Apache Server Survival Guide asg09.htm
|
Syntax: | AccessConfig filename |
Default: | AccessConfig conf/access.conf |
Extent: | server configuration, virtual host |
Status: | core |
The AccessConfig directive defines the location of the global access control file. A filename can be specified relative to the ServerRoot pathname or as a full pathname. Traditionally, this file contained <Directory> sections and other directives that affected access control and user authentication; today, however, you can put any server-configuration directives allowed in the server configuration context.
If not defined, the default is
AccessConfig conf/access.conf |
AuthName This is a secured resource, please login first. |
This directive requires the use of the AuthType and require directives, and requires that directives such as AuthUserFile and AuthGroupFile or any of their derivatives work properly.
|
Syntax: | AuthType [Basic] | [Digest] |
Context: | directory, .htaccess |
Status: | core |
The AuthType directive controls the type of authentication used. Basic authentication provides no encryption to the authentication session. Password information is transmitted in code form but not encrypted, making it quite simple to decode.
These directives require the use of the AuthName and require directives. In addition, if you using Basic authentication, you need to use directives such as AuthUserFile and AuthGroupFile or any of their derivatives work properly. When using Digest authentication, you'll need to use AuthDigestFile.
Syntax: | BindAddress [*] | [IP] | [fully qualified domain name] |
Default: | BindAddress * |
Context: | server configuration |
Status: | core |
The httpd server can listen for connections to the host's IP address or to multiple IP addresses if the server is multihomed. If given a BindAddress, the httpd server will only listen for connections to the IP address specified by this directive. BindAddress can be specified by IP, such as
BindAddress 204.12.123.123
or by the fully qualified name of the machine, such as
BindAddress www.foo.com
To have the server listen to all IP addresses accepted by the host, use
BindAddress *
This is also the default value if not specified.
Syntax: | DefaultType mime-type |
Default: | DefaultType text/html |
Context: | server configuration, virtual host, directory, .htaccess |
Override: | FileInfo |
Status: | core |
When a client requests a document, the server is responsible for setting the document type of the requested document in the HTTP header. If a client asks for a document type that the server does not recognize (either because the extension of the document is missing or because the extension is not registered as a valid MIME type) the server returns the mime-type defined by DefaultType.
If you have a directory that contains many Graphical Interchange Format (GIF) files that are not properly named with a .gif extension, an entry in an .htaccess such as
DefaultType image/gif
would ensure that the client browser would handle unknown files as GIFs. Some browsers are fairly smart and actually identify a type based on the encoding and format of the file.
Syntax: | DocumentRoot path |
Default: | DocumentRoot /usr/local/etc/httpd/htdocs |
Context: | server configuration, virtual host |
Status: | core |
The DocumentRoot directive specifies the server's document root. The server will append path to all requests prior to executing them, unless the paths are matched by an Alias directive. Do not terminate the path with a trailing slash (/).
DocumentRoot /usr/local/etc/httpd/htdocs |
A request for http://www.foo.com/index.html will translate into /usr/local/etc/htdocs/index.html.
|
Syntax: | ErrorDocument error-code [pathname] | [URL] | [message string] |
Default: | none |
Context: | server configuration, virtual host |
Status: | core |
This is one of the great features of Apache. Instead of returning the standard error responses, Apache can be configured to return customized error messages or to redirect the request to a local or external URL that can handle the request.
You can specify that a file be retrieved by putting in the complete pathname to the file:
# Error code 404 - file not found ErrorDocument 404 /error/filenotfound.html |
Or you can specify a message on-the-fly:
|
ErrorDocument 404 "This file is not on this server. Go away. ErrorDocument 500 "Your request failed, because: %s. Oh well |
If you provide the characters %s in message string, Apache inserts further information about the error if available.
You can also force the client to redirect to an external site by specifying a complete URL:
|
ErrorDocument 404 http://www.server.com/filex.html |
|
Syntax: | ErrorLog filename |
Default: | ErrorLog logs/error_log |
Context: | server configuration, virtual host |
Status: | core |
This directive specifies the location of the error-log file. The error log is, not surprisingly, the file where the httpd server logs errors. An error can be any request that timed out, or any request that the server could not fulfill because of an access- or resource-availability error. As system administrator, you should check error logs often, especially after upgrading or adding a new CGI program. Many problems of which you may be unaware get logged here, and checking the error log may be the only way to see if someone is trying to attack your server.
If the filename specified in this directive is not an absolute path (a path starting with a /), the filename location is assumed to be relative to the path indicated by ServerRoot.
To turn off error logging, execute
ErrorLog /dev/null
Syntax: | Group GID |
Default: | Group #-1 |
Context: | server configuration |
Status: | core |
The Group directive sets the group ID (GID) that the server will use to answer any requests. In order to use this directive, the standalone server needs to be started as root because only the superuser is able to change the real and effective GID of a process.
When started by root, the parent httpd process will have root GID (usually wheel). However, httpd requests are served by child processes that use the GID assigned by the Group directive. If started by a user other than root, the GID is inherited from the user that started the httpd process.
You can supply the GID in number format by preceding it with a #, like this:
Group #-1
You can also specify a valid group name as an argument:
Group nogroup
On my system, nogroup has a GID of -2. On many systems, however, nogroup has a GID of -1, which is the default setting for Apache.
Syntax: | IdentityCheck [on] | [off] |
Default: | IdentityCheck off |
Context: | server configuration virtual host, directory, .htaccess |
Status: | core |
The IdentityCheck directive determines whether the user name of the remote user is logged to the transfer log. For this feature to work, the remote machine must be running an RFC931-compliant identity daemon. It should be obvious that this information should not be trusted outside of your network. The transferlog file is defined by the TransferLog directive.
This directive creates an additional server load because the server tries to determine the identity of each user making a request.
Only one IdentityCheck directive is allowed in your server-configuration file. If omitted, the default is
IdentityCheck off
Apache 1.1 enhances the IdentityCheck directive. It can now be used on a per-directory basis. The new version of IdentityCheck is RFC1413-compliant.
Syntax: | KeepAlive numrequests |
Default: | KeepAlive 5 |
Context: | server configuration |
Status: | core |
The KeepAlive directive enables multiple transactions to be sent by the server over a single TCP connection, otherwise known as a persistent connection. Persistent connections greatly enhance the performance of the transaction because the overhead of establishing a new connection for each request is reduced or eliminated. The numrequests limit is imposed to prevent a client from grabbing all the server resources.
The following criteria must be met in order for this feature to work:
Syntax: | KeepAliveTimeout seconds |
Default: | KeepAliveTimeout 15 |
Context: | server configuration |
Status: | core |
This directive sets the maximum amount of time, in seconds, that the server will wait for subsequent requests before closing the connection. The time-out period starts the moment a request is received by the server. (See KeepAlive.)
Syntax: | Listen IP_address[:port] |
Context: | server configuration |
Status: | core |
This directive is similar to the BindAddress directive. The Listen directive instructs Apache to listen to more than one IP address or port; by default it listens in for requests on all interfaces, but only on the port given by the Port directive (Port is by default set to 80, the standard HTTP port). New versions of Stronghold (see Chapter 14, "Secure Web Servers") will use this feature to implement both SSL and standard servers in a single process. (Currently, you need two servers running: one for standard requests and another for SSL requests).
Syntax: | MaxClients number |
Default: | MaxClients 150 |
Context: | server configuration |
Status: | core |
This directive specifies the maximum number of connections that the httpd server will handle. Connections beyond number get put on a wait state until the server gets freed. number should be changed with care, because setting it too low will place new connections on a wait state, and setting it too high will rapidly exhaust server resources. The default setting is probably fine for the typical server. High-performance servers may benefit from setting number higher, as long as the hardware resources are able to cope with the additional load.
Syntax: | MaxRequestsPerChild number |
Default: | MaxRequestsPerChild 30 |
Context: | server configuration |
Status: | core |
This directive specifies how many requests an individual child httpd process will handle before getting terminated. MaxRequestPerChild was initially developed to autokill processes that had aged longer than a certain number of requests with the intention of limiting the number of memory leaks that the process could consume. This option is still valuable on many systems such as Solaris where memory leaks in the libraries still exist.
Syntax: | MaxSpareServers number |
Default: | MaxSpareServers 10 |
Context: | server configuration |
Status: | core |
The MaxSpareServers directive sets the maximum number of idle child processes. Idle processes are httpd server processes not currently fulfilling HTTP requests.
Should the number of idle processes increase above what is specified by number, the parent process will terminate the excess processes.
Extremely busy sites can benefit from increasing the default setting of 10, in case there's a drop in usage for a few seconds. If usage drops, idle processes will go up, which the server will then kill. When usage resumes, the system will be scrambling to find resources to fulfill the requests. Unless you have a very good reason for altering it, don't change the default setting.
(See MinSpareServers and StartServers.)
Syntax: | MinSpareServers number |
Default: | MinSpareServers 5 |
Context: | server configuration |
Status: | core |
The MinSpareServers directive controls the minimum number of idle child server processes that are available at any one time. Idle processes are server processes not currently handling HTTP requests. If the idle-process count should decrease below the amount designated by MinSpareServers, the parent process will create new child processes. New processes are created at one-second intervals.
This setting should not be changed from the default value unless you have a very good reason for the change.
(See MaxSpareServers and StartServers.)
Syntax: | Options [All] | [None] | [ExecCGI] [FollowSymLinks] [Includes] [IncludesNOEXEC] [Indexes] [MultiViews] [SymLinksIfOwnerMatch] |
Context: | server configuration, virtual host, directory, .htaccess |
Override: | Options |
Status: | core |
The Options directive controls which server options are available in a particular directory:
All | Enables all options except MultiViews. |
ExecCGI | Execution of CGI programs is allowed. |
FollowSymLinks | Following of symbolic links is allowed. |
Includes | Use of Server Side Includes (SSI) is allowed |
IncludesNOEXEC | SSI is allowed with the following restrictions: the #exec and #include commands are disabled. |
Indexes | Enables return of directory listings in cases where a client requests a directory for which there is no DirectoryIndex file (index.html). |
MultiViews | Enables content negotiation based on document language. See LanguagePriority. |
SymLinksIfOwnerMatch | Following of symbolic links is allowed if the target file or directory is owned by the same user as the link. This setting offers better security than the FollowSymLinks option. |
When multiple <Directory> sections that contain Options directives match a request, the Options in the best match are applied. As the following script shows, Option settings are not cumulative:
<Directory /usr/local/etc/htdocs/miscfiles> Options Indexes </Directory> <Directory /usr/local/etc/htdocs> Options MultiViews </Directory> |
For requests in the /usr/local/etc/htdocs/miscfiles tree, the only option enforced is MultiViews.
|
Syntax: | PidFile filename |
Default: | PidFile logs/httpd.pid |
Context: | server configuration |
Status: | core |
This directive specifies the location of a file that contains the process ID of the main httpd process on a standalone configuration. The contents of this file are very useful if you need to stop or start the server. A convenient way to restart the server is to run
# kill -HUP 'cat pathToPidFile'
If you are running your server using inetd instead of standalone, the contents of this file are bogus.
A filename is set to be relative to ServerRoot if it's not an absolute path specification (begins with a slash).
Syntax: | Port number |
Default: | Port 80 |
Context: | server configuration |
Status: | core |
The Port directive sets the port where a standalone server listens for requests. The standard port for the HTTP protocol is 80.
The number is a TCP port, and as such it has certain restrictions. Ports numbered below 1024 are reserved for the system. Nonroot users cannot bind to reserved ports. If you want to use the default HTTP port (80), httpd must be started by root.
Syntax: | require option name name... |
Context: | directory, .htaccess |
Override: | AuthConfig |
Status: | core |
This directive sets the selection criteria used to determine which authenticated users may access a restricted resource.
require also selects which authenticated users can access a directory. The allowed options are as follows:
user | Only users named in the list can access the resource: |
require user1 user2 ... | |
group | Only users that are members of the groups specified in the list can access the resource: |
require group1 group2 ... | |
valid-user | Any valid user can access the resource: |
require valid-user |
If the require directive appears inside a <Limit> section, it restricts access to the named HTTP methods; otherwise, access is restricted for all methods:
AuthType Basic AuthName somedomain AuthUserFile /web/users AuthGroupFile /web/groups Limit <GET POST> require group admin </Limit> |
This directive requires the use of the AuthName and AuthType directives, and directives such as AuthUserFile and AuthGroupFile or any of their derivatives, to work properly.
|
Syntax: | ResourceConfig filename |
Default: | ResourceConfig conf/srm.conf |
Context: | server configuration, virtual host |
Status: | core |
The ResourceConfig directive defines the location of a secondary configuration file. Filename can be specified relative to the ServerRoot or as a full pathname. Traditionally, this file contained most configuration directives with the exception of the server configuration and <Directory> sections. This file can contain any directive with a context of server configuration.
If not defined, the default is
ResourceConfig conf/srm.conf
The ResourceConfig directive can also be specified inside a <VirtualHost> section. Only one ResourceConfig directive is allowed in the server configuration file unless the additional directives are part of a <VirtualHost> section, and then only a single ResourceConfig directive is allowed per <VirtualHost> section.
To ignore the default setting for the ResourceConfig, define /dev/null as the filename parameter. The file specified by ResourceConfig is read after the server configuration file.
Syntax: | ServerAdmin emailaddress |
Default: | none |
Context: | server configuration, virtual host |
Status: | core |
The ServerAdmin directive sets the e-mail address of the webmaster that will be returned to a client in case of an error.
If you are hosting virtual domains, this directive gives you an opportunity to effectively add information; in some cases, it may be valuable to set up more elaborate aliases (such as ServerAdmin webmaster-smartsoft@accesslink.com) so that you know which server caused the problem. When you receive e-mail addressed to webmaster-smartsoft@accesslink.com, you know immediately that the sender was at SmartSoft's Web site.
For a more sophisticated method of handling e-mail aliases, please see Appendix B, "Managing Virtual Domains with sendmail V8."
Syntax: | ServerAlias host1 host2... |
Context: | server configuration, virtual host |
Status: | core |
The ServerAlias directive sets additional names the server will respond to for requests. This directive is intended for use with non-IP intensive virtual hosts. For more information, please refer to Chapter 4, "Virtual Hosts," for the section titled, "Non-IP Virtual Hosts."
Syntax: | ServerName hostname |
Default: | ServerName (Deduced from IP; may not be what you want.) |
Context: | server configuration, virtual host |
Status: | core |
This directive sets the name returned by your server. hostname should be a fully qualified domain name. hostname should be a valid DNS name.
Syntax: | ServerPath path |
Context: | server configuration, |
virtual host | |
Status: | core |
The ServerPath directive is used as a workaround for browsers that don't support non-IP virtual hosts. Non-IP virtual hosts are supported by a browser by including an extra HTTP header, HTTP_HOST, that contains the name of the server requested. Because older browsers don't include this information, requests for a non-IP virtual host will end up in your real server's home page, which the virtual host shares its IP address.
ServerPath provides you with a mechanism to redirect requests to the proper place by using additional path information. Please refer to Chapter 4 for additional information on how to use and implement non-IP intensive virtual hosts.
Syntax: | ServerRoot path |
Default: | ServerRoot /usr/local/etc/httpd |
Context: | server configuration |
Status: | core |
The ServerRoot directive specifies where the server directory tree lives. Path is appended to all relative path definitions. Many of the server resources are expected to be found in this tree.
The location of this tree can also be specified by using the -d option to the httpd executable.
Syntax: | ServerType [standalone] | [inetd] |
Default: | ServerType standalone |
Context: | server configuration |
Status: | core |
The ServerType directive sets how the HTTP server is run by UNIX. The server can be run from inetd (which listens for socket connections to the Internet ports and then passes the request to the appropriate software) or in standalone mode (where the server itself listens and handles requests to its port).
inetd runs a new copy of the server per request. After the request is processed, the server exits. Standalone servers fork several server processes that handle several connections before being disposed of by the main server process. This reuse of existing processes provides for increased efficiency.
inetd-run servers are considered by many administrators to be more secure and less prone to attack than standalone servers.
To have inetd start the Web server, you need to edit /etc/inetd.conf and /etc/services. For more information, please refer to Chapter 2, "Installing and Configuring an Apache Server."
Syntax: | StartServers number |
Default: | StartServers 5 |
Context: | server configuration |
Status: | core |
The StartServers directive specifies the number of child server processes that are forked at server startup. The actual number of server processes at any one time is dynamically controlled by the server load and the MaxSpareServers, MinSpareServers, and MaxClients directives.
There's no need to change this parameter from its default setting.
Syntax: | TimeOut seconds |
Default: | TimeOut 1200 |
Context: | server configuration |
Status: | core |
This directive sets the maximum amount of time, in seconds, that the server will wait for a request to be completed. If it is set too low, the server will terminate the connection before a large transfer is completed. Note that unless you are downloading huge pages, the default is set to 20 minutes. If you notice problems with many stuck-open connections, reducing this number will increase performance of your site.
Syntax: | User uid |
Default: | User #-1 |
Context: | server configuration |
Status: | core |
The User directive sets the user ID (UID) the server will use to answer requests. In order for the server to change UIDs, the server needs to be started as root, because only the superuser is able to change the real and effective UID of a process.
When started as root, the owner of the parent server will remain as root. However, requests are handled by child processes will run under the UID assigned by this directive.
To set the user ID of httpd to nobody, use
User nobody
or
User #-1
where # is followed by the UID. You may find nobody to have a UID of -1 on many systems. The default for the User directive is -1. On my system, nobody has an UID of -2.
When specifying UIDs by number, verify the /etc/passwd file for the proper UID of the user under which you want the httpd daemon run. On most systems, the format of the passwd file is
login:encryptedPassword:UID:GID:realname and other info:home directory:shell program |
As seen in the preceding /etc/passwd sample entry, UID is the third field. All fields on the passwd file are separated by colons (:).
|
Syntax: | <Directory dir>...</Directory> |
Context: | server configuration, virtual host |
Status: | core |
A <Directory> section is a group of control directives enclosed by a <Directory dir> and </Directory> tag pair. Control directives inside a <Directory> section only apply to the document tree specified by dir. The effects of a <Directory> section apply to any subdirectories in the tree.
You can use any directive in a <Directory> section that is allowed in a directory context. dir is specified either as a full path or as a wildcard string. Wildcard strings can use ? and * characters, with results similar to a shell; ? matches any single character, whereas * matches any sequence of characters.
Because a directory may match various <Directory> sections, the directives are applied in the order of the shortest match first:
<Directory /usr/local/etc/htdocs> AllowOverride None </Directory> <Directory /usr/local/etc/htdocs/public/*> AllowOverride AuthConfig Limit </Directory> |
For a request to /usr/local/etc/htdocs/public/project/foo.html, the preceding directives get applied in the following order:
<Directory> sections are usually found in the global ACF conf/access.conf, or inside a <VirtualHost> section. However, you can put them in any configuration file, with the exception of per-directory ACFs (.htaccess). <Directory> sections cannot nest or appear inside a <Limit> section.
You can specify dir, using a regular expression. For information on creating regular expressions, please see Table 6.1.
|
Syntax: | <File filepath>...</File> |
Context: | server configuration, virtual |
host | |
Status: | core |
The <File> section provides for access control on a per-file basis. It functions exactly like the <Directory> section; however, instead of using a directory specification, it specifies a file in a directory.
You can specify filepath, using a regular expression. For information on creating regular expressions, please see Table 6.1.
Syntax: | <Limit method method...>...</Limit> |
Context: | any |
Status: | core |
A <Limit> section is a group of access control directives, enclosed by a <Limit> and </Limit> tag pair, which applies only to listed HTTP access methods such as GET, POST, HEAD, and so on.
Typically, you use a require directive nested by limit tags to specify authentication requirements before the request is served:
... <Limit Get> require valid-user order deny,allow deny from all allow from domain </Limit> ... |
Any HTTP request that uses the GET or POST method will be processed by the server only if the user authenticates (other authentication directives are not shown) and is a member of the group groupname. For the sake of completeness:
|
Syntax: | <Location URI>...</Location> |
Context: | server configuration, virtual host |
Status: | core |
The <Location> section provides for access control on a per-file or per-URL basis. It functions exactly like the <Directory> section, but instead of using a filepath specification, it uses an URI for its target.
URI is a URL without the http://servername portion. URI is specified either as a full path or a wildcard string. Wildcard strings can use ? and * characters, with results similar to a shell. ? matches any single character; * matches any sequence of characters.
<Location> sections are evaluated in the order listed after <Directory> sections and .htaccess files have been evaluated.
You can specify URI, using a regular expression. For information on creating regular expressions, please see Table 6.1.
Syntax: | <VirtualHost host[:port]>...</VirtualHost> |
Context: | server configuration, virtual host |
Status: | core |
The <VirtualHost> and </VirtualHost> section tags are used to group directives that only apply to a particular host. Any directive that is allowed in a virtual host context can be used. The server receives a request directed toward a virtual host; the configuration directives enclosed in the <VirtualHost> and </VirtualHost> section tags override directives found elsewhere.
You can specify the host to which the section applies by specifying the IP address of the virtual host, or by specifying a fully qualified domain name (fqdn). In addition, you can specify the TCP port for the configuration. This way virtual hosts can return different content solely on the basis of the port used to access it.
<VirtualHost www.company.com> ServerAdmin webmaster@company.com DocumentRoot /www/docs/company ServerName www.company.com ErrorLog logs/company.error_log TransferLog logs/company.transfer_log </VirtualHost> |
New in Apache 1.1 is support for non-IP intensive virtual hosts. The declaration of the directive is identical to the original IP-intensive version. The difference in implementation is that the IP of the virtual host must be the same as that of the main host. This new functionality works in conjunction with an HTTP/1.1 protocol, which requires the browser sends the name used for addressing the server.
For IP-intensive virtual hosts, each host IP-identified by the VirtualHost directive must be unique; in order for the host to work, the computer must be configured to accept multiple IP addresses. This configuration, unlike the new non-IP virtual hosts, works regardless of the browser.
For more information on how to build virtual hosts, refer to Chapter 4.
|