Configuring Apache Main Server

The main server configuration applies to the default Web site Apache serves. This is the site that will come up when you run Apache and use the server’s IP address or host name on a Web browser.

Port

The very first directive in this section is the Port directive, which sets the TCP port that Apache listens to for connections. The default value of 80 is the standard HTTP port. If you change this to another number, such as 8080, you can only access the server using a URL such as http://hostname:8080/. You must specify the port number in the URL if the server runs on a nonstandard port.

There are many reasons for running Apache on nonstandard ports, but the only good one I can think of is that you do not have permission to run Apache on the standard HTTP port. As a nonroot user you can only run Apache on ports higher than 1024. After you have decided to run Apache by using a port, you need to tell Apache what its user and group names are.

User and Group directives

The User and Group directives tell Apache the user (UID) and group (GID) names to use. These two directives are very important for security reasons. When the primary Web server process launches a child server process to fulfill a request, it changes the child’s UID and GID according to the values set for these directives.

If the child processes are run as root user processes, a potential security hole will be opened for attack by hackers. Enabling the capability to interact with a root user process maximizes a potential breach of security in the system; hence, this is not recommended. Rather, I highly recommend that you choose to run the child server processes as a very low-privileged user belonging to a very low-privileged group.

In most Unix systems, the user named nobody (usually UID = -1) and the group named nogroup (usually GID = -1) are low-privileged. You should consult your /etc/group and /etc/passwd files to determine these settings. If you plan to run the primary Web server as a nonroot (regular) user, it will not be able to change the UID and GID of child processes, because only root user processes can change the UID or GID of other processes.

Therefore, if you run your primary server as the user named ironsheik, then all child processes will have the same privileges as ironsheik. Similarly, whatever group ID you have will also be the group ID for the child processes.

ServerAdmin

ServerAdmin defines the e-mail address that is shown when the server generates an error page. Set this to your e-mail address.ServerName. Now you need to set the host name for the Server using the ServerName directive. This directive is commented out by default because Apache install cannot guess what host name to use for your system. So if the host name is called www.domain.com, set ServerName directive accordingly.

DocumentRoot

Like all other Web servers, Apache needs to know the path of the top-level directory where Web pages will be kept. This directory is typically called the document root directory. Apache provides a directive called DocumentRoot, which can be used to specify the path of the top-level Web directory. This directive instructs the server to treat the supplied directory as the root directory for all documents. This is a very important decision for you to make. For example, if the directive is set as:

DocumentRoot /

then every file on the system becomes accessible by the Web server. Of course, you can protect files by providing proper file permission settings, but setting the document root to the physical root directory of your system is definitely a major security risk. Instead, you should point the document root to a specific subdirectory of your file system. If you have used the --prefix=/usr/local/apache option in configuring the Apache source, this directive will be set as:

DocumentRoot “/usr/local/apache/htdocs”

Directory container directives

The next set of directives are enclosed in a <Directory . . .> container as shown here:

<Directory /> Options FollowSymLinks AllowOverride None Directory >

The scope of the enclosed directives is limited to the named directory (with any subdirectories); however, you may only use directives that are allowed in a directory context (you learn about these directives in detail in the next chapter). Here the Options and the AllowOverride directives apply to %DocumentRoot% that is root (/) or the top-level directory of the main Web site.

Because directives enclosed within a directory container apply to all the subdirectories below the named directory, the directives apply to all directories within %DocumentRoot%. The Options directive is set to FollowSymLinks, which tells Apache to allow itself to traverse any symbolic within %DocumentRoot%.

Because the Options directive is only set to follow symbolic links, no other options are available to any of the directories within %DocumentRoot%. Effectively, the Options directive is:

Options FollowSymLinks -ExecCGI -Includes -Indexes -MultiViews

The other options are explained in the Options directive section in the next chapter. However, be assured that the big idea here is to create a very closed server. Because only symbolic link traversal is allowed, you must explicitly enable other options as needed on a per directory basis. This is very good thing from a security prospective. The next directory container opens up the %DocumentRoot% directory as shown here:

Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all Directory >

If your %DocumentRoot% is different, change the named directory path. Here is what the above configuration means to Apache:

  • The named directory and its subdirectories can be indexed. If there is an index file, it will be displayed; in the absence of an index file, the server will create a dynamic index for the directory. The Options directive specifies this.
  • The named directory and all subdirectories under it can have symbolic links that the server can follow (that is, use as a path) to access information. The Options directive also specifies this.
  • The named directory and all subdirectories under it can be part of content negotiations. The MultiViews option for the Options directive sets this. I am not a fan of this option but do not so dislike it as to remove it. For example, when the given Options directive is enabled within the %DocumentRoot% directory as shown above, a request for http://www.domain.com/ ratecard.html can answered by a file called ratecard.html.bak, or ratecard.bak, ratecard.old, and the like if ratecard.html is missing. This may or may not be desirable.
  • No options specified here can be overridden by a local access control file (specified by the AccessFileName directive in httpd.conf; the default is .htaccess). This is specified using the AllowOverride directive. ✦ The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client that does not match an Allow directive or that does match a Deny directive is denied access to the server.
  • Access is permitted for all.

The default setting should be sufficient.

UserDir

The UserDir directive tells Apache to consider %UserDir% as document root (~username/%UserDir%) of each user Web site. This only makes sense if you have multiple users on the system and want to allow each user to have his or her own Web directory. The default setting is:

UserDir public_html

which means that if you set up your Web server’s name to be www.yoursite.com, and you have two users (joe and jenny), their personal Web site URLs would be:

http://www.yoursite.com/~joe Physical directory: ~joe/public_html http://www.yoursite.com/~jenny Physical directory: ~jenny/public_html

Note that on Unix systems, ~ (tilde) expands to a user’s home directory. The directory specified by the UserDir directive resides in each user’s home directory, and Apache must have read and execute permissions to read files and directories within the public_html directory. This can be accomplished using the following commands on a Unix system:

chown -R . ~/ chmod -R 770 ~/

For example, if the username is joe and Apache’s group is called httpd, and public_ html is assigned in the UserDir directive, the preceding commands will look like this:

chown -R joe.httpd ~joe/public_html chmod -R 2770 ~joe/public_html

The first command, chown, changes ownership of the ~joe/public_html directory (and that of all files and subdirectories within it) to joe.httpd. In other words, it gives the user joe and the group httpd full ownership of all the files and directories in the public_html directory.

The next command, chmod, sets the access rights to 2770—in other words, only the user (joe) and the group (httpd) have full read, write, and execute privileges in public_html and all files and subdirectories under it. It also ensures that when a new file or subdirectory is created in the public_ html directory, the newly created file has the group ID set. This enables the Web server to access the new file without the user’s intervention.

DirectoryIndex

Next, you need to configure the DirectoryIndex directive, which has the following syntax:

DirectoryIndex [filename1, filename2, filename3, ... ]

This directive specifies which file the Apache server should consider as the index for the directory being requested. For example, when a URL such as www.yourcompany. com/ is requested, the Apache server determines that this is a request to access the / (document root) directory of the Web site. If the DocumentRoot directive is set as:

DocumentRoot “/www/www.yourcompany.com/public/htdocs”

then the Apache server looks for a file named /www/www.yourcompany.com/ public/htdocs/index.html; if it finds the file, Apache services the request by returning the content of the file to the requesting Web browser. If the DirectoryIndex is assigned welcome.html instead of the default index.html, however, the Web server will look for /www/www.yourcompany.com/public/ htdocs/welcome.html instead. If the file is absent, Apache returns the directory listing by creating a dynamic HTML page.

You can specify multiple index filenames in the DirectoryIndex directive. For example:

DirectoryIndex index.html index.htm welcome.htm

tells the Web server that it should check for the existence of any of the three files, and if any one file is found, it should be returned to the requesting Web client.

AccessFileName

The AccessFileName directive defines the name of the per-directory access control configuration file. The default name .htaccess has a leading period to hide the file from normal directory listing under Unix systems. The only reason to change the name to something else is to increase security by obscurity, which is not much of a reason. However, if you do change the filename to something else, make sure that you change the regular expression “^\.ht” to “^\.whatever” where .whatever is the first view character of what you set AccessFileName to.

Files container

The following container tells Apache to disallow access to any file that starts with a .ht (that is, the .htaccess or .htpasswd). This corresponds to the default %AccessFileName%.

UseCanonicalName

Next directive is UseCanonicalName, which is set to On. It tells Apache to create all self-referencing URLs using %ServerName%:%Port% format. Leaving it on is a good idea.

TypesConfig

The TypesConfig directive points to the mime configuration file mime.types that resides in the default conf directory. You do not need to change it unless you have relocated this file.

DefaultType

The DefaultType directive sets the Content-Type header for any file whose MIME type cannot be determined from the file extension. For example if you have a file %DocumentRoot%/myfile, then Apache uses the %DefaultType, which is set to text/plain, as the content type for the file. This means that when the Web browser requests and receives such a file in response, it will display the contents in the same way it will display a plain-text file. Now, if you think most of your unknown file contents should be treated as HTML, then use text/html in place of text/plain.

IfModule container

The next container tells Apache to enable the MIME magic module (mod_mime_magic) if it exists, and to use the %MIMEMagicFile% as the magic information (bytes patterns) needed to identify MIME-type files. The default should be left alone unless you want to change the path of the magic file.

MIMEMagicFile conf/magic

HostnameLookups

The HostnameLookups directive tells Apache to enable DNS lookup per request if it is set to On. However, the default setting is Off and therefore no DNS lookup is performed to process a request, which speeds up response time. Performing a DNS lookup to resolve an IP address to the host name is a time-consuming step for a busy server and should only be done using the logresolve utility as discussed in Chapter 8. Leave the default as is.

ErrorLog

The ErrorLog directive is very important. It points to the log file dedicated to recording server errors. The default value of logs/errors translates to %ServerRoot%/logs/error_log, which should work for you, unless you want to write a log in a different place. Generally, it is a good idea to create a log partition for keeping your logs. It is also preferable that your log partition be on one or more dedicated log disks. If you have such a hardware configuration, you might want to change the directive to point to a new log path.

LogLevel

The LogLevel directive sets the level of logging that will be done. The default value of warn is sufficient for getting started. The LogFormat directives dictate what is logged and in what format it is logged. In most cases, you should be able to live with the defaults.

CustomLog

The CustomLog directive sets the path for the access log, which stores you server hits. By default it uses the common log format (CLF), which is defined in the preceding LogFormat directive. Consider the advice about keeping logs on their own disk and partition, and make changes to the path if necessary.

ServerSignature

The next directive is ServerSignature, which displays server name and version number and is a server-generated page such as dynamic directory index pages, error pages, and the like. If you feel uncomfortable about displaying your server information so readily to everyone, set it to Off. I do.

Alias

The Alias directive defines a new directory alias called /icons/ to point to /usr/local/apache/icons/ (that is, %ServerRoot%/icons/). The icon images stored in this directory are used to display dynamic directory listings when no %DirectoryIndex%-specified files are found in that directory. You should leave the alias alone unless you changed the path of the icons directory.

The directory container that follows the alias definition sets the permission for this icon directory. I do not like the idea that it enables directory browsing (that is, dynamic directory indexing) by setting Options to Indexes. You should change Options Indexes to Options -Indexes and not worry about the MultiViews option.

ScriptAlias

The ScriptAlias directive is used to set a widely used CGI script alias directory /cgi-bin/ to point to /usr/local/apache/cgi-bin/ (that is, %ServerRoot%/ cgi-bin/). If you plan on using CGI scripts from the main server, keep it; otherwise, remove this directive. Or, if you want to change the CGI script directory another location, change the physical path given in the directive to match yours.

Next, a directory container places restriction on the %ScriptAlias% directory to ensure that no directory level options are allowed. Here the Options directive is set to None, which means that the contents of %ScriptAlias% is not browsable, that symbolic links within the %ScriptAlias% directory are not followed.

The rest of the directives

The rest of the directives—IndexOptions; AddIconByEncoding; AddIconByType; AddIcon; DefaultIcon; ReadmeName; HeaderName; IndexIgnore; AddEncoding; AddLanguage; AddCharset; BrowserMatch; and AddType—are not important to get up and running, so they are ignored for now. You can learn about these directives in Chapter 4. However, there are two directives that you might want to consider changing if necessary: LanguagePriority and AddDefaultCharset.

LanguagePriority

By default, the LanguagePriority directive sets the default language to be en (English), which might not work for everyone in the world. So, you might want to change the default language to your native language, if it is supported.

AddDefaultCharset

AddDefaultCharset should be set to the character set that best suits your local needs. If you do not know which character set you should use, you can leave the default alone, find out which character set you should use, and change the default later.