# Redirect to homepage.
# RedirectMatch is the regexp version of "Redirect". Use this to suppress recursion.
RedirectMatch ^/$ /homepage/
Alias /siteB "siteB"
Options Multiviews FollowSymlinks
Allow from all
# require all granted
LoadModule php5_module "modulePath" should work. On CentOS, installing with sudo yum install httpd php makes apache and PHP work directly; there, PHP does not run as an apache module but independently.
Use chkconfig httpd on or chkconfig mysqld on to see whether these two services are installed and running successfully.
To install php:
# php-gd is for creating and manipulating images. php-gd and php-xml are both needed for mediawiki.
sudo yum install php php-mysql php-gd php-xml
If you open mw-config/index.php while installing MediaWiki and get a blank page, it is usually because you haven't installed php-xml. MediaWiki needs:
php-gd, for image handling.
php-apc, for php cache.
php-intl, for internationalization.
To install mysqld on CentOS:
sudo yum install mysql-server
sudo service mysqld start
Open /etc/httpd/conf/httpd.conf and replace: LoadModule mpm_event_module modules/mod_mpm_event.so with LoadModule mpm_prefork_module modules/mod_mpm_prefork.so.
Cause: libphp7.so included with php-apache does not work with mod_mpm_event.
To enable PHP, add these lines to /etc/httpd/conf/httpd.conf:
LoadModule php7_module modules/libphp7.so
If your DocumentRoot is not /srv/http, add it to open_basedir in /etc/php/php.ini as such: open_basedir=/srv/http/:/home/:/tmp/:/usr/share/pear/:/path/to/documentroot.
Restart httpd.service using systemd: systemctl restart httpd.
Test php with
<?php phpinfo(); ?>
The default path is "htdocs".
For example, in Linux:
and in Windows,
The path should not contain a trailing slash. Also make sure the path is readable but not writable to others.
You can also use virtual hosts, to set a custom document root for each particular site instead of the default. The virtual host's configuration file may be /var/www/vhosts/domain.name/conf/vhosts.conf. Add the DocumentRoot directive there.
apachectl -k restart
to make the change effective.
This stores the apache installation path. It commonly contains "conf/" and "logs/". Relative paths in configuration directives such as "Include" and "LoadModule" are taken as relative to this directory.
Alias /siteB "/home/somebody/siteB"
Options Multiviews FollowSymlinks
Allow from all
There are two types of virtual hosts (VH): IP-based and name-based.
IP-based VH requires a unique IP for every site, which is to say, if you have 3 sites on the server, you need 3 IPs/Network Interface Cards (NICs), which is not so attractive.
When we buy a web host, we usually share a single IP with many other sites, which is to say, several domain names are pointing to the same IP. This case is handled by the name-based VH. How does that work? Apache first looks for the hostname entry in the HTTP header, and then chooses the corresponding VH configuration.
In the config file "httpd.conf", there is a line saying
The directive "NameVirtualHost" indicates that all the name-based VHs listen on port 80.
The two VH are both listening on port 80, and they are discriminated by ServerName and ServerAlias.
to test the configuration.
The DirectoryIndex directive sets the list of resources to look for, when the client requests an index of the directory by specifying a / at the end of the directory name.
Several URLs may be given, in which case the server will return the first one that it finds.
If none of the resources exist and the Indexes option is set, the server will generate its own listing of the directory.
This module provides a filter which will process files before they are sent to the client. The processing is controlled by specially formatted SGML comments, referred to as elements.
Server Side Includes are implemented by the INCLUDES filter. If documents containing server-side include directives are given the extension .shtml, the following directives will make Apache parse them and assign the resulting document the mime type of text/html:
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
# The following directive must be given for the directories containing the shtml files:
List directory contents or not
To make apache list your directory contents, add Options +Indexes. To prevent it, add Options -Indexes instead.
When a directory is requested, you may want to see index.php instead of index.html. Set it like this: DirectoryIndex index.php index.html.
Trailing slash redirection
When you type a URL like http://www.example.com/dir, apache must send a redirect to http://www.example.com/dir/ so that the relative hyperlinks will work. For Apache to know the server name, it is best to set UseCanonicalName off so that the name supplied by the client in the Host HTTP request header is used. Otherwise, you must guarantee that ServerName is set correctly.
Require: Selects which authenticated users can access a resource.
Multiple instances of this directive are combined with a logical "OR", such that a user matching any Require line is granted access.
The restrictions are processed by authorization modules.
The allowed syntaxes provided by mod_authz_user and mod_authz_groupfile are:
Require user userid [userid] ...
Only the named users can access the resource.
Require group group-name [group-name] ...
Only users in the named groups can access the resource.
All valid users can access the resource.
Other authorization modules that implement require options include mod_authnz_ldap, mod_authz_dbm, and mod_authz_owner.
AuthName: Authorization realm for use in HTTP authentication.
The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
It must be accompanied by AuthType and Require directives, and directives such as AuthUserFile and AuthGroupFile to work. See Apache auth.
The authentication types available are Basic (implemented by mod_auth_basic) and Digest (implemented by mod_auth_digest).
-n: display results on stdout.
-b: batch mode; get the password from the command line rather than prompting for it.
-c: create the password file.
-p: plain text.
-m: MD5. -s: SHA1. -d: crypt.
1. PLAIN TEXT (i.e. unencrypted)
$ htpasswd -nbm myName myPassword
$ openssl passwd -apr1 -salt r31..... myPassword
$ htpasswd -nbs myName myPassword
$ htpasswd -nbd myName myPassword
$ openssl passwd -crypt -salt rq myPassword
Warning: truncating password to 8 characters
The salt for a CRYPT password is the first two characters (converted to a binary value).
Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.
The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars).
Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits. realm is the Authorization Realm argument to the AuthName directive in httpd.conf.
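The digest format above and the SHA1 format printed by htpasswd -nbs, computed with Python's standard library. This is an added example, not part of the original notes; the user names, realms and password are constructed sample values, and the realm stands in for the AuthName argument.

```python
import base64
import hashlib
import hmac


def htdigest_line(user: str, realm: str, password: str) -> str:
    """Build a digest-auth entry: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def verify_htdigest(line: str, password: str) -> bool:
    """Recompute the hash from the entry's own user and realm and compare."""
    user, rest = line.strip().split(":", 1)
    realm, stored = rest.rsplit(":", 1)
    expected = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(stored.lower(), expected)


def htpasswd_sha1_line(user: str, password: str) -> str:
    """Build the -s (SHA1) entry: user:{SHA} + Base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real password file.
    entry = htdigest_line("myName", "Private Area", "myPassword")
    print(entry)
    print(verify_htdigest(entry, "myPassword"))  # correct password
    print(verify_htdigest(entry, "myPasswo"))    # no 8-character truncation here
    # The same password under a different realm gives a different hash, so
    # changing AuthName invalidates every stored digest entry.
    print(htdigest_line("myName", "Other Realm", "myPassword") != entry)
    # The {SHA} format has no salt: two users with the same password get
    # identical hashes, unlike the salted $apr1$ format.
    print(htpasswd_sha1_line("alice", "myPassword").split(":")[1]
          == htpasswd_sha1_line("bob", "myPassword").split(":")[1])
```
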
Satisfy: Combine between host-level access control and user authentication.
By default, it is assumed that the value is all. This means that if several criteria are specified, then all of them must be met in order for someone to get in.
For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following:
# Host-level access
Allow from 192.168.1
Shell-style (fnmatch()) wildcard characters can be used in the filename or directory parts of the path to include several files at once, in alphabetical order.
If Include points to a directory, Apache httpd will read all files in that directory and any subdirectory. However, including entire directories is not recommended, because it is easy to accidentally leave temporary files in a directory that can cause httpd to fail.
The Include directive will fail with an error if a wildcard expression does not match any file. The IncludeOptional directive can be used if non-matching wildcards should be ignored.
The file path specified may be an absolute path, or may be relative to the ServerRoot directory.
wcfNote: actually, I need only to enable mod_actions.
The built-in handlers in the standard distribution are as follows:
default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)
send-as-is: Send file with HTTP headers as is. (mod_asis)
cgi-script: Treat the file as a CGI script. (mod_cgi)
imap-file: Parse as an imagemap rule file. (mod_imagemap)
server-info: Get the server's configuration information. (mod_info)
server-status: Get the server's status report. (mod_status)
type-map: Parse as a type map file for content negotiation. (mod_negotiation)
Limit: Restrict enclosed access controls to only certain HTTP methods.
Access controls are normally effective for all access methods.
The method names listed can be one or more of: GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK. The method name is case-sensitive.
<Limit POST PUT DELETE>
Restrict access controls to all HTTP methods except the named ones. Opposite of Limit directive.
.htaccess is a per-directory configuration file. When a url, such as /site/image/ is requested, if the server configuration has no AllowOverride None, Apache will search .htaccess in those directories successively:
and the settings in /site/image/.htaccess override the settings in its ancestor directories.
This page from apache.org is against the use of .htaccess file. The main disadvantages include:
Every time you visit a file, Apache has to check for the .htaccess.
It has a security issue. For example, what if a user uploads a file called .htaccess?
.htaccess can override Directory sections, but not the others. So you can still restrict its usage, such as by:
Again and again, I ran into the "403: Forbidden" error. This time, I was sure that both the file permissions and the apache configuration were right, but the problem was still there?
This page hinted to me that CentOS SELinux may have something to do with the problem. Yet another culprit! The Red Hat page also mentions the correlation. SELinux has a policy to define how processes running in confined domains interact with files or other processes, even if Linux (DAC) permissions are already there. Therefore, remember to use setenforce 0 to turn off the enforcing mode, if you find your apache can't access your sites. This page provides several ways to work around this issue. My favorite one is putting the process type into permissive mode: semanage permissive -a httpd_t.
See also ssl.md.
See this page for how to install self-signed cert for apache.
Be cautious about the file permissions of myCorp.crt, myCorp.key, gd_bundle.crt. The usually preferred permissions for certs are root:root 0444, and for the key root:root 0400.
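One way to check those permissions automatically, as an added example that is not part of the original notes. It tests the security-relevant mode bits rather than exact equality with 0444/0400; the function name and the expected_uid/expected_gid parameters are hypothetical, and the demo files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_tls_file(path, is_private_key, expected_uid=0, expected_gid=0):
    """Return a list of findings for one cert or key file (empty list = OK)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append(f"owner is {st.st_uid}:{st.st_gid}, "
                        f"expected {expected_uid}:{expected_gid}")
    if is_private_key:
        # 0400: any group/other bit lets another local account read,
        # replace or execute the key.
        if mode & 0o077:
            findings.append(f"private key open to group/others (mode {mode:04o})")
    else:
        # 0444: certificates are public, but nobody besides the owner
        # should be able to swap them out.
        if mode & 0o022:
            findings.append(f"certificate writable by group/others (mode {mode:04o})")
    return findings


if __name__ == "__main__":
    # Constructed demo: file names follow the text above, contents are empty.
    with tempfile.TemporaryDirectory() as d:
        samples = {"myCorp.crt": (0o444, False),
                   "gd_bundle.crt": (0o664, False),
                   "myCorp.key": (0o644, True)}
        for name, (mode, is_key) in samples.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
            st = os.stat(path)
            # Assumption for the demo only: accept the current owner, since
            # the temporary files are not owned by root:root.
            print(name, audit_tls_file(path, is_key, st.st_uid, st.st_gid))
```
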
dbm:logs/ssl_scache creates the cache as a DBM hashfile on the local disk.
shmht: uses a hash table to cache the SSL handshake information in shared memory.
shmcb: uses a cyclic buffer to cache the SSL handshake information in shared memory.
-reconnect forces the s_client to connect to the server 5 times using the same SSL session ID. You should see 5 attempts of Reusing the same Session-ID as shown above.
DAV (Distributed Authoring and Versioning), sometimes WebDAV, is a protocol extension to HTTP. In spite of the name, the development group of DAV has now focused on the authoring only. It allows creating, moving, copying, and deleting resources and collections on a remote web server.
To enable mod_dav, set in conf: Dav on. It is implemented by the mod_dav_fs module.
Set lock DB: DavLockDB /usr/local/apache2/var/DavLock. The directory containing the lock database must be writable by the User and Group under which Apache is running.
If you want to set the maximum amount of bytes that a DAV client can send at one request, you have to use the LimitXMLRequestBody directive. The "normal" LimitRequestBody directive has no effect on DAV requests.
Allow from all
<LimitExcept GET OPTIONS>
Require user admin
Alias /phparea /home/gstein/php_files
Alias /php-source /home/gstein/php_files
With this setup, http://example.com/phparea can be used to access the output of the PHP scripts, and http://example.com/php-source can be used with a DAV client to manipulate them.
There are two different Subversion server processes: either svnserve, which is a small standalone program similar to cvs pserver, or Apache httpd-2.0 using a special mod_dav_svn module. svnserve speaks a custom protocol, while mod_dav_svn uses WebDAV as its network protocol.
Must be included in any Directory or Location block for a Subversion repository. It tells httpd to use the Subversion backend for mod_dav to handle all requests.
# any "/svn/foo" URL will map to a repository in
# any "/svn/foo" URL will map to an activities db in
When set to On, allows a GET of SVNParentPath, which results in a listing of all repositories under that path. The default setting is Off.
Specifies the location in the filesystem of a parent directory whose child directories are Subversion repositories. In a configuration block for a Subversion repository, either this directive or SVNPath must be present, but not both.
Specifies the location in the filesystem for a Subversion repository's files. In a configuration block for a Subversion repository, either this directive or SVNParentPath must be present, but not both.
Controls path-based authorization by enabling subrequests (On), disabling subrequests (Off), or querying mod_authz_svn directly (short_circuit). The default value of this directive is On.
This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site.
It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user.
This module uses a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly.