Talk:Apache HTTP Server
Keep getting PID-errors: systemd: PID file /run/httpd/httpd.pid not readable (yet?) after start. (even when modules/mod_unique_id.so is disabled)
About the PHP Installation, mod_mpm_prefork seems not the best choice: https://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 I would vote for mod_proxy_handler
If the service httpd doesn't start, take a look at /var/log/httpd/error_log. If this line appears: -[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "myhost" you must uncomment the line: LoadModule unique_id_module. Restart httpd and now it should work. --Nak 17:22, 22 April 2007 (GMT+1)
Could the SSL section be expanded to include how to use .htaccess and mod_rewrite to redirect traffic for certain sections or the whole site? I found apache2-forcing-all-inbound-traffic-to-ssl to be a useful resource in this respect. Corburn 13:58, 23 March 2012 (EDT)
Continuing discussion from the main page, you do not have to make your home directory world-readable in order to make your public_html directory available to the web server. To minimize home directory exposure, I generally set the permission for both /home/$USER and /home/$USER/public_html to 0750 and change the group ownership to http. E.g.:
mkdir -p $HOME/public_html
chmod 0750 $HOME $HOME/public_html
chown $USER:http $HOME $HOME/public_html
That way you have given only read (descend into) permission to the web server user for both your home directory and your userdir. David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC (talk) 07:22, 25 August 2015 (UTC)
I think that section needs to add:
#LoadModule userdir_module modules/mod_userdir.so
to fully disable userdir.
- According to :
- "User directory substitution is not active by default in versions 2.1.4 and later. In earlier versions, UserDir public_html was assumed if no UserDir directive was present."
- So I think it is safe to just not include the conf. --Lonaowna (talk) 18:20, 23 August 2014 (UTC)
Which MPM to use with php-fpm and mod_proxy_fcgi?
The section about php-fpm and mod_proxy_fcgi does not say which MPM (event, prefork, worker) is optimal for this configuration. If I understand correctly (but I'm not an expert), the default mpm_event_module would be the best choice. It would be good to document this, because users coming from a mod_php / mpm_prefork_module configuration would need to actively switch back to mpm_event_module. --Marcvangend (talk) 09:24, 23 November 2015 (UTC)
The best MPM to use is to be determined by individual benchmarks. But event MPM should be good as a default.
Shouldn't this page mention the need to disallow access to root directory?
Now I'm not an admin of an Apache server, so what I'm saying here is not necessarily correct. I was just browsing through Apache docs, and I found something that might be very interesting here.
To be more exact, http://httpd.apache.org/docs/2.4/en/mod/core.html#directory states (in bold) that:
Note that the default access for <Directory "/"> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as
Require all denied
and then override this for directories you want accessible. See the Security Tips page for more details.
Okay, that sounds serious. Yet this article just claims that "The default configuration file should be fine for a simple setup."
Am I right in my supposition that this recommendation should be changed to match the recommendation of Apache docs?
- Hi, thanks for your concern.
- The default /etc/httpd/conf/httpd.conf provided by the Arch package already contains the following:
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>
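One way to check a configuration for the root deny discussed above. This is an added example, not part of the Arch package or the Apache documentation. The function names and both sample configs are constructed for illustration, and it assumes a single file (it does not follow Include directives).

```python
import re

# Constructed sample configs (not taken from any real server).
HARDENED = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/srv/http">
    Require all granted
</Directory>
"""
PERMISSIVE = """\
<Directory "/srv/http">
    Require all granted
</Directory>
"""

# Matches <Directory /> and <Directory "/path">, but not <DirectoryMatch ...>.
OPEN_RE = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^</Directory\s*>$', re.IGNORECASE)

def directory_blocks(conf_text):
    """Yield (path, [directive lines]) per <Directory> block, skipping comments."""
    path, body = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            path, body = m.group(1), []
        elif CLOSE_RE.match(line) and path is not None:
            yield path, body
            path = None
        elif path is not None:
            body.append(line)

def root_is_denied(conf_text):
    """True only if the last Require set in a <Directory /> block is 'all denied'."""
    denied = False  # no root block: Apache's default is to permit all access
    for path, body in directory_blocks(conf_text):
        directives = [" ".join(d.lower().split()) for d in body]
        requires = [d for d in directives if d.startswith("require ")]
        if path == "/" and requires:
            denied = requires == ["require all denied"]
    return denied

if __name__ == "__main__":
    print(root_is_denied(HARDENED), root_is_denied(PERMISSIVE))
```

To audit a real server, pass the contents of /etc/httpd/conf/httpd.conf to root_is_denied().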
The article says: "After obtaining a key and certificate, make sure the SSLCertificateFile and SSLCertificateKeyFile lines in /etc/httpd/conf/extra/httpd-ssl.conf point to the key and certificate."
In my experience the SSLCertificateChainFile variable also needs to be defined, at least when using Let's Encrypt. This way I fixed problems downloading stuff with wget from my server. It also improved the SSL rating of my server from B to A (via https://www.ssllabs.com/ssltest/).