An introduction to Apache

Upload: collin-nash

Post on 27-Dec-2015

Different Types of Web Servers

Apache is the default web server for many Unix servers. IIS is Microsoft’s default web server. Other popular web servers are Sun’s iPlanet and Netscape’s web server.

Web Server Survey

What is apache?

Apache is the most widely used web server software package in the world. Apache is highly configurable and can be set up to support technologies such as password protection, virtual hosting (name based and IP based) and SSL encryption.

Starting and stopping Apache

To start, stop or restart Apache, one would use the apachectl command.

apachectl restart

will stop the server and then restart it (rereading the configuration files).

Apache Configuration

All core configuration of Apache is contained in a single file, httpd.conf. This file is typically around 1000 lines (mostly comments). The location will vary from Unix version to Unix version.

What’s in the httpd.conf

Number of processes to start, various timeouts, performance settings, ports to use, user to run as;

BindAddress * (use all network interfaces for server.)

ServerName (sets the server name manually)

DocumentRoot (specifies the root directory of the server.)

What’s in the httpd.conf

The Apache server is very modularized (loads between 30-40 modules). Modules are used for such things as PHP, CGI, authentication, and making home directories available.

Making user home directories available under apache.

Simply uncomment the following lines.

#<IfModule mod_userdir.c>
#    UserDir public_html
#</IfModule>

Note: public_html is the name of the dir under the user’s home directory. Everyone must have read access to this directory.

Using apache to “web enable” additional directories

Simply create a <directory> entry in the httpd.conf to make any directory available to apache.

<directory /path/to/dir/>
    Options
</directory>

A Sample <Directory> Entry

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order deny,allow
    Deny from all
</Directory>

AllowOverride

This tells Apache under what conditions previous settings may be overwritten.

AuthConfig - allows the use of authentication.

MultiViews - if the file /bobo is requested and bobo is not a directory, then Apache will search for files bobo.*

<Directory> Options

ExecCGI Execution of CGI scripts is permitted.

FollowSymLinks The server will follow symbolic links in this directory.

SymLinksIfOwnerMatch The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

<Directory> Options

Indexes If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then the server will return a formatted listing of the directory.

Note: this option gets ignored if set inside a <Location> section.

Apache Authentication

Apache authentication should not be used to protect highly sensitive data, as password credentials are sent as plain text with each web request.

A sample authentication window

www.myserver.com

Setting up apache authentication

Make sure that for the <directory> entry that you are using, the AllowOverride AuthConfig directive is on.

Secondly, you must create a password file for the “zone” that you are protecting.

Creating an apache password file

One would use the htpasswd command to create this file:

htpasswd -c file user (you will then be prompted for the password)

Note: Use the -c switch to create a new file. If that file already exists and you are just adding another user, do not use the -c switch, because -c rewrites the file and discards the existing entries.

Automating the creation process

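Should you wish to create an authentication entry via a script, one may do it this way:

htpasswd -nb user passwd >>file

Note that -b takes the password on the command line, where it is visible to other users in the process list while the command runs.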

Where to put password files

Password files can reside anywhere on the server. However, for security reasons it would not be a good idea to put this file in a directory that is “web-shared”. Generally, putting it in the same directory as the httpd.conf will suffice.

Using the password file

Next you must create a .htaccess file in the directory that you wish to protect. The contents of the .htaccess will look similar to this:

AuthName "My Secret Place"
AuthType Basic
AuthUserFile /etc/apache/passwd/secretfile
require valid-user

The .htaccess file

The AuthName specifies the name of the “Zone”. This will be displayed in the login box.

AuthUserFile specifies the location of the password file.
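A check for the "Where to put password files" advice, as an added example rather than anything from the original slides: it reads the AuthUserFile from a .htaccess and reports whether that file sits under a DocumentRoot or a UserDir directory from httpd.conf. The configuration text is constructed from the snippets on this page; the function names are hypothetical, and treating UserDir as a plain directory name is a simplifying assumption.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Matches the three directives we need; commented-out lines start with '#'
# and therefore never match.
DIRECTIVE = re.compile(r'^\s*(DocumentRoot|UserDir|AuthUserFile)\s+"?([^"\s]+)"?', re.I)

def directives(text, name):
    """Return the values of every uncommented `name` directive in text."""
    values = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() == name.lower():
            values.append(m.group(2))
    return values

def exposed_by(password_file, httpd_conf):
    """Return the web-shared location containing password_file, or None."""
    path = PurePosixPath(posixpath.normpath(password_file))  # resolves '..'
    for root in directives(httpd_conf, "DocumentRoot"):
        root_path = PurePosixPath(posixpath.normpath(root))
        if root_path in path.parents:
            return root
    for userdir in directives(httpd_conf, "UserDir"):
        if userdir in path.parts:          # e.g. /home/bob/public_html/...
            return "UserDir " + userdir
    return None

def audit(httpd_conf, htaccess):
    """Return (AuthUserFile, exposing location or None) for a .htaccess."""
    return [(f, exposed_by(f, httpd_conf))
            for f in directives(htaccess, "AuthUserFile")]

# Constructed from the configuration fragments shown on this page.
HTTPD_CONF = """
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
<VirtualHost *>
DocumentRoot /var/www/pens
ServerName pens.ca
</VirtualHost>
"""
HTACCESS = 'AuthName "My Secret Place"\nAuthType Basic\n' \
           'AuthUserFile /etc/apache/passwd/secretfile\nrequire valid-user\n'

if __name__ == "__main__":
    print(audit(HTTPD_CONF, HTACCESS))
```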

Virtual Hosts

<VirtualHost *>
    Options Indexes
    ServerAdmin [email protected]
    DocumentRoot /var/www/pens
    ServerName pens.ca
    ServerAlias *.pens.ca
    ErrorLog /var/www/logs/pens-error_log
    TransferLog /var/www/logs/pens-access_log
</VirtualHost>

Virtual Hosts

<VirtualHost *>
    Options Indexes
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/pencils
    ServerName pencils.ca
    ServerAlias *.pencils.ca
    ErrorLog /var/www/logs/pencils-error_log
    TransferLog /var/www/logs/pencils-access_log
</VirtualHost>

Sample access log

65.48.0.105 - - [02/Feb/2003:12:56:58 -0500] "GET / HTTP/1.1" 200 10160

65.48.0.105 - - [02/Feb/2003:12:56:59 -0500] "GET /images/logo.jpg HTTP/1.1" 200 12105

65.48.0.105 - - [02/Feb/2003:12:56:59 -0500] "GET /images/menu-top.gif HTTP/1.1" 200 2111

65.48.0.105 - - [02/Feb/2003:12:57:00 -0500] "GET /images/fade.jpg HTTP/1.1" 200 439

65.48.0.105 - - [02/Feb/2003:12:57:00 -0500] "GET /images/pixel.gif HTTP/1.1" 200 43

What is this?

63.200.6.116 - - [04/Feb/2003:15:27:38 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296

Code Red … Luckily it’s Linux.

[Tue Feb 4 15:27:41 2003] [error] [client 63.200.6.116] File does not exist: /var/www/scripts/..Á../winnt/system32/cmd.exe
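One way to pick requests like the one above out of an access log, as an added example that is not part of the original slides: it parses Common Log Format lines, undoes the %xx escapes in the path, and reports escapes that are not valid UTF-8, `..` sequences and Windows system paths. The two sample lines are copied from the log on this page; the reason labels and function names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
WINDOWS_PATHS = re.compile(r"cmd\.exe|/winnt/|/system32/", re.I)

def reasons_for(request):
    """Return the reasons a request line looks like a traversal probe."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request
    path = target.split("?", 1)[0]
    raw = unquote_to_bytes(path)          # undo %xx escapes, keep raw bytes
    reasons = []
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Escapes such as %c1%1c are not valid UTF-8; ordinary clients
        # have no reason to send them inside a path.
        reasons.append("invalid-utf8-escape")
        decoded = raw.decode("latin-1")
    if ".." in decoded:
        reasons.append("dot-dot-sequence")
    if WINDOWS_PATHS.search(decoded):
        reasons.append("windows-system-path")
    return reasons

def suspicious(lines):
    """Return (client, status, reasons) for each log line with any reason."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        client, _when, request, status = m.groups()
        found = reasons_for(request)
        if found:
            hits.append((client, int(status), found))
    return hits

# One ordinary request and the probe, both taken from the log on this page.
SAMPLE_LOG = [
    '65.48.0.105 - - [02/Feb/2003:12:56:59 -0500] "GET /images/logo.jpg HTTP/1.1" 200 12105',
    '63.200.6.116 - - [04/Feb/2003:15:27:38 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit)
```

The status code matters when triaging the hits: the 404 here matches the "File does not exist" entry in the error log, while the same request answered with a 200 would need investigating.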