Tuesday, September 25, 2012

သူေစရာရဲ့ sharings


ReferenceServices

Chapter 18. The Apache HTTP Server

Contents
18.1. Quick Start
18.2. Configuring Apache
18.3. Starting and Stopping Apache
18.4. Installing, Activating, and Configuring Modules
18.5. Getting CGI Scripts to Work
18.6. Setting Up a Secure Web Server with SSL
18.7. Avoiding Security Problems
18.8. Troubleshooting
18.9. For More Information
With a share of more than 50%, the Apache HTTP Server (Apache) is the world's most widely-used Web server according to the survey from http://www.netcraft.com/. Apache, developed by the Apache Software Foundation (http://www.apache.org/), is available for most operating systems. openSUSE® includes Apache version 2.2. In this chapter, learn how to install, configure and set up a Web server; how to use SSL, CGI, and additional modules; and how to troubleshoot Apache.

18.1. Quick Start

With the help of this section, quickly set up and start Apache. You must be root to install and configure Apache.

18.1.1. Requirements

Make sure the following requirements are met before trying to set up the Apache Web server:
  1. The machine's network is configured properly. For more information about this topic, refer to Chapter 11, Basic Networking.
  2. The machine's exact system time is maintained by synchronizing with a time server. This is necessary because parts of the HTTP protocol depend on the correct time. See Chapter 15, Time Synchronization with NTP to learn more about this topic.
  3. The latest security updates are installed. If in doubt, run a YaST Online Update.
  4. The default Web server port (80) is opened in the firewall. For this, configure the SuSEFirewall2 to allow the service HTTP Server in the external zone. This can be done using YaST. See Section “Configuring the Firewall with YaST” (Chapter 13, Masquerading and Firewalls, ↑Security Guide) for details.

18.1.2. Installation

Apache on openSUSE is not installed by default. To install it with a standard, predefined configuration that runs out of the box, proceed as follows:
Procedure 18.1. Installing Apache with the Default Configuration
  1. Start YaST and select Software+Software Management.
  2. Choose Filter+Patterns and select Web and LAMP Server int Server Functions.
  3. Confirm the installation of the dependent packages to finish the installation process.
The installation includes the multiprocessing module apache2-prefork as well as the PHP5 module. Refer to Section 18.4, “Installing, Activating, and Configuring Modules” for more information about modules.

18.1.3. Start

You can start Apache automatically at boot time or start it manually.
Procedure 18.2. Starting Apache Automatically
  1. To make sure that Apache is automatically started during boot in runlevels 3 and 5, execute the following command: 
    chkconfig -a apache2
  2. Alternatively, start YaST and select System+System Services (Runlevel).
  3. Search for apache2 and Enable the service.
    The Web server starts immediately.
  4. Save your changes with Finish.
    The system is configured to automatically start Apache in runlevels 3 and 5 during boot.
To manually start Apache using the shell, run rcapache2 start.
Procedure 18.3. Checking if Apache is Running
If you do not receive error messages when starting Apache, this usually indicates that the Web server is running. To test this:
  1. Start a browser and open http://localhost/.
    If Apache is up and running, you get a test page stating It works!.
  2. If you do not see this page, refer to Section 18.8, “Troubleshooting”.
Now that the Web server is running, you can add your own documents, adjust the configuration according to your needs, or add functionality by installing modules.

18.2. Configuring Apache

openSUSE offers two configuration options:
Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.
[Important]Reload or Restart Apache after Configuration Changes
Most configuration changes require a reload (some also a restart) of Apache to take effect. Manually reload Apache with rcapache2 reload or use one of the restart options as described in Section 18.3, “Starting and Stopping Apache”.
If you configure Apache with YaST, this can be taken care of automatically if you set HTTP Service to Enabled as described in Section 18.2.3.2, “HTTP Server Configuration”.

18.2.1. Apache Configuration Files

This section gives an overview of the Apache configuration files. If you use YaST for configuration, you do not need to touch these files—however, the information might be useful for you if you want to switch to manual configuration later on.
Apache configuration files can be found in two different locations:

18.2.1.1. /etc/sysconfig/apache2

/etc/sysconfig/apache2 controls some global settings of Apache, like modules to load, additional configuration files to include, flags with which the server should be started, and flags that should be added to the command line. Every configuration option in this file is extensively documented and therefore not mentioned here. For a general-purpose Web server, the settings in /etc/sysconfig/apache2 should be sufficient for any configuration needs.

18.2.1.2. /etc/apache2/

/etc/apache2/ hosts all configuration files for Apache. In the following, the purpose of each file is explained. Each file includes several configuration options (also referred to as directives). Every configuration option in these files is extensively documented and therefore not mentioned here.
The Apache configuration files are organized as follows: 
/etc/apache2/
     |
     |- charset.conv 
     |- conf.d/
     |   |
     |   |- *.conf
     |
     |- default-server.conf
     |- errors.conf
     |- httpd.conf
     |- listen.conf
     |- magic
     |- mime.types
     |- mod_*.conf
     |- server-tuning.conf
     |- ssl.*
     |- ssl-global.conf
     |- sysconfig.d
     |   |
     |   |- global.conf
     |   |- include.conf
     |   |- loadmodule.conf . .
     |
     |- uid.conf
     |- vhosts.d
     |   |- *.conf
Apache Configuration Files in /etc/apache2/
charset.conv
Specifies which character sets to use for different languages. Do not edit this file.
conf.d/*.conf
Configuration files added by other modules. These configuration files can be included into your virtual host configuration where needed. See vhosts.d/vhost.template for examples. By doing so, you can provide different module sets for different virtual hosts.
default-server.conf
Global configuration for all virtual hosts with reasonable defaults. Instead of changing the values, overwrite them with a virtual host configuration.
errors.conf
Defines how Apache responds to errors. To customize these messages for all virtual hosts, edit this file. Otherwise overwrite these directives in your virtual host configurations.
httpd.conf
The main Apache server configuration file. Avoid changing this file. It primarily contains include statements and global settings. Overwrite global settings in the pertinent configuration files listed here. Change host-specific settings (such as document root) in your virtual host configuration.
listen.conf
Binds Apache to specific IP addresses and ports. Name-based virtual hosting is also configured here. For details, see Section 18.2.2.1.1, “Name-Based Virtual Hosts”.
magic
Data for the mime_magic module that helps Apache automatically determine the MIME type of an unknown file. Do not change this file.
mime.types
MIME types known by the system (this actually is a link to /etc/mime.types). Do not edit this file. If you need to add MIME types not listed here, add them to mod_mime-defaults.conf.
mod_*.conf
Configuration files for the modules that are installed by default. Refer to Section 18.4, “Installing, Activating, and Configuring Modules” for details. Note that configuration files for optional modules reside in the directory conf.d.
server-tuning.conf
Contains configuration directives for the different MPMs (see Section 18.4.4, “Multiprocessing Modules”) as well as general configuration options that control Apache's performance. Properly test your Web server when making changes here.
ssl-global.conf and ssl.*
Global SSL configuration and SSL certificate data. Refer to Section 18.6, “Setting Up a Secure Web Server with SSL” for details.
sysconfig.d/*.conf
Configuration files automatically generated from /etc/sysconfig/apache2. Do not change any of these files—edit /etc/sysconfig/apache2 instead. Do not put other configuration files in this directory.
uid.conf
Specifies under which user and group ID Apache runs. Do not change this file.
vhosts.d/*.conf
Your virtual host configuration should be located here. The directory contains template files for virtual hosts with and without SSL. Every file in this directory ending with .conf is automatically included in the Apache configuration. Refer to Section 18.2.2.1, “Virtual Host Configuration” for details.

18.2.2. Configuring Apache Manually

Configuring Apache manually involves editing plain text configuration files as user root.

18.2.2.1. Virtual Host Configuration

The term virtual host refers to Apache's ability to serve multiple universal resource identifiers (URIs) from the same physical machine. This means that several domains, such as www.example.com and www.example.net, are run by a single Web server on one physical machine.
It is common practice to use virtual hosts to save administrative effort (only a single Web server needs to be maintained) and hardware expenses (each domain does not require a dedicated server). Virtual hosts can be name based, IP based, or port based.
To list all existing virtual hosts, use the command httpd2 -S. This outputs a list showing the default server and all virtual hosts together with their IP addresses and listening ports. Furthermore, the list also contains an entry for each virtual host showing its location in the configuration files.
Virtual hosts can be configured via YaST as described in Section 18.2.3.1.4, “Virtual Hosts” or by manually editing a configuration file. By default, Apache in openSUSE is prepared for one configuration file per virtual host in /etc/apache2/vhosts.d/. All files in this directory with the extension .conf are automatically included to the configuration. A basic template for a virtual host is provided in this directory (vhost.template or vhost-ssl.template for a virtual host with SSL support).
[Tip]Always Create a Virtual Host Configuration
It is recommended to always create a virtual host configuration file, even if your Web server only hosts one domain. By doing so, you not only have the domain-specific configuration in one file, but you can always fall back to a working basic configuration by simply moving, deleting, or renaming the configuration file for the virtual host. For the same reason, you should also create separate configuration files for each virtual host.
When using name-based virtual hosts it is recommended to set up a default configuration that will be used when a domain name does not match a virtual host configuration. The default virtual host is the one whose configuration is loaded first. Since the order of the configuration files is determined by filename, start the filename of the default virtual host configuration with an underscore character (_) to make sure it is loaded first (for example: _default_vhost.conf).
The <VirtualHost></VirtualHost> block holds the information that applies to a particular domain. When Apache receives a client request for a defined virtual host, it uses the directives enclosed in this section. Almost all directives can be used in a virtual host context. See http://httpd.apache.org/docs/2.2/mod/quickreference.html for further information about Apache's configuration directives.
18.2.2.1.1. Name-Based Virtual Hosts
With name-based virtual hosts, more than one Web site is served per IP address. Apache uses the host field in the HTTP header that is sent by the client to connect the request to a matching ServerName entry of one of the virtual host declarations. If no matching ServerName is found, the first specified virtual host is used as a default.
The directive NameVirtualHost tells Apache on which IP address and, optionally, which port it should listen to for requests by clients containing the domain name in the HTTP header. This option is configured in the configuration file /etc/apache2/listen.conf.
The first argument can be a fully qualified domain name, but it is recommended to use the IP address. The second argument is the port and is optional. By default, port 80 is used and is configured via the Listen directive.
The wild card * can be used for both the IP address and the port number to receive requests on all interfaces. IPv6 addresses must be enclosed in square brackets.
Example 18.1. Variations of Name-Based VirtualHost Entries
# NameVirtualHost IP-address[:Port]
NameVirtualHost 192.168.3.100:80
NameVirtualHost 192.168.3.100
NameVirtualHost *:80
NameVirtualHost *
NameVirtualHost [2002:c0a8:364::]:80

The opening VirtualHost tag takes the IP address (or fully qualified domain name) previously declared with the NameVirtualHost as an argument in a name-based virtual host configuration. A port number previously declared with the NameVirtualHost directive is optional.
The wild card * is also allowed as a substitute for the IP address. This syntax is only valid in combination with the wild card usage in NameVirtualHost * . When using IPv6 addresses, the address must be included in square brackets.
Example 18.2. Name-Based VirtualHost Directives
<VirtualHost 192.168.3.100:80>
  ...
</VirtualHost>

<VirtualHost 192.168.3.100>
  ...
</VirtualHost>

<VirtualHost *:80>
  ...
</VirtualHost>

<VirtualHost *>
  ...
</VirtualHost>

<VirtualHost [2002:c0a8:364::]>
  ...
</VirtualHost>
18.2.2.1.2. IP-Based Virtual Hosts
This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP.
The physical server must have one IP address for each IP-based virtual host. If the machine does not have multiple network cards, virtual network interfaces (IP aliasing) can also be used.
The following example shows Apache running on a machine with the IP 192.168.3.100, hosting two domains on the additional IPs 192.168.3.101 and 192.168.3.102. A separate VirtualHost block is needed for every virtual server.
Example 18.3. IP-Based VirtualHost Directives
<VirtualHost 192.168.3.101>
  ...
</VirtualHost>

<VirtualHost 192.168.3.102>
  ...
</VirtualHost>

Here, VirtualHost directives are only specified for interfaces other than 192.168.3.100. When a Listen directive is also configured for 192.168.3.100, a separate IP-based virtual host must be created to answer HTTP requests to that interface—otherwise the directives found in the default server configuration (/etc/apache2/default-server.conf) are applied.
18.2.2.1.3. Basic Virtual Host Configuration
At least the following directives should be present in each virtual host configuration in order to set up a virtual host. See /etc/apache2/vhosts.d/vhost.template for more options.
ServerName
The fully qualified domain name under which the host should be addressed.
DocumentRoot
Path to the directory from which Apache should serve files for this host. For security reasons, access to the entire file system is forbidden by default, so you must explicitly unlock this directory within a Directory container.
ServerAdmin
E-mail address of the server administrator. This address is, for example, shown on error pages Apache creates.
ErrorLog
The error log file for this virtual host. Although it is not necessary to create separate error log files for each virtual host, it is common practice to do so, because it makes the debugging of errors much easier. /var/log/apache2/ is the default directory for Apache's log files.
CustomLog
The access log file for this virtual host. Although it is not necessary to create separate access log files for each virtual host, it is common practice to do so, because it allows the separate analysis of access statistics for each host. /var/log/apache2/ is the default directory for Apache's log files.
As mentioned above, access to the whole file system is forbidden by default for security reasons. Therefore, explicitly unlock the directories in which you have placed the files Apache should serve—for example the DocumentRoot: 
<Directory "/srv/www/www.example.com/htdocs">
  Order allow,deny
  Allow from all
</Directory>
The complete configuration file looks like this:
Example 18.4. Basic VirtualHost Configuration
<VirtualHost 192.168.3.100>
  ServerName www.example.com
  DocumentRoot /srv/www/www.example.com/htdocs
  ServerAdmin webmaster@example.com
  ErrorLog /var/log/apache2/www.example.com_log
  CustomLog /var/log/apache2/www.example.com-access_log common
  <Directory "/srv/www/www.example.com/htdocs">
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

18.2.3. Configuring Apache with YaST

To configure your Web server with YaST, start YaST and select Network Services+HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make a few basic decisions concerning administration of the server. After having finished the wizard, the HTTP Server Configuration dialog starts each time you call the HTTP Server module. For more information, see Section 18.2.3.2, “HTTP Server Configuration”.

18.2.3.1. HTTP Server Wizard

The HTTP Server Wizard consists of five steps. In the last step of the dialog, you are given the opportunity to enter the expert configuration mode to make even more specific settings.
18.2.3.1.1. Network Device Selection
Here, specify the network interfaces and ports Apache uses to listen for incoming requests. You can select any combination of existing network interfaces and their respective IP addresses. Ports from all three ranges (well-known ports, registered ports, and dynamic or private ports) that are not reserved by other services can be used. The default setting is to listen on all network interfaces (IP addresses) on port 80.
Check Open Port In Firewall to open the ports in the firewall that the Web server listens on. This is necessary to make the Web server available on the network, which can be a LAN, WAN, or the public Internet. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary. If you have multiple network interfaces, click Firewall Details... to specify on which interface(s) the port(s) should be opened.
Click Next to continue with the configuration.
18.2.3.1.2. Modules
The Modules configuration option allows for the activation or deactivation of the script languages that the Web server should support. For the activation or deactivation of other modules, refer to Section 18.2.3.2.2, “Server Modules”. Click Next to advance to the next dialog.
18.2.3.1.3. Default Host
This option pertains to the default Web server. As explained in Section 18.2.2.1, “Virtual Host Configuration”, Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host. Each virtual host inherits the default host's configuration.
To edit the host settings (also called directives), choose the appropriate entry in the table then click Edit. To add new directives, click Add. To delete a directive, select it and click Delete.
Figure 18.1. HTTP Server Wizard: Default Host
HTTP Server Wizard: Default Host

Here is list of the default settings of the server:
Document Root
Path to the directory from which Apache serves files for this host. /srv/www/htdocs is the default location.
Alias
With the help of Alias directives, URLs can be mapped to physical file system locations. This means that a certain path even outside the Document Root in the file system can be accessed via a URL aliasing that path.
The default openSUSE Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view.
ScriptAlias
Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.
Directory
With Directory settings, you can enclose a group of configuration options that will only apply to the specified directory.
Access and display options for the directories /srv/www/htdocs, /usr/share/apache2/icons and /srv/www/cgi-bin are configured here. It should not be necessary to change the defaults.
Include
With include, additional configuration files can be specified. Two Include directives are already preconfigured: /etc/apache2/conf.d/ is the directory containing the configuration files that come with external modules. With this directive, all files in this directory ending in .conf are included. With the second directive, /etc/apache2/conf.d/apache2-manual.conf, the apache2-manual configuration file is included.
Server Name
This specifies the default URL used by clients to contact the Web server. Use a fully qualified domain name (FQDN) to reach the Web server at http://FQDN/ or its IP address. You cannot choose an arbitrary name here—the server must be known under this name.
Server Administrator E-Mail
E-mail address of the server administrator. This address is, for example, shown on error pages Apache creates.
After finishing with the Default Host step, click Next to continue with the configuration.
18.2.3.1.4. Virtual Hosts
In this step, the wizard displays a list of already configured virtual hosts (see Section 18.2.2.1, “Virtual Host Configuration”). If you have not made manual changes prior to starting the YaST HTTP wizard, no virtual host is present.
To add a host, click Add to open a dialog in which to enter basic information about the host, such as Server Name, Server Contents Root (DocumentRoot), and the Administrator E-Mail. Server Resolution is used to determine how a host is identified (name based or IP based). Specify the name or IP address with Change Virtual Host ID
Clicking Next advances to the second part of the virtual host configuration dialog.
In part two of the virtual host configuration you can specify whether or not to enable CGI scripts and which directory to use for these scripts. It is also possible to enable SSL. If you do so, you must specify the path to the certificate as well. See Section 18.6.2, “Configuring Apache with SSL” for details on SSL and certificates. With the Directory Index option, you can specify which file to display when the client requests a directory (by default, index.html). Add one or more filenames (space-separated) if you want to change this. With Enable Public HTML, the content of the users public directories (~user/public_html/) is made available on the server under http://www.example.com/~user.
[Important]Creating Virtual Hosts
It is not possible to add virtual hosts at will. If using name-based virtual hosts, each hostname must be resolved on the network. If using IP-based virtual hosts, you can assign only one host to each IP address available.
18.2.3.1.5. Summary
This is the final step of the wizard. Here, determine how and when the Apache server is started: when booting or manually. Also see a short summary of the configuration made so far. If you are satisfied with your settings, click Finish to complete configuration. If you want to change something, click Back until you have reached the desired dialog. Clicking HTTP Server Expert Configuration opens the dialog described in Section 18.2.3.2, “HTTP Server Configuration”.
Figure 18.2. HTTP Server Wizard: Summary
HTTP Server Wizard: Summary

18.2.3.2. HTTP Server Configuration

The HTTP Server Configuration dialog also lets you make even more adjustments to the configuration than the wizard (which only runs if you configure your Web server for the first time). It consists of four tabs described in the following. No configuration option you change here is effective immediately—you always must confirm your changes with Finish to make them effective. Clicking Abort leaves the configuration module and discards your changes.
18.2.3.2.1. Listen Ports and Addresses
In HTTP Service, select whether Apache should be running (Enabled) or stopped (Disabled). In Listen on Ports, Add, Edit, or Delete addresses and ports on which the server should be available. The default is to listen on all interfaces on port 80. You should always check Open Port In Firewall, because otherwise the Web server is not reachable from outside. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary. If you have multiple network interfaces, click Firewall Details... to specify on which interface(s) the port(s) should be opened.
With Log Files, watch either the access log or the error log. This is useful if you want to test your configuration. The log file opens in a separate window from which you can also restart or reload the Web server. For details, see Section 18.3, “Starting and Stopping Apache”. These commands are effective immediately and their log messages are also displayed immediately.
Figure 18.3. HTTP Server Configuration: Listen Ports and Addresses
HTTP Server Configuration: Listen Ports and Addresses
18.2.3.2.2. Server Modules
You can change the status (enabled or disabled) of Apache2 modules by clicking Toggle Status. Click Add Module to add a new module that is already installed but not yet listed. Learn more about modules in Section 18.4, “Installing, Activating, and Configuring Modules”.
Figure 18.4. HTTP Server Configuration: Server Modules
HTTP Server Configuration: Server Modules
18.2.3.2.3. Main Host or Hosts
These dialogs are identical to the ones already described. Refer to Section 18.2.3.1.3, “Default Host” and Section 18.2.3.1.4, “Virtual Hosts”.

18.3. Starting and Stopping Apache

If configured with YaST as described in Section 18.2.3, “Configuring Apache with YaST”, Apache is started at boot time in runlevels 3 and 5 and stopped in runlevels 0, 1, 2, and 6. You can change this behavior using YaST's runlevel editor or the command line tool chkconfig.
To start, stop, or manipulate Apache on a running system, use the init script /usr/sbin/rcapache2. The rcapache2 command takes the following parameters:
status
Checks if Apache is started.
start
Starts Apache if it is not already running.
startssl
Starts Apache with SSL support if it is not already running. For more information about SSL support, refer to Section 18.6, “Setting Up a Secure Web Server with SSL”.
stop
Stops Apache by terminating the parent process.
restart
Stops and then restarts Apache. Starts the Web server if it was not running before.
try-restart
Stops then restarts Apache only if it is already running.
reload or graceful
Stops the Web server by advising all forked Apache processes to first finish their requests before shutting down. As each process dies, it is replaced by a newly started one, resulting in a complete restart of Apache.
[Tip]Restarting Apache in Production Environments
To activate changes in the Apache configuration without causing connection break-offs, use the rcapache2 reload command.
restart-graceful
Starts a second Web server that immediately serves all incoming requests. The previous instance of the Web server continues to handle all existing requests for a defined period of time configured with GracefulShutdownTimeout.
rcapache2 restart-graceful is either useful when upgrading to a new version or when having changed configuration options that require a restart. Using this option ensures a minimum server downtime.
GracefulShutdownTimeout needs to be set, otherwise restart-graceful will result in a regular restart. If set to zero, the server will wait indefinitely until all remaining requests have been fully served.
A graceful restart can fail if the original Apache instance is not able to clear all necessary resources. In this case, the command will result in a graceful stop.
stop-graceful
Stops the Web server after a defined period of time configured with GracefulShutdownTimeout in order to ensure that existing requests can be finished.
GracefulShutdownTimeout needs to be set, otherwise stop-graceful will result in a regular restart. If set to zero, the server will wait indefinitely until all remaining requests have been fully served.
configtest or extreme-configtest
Checks the syntax of the configuration files without affecting a running Web server. Because this check is forced every time the server is started, reloaded, or restarted, it is usually not necessary to run the test explicitly (if a configuration error is found, the Web server is not started, reloaded, or restarted). The extreme-configtest options start the Web server as user nobody and actually load the configuration, so more errors can be detected. Note that although the configuration is loaded, it is not possible to test the SSL setup because the SSL certificates cannot be read by nobody.
probe
Probes for the necessity of a reload (checks whether the configuration has changed) and suggests the required arguments for the rcapache2 command.
server-status and full-server-status
Dumps a short or full status screen, respectively. Requires either lynx or w3m installed as well as the module mod_status enabled. In addition to that, status must be added to APACHE_SERVER_FLAGS in the file /etc/sysconfig/apache2.
[Tip]Additional Flags
If you specify additional flags to the rcapache2, these are passed through to the Web server.

18.4. Installing, Activating, and Configuring Modules

The Apache software is built in a modular fashion: all functionality except some core tasks are handled by modules. This has progressed so far that even HTTP is processed by a module (http_core).
Apache modules can be compiled into the Apache binary at build time or dynamically loaded at runtime. Refer to Section 18.4.2, “Activation and Deactivation” for details of how to load modules dynamically.
Apache modules can be divided into four different categories:
Base Modules
Base modules are compiled into Apache by default. Apache in openSUSE has only mod_so (needed to load other modules) and http_core compiled in. All others are available as shared objects: rather than being included in the server binary itself, they can be included at runtime.
Extension Modules
In general, modules labeled as extensions are included in the Apache software package, but are usually not compiled into the server statically. In openSUSE, they are available as shared objects that can be loaded into Apache at runtime.
External Modules
Modules labeled external are not included in the official Apache distribution. However, openSUSE provides several of them.
Multiprocessing Modules (MPMs)
MPMs are responsible for accepting and handling requests to the Web server, representing the core of the Web server software.

18.4.1. Module Installation

If you have done a default installation as described in Section 18.1.2, “Installation”, the following modules are already installed: all base and extension modules, the multiprocessing module Prefork MPM, and the external modules mod_php5 and mod_python.
You can install additional external modules by starting YaST and choosing Software+Software Management. Now choose Filter+Search and search for apache. Among other packages, the results list contains all available external Apache modules.

18.4.2. Activation and Deactivation

Activate or deactivate particular modules either manually or with YaST. In YaST, script language modules (PHP5, Perl, and Python) need to be enabled or disabled with the module configuration described in Section 18.2.3.1, “HTTP Server Wizard”. All other modules can be enabled or disabled as described in Section 18.2.3.2.2, “Server Modules”.
If you prefer to activate or deactivate the modules manually, use the commands a2enmod mod_foo or a2dismod mod_foo, respectively. a2enmod -l outputs a list of all currently active modules.
[Important]Including Configuration Files for External Modules
If you have activated external modules manually, make sure to load their configuration files in all virtual host configurations. Configuration files for external modules are located under /etc/apache2/conf.d/ and are not loaded by default. If you need the same modules on each virtual host, you can include *.conf from this directory. Otherwise include individual files. See /etc/apache2/vhost.d/vhost.template for examples.

18.4.3. Base and Extension Modules

All base and extension modules are described in detail in the Apache documentation. Only a brief description of the most important modules is available here. Refer to http://httpd.apache.org/docs/2.2/mod/ to learn details about each module.
mod_actions
Provides methods to execute a script whenever a certain MIME type (such as application/pdf), a file with a specific extension (like .rpm), or a certain request method (such as GET) is requested. This module is enabled by default.
mod_alias
Provides Alias and Redirect directives with which you can map a URl to a specific directory (Alias) or redirect a requested URL to another location. This module is enabled by default.
mod_auth*
The authentication modules provide different authentication methods: basic authentication with mod_auth_basic or digest authentication with mod_auth_digest. Digest authentication in Apache 2.2 is considered experimental.
mod_auth_basic and mod_auth_digest must be combined with an authentication provider module, mod_authn_* (for example, mod_authn_file for text file–based authentication) and with an authorization module mod_authz_* (for example, mod_authz_user for user authorization).
More information about this topic is available in the Authentication HOWTO at http://httpd.apache.org/docs/2.2/howto/auth.html.
mod_autoindex
Autoindex generates directory listings when no index file (for example, index.html) is present. The look and feel of these indexes is configurable. This module is enabled by default. However, directory listings are disabled by default via the Options directive—overwrite this setting in your virtual host configuration. The default configuration file for this module is located at /etc/apache2/mod_autoindex-defaults.conf.
mod_cgi
mod_cgi is needed to execute CGI scripts. This module is enabled by default.
mod_deflate
Using this module, Apache can be configured to compress given file types on the fly before delivering them.
mod_dir
mod_dir provides the DirectoryIndex directive with which you can configure which files are automatically delivered when a directory is requested (index.html by default). It also provides an automatic redirect to the correct URL when a directory request does not contain a trailing slash. This module is enabled by default.
mod_env
Controls the environment that is passed to CGI scripts or SSI pages. Environment variables can be set or unset or passed from the shell that invoked the httpd process. This module is enabled by default.
mod_expires
With mod_expires, you can control how often proxy and browser caches refresh your documents by sending an Expires header. This module is enabled by default.
mod_include
mod_include lets you use Server Side Includes (SSI), which provide a basic functionality to generate HTML pages dynamically. This module is enabled by default.
mod_info
Provides a comprehensive overview of the server configuration under http://localhost/server-info/. For security reasons, you should always limit access to this URL. By default only localhost is allowed to access this URL. mod_info is configured at /etc/apache2/mod_info.conf.
mod_log_config
With this module, you can configure the look of the Apache log files. This module is enabled by default.
mod_mime
The mime module makes certain that a file is delivered with the correct MIME header based on the filename's extension (for example text/html for HTML documents). This module is enabled by default.
mod_negotiation
Necessary for content negotiation. See http://httpd.apache.org/docs/2.2/content-negotiation.html for more information. This module is enabled by default.
mod_rewrite
Provides the functionality of mod_alias, but offers more features and flexibility. With mod_rewrite, you can redirect URLs based on multiple rules, request headers, and more.
mod_setenvif
Sets environment variables based on details of the client's request, such as the browser string the client sends, or the client's IP address. This module is enabled by default.
mod_speling
mod_speling attempts to automatically correct typographical errors in URLs, such as capitalization errors.
mod_ssl
Enables encrypted connections between Web server and clients. See Section 18.6, “Setting Up a Secure Web Server with SSL” for details. This module is enabled by default.
mod_status
Provides information on server activity and performance under http://localhost/server-status/. For security reasons, you should always limit access to this URL. By default, only localhost is allowed to access this URL. mod_status is configured at /etc/apache2/mod_status.conf
mod_suexec
mod_suexec lets you run CGI scripts under a different user and group. This module is enabled by default.
mod_userdir
Enables user-specific directories available under ~user/. The UserDir directive must be specified in the configuration. This module is enabled by default.

18.4.4. Multiprocessing Modules

openSUSE provides two different multiprocessing modules (MPMs) for use with Apache:

18.4.4.1. Prefork MPM

The prefork MPM implements a nonthreaded, preforking Web server. It makes the Web server behave similarly to Apache version 1.x. In this version it isolates each request and handles it by forking a separate child process. Thus problematic requests cannot affect others, avoiding a lockup of the Web server.
While providing stability with this process-based approach, the prefork MPM consumes more system resources than its counterpart, the worker MPM. The prefork MPM is considered the default MPM for Unix-based operating systems.
[Important]MPMs in This Document
This document assumes Apache is used with the prefork MPM.

18.4.4.2. Worker MPM

The worker MPM provides a multi-threaded Web server. A thread is a lighter form of a process. The advantage of a thread over a process is its lower resource consumption. Instead of only forking child processes, the worker MPM serves requests by using threads with server processes. The preforked child processes are multi-threaded. This approach makes Apache perform better by consuming fewer system resources than the prefork MPM.
One major disadvantage is the stability of the worker MPM: if a thread becomes corrupt, all threads of a process can be affected. In the worst case, this may result in a server crash. Especially when using the Common Gateway Interface (CGI) with Apache under heavy load, internal server errors might occur due to threads being unable to communicate with system resources. Another argument against using the worker MPM with Apache is that not all available Apache modules are thread-safe and thus cannot be used in conjunction with the worker MPM.
[Warning]Using PHP Modules with MPMs
Not all available PHP modules are thread-safe. Using the worker MPM with mod_php is strongly discouraged.

18.4.5. External Modules

Find a list of all external modules shipped with openSUSE here. Find the module's documentation in the listed directory.
mod-apparmor
Adds support to Apache to provide AppArmor confinement to individual CGI scripts handled by modules like mod_php5 and mod_perl.
Package Name: apache2-mod_apparmor
More Information: Part “Confining Privileges with AppArmor” (↑Security Guide)
mod_mono
Using mod_mono allows you to run ASP.NET pages in your server.
Package Name: apache2-mod_mono
Configuration File: /etc/apache2/conf.d/mod_mono.conf
mod_perl
mod_perl enables you to run Perl scripts in an embedded interpreter. The persistent interpreter embedded in the server avoids the overhead of starting an external interpreter and the penalty of Perl start-up time.
Package Name: apache2-mod_perl
Configuration File: /etc/apache2/conf.d/mod_perl.conf
More Information: /usr/share/doc/packages/apache2-mod_perl
mod_php5
PHP is a server-side, cross-platform HTML embedded scripting language.
Package Name: apache2-mod_php5
Configuration File: /etc/apache2/conf.d/php5.conf
More Information: /usr/share/doc/packages/apache2-mod_php5
mod_python
mod_python allows embedding Python within the Apache HTTP server for a considerable boost in performance and added flexibility in designing Web-based applications.
Package Name: apache2-mod_python
More Information: /usr/share/doc/packages/apache2-mod_python
mod_tidy
mod_tidy validates each outgoing HTML page by means of the TidyLib. In case of a validation error, a page with an error list is delivered. Otherwise the original HTML page is delivered.
Package Name: apache2-mod_tidy
Configuration File: /etc/apache2/mod_tidy.conf
More Information: /usr/share/doc/packages/apache2-mod_tidy

18.4.6. Compilation

Apache can be extended by advanced users by writing custom modules. To develop modules for Apache or compile third-party modules, the package apache2-devel is required along with the corresponding development tools. apache2-devel also contains the apxs2 tools, which are necessary for compiling additional modules for Apache.
apxs2 enables the compilation and installation of modules from source code (including the required changes to the configuration files), which creates dynamic shared objects (DSOs) that can be loaded into Apache at runtime.
The apxs2 binaries are located under /usr/sbin:
  • /usr/sbin/apxs2—suitable for building an extension module that works with any MPM. The installation location is /usr/lib/apache2.
  • /usr/sbin/apxs2-prefork—suitable for prefork MPM modules. The installation location is /usr/lib/apache2-prefork.
  • /usr/sbin/apxs2-worker—suitable for worker MPM modules. The installation location is /usr/lib/apache2-worker.
Install and activate a module from source code with the following commands: 
cd /path/to/module/source; apxs2 -cia
    mod_foo.c
where -c compiles the module, -i installs it, and -a activates it. Other options of apxs2 are described in the apxs2(1) man page.

18.5. Getting CGI Scripts to Work

Apache's Common Gateway Interface (CGI) lets you create dynamic content with programs or scripts usually referred to as CGI scripts. CGI scripts can be written in any programming language. Usually, script languages such as Perl or PHP are used.
To enable Apache to deliver content created by CGI scripts, mod_cgi needs to be activated. mod_alias is also needed. Both modules are enabled by default. Refer to Section 18.4.2, “Activation and Deactivation” for details on activating modules.
[Warning]CGI Security
Allowing the server to execute CGI scripts is a potential security hole. Refer to Section 18.7, “Avoiding Security Problems” for additional information.

18.5.1. Apache Configuration

In openSUSE, the execution of CGI scripts is only allowed in the directory /srv/www/cgi-bin/. This location is already configured to execute CGI scripts. If you have created a virtual host configuration (see Section 18.2.2.1, “Virtual Host Configuration”) and want to place your scripts in a host-specific directory, you must unlock and configure this directory.
Example 18.5. VirtualHost CGI Configuration
ScriptAlias /cgi-bin/ "/srv/www/www.example.com/cgi-bin/"1

<Directory "/srv/www/www.example.com/cgi-bin/">
 Options +ExecCGI2
 AddHandler cgi-script .cgi .pl3
 Order allow,deny4
 Allow from all
</Directory>
1 Tells Apache to handle all files within this directory as CGI scripts.
2 Enables CGI script execution
3 Tells the server to treat files with the extensions .pl and .cgi as CGI scripts. Adjust according to your needs.
4 The Order and Allow directives control the default access state and the order in which allow and deny directives are evaluated. In this case allow statements are evaluated before deny statements and universal access is enabled.

18.5.2. Running an Example Script

CGI programming differs from "regular" programming in that the CGI programs and scripts must be preceded by a MIME-Type header such as Content-type: text/html. This header is sent to the client, so it understands what kind of content it receives. Secondly, the script's output must be something the client, usually a Web browser, understands—HTML in most cases or plain text or images, for example.
A simple test script available under /usr/share/doc/packages/apache2/test-cgi is part of the Apache package. It outputs the content of some environment variables as plain text. Copy this script to either /srv/www/cgi-bin/ or the script directory of your virtual host (/srv/www/www.example.com/cgi-bin/) and name it test.cgi.
Files accessible by the Web server should be owned by the user root. For additional information see Section 18.7, “Avoiding Security Problems”. Because the Web server runs with a different user, the CGI scripts must be world-executable and world-readable. Change into the CGI directory and use the command chmod 755 test.cgi to apply the proper permissions.
Now call http://localhost/cgi-bin/test.cgi or http://www.example.com/cgi-bin/test.cgi. You should see the CGI/1.0 test script report.

18.5.3. CGI Troubleshooting

If you do not see the output of the test program but an error message instead, check the following:
CGI Troubleshooting
  • Have you reloaded the server after having changed the configuration? Check with rcapache2 probe.
  • If you have configured your custom CGI directory, is it configured properly? If in doubt, try the script within the default CGI directory /srv/www/cgi-bin/ and call it with http://localhost/cgi-bin/test.cgi.
  • Are the file permissions correct? Change into the CGI directory and execute ls -l test.cgi. Its output should start with 
    -rwxr-xr-x  1 root root
  • Make sure that the script does not contain programming errors. If you have not changed test.cgi, this should not be the case, but if you are using your own programs, always make sure that they do not contain programming errors.

18.6. Setting Up a Secure Web Server with SSL

Whenever sensitive data, such as credit card information, is transferred between Web server and client, it is desirable to have a secure, encrypted connection with authentication. mod_ssl provides strong encryption using the secure sockets layer (SSL) and transport layer security (TLS) protocols for HTTP communication between a client and the Web server. Using SSL/TSL, a private connection between Web server and client is established. Data integrity is ensured and client and server are able to authenticate each other.
For this purpose, the server sends an SSL certificate that holds information proving the server's valid identity before any request to a URL is answered. In turn, this guarantees that the server is the uniquely correct end point for the communication. Additionally, the certificate generates an encrypted connection between client and server that can transport information without the risk of exposing sensitive, plain-text content.
mod_ssl does not implement the SSL/TSL protocols itself, but acts as an interface between Apache and an SSL library. In openSUSE, the OpenSSL library is used. OpenSSL is automatically installed with Apache.
The most visible effect of using mod_ssl with Apache is that URLs are prefixed with https:// instead of http://.
[Tip]Example Certificate
An example certificate for a hypothetical company Snake Oil is available when installing the package apache2-example-certificates.

18.6.1. Creating an SSL Certificate

In order to use SSL/TSL with the Web server, you need to create an SSL certificate. This certificate is needed for the authorization between Web server and client, so that each party can clearly identify the other party. To ensure the integrity of the certificate, it must be signed by a party every user trusts.
There are three types of certificates you can create: a dummy certificate for testing purposes only, a self-signed certificate for a defined circle of users that trust you, and a certificate signed by an independent, publicly-known certificate authority (CA).
Creating a certificate is basically a two step process. First, a private key for the certificate authority is generated then the server certificate is signed with this key.
[Tip]For More Information
To learn more about concepts and definitions of SSL/TSL, refer to http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html.

18.6.1.1. Creating a Dummy Certificate

Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the files listed below. Make use of gensslcert's optional switches to fine-tune the certificate. Call /usr/bin/gensslcert -h for more information.
  • /etc/apache2/ssl.crt/ca.crt
  • /etc/apache2/ssl.crt/server.crt
  • /etc/apache2/ssl.key/server.key
  • /etc/apache2/ssl.csr/server.csr
  • /root/.mkcert.cfg
A copy of ca.crt is also placed at /srv/www/htdocs/CA.crt for download.
[Important]For Testing Purposes Only
A dummy certificate should never be used on a production system. Only use it for testing purposes.

18.6.1.2. Creating a Self-Signed Certificate

If you are setting up a secure Web server for an Intranet or for a defined circle of users, it might be sufficient if you sign a certificate with your own certificate authority (CA).
Creating a self-signed certificate is an interactive nine-step process. Change into the directory /usr/share/doc/packages/apache2 and run the following command: ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ custom. Do not attempt to run this command from outside this directory. The program provides a series of prompts, some of which require user input.
Procedure 18.4. Creating a Self-Signed Certificate with mkcert.sh
  1. Decide the signature algorithm used for certificates
    Choose RSA (R, the default), because some older browsers have problems with DSA.
  2. Generating RSA private key for CA (1024 bit)
    No interaction needed.
  3. Generating X.509 certificate signing request for CA
    Create the CA's distinguished name here. This requires you to answer a few questions, such as country name or organization name. Enter valid data, because everything you enter here later shows up in the certificate. You do not need to answer every question. If one does not apply to you or you want to leave it blank, use .. Common name is the name of the CA itself—choose a significant name, such as My company CA.
    [Important]Common Name of the CA
    The common name of the CA must be different from the server's common name, so do not choose the fully qualified hostname in this step.
  4. Generating X.509 certificate for CA signed by itself
    Choose certificate version 3 (the default).
  5. Generating RSA private key for SERVER (1024 bit)
    No interaction needed.
  6. Generating X.509 certificate signing request for SERVER
    Create the distinguished name for the server key here. Questions are almost identical to the ones already answered for the CA's distinguished name. The data entered here applies to the Web server and does not necessarily need to be identical to the CA's data (for example, if the server is located elsewhere).
    [Important]Selecting a Common Name
    The common name you enter here must be the fully qualified hostname of your secure server (for example, www.example.com). Otherwise the browser issues a warning that the certificate does not match the server when accessing the Web server.
  7. Generating X.509 certificate signed by own CA
    Choose certificate version 3 (the default).
  8. Encrypting RSA private key of CA with a passphrase for security
    It is strongly recommended to encrypt the private key of the CA with a password, so choose Y and enter a password.
  9. Encrypting RSA private key of SERVER with a passphrase for security
    Encrypting the server key with a password requires you to enter this password every time you start the Web server. This makes it difficult to automatically start the server on boot or to restart the Web server. Therefore, it is common sense to say N to this question. Keep in mind that your key is unprotected when not encrypted with a password and make sure that only authorized persons have access to the key.
    [Important]Encrypting the Server Key
    If you choose to encrypt the server key with a password, increase the value for APACHE_TIMEOUT in /etc/sysconfig/apache2. Otherwise you do not have enough time to enter the passphrase before the attempt to start the server is stopped unsuccessfully.
The script's result page presents a list of certificates and keys it has generated. Contrary to what the script outputs, the files have not been generated in the local directory conf, but to the correct locations under /etc/apache2/.
The last step is to copy the CA certificate file from /etc/apache2/ssl.crt/ca.crt to a location where your users can access it in order to incorporate it into the list of known and trusted CAs in their Web browsers. Otherwise a browser complains that the certificate was issued by an unknown authority. The certificate is valid for one year.
[Important]Self-Signed Certificates
Only use a self-signed certificate on a Web server that is accessed by people who know and trust you as a certificate authority. It is not recommended to use such a certificate for a public shop, for example.

18.6.1.3. Getting an Officially Signed Certificate

There are a number of official certificate authorities that sign your certificates. The certificate is signed by a trustworthy third party, so can be fully trusted. Publicly operating secure Web servers usually have got an officially signed certificate.
The best-known official CAs are Thawte (http://www.thawte.com/) or Verisign (http://www.verisign.com). These and other CAs are already compiled into all browsers, so certificates signed by these certificate authorities are automatically accepted by the browser.
When requesting an officially signed certificate, you do not send a certificate to the CA. Instead, issue a Certificate Signing Request (CSR). To create a CSR, call the script /usr/share/ssl/misc/CA.sh -newreq.
First the script asks for a password with which the CSR should be encrypted. Then you are asked to enter a distinguished name. This requires you to answer a few questions, such as country name or organization name. Enter valid data—everything you enter here later shows up in the certificate and is checked. You do not need to answer every question. If one does not apply to you or you want to leave it blank, use .. Common name is the name of the CA itself—choose a significant name, such as My company CA. Last, a challenge password and an alternative company name must be entered.
Find the CSR in the directory from which you called the script. The file is named newreq.pem.

18.6.2. Configuring Apache with SSL

The default port for SSL and TLS requests on the Web server side is 443. There is no conflict between a regular Apache listening on port 80 and an SSL/TLS-enabled Apache listening on port 443. In fact, HTTP and HTTPS can be run with the same Apache instance. Usually separate virtual hosts are used to dispatch requests to port 80 and port 443 to separate virtual servers.
[Important]Firewall Configuration
Do not forget to open the firewall for SSL-enabled Apache on port 443. This can be done with YaST as described in Section “Configuring the Firewall with YaST” (Chapter 13, Masquerading and Firewalls, ↑Security Guide).
The SSL module is enabled by default in the global server configuration. In case it has been disabled on your host, activate it with the following command: a2enmod ssl. To finally enable SSL, the server needs to be started with the flag SSL. To do so, call a2enflag SSL. If you have chosen to encrypt your server certificate with a password, you should also increase the value for APACHE_TIMEOUT in /etc/sysconfig/apache2, so you have enough time to enter the passphrase when Apache starts. Restart the server to make these changes active. A reload is not sufficient.
The virtual host configuration directory contains a template /etc/apache2/vhosts.d/vhost-ssl.template with SSL-specific directives that are extensively documented. Refer to Section 18.2.2.1, “Virtual Host Configuration” for the general virtual host configuration.
To get started, copy the template to /etc/apache2/vhosts.d/mySSL-host.conf and edit it. Adjusting the values for the following directives should be sufficient:
  • DocumentRoot
  • ServerName
  • ServerAdmin
  • ErrorLog
  • TransferLog

18.6.2.1. Name-Based Virtual Hosts and SSL

By default it is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. Name-based virtual hosting requires that Apache knows which server name has been requested. The problem with SSL connections is, that such a request can only be read after the SSL connection has already been established (by using the default virtual host). As a result, users will receive a warning message stating that the certificate does not match the server name.
openSUSE comes with an extension to the SSL protocol called Server Name Indication (SNI) addresses this issue by sending the name of the virtual domain as part of the SSL negotiation. This enables the server to switch to the correct virtual domain early and present the browser the correct certificate.
SNI is enabled by default on openSUSE. In order to enable Name-Based Virtual Hosts for SSL, configure the server as described in Section 18.2.2.1.1, “Name-Based Virtual Hosts” (note that you need to use port 443 rather than port 80 with SSL).
[Important]SNI Browser Support
SNI must also be supported on the client side. Although SNI is supported by most browsers, some browsers for mobile hardware as well as Internet Explorer and Safari on Windows* XP lack SNI support. See http://en.wikipedia.org/wiki/Server_Name_Indication for details.
Configure how to handle non-SNI capable browser with the directive SSLStrictSNIVHostCheck. When set to on in the server configuration, non-SNI capable browser will be rejected for all virtual hosts. When set to on within a VirtualHost directive, access to this particular Host will be rejected.
When set to off in the server configuration, the server will behave as if not having SNI support. SSL requests will be handled by the first Virtual host defined (for port 443).

18.7. Avoiding Security Problems

A Web server exposed to the public Internet requires an ongoing administrative effort. It is inevitable that security issues appear, both related to the software and to accidental misconfiguration. Here are some tips for how to deal with them.

18.7.1. Up-to-Date Software

If there are vulnerabilities found in the Apache software, a security advisory will be issued by SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied as soon as possible. The SUSE security announcements are available from the following locations:

18.7.2. DocumentRoot Permissions

By default in openSUSE, the DocumentRoot directory /srv/www/htdocs and the CGI directory /srv/www/cgi-bin belong to the user and group root. You should not change these permissions. If the directories are writable for all, any user can place files into them. These files might then be executed by Apache with the permissions of wwwrun, which may give the user unintended access to file system resources. Use subdirectories of /srv/www to place the DocumentRoot and CGI directories for your virtual hosts and make sure that directories and files belong to user and group root.

18.7.3. File System Access

By default, access to the whole file system is denied in /etc/apache2/httpd.conf. You should never overwrite these directives, but specifically enable access to all directories Apache should be able to read. For details, see Section 18.2.2.1.3, “Basic Virtual Host Configuration”. In doing so, ensure that no critical files, such as password or system configuration files, can be read from the outside.

18.7.4. CGI Scripts

Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea. It is also recommended to do security audits for all scripts.
To make the administration of scripts as easy as possible, it is common practice to limit the execution of CGI scripts to specific directories instead of globally allowing them. The directives ScriptAlias and Option ExecCGI are used for configuration. The openSUSE default configuration does not allow execution of CGI scripts from everywhere.
All CGI scripts run as the same user, so different scripts can potentially conflict with each other. The module suEXEC lets you run CGI scripts under a different user and group.

18.7.5. User Directories

When enabling user directories (with mod_userdir or mod_rewrite) you should strongly consider not allowing .htaccess files, which would allow users to overwrite security settings. At least you should limit the user's engagement by using the directive AllowOverRide. In openSUSE, .htaccess files are enabled by default, but the user is not allowed to overwrite any Option directives when using mod_userdir (see the /etc/apache2/mod_userdir.conf configuration file).

18.8. Troubleshooting

If Apache does not start, the Web page is not accessible, or users cannot connect to the Web server, it is important to find the cause of the problem. Here are some typical places to look for error explanations and important things to check:
Output of rcapache2
Instead of starting and stopping the Web server with the binary /usr/sbin/httpd2, rather use the rcapache2 script instead (described in Section 18.3, “Starting and Stopping Apache”). It is verbose about errors, and it even provides tips and hints for fixing configuration errors.
Log Files and Verbosity
In case of both fatal and nonfatal errors, check the Apache log files for causes, mainly the error log file located at /var/log/apache2/error_log by default. Additionally, you can control the verbosity of the logged messages with the LogLevel directive if more detail is needed in the log files.
[Tip]A Simple Test
Watch the Apache log messages with the command tail -F /var/log/apache2/my_error_log. Then run rcapache2 restart. Now, try to connect with a browser and check the output.
Firewall and Ports
A common mistake is to 
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)