Difference between revisions of "Apache HTTP Server"

From ArchWiki
m (→‎TLS/SSL: Clarify impact of vulnerabilities, added links, re-organized into {{Tip|}})
Line 105: Line 105:
  Include conf/extra/httpd-ssl.conf
  Include conf/extra/httpd-ssl.conf
{{Warning|Some variations and implementations of SSL and TLS are [http://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL vulnerable to attack]. Mozilla has a useful [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] which includes [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache specific] configuration guidelines as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.}}
{{Warning|Some variations and implementations of SSL/TLS are that are [https://weakdh.org/#affected still implemented] are [http://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL vulnerable to attack]. For details on these current vulnerabilities within SSL/TLS and how they apply to Apache and other services (such as email) visit http://disablessl3.com/ and https://weakdh.org/sysadmin.html}}
{{Tip|Mozilla has a useful [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] which includes [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache specific] configuration guidelines as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.}}
Restart {{ic|httpd.service}} to apply any changes.
Restart {{ic|httpd.service}} to apply any changes.
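Review bot: the rewritten Warning sentence is ungrammatical. "Some variations and implementations of SSL/TLS are that are [still implemented] are [vulnerable to attack]" carries a stray "are" after "SSL/TLS"; it should read "Some variations and implementations of SSL/TLS that are still implemented are vulnerable to attack." The same template also leaves http://disablessl3.com/ and https://weakdh.org/sysadmin.html as bare URLs with no closing period, while the Tip beside it uses labelled links; labelling them the same way would keep the two templates consistent. Since the stated aim of the edit is to clarify impact, the Warning could also say in a few words what each of the two linked sites covers.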

Revision as of 14:29, 26 June 2015


The Apache HTTP Server, or Apache for short, is a very popular web server, developed by the Apache Software Foundation.

Apache is often used together with a scripting language such as PHP and a database such as MySQL. This combination is often referred to as a LAMP stack (Linux, Apache, MySQL, PHP). This article describes how to set up Apache and how to optionally integrate it with PHP and MySQL.


Install the apache package.


Apache configuration files are located in /etc/httpd/conf. The main configuration file is /etc/httpd/conf/httpd.conf, which includes various other configuration files. The default configuration file should be fine for a simple setup. By default, it will serve the directory /srv/http to anyone who visits your website.

To start Apache, start httpd.service using systemd.

Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple index page.

For optional further configuration, see the following sections.

Advanced options

These options in /etc/httpd/conf/httpd.conf might be interesting for you:

User http
For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to this UID. The default user is http, which is created automatically during installation.
Listen 80
This is the port Apache will listen on. For Internet access through a router, you have to forward the port.
If you want to setup Apache for local development you may want it to be only accessible from your computer. Then change this line to Listen
ServerAdmin you@example.com
This is the admin's email address which can be found on e.g. error pages.
DocumentRoot "/srv/http"
This is the directory where you should put your web pages.
Change it, if you want to, but do not forget to also change <Directory "/srv/http"> to whatever you changed your DocumentRoot to, or you will likely get a 403 Error (lack of privileges) when you try to access the new document root. Do not forget to change the Require all denied line to Require all granted, otherwise you will get a 403 Error. Remember that the DocumentRoot directory and its parent folders must allow execution permission to others (can be set with chmod o+x /path/to/DocumentRoot), otherwise you will get a 403 Error.
AllowOverride None
This directive in <Directory> sections causes Apache to completely ignore .htaccess files. Note that this is now the default for Apache 2.4, so you need to explicitly allow overrides if you plan to use .htaccess files. If you intend to use mod_rewrite or other settings in .htaccess files, you can specify which directives declared in those files may override the server configuration. For more info refer to the Apache documentation.
Tip: If you have issues with your configuration you can have Apache check the configuration with: apachectl configtest

More settings can be found in /etc/httpd/conf/extra/httpd-default.conf:

To turn off your server's signature:

ServerSignature Off

To hide server information like Apache and PHP versions:

ServerTokens Prod

User directories

User directories are available by default through http://localhost/~yourusername/ and show the contents of ~/public_html (this can be changed in /etc/httpd/conf/extra/httpd-userdir.conf).

If you do not want user directories to be available on the web, comment out the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-userdir.conf

The factual accuracy of this article or section is disputed.

Reason: It is not necessary to set +x for every user; setting it only for the webserver via ACLs suffices (see Access_Control_Lists#Granting_execution_permissions_for_private_files_to_a_Web_Server). (Discuss in Talk:Apache HTTP Server#)

You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and ~/public_html must be executable for others ("rest of the world"):

$ chmod o+x ~
$ chmod o+x ~/public_html
$ chmod -R o+r ~/public_html

Restart httpd.service to apply any changes. See also Umask#Set the mask value.


To use TLS/SSL, you will need to install openssl.

Create a private key and certificate signing request (CSR) and optionally self-sign the CSR (which creates a certificate):

Note: You may want to change the key size in bits (rsa_keygen_bits:2048), remove -sha256 to use SHA-1 instead of SHA-2, or change the number of days of validity (-days 365).
# cd /etc/httpd/conf
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
# chmod 600 server.key
# openssl req -new -sha256 -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then, in /etc/httpd/conf/httpd.conf, uncomment the following three lines:

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
Warning: Some variations and implementations of SSL/TLS that are still implemented are vulnerable to attack. For details on these current vulnerabilities within SSL/TLS and how they apply to Apache and other services (such as email), visit http://disablessl3.com/ and https://weakdh.org/sysadmin.html.
Tip: Mozilla has a useful SSL/TLS article which includes Apache specific configuration guidelines as well as an automated tool to help create a more secure configuration.

Restart httpd.service to apply any changes.
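To check whether a configuration still offers SSLv3 (the subject of the disablessl3.com link above), the following shell functions evaluate an SSLProtocol line the way mod_ssl documents it. This is an added example, not part of the wiki page or of Apache; the function names, the sample files, and the assumptions that "all" includes SSLv3 and that a missing SSLProtocol line means "all" are this example's own.

```shell
# Added example: report which protocols an SSLProtocol line leaves enabled.
# Assumptions: no SSLProtocol line means "all", "all" includes SSLv3, each line
# starts from nothing, and one flat file is read (no Include, no vhost scoping).

# effective_protocols FILE -> prints the enabled protocols, space separated
effective_protocols() {
    awk '
    BEGIN {
        n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", names, " ")
        for (i = 1; i <= n; i++) on[names[i]] = 1          # default: all
    }
    /^[ \t]*#/ { next }                                    # skip comment lines
    tolower($1) == "sslprotocol" {
        for (i = 1; i <= n; i++) on[names[i]] = 0          # start from none
        for (f = 2; f <= NF; f++) {
            tok = tolower($f); act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            for (i = 1; i <= n; i++) {
                hit = (tok == "all" || tok == tolower(names[i]))
                if (act == "-")      { if (hit) on[names[i]] = 0 }
                else if (act == "+") { if (hit) on[names[i]] = 1 }
                else                 { on[names[i]] = hit }  # bare name replaces
            }
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (on[names[i]]) out = (out == "" ? names[i] : out " " names[i])
        print out
    }' "$1"
}

# sslv3_enabled FILE -> exit status 0 when SSLv3 is still offered
sslv3_enabled() {
    case " $(effective_protocols "$1") " in
        *" SSLv3 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample configs: SSLv3 left on, then removed.
tmp=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$tmp/weak.conf"
printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$tmp/fixed.conf"
for f in weak fixed; do
    if sslv3_enabled "$tmp/$f.conf"; then s="SSLv3 ENABLED"; else s="SSLv3 off"; fi
    echo "$f.conf: $s ($(effective_protocols "$tmp/$f.conf"))"
done
rm -rf "$tmp"
```

The last SSLProtocol line in the file wins here; a real server can override it per virtual host, so run the check on each vhost file as well.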

Virtual hosts

Note: You will need to add a separate <VirtualHost domainname:443> section for virtual host SSL support. See #Managing lots of virtual hosts for an example file.

If you want to have more than one host, uncomment the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-vhosts.conf

In /etc/httpd/conf/extra/httpd-vhosts.conf set your virtual hosts. The default file contains an elaborate example that should help you get started.

To test the virtual hosts on your local machine, add the virtual names to your /etc/hosts file: domainname1.dom domainname2.dom

Restart httpd.service to apply any changes.

Managing lots of virtual hosts

If you have a large number of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, e.g. /etc/httpd/conf/vhosts.

First create the folder:

# mkdir /etc/httpd/conf/vhosts

Then place the single configuration files in it:

# nano /etc/httpd/conf/vhosts/domainname1.dom
# nano /etc/httpd/conf/vhosts/domainname2.dom

In the last step, Include the single configurations in your /etc/httpd/conf/httpd.conf:

#Enabled Vhosts:
Include conf/vhosts/domainname1.dom
Include conf/vhosts/domainname2.dom

You can enable and disable single virtual hosts by commenting or uncommenting them.

A very basic vhost file will look like this:

<VirtualHost domainname1.dom:80>
    ServerAdmin webmaster@domainname1.dom
    DocumentRoot "/home/user/http/domainname1.dom"
    ServerName domainname1.dom
    ServerAlias domainname1.dom
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common

    <Directory "/home/user/http/domainname1.dom">
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost domainname1.dom:443>
    ServerAdmin webmaster@domainname1.dom
    DocumentRoot "/home/user/http/domainname1.dom"
    ServerName domainname1.dom:443
    ServerAlias domainname1.dom:443
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common

    <Directory "/home/user/http/domainname1.dom">
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile "/etc/httpd/conf/server.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/server.key"
</VirtualHost>



To install PHP, first install the php and php-apache packages.

Note: libphp5.so included with php-apache does not work with mod_mpm_event (FS#39218). You will have to use mod_mpm_prefork instead. Otherwise you will get the following error:
Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
AH00013: Pre-configuration failed
httpd.service: control process exited, code=exited status=1

Because /etc/httpd/conf/httpd.conf loads mod_mpm_event by default, you will have to switch to mod_mpm_prefork for libphp5.so to work properly. Open /etc/httpd/conf/httpd.conf and replace:

LoadModule mpm_event_module modules/mod_mpm_event.so

with:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
As an alternative, you can use mod_proxy_fcgi (see #Using php5 with php-fpm and mod_proxy_fcgi below).

To enable PHP, add these lines to /etc/httpd/conf/httpd.conf:

  • Place this in the LoadModule list anywhere after LoadModule dir_module modules/mod_dir.so:
LoadModule php5_module modules/libphp5.so
  • Place this at the end of the Include list:
Include conf/extra/php5_module.conf

If your DocumentRoot is not /srv/http, add it to open_basedir in /etc/php/php.ini as such:


Restart httpd.service using systemd

To test whether PHP was correctly configured: create a file called test.php in your Apache DocumentRoot directory (e.g. /srv/http/ or ~/public_html) with the following contents:

<?php phpinfo(); ?>

To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php

For advanced configuration and extensions, please read PHP.

Using php5 with php-fpm and mod_proxy_fcgi

Note: Unlike the widespread setup with ProxyPass, the proxy configuration with SetHandler respects other Apache directives like DirectoryIndex. This ensures a better compatibility with software designed for libphp5, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, experiment with a line like this:
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/srv/http/$1
  • Set listen in /etc/php/php-fpm.conf like this (these values are currently the defaults):
;listen =
listen = /run/php-fpm/php-fpm.sock
listen.owner = http
listen.group = http
  • Append following to /etc/httpd/conf/httpd.conf:
<FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
</FilesMatch>
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

The pipe between sock and fcgi is not allowed to be surrounded by a space!

  • If you have it added, remove the php module, as this is no longer needed.
LoadModule php5_module modules/libphp5.so
  • Restart the Apache and php-fpm daemons.

Using php5 with apache2-mpm-worker and mod_fcgid

  • Uncomment following in /etc/conf.d/apache:
  • Uncomment following in /etc/httpd/conf/httpd.conf:
Include conf/extra/httpd-mpm.conf
  • Create /etc/httpd/conf/extra/php5_fcgid.conf with following content:
# Required modules: fcgid_module

<IfModule fcgid_module>
    AddHandler php-fcgid .php
    AddType application/x-httpd-php .php
    Action php-fcgid /fcgid-bin/php-fcgid-wrapper
    ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
    SocketPath /var/run/httpd/fcgidsock
    SharememPath /var/run/httpd/fcgid_shm
    # If you don't allow bigger requests many applications may fail (such as WordPress login)
    FcgidMaxRequestLen 536870912
    # Path to php.ini – defaults to /etc/phpX/cgi
    DefaultInitEnv PHPRC=/etc/php/
    # Number of PHP children that will be launched. Leave undefined to let PHP decide.
    #DefaultInitEnv PHP_FCGI_CHILDREN 3
    # Maximum requests before a process is stopped and a new one is launched
    #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
    <Location /fcgid-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Location>
</IfModule>
  • Create the needed directory and symlink it for the PHP wrapper:
# mkdir /srv/http/fcgid-bin
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper
  • Edit /etc/httpd/conf/httpd.conf:
#LoadModule php5_module modules/libphp5.so
LoadModule fcgid_module modules/mod_fcgid.so
Include conf/extra/php5_fcgid.conf

and restart httpd.

Note: As of Apache 2.4 you can now use mod_proxy_fcgi (part of the official distribution) with PHP-FPM (and the new event MPM). See this configuration example.


Follow the instructions in PHP#MySQL/MariaDB.

When configuration is complete, restart the httpd service to apply all the changes.


mod_spdy is a SPDY module for Apache 2.2 that allows your web server to take advantage of SPDY features like stream multiplexing and header compression.

Follow the instructions in Apache_and_spdy.


Apache Status and Logs

See the status of the Apache daemon with systemctl.

Apache logs can be found in /var/log/httpd/

Error: PID file /run/httpd/httpd.pid not readable (yet?) after start

Comment out the unique_id_module: #LoadModule unique_id_module modules/mod_unique_id.so

Upgrading Apache to 2.4 from 2.2

If you use php-apache, follow the introductory note to Apache with PHP above.

Access Control has changed. Convert all Order, Allow, Deny and Satisfy directives to the new Require syntax. mod_access_compat allows you to use the deprecated format during a transition phase.

More information: Upgrading to 2.4 from 2.2

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.

If httpd.service fails when loading php5_module, and you get an error like this in the journal:

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.

you need to replace mpm_event_module with mpm_prefork_module:

LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

and restart httpd.service.

See also