Apache server - basics 02

Apache server – the base 02

We activate the configuration by performing a symbolic link and validate the configuration to be certain!

$ cd /etc/apache2/conf-enabled $ sudo ln -s ../conf-available/vhosts_base.conf . $ sudo apachectl configtest Syntax OK

Everything looks good, we can proceed to the configuration of the virtual server. Still according to the structure of Ubuntu we will create the file /etc/apache2/sites-available/siteA.conf, in fact we will modify the already existing file.

Here is the file for siteA and siteC

ServerAdmin webmaster@localhost ServerName www.linux202-siteA.com ServerAlias linux202-siteA.com ServerAlias toto.linux202-siteA.com DocumentRoot /data/vhosts/siteA/docroot/ Options none AllowOverride None Require all granted Options none AllowOverride None Require all granted # Configuration des logs ErrorLog /data/vhosts/siteA/logs/error.log CustomLog /data/vhosts/siteA/logs/access.log combined ServerAdmin webmaster@localhost ServerName www.siteC.com ServerAlias siteC.com DocumentRoot /data/vhosts/siteC/docroot/ Options none AllowOverride None Require all granted Options none AllowOverride None Require all granted # Configuration des logs ErrorLog /data/vhosts/siteC/logs/error.log CustomLog /data/vhosts/siteC/logs/access.log combined

As usual before going further, a configuration validation is a good thing.

$ sudo apachectl configtest Syntax OK

I specifically allow the docroot and uploads directories, the uploads directory is likely to contain images or other document distributed to the public so the authorization is given. Private directories and logs are intended for internal use are not allowed. As you can see we add 2 instructions: ErrorLog and CustomLog take a few minutes to analyze them.

Configuring logs for virtual servers

To do the log management which is an important SUPER point if you want to be able to analyze the traffic of a website or visualize the errors occurred on the site.

We already have a configuration present as default configuration:

$ grep -n ErrorLog /etc/apache2/apache2.conf 122:# ErrorLog: The location of the error log file. 123:# If you do not specify an ErrorLog directive within a 128:ErrorLog ${APACHE_LOG_DIR}/error.log $ egrep 'APACHE_LOG_DIR' -n /etc/apache2/envvars 23:export APACHE_LOG_DIR=/var/log/apache2$SUFFIX

The ErrorLog instruction defines the file that will be used to contain the default error logs, so this file will contain all the startup errors and the error logs of the virtual servers IF you have not redefined this instruction.

As you can see this instruction can only be used in the global configuration of the server AND / OR in a VirtualHost.

By redefining it in the VirtualHost, the logs error file will only contain errors related to VirtualHost you will not have the overall server errors. You will have in the file the errors such as the 404, the error 500 (execution problem), the errors of PHP if you use this language, … This is very very interesting in order to adjust your site in case of problem .

That being said I defined another instruction which is CustomLog, this instruction makes it possible to define the file of log which will contain the information of access to the site, thus WITHOUT the errors.

Just like for the error statement this statement can be defined in the Global file or in a VirtualHost. If we look at the instruction in the file this is composed of 2 part file name and format.

CustomLog /data/vhosts/siteA/logs/access.log combined

So we write the file /data/vhosts/siteA/logs/access.log with the format combined. So let’s talk a little format, 98% (it’s really out of my hat, I have no real statistics: P) you will use the combined training. The available formats are described by the instruction Logformat, let’s look at the pre-defined log formats on the server.

$ grep "LogFormat" -n -R /etc/apache2/apache2.conf 207:LogFormat "%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" vhost_combined 208:LogFormat "%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" combined 209:LogFormat "%h %l %u %t "%r" %>s %O" common 210:LogFormat "%{Referer}i -> %U" referer 211:LogFormat "%{User-agent}i" agent

So we have the formats:

vhost_combined
combined
common

If we look quickly at the instruction Logformat for combined we have the format:

% h: Remote server. Will contain the IP address if the HostnameLookups directive is set to Off
% l: The remote connection name, Displays a dash, unless mod_ident is present
% u: The remote user (from auth; may be false if the return status (% s) is 401).
% t: Date the request was received
% r: The first line of the query
%> s: Status. For internally redirected requests, this is the status of the original — —> s query for the last one.
% O: Number of bytes sent, including headers. May be null in the rare cases where a request is aborted before the response is sent. Requires activation of mod_logio.
% Referer: Reference of the source of the request
% User-Agent: The type of client establishing the connection (Firefox, Chrome, windows, Linux, …)

Here is an example of content in the logs in combined format:

172.17.42.1 - - [26/Feb/2016:08:43:17 -0500] "GET / HTTP/1.1" 200 3594 "-" "Mozilla/5.0 (X11; Linux i686; rv:42.0) Gecko/20100101 Firefox/42.0" 172.17.42.1 - - [26/Feb/2016:08:43:17 -0500] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 3688 "http://172.17.0.10/" "Mozilla/5.0 (X11; Linux i686; rv:42.0) Gecko/20100101 Firefox/42.0"

When do you need to set a log format?!?! In fact it is very rare, usually the need makes it feel if you have a specific information to recover that is not already contained in the combined format. The other more likely situation is when your log processing software and statistics generator ask you for a specific format, this is however rare.

Thanks to these 2 instructions now you offer your “clients” / “users” the possibility of having access to their logs!

Rotating logs for virtual servers

WARNING it is not over, if we leave the configuration as the files error.log and access.log for virtual servers will grow infinitely. Result after 6 months or 1 year the error or access file will make several Gigs result that will be hard to deal with. It is important to put a system of rotation of the logs with a conservation of definite time.

GNU / Linux has the Logrotate system available which is perfect for our needs, it is possible to define a rule for the rotation of your logs. The set of distributions offers rotation mechanism, if we take our machine there is already the set rotation method for the default Apache files is /var/log/apache2/error.log and / var /log/apache2/access.log. Let’s look at the file already in place available: /etc/logrotate.d/apache2

$ cat /etc/logrotate.d/apache2 /var/log/apache2/*.log { weekly missingok rotate 52 compress delaycompress notifempty create 640 root adm sharedscripts postrotate if /etc/init.d/apache2 status > /dev/null ; then /etc/init.d/apache2 reload > /dev/null; fi; endscript prerotate if [ -d /etc/logrotate.d/httpd-prerotate ]; then run-parts /etc/logrotate.d/httpd-prerotate; fi; endscript }

Let’s take a few minutes to analyze this file because it is composed by experienced people and it is a good source of reference we will be able to inspire for our need.

/var/log/apache2/*.log: This defines the files that will be processed, it is important not to define / var / log / apache2 / * otherwise the files that have been processed in the past will be processed again and this endlessly !
weekly: The rotation here is executed once a week, it is of course possible to set a daily configuration or a month as needed.
missingok: The rotation system will not generate an error if there is no file
rotate 52: The system will keep the files processed for 52 times, as we have defined a weekly rotation this indicates that the apache log files will be kept for 1 year.
compress: Once the log file is processed the latter will be compressed by default with gzip, this saves disk space, because the text compresses it very well
delaycompress: Compression processing can be slow especially if the files are large. The goal of setting up a delay for compression is to make sure that all the files are processed relatively at the same time and that they are compressed later. Result if the access log file is processed first then the error file they will be done at the same time, it will be easier to do a correlation of access / error than if the information is in separate file treat in a different time.
notifyempty: If the file is present but empty an email will be sent to root.
create 640 root adm: The files created by the rotation system will have the permissions User root and group adm with the permissions in octal 640.
sharedscripts: This indicates that there are scripts that must be executed during the rotation, in our case postrotate and prerotate.
postrotate: This defines an instruction that must be executed AFTER the rotation of all files. Let’s read the configuration the valid script that apache is running /etc/init.d/apache2 status if it is running it reloads the apache configuration /etc/init.d/apache2 reload. But why ?!?! When apache starts, it opens a File Descriptor on the file, this is a pointer to the file, when rotating the system logrotate realizes a move of the file. If we do not reload the Apache configuration this would result in apache continuing to write in the original file so that processed by logrotate. The process of reloading the configuration forces apache to redo the connection to the file thus to support the new file created by logrotate.
prerotate: This defines an instruction that must be executed BEFORE the files are rotated, usually we use this mechanism to process the access and error files with a script provided by our statistics processing software. Since our log files are compressed once the rotation is done, it is easier to read the file before compression: D. In this case, the script validates the presence of the /etc/logrotate.d/httpd-prerotate directory and runs all the scripts in the run-parts /etc/logrotate.d/httpd-prerotate directory.

As we can see this gives a very good starting point to start. Now let’s realize our configuration by inspiring ourselves. We will create the file /etc/logrotate.d/vhosts_apache

/data/vhosts/*/logs/*.conf { daily missingok rotate 365 compress delaycompress create 644 root adm sharedscripts postrotate if /etc/init.d/apache2 status > /dev/null ; then /etc/init.d/apache2 reload > /dev/null; fi; endscript }

I will only highlight the changes made to the configurations, compared to the original apache2 file.

/data/vhosts/*/logs/*.conf: I use a wildcard (*) to cover all websites under the / data / vhosts directory, this allows me to set up the rotation regardless of the number of site present and so I am sure not to forget the configuration. Just as for the default configuration I consider in rotation that * .conf files.
daily: Personally, I prefer a daily rotation, especially if you have a lot of traffic.
rotate 365: it’s a lot of files I wanted to keep the logs 1 year, free to you to judge the relevance of the operation.
notifyempty: I disabled this feature because I do not want to know it: P.
create 644 root adm: Here I modify the file permissions to allow ALL to read the content, however ONLY root can write / delete the content. It’s important because I want to give access to the person to access the information, but I do not want anyone to be able to remove information.
prerotate: At this stage of the deployment I did not set up a file processing so I disabled it, if you want to set up a statistical software there is of course google analytic, but the world of free you have piwik of available which is very good.

So now we have a perennial log solution!

Using the private directory

This is a bit out of the scope of the training, this is more oriented on the organization of the website and this programming, however with the importance of security nowadays it is important to quickly cover this point. Even though we have the role of only offering the apache server, in reality we often act as advised on the systems.

We will now see the use of the directory private, how to write our website to take advantage of this directory not accessible from the internet. For the demonstration I will use the programming language php, far from being an expert in this language, however, by the simplicity of the language the demonstration will be easy.

So we will install php and validate its installation

$ sudo apt-get update && sudo apt-get install php5 $ sudo vim /data/vhosts/siteA/docroot/info.php $ cat /data/vhosts/siteA/docroot/info.php $ sudo apachectl configtest && sudo /etc/init.d/apache2 restart * Restarting web server apache2 * ...done.

If we access the site via the URL: http://linux202-sitea.com/info.php we will have the information on the installed php.

So php works, we will be able to continue … with the real objective. I will start by showing the “classic” method that is to include a configuration file directly in the application, I will create 2 file app.php and config.conf. The first will load the second, for php developers I know it’s not very beautiful but it’s not a php course ;-).

$ sudo vim /data/vhosts/siteA/docroot/app.php $ cat /data/vhosts/siteA/docroot/app.php $ sudo vim /data/vhosts/siteA/docroot/config.conf $ cat /data/vhosts/siteA/docroot/config.conf toto=blabla titi=encore

Good with this configuration if you go with your browser on the URL of the application you will have this:

http://linux202-sitea.com/app.php

o the configuration was well loaded, we see the contents of the configuration: D, but er … If I try this

http://linux202-sitea.com/config.conf

oupss, Yep everyone can see this configuration file: P, just know the URL, then config.conf or db.conf it’s not very hard to guess and especially to script to retrieve information from a website. We will probably see later how blocked access to file extensions, there are mechanisms in apache. But if we take the file from the DocumentRoot so root is guaranteed that no one can access the file. Let’s see the other method with the use of the private directory.

$ sudo vim /data/vhosts/siteA/docroot/app_w_priv.php $ cat /data/vhosts/siteA/docroot/app_w_priv.php $ sudo vim /data/vhosts/siteA/privates/config.conf $ cat /data/vhosts/siteA/privates/config.conf private=info super=priv

So this time the include is done by going up a notch (..) and we go to the privates directory.

Result : http://linux202-sitea.com/appwpriv.php

woot it always works: D. Now I am trying to access the configuration file, if I take over the configuration this should be good: http://linux202-sitea.com/../privates/config.conf, I go up a directory and I will in privates.

NOPE impossible, because we can not go back before the DocumentRoot: D, it’s not beautiful that 🙂

Using the configuration overload (htaccess)

I will quickly return to the configuration overload system, we have already discussed the aspect of its use. We talked about the cost in terms of performance and “quickly” security. On the other hand we did not have a clear example of the risks of the overload of the configuration, so it is part for a small demonstration. The majority of public hosts allow you to redefine all configurations via the htaccess system. We will see the possible risk.

I will first modify the configuration of siteA to allow overload:

$ sudo vim /etc/apache2/sites-available/siteA.conf [ ... OUTPUT COUPÉ ...] Options none AllowOverride ALL Require all granted [ ... OUTPUT COUPÉ ...]

If we read the DocumentRoot directory definition I changed the entry for the AllowOverride statement from NONE to ALL, to keep it simple.

We validate the configuration and reload it …

At this point we can redefine the set of apache configurations under the DocumentRoot directory, we will take this opportunity to present the Options statement.

Bon Options is what it allows us to define the features of a directory … Sorry is the description directly from the apache site: P. Basically it allows us to define the behavior of the processing of the requests, for example if there is a symbolic link does it follow it? If there is no index file what to do? … Let’s look at the Arguments available this will clarify the possibilities.

ExecCGI: Allows external script calling such as scripts written in python, perl, even in C. Apache executes the file or binary.
FollowSymLinks: The server will follow symbolic links in the relevant directory.
Indexes: If a required URL corresponds to the directory concerned, and if no DirectoryIndex (for example index.html) is defined for this directory, mod_autoindex module will return a formatted directory listing.
MultiViews: Multiple views (“multiviews”) with content negotiated using the mod_negotiation module are allowed.
SymLinksIfOwnerMatch: The server will only follow symlinks that return to a file or directory whose owner is the same as the link.
ALL / NONE: respectively all the options mentioned above or no options: D.

Good Cool for the moment we do not see the problem or if maybe: P, well go we go with the demonstration. If you look at my previous configurations I always set the Options to None. You will understand why …

I am going to edit the .htaccess file in the DocumentRoot directory of SiteA.

$ sudo vim /data/vhosts/siteA/docroot/.htaccess $ cat /data/vhosts/siteA/docroot/.htaccess Options FollowSymLinks

We will just put FollowSymLinks, we will create a small symbolic link that goes well with :).

$ cd /data/vhosts/siteA/docroot $ sudo ln -s /etc/passwd lst_users $ ls -l lst_users lrwxrwxrwx 1 root root 11 Mar 11 17:24 lst_users -> /etc/passwd

Now let’s go to the URL that’s fine: D: http://linux202-sitea.com/lst_users

Oupss or YEahh as needed: P, yep FollowSymLinks it’s evil: P. Good but it annoys me to make a symbolic link for each file I want to consult no?!?!. We will change the htaccess file a bit, to have even more fun.

$ sudo vim /data/vhosts/siteA/docroot/.htaccess $ cat /data/vhosts/siteA/docroot/.htaccess Options FollowSymLinks Indexes

No need to reload apache, we will just make another symbolic link.

$ cd /data/vhosts/siteA/docroot $ sudo ln -s /etc sys $ ls -l sys lrwxrwxrwx 1 root root 4 Mar 11 17:31 sys -> /etc

It’s part with the URL: D, that fun: http://linux202-sitea.com/sys/

oot, now I can choose which file I want to read in the / etc directory, much easier :). Of course we are limited by the permissions of the Apache user. Indeed the process httpd that reads the file is executed under the user www-data so we are limited by file permissions. Example:

/ etc / passwd: is readable by everyone, so www-data can consult it

$ ls -l /etc/passwd -rw-r--r-- 1 root root 1001 Dec 9 14:09 /etc/passwd

/ etc / shadow: This last one contains the password of the users present on the system is readable only by root and the shadow group like www-data is not member of the group, nor root the reading is impossible.
```
$ ls -l /etc/shadow -rw-r----- 1 root shadow 652 Dec 9 14:09 /etc/shadow
```

I will not continue in more detail, the demonstration of the risk of the overload of the configurations, however for production environments it is necessary to consider the risks that this implies.

Shared content / service (Alias)

It is likely that the websites you host are equivalent content as we speak of images or information content. If we take the example of corporate sites, we can think of the logo of the company, it can be interesting that all the sites uses the same files. The advantage is that if the company logo changes we only have one file to change instead of visiting all the sites and finally find that we have forgotten. If you realized public hosting your reality may be different in terms of shared content however we find a similar need. If you offer a full service with an email service you may want to offer a webmail to the customer. If you install a webmail or a phpmyadmin for each client when an update will be made you will curse the developer for having released this new version! In addition, we want to prevent each client from installing their own application, mainly for security reasons, as it is unlikely that the client will be aware of the risk: P.

We find the option to use Aliases, this allows to define a path that will be usable and point to a directory available to all. This directory may be outside the DocumentRoot directory of the website.

To make a simple use, we will set up a shared directory for images of the company. Let’s start with the directory structure, I personally create a common directory under the vhost directory, which gives:

/data/ /vhost/ /siteA/ /siteB/ /siteC/ /common/ webmail/ phpmyadmin/ images/

In the structure above, I created the directories to host the webmail and phpmyadmin software, for the moment we will only deal with images. However the concept remains the same.

Setting up the configuration, creating the directory and setting up an image:

$ sudo mkdir /data/vhosts/common/ $ sudo mkdir /data/vhosts/common/images /data/vhosts/common/webmail /data/vhosts/common/phpmyadmin $ sudo cp ~/post-it.jpg /data/vhosts/common/images/

So under / data / vhosts / common / images / we have an available image, we will proceed to modify the configuration of site siteA so that it can use this configuration. Editing the /etc/apache2/sites-available/siteA.conf file

[ ... OUTPUT COUPÉ ... ] DocumentRoot /data/vhosts/siteA/docroot/ Alias "/cm-images" "/data/vhosts/common/images" Options none AllowOverride ALL Require all granted [ ... OUTPUT COUPÉ ... ]

I realized the addition of the Alias instruction.

As we can see the configuration of an alias is available for:

The overall configuration of the server
Configuring a Virtual Server (VirtualHost)
A directory.

We validate and reload the configuration

$ sudo apachectl configtest && sudo /etc/init.d/apache2 reload Syntax OK * Reloading web server apache2 *

Access to the site

http://linux202-sitea.com/: OK, no problem the site is still available 🙂 it’s a good start.
http://linux202-sitea.com/cm-images/post-it.jpg : KO , Forbidden You don’t have permission to access.

Why do you think the problem occurs?

A little bit of analysis, it may be subtle, but being comfortable with apache this provides me with information. First, because we have the Forbidden error, I deduce that my instructions are well interpreted. Indeed if I make a mistake in the URL and I write: http://linux202-sitea.com/ko-images/post-it.jpg, I do not have a Forbidden but Not found, so clearly my instruction is interpreted: D.

Now let’s look at the logs: D, as the logs are now generated in the virtual server directory we should no longer look at /var/log/apache2/error.log but /data/vhosts/siteA/logs/error.log.

$ tail /data/vhosts/siteA/logs/error.log [Fri Mar 18 08:49:23.999085 2016] [authz_core:error] [pid 98] [client 172.17.42.1:50796] AH01630: client denied by server configuration: /data/vhosts/common/images/ [Fri Mar 18 08:50:18.929006 2016] [authz_core:error] [pid 99] [client 172.17.42.1:50806] AH01630: client denied by server configuration: /data/vhosts/common/images/post-it.jpg

Following his clues an idea?

The problem is at the level of the permission of the directory, I do not speak file system permissions but permissions in Apache that blocks access to the directory. If we resume the configuration of the directory /, contained in the file: /etc/apache2/apache2.conf

Options FollowSymLinks AllowOverride None Require all denied

The set of undefined directories is denied, so we must allow access to the common directory to allow access to it. To do this we will modify the file /etc/apache2/conf-available/vhosts_base.conf to define the new directory:

Options None AllowOverride None Require all granted

We validate the configuration and reload the configuration:

$ sudo apachectl configtest && sudo /etc/init.d/apache2 reload

It is left http://linux202-sitea.com/cm-images/post-it.jpg. Normally you should see a Mario Bross post-it. If this is not the case, validate your image file, and read the server logs :).

Why set the alias in the VirtualHost instead of the common file?

I tend to generate my configuration files, especially for similar configurations either by script or via configuration tools (puppet, ansible, …), so I see no problem to define additional instructions. Also when defining an alias on them define the local directories of the DocumentRoot, in other words the siteA can no longer use the directory. A small example just to understand.

Let’s create the cm-images directory under the Site A DocumentRoot and an html file.

$ sudo mkdir /data/vhosts/siteA/docroot/cm-images $ sudo vim /data/vhosts/siteA/docroot/cm-images/toto.html $ cat /data/vhosts/siteA/docroot/cm-images/toto.html Toto sous cm-images du site A ... AAaaa :P

If we access the site: http://linux202-sitea.com/cm-images/toto.html, we have a 404 Not Found. If we look in the logs we will have confirmation:

tail /data/vhosts/siteA/logs/access.log

172.17.42.1 - - [21/Mar/2016:08:46:04 -0400] "GET /cm-images/toto.html HTTP/1.1" 404 516 "-" "Mozilla/5.0 (X11; Linux i686; rv:42.0) Gecko/20100101 Firefox/42.0"

For fun we will create the file foo under / data / vhosts / common / images:

$ sudo vim /data/vhosts/common/images/toto.html $ cat /data/vhosts/common/images/toto.html Fichier TOTO sous le common images

Let’s go back to the URL: http://linux202-sitea.com/cm-images/toto.html

As you can see, the alias has priority over the local directories of the website. To go back to the original question why I did not put it in the global configuration precisely to have a more granular configuration. Allow activation by virtual server. This also brings me to stress the importance of choosing the name of the alias, it is would be unwilling to set up an alias images for example, that’s why I had opted for cm-images to limit the risk of conflict with the local directory of the site.

There is also AliasMatch which allows us as Alias to perform an association of a directory outside the DocumentRoot, the advantage of AliasMatch is to allow to include a regular expression as a criterion.

Directory permissions

I might have started with this, but since the server access methods are very varied I did not privilege it. When I talk about server access you can provide ftp access, scp / ssh, webdav, NFS share, …

We will set up a chrooted system with ssh for the use of sftp. We will start by creating a group for virtual server users.

$ sudo addgroup vhosts Adding group `vhosts' (GID 1001) ... Done.

Creation of the user for the siteC:

$ sudo adduser --ingroup vhosts --no-create-home --shell /bin/false --home /data/vhosts/siteC/ usr_sitec Adding user `usr_sitec' ... Adding new user `usr_sitec' (1001) with group `vhosts' ... Not creating home directory `/data/vhosts/siteC/'. Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for usr_sitec Enter the new value, or press ENTER for the default Full Name []: Utilisateur site C Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] y $ id usr_sitec uid=1001(usr_sitec) gid=1001(vhosts) groups=1001(vhosts) $ cd /data/vhosts/siteC $ sudo chown usr_sitec -R docroot/ privates/

We will change the server SSH configuration so the file / etc / ssh / sshd_config

We add the following configuration at the end of the file and restart the ssh service:

$ sudo cat /etc/ssh/sshd_config [... OUTPUT coupé ...] Match Group vhosts ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no $ sudo /etc/init.d/ssh restart

It’s time to validate all: D. I’m going to put the file toto in the docroot directory:

$ sftp usr_sitec@172.17.0.1 usr_sitec@172.17.0.1's password: Connected to 172.17.0.1. sftp> ls docroot logs privates uploads sftp> cd docroot/ sftp> ls index.html info.html sftp> put toto Uploading toto to /docroot/toto toto 100% 20 0.0KB/s 00:00 sftp> ls index.html info.html toto sftp>

Reference:

http://askubuntu.com/questions/134425/how-can-i-chroot-sftp-only-ssh-users-into-their-homes

Using apache modules

As mentioned during the introduction apache is a modular software, so we will see what are the modules available with the default installation under Ubuntu and some explanation for using them.

The structure of the files / directories under Debian / Ubuntu, although binding, offers at least the advantage of being clear. So we find the list of available modules in the directory / etc / apache2 / mods-available.

$ ls /etc/apache2/mods-available/*.load access_compat.load authz_user.load ext_filter.load mpm_worker.load sed.load actions.load autoindex.load file_cache.load negotiation.load session.load alias.load buffer.load filter.load php5.load session_cookie.load allowmethods.load cache.load headers.load proxy.load session_crypto.load asis.load cache_disk.load heartbeat.load proxy_ajp.load session_dbd.load auth_basic.load cache_socache.load heartmonitor.load proxy_balancer.load setenvif.load auth_digest.load cgi.load include.load proxy_connect.load slotmem_plain.load auth_form.load cgid.load info.load proxy_express.load slotmem_shm.load authn_anon.load charset_lite.load lbmethod_bybusyness.load proxy_fcgi.load socache_dbm.load authn_core.load data.load lbmethod_byrequests.load proxy_fdpass.load socache_memcache.load authn_dbd.load dav.load lbmethod_bytraffic.load proxy_ftp.load socache_shmcb.load authn_dbm.load dav_fs.load lbmethod_heartbeat.load proxy_html.load speling.load authn_file.load dav_lock.load ldap.load proxy_http.load ssl.load authn_socache.load dbd.load log_debug.load proxy_scgi.load status.load authnz_ldap.load deflate.load log_forensic.load proxy_wstunnel.load substitute.load authz_core.load dialup.load lua.load ratelimit.load suexec.load authz_dbd.load dir.load macro.load reflector.load unique_id.load authz_dbm.load dump_io.load mime.load remoteip.load userdir.load authz_groupfile.load echo.load mime_magic.load reqtimeout.load usertrack.load authz_host.load env.load mpm_event.load request.load vhost_alias.load authz_owner.load expires.load mpm_prefork.load rewrite.load xml2enc.load

As we can see the list is significant, the list of modules activated by default is less voluminous:

$ ls /etc/apache2/mods-enabled/*.load access_compat.load authn_core.load authz_host.load deflate.load filter.load negotiation.load status.load alias.load authn_file.load authz_user.load dir.load mime.load php5.load auth_basic.load authz_core.load autoindex.load env.load mpm_prefork.load setenvif.load

It is of course advisable not to load the unused modules, because in addition to increasing the memory path of apache during its execution, this increases the possibilities of security breach. I will not take the time to name all the modules available, I will leave you the pleasure of doing the research, I will select some one.

Alias: Allows for making directory aliases on the system, as we saw in the section Shared content / service.
auth *: Module related to the authentication system, user validation / password, can be realized with a flat file (as we have seen) or with external services such as ldap.
dir: Allows you to load a defined file from a directory without having to name it. The classic case is the use of the index.html file which is loaded automatically when one goes into a directory.
php: Allows interpretation of php files.
status: we will have the opportunity to see it in the section Performance and analysis, allows us to visualize the use of the server by VirtualHost. This module is very interesting to understand the use of the system.

The nomenclature of Ubuntu / Debian uses 2 files .conf and .load this is purely a convention, it is not mandatory, under CentOs / RedHat the whole is in the same file. I will take as an example the dir module, simple and allows to understand the operation.

dir.load

LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so

dir.conf

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

As you can see the load file, loads a .so file contained in the / usr / lib / apache2 / modules / directory. It is possible to add modules to apache, however it is important that the module was created for the good version that is in place!

The .conf file, contains the configuration for the module, as you can see there is the IfModule … statement, this validates the presence of a module is to load the configuration only if the module is present. This is even more convenient when you have a large configuration file and you activate or not the modules at the beginning. Because if I take the present case if the instruction DirectoryIndex is defined in the file but the module is not present Apache will not start.

You can use apachectl to know the modules currently loaded by apache. It is possible to include them directly in the apache2 binary, this is done during the compilation of the program.

/ usr / sbin / apachectl -l: list the apache modules compiled in apache.
/ usr / sbin / apachectl -M: list the modules that are loaded at startup.

I will tell you that the whole 99% of the time the modules offered by the pumping system meets the need. Under Debian / Ubuntu you can have the list of apache modules available with the system thanks to the command: apt-cache search libapache2 For people who wants to see how to compile …: D

Setting up a site in httpS

Securing communication is more than critical nowadays, we want non-public information to be readable only by authorized individuals. The HTTP protocol is an unsecured protocol, all network packets are readable (unencrypted), if a person is on your network and can intercept the communications he can read all the traffic. The httpS protocol solves the problem by encrypting communications between the client (browser) and the server (apache), resulting in the traffic can not be read.

Under Ubuntu the ssl module is included during the installation of the apache2 package, under RedHat / CentOS you must install the module mod_ssl specifically. We will take a few minutes to see the theory around the SSL / TLS certificate system, because of experience I found that for many the concept of SSL certificate is fuzzy while all of our communications are provided by this system. Subsequently we will set up the configuration in apache.