Difference between revisions of "Talk:Apache HTTP Server"

From ArchWiki
(/srv/http and other issues)
(Removal of Create a key and (self-signed) certificate section - add to initial Talk comment)
 
(46 intermediate revisions by 18 users not shown)
Line 1: Line 1:
== /srv/http and other issues ==
+
== PID-errors ==
  
It seems that the latest apache-package doesn't create the /srv/httpd directory anymore.
+
Keep getting PID-errors:
Also I have an question about the chmod's:
 
# chmod o+x /srv/http
 
# chown http:http /srv/http
 
 
 
Or is this better (more secure?):
 
# chown http:http /srv/http
 
# cd /srv/http
 
# chmod 755 /srv/http
 
# find . -type f -exec chmod 644 {} \;
 
# find . -type d -exec chmod 755 {} \;
 
 
 
Also keep getting PID-errors:
 
 
systemd[1]: PID file /run/httpd/httpd.pid not readable (yet?) after start. (even when modules/mod_unique_id.so is disabled)
 
systemd[1]: PID file /run/httpd/httpd.pid not readable (yet?) after start. (even when modules/mod_unique_id.so is disabled)
  
Line 21: Line 9:
  
 
[[User:Beta990|Beta990]] ([[User talk:Beta990|talk]]) 15:14, 16 March 2014 (UTC)
 
[[User:Beta990|Beta990]] ([[User talk:Beta990|talk]]) 15:14, 16 March 2014 (UTC)
 
== <s>allow_url_open</s> ==
 
 
Be advised to set "allow_url_fopen" to "On" in /etc/php/php.ini in order to upgrade/update Wordpress properly from the admin panel. (does this info belong here?) --[[User:Rataxes|Rataxes]] 14:13, 23 July 2009 (EDT)
 
  
 
== unique_id_module ==
 
== unique_id_module ==
Line 32: Line 16:
 
you must uncomment the line: '''LoadModule unique_id_module'''.
 
you must uncomment the line: '''LoadModule unique_id_module'''.
 
Restart httpd and now it should work. --[[User:Nak|Nak]] 17:22, 22 April 2007 (GMT+1)
 
Restart httpd and now it should work. --[[User:Nak|Nak]] 17:22, 22 April 2007 (GMT+1)
 
== <s>mysql location</s> ==
 
 
hmm.. doesnt mysql come in /usr/lib/mysql niot /var/lib/mysql as directed??
 
- ScriptDevil
 
 
== Split this article ==
 
 
I hope this is what the page is for.
 
 
In my opinion setting up LAMP should not contain detailed information about how to set up parts of LAMP. It would be cleaner to only explain how to bring these parts to work together. Especially because of the explanation's integrity. Further more because then users will be able to find a standalone HOWTO for setting up these parts. For example you don't have to read through this page order to get MySQL working. Because of the mentioned integrity I think it would be best to create independent HOWTOs on how to setup MySQL, php and maybe even apache and refer to them from this page.
 
 
I've started with [[MySQL]] because I know how to setup it and because some parts in this HOWTO are not needed any more and because of that are just confusing.
 
 
[[User:Harlekin|harlekin]] 21:13, 13. Mai 2007 (GMT+1)
 
  
 
== Using SSL ==
 
== Using SSL ==
Line 52: Line 21:
 
Could the SSL section be expanded to include how to use .htaccess and mod_rewrite to redirect traffic for certain sections or the whole site? I found [http://blackflag.wordpress.com/2006/06/13/apache2-forcing-all-inbound-traffic-to-ssl/ apache2-forcing-all-inbound-traffic-to-ssl] to be a useful resource in this respect. [[User:Corburn|Corburn]] 13:58, 23 March 2012 (EDT)
 
Could the SSL section be expanded to include how to use .htaccess and mod_rewrite to redirect traffic for certain sections or the whole site? I found [http://blackflag.wordpress.com/2006/06/13/apache2-forcing-all-inbound-traffic-to-ssl/ apache2-forcing-all-inbound-traffic-to-ssl] to be a useful resource in this respect. [[User:Corburn|Corburn]] 13:58, 23 March 2012 (EDT)
  
== <s>PHP: do not use mime type application/x-httpd-php</s> ==
+
== User Directories ==
  
I would recommend deleting this advice from the article:
+
Continuing discussion from the main page, you do '''not''' have to make your home directory ''world-readable'' in order to make your ''public_html'' directory available to the web server. To minimize home directory exposure, I generally set the permission for both ''/home/$USER'' and ''/home/$USER/public_html'' to '''0750''' and change the group ownership to '''http'''. E.g.:
  
"Add this line in /etc/httpd/conf/mime.types:
+
mkdir -p $HOME/public_html
 +
chmod 0750 $HOME $HOME/public_html
 +
chown $USER:http $HOME $HOME/public_html
  
application/x-httpd-php php php5"
+
That way you have given only '''read''' (descend into) permission to the web server user for both your home directory and your userdir. [[User:Drankinatty|David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC]] ([[User talk:Drankinatty|talk]]) 07:22, 25 August 2015 (UTC)
 
 
Isn't the whole point of PHP to run it on the server side and turn it into text/html?  Setting the MIME type as suggested here causes Firefox, for example, to offer to download the file or open it (in Notepad!!), instead of just presenting the HTML page.
 
 
 
--[[User:Gdweber|gdweber]] 2012 June 30
 
 
 
:You are right, I've removed this line. --[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 09:32, 10 March 2014 (UTC)
 
 
 
== <s>Wrong argument order?</s> ==
 
<div style="border-style: dotted;">
 
# usermod -aG http piter
 
</div>
 
Seems like usermod accepts group as first argument and user as second, unlike gpasswd. Please check. [[User:Axper|axper]] ([[User talk:Axper|talk]]) 12:06, 30 August 2013 (UTC)
 
 
 
:I've removed the entire section as it doesn't add anything compared to the other method. --[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 09:33, 10 March 2014 (UTC)
 
  
 
== userdir disable ==
 
== userdir disable ==
Line 82: Line 39:
 
[[User:Jabalv|Jabalv]] ([[User talk:Jabalv|talk]]) 18:48, 25 December 2013 (UTC)
 
[[User:Jabalv|Jabalv]] ([[User talk:Jabalv|talk]]) 18:48, 25 December 2013 (UTC)
  
== apache 2.4 upgrade==
+
:According to [http://httpd.apache.org/docs/2.4/mod/mod_userdir.html]:
 +
:"User directory substitution is not active by default in versions 2.1.4 and later. In earlier versions, UserDir public_html was assumed if no UserDir directive was present."
 +
:So I think it is safe to just not include the conf. --[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 18:20, 23 August 2014 (UTC)
 +
 
 +
== Which MPM to use with php-fpm and mod_proxy_fcgi? ==
 +
 
 +
The section about php-fpm and mod_proxy_fcgi does not say which MPM (event, prefork, worker) is optimal for this configuration. If I understand correctly (but I'm not an expert), the default mpm_event_module would be the best choice. It would be good to document this, because users coming from a mod_php / mpm_prefork_module configuration would need to actively switch back to mpm_event_module. --[[User:Marcvangend|Marcvangend]] ([[User talk:Marcvangend|talk]]) 09:24, 23 November 2015 (UTC)
 +
 
 +
The best MPM to use is to be determined by individual benchmarks. But event MPM should be good as a default.
  
PHP breaks with apache2.4 install due to the PHP not being "threadsafe" by default, and MPM in apache being turned on by default, and is now core apache. PHP_ZTS[https://aur.archlinux.org/packages/php_zts/] in AUR fixes this. this is simply php recompiled.
+
--------------
  
:You can also get PHP to work by using the {{ic|mod_mpm_prefork}} as described in the first note in the PHP configuration section. You are right that you can also create an thread-safe PHP, but this is not recommended by PHP devs.[http://www.php.net/manual/en/install.unix.apache2.php] I think way currently described is the "right" way, but I'm not sure about that. --[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 09:25, 10 March 2014 (UTC)
+
:A good start would be to, at least, describe what MPMs are and what their main use is, since the term is used multiple times in the article. Something like:
 +
:Apache can be configured to use _one_ of several Multi-Processing Modules ([https://httpd.apache.org/docs/2.2/mpm.html MPM]s), which affect performance and the way it allocates resources in response to requests. mpm-prefork: ... mpm-worker: ... mpm-event: ...
 +
:https://tweaked.io/guide/apache2/ has a short summary of MPM specifics; but we should put up something more informative. :--[[User:Nodiscc|Nodiscc]] ([[User talk:Nodiscc|talk]]) 02:54, 18 November 2017 (UTC)
  
== SSL Produces Syntax Errors When Following Guide ==
+
--------------
  
Hi everybody,
+
== Removal of Create a key and (self-signed) certificate section ==
Apache 2.4 sure did a number on a few of my dev servers, but oh well, it's Arch :)
 
  
Anyways, I decided to go back to this guide to see if I could simply remove all related packages to the LAMP server, double check that all old conf files are removed, then I started following this guide again to see if I can get my database server running again. (just in-house tracking of some misc. data, nothing too serious...)
+
At first, I tried following the suggested [[OpenSSL#Certificates]] section instead (as per recommendation in the banner), but found it confusing, at least in the context of setting up an Apache server. After reading [[OpenSSL#Certificates]] I still wasn't sure which output is which, had to go and check with the man pages, Apache docs and search on the internet to be certain (which defeats the purpose of having it on the wiki).  
  
So far, I can make it to the SSL configuration portion of Apache just fine, but once I've generated the keys, uncomment the line "Include conf/extra/httpd-ssl.conf", and restart httpd, I get the following errors regarding syntax issues with SSLChiper every time:
+
On the other hand, examples provided in current [[Apache HTTP Server#Create a key and (self-signed) certificate]] are short and to the point, relevant to Apache server configuration. '''server.key''' and '''server.crt''' output names are self-explanatory. My vote is for this section to stay as it is and provide a link to [[OpenSSL#Certificates]] for further information. [[User:Romstor|Romstor]] ([[User talk:Romstor|talk]]) 13:04, 25 September 2018 (UTC)
  
AH00526: Syntax error on line 51 of /etc/httpd/conf/extra/httpd-ssl.conf:
+
--------------
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module not included in the server configuration
 
  
I'm not sure if there's another "legacy" portion from the Apache 2.2 that I've since removed, or if there's something that needs fixed on the guide itself. Any advice would be appreciated! :)
+
I do agree with [[User:Romstor|Romstor]] on that point. This section should be kept as is because it really helps saving time for a lot of people. [[User:Aviallon|Aviallon]] ([[User talk:Aviallon|talk]]) 18:34, 21 February 2019 (UTC)
  
Thanks,
+
--------------
[[User:Snellsg|Snellsg]] ([[User talk:Snellsg|talk]]) 18:58, 15 March 2014 (UTC)
 
  
:Hi! You need to install {{pkg|openssl}} and uncomment the following line in {{ic|httpd.conf}}:
+
This section should be kept and information related to obtaining a certificate from, e.g. the CAcert.org website or other legitimate authority should be added. Why? There are many instances where a self-signed certificate is fine for back-office or intra-office use (e.g. an internal fax-server, etc..). Direction should also be provided for obtaining and installing legitimate non-self-signed certificates for internet facing servers. Further the current TLS page where all "certificate" wiki searches link is abysmal. It has very little actual information and is more a collection of links to 3rd-party sites. [[User:Drankinatty|David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC]] ([[User talk:Drankinatty|talk]]) 19:21, 26 March 2019 (UTC)
:{{bc|#LoadModule ssl_module modules/mod_ssl.so}}
 
:This line was uncommented by default in the old config file. I think this was changed with 2.4.
 
:I will add this to the page. --[[User:Lonaowna|Lonaowna]] ([[User talk:Lonaowna|talk]]) 19:56, 15 March 2014 (UTC)
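Review bot: the reply added under "Which MPM to use with php-fpm and mod_proxy_fcgi?" ("The best MPM to use is to be determined by individual benchmarks. But event MPM should be good as a default.") has no signature or timestamp, so readers cannot tell who answered or when. Sign it with ~~~~ and indent it with a leading colon like the other replies in this hunk. The added "--------------" separator lines are also unnecessary between comments that are already signed.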
 

Latest revision as of 19:24, 26 March 2019

PID-errors

Keep getting PID-errors: systemd[1]: PID file /run/httpd/httpd.pid not readable (yet?) after start. (even when modules/mod_unique_id.so is disabled)

About the PHP Installation, mod_mpm_prefork seems not the best choice: https://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 I would vote for mod_proxy_handler

Beta990 (talk) 15:14, 16 March 2014 (UTC)

unique_id_module

If the httpd service doesn't start, take a look at /var/log/httpd/error_log. If this line appears: -[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "myhost" you must uncomment the line: LoadModule unique_id_module. Restart httpd and now it should work. --Nak 17:22, 22 April 2007 (GMT+1)

Using SSL

Could the SSL section be expanded to include how to use .htaccess and mod_rewrite to redirect traffic for certain sections or the whole site? I found apache2-forcing-all-inbound-traffic-to-ssl to be a useful resource in this respect. Corburn 13:58, 23 March 2012 (EDT)

User Directories

Continuing discussion from the main page, you do not have to make your home directory world-readable in order to make your public_html directory available to the web server. To minimize home directory exposure, I generally set the permission for both /home/$USER and /home/$USER/public_html to 0750 and change the group ownership to http. E.g.:

mkdir -p $HOME/public_html
chmod 0750 $HOME $HOME/public_html
chown $USER:http $HOME $HOME/public_html

That way you have given only read (descend into) permission to the web server user for both your home directory and your userdir. David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC (talk) 07:22, 25 August 2015 (UTC)
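
A check for the layout described in the comment above, added here as an example (it is not part of the original discussion or of ArchWiki). The function name `audit_userdir` and its finding labels are hypothetical, and GNU coreutils `stat` is assumed; the demo uses a constructed temporary directory with the caller's own group standing in for `http`.

```shell
#!/bin/sh
# Added example, not from the discussion above. Assumes GNU coreutils stat.

# audit_userdir HOME_DIR WEB_GROUP   (hypothetical helper)
# Checks HOME_DIR and HOME_DIR/public_html against the 0750 + web-group
# layout: prints one finding per problem, succeeds only when there are none.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_userdir() (
    home_dir=$1
    web_group=$2
    rc=0
    for dir in "$home_dir" "$home_dir/public_html"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$dir")    # octal mode, e.g. 750
        group=$(stat -c '%G' "$dir")   # owning group name
        # Lowest octal digit: any bit set means every local user gets access.
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "EXPOSED  $dir (mode $mode) is open to other users"
            rc=1
        fi
        # Group execute bit (010): without it the web server cannot descend.
        if [ $(( 0$mode & 010 )) -eq 0 ]; then
            echo "BLOCKED  $dir (mode $mode) is not traversable by its group"
            rc=1
        fi
        if [ "$group" != "$web_group" ]; then
            echo "WRONGGRP $dir is owned by group $group, expected $web_group"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# Constructed demo: a throwaway directory stands in for /home/$USER and the
# caller's primary group stands in for "http".
demo_home=$(mktemp -d)
mkdir -p "$demo_home/public_html"
chmod 0750 "$demo_home" "$demo_home/public_html"
audit_userdir "$demo_home" "$(id -gn)" && echo "OK: closed to other, group can traverse"
rm -rf "$demo_home"
```

On a real system the call would be `audit_userdir "$HOME" http`.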

userdir disable

I think that section needs to add:

#LoadModule userdir_module modules/mod_userdir.so

to fully disable userdir.

Jabalv (talk) 18:48, 25 December 2013 (UTC)

According to [1]:
"User directory substitution is not active by default in versions 2.1.4 and later. In earlier versions, UserDir public_html was assumed if no UserDir directive was present."
So I think it is safe to just not include the conf. --Lonaowna (talk) 18:20, 23 August 2014 (UTC)

Which MPM to use with php-fpm and mod_proxy_fcgi?

The section about php-fpm and mod_proxy_fcgi does not say which MPM (event, prefork, worker) is optimal for this configuration. If I understand correctly (but I'm not an expert), the default mpm_event_module would be the best choice. It would be good to document this, because users coming from a mod_php / mpm_prefork_module configuration would need to actively switch back to mpm_event_module. --Marcvangend (talk) 09:24, 23 November 2015 (UTC)

The best MPM to use is to be determined by individual benchmarks. But event MPM should be good as a default.


A good start would be to, at least, describe what MPMs are and what their main use is, since the term is used multiple times in the article. Something like:
Apache can be configured to use _one_ of several Multi-Processing Modules (MPMs), which affect performance and the way it allocates resources in response to requests. mpm-prefork: ... mpm-worker: ... mpm-event: ...
https://tweaked.io/guide/apache2/ has a short summary of MPM specifics; but we should put up something more informative. --Nodiscc (talk) 02:54, 18 November 2017 (UTC)

Removal of Create a key and (self-signed) certificate section

At first, I tried following the suggested OpenSSL#Certificates section instead (as per recommendation in the banner), but found it confusing, at least in the context of setting up an Apache server. After reading OpenSSL#Certificates I still wasn't sure which output is which, had to go and check with the man pages, Apache docs and search on the internet to be certain (which defeats the purpose of having it on the wiki).

On the other hand, examples provided in current Apache HTTP Server#Create a key and (self-signed) certificate are short and to the point, relevant to Apache server configuration. server.key and server.crt output names are self-explanatory. My vote is for this section to stay as it is and provide a link to OpenSSL#Certificates for further information. Romstor (talk) 13:04, 25 September 2018 (UTC)


I do agree with Romstor on that point. This section should be kept as is because it really helps save time for a lot of people. Aviallon (talk) 18:34, 21 February 2019 (UTC)


This section should be kept and information related to obtaining a certificate from, e.g. the CAcert.org website or other legitimate authority should be added. Why? There are many instances where a self-signed certificate is fine for back-office or intra-office use (e.g. an internal fax-server, etc.). Direction should also be provided for obtaining and installing legitimate non-self-signed certificates for internet-facing servers. Further, the current TLS page where all "certificate" wiki searches link is abysmal. It has very little actual information and is more a collection of links to 3rd-party sites. David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC (talk) 19:21, 26 March 2019 (UTC)