Apache Webserver Tips

Tips for the configuration of the Apache webserver. Unless noted otherwise, the settings were performed on a Slackware Linux system. Necessary steps for other Systems my vary slightly.

Tips refer to apache 2.x.

• chmod +x /etc/rc.d/rc.httpd is necssary to start apache automatically at system boot.
• To enable per-directory settings with .htaccess files, you have to set the AllowOverride directive for the document root (usually /srv/httpd/htdocs) accordingly. Amongst others, this is usually necessary fot URL Rewriting. When on doubt, set AllowOverride to all. More Info
• To tell the browsers in the HTTP-header to use UTF-8 as default encoding, add AddDefaultCharset UTF-8 to the DocumentRoot section (<Directory „/srv/httpd/htdocs“>)
• Uncomment Include /etc/httpd/extra/httpd-autoindex.conf to enable fancy directory listings
• Uncomment /etc/httpd/extra/httpd-userdir.conf to enable user home directories Include, eg. http://~sandy/…
• See Subversion Tips for using apache as subversion server

Enable php by doing the following changes in /etc/httpd/httpd.conf (old: /etc/apache/httpd.conf):

<     DirectoryIndex index.html
---
>     DirectoryIndex index.php index.html
< #Include /etc/httpd/mod_php.conf
---
> Include /etc/httpd/mod_php.conf

Make sure that /etc/httpd/php.ini is based on /etc/httpd/php.ini-production. See notes

As of Slack 13.37 you have to set your timezone in php.ini, eg date.timezone = „Europe/Berlin“ in order to avoid warnings in error log.

(Re)start apache with /etc/rc.d/rc.httpd restart

Test apache & php by saving the following line as /var/www/htdocs/index.php

<?php phpinfo(); ?>

Point your browser to http://localhost/. You should see infomations about your php installation there. If you get a download dialog window with something about application/x-httpd-php instead the page, especially with firefox, then empty your browser cache (you go to tools>clear private data) and try again

Note: With Slack 13.0 (PHP 5.2.10) there is a problem with semaphore creating rights. To fix this change session.save_path from /var/lib/php/ back to /tmp in /etc/httpd/php.ini ¹⁾. An alternative might be to fix the permission settings of /var/lib/php/.

Note: PHP is also a great alternative to Perl or Bash command line scripts. See PHP Manual

Quick and dirty example with these parameters:

• Directory to be protected: /var/www/htdocs/digestTest/
• Realm: 'Digest Authentication Test' (arbitrary selectable)
• Username: testuser
• Module auth_digest_module is loaded in httpd.conf
• AllowOverride directive is set to All for that direcory for for the document root in general

Create password file .htpasswd with:

htdigest -c .htpasswd 'Digest Authentication Test' testuser

Create config file .htaccess (for Apache 1.x):

AuthType Digest
AuthName "Digest Authentication Test"
AuthDigestFile /var/www/htdocs/digestTest/.htpasswd
Require valid-user

Create config file .htaccess (for Apache 2.x):

AuthType Digest
AuthName "Digest Authentication Test"
AuthDigestProvider file
AuthUserFile /var/www/htdocs/digestTest/.htpasswd
Require valid-user

Put .htpasswd and .htaccess into /var/www/htdocs/digestTest/

Note that the manual discourages to put .htpasswd into the same directory which is to be protected, however it seems common usage. Check at least .htpasswd and .htaccess will not be displayed in your webbrowser!

More useres can be added to .htpasswd (or existing users modified) with:

htdigest .htpasswd 'Digest Authentication Test' newusername

More details at Apache manual

In DocumentRoot section do

-    Options Indexes FollowSymLinks
+    Options FollowSymLinks

Create an .htaccess file in the regarding directory and add this line:

Options +Indexes

Note that the AllowOverride Directive must allow this. More: htaccess, Options

Fancy directory listings:

Include /etc/httpd/extra/httpd-autoindex.conf

Disable access to the entire file system except for the directories that are explicitly allowed later.

<Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
</Directory>

Further measures:

ServerTokens Minimal
ServerSignature Off
TraceEnable On

(Proposals taken from Debian Lenny /etc/apache2/conf.d/security)

Vhost documentation start

See also CalDAV/CardDAV with Baïkal Server

Name-based virtual hosting cannot be used with SSL secure servers. More: http://httpd.apache.org/docs/2.2/vhosts/name-based.html

First you need the NameVirtualHost directive somwhere in your Apache config file(s). On Debian Lenny it is already present in /etc/apache2/ports.conf:

NameVirtualHost *:80

Next for each domain a <VirtualHost *:80> section is necessary. There you must specify your domain name, domain aliases (for www etc), the document root and settings for the document root. Example:

<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias mydomain.com *.mydomain.com
    DocumentRoot /var/www/mydomain.com/
    <Directory /var/www/mydomain.com/>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Settings for eg. ServerAdmin, ErrorLog, LogLevel and CustomLog should have global default values outside of the virtual host sections. But you may optionally overwrite those for each VirtualHost section as well. Note however, that the security settings (see above) IMHO shouldn't be overwritten in the VirtualHost sections!