ID (pid) is now different after the restart

Figure 6.14. apache Configuration Image #7

apache Configuration Image #7

Next we want to ensure that the httpd process runs every time the server starts. The above series of commands ensure this.

Figure 6.15. The 'httpd' Command

The 'httpd' Command

The httpd command has several options. A couple of the most useful are listed below:

    `httpd -t`                  # run a test of the configuration file;
                                # useful to test a configuration before taking it live
    `httpd -S`                  # dump the active virtual host configuration; think 'Status'
    `httpd -M`                  # dump the loaded and configured apache modules

Figure 6.16. apache Index File

apache Index File

OK. If we've made it this far, it's time to see the fruit of our labor. The screenshot above shows the creation of a simple "index.html" file. Note that it's placed in the '/var/www/html' directory. That was previously shown to be the DocumentRoot of the webserver. Set up that file, then navigate to your web site: http://<server-name> should do it. If it's not there as shown below, stop now and figure out why.[14]

Figure 6.17. Simple Web Page Test

Simple Web Page Test

The image above shows the effect of a properly configure web server with the file indicated above in the correct ('/var/www/html/index.html') location.[15]

[Important] Problems with the Firewall

If you have problems accessing the page as indicated, the first thing to check is the section called "HTTP Firewall"

PHP Configuration

In this section we will install the PHP scripting engine and ensure that it's set to work with apache. PHP has become very popular, and - by design - is made to work with apache. There are a couple of steps to install PHP and set it to be parsed correctly through apache. Also, PHP has its own configuration file, which is typically located at '/etc/php.ini'. For fine-tuning PHP , that's the file to consider.

Figure 6.18. PHP Image #1

PHP Image #1

In the screenshot above, we have checked for the presence of PHP . As shown in the return, it's not installed.

Figure 6.19. PHP Image #2

PHP Image #2

PHP , when configured to work with apache, inserts as a module[16] The screenshot above parses the loaded modules in apache's configuration, and looks for the presence of PHP . Once again, no return. (However, note that the Syntax of the file is OK.)

Figure 6.20. PHP Image #3

PHP Image #3

By running the command shown above, `yum -y install php`, PHP will be installed with all dependencies.

Figure 6.21. PHP Image #4

PHP Image #4

This screenshot shows the action as PHP is installed.

Figure 6.22. PHP Image #5

PHP Image #5

Now, running the same checks as before, we can see that PHP has been installed as well as initially configured to work with apache.

Figure 6.23. PHP Image #6

PHP Image #6

We need to make an adjustment to the httpd configuration file. Perform the following steps:

  1. `cd /etc/httpd/conf` - change to the apache config directory.
  2. cat httpd.conf > httpd.conf.`date +%s` - backs up the 'httpd.conf' file.[17]
  3. `vi httpd.conf` - edit the file with your editor of choice.
  4. Look for the line shown in the screenshot above. The line will not have the index.php part.
  5. Insert the index.php part before the index.html part.
  6. Save and exit the file.
  7. Restart the web server: `service httpd restart`.
[Warning] Backing Up Config Files

It is extremely important to backup config files before making changes to them. If you don't believe me, don't do it. Just wait and see what your karma will eventually do to you.

Figure 6.24. PHP Image #7

PHP Image #7

In the image above, we have done the following:

  1. Changed location to the '/var/www/html' directory.
  2. Created a directory called 'php'.
  3. cd'd into the 'php' directory.
  4. Created a file called test.php inside the '/var/www/html/php' directory.

Figure 6.25. PHP Image #8

PHP Image #8

The 'test.php' file should have the simple contents as shown above, and below.

  <?php
  phpinfo();
  ?>
[Important] Getting PHP Files to Parse Properly

There are two things necessary to tell apache to parse PHP properly:

  1. The file must end with the .php extension.
  2. Any (and/or all) PHP code within the file must have container tags as shown.[18]

Figure 6.26. PHP Configuration Read-Out

PHP Configuration Read-Out

Et voilĂ . If all has gone well, when you navigate to the page http://<server-name>/php/test.php, the output should be similar to that shown above. If not, stop and figure out why. Take a look through the page that results. It shows most everything your web server, now equipped with PHP , is capable of.[19]

Perl Configuration

Perl , the Practical Extraction and Report Language, has - as of this writing - over 26 years of development. It's one of the oldest programming languages, and has been in use on websites since they were first conceived and launched. In this section, we'll consider setting our web site up to run Perl scripts. Also, we'll write a simple script to show a very basic example of how Perl works.

Figure 6.27. PERL Configuration Image #1

PERL Configuration Image #1

The image above shows our check on the system to see if Perl is installed. In this case, it is - which is typically the case on most default installations of Linux.

Figure 6.28. PERL Configuration Image #2

PERL Configuration Image #2

We need to alter the '/etc/httpd/conf/httpd.conf' file again. Therefore, the first thing to do is create a "point-in-time" backup of the file, which is shown in the image above.

Figure 6.29. PERL Configuration Image #3

PERL Configuration Image #3

The next step is to vi the file, or use your editor of choice, and look inside it. Find the two directives that are listed above: the ScriptAlias, and the <Directory> container that will apply to our need. If the directives are commented out, uncomment them as shown. If they are already uncommented, leave them alone and exit the file.

Figure 6.30. PERL Configuration Image #4

PERL Configuration Image #4

Next we need to cd to the directory shown above. You can see that there's a cgi-bin directory, the same one that was mentioned in the apache directives we saw previously. This directory is the one that must contain any Perl scripts we write.[20]

Figure 6.31. PERL Configuration Image #5

PERL Configuration Image #5

The next steps are to a) `cd /var/www/cgi-bin`, and `vi first.pl`. As always, you can use your editor of choice.

Figure 6.32. PERL Configuration Image #6

PERL Configuration Image #6

Inside the first.pl file, create content exactly as shown above. The same content is shown below, as "live" text, in case you have problems.[21]

        #!/usr/bin/perl  1
        print "Content-type: text/html\n\n"; 2
        print "Hello from the World of PERL."; 
    

1

This line, called the "she-bang", must point to the Perl executable on your system. That location is found by the `which` command used earlier.

2

These lines must be duplicated exactly as shown.

Figure 6.33. PERL Configuration Image #7

PERL Configuration Image #7

After the Perl script has been created, it must be executable by setting the execute bit as shown.

Figure 6.34. PERL Configuration Image #8

PERL Configuration Image #8

Finally, when all of the above is in place, the script can be called by navigating to http://<server-name>/cgi-bin/first.pl. If it works, congratulations. If not, stop here and figure out why before proceeding.

Apache Virtual Host Configuration

The definition of an apache Virtual Host is as follows:

The term Virtual Host refers to the practice of running more than one web site (such as company1.example.com and company2.example.com) on a single machine. Virtual hosts can be "IP-based", meaning that you have a different IP address for every web site, or "name-based", meaning that you have multiple names running on each IP address. The fact that they are running on the same physical server is not apparent to the end user.

--Apache Virtual Host Documentation

In this section, we're going to create a name-based virtual host complete with a DNS entry that will call it by name.

Figure 6.35. apache Virtual Host Image #1

apache Virtual Host Image #1

This first image shows the typical config file backup that we've done before. Please perform this step before changing the httpd.conf file.

Figure 6.36. apache Virtual Host Image #2

apache Virtual Host Image #2

The screenshot above shows our edit of the httpd.conf file. In essence, there's another stanza below the first VirtualHost[22] that we created earlier. Please make the entries as shown, altering them to suit your server.[23] See the notes below for further details.

  1. Enter a ServerAdmin declaration as indicated. Note that this person or email address does not need to be the same as the other Virtual Hosts.
  2. You will need to place the files that will be served in location as indicated by DocumentRoot. You must manually create this directory.
  3. Give your Virtual Host a name. As stated, you can be creative.
  4. Enter the names of the locations for your log files. Note that it's simpler to identify them if the name matches the name of your Virtual Host.
  5. Save and exit the file.

Figure 6.37. apache Virtual Host Image #3

apache Virtual Host Image #3

In the above screenshot, three crucial steps have occurred.

  1. The appropriate directory for the Virtual Host has been created.
  2. An index.html file has been placed in that directory with content that identifies the Virtual Host.
  3. The apache server has been restarted to enable the new configuration.

Figure 6.38. apache Virtual Host Image #4

apache Virtual Host Image #4

This screenshot show the next step, which is to create a DNS entry in the RackSpace interface.

Figure 6.39. apache Virtual Host Image #5

apache Virtual Host Image #5

As shown above, we've created a CNAME record that reflects the name of our Virtual Host, and it points to our RackSpace virtual machine. The apache software will figure out the rest for us.

Figure 6.40. apache Virtual Host Image #6

apache Virtual Host Image #6

This screenshot shows the new CNAME record alongside all the other DNS entries we have created for our zone.

Figure 6.41. apache Virtual Host Image #7

apache Virtual Host Image #7

Finally, when called by name, the new Virtual Host shows the content we placed in the appropriate directory.

Web Server Logs

Web logs are one of the most important tools a system administrator can have. A variety of information can be logged, and it can be logged in a variety of ways. We won't be working with custom log creation or manipulation in this course. However, knowing where to look and what to look at is the topic of this section.

Figure 6.42. Web Logs Image #1

Web Logs Image #1

The screenshot above shows the contents of the '/var/log/httpd' directory, which is the default location for apache log files. Note that there are the Virtual Host log files we configured earlier. The apache server creates these files for us when we set the configuration properly and restart the server.

Figure 6.43. Web Logs Image #2

Web Logs Image #2

In this image, you can see that I've "catted" the Virtual Host access file. You can see where I accessed it from (IP address), as well as the time and return codes.

Figure 6.44. Web Logs Image #3

Web Logs Image #3

This image shows the contents of the Virtual Host error log. These log files are extremely helpful when troubleshooting the server.

[Note] Use of the `tail -f` Command

The command `tail -f <file-to-tail>` will watch the file given for changes. One can use this command, watching the results, while accessing the web site. The results are shown in real time.

Figure 6.45. Web Logs Image #4

Web Logs Image #4

This image shows how to stop the `tail -f` command: press CTRL + C.

Password Protected Directories

This section addresses httpd security in the form of a password-protected directory. There are several ways to approach this configuration, so we'll stick with the simplest of approaches. Further refinements are left to the student as needed.[24]

Figure 6.46. Password Protected Directory Image #1

Password Protected Directory Image #1

The image above shows out typical backup of the config file before editing. Once this is done, open the file with your editor of choice.

Figure 6.47. Password Protected Directory Image #2

Password Protected Directory Image #2

Somewhere within the main server configuration section[25] create a stanza for a <Directory> - </Directory>container as shown.

[Note] The Protected Directory Must Exist

The directory that is being protected must exist. Most likely, you'll have to create the directory manually. However, in some instances, you may simply need to secure a directory that already exists. All other steps remain the same, except for the directory creation.

Figure 6.48. Password Protected Directory Image #3

Password Protected Directory Image #3

The series of commands above have the following context.

  1. The command `htpasswd -cm /etc/http/.htpasswd secure-user1`creates the password file as well as adds the indicated user to that file. The location is arbitrary, and can be somewhere else if desired. Note that the command automatically prompts to enter the user's password.
  2. When the command is run for the second time, the '-c' flag isn't necessary. However, the '-m' (modify) flag is important. Once again, prompts for the new user's password are issued.
  3. Finally, after the file has been created, the contents contain the hashed passwords that were entered.
[Warning] httpd Basic Authentication Sends Passwords In Clear Text

Although the passwords as they exist on disk are encrypted, they are not encrypted when entered in the browser prompts that are shown below. This is the default behavior of Basic authentication. A person using a packet sniffer on the wired or wireless network can capture the passwords of httpd Basic authentication. Use of Digest authentication changes this behavior, but the configuration is more complex.

Figure 6.49. Password Protected Directory Image #4

Password Protected Directory Image #4

The image above shows the next two steps in this process. First, we have created the directory that is to be protected: '/var/www/html/secure'. Next, we have created a simple index.html file in that directory. When a call is made through a browser to access this directory, the request will not be serviced until a valid username and password are entered.

Figure 6.50. Password Protected Directory Image #5

Password Protected Directory Image #5

Since we've modified the apache configuration file, a server restart is necessary.[26]

Figure 6.51. Password Protected Directory Image #6

Password Protected Directory Image #6

This is the password dialog that is presented by the browser when attempting to access the secure area. Note that where "The Site Says:" section corresponds to the AuthName directive in the stanza of the config file that configures this directory. See Figure 6.47, "Password Protected Directory Image #2" for details.

Figure 6.52. Password Protected Directory Image #7

Password Protected Directory Image #7

Finally, after entering a valid username and password, we are granted access to the secure area.

HTTP Firewall

If the iptables firewall is running, it will need to be configured to pass http traffic on port 80. The steps below show how this is done.

Figure 6.53. http Firewall Image #1

http Firewall Image #1

The image above shows the current state of the iptables firewall, the outcome of the command `iptables -vnL`. Note that there is no line permitting traffic on port 80, which is the standard port for httpd traffic.

Figure 6.54. http Firewall Image #2

http Firewall Image #2

In this image, we have called upon the `system-config-firewall-tui` utility.

Figure 6.55. http Firewall Image #3

http Firewall Image #3

We want to Customize the configuration of the firewall.

Figure 6.56. http Firewall Image #4

http Firewall Image #4

Here we scrolled down to select (SPACE) the 'www' selection. Once selected, press TAB to the Close option.

Figure 6.57. http Firewall Image #5

http Firewall Image #5

Now TAB through the selections to say 'OK'. Note that 'Enabled' is checked.

Figure 6.58. http Firewall Image #6

http Firewall Image #6

Finally, TAB to 'Yes', and press ENTER.

Figure 6.59. http Firewall Image #7

http Firewall Image #7

Now, as we check the status of the firewall, there is a line permitting traffic on port 80. This is the desired outcome.

Web Server Check Point

If you've made it to this point, congratulations! Send me an email with the name of your Virtual Host, the location/link of your PHP test file, and the location/link of your secure area with the username/password.



[11] There is a package automatically installed as part of the group installation that provides local access to the entire apache documentation (httpd-manual) appropriate to the installed version of the software. To access this documentation, especially in a development or isolated environment, enter the url: http://localhost/manual, or http://<server-name>/manual.

[12] An apache Virtual Host is a web site or container for online documents that does not require a dedicated physical machine. It's virtual.

[13] For a full listing of the available options to this command, run `service httpd`. If you don't understand what those options are, try reading the man page `man service`.

[14] If you'd like to see what I did, navigate to The Blue Meltdown .

[15] Problems? Check the section called "HTTP Firewall" first.

[16] The apache core is compiled with built-in modules. Other modules can be inserted at run time, which is how PHP will be treated. This keeps the basic apache executable "clean and lean", and gives the option to only load modules that are needed for the specific purpose of the server.

[17] NOTE the use of `backticks` in this command. This does command substitution in the command itself. This command will create a backup of the config file for future use if needed, adding the date (in the form of a Unix Timestamp) so we have a specific version of the file as a backup. Typically, throughout this text, backticks show commands. However, in this line, we want the backticks in the command itself. You should end up with a backup of the config file with a name like httpd.conf.1388018856.

[18] There are actually several variations of the PHP container tags. In some instances, the closing tag is not required or preferred. However, that subject is beyond the scope of this course. See the PHP documentation for more details.

[19] Leaving the phpinfo() page accessible is considered a security risk. Anyone accessing this page can potentially target vulnerabilities on your web server. Our page is relatively obscured, and our server is not a "high-test" production machine. Therefore, you can leave the page there, at your discretion.

[20] This approach, and CGI programming itself, is governed by a set of standards. See the CGI link, or the CGI Wikipedia Article for more details.

[21] Bear in mind that every character and quote in this file is important, and the script will not run if it's not right. CGI programming can be very unforgiving. For more information, see Apache 2.2 Webserver Documentation - click on "CGI: Dynamic Content", or Apache 2.2 CGI Documentation - click on "Writing a CGI Program", for more details.

[22] The first VirtualHost in the httpd.conf file is closely tied to the main server configuration of that file. In short, any entries that are not present in the first VirtualHost are borrowed from the main server configuration. I've found it useful to create the first VirtualHost and duplicate the main server configuration in order to prevent any ambiguity.

[23] You can name the virtual host whatever you want, you're not bound to the name I've given here.

[24] Additional concepts regarding this method are a) digest authentication, b) group authorization, c) use of '.htaccess' files, and more. See Apache 2.2 Webserver Documentation , then click on Authentication and Authorization in the upper right corner, for more details.

[25] Note that the use of password-protected directories is not limited to the main server. Indeed, an Virtual Host is also fair game for this configuration.

[26] While the word necessary is true, it's true only to a certain extent. It's possible to also issue the command `service httpd reload`, which will reread the config file and not stop the server. This is a graceful way to restart the server, thereby not disconnecting existing traffic.