Difference between revisions of "Apache HTTP Server"

From ArchWiki
(this is not "more secure", just adds more complexity)
(Apache: remove useless bullets, clean up, update for Apache 2.4)
Line 50: Line 50:
  
 
==== SSL ====
 
==== SSL ====
* Create a self-signed certificate (you can change the key size and the number of days of validity):
+
Create a self-signed certificate (you can change the key size and the number of days of validity):
 
  # cd /etc/httpd/conf
 
  # cd /etc/httpd/conf
 
  # openssl genrsa -out server.key 2048
 
  # openssl genrsa -out server.key 2048
Line 57: Line 57:
 
  # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
 
  # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  
* Then, in {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the line containing:
+
Then, in {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the line containing:
 
  Include conf/extra/httpd-ssl.conf
 
  Include conf/extra/httpd-ssl.conf
  
Restart {{ic|httpd}} to apply any changes.
+
Restart {{ic|httpd.service}} to apply any changes.
  
 
==== Virtual Hosts ====
 
==== Virtual Hosts ====
* If you want to have more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
+
If you want to have more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
 
  Include conf/extra/httpd-vhosts.conf
 
  Include conf/extra/httpd-vhosts.conf
  
* In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts according the example, e.g.:
+
In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts according the example, e.g.:
 
{{hc|/etc/httpd/conf/extra/httpd-vhosts.conf|
 
{{hc|/etc/httpd/conf/extra/httpd-vhosts.conf|
 
'''NameVirtualHost *:80 ''' #this allows name based virtual hosts
 
'''NameVirtualHost *:80 ''' #this allows name based virtual hosts
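Review bot: The context line "NameVirtualHost *:80 #this allows name based virtual hosts" at the end of this hunk is left as it was, although the edit summary says "update for Apache 2.4". Apache 2.4 no longer needs NameVirtualHost and only logs a warning for it, and httpd does not accept a comment on the same line as a directive, so the example should drop the directive or at least move the comment to its own line. The rewritten sentence "set your virtual hosts according the example" is also still missing "to".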
Line 122: Line 122:
 
}}
 
}}
  
* Add your virtual host names to your {{ic|/etc/hosts}} file (not necessary if a DNS server is serving these domains already, but will not hurt to do it anyway):
+
Add your virtual host names to your {{ic|/etc/hosts}} file (not necessary if a DNS server is serving these domains already, but will not hurt to do it anyway):
 
  127.0.0.1 domainname1.dom  
 
  127.0.0.1 domainname1.dom  
 
  127.0.0.1 domainname2.dom
 
  127.0.0.1 domainname2.dom
  
Restart {{ic|httpd}} to apply any changes.
+
Restart {{ic|httpd.service}} to apply any changes.
  
* If you setup your virtual hosts to be in your user directory, sometimes it interferes with Apache's {{ic|Userdir}} settings. To avoid problems disable {{ic|Userdir}} by comment the following line in:
+
If you setup your virtual hosts to be in your user directory, sometimes it interferes with Apache's {{ic|Userdir}} settings. To avoid problems disable {{ic|Userdir}} by comment the following line in:
 
  #Include conf/extra/httpd-userdir.conf
 
  #Include conf/extra/httpd-userdir.conf
  
* As said above, ensure that you have the proper permissions:
+
As said above, ensure that you have the proper permissions:
 
  # chmod 0775 /home/''yourusername''/
 
  # chmod 0775 /home/''yourusername''/
  
* If you have a huge amount of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.
+
If you have a huge amount of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.
  
* First create the folder:
+
First create the folder:
 
  # mkdir /etc/httpd/conf/vhosts
 
  # mkdir /etc/httpd/conf/vhosts
  
* Then place the single configuration files in it:
+
Then place the single configuration files in it:
 
  # nano /etc/httpd/conf/vhosts/domainname1.dom
 
  # nano /etc/httpd/conf/vhosts/domainname1.dom
 
  # nano /etc/httpd/conf/vhosts/domainname2.dom
 
  # nano /etc/httpd/conf/vhosts/domainname2.dom
 
  ...
 
  ...
  
* In the last step, {{ic|Include}} the single configurations in your {{ic|/etc/httpd/conf/httpd.conf}}:
+
In the last step, {{ic|Include}} the single configurations in your {{ic|/etc/httpd/conf/httpd.conf}}:
 
  #Enabled Vhosts:
 
  #Enabled Vhosts:
 
  Include conf/vhosts/domainname1.dom
 
  Include conf/vhosts/domainname1.dom
 
  Include conf/vhosts/domainname2.dom
 
  Include conf/vhosts/domainname2.dom
  
* You can enable and disable single virtual hosts by commenting or uncommenting them.
+
You can enable and disable single virtual hosts by commenting or uncommenting them.
  
 
==== Advanced Options ====
 
==== Advanced Options ====
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you.
+
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you:
  
  # Listen 80
+
  Listen 80
* This is the port Apache will listen to. For Internet-access with router, you have to forward the port.
+
:This is the port Apache will listen to. For Internet-access with router, you have to forward the port.
  
If you setup Apache for local development you may want it to be only accessible from your computer. Then change this line to:
+
:If you want to setup Apache for local development you may want it to be only accessible from your computer. Then change this line to {{ic|Listen 127.0.0.1:80}}.
# Listen 127.0.0.1:80
+
  
* This is the admin's email address which can be found on e.g. error pages:
+
ServerAdmin you@example.com
# ServerAdmin you@example.com
+
:This is the admin's email address which can be found on e.g. error pages.
  
* This is the directory where you should put your web pages:
+
DocumentRoot "/srv/http"
# DocumentRoot "/srv/http"
+
:This is the directory where you should put your web pages.
  
Change it, if you want to, but do not forget to also change
+
:Change it, if you want to, but do not forget to also change {{ic|<Directory "/srv/http">}} to whatever you changed your {{ic|DocumentRoot}} too, or you will likely get a '''403 Error''' (lack of privileges) when you try to access the new document root. Do not forget to change the {{ic|Require all denied}} line, otherwise you will get a '''403 Error'''.
<Directory "/srv/http">
+
to whatever you changed your {{ic|DocumentRoot}} too, or you will likely get a '''403 Error''' (lack of privileges) when you try to access the new document root. Do not forget to change the {{ic|Deny from all}} line, otherwise you will get a '''403 Error'''.
+
  
  # AllowOverride None
+
  AllowOverride None
* This directive in {{ic|<Directory>}} sections causes Apache to completely ignore {{ic|.htaccess}} files. If you intend to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}} files, you can allow which directives declared in that file can override server configuration. For more info refer to the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation].
+
:This directive in {{ic|<Directory>}} sections causes Apache to completely ignore {{ic|.htaccess}} files. If you intend to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}} files, you can allow which directives declared in that file can override server configuration. For more info refer to the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation].
  
{{Note|If you have issues with your configuration you can have Apache check the configuration with: {{ic|apachectl configtest}}}}
+
{{Tip|If you have issues with your configuration you can have Apache check the configuration with: {{ic|apachectl configtest}}}}
  
* More settings in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}:
+
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}:
  
* To turn off your server's signature:
+
To turn off your server's signature:
 
  ServerSignature Off
 
  ServerSignature Off
  
* To hide server information like Apache and PHP versions:
+
To hide server information like Apache and PHP versions:
 
  ServerTokens Prod
 
  ServerTokens Prod
  
 
==== Troubleshooting ====
 
==== Troubleshooting ====
* If you encounter '''Error: PID file /run/httpd/httpd.pid not readable (yet?) after start.'''
+
If you encounter '''Error: PID file /run/httpd/httpd.pid not readable (yet?) after start.'''
 
:Comment out the unique_id_module:
 
:Comment out the unique_id_module:
 
   #LoadModule unique_id_module modules/mod_unique_id.so
 
   #LoadModule unique_id_module modules/mod_unique_id.so
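Review bot: The rewritten DocumentRoot paragraph now says "Do not forget to change the Require all denied line" without naming the <Directory> block it refers to or the value to set. Spell out that the block for the new document root needs "Require all granted", so that readers do not loosen a deny rule covering more than the document root. In the same hunk, "chmod 0775 /home/yourusername/" is carried over unchanged although it makes the home directory group-writable and world-readable, and "by comment the following line in:" still names no file.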

Revision as of 23:09, 9 March 2014

This article or section is out of date.

Reason: This article needs to be updated to Apache 2.4. (Discuss in Talk:Apache HTTP Server#)
LAMP refers to a common combination of software used in many web servers: Linux, Apache, MySQL/MariaDB, and PHP. This article describes how to set up the Apache HTTP Server on an Arch Linux system. It also tells you how to optionally install PHP and MariaDB and integrate these in the Apache server.

If you only need a web server for development and testing, Xampp might be a better and easier option.

Installation

This document assumes you will install Apache, PHP and MariaDB together. If desired however, you may install Apache, PHP, and MariaDB separately and simply refer to the relevant sections below.

You can install apache, php, php-apache and mariadb from the official repositories.

Configuration

Apache

For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to the UID/GID specified in /etc/httpd/conf/httpd.conf. The default is user http and it is created automatically during installation.

Change httpd.conf and optionally extra/httpd-default.conf to your liking and start httpd.service using systemd.

Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple Apache test page.

User directories

User directories are available by default through http://localhost/~yourusername/ and show the contents of ~/public_html (this can be changed in /etc/httpd/conf/extra/httpd-userdir.conf).

If you do not want user directories to be available on the web, comment out the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-userdir.conf

You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and ~/public_html/ must be executable for others ("rest of the world"). This seems to be enough:

$ chmod o+x ~
$ chmod o+x ~/public_html

Restart httpd.service to apply any changes.

SSL

Create a self-signed certificate (you can change the key size and the number of days of validity):

# cd /etc/httpd/conf
# openssl genrsa -out server.key 2048
# chmod 600 server.key
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Then, in /etc/httpd/conf/httpd.conf, uncomment the line containing:

Include conf/extra/httpd-ssl.conf

Restart httpd.service to apply any changes.
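
The certificate steps above as a non-interactive script with checks on the result. This is an added example, not part of the wiki page; the function names and the subject /CN=localhost are assumptions, and it works in whatever directory you pass instead of /etc/httpd/conf:

```sh
#!/bin/sh
# Added example: create server.key, server.csr and server.crt in DIR with the
# same openssl commands as above, then verify what was produced.

make_selfsigned() {
    dir=$1
    days=${2:-365}
    (
        cd "$dir" || exit 1
        # Set the umask first so server.key is owner-only from the moment it is
        # created, instead of being tightened afterwards with chmod 600.
        umask 077
        openssl genrsa -out server.key 2048 2>/dev/null &&
        openssl req -new -key server.key -out server.csr -subj "/CN=localhost" &&
        openssl x509 -req -days "$days" -in server.csr -signkey server.key \
            -out server.crt 2>/dev/null
    )
}

# Succeeds when server.crt carries the public key that belongs to server.key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Succeeds when server.key is a regular file readable and writable by its owner only.
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Succeeds when the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1/server.crt" -noout \
        -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Demonstration in a throwaway directory.
work=$(mktemp -d)
if make_selfsigned "$work" 365 && cert_matches_key "$work" && key_is_private "$work"; then
    echo "key and certificate are consistent, key is owner-only"
fi
rm -rf "$work"
```

cert_valid_for_days can be run periodically against the installed certificate to notice an approaching expiry before clients start failing.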

Virtual Hosts

If you want to have more than one host, uncomment the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-vhosts.conf

In /etc/httpd/conf/extra/httpd-vhosts.conf set your virtual hosts according to the example, e.g.:

/etc/httpd/conf/extra/httpd-vhosts.conf
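#this allowed name based virtual hosts in Apache 2.2; Apache 2.4 ignores the directive and logs a warning.
#a comment must be on its own line: httpd does not allow one after a directive.
NameVirtualHost *:80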

#this first virtualhost enables: http://127.0.0.1, or: http://localhost, 
#to still go to /srv/http/*index.html(otherwise it will 404_error).
#the reason for this: once you tell httpd.conf to include extra/httpd-vhosts.conf, 
#ALL vhosts are handled in httpd-vhosts.conf(including the default one),
# E.G. the default virtualhost in httpd.conf is not used and must be included here, 
#otherwise, only domainname1.dom & domainname2.dom will be accessible
#from your web browser and NOT http://127.0.0.1, or: http://localhost, etc.
#

<VirtualHost *:80>
    DocumentRoot "/srv/http"
    ServerAdmin root@localhost
    ErrorLog "/var/log/httpd/127.0.0.1-error_log"
    CustomLog "/var/log/httpd/127.0.0.1-access_log" common
    <Directory /srv/http/>
      DirectoryIndex index.htm index.html
      AddHandler cgi-script .cgi .pl
      # Options keywords must either all carry +/- or none of them (Apache 2.4 rejects a mix)
      Options ExecCGI Indexes FollowSymLinks MultiViews Includes
      AllowOverride None
      Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin your@domainname1.dom
    DocumentRoot "/home/username/yoursites/domainname1.dom/www"
    ServerName domainname1.dom
    ServerAlias domainname1.dom
    <Directory /home/username/yoursites/domainname1.dom/www/>
      DirectoryIndex index.htm index.html
      AddHandler cgi-script .cgi .pl
      Options ExecCGI Indexes FollowSymLinks MultiViews Includes
      AllowOverride None
      Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin your@domainname2.dom
    DocumentRoot "/home/username/yoursites/domainname2.dom/www"
    ServerName domainname2.dom
    ServerAlias domainname2.dom
    <Directory /home/username/yoursites/domainname2.dom/www/>
      DirectoryIndex index.htm index.html
      AddHandler cgi-script .cgi .pl
      Options ExecCGI Indexes FollowSymLinks MultiViews Includes
      AllowOverride None
      Require all granted
    </Directory>
</VirtualHost>

Add your virtual host names to your /etc/hosts file (not necessary if a DNS server is serving these domains already, but will not hurt to do it anyway):

127.0.0.1 domainname1.dom 
127.0.0.1 domainname2.dom

Restart httpd.service to apply any changes.

If you set up your virtual hosts in your user directory, this sometimes interferes with Apache's Userdir settings. To avoid problems, disable Userdir by commenting out the following line in /etc/httpd/conf/httpd.conf:

#Include conf/extra/httpd-userdir.conf

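As said above, ensure that you have the proper permissions. Note that mode 0775 also grants group write and world read access to the home directory, while the User directories section above needs only execute permission for others (o+x):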

# chmod 0775 /home/yourusername/

If you have a large number of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, e.g. /etc/httpd/conf/vhosts.

First create the folder:

# mkdir /etc/httpd/conf/vhosts

Then place the single configuration files in it:

# nano /etc/httpd/conf/vhosts/domainname1.dom
# nano /etc/httpd/conf/vhosts/domainname2.dom
...

In the last step, Include the single configurations in your /etc/httpd/conf/httpd.conf:

#Enabled Vhosts:
Include conf/vhosts/domainname1.dom
Include conf/vhosts/domainname2.dom

You can enable and disable single virtual hosts by commenting or uncommenting them.

Advanced Options

These options in /etc/httpd/conf/httpd.conf might be interesting for you:

Listen 80
This is the port Apache will listen on. For Internet access through a router, you have to forward the port.
If you want to set up Apache for local development, you may want it to be accessible only from your computer. Then change this line to Listen 127.0.0.1:80.
ServerAdmin you@example.com
This is the admin's email address which can be found on e.g. error pages.
DocumentRoot "/srv/http"
This is the directory where you should put your web pages.
Change it if you want to, but do not forget to also change <Directory "/srv/http"> to whatever you changed your DocumentRoot to, or you will likely get a 403 Error (lack of privileges) when you try to access the new document root. Do not forget to change the Require all denied line, otherwise you will get a 403 Error.
AllowOverride None
This directive in <Directory> sections causes Apache to completely ignore .htaccess files. If you intend to use mod_rewrite or other settings in .htaccess files, you can specify which directives declared in those files may override the server configuration. For more info refer to the Apache documentation.
Tip: If you have issues with your configuration you can have Apache check the configuration with: apachectl configtest

More settings can be found in /etc/httpd/conf/extra/httpd-default.conf:

To turn off your server's signature:

ServerSignature Off

To hide server information like Apache and PHP versions:

ServerTokens Prod
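
A small audit of the settings covered in this section (Listen, AllowOverride, the Userdir include, ServerSignature and ServerTokens). This is an added example, not part of the wiki page; the function names, finding codes and both sample configurations are constructed for illustration:

```sh
#!/bin/sh
# Added example: flag the settings discussed above in Apache configuration files.
# Usage: audit_httpd_conf FILE...   (a later file overrides an earlier one)
# Prints one "CODE file:line detail" line per finding; no output means no finding.

audit_httpd_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank and commented-out lines
        { d = tolower($1); v = tolower($2); at = FILENAME ":" FNR }

        # Listen with a bare port, 0.0.0.0 or [::] accepts connections on every interface.
        d == "listen" && (v ~ /^[0-9]+$/ || v ~ /^0\.0\.0\.0:/ || v ~ /^\[::\]:/) {
            print "LISTEN_ALL " at " " $1 " " $2
        }
        # Any value other than None makes Apache read .htaccess files.
        d == "allowoverride" && v != "none" { print "HTACCESS_ON " at " " $1 " " $2 }
        # An active Include of httpd-userdir.conf publishes ~/public_html.
        d ~ /^include(optional)?$/ && v ~ /httpd-userdir\.conf$/ { print "USERDIR_ON " at }
        # For these two the last value seen is the one in effect.
        d == "serversignature" { sig = v; sig_at = at }
        d == "servertokens"    { tok = v; tok_at = at }

        END {
            # ServerSignature defaults to Off, so only an explicit On or EMail is flagged.
            if (sig == "on" || sig == "email") print "SIGNATURE_ON " sig_at
            # ServerTokens defaults to Full, which includes version details.
            if (tok == "") print "TOKENS_UNSET no ServerTokens directive (default is Full)"
            else if (tok != "prod" && tok != "productonly") print "TOKENS_VERBOSE " tok_at " " tok
        }
    ' "$@"
}

# Constructed sample input, not a real server configuration.
sample_conf() {
    cat <<'EOF'
Listen 80
#Listen 127.0.0.1:80
ServerAdmin you@example.com
DocumentRoot "/srv/http"
<Directory "/srv/http">
    AllowOverride FileInfo
    Require all granted
</Directory>
Include conf/extra/httpd-userdir.conf
ServerSignature On
ServerTokens OS
EOF
}

# The same constructed sample with the values recommended in this section.
hardened_conf() {
    cat <<'EOF'
Listen 127.0.0.1:80
<Directory "/srv/http">
    AllowOverride None
    Require all granted
</Directory>
#Include conf/extra/httpd-userdir.conf
ServerSignature Off
ServerTokens Prod
EOF
}

# Demonstration on the constructed samples.
tmp=$(mktemp -d)
sample_conf > "$tmp/weak.conf"
hardened_conf > "$tmp/hardened.conf"
audit_httpd_conf "$tmp/weak.conf"
audit_httpd_conf "$tmp/hardened.conf"
rm -rf "$tmp"
```

On a real system, pass /etc/httpd/conf/httpd.conf followed by /etc/httpd/conf/extra/httpd-default.conf so that the values from the included file are taken into account.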

Troubleshooting

If you encounter Error: PID file /run/httpd/httpd.pid not readable (yet?) after start.

Comment out the unique_id_module:
 #LoadModule unique_id_module modules/mod_unique_id.so

PHP

Note: libphp5.so included with php-apache does not work with mod_mpm_event (FS#39218). You'll have to use mod_mpm_prefork instead. Otherwise you will get the following error:
Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
AH00013: Pre-configuration failed
httpd.service: control process exited, code=exited status=1

To use mod_mpm_prefork, open /etc/httpd/conf/httpd.conf and replace

LoadModule mpm_event_module modules/mod_mpm_event.so

with

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
  • To enable PHP, add these lines to /etc/httpd/conf/httpd.conf:
Place this in the LoadModule list anywhere after LoadModule dir_module modules/mod_dir.so:
 LoadModule php5_module modules/libphp5.so
Place this at the end of the Include list:
 Include conf/extra/php5_module.conf

/etc/httpd/conf/extra/php5_module.conf

Uncomment the following line (optional):
 MIMEMagicFile conf/magic
  • Add this line in /etc/httpd/conf/mime.types:
 application/x-httpd-php       php    php5
Note: If you do not see libphp5.so in the Apache modules directory (/etc/httpd/modules), you may have forgotten to install php-apache.
  • If your DocumentRoot is not /srv/http, add it to open_basedir in /etc/php/php.ini as such:
 open_basedir=/srv/http/:/home/:/tmp/:/usr/share/pear/:/path/to/documentroot
  • To test whether PHP was correctly configured: create a file called test.php in your Apache DocumentRoot directory (e.g. /srv/http/ or ~/public_html) and inside it put:
<?php phpinfo(); ?>
To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php
If the PHP code is not executed (you see plain text in test.php), check that you have added Includes to the Options line for your root directory in /etc/httpd/conf/httpd.conf. Moreover, check that TypesConfig conf/mime.types is uncommented in the <IfModule mime_module> section. You may also try adding the following to the <IfModule mime_module> section in httpd.conf:
AddHandler application/x-httpd-php .php

Advanced options

  • It is recommended to set your timezone (list of timezones) in /etc/php/php.ini like so:
date.timezone = Europe/Berlin
  • If you want to display errors to debug your PHP code, change display_errors to On in /etc/php/php.ini:
display_errors=On
  • If you want the libGD module, install php-gd and uncomment extension=gd.so in /etc/php/php.ini:
extension=gd.so
Note: Pay attention to which extension you uncomment, as this extension is sometimes mentioned in an explanatory comment before the actual line you want to uncomment.
  • If you want the mcrypt module, install php-mcrypt and uncomment extension=mcrypt.so in /etc/php/php.ini:
extension=mcrypt.so
  • Remember to add a file handler for .phtml, if you need it, in /etc/httpd/conf/extra/php5_module.conf:
DirectoryIndex index.php index.phtml index.html

Using php5 with php-fpm, mod_proxy_fcgi and mod_proxy_handler (AUR)

Note: Unlike the widespread setup with ProxyPass, the proxy configuration with mod_proxy_handler and SetHandler respects other Apache directives like DirectoryIndex. This ensures better compatibility with software designed for libphp5, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, experiment with a line like this:
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/srv/http/$1
  • Set listen in /etc/php/php-fpm.conf like this:
; use ip/port instead of unix socket, mod_proxy_fcgi does not support it
listen = 127.0.0.1:9000
;listen = /run/php-fpm/php-fpm.sock
  • Uncomment the following in /etc/php/php-fpm.conf:
listen.allowed_clients = 127.0.0.1
  • Append the following to /etc/httpd/conf/httpd.conf:
LoadModule proxy_handler_module modules/mod_proxy_handler.so
<FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
  • Make sure /etc/php/php.ini has the directive enabled:
cgi.fix_pathinfo=1

Using php5 with apache2-mpm-worker and mod_fcgid

  • Uncomment the following in /etc/conf.d/apache:
HTTPD=/usr/bin/httpd.worker
  • Uncomment the following in /etc/httpd/conf/httpd.conf:
Include conf/extra/httpd-mpm.conf
  • Create /etc/httpd/conf/extra/php5_fcgid.conf with the following content:
/etc/httpd/conf/extra/php5_fcgid.conf
# Required modules: fcgid_module

<IfModule fcgid_module>
	AddHandler php-fcgid .php
	AddType application/x-httpd-php .php
	Action php-fcgid /fcgid-bin/php-fcgid-wrapper
	ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
	SocketPath /var/run/httpd/fcgidsock
	SharememPath /var/run/httpd/fcgid_shm
        # If you don't allow bigger requests many applications may fail (such as WordPress login)
        FcgidMaxRequestLen 536870912
        PHP_Fix_Pathinfo_Enable 1
        # Path to php.ini – defaults to /etc/phpX/cgi
        DefaultInitEnv PHPRC=/etc/php/
        # Number of PHP children that will be launched. Leave undefined to let PHP decide.
        #DefaultInitEnv PHP_FCGI_CHILDREN 3
        # Maximum requests before a process is stopped and a new one is launched
        #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
        <Location /fcgid-bin/>
		SetHandler fcgid-script
		Options +ExecCGI
	</Location>
</IfModule>
  • Create the needed directory and symlink it for the PHP wrapper:
# mkdir /srv/http/fcgid-bin
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper
  • Edit /etc/httpd/conf/httpd.conf:
#LoadModule php5_module modules/libphp5.so
LoadModule fcgid_module modules/mod_fcgid.so
Include conf/extra/php5_fcgid.conf
  • Make sure /etc/php/php.ini has the directive enabled:
cgi.fix_pathinfo=1

and restart httpd.

Note: As of Apache 2.4 you can now use mod_proxy_fcgi (part of the official distribution) with PHP-FPM (and the new event MPM). See this configuration example.

MariaDB

  • Configure MySQL/MariaDB as described in MariaDB.
  • Uncomment at least one of the following lines in /etc/php/php.ini:
extension=pdo_mysql.so
extension=mysqli.so
Warning: As of PHP 5.5, mysql.so is deprecated and will fill up your log files.
  • You can add MySQL users with minimal privileges for your web scripts. You might also want to edit /etc/mysql/my.cnf and uncomment the skip-networking line so the MySQL server is only accessible from localhost. You have to restart MySQL for changes to take effect.
Tip: You may want to install a tool like phpMyAdmin, Adminer or mysql-workbench (AUR) to work with your databases.

External links