All notes
Apach

Template

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
	...
	# Redirect to homepage.
	# RedirectMatch is the regexp version of "Redirect". Use this to suppress recursion.
	RedirectMatch ^/$ /homepage/
	...
</Directory>
             
Alias /siteB "siteB"
<Directory "siteB">
	Options Multiviews FollowSymlinks
	AllowOverride None
	Order allow,deny
	Allow from all
# require all granted
</Directory>

Installation

Cent OS

LoadModule php5_module "modulePath" should work. In Cent OS, installing by sudo yum install httpd php makes apache and PHP work directly, where its PHP does not work as apache module but independently.

Use chkconfig httpd on or chkconfig mysqld on to see whether these two services are installed and ran successfully.

To install php:

# php-gd is for creating and manipulating images. php-gd and php-xml are both needed for mediawiki.
sudo yum install php php-mysql php-gd php-xml

When installing mediawiki, entering mw-config/index.php and get a blank page, it is usually because you haven't installed php-xml. The mediawiki needs:

To install mysqld on Cent OS:

sudo yum install mysql-server
sudo service mysqld start
mysql-secure-installation

Arch linux

Install PHP support

ArchWiki.

Test php with

<?php phpinfo(); ?>

DocumentRoot

DocumentRoot directory_path

The default path is "htdocs".
For example, in Linux: DocumentRoot /var/www/public_html
and in Windows, DocumentRoot "e:/works/homepage"

The path should not contain a trailing slash. Also make sure the path is readable but not writable to others.

You can also use virtual hosts, to set a custom document root for each particular site instead of the default. The virtual host's configuration file may be /var/www/vhosts/domain.name/conf/vhosts.conf. Add the DocumentRoot directive there.

Use

apachectl -k restart
to make the change effective.

ServerRoot

This stores the apache installation path. It commonly contains "conf/" and "logs/". Relative paths in configuration directives such as "Include" and "LoadModule" are taken as relative to this directory.

Alias

Alias /siteB "/home/somebody/siteB"
<Directory "/home/somebody/siteB">
	Options Multiviews FollowSymlinks
	AllowOverride None
	Order allow,deny
	Allow from all
</Directory>

VirtualHost

There are two types of virtual hosts (VH): IP-based and name-based.

IP-based VH requires a unique IP for every site, which is to say, if you have 3 sites on the server, you need 3 IP/Network Interface Card (NIC), which is not so attractive.

When we buy a web host, we usually share a single IP with many other sites, which is to say, several domain names are pointing to the same IP. This case is handled by the name-based VH. How does that work? Apache first looks for the hostname entry in the HTTP header, and then chooses the corresponding VH configuration.

In the config file "httpd.conf", there is a line saying

Include conf/extra/httpd-vhosts.conf
It is recommended to add VH configurations here.

A typical conf file is:

<VirtualHost *:80>
	ServerAdmin [email protected]
	DocumentRoot "/usr/local/me/..."
	ServerName mydomain.com
	ServerAlias www.mydomain.com
	ErrorLog "/var/log/mydomain_err.log"
	CustomLog "/var/log/mydomain_access.log" common
</VirtualHost>

<VirtualHost *:80>
	ServerAdmin [email protected]
	DocumentRoot "/usr/local/she/..."
	ServerName herdomain.com
	ServerAlias www.herdomain.com
	ErrorLog "/var/log/herdomain_err.log"
	CustomLog "/var/log/herdomain_access.log" common
</VirtualHost>

The directive "NameVirtualHost" indicates that all the name based VH be listening on port 80.

The two VH are both listening on port 80, and they are discriminated by ServerName and ServerAlias.

Use

httpd -S
to test the configuration.

Options

DirectoryIndex

ApacheDoc. The DirectoryIndex directive sets the list of resources to look for, when the client requests an index of the directory by specifying a / at the end of the directory name.
Several URLs may be given, in which case the server will return the first one that it finds.
If none of the resources exist and the Indexes option is set, the server will generate its own listing of the directory.

Filters

ApacheDoc. This module provides a filter which will process files before they are sent to the client. The processing is controlled by specially formatted SGML comments, referred to as elements.

Server Side Includes are implemented by the INCLUDES filter. If documents containing server-side include directives are given the extension .shtml, the following directives will make Apache parse them and assign the resulting document the mime type of text/html:

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# The following directive must be given for the directories containing the shtml files:
Options +Includes

List directory contents or not

To make apache list your directory contents, add Options +Indexes. To prevent, add Options -Indexes instead.
Reference.

Default page

When a directory is requested, you may want to see index.php instead of index.html, set like this: DirectoryIndex index.php index.html. See this reference.

Trailing slash redirection

When you type a URL like http://www.example.com/dir, apache must send a redirect to http://www.example.com/dir/ so that the relative hyperlinks will work. For Apache to know the server name, you'd better to set UseCanonicalName off so that the name supplied by the client in the host HTTP request header is used. Otherwise, you must guarantee that ServerName is set correctly.

Authentication

Require

Require: Selects which authenticated users can access a resource.

AuthName

AuthName: Authorization realm for use in HTTP authentication.

AuthType

The authentication types available are Basic (implemented by mod_auth_basic) and Digest (implemented by mod_auth_digest).

Basic

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html.

To create a plaintext password file,

htpasswd -c /path/to/file username

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user username

<Directory /www/docs/private>
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
AuthDBMUserFile /www/passwords/passwd.dbm
Require valid-user
</Directory>

Basic authentication includes:

htpasswd:
-n (display res on stdout),
-b (batch mode, get passwd from command line rather than prompting for it)
-c (create passwd file)
-p: plain text.
-m: md5. -s: SHA1. -d: crypt.

1. PLAIN TEXT (i.e. unencrypted)

2. MD5
$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
To validate:
$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

3. SHA1
$ htpasswd -nbs myName myPassword
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

4. CRYPT
$ htpasswd -nbd myName myPassword
myName:rqXexS6ZhobKA
To validate:
$ openssl passwd -crypt -salt rq myPassword
Warning: truncating password to 8 characters
rqXexS6ZhobKA

The salt for a CRYPT password is the first two characters (converted to a binary value).
Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.

The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars).

Digest

Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits. realm is the Authorization Realm argument to the AuthName directive in httpd.conf.

PHP
md5($user . ':' . $realm . ':' .$password)

Authenticate a group

AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName

The /usr/local/apache/passwd/groups should contain all the usernames with the format:

GroupName: rbowen dpitts sungo rshersey

To add a user to the existing password file:

htpasswd /usr/local/apache/passwd/passwords dpitts
It will be appended to the existing file, rather than creating a new file. (It's the -c that makes it create a new password file).

Require valid-user Using that rather than the Require user rbowen line will allow anyone in that is listed in the password file, and who correctly enters their password.

To select a dbd file rather than a text file, for example:

<Directory /www/docs/private>
AuthName "Private"
AuthType Basic
AuthBasicProvider dbm
AuthDBMUserFile /www/passwords/passwd.dbm
Require valid-user
</Directory>

Satisfy

Satisfy: Combine between host-level access control and user authentication.

Satisfy All/Any
By default, it is assumed that the value is all. This means that if several criteria are specified, then all of them must be met in order for someone to get in.

For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following:

# Authentication
Require valid-user

# Host-level access
Order allow,deny
Allow from 192.168.1

Satisfy Any

Other directives

Include

Apache.org: core/include

Include /usr/local/apache2/conf/ssl.conf
Include /usr/local/apache2/conf/vhosts/*.conf

Include conf/ssl.conf
Include conf/vhosts/*.conf

Include conf/vhosts/*/*.conf
IncludeOptional conf/vhosts/*/*.conf

Action, AddHandler

ApacheDoc.

Related Modules:
mod_actions
mod_mime
mod_negotiation

Related Directives:
Action
AddHandler
RemoveHandler
SetHandler

wcfNote: actually, I need only to enable mod_actions.

The built-in handlers in the standard distribution are as follows:

default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)
send-as-is: Send file with HTTP headers as is. (mod_asis)
cgi-script: Treat the file as a CGI script. (mod_cgi)
imap-file: Parse as an imagemap rule file. (mod_imagemap)
server-info: Get the server's configuration information. (mod_info)
server-status: Get the server's status report. (mod_status)
type-map: Parse as a type map file for content negotiation. (mod_negotiation)

Action markdown /notes/markdown/handler.php
AddHandler markdown .md

Limit

Limit: Restrict enclosed access controls to only certain HTTP methods.

<Limit POST PUT DELETE>
Require valid-user
</Limit>

LimitExcept

Restrict access controls to all HTTP methods except the named ones. Opposite of Limit directive.

.htaccess

.htaccess is a per-directory configuration file. When a url, such as /site/image/ is requested, if the server configuration has no AllowOverride None, Apache will search .htaccess in those directories successively:

  1. /
  2. /site/
  3. /site/image/
and the settings in /site/image/.htaccess override the settings in its ancestor directories.

This page from apache.org is against the use of .htaccess file. The main disadvantages include:

.htaccess could overwrite Directory sections, but not the others. So you still could constrict its usage, such as by:

<Directory />
	Allowoverride All
</Directory>
<Location />
	Options +IncludesNoExec -ExecCGI
</Location>

Other issues

SELinux and apache: 403 Error

Again and again, I met with "403: Forbidden" error. Now this time, I was sure that both the file permission and the apache configuration are right, but still the problem?

This page hints me that the Cent OS SELinux may have something with the problem. Yet another culprit! The redhat page also mentions the correlation. SELinux has a policy to define how processes running in confined domains interact with files or other processes, even if Linux (DAC) permissions are already there. Therefore, remember to use setenforce 0 to turn off the enforce mode, if you find your apache can't access your sites. This page provides several ways to work around this issue. My favorite one is adding the process type into permissive mode: semanage permissive -a httpd_t.

SSL

See also ssl.md.

See this page for how to install self-signed cert for apache.

Be cautious about the files permission of myCorp.crt, myCorp.key, gd_bundle.crt. Usually preferred permissions for certs: root:root 0444, and preferred permissions for the key root:root 0400.

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
	ServerName www.example.com
	SSLEngine on
	SSLCertificateFile "/path/to/www.example.com.cert"
	SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

SSL Performance Tuning

Inter Process SSL Session Cache

TLDP. Apache uses a multi-process model, in which all the request are NOT handled by the same process. This causes the SSL Session Information to be lost when a Client makes multiple requests.

SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
dbm:logs/ssl_scache creates the Cache as DBM hashfile on the local disk. shmht: uses a Hash Table to Cache the SSL HandShake Information in the Shared Memory. shmcb: uses a Cyclic Buffer to Cache the SSL HandShake Informationin the Shared Memory.

Verifying SSLSession Cache

openssl s_client -connect your.server.dom:443 -state  -reconnect

# CONNECTED(00000003)
# .......
# .......
# Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
# SSL-Session:
# .....
# Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
# SSL-Session:
# .....
# Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
# SSL-Session:
# .....
# Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
# SSL-Session:
# .....
# Reused, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
# SSL-Session:
# .....
-reconnect forces the s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts of Reusing the same Session-ID as shown above.

WebDAV

DAV (Distributed Authoring and Versioning), sometimes WebDAV, is an protocol extension to HTTP. In spite of the name, the development group of DAV has now focused on the authoring only. It allows creating, moving, copying, and deleting resources and collections on a remote web server.

http://httpd.apache.org/docs/2.2/mod/mod_dav.html.

DavLockDB /usr/local/apache2/var/DavLock

<Location /foo>
Order Allow,Deny
Allow from all
Dav On

AuthType Basic
AuthName DAV
AuthUserFile user.passwd

<LimitExcept GET OPTIONS>
Require user admin
</LimitExcept>
</Location>

Alias /phparea /home/gstein/php_files
Alias /php-source /home/gstein/php_files
<Location /php-source>
DAV On
ForceType text/plain
</Location>
With this setup, http://example.com/phparea can be used to access the output of the PHP scripts, and http://example.com/php-source can be used with a DAV client to manipulate them.

mod_dav_svn

https://subversion.apache.org/faq.html#collab. There are two different Subversion server processes: either svnserve, which is small standalone program similar to cvs pserver, or Apache httpd-2.0 using a special mod_dav_svn module. svnserve speaks a custom protocol, while mod_dav_svn uses WebDAV as its network protocol.

http://svnbook.red-bean.com/en/1.7/svn.ref.mod_dav_svn.conf.html.

DAV svn

Must be included in any Directory or Location block for a Subversion repository. It tells httpd to use the Subversion backend for mod_dav to handle all requests.

<Location /svn>
DAV svn

# any "/svn/foo" URL will map to a repository in 
# /net/svn.nfs/repositories/foo
SVNParentPath         "/net/svn.nfs/repositories"

# any "/svn/foo" URL will map to an activities db in
#  /var/db/svn/activities/foo
SVNActivitiesDB       "/var/db/svn/activities"
</Location>

SVNListParentPath On|Off

When set to On, allows a GET of SVNParentPath, which results in a listing of all repositories under that path. The default setting is Off.

SVNParentPath directory-path

Specifies the location in the filesystem of a parent directory whose child directories are Subversion repositories. In a configuration block for a Subversion repository, either this directive or SVNPath must be present, but not both.

SVNPath directory-path

Specifies the location in the filesystem for a Subversion repository's files. In a configuration block for a Subversion repository, either this directive or SVNParentPath must be present, but not both.

SVNPathAuthz On|Off|short_circuit

Controls path-based authorization by enabling subrequests (On), disabling subrequests (Off), or querying mod_authz_svn directly (short_circuit). The default value of this directive is On.

FAQ

Why apache depends on lynx?

TechJourney: running apachectl status returns lynx not found error.

apachectl status calls a web browser (in this case, lynx) to look at a URL that may be specified in the configuration file that has some status information.