APACHE WEB SERVER
~~~~~~~~~~~~~~~~~

www.apache.org - The Apache Software Foundation - provides some of the best documentation in the software community. There's no need to explain everything here. This document is only a quick reference to some specific aspects of the Apache web server.
The .htaccess File and the <Directory> Section
Any .htaccess configuration may also be placed in a <Directory> section of the Apache server configuration file. Using <Directory> is recommended over .htaccess.
Password Protecting Directories

Configure the directives that point at the password file, create the password file, and optionally create a group file.

  AuthName "Message that appears in password prompt box"
  AuthType Basic
  AuthUserFile /filesystem/path/to/.webauth
  require valid-user

Make sure that .webauth (or whatever you call the file) is owned by user 'nobody' (the user Apache runs as) so the server can read it. The leading dot, together with a proper Apache configuration, keeps .webauth from being served if it sits in a web-shared directory. Place the directives in a <Directory> section or in .htaccess.
To create the password file, use Apache's htpasswd utility.
  htpasswd -c .webauth username
  htpasswd .webauth username2
The second line adds another user (no -c create flag). A group file is optional and is plain text: the group name on the first line, a colon, then a space-separated list of members:

  mygroup: lazygirl ractive jim
.htaccess troubleshooting / common problems

- Check that AllowOverride AuthConfig is set for the filesystem path of the protected directory. .htaccess MAY NOT BE ENABLED on a virtual-domain basis, so check the <Directory> path (note: dir.conf).
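The following is an added example, not configuration from the original document: it puts the password-protection directives above into a <Directory> section of the server configuration (so no AllowOverride is needed), restricts access to the group defined in the group file, and refuses to serve the credential files themselves. The directory and file paths, the group name and the Apache 2.4 "Require" syntax are assumptions.

```apache
# Added example (not from the original page): protect one directory from the
# server configuration rather than .htaccess. Assumed paths:
# /var/www/html/private, /etc/apache2/.webauth, /etc/apache2/.webgroup.
<Directory "/var/www/html/private">
    AuthName "Staff only"
    AuthType Basic
    AuthUserFile /etc/apache2/.webauth
    # Group file format: "mygroup: user1 user2 user3" (space-separated)
    AuthGroupFile /etc/apache2/.webgroup
    # Only members of "mygroup"; use "Require valid-user" instead to accept
    # anyone listed in the password file
    Require group mygroup
    # Everything is configured here, so .htaccess overrides are not needed
    AllowOverride None
</Directory>

# Never serve the credential files, even if a copy ends up inside a
# web-shared directory: refuse every filename that begins with a dot
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

Keep the password and group files outside the DocumentRoot where possible; the <FilesMatch> block is a second line of defence for the case the text describes, where the dot-file sits in a shared directory.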
Server Version Identification
For security, privacy, or paranoia you may want to hide the version of Apache you are using from visitors to your server.
- Locate the version number in httpd.h and change it:
  #define SERVER_BASEREVISION "9.9.99"
  (This disguises the version that appears in error messages with some versions of the Apache web server.)
- Edit httpd.conf and add the following line:
ServerTokens ProductOnly
(Limits the identification output to just 'Apache' rather than the name, version, and operating system.)
- Edit httpd.conf and add or modify the following:
ServerSignature Off
(Apache reports no name or version data to clients.)
Directory Browsing on a Directory

With directory browsing disabled, a request for the directory returns:

  Forbidden
  You don't have permission to access /logo/ on this server.

If you would like to enable directory browsing for a specific directory, you can do one of two things:
1. Add this line to your .htaccess file:

  Options Indexes

2. Add these lines to your httpd.conf:

  <Directory /usr/your/directory/here>
    Options Indexes
  </Directory>
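As an added example (not part of the original document), the configuration below keeps listings off for the whole document root and enables them for a single download directory only, hiding dot-files and editor backups from the listing. The paths are assumptions.

```apache
# Added example (not from the original page). Paths are assumptions.
# Listings stay off everywhere under the document root ...
<Directory "/var/www/html">
    Options -Indexes
</Directory>

# ... and are enabled for one directory only. The "+" form adds Indexes to
# the inherited options instead of replacing them all.
<Directory "/var/www/html/downloads">
    Options +Indexes
    # Keep dot-files, editor backups and autosave files out of the listing
    IndexIgnore .??* *~ *#
</Directory>
```

Using "Options Indexes" (without the plus) in the inner section would reset every other option inherited from the outer one; the relative "+Indexes" form changes only the one you mean.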
Access Control by IP Address using the Apache Rewrite Engine
You need to enable the rewrite engine, mod_rewrite. You can do this within a virtual host:

  RewriteEngine on
In this example the banned IP addresses are stored in a text file called bannedips.txt. When a visitor from one of those addresses requests the site, they are redirected to an alternative page.

  RewriteEngine on
  RewriteMap ipmap txt:/etc/apache/conf/bannedips.txt
  RewriteCond ${ipmap:%{REMOTE_ADDR}} ^b$ [NC]
  RewriteCond %{REQUEST_URI} !^/getlost.html$ [NC]
  RewriteRule .* /getlost.html [R,L]

The second condition prevents looping by exempting getlost.html, the redirect destination that carries the message. The format of the text file is the IP address followed by the letter 'b'; the value could be anything, as long as it matches the RewriteCond pattern ^b$ (the [NC] flag makes the match case-insensitive):

  X.X.X.X b
The Apache mod_rewrite module is very powerful, allowing complex URL manipulation. The apache.org web site has many details and examples.
Here is another way to ban an IP or range:
  RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$"
  RewriteRule .* - [F,L]
The above example bans Cyveillance, a copyright bot used by the RIAA.
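The block below is an added example, not configuration from the original document, covering both the map-file redirect and the single-range ban above. It places the RewriteMap version inside a virtual host (RewriteMap is only valid in server or virtual-host context, not in .htaccess) and shows the regular expression ^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$ rewritten as the CIDR block it actually covers, 63.148.99.224/27, using mod_authz_host. The hostname, document root and map-file path are assumptions; the "Require" syntax assumes Apache 2.4.

```apache
# Added example (not from the original page). Hostname, paths and the
# sample map entry are assumptions.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    RewriteEngine on
    # Map file: one "address value" pair per line, e.g.
    #   198.51.100.7 b
    RewriteMap ipmap txt:/etc/apache2/bannedips.txt
    # Look up the client address; a value of "b" (any case) triggers the ban.
    # An address that is not in the file yields an empty string, which does
    # not match ^b$.
    RewriteCond ${ipmap:%{REMOTE_ADDR}} ^b$ [NC]
    # Exempt the destination page so the redirect cannot loop
    RewriteCond %{REQUEST_URI} !^/getlost\.html$
    RewriteRule .* /getlost.html [R,L]

    # Same effect as the regex ban of 63.148.99.224-63.148.99.255 from the
    # text, written as a CIDR block. "Require not" must sit inside
    # <RequireAll> next to a positive rule.
    <Location "/">
        <RequireAll>
            Require all granted
            Require not ip 63.148.99.224/27
        </RequireAll>
    </Location>
</VirtualHost>
```

The regex alternation 2[4-9] | [3-4][0-9] | 5[0-5] after the leading "2" matches exactly 224 through 255, which is the 32-address block 63.148.99.224/27; writing it as a CIDR removes the chance of an off-by-one in the pattern and is evaluated before any rewriting takes place.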
Using mod_ssl in Apache2 - configuration
Put the following in your ssl.conf file:
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  <IfDefine SSL>
    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
  </IfDefine>
Put the following in the virtual_host.conf file:
  NameVirtualHost 192.168.0.2
  <IfDefine SSL>
  <VirtualHost 192.168.0.2:443>
    DocumentRoot "/home/httpd/secure-html-directory"
    ServerName secure.yourcompany.com:443
    ServerAdmin webmaster@yourcompany.com
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/httpd/conf/certs/test.cert.cert
    SSLCertificateKeyFile /etc/httpd/conf/certs/test.cert.key
    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/home/httpd/cgi-bin">
      SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>
  </IfDefine>
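The virtual host below is an added example, not part of the original document: it is the same secure virtual host with the TLS settings a current deployment would use. The SSLCipherSuite string above explicitly enables +SSLv2, +EXP, +LOW and +eNULL (no encryption) suites, which offer no protection against an eavesdropper; the replacement limits the server to TLS 1.2/1.3 and forward-secret AEAD suites, and keeps the per-request protocol/cipher log so weak negotiations can be spotted. It assumes Apache 2.4.37 or later built against OpenSSL 1.1.1 or later; the address, hostname and paths are taken from the text and are placeholders.

```apache
# Added example (not from the original page). Assumes Apache 2.4.37+ with
# OpenSSL 1.1.1+ (needed for the TLSv1.3 keyword). Paths are placeholders.
SSLSessionCache shmcb:/var/run/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost 192.168.0.2:443>
    ServerName secure.yourcompany.com
    DocumentRoot "/home/httpd/secure-html-directory"
    ErrorLog /var/log/httpd/error_log

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/certs/test.cert.cert
    SSLCertificateKeyFile /etc/httpd/conf/certs/test.cert.key

    # TLS 1.2 and 1.3 only; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are disabled
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only: no NULL, export, RC4, DES or static RSA
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # The server's preference order wins over the client's
    SSLHonorCipherOrder on
    # TLS-level compression leaks plaintext length; session tickets only if
    # the ticket key is rotated, otherwise leave them off
    SSLCompression off
    SSLSessionTickets off

    # Record protocol and cipher per request so a downgraded or weak
    # negotiation shows up in the log
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

SSLMutex from the text was replaced by the generic Mutex directive in Apache 2.4, so it is omitted here; a 2.4 server with the old directive present will refuse to start.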
Creating Self Signed "Test" SSL Certificates
Step one - create the key and request:
openssl req -new > new.cert.csr
Step two - remove the passphrase from the key (optional):
openssl rsa -in privkey.pem -out new.cert.key
Step three - convert request into signed cert:
openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365
The Apache-SSL directives that you need to use the resulting cert are:
  SSLCertificateFile /path/to/certs/new.cert.cert
  SSLCertificateKeyFile /path/to/certs/new.cert.key
When prompted for "Common Name (eg, YOUR name) []:", enter the hostname of the secure site, for example: secure.domain.com
source: http://www.apache-ssl.org/
Wed Aug 25 17:54:18 CDT 2004
Some Updated Information for Apache2
httpd.conf is now apache2.conf
Looking at the apache2.conf file: the main configuration details for your Apache server are held in the "/etc/apache2/apache2.conf" file.
- apache2.conf: the main Apache2 configuration file. Contains settings that are global to Apache2.
- httpd.conf: historically the main Apache2 configuration file, named after the httpd daemon. The file no longer exists. In older versions of Ubuntu the file might be present, but empty, as all configuration options have been moved to the directories referenced below.
- conf-available: this directory contains available configuration files. All files that were previously in /etc/apache2/conf.d should be moved to /etc/apache2/conf-available.
- conf-enabled: holds symlinks to the files in /etc/apache2/conf-available. When a configuration file is symlinked, it will be enabled the next time apache2 is restarted.
- envvars: file where Apache2 environment variables are set.
- mods-available: this directory contains configuration files to both load modules and configure them. Not all modules will have specific configuration files, however.
- mods-enabled: holds symlinks to the files in /etc/apache2/mods-available. When a module configuration file is symlinked it will be enabled the next time apache2 is restarted.
- ports.conf: houses the directives that determine which TCP ports Apache2 is listening on.
- sites-available: this directory has configuration files for Apache2 Virtual Hosts. Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations.
- sites-enabled: like mods-enabled, sites-enabled contains symlinks to the /etc/apache2/sites-available directory. Similarly when a configuration file in sites-available is symlinked, the site configured by it will be active once Apache2 is restarted.
- magic: instructions for determining MIME type based on the first few bytes of a file.