Difference between revisions of "Talk:Apache HTTP Server"

From ArchWiki
Compared revision summaries: (Convert to systemd) and (SSLCertificateChainFile: new section); 62 intermediate revisions by 17 users not shown.
The following talk-page text was present in the older revision of this comparison but is no longer in the latest revision (the latest revision itself follows below):

Be advised to set "allow_url_fopen" to "On" in /etc/php/php.ini in order to upgrade/update Wordpress properly from the admin panel. (does this info belong here?) --[[User:Rataxes|Rataxes]] 14:13, 23 July 2009 (EDT)

----

hmm.. doesn't mysql come in /usr/lib/mysql not /var/lib/mysql as directed??
- ScriptDevil

== Split this article ==

I hope this is what the page is for.

In my opinion setting up LAMP should not contain detailed information about how to set up parts of LAMP. It would be cleaner to only explain how to bring these parts to work together, especially because of the explanation's integrity. Furthermore, users will then be able to find a standalone HOWTO for setting up these parts. For example, you don't have to read through this page in order to get MySQL working. Because of the mentioned integrity I think it would be best to create independent HOWTOs on how to set up MySQL, PHP and maybe even Apache and refer to them from this page.

I've started with [[MySQL]] because I know how to set it up and because some parts in this HOWTO are not needed any more and because of that are just confusing.

[[User:Harlekin|harlekin]] 21:13, 13 May 2007 (GMT+1)

== SSL Redundant Steps ==

In the steps to create a self-signed certificate, the process seems to contain unnecessary steps. Here are the relevant parts of the steps:
# The "-des3" option encrypts the key with a passphrase.
# The encrypted key is copied to server.key.org.
# The passphrase is removed.
# The rest of the process goes on to only use the decrypted version of the key, including the setting in httpd-ssl.conf

Shouldn't the "-des3" option, the "cp" line, and the line to decrypt be removed?

Also, 2048 seems to be the minimum standard key length these days. Should that also be changed?

It might also be a good idea to mention that any unencrypted version of the key needs to be protected from viewing by other users (setting its permissions correctly).

--[[User:Mister Magotchi|Mister Magotchi]] 05:07, 17 March 2012 (EDT)

== PHP: do not use mime type application/x-httpd-php ==

I would recommend deleting this advice from the article:

"Add this line in /etc/httpd/conf/mime.types:

application/x-httpd-php php php5"

Isn't the whole point of PHP to run it on the server side and turn it into text/html? Setting the MIME type as suggested here causes Firefox, for example, to offer to download the file or open it (in Notepad!!), instead of just presenting the HTML page.

--[[User:Gdweber|gdweber]] 2012 June 30

== <s> Convert to systemd </s> ==

Since Arch has officially switched to systemd, this article should probably be updated. I don't know enough about it to update the article without the danger of making it inaccurate though.

I guess it's mostly a case of replacing

rc.d start httpd

with

systemctl start httpd.service

and replacing any references to DAEMONS/rc.conf with

systemctl enable httpd.service

but additional steps may be required.

[[User:Mshenrick|Mshenrick]] ([[User talk:Mshenrick|talk]]) 16:48, 21 October 2012 (UTC)
:Converted. Close. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 08:05, 4 February 2013 (UTC)

Latest revision as of 13:35, 18 July 2016

PID-errors

Keep getting PID-errors: systemd[1]: PID file /run/httpd/httpd.pid not readable (yet?) after start. (even when modules/mod_unique_id.so is disabled)

About the PHP Installation, mod_mpm_prefork seems not the best choice: https://serverfault.com/questions/383526/how-do-i-select-which-apache-mpm-to-use/383634#383634 I would vote for mod_proxy_handler

Beta990 (talk) 15:14, 16 March 2014 (UTC)

unique_id_module

If the httpd service doesn't start, take a look at /var/log/httpd/error_log. If this line appears: -[alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "myhost" you must uncomment the line: LoadModule unique_id_module. Restart httpd and now it should work. --Nak 17:22, 22 April 2007 (GMT+1)

Using SSL

Could the SSL section be expanded to include how to use .htaccess and mod_rewrite to redirect traffic for certain sections or the whole site? I found apache2-forcing-all-inbound-traffic-to-ssl to be a useful resource in this respect. Corburn 13:58, 23 March 2012 (EDT)

User Directories

Continuing discussion from the main page, you do not have to make your home directory world-readable in order to make your public_html directory available to the web server. To minimize home directory exposure, I generally set the permission for both /home/$USER and /home/$USER/public_html to 0750 and change the group ownership to http. E.g.:

mkdir -p $HOME/public_html
chmod 0750 $HOME $HOME/public_html
chown $USER:http $HOME $HOME/public_html

That way you have given only read (descend into) permission to the web server user for both your home directory and your userdir. David C. Rankin, J.D.,P.E. -- Rankin Law Firm, PLLC (talk) 07:22, 25 August 2015 (UTC)
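The layout described in this post (0750 on both the home directory and public_html, group ownership handed to the web server's group) can be applied and then audited for leftover "other" permission bits. The script below is an added example, not part of the talk page or of any Arch package; it assumes GNU coreutils `stat -c`, and the demonstration uses the caller's own primary group in place of `http` so it runs on a machine where that group does not exist.

```shell
#!/bin/sh
# Added example: apply the 0750 + web-server-group layout to a home directory
# and its public_html, then verify that neither is accessible to "other".
# GROUP is the account the web server runs as (assumption: "http" on Arch).

# apply_userdir_perms HOME GROUP
apply_userdir_perms() {
    home=$1
    group=$2
    mkdir -p "$home/public_html" || return 1
    chmod 0750 "$home" "$home/public_html" || return 1
    chgrp "$group" "$home" "$home/public_html" || return 1
}

# other_bits PATH -> prints the octal "other" digit of PATH's mode (0 = no access)
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    # the last octal digit is the permission class for everyone else
    printf '%s\n' "${mode#${mode%?}}"
}

# check_userdir_exposure HOME GROUP
# Returns 0 when HOME and HOME/public_html are closed to "other" and owned by
# GROUP, 1 otherwise; prints what it found.
check_userdir_exposure() {
    home=$1
    group=$2
    rc=0
    for d in "$home" "$home/public_html"; do
        o=$(other_bits "$d") || return 1
        g=$(stat -c '%G' "$d") || return 1
        if [ "$o" != 0 ]; then
            echo "WORLD-ACCESSIBLE: $d (mode $(stat -c '%a' "$d"))"
            rc=1
        fi
        if [ "$g" != "$group" ]; then
            echo "WRONG GROUP: $d is owned by group $g, expected $group"
            rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "OK: $home and $home/public_html are not world-accessible"
    return $rc
}

# Demonstration on a constructed temporary home directory; the caller's primary
# group stands in for "http" so the script runs anywhere.
demo_home=$(mktemp -d)
demo_group=$(id -gn)
mkdir -p "$demo_home/public_html"
chmod 0755 "$demo_home" "$demo_home/public_html"      # the usual default: world-traversable
check_userdir_exposure "$demo_home" "$demo_group" || true   # reports WORLD-ACCESSIBLE
apply_userdir_perms "$demo_home" "$demo_group"
check_userdir_exposure "$demo_home" "$demo_group"           # reports OK
```

Mode 0750 leaves the owner full control, gives the web server group read and descend rights, and gives everyone else nothing; the check above flags any non-zero "other" digit, so a stray 0751 or 0755 from a later `chmod` shows up immediately.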

userdir disable

I think that section needs to add:

#LoadModule userdir_module modules/mod_userdir.so

to fully disable userdir.

Jabalv (talk) 18:48, 25 December 2013 (UTC)

According to http://httpd.apache.org/docs/2.4/mod/mod_userdir.html:
"User directory substitution is not active by default in versions 2.1.4 and later. In earlier versions, UserDir public_html was assumed if no UserDir directive was present."
So I think it is safe to just not include the conf. --Lonaowna (talk) 18:20, 23 August 2014 (UTC)

Which MPM to use with php-fpm and mod_proxy_fcgi?

The section about php-fpm and mod_proxy_fcgi does not say which MPM (event, prefork, worker) is optimal for this configuration. If I understand correctly (but I'm not an expert), the default mpm_event_module would be the best choice. It would be good to document this, because users coming from a mod_php / mpm_prefork_module configuration would need to actively switch back to mpm_event_module. --Marcvangend (talk) 09:24, 23 November 2015 (UTC)

The best MPM to use is to be determined by individual benchmarks. But event MPM should be good as a default.

Shouldn't this page mention the need to disallow access to root directory?

Now I'm not an admin of an Apache server, so what I'm saying here is not necessarily correct. I was just browsing through Apache docs, and I found something that might be very interesting here.

To be more exact, http://httpd.apache.org/docs/2.4/en/mod/core.html#directory states (in bold) that:


Note that the default access for <Directory "/"> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as

<Directory "/">
    Require all denied
</Directory>

and then override this for directories you want accessible. See the Security Tips page for more details.


Okay, that sounds serious. Yet this article just claims that "The default configuration file should be fine for a simple setup."

Am I right in my supposition that this recommendation should be changed to match the recommendation of Apache docs?

—This unsigned comment is by Kmph (talk) 2016-01-03T18:41:59.

Hi, thanks for your concern.
The default /etc/httpd/conf/httpd.conf provided by the Arch apache package already contains the following:
/etc/httpd/conf/httpd.conf
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>
So, there shouldn't be any issue.
Lonaowna (talk) 18:31, 3 January 2016 (UTC)
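Both of the configuration points discussed on this page (the "userdir disable" thread above and the `<Directory />` deny block quoted in this reply) can be checked mechanically against an httpd.conf. The script below is an added example, not part of the talk page or of the Arch apache package; the directive names are Apache 2.4's own, the sample configurations are constructed here, and the matching is line-based (a `Require all denied` placed in an `Include`d file would not be seen).

```shell
#!/bin/sh
# Added example: audit an httpd.conf for two hardening points raised on the
# talk page: the filesystem root must be denied, and mod_userdir should not be
# loaded unless per-user public_html directories are actually wanted.

# root_dir_denied CONF -> 0 if the <Directory /> (or "/") block contains
# "Require all denied", 1 otherwise. awk tracks whether it is inside the block.
root_dir_denied() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]+"?\/"?[[:space:]]*>/ { inroot = 1; next }
        /^[[:space:]]*<\/Directory>/                            { inroot = 0; next }
        inroot && /^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# userdir_loaded CONF -> 0 if an uncommented "LoadModule userdir_module" line
# is present, 1 otherwise (a leading "#" makes the line a comment).
userdir_loaded() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+userdir_module[[:space:]]' "$1"
}

# audit_conf CONF -> prints findings; returns the number of findings (0 = clean)
audit_conf() {
    findings=0
    if root_dir_denied "$1"; then
        echo "OK     : <Directory /> denies all access"
    else
        echo "FINDING: <Directory /> block does not contain 'Require all denied'"
        findings=$((findings + 1))
    fi
    if userdir_loaded "$1"; then
        echo "FINDING: mod_userdir is loaded (per-user public_html directories are served)"
        findings=$((findings + 1))
    else
        echo "OK     : mod_userdir is not loaded"
    fi
    return $findings
}

# Constructed sample 1: a permissive configuration (root granted, userdir on).
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
LoadModule userdir_module modules/mod_userdir.so
<Directory />
    AllowOverride none
    Require all granted
</Directory>
EOF

# Constructed sample 2: the hardened form, matching the Arch default quoted
# above, with access re-opened only for the document root.
hard_conf=$(mktemp)
cat > "$hard_conf" <<'EOF'
#LoadModule userdir_module modules/mod_userdir.so
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/srv/http">
    Require all granted
</Directory>
EOF

audit_conf "$weak_conf" || echo "$? finding(s) in the permissive config"
audit_conf "$hard_conf"    # clean
```

Run it against the real file with `audit_conf /etc/httpd/conf/httpd.conf`; a zero return means both points match the Arch default shown in the reply above, and a non-zero return is the count of deviations.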

SSLCertificateChainFile

The article says: "After obtaining a key and certificate, make sure the SSLCertificateFile and SSLCertificateKeyFile lines in /etc/httpd/conf/extra/httpd-ssl.conf point to the key and certificate."

In my experience the SSLCertificateChainFile variable also needs to be defined, at least when using Let's Encrypt. This way I fixed problems downloading stuff with wget from my server. It also improved the SSL rating of my server from B to A (via https://www.ssllabs.com/ssltest/).

Fturco (talk) 13:35, 18 July 2016 (UTC)
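Two checks on the files an httpd-ssl.conf points at follow from this page: the unencrypted private key must not be readable by other users (the "SSL Redundant Steps" post in the older revision above), and the file meant to supply the chain must actually contain the intermediate certificate(s) and not only the leaf (this section). The script below is an added example, not part of the talk page; it assumes GNU coreutils `stat -c`, and every file it writes is a constructed placeholder rather than a real key or certificate. Note that since httpd 2.4.8 SSLCertificateChainFile is deprecated and the intermediates may instead be appended to the file named by SSLCertificateFile (Let's Encrypt's fullchain.pem is exactly that), so the same certificate-count check applies to whichever file you configure.

```shell
#!/bin/sh
# Added example: sanity-check TLS material before pointing httpd-ssl.conf at it.
#  - the private key must have no group/other permission bits (0600 or 0400)
#  - the chain file must carry at least two certificates (leaf + intermediate)

# count_certs PEMFILE -> prints the number of certificate blocks in the file
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c exits 1 on zero matches
}

# key_is_private KEYFILE -> 0 if the mode's group and other digits are both 0
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# chain_file_complete CHAINFILE -> 0 if the file holds two or more certificates
chain_file_complete() {
    [ "$(count_certs "$1")" -ge 2 ]
}

# check_tls_files KEY CHAIN -> prints findings; returns the number of findings
check_tls_files() {
    findings=0
    if key_is_private "$1"; then
        echo "OK     : $1 is mode $(stat -c '%a' "$1"), not readable by other users"
    else
        echo "FINDING: $1 is mode $(stat -c '%a' "$1"); fix with: chmod 600 $1"
        findings=$((findings + 1))
    fi
    if chain_file_complete "$2"; then
        echo "OK     : $2 carries $(count_certs "$2") certificates"
    else
        echo "FINDING: $2 carries only $(count_certs "$2") certificate(s); clients may fail to build the chain"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed placeholders standing in for server.key, cert.pem and fullchain.pem.
dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END PRIVATE KEY-----' > "$dir/server.key"
chmod 644 "$dir/server.key"                      # the mistake: a world-readable decrypted key
one_cert='-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----'
printf '%s\n' "$one_cert" > "$dir/cert.pem"                   # leaf only
printf '%s\n' "$one_cert" "$one_cert" > "$dir/fullchain.pem"  # leaf + intermediate

check_tls_files "$dir/server.key" "$dir/cert.pem" || echo "$? finding(s) before fixing"
chmod 600 "$dir/server.key"
check_tls_files "$dir/server.key" "$dir/fullchain.pem"        # clean
```

On a real host, call `check_tls_files` with the paths your SSLCertificateKeyFile and SSLCertificateChainFile (or SSLCertificateFile with appended chain) lines name; a leaf-only file is the typical cause of the "incomplete chain" result on the SSL Labs test mentioned above.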