Difference between revisions of "Apache HTTP Server"

From ArchWiki
(Apache)
(TLS/SSL: maybe it's good for newbies to tell them that they should not forget to open port 443 in httpd.conf :))
 
(234 intermediate revisions by 69 users not shown)
Line 1: Line 1:
[[Category:Web Server]]
+
[[Category:Web server]]
[[cs:LAMP]]
+
[[cs:Apache HTTP Server]]
 
[[de:LAMP Installation]]
 
[[de:LAMP Installation]]
[[el:LAMP]]
+
[[el:Apache HTTP Server]]
[[es:LAMP]]
+
[[es:Apache HTTP Server]]
 
[[fr:Lamp]]
 
[[fr:Lamp]]
[[it:LAMP]]
+
[[it:Apache HTTP Server]]
[[pl:LAMP]]
+
[[ja:LAMP]]
[[ru:LAMP]]
+
[[ko:Apache HTTP Server]]
[[sr:LAMP]]
+
[[pl:Apache HTTP Server]]
 +
[[ru:Apache HTTP Server]]
 +
[[sr:Apache HTTP Server]]
 
[[tr:LAMP]]
 
[[tr:LAMP]]
[[zh-CN:LAMP]]
+
[[zh-cn:Apache HTTP Server]]
[http://en.wikipedia.org/wiki/LAMP_%28software_bundle%29 LAMP] refers to a common combination of software used in many web servers: '''L'''inux, '''A'''pache, '''M'''ySQL, and '''P'''HP. This article describes how to set up the [http://httpd.apache.org Apache HTTP Server] on an Arch Linux system. It also tells you how to optionally install [[PHP]] and [[MySQL]] and integrate these in the Apache server.
+
{{Related articles start}}
 +
{{Related|PHP}}
 +
{{Related|MySQL}}
 +
{{Related|PhpMyAdmin}}
 +
{{Related|Adminer}}
 +
{{Related|Xampp}}
 +
{{Related|mod_perl}}
 +
{{Related articles end}}
 +
The [[Wikipedia:Apache HTTP Server|Apache HTTP Server]], or Apache for short, is a very popular web server, developed by the Apache Software Foundation.
  
If you only need a web server for development and testing, [[Xampp]] might be a better and easier option.
+
Apache is often used together with a scripting language such as PHP and database such as MySQL. This combination is often referred to as a [[Wikipedia:LAMP (software bundle)|LAMP]] stack ('''L'''inux, '''A'''pache, '''M'''ySQL, '''P'''HP). This article describes how to set up Apache and how to optionally integrate it with [[PHP]] and [[MySQL]].
  
==Installation==
+
== Installation ==
# pacman -S apache php php-apache mysql
+
[[Install]] the {{Pkg|apache}} package.
  
This document assumes you will install Apache, PHP and MySQL together. If desired however, you may install Apache, PHP, and MySQL separately and simply refer to the relevant sections below.
+
== Configuration ==
 +
Apache configuration files are located in {{ic|/etc/httpd/conf}}. The main configuration file is {{ic|/etc/httpd/conf/httpd.conf}}, which includes various other configuration files.
 +
The default configuration file should be fine for a simple setup. By default, it will serve the directory {{ic|/srv/http}} to anyone who visits your website.
  
{{Note|New default user and group: Instead of group "nobody", apache now runs as user/group "http" by default. You might want to adjust your httpd.conf according to this change, though you may still run httpd as nobody.}}
+
To start Apache, start {{ic|httpd.service}} [[systemd#Using units|using systemd]].
  
==Configuration==
+
Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple index page.
  
===Apache===
+
For optional further configuration, see the following sections.
For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to the UID/GID specified in {{ic|/etc/httpd/conf/httpd.conf}}
+
  
* Check for the existence of the http user by looking for ''http'' in the output of the following command:
+
=== Advanced options ===
  # grep http /etc/passwd
+
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you:
 +
 
 +
User http
 +
:For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to this UID. The default user is ''http'', which is created automatically during installation.
 +
 
 +
Listen 80
 +
:This is the port Apache will listen to. For Internet-access with router, you have to forward the port.
 +
 
 +
:If you want to setup Apache for local development you may want it to be only accessible from your computer. Then change this line to {{ic|Listen 127.0.0.1:80}}.
 +
 
 +
ServerAdmin you@example.com
 +
:This is the admin's email address which can be found on e.g. error pages.
 +
 
 +
DocumentRoot "/srv/http"
 +
:This is the directory where you should put your web pages.
 +
 
 +
:Change it, if you want to, but do not forget to also change {{ic|<Directory "/srv/http">}} to whatever you changed your {{ic|DocumentRoot}} to, or you will likely get a '''403 Error''' (lack of privileges) when you try to access the new document root. Do not forget to change the {{ic|Require all denied}} line to {{ic|Require all granted}}, otherwise you will get a '''403 Error'''. Remember that the DocumentRoot directory and its parent folders must allow execution permission to others (can be set with {{ic|chmod o+x /path/to/DocumentRoot}}), otherwise you will get a '''403 Error'''.
 +
 
 +
AllowOverride None
 +
:This directive in {{ic|<Directory>}} sections causes Apache to completely ignore {{ic|.htaccess}} files. Note that this is now the default for Apache 2.4, so you need to explicitly allow overrides if you plan to use {{ic|.htaccess}} files. If you intend to use {{ic|mod_rewrite}} or other settings in {{ic|.htaccess}} files, you can allow which directives declared in that file can override server configuration. For more info refer to the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation].
 +
 
 +
{{Tip|If you have issues with your configuration you can have Apache check the configuration with: {{ic|apachectl configtest}}}}
 +
 
 +
More settings can be found in {{ic|/etc/httpd/conf/extra/httpd-default.conf}}:
 +
 
 +
To turn off your server's signature:
 +
ServerSignature Off
  
* Create the system user http if it does not exist already:
+
To hide server information like Apache and PHP versions:
  # useradd -d /srv/http -r -s /bin/false -U http
+
ServerTokens Prod
:This creates the http user with home directory {{ic|/srv/http/}}, as a system account (-r), with a bogus shell (-s {{ic|/bin/false}}) and creates a group with the same name (-U).
+
  
* Make sure the hostname is set in /etc/hosts or apache will fail to start. Alternatively, you can edit {{ic|/etc/httpd/conf/httpd.conf}} and comment the following module:
+
=== User directories ===
  LoadModule unique_id_module        modules/mod_unique_id.so
+
  
* Change {{ic|httpd.conf}} and optionally {{ic|extra/httpd-default.conf}} to your liking. For security reasons, you might want to change '''ServerTokens Full''' to '''ServerTokens Prod''' and '''ServerSignature On''' to '''ServerSignature Off''' in {{ic|extra/httpd-default.conf}}.
+
User directories are available by default through http://localhost/~yourusername/ and show the contents of {{ic|~/public_html}} (this can be changed in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}).
  
* [[Daemons#Starting manually|Start]] '''httpd''' (the Apache daemon).
+
If you do not want user directories to be available on the web, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
  
:Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple Apache test page. If you receive a 403 Error, comment out the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
 
 
  Include conf/extra/httpd-userdir.conf
 
  Include conf/extra/httpd-userdir.conf
  
* It is also possible to start '''httpd''' automatically [[Daemons#Starting on boot|at boot]].
+
{{Accuracy|It is not necessary to set {{ic|+x}} for every users, setting it only for the webserver via ACLs suffices (see [[Access Control Lists#Granting execution permissions for private files to a Web Server]]).}}
  
====User dirs====
+
You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and {{ic|~/public_html}} must be executable for others ("rest of the world"):
* If you do not want user directories to be available on the web (e.g., {{ic|~/public_html}} on the machine is accessed as http://localhost/~user/ -Note that you can change what this points to in {{ic|/etc/httpd/conf/extra/httpd-userdir.conf}}), comment the following line in {{ic|/etc/httpd/conf/httpd.conf}} since they are activated by default:
+
  Include conf/extra/httpd-userdir.conf
+
  
* You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and {{ic|~/public_html/}} must be executable for others ("rest of the world"). This seems to be enough:
+
$ chmod o+x ~
  $ chmod o+x ~
+
$ chmod o+x ~/public_html
  $ chmod o+x ~/public_html
+
$ chmod -R o+r ~/public_html
  
* More secure way to share your home folder with apache is to add '''http user''' in group that your home folder belongs. For example, if your home folder and other sub-folders in your home folder belong to group '''piter''', all you have to do is following:
+
Restart {{ic|httpd.service}} to apply any changes. See also [[Umask#Set the mask value]].
  
  $ usermod -aG piter http
+
=== TLS/SSL ===
 +
{{Warning|If you plan on implementing SSL/TLS, know that some variations and implementations are [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|vulnerable to attack]]. For details on these current vulnerabilities within SSL/TLS and how to apply appropriate changes to the web server, visit http://disablessl3.com/ and https://weakdh.org/sysadmin.html}}
 +
{{pkg|openssl}} provides TLS/SSL support and is installed by default on Arch installations.
  
* Of course, you have to give ''read'' and ''execute'' permissions on {{ic|~/}},  {{ic|~/public_html}}, and all other sub-folders in {{ic|~/public_html}} to the group members (group '''piter''' in our case). Do something like following ('''modify commands for your specific case'''):
+
In {{ic|/etc/httpd/conf/httpd.conf}}, uncomment the following three lines:
 +
  LoadModule ssl_module modules/mod_ssl.so
 +
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 +
Include conf/extra/httpd-ssl.conf
  
  $ chmod g+xr-w /home/''yourusername''
+
Don't forget to add Port 443 to your listen ports in {{ic|/etc/httpd/conf/httpd.conf}}
  $ chmod -R g+xr-w /home/''yourusername''/public_html
+
Listen 443
  
{{Note|This way you do not have to give access to your folder to every single user in order to give access to '''http user'''. Only '''http user''' and other potential users that are in '''piter''' group will have access to your home folder.}}
+
For TLS/SSL, you will need a key and certificate. If you own a public domain, you can use [[Let's Encrypt]] to obtain a certificate for free, otherwise follow [[#Create a key and (self-signed) certificate]].
  
and restart '''httpd'''.
+
After obtaining a key and certificate, make sure the {{ic|SSLCertificateFile}} and {{ic|SSLCertificateKeyFile}} lines in {{ic|/etc/httpd/conf/extra/httpd-ssl.conf}} point to the key and certificate.
  
====SSL====
+
Finally, restart {{ic|httpd.service}} to apply any changes.
Create self-signed certificate (you can change key size and days of validity)
+
  # cd /etc/httpd/conf
+
  # openssl genrsa -des3 -out server.key 1024
+
  # openssl req -new -key server.key -out server.csr
+
  # cp server.key server.key.org
+
  # openssl rsa -in server.key.org -out server.key
+
  # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+
In {{ic|/etc/httpd/conf/httpd.conf}} uncomment line
+
  Include conf/extra/httpd-ssl.conf
+
and restart '''httpd'''.
+
  
====Virtual Hosts====
+
{{Tip|Mozilla has a useful [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] which includes [https://wiki.mozilla.org/Security/Server_Side_TLS#Apache Apache specific] configuration guidelines as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.}}
If you want to have more than one host, make sure you have
+
{{bc|
+
# Virtual hosts
+
Include conf/extra/httpd-vhosts.conf
+
}}
+
in {{ic|/etc/httpd/conf/httpd.conf}}.
+
  
In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts according the example, e.g.:
+
==== Create a key and (self-signed) certificate ====
{{bc|
+
NameVirtualHost *:80
+
  
#this first virtualhost enables: http://127.0.0.1, or: http://localhost,
+
Create a private key and self-signed certificate. This is adequate for most installations that do not require a [[wikipedia:Certificate signing request|CSR]]:
#to still go to /srv/http/*index.html(otherwise it will 404_error).
+
#the reason for this: once you tell httpd.conf to include extra/httpd-vhosts.conf,
+
#ALL vhosts are handled in httpd-vhosts.conf(including the default one),
+
# E.G. the default virtualhost in httpd.conf is not used and must be included here,
+
#otherwise, only domainname1.dom & domainname2.dom will be accessible
+
#from your web browser and NOT http://127.0.0.1, or: http://localhost, etc.
+
#
+
  
<VirtualHost *:80>
+
# cd /etc/httpd/conf
    DocumentRoot "/srv/http"
+
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095
    ServerAdmin root@localhost
+
# chmod 400 server.key
    ErrorLog "/var/log/httpd/127.0.0.1-error_log"
+
    CustomLog "/var/log/httpd/127.0.0.1-access_log" common
+
    <Directory /srv/http/>
+
    DirectoryIndex index.htm index.html
+
    AddHandler cgi-script .cgi .pl
+
    Options ExecCGI Indexes FollowSymLinks MultiViews +Includes
+
    AllowOverride None
+
    Order allow,deny
+
    allow from all
+
</Directory>
+
</VirtualHost>
+
  
 +
{{Note|The -days switch is optional and RSA keysize can be as low as 2048 (default).}}
  
<VirtualHost *:80>
+
If you need to create a [[wikipedia:Certificate signing request|CSR]], follow these keygen instructions instead of the above:
    ServerAdmin your@domainname1.dom
+
    DocumentRoot "/home/username/yoursites/domainname1.dom/www"
+
    ServerName domainname1.dom
+
    ServerAlias domainname1.dom
+
    <Directory /home/username/yoursites/domainname1.dom/www/>
+
    DirectoryIndex index.htm index.html
+
    AddHandler cgi-script .cgi .pl
+
    Options ExecCGI Indexes FollowSymLinks MultiViews +Includes
+
    AllowOverride None
+
    Order allow,deny
+
    allow from all
+
</Directory>
+
</VirtualHost>
+
  
<VirtualHost *:80>
+
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key
    ServerAdmin your@domainname2.dom
+
# chmod 400 server.key
    DocumentRoot "/home/username/yoursites/domainname2.dom/www"
+
# openssl req -new -sha256 -key server.key -out server.csr
    ServerName domainname2.dom
+
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt
    ServerAlias domainname2.dom
+
 
    <Directory /home/username/yoursites/domainname2.dom/www/>
+
{{Note|For more openssl options, read the [https://www.openssl.org/docs/apps/openssl.html man page] or peruse openssl's [https://www.openssl.org/docs/ extensive documentation].}}
    DirectoryIndex index.htm index.html
+
 
    AddHandler cgi-script .cgi .pl
+
=== Virtual hosts ===
    Options ExecCGI Indexes FollowSymLinks MultiViews +Includes
+
 
    AllowOverride None
+
{{Note|You will need to add a separate <VirtualHost dommainame:443> section for virtual host SSL support.
    Order allow,deny
+
See [[#Managing many virtual hosts]] for an example file.}}
    allow from all
+
 
</Directory>
+
If you want to have more than one host, uncomment the following line in {{ic|/etc/httpd/conf/httpd.conf}}:
</VirtualHost>
+
Include conf/extra/httpd-vhosts.conf
}}
+
  
Add your virtual host names to your {{ic|/etc/hosts}} file (NOT necessary if bind is serving these domains already, but will not hurt):
+
In {{ic|/etc/httpd/conf/extra/httpd-vhosts.conf}} set your virtual hosts. The default file contains an elaborate example that should help you get started.
{{bc|127.0.0.1 domainname1.dom
+
127.0.0.1 domainname2.dom}}
+
  
and restart '''httpd'''.
+
To test the virtual hosts on you local machine, add the virtual names to your {{ic|/etc/hosts}} file:
 +
127.0.0.1 domainname1.dom
 +
127.0.0.1 domainname2.dom
  
If you setup your virtual hosts to be in your user directory, sometimes it interferes with Apache's 'Userdir' settings. To avoid problems disable 'Userdir' by commenting it out:
+
Restart {{ic|httpd.service}} to apply any changes.
{{bc|
+
# User home directories
+
#Include conf/extra/httpd-userdir.conf}}
+
  
As said above, ensure that you have the proper permissions:
+
==== Managing many virtual hosts ====
# chmod 0775 /home/yourusername/
+
  
If you have a huge amount of virtual hosts you easily want to dis- and enable, it's recommended to create one config file per virtualhost and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.
+
If you have a huge amount of virtual hosts, you may want to easily disable and enable them. It is recommended to create one configuration file per virtual host and store them all in one folder, eg: {{ic|/etc/httpd/conf/vhosts}}.
  
 
First create the folder:
 
First create the folder:
 
  # mkdir /etc/httpd/conf/vhosts
 
  # mkdir /etc/httpd/conf/vhosts
  
Then place the single config files in them:
+
Then place the single configuration files in it:
 
  # nano /etc/httpd/conf/vhosts/domainname1.dom
 
  # nano /etc/httpd/conf/vhosts/domainname1.dom
 
  # nano /etc/httpd/conf/vhosts/domainname2.dom
 
  # nano /etc/httpd/conf/vhosts/domainname2.dom
 
  ...
 
  ...
  
In the last step, "Include" the single configs in your {{ic|/etc/httpd/conf/httpd.conf}}:
+
In the last step, {{ic|Include}} the single configurations in your {{ic|/etc/httpd/conf/httpd.conf}}:
{{bc|#Enabled Vhosts:
+
#Enabled Vhosts:
Include conf/vhosts/domainname1.dom
+
Include conf/vhosts/domainname1.dom
#Include conf/vhosts/domainname1.dom}}
+
Include conf/vhosts/domainname2.dom
  
You can enable and disable single virtual hosts by commenting them out or uncommenting them.
+
You can enable and disable single virtual hosts by commenting or uncommenting them.
  
====Advanced Options====
+
A very basic vhost file will look like this:
These options in {{ic|/etc/httpd/conf/httpd.conf}} might be interesting for you:
+
  
# Listen 80
+
{{hc|/etc/httpd/conf/vhosts/domainname1.dom|<nowiki>
This is the port Apache will listen to. For Internet-access with router, you have to forward the port.
+
<VirtualHost domainname1.dom:80>
 +
    ServerAdmin webmaster@domainname1.dom
 +
    DocumentRoot "/home/user/http/domainname1.dom"
 +
    ServerName domainname1.dom
 +
    ServerAlias domainname1.dom
 +
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
 +
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common
  
If you setup Apache for local development you may want it to be only accessible from your computer. Then change this line to:
+
    <Directory "/home/user/http/domainname1.dom">
# Listen 127.0.0.1:80
+
        Require all granted
 +
    </Directory>
 +
</VirtualHost>
  
This is the admin's email-address which can be found on e.g. error-pages:
+
<VirtualHost domainname1.dom:443>
# ServerAdmin sample@sample.com
+
    ServerAdmin webmaster@domainname1.dom
 +
    DocumentRoot "/home/user/http/domainname1.dom"
 +
    ServerName domainname1.dom:443
 +
    ServerAlias domainname1.dom:443
 +
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
 +
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common
  
This is the directory where you should put your web pages:
+
    <Directory "/home/user/http/domainname1.dom">
# DocumentRoot "/srv/http"
+
        Require all granted
 +
    </Directory>
 +
   
 +
    SSLEngine on
 +
    SSLCertificateFile "/etc/httpd/conf/apache.crt"
 +
    SSLCertificateKeyFile "/etc/httpd/conf/apache.key"
 +
</VirtualHost></nowiki>}}
  
Change it, if you want to, but do not forget to also change the
+
== Extensions ==
<Directory "/srv/http">
+
to whatever you changed your DocumentRoot to, or you will likely get a 403 error (lack of privileges) when you try to access the new document root. Do not forget to change the Deny from all line, otherwise you will get 403 error too.
+
  
# AllowOverride None
+
=== PHP ===
This directive in {{ic|<Directory>}} sections causes apache to completely ignore .htaccess files. If you intend to use rewrite mod or other settings in .htaccess files, you can allow which directives declared in that file can override server configuration. For more info refer to http://httpd.apache.org/docs/current/mod/core.html#allowoverride
+
To install [[PHP]], first [[install]] the {{Pkg|php}} and {{Pkg|php-apache}} packages.
  
{{Note|If you have issues with your configuration you can have apache check the configuration with:
+
In {{ic|/etc/httpd/conf/httpd.conf}}, comment the line:
{{Ic|apachectl configtest}}}}
+
#LoadModule mpm_event_module modules/mod_mpm_event.so
 +
and uncomment the line:
 +
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
  
===PHP===
+
{{Note|1=The above is required, because {{ic|libphp7.so}} included with {{pkg|php-apache}} does not work with {{ic|mod_mpm_event}}, but will only work {{ic|mod_mpm_prefork}} instead. ({{bug|39218}})
* [[pacman|Install]] {{pkg|php-apache}} from the [[Official repositories]].
+
  
* Add these lines in {{ic|/etc/httpd/conf/httpd.conf}}:
+
Otherwise you will get the following error:
:Place this in the {{ic|LoadModule}} list anywhere after {{ic|LoadModule dir_module modules/mod_dir.so}}:
+
{{bc|1=Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
  LoadModule php5_module modules/libphp5.so
+
AH00013: Pre-configuration failed
 +
httpd.service: control process exited, code=exited status=1}}
  
:Place this at the end of the {{ic|Include}} list:
+
As an alternative, you can use {{ic|mod_proxy_fcgi}} (see [[#Using php-fpm and mod_proxy_fcgi]] below).
  Include conf/extra/php5_module.conf
+
}}
  
:Make sure that the following line is uncommented in the {{ic|<IfModule mime_module>}} section:
+
To enable PHP, add these lines to {{ic|/etc/httpd/conf/httpd.conf}}:
  TypesConfig conf/mime.types
+
*Place this in the {{ic|LoadModule}} list anywhere after {{ic|LoadModule dir_module modules/mod_dir.so}}:
 +
LoadModule php7_module modules/libphp7.so
 +
*Place this at the end of the {{ic|Include}} list:
 +
Include conf/extra/php7_module.conf
 +
*And the handler at the end of the {{ic|LoadModule}}:
 +
AddHandler php7-script php
  
:Uncomment the following line (optional):
+
Restart {{ic|httpd.service}} [[systemd#Using units|using systemd]]
  MIMEMagicFile conf/magic
+
  
* Add this line in {{ic|/etc/httpd/conf/mime.types}}:
+
To test whether PHP was correctly configured: create a file called {{ic|test.php}} in your Apache {{ic|DocumentRoot}} directory (e.g. {{ic|/srv/http/}} or {{ic|~/public_html}}) with the following contents:
  application/x-httpd-php5 php php5
+
<?php phpinfo(); ?>
 +
To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php
  
{{Note|If you do not see {{ic|libphp5.so}} in the Apache modules directory ({{ic|/etc/httpd/modules}}), you may have forgotten to install {{Pkg|php-apache}}.}}
+
For advanced configuration and extensions, please read [[PHP]].
  
* If your {{Ic|DocumentRoot}} is not {{ic|/srv/http}}, add it to {{ic|open_basedir}} in {{ic|/etc/php/php.ini}} as such:
+
==== Using php-fpm and mod_proxy_fcgi ====
  open_basedir=/srv/http/:/home/:/tmp/:/usr/share/pear/:/path/to/documentroot
+
  
* [[systemd#Using units|Restart]] '''httpd'''.
+
{{Note|Unlike the widespread setup with ProxyPass, the proxy configuration with SetHandler respects other Apache directives like DirectoryIndex. This ensures a better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid.
 +
If you still want to try ProxyPass, experiment with a line like this: {{bc|ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock&#124;fcgi://localhost/srv/http/$1}}}}
  
* Test PHP: Create the file test.php in your Apache DocumentRoot directory (e.g. {{ic|/srv/http/}} or {{ic|~/public_html}}) and inside it put:
+
[[Install]] the {{pkg|php-fpm}} package.
<?php phpinfo(); ?>
+
:See if it works: http://localhost/test.php or http://localhost/~myname/test.php
+
  
:If the PHP code is is not executed (you see : <html>...</html>), check that you have added "Includes" to the "Options" line for your root directory in {{ic|/etc/httpd/conf/httpd.conf}}. Moreover, check that {{ic|TypesConfig conf/mime.types}} is uncommented in the <IfModule mime_module> section, you may also try adding the following to the <IfModule mime_module> in httpd.conf:
+
Enable proxy modules:
AddHandler application/x-httpd-php .php
+
{{hc|/etc/httpd/conf/httpd.conf|<nowiki>
 +
LoadModule proxy_module modules/mod_proxy.so
 +
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 +
</nowiki>}}
  
====Advanced options====
+
Create {{ic|/etc/httpd/conf/extra/php-fpm.conf}} with the following content:
* It is recommended to set your timezone in {{ic|/etc/php/php.ini}} like so: ([http://www.php.net/manual/en/timezones.php list of timezones])
+
{{hc|/etc/httpd/conf/extra/php-fpm.conf|<nowiki>
{{bc|1=date.timezone = Europe/Berlin}}
+
<FilesMatch \.php$>
 +
    SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
 +
</FilesMatch>
 +
</nowiki>}}
  
* If you want to display errors to debug your php code, change {{ic|display_errors}} to {{ic|On}} in {{ic|/etc/php/php.ini}}:
+
And include it at the bottom of {{ic|/etc/httpd/conf/httpd.conf}}:
  display_errors=On
+
  Include conf/extra/php-fpm.conf
  
* If you want the libGD module, install {{Pkg|php-gd}} and uncomment {{ic|1=extension=gd.so}} in {{ic|/etc/php/php.ini}}:
+
{{Note|The pipe between {{ic|sock}} and {{ic|fcgi}} is not allowed to be surrounded by a space! {{ic|localhost}} can be replaced by any string. More [https://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html here]}}
{{Note|php-gd requires libpng, libjpeg, and freetype2}}
+
extension=gd.so
+
{{Note|Pay attention to which extension you uncomment, as this extension is sometimes mentioned in an explanatory comment before the actual line you want to uncomment.}}
+
  
* If you want the mcrypt module, install {{Pkg|php-mcrypt}} and uncomment {{ic|1=extension=mcrypt.so}} in {{ic|/etc/php/php.ini}}:
+
You can configure PHP-FPM in {{ic|/etc/php/php-fpm.d/www.conf}}, but the default setup should work fine.
extension=mcrypt.so
+
  
* Remember to add a file handler for .phtml if you need it in {{ic|/etc/httpd/conf/extra/php5_module.conf}}:
+
{{Note|
  DirectoryIndex index.php index.phtml index.html
+
If you have added the following lines to {{ic|httpd.conf}}, remove them, as they are no longer needed:
 +
  LoadModule php7_module modules/libphp7.so
 +
Include conf/extra/php7_module.conf
 +
}}
  
==== Using php5 with apache2-mpm-worker and mod_fcgid ====
+
[[Restart]] {{ic|httpd.service}} and {{ic|php-fpm.service}}.
Uncomment following in {{ic|/etc/conf.d/apache}}:
+
 
HTTPD=/usr/sbin/httpd.worker
+
==== Using apache2-mpm-worker and mod_fcgid ====
Uncomment following in {{ic|/etc/httpd/conf/httpd.conf}}:
+
[[Install]] the {{pkg|mod_fcgid}} and {{Pkg|php-cgi}} packages.
  Include conf/extra/httpd-mpm.conf
+
 
Install mod_fcgid and php-cgi packages:
+
Create the needed directory and symlink it for the PHP wrapper:
  # pacman -S mod_fcgid php-cgi
+
  # mkdir /srv/http/fcgid-bin
Create {{ic|/etc/httpd/conf/extra/php5_fcgid.conf}} with following content:
+
  # ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper
{{bc|1=
+
 
 +
Create {{ic|/etc/httpd/conf/extra/php-fcgid.conf}} with the following content:
 +
{{hc|/etc/httpd/conf/extra/php-fcgid.conf|<nowiki>
 
# Required modules: fcgid_module
 
# Required modules: fcgid_module
  
 
<IfModule fcgid_module>
 
<IfModule fcgid_module>
AddHandler php-fcgid .php
+
    AddHandler php-fcgid .php
AddType application/x-httpd-php .php
+
    AddType application/x-httpd-php .php
Action php-fcgid /fcgid-bin/php-fcgid-wrapper
+
    Action php-fcgid /fcgid-bin/php-fcgid-wrapper
ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
+
    ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
SocketPath /var/run/httpd/fcgidsock
+
    SocketPath /var/run/httpd/fcgidsock
SharememPath /var/run/httpd/fcgid_shm
+
    SharememPath /var/run/httpd/fcgid_shm
 
         # If you don't allow bigger requests many applications may fail (such as WordPress login)
 
         # If you don't allow bigger requests many applications may fail (such as WordPress login)
 
         FcgidMaxRequestLen 536870912
 
         FcgidMaxRequestLen 536870912
        PHP_Fix_Pathinfo_Enable 1
 
 
         # Path to php.ini – defaults to /etc/phpX/cgi
 
         # Path to php.ini – defaults to /etc/phpX/cgi
 
         DefaultInitEnv PHPRC=/etc/php/
 
         DefaultInitEnv PHPRC=/etc/php/
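Review bot: The added TLS/SSL step "Don't forget to add Port 443 to your listen ports" with "Listen 443" comes directly after the step that uncomments "Include conf/extra/httpd-ssl.conf", and the text never says whether that included file already carries its own Listen directive for port 443. Apache fails to start with an "Address already in use" error when the same address and port appear in two Listen directives, so the step should tell the reader to check httpd-ssl.conf first and add the line to httpd.conf only when it is missing there. The sentence also lacks a full stop and would match the rest of the page better as "Do not forget to add port 443 ...". In the same hunk, the new virtual hosts note misspells its placeholder as "<VirtualHost dommainame:443>", and the 443 example sets "ServerAlias domainname1.dom:443" although ServerAlias takes host names without a port; its certificate paths (apache.crt, apache.key) also differ from the server.crt and server.key that the key creation section writes to /etc/httpd/conf.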
Line 282: Line 293:
 
         #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
 
         #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
 
         <Location /fcgid-bin/>
 
         <Location /fcgid-bin/>
SetHandler fcgid-script
+
        SetHandler fcgid-script
Options +ExecCGI
+
        Options +ExecCGI
</Location>
+
    </Location>
 
</IfModule>
 
</IfModule>
}}
+
</nowiki>}}
  
Create needed directory and symlink for php wrapper:
+
Edit {{ic|/etc/httpd/conf/httpd.conf}}, enabling the actions module:
# mkdir /srv/http/fcgid-bin
+
  LoadModule actions_module modules/mod_actions.so
  # ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper
+
  
Edit {{ic|/etc/httpd/conf/httpd.conf}}:
+
And add the following lines:
#LoadModule php5_module modules/libphp5.so
+
 
  LoadModule fcgid_module modules/mod_fcgid.so
 
  LoadModule fcgid_module modules/mod_fcgid.so
  Include conf/extra/php5_fcgid.conf
+
  Include conf/extra/httpd-mpm.conf
Make sure {{ic|/etc/php/php.ini}} has the directive enabled:
+
Include conf/extra/php-fcgid.conf
cgi.fix_pathinfo=1
+
and [[systemd#Using_units|restart]] '''httpd'''.
+
  
{{Note|1=As of Apache 2.4 (available as [http://aur.archlinux.org/packages.php?ID=60719 AUR package]) you can now use [http://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html mod_proxy_fcgi] (part of the official distribution) with PHP-FPM (and the new event MPM). See [http://wiki.apache.org/httpd/PHP-FPM configuration example]}}
+
{{Note|
 +
If you have added the following lines to {{ic|httpd.conf}}, remove them, as they are no longer needed:
 +
LoadModule php7_module modules/libphp7.so
 +
  Include conf/extra/php7_module.conf
 +
}}
  
===MySQL===
+
[[Restart]] {{ic|httpd.service}}.
* Configure MySQL as described in [[MySQL]].
+
  
* Uncomment the following lines in {{ic|/etc/php/php.ini}} (''by removing {{ic|;}}''):
+
==== MySQL/MariaDB ====
  ;extension=mysqli.so
+
  ;extension=mysql.so
+
  
* You can add minor privileged users for your web scripts by editing the tables found in the {{ic|mysql}} database. You have to restart MySQL for changes to take effect. Do not forget to check the {{ic|mysql.user}} table: {{ic|select User,Password from mysql.user;}}. If there is a second entry for root and your hostname is left with no password set, everybody from your host probably could gain full access. Perhaps see next section for these jobs.
+
Follow the instructions in [[PHP#MySQL/MariaDB]].
  
* [[Systemd#Using units|Restart]] '''httpd'''.
+
When configuration is complete, [[restart]] {{ic|httpd.service}} to apply all the changes.
  
* You might want to edit {{ic|/etc/mysql/my.cnf}} and uncomment the {{ic|skip-networking}} line so the MySQL server is only accessible by the localhost.
+
=== HTTP2 ===
 +
 
 +
To enable HTTP/2 support, install the {{Pkg|nghttp2}} package.
 +
 
 +
Then uncomment the following line in {{ic|httpd.conf}}:
 +
LoadModule http2_module modules/mod_http2.so
 +
 
 +
And add the following line:
 +
Protocols h2 http/1.1
 +
 
 +
For more information, see the [https://httpd.apache.org/docs/2.4/mod/mod_http2.html mod_http2] documentation.
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Apache Status and Logs ===
 +
 
 +
See the status of the Apache daemon with [[systemctl]].
 +
 
 +
Apache logs can be found in  {{ic|/var/log/httpd/}}
 +
 
 +
=== Error: PID file /run/httpd/httpd.pid not readable (yet?) after start ===
 +
 
 +
Comment out the {{ic|unique_id_module}} line in {{ic|httpd.conf}}: {{ic|#LoadModule unique_id_module modules/mod_unique_id.so}}
 +
 
 +
=== Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. ===
 +
 
 +
If when loading {{ic|php7_module}} the {{ic|httpd.service}} fails, and you get an error like this in the journal:
 +
 
 +
Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
 +
 
 +
you need to replace {{ic|mpm_event_module}} with {{ic|mpm_prefork_module}}:
 +
 
 +
{{hc|/etc/httpd/conf/httpd.conf|
 +
<s>LoadModule mpm_event_module modules/mod_mpm_event.so</s>
 +
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
 +
}}
 +
 
 +
and restart {{ic|httpd.service}}.
 +
 
 +
=== AH00534: httpd: Configuration error: No MPM loaded. ===
 +
 
 +
You might encounter this error after a recent upgrade. This is only the result of a recent change in {{ic|httpd.conf}} that you might not have reproduced in your local configuration.
 +
To fix it, uncomment the following line.
 +
 
 +
{{hc|/etc/httpd/conf/httpd.conf|
 +
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
 +
}}
 +
 
 +
Also check [[#Apache_is_running_a_threaded_MPM.2C_but_your_PHP_Module_is_not_compiled_to_be_threadsafe.|the above]] if more errors occur afterwards.
 +
 
 +
=== Changing the max_execution_time in php.ini has no effect ===
 +
 
 +
If you changed the {{ic|max_execution_time}} in {{ic|php.ini}} to a value greater than 30 (seconds), you may still get a {{ic|503 Service Unavailable}} response from Apache after 30 seconds. To solve this, add a {{ic|ProxyTimeout}} directive to your http configuration right before the {{ic|<FilesMatch \.php$>}} block:
 +
 
 +
{{hc|/etc/httpd/conf/httpd.conf|
 +
ProxyTimeout 300
 +
}}
  
{{Tip|You may want to install [[PhpMyAdmin|phpmyadmin]], {{AUR|mysql-workbench}} or [[Adminer|adminer]] to work with your databases.}}
+
and restart {{ic|httpd.service}}.
  
==See also==
+
== See also ==
* [[MySQL]] - Article for MySQL
+
* [[PhpMyAdmin]] - Web frontend for MySQL typically found in LAMP environments
+
* [[Adminer]] - A full-featured database management tool which is available for MySQL, PostgreSQL, SQLite, MS SQL and Oracle
+
* [[Xampp]] - Self contained web-server that supports PHP, Perl, and MySQL
+
* [[mod_perl]] - Apache + Perl
+
  
==External links==
+
* [http://www.apache.org/ Apache Official Website]
* http://www.apache.org/
+
* [http://www.akadia.com/services/ssh_test_certificate.html Tutorial for creating self-signed certificates]
* http://www.php.net/
+
* [http://wiki.apache.org/httpd/CommonMisconfigurations Apache Wiki Troubleshooting]
* http://www.mysql.com/
+
* http://www.akadia.com/services/ssh_test_certificate.html
+
* http://wiki.apache.org/httpd/CommonMisconfigurations
+
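Review bot: The MySQL part of this revision drops both hardening hints from the old side and replaces them with only "Follow the instructions in [[PHP#MySQL/MariaDB]]". The dropped hints are checking `mysql.user` for a root entry with no password set, and uncommenting `skip-networking` in `/etc/mysql/my.cnf` so the server is only reachable from localhost. Before accepting the removal, confirm that the linked article (or [[MySQL]]) still carries both points, or keep a one-line pointer to them in the new "MySQL/MariaDB" section.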

Latest revision as of 16:43, 22 September 2016

The Apache HTTP Server, or Apache for short, is a very popular web server, developed by the Apache Software Foundation.

Apache is often used together with a scripting language such as PHP and database such as MySQL. This combination is often referred to as a LAMP stack (Linux, Apache, MySQL, PHP). This article describes how to set up Apache and how to optionally integrate it with PHP and MySQL.

Installation

Install the apache package.

Configuration

Apache configuration files are located in /etc/httpd/conf. The main configuration file is /etc/httpd/conf/httpd.conf, which includes various other configuration files. The default configuration file should be fine for a simple setup. By default, it will serve the directory /srv/http to anyone who visits your website.

To start Apache, start httpd.service using systemd.

Apache should now be running. Test by visiting http://localhost/ in a web browser. It should display a simple index page.

For optional further configuration, see the following sections.

Advanced options

These options in /etc/httpd/conf/httpd.conf might be interesting for you:

User http
For security reasons, as soon as Apache is started by the root user (directly or via startup scripts) it switches to this UID. The default user is http, which is created automatically during installation.
Listen 80
This is the port Apache will listen on. For Internet access through a router, you have to forward the port.
If you want to set up Apache for local development, you may want it to be accessible only from your computer. Then change this line to Listen 127.0.0.1:80.
ServerAdmin you@example.com
This is the admin's email address which can be found on e.g. error pages.
DocumentRoot "/srv/http"
This is the directory where you should put your web pages.
Change it, if you want to, but do not forget to also change <Directory "/srv/http"> to whatever you changed your DocumentRoot to, or you will likely get a 403 Error (lack of privileges) when you try to access the new document root. Do not forget to change the Require all denied line to Require all granted, otherwise you will get a 403 Error. Remember that the DocumentRoot directory and its parent folders must allow execution permission to others (can be set with chmod o+x /path/to/DocumentRoot), otherwise you will get a 403 Error.
AllowOverride None
This directive in <Directory> sections causes Apache to completely ignore .htaccess files. Note that this is now the default for Apache 2.4, so you need to explicitly allow overrides if you plan to use .htaccess files. If you intend to use mod_rewrite or other settings in .htaccess files, you can allow which directives declared in that file can override server configuration. For more info refer to the Apache documentation.
Tip: If you have issues with your configuration you can have Apache check the configuration with: apachectl configtest

More settings can be found in /etc/httpd/conf/extra/httpd-default.conf:

To turn off your server's signature:

ServerSignature Off

To hide server information like Apache and PHP versions:

ServerTokens Prod

User directories

User directories are available by default through http://localhost/~yourusername/ and show the contents of ~/public_html (this can be changed in /etc/httpd/conf/extra/httpd-userdir.conf).

If you do not want user directories to be available on the web, comment out the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-userdir.conf

The factual accuracy of this article or section is disputed.

Reason: It is not necessary to set +x for every user; setting it only for the web server via ACLs suffices (see Access Control Lists#Granting execution permissions for private files to a Web Server). (Discuss in Talk:Apache HTTP Server#)

You must make sure that your home directory permissions are set properly so that Apache can get there. Your home directory and ~/public_html must be executable for others ("rest of the world"):

$ chmod o+x ~
$ chmod o+x ~/public_html
$ chmod -R o+r ~/public_html

Restart httpd.service to apply any changes. See also Umask#Set the mask value.
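The traversal and read requirements described above for DocumentRoot and ~/public_html can be checked with a short script. This is an added example, not part of the wiki article; the function names are hypothetical, it assumes the http user falls in the "others" permission class, and it reads only mode bits, so access granted through ACLs is not detected.

```python
import os
import stat
import sys
from pathlib import Path


def others_blockers(target):
    """Explain why a process in the 'others' class cannot reach target.

    Assumption: the web server user (http on this page) is neither the owner
    nor in the group of these paths. Only mode bits are read, so access
    granted through POSIX ACLs is not seen.
    """
    target = Path(target).resolve()
    problems = []
    # Every directory from / down to the target must be traversable (o+x).
    for p in list(reversed(target.parents)) + [target]:
        mode = p.stat().st_mode
        if stat.S_ISDIR(mode) and not mode & stat.S_IXOTH:
            problems.append((str(p), "missing o+x (cannot traverse)"))
    # The final file or directory must also be readable (o+r).
    if not target.stat().st_mode & stat.S_IROTH:
        problems.append((str(target), "missing o+r (cannot read)"))
    return problems


def world_writable(root):
    """Return paths under root that others may modify (o+w), sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # do not follow symlinks
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    doc = sys.argv[1] if len(sys.argv) > 1 else "/srv/http"
    if not os.path.exists(doc):
        sys.exit(f"{doc}: no such path")
    for path, why in others_blockers(doc):
        print(f"{path}: {why}")
    for path in world_writable(doc):
        print(f"{path}: writable by others")
```

An empty result from others_blockers means the mode bits alone do not explain a 403; paths reported by world_writable are worth reviewing, since the page's commands only grant read and execute to others.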

TLS/SSL

Warning: If you plan on implementing SSL/TLS, know that some variations and implementations are still vulnerable to attack. For details on these current vulnerabilities within SSL/TLS and how to apply appropriate changes to the web server, visit http://disablessl3.com/ and https://weakdh.org/sysadmin.html

openssl provides TLS/SSL support and is installed by default on Arch installations.

In /etc/httpd/conf/httpd.conf, uncomment the following three lines:

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

Do not forget to add port 443 to your listen ports in /etc/httpd/conf/httpd.conf:

Listen 443

For TLS/SSL, you will need a key and certificate. If you own a public domain, you can use Let's Encrypt to obtain a certificate for free, otherwise follow #Create a key and (self-signed) certificate.

After obtaining a key and certificate, make sure the SSLCertificateFile and SSLCertificateKeyFile lines in /etc/httpd/conf/extra/httpd-ssl.conf point to the key and certificate.

Finally, restart httpd.service to apply any changes.

Tip: Mozilla has a useful SSL/TLS article which includes Apache specific configuration guidelines as well as an automated tool to help create a more secure configuration.

Create a key and (self-signed) certificate

Create a private key and self-signed certificate. This is adequate for most installations that do not require a CSR:

# cd /etc/httpd/conf
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095
# chmod 400 server.key
Note: The -days switch is optional and RSA keysize can be as low as 2048 (default).

If you need to create a CSR, follow these keygen instructions instead of the above:

# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key
# chmod 400 server.key
# openssl req -new -sha256 -key server.key -out server.csr
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt
Note: For more openssl options, read the man page or peruse openssl's extensive documentation.

Virtual hosts

Note: You will need to add a separate <VirtualHost domainname:443> section for virtual host SSL support. See #Managing many virtual hosts for an example file.

If you want to have more than one host, uncomment the following line in /etc/httpd/conf/httpd.conf:

Include conf/extra/httpd-vhosts.conf

In /etc/httpd/conf/extra/httpd-vhosts.conf set your virtual hosts. The default file contains an elaborate example that should help you get started.

To test the virtual hosts on your local machine, add the virtual names to your /etc/hosts file:

127.0.0.1 domainname1.dom 
127.0.0.1 domainname2.dom

Restart httpd.service to apply any changes.

Managing many virtual hosts

If you have a large number of virtual hosts, you may want to be able to disable and enable them easily. It is recommended to create one configuration file per virtual host and store them all in one folder, e.g. /etc/httpd/conf/vhosts.

First create the folder:

# mkdir /etc/httpd/conf/vhosts

Then place the single configuration files in it:

# nano /etc/httpd/conf/vhosts/domainname1.dom
# nano /etc/httpd/conf/vhosts/domainname2.dom
...

In the last step, include the individual configuration files in your /etc/httpd/conf/httpd.conf:

#Enabled Vhosts:
Include conf/vhosts/domainname1.dom
Include conf/vhosts/domainname2.dom

You can enable and disable single virtual hosts by commenting or uncommenting them.

A very basic vhost file will look like this:

/etc/httpd/conf/vhosts/domainname1.dom
<VirtualHost domainname1.dom:80>
    ServerAdmin webmaster@domainname1.dom
    DocumentRoot "/home/user/http/domainname1.dom"
    ServerName domainname1.dom
    ServerAlias domainname1.dom
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common

    <Directory "/home/user/http/domainname1.dom">
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost domainname1.dom:443>
    ServerAdmin webmaster@domainname1.dom
    DocumentRoot "/home/user/http/domainname1.dom"
    ServerName domainname1.dom:443
    ServerAlias domainname1.dom:443
    ErrorLog "/var/log/httpd/domainname1.dom-error_log"
    CustomLog "/var/log/httpd/domainname1.dom-access_log" common

    <Directory "/home/user/http/domainname1.dom">
        Require all granted
    </Directory>
    
    SSLEngine on
    SSLCertificateFile "/etc/httpd/conf/apache.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/apache.key"
</VirtualHost>

Extensions

PHP

To install PHP, first install the php and php-apache packages.

In /etc/httpd/conf/httpd.conf, comment the line:

#LoadModule mpm_event_module modules/mod_mpm_event.so

and uncomment the line:

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
Note: The above is required because libphp7.so, included with php-apache, does not work with mod_mpm_event and only works with mod_mpm_prefork. (FS#39218)

Otherwise you will get the following error:

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.
AH00013: Pre-configuration failed
httpd.service: control process exited, code=exited status=1
As an alternative, you can use mod_proxy_fcgi (see #Using php-fpm and mod_proxy_fcgi below).

To enable PHP, add these lines to /etc/httpd/conf/httpd.conf:

  • Place this in the LoadModule list anywhere after LoadModule dir_module modules/mod_dir.so:
LoadModule php7_module modules/libphp7.so
  • Place this at the end of the Include list:
Include conf/extra/php7_module.conf
  • And the handler at the end of the LoadModule list:
AddHandler php7-script php

Restart httpd.service using systemd.

To test whether PHP was correctly configured: create a file called test.php in your Apache DocumentRoot directory (e.g. /srv/http/ or ~/public_html) with the following contents:

<?php phpinfo(); ?>

To see if it works go to: http://localhost/test.php or http://localhost/~myname/test.php

For advanced configuration and extensions, please read PHP.

Using php-fpm and mod_proxy_fcgi

Note: Unlike the widespread setup with ProxyPass, the proxy configuration with SetHandler respects other Apache directives like DirectoryIndex. This ensures a better compatibility with software designed for libphp7, mod_fastcgi and mod_fcgid. If you still want to try ProxyPass, experiment with a line like this:
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/srv/http/$1

Install the php-fpm package.

Enable proxy modules:

/etc/httpd/conf/httpd.conf
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

Create /etc/httpd/conf/extra/php-fpm.conf with the following content:

/etc/httpd/conf/extra/php-fpm.conf
<FilesMatch \.php$>
    SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost/"
</FilesMatch>

And include it at the bottom of /etc/httpd/conf/httpd.conf:

Include conf/extra/php-fpm.conf
Note: The pipe between sock and fcgi must not be surrounded by spaces. localhost can be replaced by any string.

You can configure PHP-FPM in /etc/php/php-fpm.d/www.conf, but the default setup should work fine.

Note:

If you have added the following lines to httpd.conf, remove them, as they are no longer needed:

LoadModule php7_module modules/libphp7.so
Include conf/extra/php7_module.conf

Restart httpd.service and php-fpm.service.

Using apache2-mpm-worker and mod_fcgid

Install the mod_fcgid and php-cgi packages.

Create the needed directory and symlink it for the PHP wrapper:

# mkdir /srv/http/fcgid-bin
# ln -s /usr/bin/php-cgi /srv/http/fcgid-bin/php-fcgid-wrapper

Create /etc/httpd/conf/extra/php-fcgid.conf with the following content:

/etc/httpd/conf/extra/php-fcgid.conf
# Required modules: fcgid_module

<IfModule fcgid_module>
    AddHandler php-fcgid .php
    AddType application/x-httpd-php .php
    Action php-fcgid /fcgid-bin/php-fcgid-wrapper
    ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
    SocketPath /var/run/httpd/fcgidsock
    SharememPath /var/run/httpd/fcgid_shm
    # If you don't allow bigger requests many applications may fail (such as WordPress login)
    FcgidMaxRequestLen 536870912
    # Path to php.ini – defaults to /etc/phpX/cgi
    DefaultInitEnv PHPRC=/etc/php/
    # Number of PHP children that will be launched. Leave undefined to let PHP decide.
    #DefaultInitEnv PHP_FCGI_CHILDREN 3
    # Maximum requests before a process is stopped and a new one is launched
    #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
    <Location /fcgid-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Location>
</IfModule>

Edit /etc/httpd/conf/httpd.conf, enabling the actions module:

LoadModule actions_module modules/mod_actions.so

And add the following lines:

LoadModule fcgid_module modules/mod_fcgid.so
Include conf/extra/httpd-mpm.conf
Include conf/extra/php-fcgid.conf
Note:

If you have added the following lines to httpd.conf, remove them, as they are no longer needed:

LoadModule php7_module modules/libphp7.so
Include conf/extra/php7_module.conf

Restart httpd.service.

MySQL/MariaDB

Follow the instructions in PHP#MySQL/MariaDB.

When configuration is complete, restart httpd.service to apply all the changes.

HTTP2

To enable HTTP/2 support, install the nghttp2 package.

Then uncomment the following line in httpd.conf:

LoadModule http2_module modules/mod_http2.so

And add the following line:

Protocols h2 http/1.1

For more information, see the mod_http2 documentation.

Troubleshooting

Apache Status and Logs

See the status of the Apache daemon with systemctl.

Apache logs can be found in /var/log/httpd/

Error: PID file /run/httpd/httpd.pid not readable (yet?) after start

Comment out the unique_id_module line in httpd.conf: #LoadModule unique_id_module modules/mod_unique_id.so

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.

If httpd.service fails when loading php7_module and you get an error like this in the journal:

Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe.  You need to recompile PHP.

you need to replace mpm_event_module with mpm_prefork_module:

/etc/httpd/conf/httpd.conf
#LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

and restart httpd.service.

AH00534: httpd: Configuration error: No MPM loaded.

You might encounter this error after a recent upgrade. This is only the result of a recent change in httpd.conf that you might not have reproduced in your local configuration. To fix it, uncomment the following line.

/etc/httpd/conf/httpd.conf
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

Also check the section above on the threaded MPM error if more errors occur afterwards.
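The module combinations this article describes (exactly one MPM, prefork for libphp7, the three TLS lines, http2_module for h2) can be checked before a restart. The following is an added example, not part of the wiki article or of Apache; the function names and the sample configuration are constructed, and it inspects only the text it is given, without following Include files or <IfModule> nesting.

```python
import re

DIRECTIVE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")

# Constructed sample: event MPM with libphp7, incomplete TLS and HTTP/2 setup.
SAMPLE = """\
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule dir_module modules/mod_dir.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule php7_module modules/libphp7.so
Include conf/extra/php7_module.conf
Protocols h2 http/1.1
"""


def directives(conf_text):
    """Yield (lowercased name, argument list) for each uncommented directive."""
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # lines starting with '#' or '<' never match
        if m:
            yield m.group(1).lower(), m.group(2).split()


def lint(conf_text):
    """Return findings for the module combinations covered on this page."""
    items = list(directives(conf_text))
    mods = [a[0] for n, a in items if n == "loadmodule" and a]
    includes = [a[0] for n, a in items if n == "include" and a]
    protocols = [p.lower() for n, a in items if n == "protocols" for p in a]
    mpms = [m for m in mods if m.startswith("mpm_")]
    out = []
    if not mpms:
        out.append("no MPM loaded (AH00534)")
    elif len(mpms) > 1:
        out.append("more than one MPM loaded: " + ", ".join(mpms))
    if "php7_module" in mods and any(m != "mpm_prefork_module" for m in mpms):
        out.append("php7_module needs mpm_prefork_module (threaded MPM error)")
    if "php7_module" in mods and "proxy_fcgi_module" in mods:
        out.append("php7_module is not needed when PHP runs via mod_proxy_fcgi")
    if "ssl_module" in mods:
        if "socache_shmcb_module" not in mods:
            out.append("ssl_module loaded without socache_shmcb_module")
        if "conf/extra/httpd-ssl.conf" not in includes:
            out.append("ssl_module loaded but conf/extra/httpd-ssl.conf not included")
    if "h2" in protocols and "http2_module" not in mods:
        out.append("Protocols lists h2 but http2_module is not loaded")
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

This complements apachectl configtest, which validates syntax but does not know which combinations this article recommends.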

Changing the max_execution_time in php.ini has no effect

If you changed the max_execution_time in php.ini to a value greater than 30 (seconds), you may still get a 503 Service Unavailable response from Apache after 30 seconds. To solve this, add a ProxyTimeout directive to your http configuration right before the <FilesMatch \.php$> block:

/etc/httpd/conf/httpd.conf
ProxyTimeout 300

and restart httpd.service.

See also