Apache Web Server
www.apache.org - The Apache Software Foundation - provides some of the best documentation in the software community. There's no need to explain everything here. This document is only a quick reference to some specific aspects of the Apache web server.
The .htaccess File and the <Directory> section
Any .htaccess configuration may also be placed in the <Directory> section of the Apache server configuration file. Using <Directory> rather than .htaccess is recommended.
Password Protect directories:
Configure Apache to use a password file, create the password file, and optionally create a group file.
AuthName "Message that appears in password prompt box"
AuthType Basic
AuthUserFile /filesystem/path/to/.webauth
require valid-user
Make sure that .webauth (or whatever you call the file) is owned by user 'nobody'. The leading dot, together with a proper Apache configuration, hides .webauth if it sits in a web-shared directory. Place the directives above in <Directory> or .htaccess.
To create the password file, use Apache's htpasswd utility.
htpasswd -c .webauth username
htpasswd .webauth username2
The second line adds another user (no -c create flag). A group file is optional and is plain text. Group name first, then a colon, then the members list separated by spaces:
mygroup: lazygirl ractive jim
!!!!! .htaccess troubleshooting / common problems !!!!!
- Check that AllowOverride AuthConfig is set for the file system path to the protected directory. .htaccess may not be enabled on a virtual domain basis, so check the Directory path. Note: dir.conf
Server Version Identification
For security, privacy, or paranoia you may want to hide the version of Apache you are using from visitors to your server.
- Locate in httpd.h the version number and change it.
#define SERVER_BASEREVISION "9.9.99"
(This will disguise the version that appears in error messages with some versions of Apache web server)
- Edit httpd.conf and add the following line:
ServerTokens ProductOnly
(Limits the output identification to only 'Apache' rather than the name, version, and operating system)
- Edit httpd.conf and add or modify the following:
ServerSignature Off
(Apache reports absolutely no name or version data to clients)
Directory Browsing on a directory
Forbidden You don't have permission to access /logo/ on this server.
If you would like to enable Directory Browsing for a specific directory, you can do one of two things:
1. Add this line to your .htaccess file: Options Indexes
2. Add these lines to your httpd.conf:
<Directory /usr/your/directory/here>
    Options Indexes
</Directory>
Access Control by IP Address using the Apache Rewrite Engine
You need to enable the rewrite engine, mod_rewrite. You can do this within a virtual host.
RewriteEngine on
In this example the banned IP addresses are stored in a text file called bannedips.txt. When a visitor from a banned IP address requests the site, he/she is redirected to an alternative page.
RewriteEngine on
RewriteMap ipmap txt:/etc/apache/conf/bannedips.txt
RewriteCond ${ipmap:%{REMOTE_ADDR}} ^b$ [NC]
RewriteCond %{REQUEST_URI} !^/getlost.html$ [NC]
RewriteRule .* /getlost.html [R,L]
The second condition prevents a redirect loop by exempting getlost.html, the page that carries the message shown to banned visitors. The format of the text file is an IP address followed by the letter 'B'. The letter could be anything, but it must match the RewriteCond pattern ^b$
X.X.X.X b
The Apache mod_rewrite module is very powerful and allows complex URL manipulation. The apache.org web site has many details and examples.
Here is another way to ban an IP or range:
RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$"
RewriteRule .* - [F,L]
The above example bans Cyveillance, a copyright bot used by the RIAA.
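To confirm that an IP-ban pattern like the one above matches exactly the addresses intended, the following added example (not part of the original page) enumerates the enclosing /24 and compares the matches with a CIDR block. The /27 block is derived here from the regex; the unanchored variant and the probe address are constructed for comparison.

```python
import ipaddress
import re

# Pattern copied from the RewriteCond above.
PAGE_PATTERN = r"^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$"
# Constructed variant with the ^ and $ anchors dropped, for comparison only.
UNANCHORED_PATTERN = r"63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])"
# Block the page pattern works out to (derived from the regex, not stated on the page).
INTENDED_CIDR = "63.148.99.224/27"
# Constructed address outside the block that contains a banned address as a substring.
PROBES = ["163.148.99.230"]


def matched_in_block(pattern, block):
    """Addresses in `block` that the pattern matches.
    re.search mirrors RewriteCond, which matches anywhere unless anchored."""
    rx = re.compile(pattern)
    return {ip for ip in ipaddress.ip_network(block) if rx.search(str(ip))}


def covers_exactly(pattern, intended_cidr, probes=()):
    """True if the pattern matches every address in intended_cidr, no other
    address in the enclosing /24, and none of the probe addresses."""
    net = ipaddress.ip_network(intended_cidr)
    enclosing = net.supernet(new_prefix=24)
    matched = matched_in_block(pattern, str(enclosing))
    rx = re.compile(pattern)
    stray = [p for p in probes if rx.search(p)]
    return matched == set(net) and not stray


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("unanchored", UNANCHORED_PATTERN)):
        print(name, "covers exactly", INTENDED_CIDR, "->",
              covers_exactly(pat, INTENDED_CIDR, PROBES))
```

Without the anchors the pattern also blocks 163.148.99.230, an unrelated address, which is why the page's version keeps ^ and $.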
Using mod_ssl in Apache2 - configuration
Put the following in your ssl.conf file:
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
</IfDefine>
Put the following in the virtual_host.conf file:
NameVirtualHost 192.168.0.2
<IfDefine SSL>
<VirtualHost 192.168.0.2:443>
    DocumentRoot "/home/httpd/secure-html-directory"
    ServerName secure.yourcompany.com:443
    ServerAdmin webmaster@yourcompany.com
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/certs/test.cert.cert
    SSLCertificateKeyFile /etc/httpd/conf/certs/test.cert.key
    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/home/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
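A heuristic audit of the SSLCipherSuite value above, added here as an example (not code from the original page, Apache or OpenSSL): it applies OpenSSL's cipher-list operators (a bare token adds, `!` kills, `-` removes, `+` only reorders) to report which weak cipher classes stay enabled. The class table, the function name and the comparison string are assumptions of this example; it does not model which weak suites HIGH, MEDIUM or DEFAULT contain in a given OpenSSL build, and it may over-report on compound tokens.

```python
import re

# class -> (tokens that add ciphers of the class, tokens that remove all of them).
# Assumption of this example: a small hand-written table, not OpenSSL's own data.
CLASSES = {
    "eNULL": ({"eNULL", "NULL", "COMPLEMENTOFALL"}, {"eNULL", "NULL"}),
    "ADH":   ({"ADH", "aNULL", "ALL"}, {"ADH", "aNULL", "ALL"}),
    "EXP":   ({"EXP", "EXPORT", "EXPORT40", "EXPORT56", "ALL"}, {"EXP", "EXPORT", "ALL"}),
    "LOW":   ({"LOW", "ALL"}, {"LOW", "ALL"}),
    "RC4":   ({"RC4", "ALL"}, {"RC4", "ALL"}),
    "SSLv2": ({"SSLv2", "ALL"}, {"SSLv2", "ALL"}),
}

# Value copied from the virtual host configuration above.
PAGE_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Constructed comparison value.
STRICT_SUITE = "HIGH:!aNULL:!MD5"


def weak_classes(cipher_string):
    """Return the sorted weak classes still enabled after every token is applied."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")
        if op == "+":
            continue  # moves already-selected ciphers to the end; adds nothing
        for cls, (adds, kills) in CLASSES.items():
            if op == "":
                # A compound such as RC4+RSA selects an intersection, so any part
                # naming the class can bring in some of its ciphers.
                if cls not in killed and any(p in adds for p in parts):
                    enabled.add(cls)
            elif len(parts) == 1 and parts[0] in kills:
                enabled.discard(cls)      # "-" removes, may be re-added later
                if op == "!":
                    killed.add(cls)       # "!" removes permanently
    return sorted(enabled)


if __name__ == "__main__":
    print("page suite  :", weak_classes(PAGE_SUITE))
    print("strict suite:", weak_classes(STRICT_SUITE))
```

For the page's value it reports EXP, LOW, RC4 and SSLv2: `!EXPORT56` removes only the 56-bit export suites, and `+eNULL` adds nothing because `ALL` never included eNULL.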
Creating Self Signed "Test" SSL Certificates
Step one - create the key and request:
openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
The Apache-SSL directives that you need to use the resulting cert are:
SSLCertificateFile /path/to/certs/new.cert.cert
SSLCertificateKeyFile /path/to/certs/new.cert.key
When prompted for "Common Name (eg, YOUR name) []:" enter the address of the secure website, for example: secure.domain.com
source: http://www.apache-ssl.org/
Wed Aug 25 17:54:18 CDT 2004