Installation
The RPM packages required by Apache are included in the Web Server package group. If required on the Installation and Configuration portion of the exam, you should install Apache during the installation process. But mistakes happen. Just remember that the simplest way to install Apache after installation is with the following command:
# yum install httpd
Alternatively, if you need the Red Hat GUI Apache Management tool, run the following command, which also installs the Apache httpd RPM as a dependency:
# yum install system-config-httpd
Another option is to just install the default packages associated with the entire Web Server package group with the following command:
# yum groupinstall web-server
If you don't remember the names of available groups, run the yum grouplist command. From the output, you should see "Web Server"; in other words, the following command also works:
# yum groupinstall "Web Server"
If your exam instructions require the installation of other packages such as mod_ssl (required for secure Web sites) and Squid, you can combine their installation in the same command:
# yum install mod_ssl squid
If in doubt about package names, you can find them in the Web Server package group, as documented on the first installation CD in the Server/repodatata/comps-rhel5-server-core.xml file. If you're working with the RHEL 5 desktop, substitute Client for Server (upper- and lowercase). Once you've connected to a repository such as the RHN, the same information should be available in comps.xml in the /var/cache/yum/rhel-i386-server-5 directory. If you're working a different architecture and a client, substitute accordingly.
Starting on Reboot
Once Apache is installed, you'll want to make sure it starts the next time you boot Linux. If it doesn't start when the person who grades your Red Hat exam reboots your computer, you may not get credit for your work on the Apache service.
The most straightforward way to make sure Apache starts the next time you boot Linux is with the chkconfig command. You'll need to set it to start in at least runlevels 3 and 5, with a command such as:
# chkconfig --level 35 httpd on
Alternatively, you can configure it to start in all standard runlevels (2, 3, 4, and 5) with the following command:
# chkconfig httpd on
To determine whether the chkconfig command worked, use the --list switch:
# chkconfig --list httpd
Normally to start services, it's best to use the associated script in the /etc/init.d directory, which contains an httpd script. However, Apache often starts and stops more gracefully with the following commands:
# apachectl stop
# apachectl start
The Apache Configuration Files
There are two key configuration files for the Apache Web server: httpd.conf in the /etc/httpd/conf directory and ssl.conf in the /etc/httpd/conf.d directory. The default versions of these files create a generic Web server service you can further customize and optimize, as desired. There are other configuration files in two directories: /etc/httpd/conf and /etc/httpd/conf.d. They're illustrated in Figure 9-2.
Figure 9-2: Apache configuration files
On the Job Previous versions of Apache-1.3.x and earlier-required two other Apache configuration files in the same directory: access.conf and srm.conf. Even though these files were essentially blank in later versions of Apache 1.3.x, they were still required. These files are no longer required in any way in Apache 2.x.
You need to know the httpd.conf file in the /etc/httpd/conf directory well. If you're required to configure a secure Web server during the RHCE exam, you'll also need to configure the ssl.conf configuration file in the /etc/httpd/conf.d directory.
Analyzing the Default Apache Configuration
Apache comes with a well-commented set of default configuration files. In this section, you'll look at the key commands in the httpd.conf configuration file, in the /etc/httpd/conf directory. Browse through this file in your favorite text editor or using a command such as less. Before beginning this analysis, keep two things in mind:
If you configure Apache with the Red Hat HTTP tool (system-config-httpd), it overwrites any changes that you may have made with a text editor.
The main Apache configuration file incorporates the files in the /etc/httpd/conf.d directory with the following directive:
Include conf.d/*.conf
There are a couple of basic constructs in httpd.conf. First, directories, files, and modules are configured in "containers." The beginning of the container starts with the name of the directory, file, or module to be configured, contained in directional brackets (< >). Examples of this include:
The end of the container starts with a forward slash (/). For the same examples, the ends of the containers would look like:
Next, Apache includes a substantial number of directives-commands that Apache can understand that have some resemblance to English. For example, the ExecCGI directive allows executable CGI scripts.
As the RHCE course divides the discussion of Apache into different units, I do the same here. However, the following sections, with the exception of secure virtual hosts, are based on the same httpd.conf file in the /etc/httpd/conf/ directory.
While this provides an overview, the devil is often in the details, which are analyzed (briefly) in the next section. For detailed information, see the Apache Web site at http://httpd.apache.org.
Analyzing httpd.conf
This section examines the default Apache configuration file, httpd.conf. If you want to follow along, open it on your system. Only the default active directives in that file are discussed here. Read the comments; they include more information and options.
For detailed information on each directive, see http://httpd.apache.org/docs/2.2/mod/quickreference.html. The default directives are summarized in the following three tables. Table 9-1 specifies directives associated with Section 1: Global Environment.
Table 9-1: Global Environment Directives Directive
Description
ServerTokens
Specifies the response code at the bottom of error pages; if you're interested, see what happens when you change the values between OS, Prod, Major, Minor, Min, and Full.
ServerRoot
Sets the default directory; other directives are subdirectories.
PidFile
Names the file with the Process ID (and locks the service).
Timeout
Limits access time for both sent and received messages.
KeepAlive
Supports persistent connections.
MaxKeepAliveRequests
Limits requests during persistent connections (unless set to 0, which is no limit).
KeepAliveTimeout
Sets a time limit, in seconds, before a connection is closed.
StartServers
Adds child Apache processes; normally set to 8, which means 9 Apache processes run upon startup.
MinSpareServers
Specifies a minimum number of idle child servers.
MaxSpareServers
Specifies a maximum number of idle child servers; always at least +1 greater than MinSpareServers.
ServerLimit
Sets a limit on configurable processes; cannot exceed 20000.
MaxClients
Limits the number of simultaneous requests; other requests to the server just have to wait.
MaxRequestsPerChild
Limits the requests per child server process.
MinSpareThreads
Specifies the minimum number of spare threads to handle additional requests.
MaxSpareThreads
Specifies the maximum number of available idle threads to handle additional requests.
ThreadsPerChild
Sets the number of threads per child server process.
Listen
Specifies a port and possibly an IP address (for multihomed systems) to listen for requests.
LoadModule
Loads various modular components, such as authentication, user tracking, executable files, and more.
Include
Adds the content of other configuration files.
User
Specifies the username run by Apache on the local system.
Group
Specifies the group name run by Apache on the local system.
In all three tables, directives are listed in the order shown in the default version of httpd.conf. If you want to experiment with different values for each directive, save the change and then use apachectl restart to restart the Apache daemon. If not defined in these tables, directives are described, later in this chapter, as they appear in the configuration file.
Table 9-2 specifies directives associated with Section 2: Main Server Configuration.
Table 9-2: Main Server Configuration Directives Directive
Description
ServerAdmin
Sets the administrative e-mail address; may be shown (or linked to) on default error pages.
UseCanonicalName
Supports the use of ServerName as the referenced URL.
DocumentRoot
Assigns the root directory for Web site files.
Options
Specifies features associated with Web directories, such as ExecCGI, FollowSymLinks, Includes, Indexes, MultiViews, and SymLinksIfOwnerMatch.
AllowOverride
Supports overriding of previous directives from .htaccess files.
Order
Sets the sequence for evaluating Allow and Deny directives.
Allow
Configures host computers that are allowed access.
Deny
Configures host computers that are denied access.
UserDir
Specifies location of user directories; can be set to enable or disable for all or specified users.
DirectoryIndex
Specifies files to look for when navigating to a directory; set to index.html by default.
AccessFileName
Sets a filename within a directory for more directives; normally looks for .htaccess.
TypesConfig
Locates mime.types, which specifies file types associated with extensions.
DefaultType
Sets a default file type if not found in mime.types.
MIMEMagicFile
Normally looks to /etc/httpd/conf/magic to look inside a file for its MIME type.
HostNameLookups
Requires URL lookups for IP addresses; results are logged.
ErrorLog
Locates the error log file, relative to ServerRoot.
LogLevel
Specifies the level of log messages.
LogFormat
Sets the information included in log files.
CustomLog
Creates a customized log file, in a different format, with a location relative to ServerRoot.
ServerSignature
Adds a list with server version and possibly ServerAdmin e-mail address to error pages and file lists; can be set to On, OFF, or EMail.
Alias
Configures a directory location; similar to a soft link.
DAVLockDB
Specifies the path to the lock file for the WebDAV (Web-based Distributed Authoring and Versioning) database.
ScriptAlias
Similar to Alias; for scripts.
IndexOptions
Specifies how files are listed from a DirectoryIndex.
AddIconByEncoding
Assigns an icon for a file by MIME encoding.
AddIconByType
Assigns an icon for a file by MIME type.
AddIcon
Assigns an icon for a file by extension.
DefaultIcon
Sets a default icon for files not otherwise configured.
ReadmeName
Configures a location for a README file to go with a directory list.
HeaderName
Configures a location for a HEADER file to go with a directory list.
IndexIgnore
Adds files that are not included in a directory list.
AddLanguage
Assigns a language for file name extensions.
LanguagePriority
Sets a priority of languages if not configured in client browsers.
ForceLanguagePriority
Specifies action if a Web page in the preferred language is not found.
AddDefaultCharset
Sets a default character set; you may need to change it for different languages.
AddType
Maps file name extensions to a specified content type.
AddHandler
Maps file name extensions to a specified handler; commonly used for scripts or multiple languages.
AddOutputFilter
Maps file name extensions to a specified filter.
BrowserMatch
Customizes responses to different browser clients.
Table 9-3 specifies directives associated with Section 3: Virtual Hosts. While virtual host directives are disabled by default, I include those directives in the commented example near the end of the default httpd.conf file. While these directives were already used in other sections, you can-and should-customize them for individual virtual hosts to support different Web sites on the same Apache server.
Table 9-3: Virtual Host Configuration Directives Directive
Description
NameVirtualHost
Specifies an IP address for multiple virtual hosts.
ServerAdmin
Assigns an e-mail address for the specified virtual host.
DocumentRoot
Sets a root directory for the virtual host.
ServerName
Names the URL for the virtual host.
ErrorLog
Creates an error log; the location is based on the DocumentRoot.
CustomLog
Creates an custom log; the location is based on the DocumentRoot.
Basic Apache Configuration for a Simple Web Server
As described earlier, Apache looks for Web pages in the directory specified by the DocumentRoot directive. In the default httpd.conf file, this directive points to the /var/www/html directory.
In other words, all you need to get your Web server up and running is to transfer Web pages to the /var/www/html directory.
The default DirectoryIndex directive looks for an index.html Web page file in this directory. You can test this for yourself by copying the default Firefox home page file, index.html, from the /usr/share/doc/HTML directory.
The base location of configuration and log files is determined by the ServerRoot directive. The default value from httpd.conf is
ServerRoot "/etc/httpd"
You'll note that the main configuration files are stored in the conf and conf.d subdirectories of the ServerRoot. If you run the ls -l /etc/httpd command, you'll find that Red Hat links /etc/httpd/logs to the directory with the actual log files, /var/log/httpd.
Apache Access Configuration
There are several parameters associated with security on the Apache Web server. The security of the server is enforced in part by firewalls and SELinux. Internal Apache security measures are associated with the main Apache httpd.conf configuration file.
Now that you've glanced at the configuration file, it's time to analyze it, and its associated directories, with a view toward security.
Basic Apache Security
You can modify the httpd.conf configuration file to secure the entire server or manage security on a directory-by-directory basis. Directory controls secure access by the server, as well as users who connect to the Web sites on the server. To explore the basics of Apache security, start with the first default active line in httpd.conf:
ServerTokens OS
This line looks deceptively simple; it limits what readers see about your Web server when you browse to a nonexistent page. If you don't use this command, outsiders can see whether you've loaded modules such as Perl, Python, and PHP. Sharing this knowledge can make your system more vulnerable. You can restrict access to the root directory on your Web server as shown here:
Options FollowSymLinks
AllowOverride None
This configures a very restrictive set of permissions. The Options FollowSymLinks line supports the use of symbolic links for Web pages. The AllowOverride None line disables any .htaccess files. Otherwise, .htaccess can allow others to administer your server, starting from the DocumentRoot directory. If .htaccess is in a subdirectory, such as /var/www/html/data/, the additional directives, if permitted by AllowOverride, would apply only to that directory.
You can improve this by limiting access to all but explicitly allowed users, such as those within your company, by adding the following commands to the
container:
Order deny,allow
Deny from all
The next excerpt limits access to /var/www/html, which corresponds to the default DocumentRoot directive (while these directives are divided by numerous comments, they are all in the same stanza):
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
You'll note that the Options directive has changed; the Indexes setting allows readers to see a list of files on your Web server if no index.html file is present in the directory as defined by DocumentRoot. The Order and Allow lines allow all users to access the Web pages on this server.
Finally, the Listen directive defines the IP address and TCP/IP port for this server. For example, the default shown next means that this server will work with every computer that requests a Web page from any of the IP addresses for your computer on the standard TCP/IP port, 80:
Listen 80
If you have more than one IP address on your computer, you can use this directive to limit this Web server to one specific IP address. For example, if you've set up an intranet on this Web server, you could use the IP address that connects to your private network here.
If you're also setting up secure Web services, there's a second Listen directive in the ssl.conf file in the /etc/httpd/conf.d directory. The data from this file is automatically incorporated into your Apache configuration. It includes the following directive, which points to the default secure HTTP (HTTPS) port for TCP/IP, 443:
Listen 443
Exam Watch
The Red Hat Exam Prep guide suggests that you need to be ready to configure a regular HTTP and a secure HTTPS Web site.
Apache and Security Arrangements
If you have an iptables firewall on your computer, you'll need to disable it at least for TCP/IP port 80. If you're configuring a secure Web site, you'll also need to disable iptables for port 443. If you've enabled SELinux, you'll need to change the Access Control List (ACL) security contexts of key directories. Chapter 15 describes these processes in detail. For now, just take the following two steps:
Run system-config-securitylevel, allow incoming WWW (HTTP) and Secure WWW (HTTPS) connections as "Trusted Services," and exit normally.
Run the ls -Z /var/www command. Note the ACL settings. If you configure other directories for Web services, you'll need to change their ACL settings. For example, if you create and then use the /www directory, run the following commands:
# chcon -R -u system_u /www/
# chcon -R -t httpd_sys_content_t /www/
Host-Based Security
You can add the Order, allow, and deny directives to regulate access based on host names or IP addresses. This basic command allows access by default. It reads the deny directive first:
Order deny,allow