
Apache

Prereqs

  • Networking fundamentals like hostname and IP, etc

Terminology

  • Secure Shell (SSH) - secure way to log in to a remote machine over the command line and execute commands. The service listens on port 22 on the guest.
  • SSH Client - For Mac, Terminal. For Windows, PuTTY
  • Hypervisor - Software that allows guest VMs to use the resources of the host and its hardware. Eg. VirtualBox
  • localhost - A network name for the computer you're already on.
  • httpd - The Apache HTTP Server daemon itself (the process and service name on Fedora/CentOS; Debian/Ubuntu call it apache2). Listens on port 80 on the guest.
  • apachectl - A control script bundled with Apache that can be used to manage and interact with the Apache service.
  • root - The Linux superuser account (uid 0)
  • sudo - command that runs a single command with elevated privileges from a regular account (and logs that it did so)
  • service - a wrapper around the distribution's init scripts (which in turn call apachectl) and the preferred way to start/stop the daemon; on systemd distributions, systemctl plays the same role

Apache HTTP Server

  • A web server application that delivers web content that can be accessed through the internet.
    • Eg: HTML, CSS, JS
  • Open Source project
  • Modular, so you can add modules for specific use cases such as SSL/TLS, load balancing, etc
  • Apache runs as one parent process plus a pool of child processes; each child can serve a different request at the same time
  • Per-directory configuration can also live in a plain text file named .htaccess inside the content directory
    • Controls what can and cannot be changed within that directory (and its subdirectories)
    • Useful for shared hosts: each customer can tune their own directory without being given access to the server config, and the host limits what they may override with AllowOverride
  • .htaccess files are read on every request (so no restart needed)
    • Unprivileged users who can write to the directory can change its configuration this way, so AllowOverride None is the safe default for any directory where users can upload or write
  • Disadvantages:
    • slower than the server config files, because Apache looks for and reads .htaccess in every directory on the path for every request
    • increases the security risk of the site: anyone who can write a .htaccess file (an upload feature, a compromised application, a writable directory) gets to rewrite that directory's configuration, eg enabling script execution or changing access rules, without a restart
  • Apache's configuration is stored in plain text files
  • Primary config file is named httpd.conf
    • Changes are recognized when the server is started or restarted, including graceful restarts
    • Location is set at compile time and depends on the distribution unless overridden (rare)
      • Fedora and CentOS - /etc/httpd/conf/httpd.conf
        • monolithic layout unless stuff is split up and pulled in using Include
      • Debian and Ubuntu - /etc/apache2/apache2.conf
        • usually set up as one small config file per site or per group of configuration
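Added example (not from the original notes and not an Apache tool): a small audit that shows the two things worth checking about .htaccess, how much the server config lets it override (AllowOverride per Directory) and whether anyone other than the owner can write one. The httpd.conf, directory tree and permissions below are constructed in a temp directory purely for the demo; the directory paths are made up.

```shell
#!/bin/sh
# Added example: audit AllowOverride scope and .htaccess writability.
# Everything under make_demo_tree is a constructed fixture, not a real site.

# Print "<dir>: AllowOverride <value>" for every <Directory> block in the
# config file $1 whose AllowOverride is anything other than None.
audit_allowoverride() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $2; gsub(/["<>]/, "", dir)          # strip quotes and the closing >
        }
        /^[[:space:]]*AllowOverride[[:space:]]/ {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            if (tolower(val) != "none") printf "%s: AllowOverride %s\n", dir, val
        }
        /^[[:space:]]*<\/Directory>/ { dir = "" }
    ' "$1"
}

# List .htaccess files under $1 that group or others can write. Apache reads
# .htaccess on every request, so whoever can write it reconfigures the site.
find_writable_htaccess() {
    find "$1" -name .htaccess \( -perm -g=w -o -perm -o=w \) | sort
}

# Build a throwaway config + docroot (demo fixture) and print its path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/html/uploads" "$t/html/static"
    cat > "$t/httpd.conf" <<'EOF'
<Directory "/var/www/html">
    Options None
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html/uploads">
    AllowOverride All
</Directory>
<Directory /var/www/html/static>
    AllowOverride FileInfo Options
</Directory>
EOF
    printf 'Options +ExecCGI\n' > "$t/html/uploads/.htaccess"
    chmod 666 "$t/html/uploads/.htaccess"     # world-writable: the bad case
    printf 'DirectoryIndex index.html\n' > "$t/html/static/.htaccess"
    chmod 644 "$t/html/static/.htaccess"      # owner-writable only
    printf '%s\n' "$t"
}

demo=$(make_demo_tree)
echo "== directories where .htaccess may override server config =="
audit_allowoverride "$demo/httpd.conf"
echo "== .htaccess files writable by group/others =="
find_writable_htaccess "$demo/html"
```

Run it against a real install with `audit_allowoverride /etc/httpd/conf/httpd.conf` (and each file under conf.d) plus `find_writable_htaccess /var/www`. A directory that is both writable by the web application and allowed to override Options or FileInfo is the combination to remove first.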

Directive Containers

  • Configuration is a bunch of directives (instructions), one per line
    • Unless in <> brackets. Then treat it like XML, with a start and end tag grouping the lines in between
      • This restricts the scope of the directives they contain (eg to one directory or one virtual host)
    • Whatever follows a directive name is its argument(s)
      • Eg Order allow,deny
  • Directive names are case-insensitive, but many arguments (paths, module names) are case-sensitive, so the safe habit is to treat everything as case-sensitive
<Directory /var/www/cgi-bin>
    AllowOverride none
    Require all denied
</Directory>

ServerRoot directive

  • The directory that holds the configuration and log files; relative paths elsewhere in the config (LoadModule, Include) are resolved against it
  • Eg: ServerRoot "/etc/httpd"

Virtual Hosting

  • Virtual Hosting is used when you want to host multiple domain names on a single server or pool of servers

VirtualHost directive

  • Virtual Hosting is the ability to serve content for multiple domains from the same server
    • Apache feature
    • Commonly used by shared web hosts: many customers' sites share one machine and one IP address
  • 2 types:
    • Name-Based Virtual Hosting
      • Routes requests based on the Host header (domain name) the client sends
        • Historically a problem with multiple SSL certificates, because the TLS handshake happens before the Host header can be read; modern clients send the hostname inside the handshake (SNI) and Apache 2.4 uses it to pick the vhost
        • If no ServerName/ServerAlias matches, the first vhost defined for that address and port is the default, so make that first one a deliberate catch-all rather than a real site
        • Apache discourages using a hostname (FQDN) as the <VirtualHost> argument; use an IP address or *
    • IP Based Virtual Hosting
      • Separate IP per site
      • Avoids the SSL/SNI question entirely but is costlier and has more technical overhead
        • Eg: <VirtualHost 10.0.2.56:80>
  • The argument can be something like <VirtualHost *:8071>, meaning that the virtual host only answers requests arriving on port 8071 (there must also be a matching Listen)
    • ServerAdmin username@example.com
      • sets the contact info shown in error messages returned to the client
      • If the server is using custom error messages, this isn't needed
    • ServerName blah.example.com - Imp!
      • Typically set system wide, but each VirtualHost should set its own too
      • Uniquely identifies a name-based virtual host and is the fully qualified domain name the server uses for itself
    • <Directory /blah/blah2/>
      • Doesn't have to be set within the VirtualHost. Might just be set system wide
      • Argument is the directory path that contains the html
        • Directives that control access:
          • Order allow,deny (Apache 2.2 style; in 2.4 only available via mod_access_compat)
            • controls the default access state and the order in which the Allow and Deny directives are evaluated
          • Allow from all/hostName/IPaddress/variable
            • meaning access is allowed from 'all' (or from the named host/address)
          • Require all granted (Apache 2.4 style, mod_authz_core)
            • meaning all users are granted access unconditionally; Require all denied is the opposite, and the usual setting for <Directory /> so that only explicitly granted directories are served
      • Typical 2.4 configs deny everything under <Directory /> first, so without an explicit Require all granted on the content directory Apache won't serve it; don't mix Order/Allow with Require in the same block, the interaction is confusing
    • DocumentRoot /blah/blah2 (a plain directive, not a container)
      • directory that Apache serves files from for this virtual host
  • https://httpd.apache.org/docs/2.4/vhosts/examples.html
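Added example (not from the original notes and not Apache's own code): a two-site name-based vhost config with an explicit catch-all first vhost, plus a small awk emulation of how Apache chooses the vhost for a given Host header, so you can see where an unknown or bare-IP Host lands. The domain names, document roots and the `default.invalid` catch-all are assumptions for the demo; the emulation covers exact ServerName/ServerAlias matches on one address/port and ignores wildcards.

```shell
#!/bin/sh
# Added example: name-based vhost selection and why the first vhost matters.
# The config is a constructed fixture written to a temp file.

# Write the demo config and print its path.
make_vhost_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Listen 80

# First vhost for *:80 is the default: it answers any Host header no other
# vhost claims (unknown names, the bare IP). Give it nothing worth serving.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/var/www/default"
    <Directory "/var/www/default">
        AllowOverride None
        Require all denied
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example.com/html"
    <Directory "/var/www/example.com/html">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName shop.example.net
    DocumentRoot "/var/www/shop.example.net/html"
    <Directory "/var/www/shop.example.net/html">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
    printf '%s\n' "$f"
}

# Emulate Apache's name-based selection for config $1 and Host header $2:
# print the ServerName of the first vhost whose ServerName or ServerAlias
# matches (case-insensitive, port stripped), else the first vhost's name.
route_host() {
    h=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/:[0-9]*$//')
    awk -v host="$h" '
        /^[[:space:]]*<VirtualHost/ { n++ }
        /^[[:space:]]*ServerName[[:space:]]/ {
            name[n] = tolower($2); sub(/:.*/, "", name[n])
            if (n == 1) def = name[1]                 # first vhost = default
        }
        /^[[:space:]]*ServerAlias[[:space:]]/ {
            for (i = 2; i <= NF; i++) alias[n, tolower($i)] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (name[i] == host || (i, host) in alias) { print name[i]; exit }
            print def
        }
    ' "$1"
}

conf=$(make_vhost_conf)
for h in www.example.com example.com SHOP.example.net:80 203.0.113.10 evil.example; do
    printf '%-22s -> %s\n' "$h" "$(route_host "$conf" "$h")"
done
```

The two last lines of the loop are the point: a request for the raw IP or for a name you never configured is served by whichever vhost happens to be first, so that vhost should be the denied placeholder above, not a customer's site. On a real server `apachectl -t -D DUMP_VHOSTS` prints the same ordering Apache will actually use.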

Listen directive

  • This directive tells Apache which address and port to accept connections on, such as 80
  • Eg: Listen 12.34.56.78:80 or Listen 8072 (a bare port binds every address on the machine; naming the address limits exposure on multi-homed hosts)

DocumentRoot directive

  • Defines the top level directory of the web site
  • Eg: DocumentRoot "/var/www/html" or DocumentRoot "/app/apache/htdocs"
  • If the url used by user is https://blah.com/blah.html, the file will be served from /var/www/html/blah.html

Identity(User/Group) directive

  • Apache needs a user identity to run as so that file-system permissions (the access control checks) apply to it
  • When it starts, the parent runs as root so it can bind to port 80 (a privileged port); it then forks the children
    • ports below 1024 can only be bound by root (or a process holding the CAP_NET_BIND_SERVICE capability)
  • The child processes that are spawned switch to the User and Group identity; they are the ones that handle requests, so they should own nothing they don't need to write
  • Eg: User apache or User daemon
  • Eg: Group apache or Group daemon
  • The apache account and group are added when the httpd package is installed

LoadModule directive

  • The default config file loads a large number of modules
    • CentOS loads a lot so Apache has a rich feature set out of the box
    • The secure way is to start with an empty list and load only the modules you need as your site evolves; every loaded module is more code parsing attacker-supplied input
  • Eg: LoadModule ldap_module modules/mod_ldap.so (the path is relative to ServerRoot)
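Added example (not from the original notes and not an Apache tool): turning the "load only what you need" advice into a check. It lists the modules a config loads and reports the ones missing from an allowlist you maintain, tagging a few that commonly widen exposure (server-status/info pages, directory listings, home-directory serving, CGI). The sample httpd.conf and allowlist are constructed for the demo, and the REVIEW list is an editorial choice, not an Apache setting.

```shell
#!/bin/sh
# Added example: compare LoadModule lines against a deliberate allowlist.
# The config and allowlist under make_demo_files are constructed fixtures.

# Print the module names loaded by (uncommented) LoadModule lines in $1.
loaded_modules() {
    awk '/^[[:space:]]*LoadModule[[:space:]]/ { print $2 }' "$1" | sort -u
}

# Print each loaded module in config $1 that is not listed in allowlist $2,
# tagged REVIEW if it is on the exposure list and EXTRA otherwise.
unexpected_modules() {
    review='status_module info_module autoindex_module userdir_module cgi_module cgid_module'
    loaded_modules "$1" | while read -r m; do
        grep -qx "$m" "$2" && continue
        case " $review " in
            *" $m "*) printf 'REVIEW %s\n' "$m" ;;
            *)        printf 'EXTRA  %s\n' "$m" ;;
        esac
    done
}

# Build a demo httpd.conf and allowlist in a temp dir; print the dir.
make_demo_files() {
    t=$(mktemp -d)
    cat > "$t/httpd.conf" <<'EOF'
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule dir_module modules/mod_dir.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule status_module modules/mod_status.so
LoadModule ldap_module modules/mod_ldap.so
#LoadModule info_module modules/mod_info.so
EOF
    printf '%s\n' mpm_prefork_module authz_core_module dir_module mime_module \
        log_config_module unixd_module > "$t/allowlist.txt"
    printf '%s\n' "$t"
}

demo=$(make_demo_files)
unexpected_modules "$demo/httpd.conf" "$demo/allowlist.txt"
```

On a real box, run `loaded_modules` over httpd.conf and every file under conf.modules.d or mods-enabled (those directories are where distributions put the bulk of the LoadModule lines), check the output against `apachectl -M`, and treat every REVIEW line as a question to answer rather than a module to remove blindly.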

ServerName directive

  • sets the hostname and port that the server uses to identify itself, eg when building self-referential redirect URLs
    • Eg: ServerName www.example.com

DirectoryIndex directive

  • Names the file Apache serves when the URL ends in a directory (trailing slash) instead of a file
  • Eg: DirectoryIndex index.html

IfModule container

  • Anything inside only takes effect if the named module is loaded. Handy for configs shared across installs, but it also hides typos: a misspelled module name silently disables the whole block

Include directive

  • Loads and picks up configuration from an extra conf file; wildcards such as Include conf.d/*.conf work too, so anything dropped into that directory becomes live config (watch who can write there)
  • Eg: Include blah.conf

Multiple Process Settings

  • Apache keeps a spare pool of processes ready to pick up connections, to improve response times
  • The settings that control the size of the pool (prefork MPM) are:
    • StartServers - number of server processes to start
    • MinSpareServers - minimum number of idle server processes kept spare
    • MaxSpareServers - maximum number of idle server processes kept spare
    • ServerLimit - upper bound on MaxClients for the lifetime of the server (raising it needs a full restart, not a graceful one)
    • MaxClients - maximum number of server processes allowed to start, i.e. maximum simultaneous connections (renamed MaxRequestWorkers in 2.4; the old name still works)
    • MaxRequestsPerChild - max number of requests a child serves before it is recycled (renamed MaxConnectionsPerChild in 2.4); recycling limits the damage from memory leaks
  • Don't change these settings unless you know what you're doing: each child costs memory, and MaxClients times the per-child RSS must fit in RAM or the box swaps under load
<IfModule prefork.c>
    StartServers 8
    MinSpareServers 5
    MaxSpareServers 20
    ServerLimit 256
    MaxClients 256
    MaxRequestsPerChild 4000
</IfModule>

Debugging

  • Examine the error log at /var/log/httpd/error_log (Debian/Ubuntu: /var/log/apache2/error.log) for startup failures
  • Check whether another process is already listening on port 80, in case you previously installed a different web server
  • If SELinux is enabled and Apache can't read content or bind a port, check the audit log (/var/log/audit/audit.log, or ausearch -m avc -ts recent) and fix the file context or boolean; switching to permissive with setenforce 0 is only a diagnostic step, not a fix, and should be reverted

Commands

  • Find the configuration files.
    • Shows compile-time settings including HTTPD_ROOT (the default location of the configuration) and SERVER_CONFIG_FILE
    • apachectl -V
  • Check that the configuration file exists
    • ls -la REPLACEWITH_HTTPD_ROOT/REPLACEWITH_SERVER_CONFIG_FILE
  • Check permissions of a directory tree
    • ls -lR
  • Brute force way to find the configuration file
    • Search the whole filesystem for the file name
      • find / -name httpd.conf 2>/dev/null or
      • find / -name apache2.conf 2>/dev/null
  • Install Apache
    • For CentOS:
      • yum install httpd
  • Install Apache documentation
    • For CentOS:
      • yum install httpd-manual
    • Will be available at http://localhost/manual/
  • Check if Apache is installed:
    • rpm -qa | grep httpd or
    • dpkg -l | grep apache
  • Check which version of Linux distribution is installed
    • cat /etc/issue or
    • cat /etc/*-release
  • To connect using an ssh client: ssh -p 2222 user@localhost
    • Replace 2222 with the forwarded port number and localhost with the host name
  • See what Apache is doing - status
    • Eg: apachectl status
      • Gives info on the running Apache server and the number of child processes (needs mod_status enabled and a text browser such as lynx installed)
    • Eg: service httpd status
  • Start parent web server - start
    • apachectl -k start
    • /etc/init.d/apache2 start
    • service httpd start
  • Have service starts at boot time
    • chkconfig httpd on
  • Look at current boot time settings
    • chkconfig httpd --list
  • See the processes listening on the http TCP port (port 80)
    • lsof -i | grep http
      • -i lists open network files (sockets)
      • output eg:
        • httpd 27710 root TCP *:http (LISTEN)
        • httpd 27712 apache TCP *:http (LISTEN)
        • httpd 27713 apache TCP *:http (LISTEN)
        • httpd 27714 apache TCP *:http (LISTEN)
        • httpd 27715 apache TCP *:http (LISTEN)
      • note the single parent running as root and the children running as apache; a child still running as root means User/Group is misconfigured
    • ss -ltnp '( sport = :80 )' shows the same without lsof
  • Stop the parent web server and all children immediately, terminating in-flight connections - stop
    • apachectl -k stop
    • /etc/init.d/apache2 stop
  • Stop parent process after the requests in progress are completed
    • graceful-stop
  • Keep the parent alive while children are killed off where the configuration is re-read and children are re-spawned with new config
    • service httpd restart
  • Restart the server after children are done doing what they're doing before doing a graceful shutdown and config re-read - graceful
    • service apache2 graceful aka reload
  • Page through the contents of a config file
    • less fileNameAndLocation. Use space to go through
  • Find matches for a certain directive across the whole config tree
    • grep -Ri DirectiveName /etc/httpd
  • Reboot Linux VM using root account:
    • sudo reboot
      • simple way to force the VM to pick up changes if an apache restart isn't working
  • Test configuration for syntax errors
    • apachectl -t
  • List all Virtual Hosts and details:
    • apachectl -t -D DUMP_VHOSTS
  • Check if SELinux is enabled:
    • sestatus
      • If enforcing, any action prohibited by the SELinux policy is blocked (and logged to the audit log)
  • Turn off SELinux temporarily (permissive instead of enforcing):
    • setenforce 0
      • Diagnostic only: if Apache starts working, the real fix is the file context or boolean, eg chcon -R -t httpd_sys_content_t /path/to/content or setsebool -P httpd_can_network_connect on; then put it back with setenforce 1
  • Filter out comments in a .conf file to see the true configuration
    • grep -v '^#' /etc/httpd/conf/httpd.conf | less
  • Change owner of a directory tree to apache
    • chown -R apache:apache *
      • Only do this for directories Apache must write to (uploads, cache). Static content should stay owned by root (or a deploy user) and be world-readable; if the apache user owns the document root, a compromised child process can overwrite the site

Currently don't care about:

  • Creating publicly accessible content on the apache web server

Last update: October 10, 2020