Let's take a look at Apache for LinuC Level 2 study. To be honest, I never paid much attention to the detailed settings, because a working server can be had simply by installing it with yum. If you edit httpd.conf and check it with `apachectl configtest`, any mistake produces an error message starting with an AH error code, so it is relatively easy to get started.
Personally, I always install with yum, so for building from source please refer to the article below (configure, compile, install).
You also need to install APR and APR-util to compile from source.
```console
# yum install -y httpd
```
File | Explanation |
---|---|
/etc/httpd/conf/httpd.conf | Main configuration file |
/etc/httpd/conf.d | Directory for auxiliary configuration files |
ssl.conf | SSL/TLS settings |
php.conf | PHP module settings |
perl.conf | Perl module settings |
## httpd.conf
Basic format:
```apache
DirectiveName value
```
When limiting the scope of application:
```apache
<Files filename> ... </Files>
<Directory directory-name> ... </Directory>
<Location URL> ... </Location>
```
Directive | Explanation |
---|---|
ServerTokens | Version information sent in the Server response header |
ServerRoot | Top directory |
ServerName | Host name |
ServerAdmin | Administrator's mail address |
StartServers | Number of child processes at startup |
MinSpareServers | Minimum number of idle child processes |
MaxSpareServers | Maximum number of idle child processes |
ServerLimit | Upper limit on the number of child processes that can be configured |
Timeout | Time after which a connection from a client times out |
KeepAlive | Enable/disable keep-alive |
MaxKeepAliveRequests | Maximum number of requests per TCP connection |
KeepAliveTimeout | Time to wait for the next request on one TCP connection |
Listen | Listening port |
User | User the child processes run as |
Group | Group the child processes run as |
DocumentRoot | Document root directory |
UserDir | Public directory for ordinary users |
DirectoryIndex | File name returned as the directory index |
ErrorLog | Log file that records errors |
LogLevel | Log level of the error log |
LogFormat | Items and format to log |
CustomLog | Access log |
HostnameLookups | Perform a reverse DNS lookup to get the host name from the client's IP address |
Alias | Makes locations outside the document root tree referenceable |
ScriptAlias | CGI script directory |
ErrorDocument | Specifies what to do when an error occurs |
To use an external file (.htaccess) to override the httpd.conf settings, specify its name with the **AccessFileName** directive.
httpd.conf
```apache
AccessFileName .htaccess
```
To allow the use of external configuration files, specify what they may override with the **AllowOverride** directive.
The following example enables authentication and access control in .htaccess.
httpd.conf
```apache
AllowOverride AuthConfig Limit
```
Option | Explanation |
---|---|
AuthConfig | Authentication directives |
Indexes | DirectoryIndex and related directives |
FileInfo | Directives controlling document types |
Limit | Order, Allow, Deny (host access control) |
Options | Options directive |
None | Disable all changes in .htaccess |
All | Enable all overridable settings in .htaccess |
## apachectl
Subcommand | Explanation |
---|---|
start | Start |
stop | Stop |
restart | Restart |
graceful | Start if stopped; otherwise restart gracefully, letting in-progress requests finish |
reload | Reload the configuration file |
configtest | Check the syntax of the configuration file |
To load a module, specify:
httpd.conf
```apache
LoadModule perl_module modules/mod_perl.so
```
Use **apxs** to compile and install a module after Apache is installed, then add it with the LoadModule directive as above. apxs is provided by the httpd-devel package.
```console
# yum install httpd-devel
# apxs -i -c mod_foobar.c
```
Use **httpd -l** to list the modules compiled into the httpd binary, and **httpd -M** to list all loaded modules (compiled-in and DSO); since httpd -M parses the configuration, it also reports syntax errors in the config file.
```console
# httpd -l
# httpd -M
```
Let's take a look at PHP, which is often used for web applications.
```console
# yum install -y php
```
This adds the file /etc/httpd/conf.d/php.conf.
Create a file like the one below and restart Apache to check that PHP works. Note that phpinfo() discloses the PHP version, loaded modules and file paths, so remove the file once you have confirmed the setup.
/var/www/html/phpinfo.php
```php
<?php
phpinfo();
?>
```
To use BASIC authentication, add user authentication settings to httpd.conf and prepare a dedicated password file.
Directive | Explanation |
---|---|
AuthType | Basic |
AuthName | Message shown in the browser's authentication dialog (the realm) |
AuthUserFile | Password file name |
AuthGroupFile | Group file name used for authentication |
Require | Users allowed access; with valid-user, every user that has an entry in the password file is allowed |
httpd.conf
```apache
<Directory "/var/www/html/private-area">
    AuthType Basic
    AuthName "Please enter your ID and password"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
</Directory>
```
Use **htpasswd** to set the user and password used for authentication. The -c option creates the file, so omit it when adding further users or the existing entries are overwritten.
```console
# htpasswd -c /etc/httpd/conf/.htpasswd linuc
New password:
Re-type new password:
Adding password for user linuc
# cat /etc/httpd/conf/.htpasswd
linuc:$apr1$szHx1lmc$PVMPwHwo/7T0bnlbRhAFP0
```
To apply BASIC authentication per group, specify the group file in AuthGroupFile.
The format of the group file is as follows.
```text
groupname: user1 user2 ...
```
Each listed user must also have a password set with htpasswd.
In Require, specify the group name in the following format.
```apache
Require group groupname
```
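The following is an added example, not code from the original article: a small Python audit script that reads an htpasswd file and a group file in the formats shown above, evaluates `Require valid-user`, `Require user` and `Require group` the way the text describes them (a group member must also have an entry in the password file), and reports accounts whose stored hash is not bcrypt. The two sample files are constructed here; the `linuc` line reuses the hash printed above, while the `alice` and `bob` hashes are made-up strings in the formats that `htpasswd -B` (bcrypt, `$2y$`) and `htpasswd -s` (`{SHA}`) write.

```python
import re

# Constructed sample files (not from the article). The linuc line reuses the
# hash shown above; the alice/bob values are made-up placeholders in the
# formats htpasswd writes for -B (bcrypt) and -s (SHA-1).
HTPASSWD_TEXT = """\
# comment lines and blank lines are ignored
linuc:$apr1$szHx1lmc$PVMPwHwo/7T0bnlbRhAFP0
alice:$2y$05$CONSTRUCTEDbcryptHashValueXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
bob:{SHA}CONSTRUCTEDsha1HashValue000=
"""

HTGROUP_TEXT = """\
admins: alice linuc
staff: bob carol
"""


def parse_htpasswd(text):
    """Return {user: hash} from an htpasswd-format file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, pw_hash = line.partition(":")
        entries[user] = pw_hash
    return entries


def parse_htgroup(text):
    """Return {group: set(users)} from a 'group: user1 user2 ...' file."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        groups[group.strip()] = set(members.split())
    return groups


def hash_scheme(pw_hash):
    """Classify the stored hash; only bcrypt is a modern password hash."""
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"      # htpasswd default (-m)
    if pw_hash.startswith("{SHA}"):
        return "sha1"          # htpasswd -s, unsalted
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw_hash):
        return "crypt"         # htpasswd -d, traditional DES crypt
    return "plain"


def require_allows(rule, user, users, groups):
    """Evaluate one Require rule for a user who has already authenticated.

    Supports 'valid-user', 'user a b ...' and 'group g1 g2 ...'. A user who
    is listed in a group but has no password entry is never allowed, since
    authentication against the password file happens first.
    """
    if user not in users:
        return False
    words = rule.split()
    if words == ["valid-user"]:
        return True
    if words[0] == "user":
        return user in words[1:]
    if words[0] == "group":
        return any(user in groups.get(g, set()) for g in words[1:])
    raise ValueError(f"unsupported Require rule: {rule}")


def weak_accounts(users):
    """Users whose stored hash is not bcrypt (re-create them with htpasswd -B)."""
    return sorted(u for u, h in users.items() if hash_scheme(h) != "bcrypt")


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_TEXT)
    groups = parse_htgroup(HTGROUP_TEXT)
    for rule in ("valid-user", "user bob", "group admins", "group staff"):
        allowed = [u for u in users if require_allows(rule, u, users, groups)]
        print(f"Require {rule:<13} -> {allowed}")
    print("accounts without bcrypt hashes:", weak_accounts(users))
```

Run it against a real `.htpasswd` by replacing the constructed strings with the file contents; `carol` in the sample shows the case of a group member with no password entry, who is rejected regardless of the group rule.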
Directive | Explanation |
---|---|
AuthType | Digest |
AuthName | Realm (area) of authentication |
AuthUserFile | Password file name |
AuthDigestGroupFile | Group file name used for authentication |
Require | Users allowed access; with valid-user, every user that has an entry in the password file is allowed |
httpd.conf
```apache
<Directory "/var/www/html/secret-area">
    AuthType Digest
    AuthName "secret-area"
    AuthUserFile /etc/httpd/conf/.htdigest
    Require valid-user
</Directory>
```
Use **htdigest** to create a user or change a password for digest authentication. The realm given on the command line must match the AuthName in httpd.conf.
```console
# htdigest -c /etc/httpd/conf/.htdigest secret-area linuc2
Adding password for linuc2 in realm secret-area.
New password:
Re-type new password:
# cat /etc/httpd/conf/.htdigest
linuc2:secret-area:2b2b3ade579cc9e0121b4f1df227db6b
```
To control access by IP address, host name, domain name, etc., use the **Require** directive. This feature is provided by **authz_host_module**.
For example, to deny access from 172.31.0.0/16 and allow access from all other hosts, specify:
```apache
<RequireAll>
    Require all granted
    Require not ip 172.31.0.0/16
</RequireAll>
```
The `<RequireAll>` container is required here: Require lines written side by side are combined as `<RequireAny>`, where `Require all granted` alone already admits every client, and a negated `Require not` can only deny, never grant.
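The following is an added example, not code from the original article. It is a simplified Python model of how mod_authz_core combines `Require` lines: each rule votes granted, denied or neutral; `not` turns a match into a denial and a non-match into a neutral vote; `<RequireAll>` denies if any rule denies, and `<RequireAny>` grants if any rule grants. Only `all granted`, `all denied` and `ip` rules are modelled, and the three-way vote is an assumption about the semantics rather than a copy of the Apache source. It shows why the two Require lines above need the `<RequireAll>` wrapper to actually block 172.31.0.0/16.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def eval_rule(rule, client):
    """Evaluate one Require line (without the word 'Require') for a client.

    client is an ipaddress address object. 'not' can never grant: a match
    becomes denied and a non-match becomes neutral.
    """
    words = rule.split()
    negate = words[0] == "not"
    if negate:
        words = words[1:]
    if words == ["all", "granted"]:
        result = GRANTED
    elif words == ["all", "denied"]:
        result = DENIED
    elif words[0] == "ip":
        nets = [ipaddress.ip_network(w, strict=False) for w in words[1:]]
        result = GRANTED if any(client in n for n in nets) else DENIED
    else:
        raise ValueError(f"unsupported Require rule: {rule}")
    if negate:
        result = DENIED if result == GRANTED else NEUTRAL
    return result


def eval_container(kind, rules, client):
    """Combine rule votes like <RequireAll> or <RequireAny> (the default)."""
    results = [eval_rule(r, client) for r in rules]
    if kind == "RequireAll":
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if kind == "RequireAny":
        return GRANTED if GRANTED in results else DENIED
    raise ValueError(f"unknown container: {kind}")


def access_allowed(kind, rules, client_ip):
    """True only when the combined vote is 'granted'; neutral is not enough."""
    client = ipaddress.ip_address(client_ip)
    return eval_container(kind, rules, client) == GRANTED


# The two Require lines from the example above.
RULES = ["all granted", "not ip 172.31.0.0/16"]

if __name__ == "__main__":
    for client in ("172.31.4.7", "10.0.0.5"):
        bare = access_allowed("RequireAny", RULES, client)    # lines without a container
        wrapped = access_allowed("RequireAll", RULES, client)  # inside <RequireAll>
        print(f"{client:<12} bare lines: {bare!s:<5} inside <RequireAll>: {wrapped}")
```

With the bare lines, 172.31.4.7 is still admitted because `all granted` wins the `RequireAny` vote; inside `<RequireAll>` the negated ip rule's denial takes precedence and only clients outside the subnet get through.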
You can manage multiple websites on one host.
Name-based virtual hosts: one IP address and multiple domains on one host. Describe each site in a **VirtualHost** directive. With proper DNS settings, each website operates independently.
```apache
<VirtualHost *:80>
    ServerName web.example.com
    DocumentRoot /var/www/virtual/web
</VirtualHost>
<VirtualHost *:80>
    ServerName www.example.net
    DocumentRoot /var/www/virtual/example
</VirtualHost>
```
IP-based virtual hosts: multiple IP addresses and multiple domains on one host. Describe each site in a **VirtualHost** directive. Each IP address must also be specified in the **Listen** directive.
```apache
Listen 192.168.1.10:80
Listen 192.168.1.11:80
<VirtualHost 192.168.1.10:80>
    ServerName web.example.com
    DocumentRoot /var/www/virtual/web
</VirtualHost>
<VirtualHost 192.168.1.11:80>
    ServerName www.example.net
    DocumentRoot /var/www/virtual/example
</VirtualHost>
```
**mod_status**: information about server activity
```apache
LoadModule status_module modules/mod_status.so
<Location /server-status>
    SetHandler server-status
</Location>
```
**mod_info**: information about the server configuration
```apache
LoadModule info_module modules/mod_info.so
<Location /server-info>
    SetHandler server-info
</Location>
```
Both handlers reveal internal details (active requests, loaded modules, the parsed configuration), so restrict each Location with a Require directive to administrative hosts rather than leaving it reachable by everyone.
## SSL/TLS
SSL/TLS is supported by **mod_ssl**.
You need to obtain a server certificate from a certificate authority:
1. Create a key pair (private key and public key).
2. Send the public key, as a certificate signing request, to the certificate authority (CA) together with documents proving the identity of the requesting company.
3. The CA issues a certificate and returns it. (The web server uses this certificate to identify itself to the web browser.)
4. Install the returned certificate on the web server.
Server certificates are issued for IP addresses or domain names. Here we use a self-signed certificate: you act as your own certificate authority and sign the certificate with it. On CentOS a script called CA.sh is provided in the directory where SSL is installed, so copy it and run it interactively.
```console
# cd /etc/pki/tls/misc
# ./CA -newca
```
This creates the following files:
Private key: /etc/pki/CA/private/cakey.pem
CA certificate (public key): /etc/pki/CA/cacert.pem
Create the server private key **server.key** required to build an SSL-enabled HTTP server.
```console
# openssl genrsa -out server.key 2048
```
Create a certificate signing request (CSR) **server.csr** that asks the certificate authority to issue a certificate.
```console
# openssl req -new -key server.key -out server.csr
```
The CA signs the certificate signing request and creates the server certificate **server.crt**.
```console
# openssl ca -out server.crt -infiles server.csr
```
Move the server private key and server certificate to the appropriate directories and put the required settings in httpd.conf.
SSL/TLS related directives | Explanation |
---|---|
SSLEngine | Enable/disable |
SSLProtocol | Protocol versions |
SSLCipherSuite | Cipher suites (cryptographic algorithms) |
SSLCertificateFile | Server certificate file |
SSLCertificateKeyFile | Server private key file |
SSLCertificateChainFile | Intermediate CA certificate file |
SSLCACertificateFile | CA certificate file used to verify client certificates |
SSLCACertificatePath | Directory of CA certificates used to verify client certificates |
SSLVerifyClient | Level of client certificate verification |
```apache
LoadModule ssl_module modules/mod_ssl.so
Listen 443 https
<VirtualHost _default_:443>
    ServerName www.example.net:443
    DocumentRoot "/var/www/html"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA:!DH
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>
```
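The following is an added example, not code from the original article. It is a small Python checker for the SSL directives above: it expands an `SSLProtocol` value (`all`, `+name`, `-name`) into the set of enabled protocol versions and flags those that are deprecated (SSLv3 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996), and it flags a cipher string that includes 3DES (64-bit block cipher, the SWEET32 attack). The list of protocol names and the line-oriented parser are assumptions of this example; the article's own VirtualHost block is embedded as the input, next to a hardened variant.

```python
# Protocol names as mod_ssl spells them (TLSv1.3 needs OpenSSL 1.1.1 or later).
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}   # RFC 7568 and RFC 8996

# The VirtualHost block from the article, and a hardened variant (constructed).
PAGE_CONF = """\
<VirtualHost _default_:443>
    ServerName www.example.net:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA:!DH
</VirtualHost>
"""
HARDENED_CONF = """\
<VirtualHost _default_:443>
    ServerName www.example.net:443
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5:!SEED:!IDEA:!3DES
</VirtualHost>
"""


def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3' into a set."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        if op == "+":
            # SSLv2 is unknown to modern OpenSSL, so it is simply ignored
            enabled |= names & set(PROTOCOLS)
        else:
            enabled -= names
    return enabled


def parse_ssl_directives(conf):
    """Return {directive: value} for the SSL* lines of a config snippet."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        if name.startswith("SSL"):
            directives[name] = value.strip()
    return directives


def audit_ssl(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    d = parse_ssl_directives(conf)
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    old = sorted(enabled_protocols(d.get("SSLProtocol", "all")) & DEPRECATED)
    if old:
        findings.append(
            f"SSLProtocol still enables {', '.join(old)}; "
            "use 'SSLProtocol -all +TLSv1.2 +TLSv1.3'")
    ciphers = d.get("SSLCipherSuite", "")
    if "3DES" in ciphers and "!3DES" not in ciphers:
        findings.append("SSLCipherSuite includes 3DES (SWEET32); remove ':3DES' and add ':!3DES'")
    return findings


if __name__ == "__main__":
    for label, conf in (("article config", PAGE_CONF), ("hardened config", HARDENED_CONF)):
        print(f"{label}: {audit_ssl(conf) or 'no findings'}")
```

Because `all` in the article's `SSLProtocol` line still includes TLSv1 and TLSv1.1, the checker reports two findings for the article's block and none for the hardened one; `openssl ciphers -v '<string>'` on the server shows the exact suites a given `SSLCipherSuite` string expands to.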
Access log: /var/log/httpd/access_log
Specify the format with the **LogFormat** directive and associate a log file name with a format with the **CustomLog** directive.
httpd.conf
```apache
LogFormat
CustomLog logs/access_log combined
```
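The following is an added example, not code from the original article: a Python parser for access log lines in the `combined` format referenced above, followed by two checks a defender typically runs over it, namely clients with repeated 401 responses (password guessing against the BASIC/Digest areas configured earlier) and any hits on the diagnostic URLs from this article (`/phpinfo.php`, `/server-status`, `/server-info`). The log lines are constructed for the example; the regular expression assumes the standard `combined` field order (host, ident, user, time, request, status, bytes, referer, user agent).

```python
import re
from collections import Counter, defaultdict

# Field order of the standard 'combined' LogFormat.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from a real server); the last one is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:10:00:01 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/7.76.1"
192.0.2.10 - - [10/Mar/2024:10:00:02 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/7.76.1"
192.0.2.10 - - [10/Mar/2024:10:00:02 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/7.76.1"
192.0.2.10 - - [10/Mar/2024:10:00:03 +0900] "GET /private-area/ HTTP/1.1" 401 381 "-" "curl/7.76.1"
192.0.2.10 - linuc [10/Mar/2024:10:00:04 +0900] "GET /private-area/ HTTP/1.1" 200 512 "-" "curl/7.76.1"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0900] "GET /phpinfo.php HTTP/1.1" 200 64231 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0900] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.0"
this line is not in combined format
"""

DIAGNOSTIC_PATHS = ("/phpinfo.php", "/server-status", "/server-info")


def parse_combined(text):
    """Parse combined-format lines; returns (records, number_of_unparsed_lines)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        parts = rec["request"].split()
        rec["path"] = parts[1] if len(parts) > 1 else ""
        records.append(rec)
    return records, unparsed


def auth_failures_by_host(records, threshold=3):
    """Hosts with at least `threshold` 401 responses (repeated failed logins)."""
    counts = Counter(r["host"] for r in records if r["status"] == 401)
    return {host: n for host, n in counts.items() if n >= threshold}


def hits_on_paths(records, prefixes=DIAGNOSTIC_PATHS):
    """Requests for diagnostic URLs, as {prefix: [(host, status), ...]}."""
    hits = defaultdict(list)
    for r in records:
        for prefix in prefixes:
            if r["path"].startswith(prefix):
                hits[prefix].append((r["host"], r["status"]))
    return dict(hits)


if __name__ == "__main__":
    records, unparsed = parse_combined(SAMPLE_LOG)
    print(f"parsed {len(records)} records, {unparsed} unparsed line(s)")
    print("repeated 401s:", auth_failures_by_host(records))
    print("diagnostic URL hits:", hits_on_paths(records))
```

A 200 on `/phpinfo.php` from an outside address is the signal to delete that file; a 403 on `/server-status` shows the Location restriction doing its job. Feed the script a real file with `parse_combined(open("/var/log/httpd/access_log").read())`.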
Error log: /var/log/httpd/error_log
You can specify the level of messages to record with the LogLevel directive.
httpd.conf
```apache
LogLevel
```