Directives for a minimal install

  • ServerType - how apache runs, either daemon or inetd (usually daemon)
  • ServerRoot - the directory under which apache is installed, e.g. /usr/local/apache
  • DocumentRoot - the directory (html) documents are kept in, e.g. /usr/local/apache/htdocs
  • User - the user apache runs as after the initial start up as root, e.g. apache
  • Group - the group apache will run as, e.g. httpd
  • TransferLog - the file the server will record information about requests it receives, e.g. logs/access.log (without a leading /, the path will be interpreted as relative to the ServerRoot).
  • ErrorLog - the file errors are recorded in
  • Port - the port the server listens on, by default 80 (if the port is below 1024, root has to start the server as it will be a privileged port)
  • ServerName - the name the server identifies itself as and should be the fully qualified hostname, e.g. www.in2nix.com (this should be recorded in /etc/hosts in case of DNS problems)
  • PidFile - Where to record the process number of the parent process (used for communicating with and controlling the server)
  • ServerAdmin - Normally an email address to report problems to

Security

Normally there is a default security entry e.g.

<Directory />
AllowOverride None
Options None
Order deny,allow
Deny from all
</Directory>

This disallows access to all directories, i.e. from / downwards. It is then normally overridden with further directives allowing access to specific directories.

Permissions

These are best set as follows (the ServerRoot in this example is /usr/local/apache):

 1. chown -R root:root /usr/local/apache
 2. chmod -R 740 /usr/local/apache/*
 3. chmod 755 /usr/local/apache/cgi-bin /usr/local/apache/cgi-bin/*
 4. chgrp -R wwwdocs /usr/local/apache/htdocs
 5. chmod -R 775 /usr/local/apache/htdocs

Note: wwwdocs would be a group containing users who can update web pages.

httpd command flags

  • -d - server root directory
  • -f - location of config file
  • -h - list directives
  • -l - list modules
  • -v - echo version
  • -X - for debugging, won't go into daemon mode
  • apachectl start/stop - start or stop the httpd daemon

Authentication directives

The following security related directives can be used (often in conjunction with one another) to control who can access what…

  • Allow from host/network/all - mod_access module
  • Deny from host/network/all - mod_access module
  • Order deny,allow - process the deny rules first, then the allow rules, i.e. if not specifically denied, is allowed
  • Order allow,deny - if not specifically allowed, is denied
  • Order mutual-failure - must be allowed and not match any deny rules, i.e. both the allow and the deny rules are checked before access is granted
  • AuthType type - the authentication type, e.g. type could be Basic
  • AuthName realm - a name representing an area (realm) users need to be authenticated for
  • Require user username [username] - access will be denied unless the authenticated username is in the list username [username]
  • Require group groupname [groupname] - access will be denied unless the authenticated user belongs to a group in the list groupname [groupname]
  • Require valid-user - access will be granted if the user is authenticated
  • Satisfy All - the allow/deny and username, password, group rules must all be satisfied
  • Satisfy Any - either the allow/deny (network identity) rules or the username, password, group rules can be met

mod_auth module

Enhanced authentication is provided by running apache with the mod_auth module included. This has the following directives:

  • AuthUserFile filename - file containing usernames and encrypted passwords
  • AuthGroupFile filename - file containing a group name and users in that group
  • AuthAuthoritative Boolean - either on or off. If on, only AuthUserFile/AuthGroupFile are used. Otherwise a request is passed to any other authentication methods installed.
  • mod_auth_db/mod_auth_dbm - allows authentication data to be stored in a DBM or Berkeley DB database
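
The default-deny entry from the Security section and the authentication directives above, combined into one configuration. This is an added example, not part of the original notes; the private directory, the password file path, the realm name and the 192.168.1.0/24 network are assumptions chosen for illustration.

```apache
# Added example in the Order/Allow/Deny syntax used on this page
# (mod_access + mod_auth). Names marked "assumed" are not from the page.

# 1. Default entry: deny everything from / downwards.
<Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
</Directory>

# 2. Override the default for the DocumentRoot: public content.
<Directory /usr/local/apache/htdocs>
    Order allow,deny
    Allow from all
</Directory>

# 3. Restricted area (assumed path): the client must come from the
#    internal network (assumed range) AND present valid credentials.
<Directory /usr/local/apache/htdocs/private>
    # Deny is processed first, then Allow re-admits the internal range.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    AuthType Basic
    AuthName "Staff Area"
    # Assumed location. Keep the file outside the DocumentRoot so it can
    # never be served, and readable by the User the server runs as.
    AuthUserFile /usr/local/apache/conf/htpasswd
    Require valid-user

    # All: host check and login must both pass.
    # Any would admit a client that passes either one.
    Satisfy All
</Directory>
```

Running httpd with -f pointing at a copy of the config and -X keeps the server in the foreground, which makes it easy to confirm which block applies to a request before deploying.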

Other Directives (containers)

  • <Directory directory> - Directives inside apply to this directory only
  • <Files files> - Directives inside apply to these files only
  • <Location location> - Directives inside apply to this URL location only
  • <VirtualHost virtualhost> - Defines a virtual web site. Directives inside apply to the virtual web site only.
