Apache: Difference between revisions
mNo edit summary |
m (→FAQ) |
||
(51 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
From the [http://httpd.apache.org/ apache homepage]: | From the [http://httpd.apache.org/ apache homepage]: | ||
<blockquote>The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.</blockquote> | <blockquote>The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.</blockquote> | ||
= Links = | = Links = | ||
{| style="width:600px | |||
{| style="width:600px" border="0" | |||
|- | |||
| colspan="2" | '''Documentation''' | | colspan="2" | '''Documentation''' | ||
|- | |- | ||
| [http://httpd.apache.org/ http://httpd.apache.org/] | | [http://httpd.apache.org/ http://httpd.apache.org/] | ||
| Apache homepage | |||
|- | |- | ||
| [http://httpd.apache.org/docs/2.2/ http://httpd.apache.org/docs/2.2/] | | [http://httpd.apache.org/docs/2.2/ http://httpd.apache.org/docs/2.2/] | ||
| 2.2 Reference | |||
|- | |- | ||
| [http://httpd.apache.org/docs/2.0/ http://httpd.apache.org/docs/2.0/] | | [http://httpd.apache.org/docs/2.0/ http://httpd.apache.org/docs/2.0/] | ||
| 2.0 Reference | |||
|- | |- | ||
| [http://httpd.apache.org/docs/1.3/ http://httpd.apache.org/docs/1.3/] | | [http://httpd.apache.org/docs/1.3/ http://httpd.apache.org/docs/1.3/] | ||
| 1.3 Reference | |||
|- | |- | ||
| [http://www.tuxick.net/docs/apache_ssl.html Apache and SSL] | | [http://www.tuxick.net/docs/apache_ssl.html Apache and SSL] | ||
Line 26: | Line 33: | ||
| colspan="2" | '''Tools''' | | colspan="2" | '''Tools''' | ||
|- | |- | ||
| [http://awstats.sourceforge.net/ http://awstats.sourceforge.net/] | | [http://awstats.sourceforge.net/ http://awstats.sourceforge.net/] | ||
| Apache log analyzer | |||
|} | |} | ||
*[http://mod-qos.sourceforge.net/ QoS for Apache] | |||
*[https://github.com/alecthomas/geoip/blob/master/GeoIPCountryWhois.csv GeoIPCountryWhois.csv] | |||
=Documentation= | |||
==Virtual hosts== | |||
*[http://mysqlresources.com/cgi-bin/article.cgi?article_id=68 Apache Virtual Hosting] | |||
= Application & modules = | = Application & modules = | ||
== [ | |||
=Log analyzers= | |||
*[[awstats]] | |||
*piwik | |||
*[[webalizer]] | |||
*[[urchin]] | |||
* zapache | |||
===Notes=== | |||
* Don't use the CGI to present the data unless it is protected. Best use '''awstats_buildstaticpages.pl''' to build the static pages and present those. Save resources and is more secure. | * Don't use the CGI to present the data unless it is protected. Best use '''awstats_buildstaticpages.pl''' to build the static pages and present those. Save resources and is more secure. | ||
Line 43: | Line 67: | ||
==FAQ== | =HOWTO= | ||
===Authentication== | ==Log SSL protocols== | ||
Read [http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html Apache Authentication in htaccess] | CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" | ||
= FAQ = | |||
==Modules== | |||
== Enable module == | |||
===On Debian=== | |||
a2enmod | |||
===On RedHat=== | |||
=== List active modules=== | |||
apachectl -t -D DUMP_MODULES | |||
==Enable HSTS== | |||
a2enmod headers | |||
and in config | |||
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" | |||
== [core:emerg] [pid 3317] (28)No space left on device: AH00023: Couldn't create the rewrite-map mutex == | |||
Check | |||
ipcs -s | |||
| |||
==Check which MPM is running ( prefork or worker) == | |||
httpd -V | grep MPM | |||
or more modern | |||
apache2ctl -t -D DUMP_MODULES | grep mpm | |||
== NameVirtualHost *:80 has no VirtualHosts == | |||
This means you're using <VirtualHost *> instead of <VirtualHost *:80> Or you have multiple declarations of NameVirtualHost *:80 | |||
== Telnet session to webserver == | |||
telnet www.example.com 80 | |||
get / HTTP/1.1 | |||
<enter> | |||
<enter> | |||
For a virtual also pass host: | |||
get / HTTP/1.1 | |||
host: virtual.host.com | |||
<enter> | |||
| |||
== Apache memory usage == | |||
ps aux|grep http|awk '{sum+=$4} END {print sum}' | |||
| |||
== Authentication == | |||
Read: | |||
*[http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html Apache Authentication in htaccess] | |||
*[http://weavervsworld.com/docs/other/passprotect.html Password Protection with .htaccess & .htpasswd] | |||
*[http://httpd.apache.org/docs/2.2/howto/auth.html http://httpd.apache.org/docs/2.2/howto/auth.html] | |||
*[https://httpd.apache.org/docs/2.4/howto/auth.html https://httpd.apache.org/docs/2.4/howto/auth.html] | |||
In .htaccess or </Directory> section put: | |||
Authtype Basic | Authtype Basic | ||
AuthUserFile /etc/apache/htusers | AuthUserFile /etc/apache/htusers | ||
Line 53: | Line 144: | ||
AuthName "Protected" | AuthName "Protected" | ||
== Hide directories == | |||
RedirectMatch 404 /\.svn(/|$) | RedirectMatch 404 /\.svn(/|$) | ||
or | |||
<DirectoryMatch "^/.*/\.git/"> | |||
Require all denied | |||
</DirectoryMatch> | |||
== Deny access to files == | |||
<FilesMatch \.(?i:gif|jpe?g|png)$> | <FilesMatch \.(?i:gif|jpe?g|png)$> | ||
Require all denied | |||
</FilesMatch> | |||
| |||
== Strange hang and not restarting == | |||
ipcs -s|grep apache | |||
for i in `ipcs -s|grep apache|awk {'print $2'}`;do ipcrm sem $i;done; | |||
== Get core dumps == | |||
*[http://wiki.apache.org/httpd/CoreDump http://wiki.apache.org/httpd/CoreDump] | |||
*/usr/share/doc/apache2.2-common/README.backtrace | |||
*[http://www.cyberciti.biz/tips/configure-apache-web-server-for-core-dump.html http://www.cyberciti.biz/tips/configure-apache-web-server-for-core-dump.html] | |||
In apache configuration: | |||
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights) | |||
=== On freebsd === | |||
Set apache22limits_enable="YES in /etc/rc.conf | |||
In apache configuration: | |||
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights) | |||
Other stuff to try | |||
sysctl kern.sugid_coredump=1 | |||
sysctl kern.coredumps=1 | |||
=== On Debian === | |||
sysctl fs.suid_dumpable=2 ? | |||
ulimit -c unlimited ? | |||
== Socket is not connected: core_output_filter: writing data to the network == | |||
Bug in some versions? | |||
== Connection refused: connect to listener on 0.0.0.0:80 == | |||
Seems a jail problem, try setting | |||
Listen 12.33.44.55:80 | |||
| |||
== No such file or directory: Failed to enable the 'httpready' Accept Filter == | |||
In /boot/loader.conf | |||
accf_data_load="YES" | |||
accf_http_load="YES" | |||
| |||
== sorting apache logs == | |||
[http://jehiah.cz/archive/sorting-apache-logs http://jehiah.cz/archive/sorting-apache-logs] | |||
| |||
== unable to include potential exec == | |||
== Rewriting and redirecting == | |||
[http://www.aitechsolutions.net/apacheredirect.html http://www.aitechsolutions.net/apacheredirect.html] | |||
=== redirect http to https === | |||
#this usually does the trick | |||
Redirect permanent / [https://foo.com https://foo.com] | |||
*[https://httpd.apache.org/docs/current/rewrite/avoid.html#redirect Use redirect instead of rewrite] | |||
== debugging rewrites == | |||
== status codes == | |||
*[http://www.w3.org/Protocols/HTTP/HTRESP.html http://www.w3.org/Protocols/HTTP/HTRESP.html] | |||
| |||
== client denied by server configuration == | |||
That's the Deny/Allow bits in config | |||
| |||
== server-status: ERROR 500: Internal Server Error== | |||
?? | |||
==Error messages== | |||
=== AH00162: server seems busy === | |||
maybe it's busy | |||
=== AH01630: client denied by server configuration === | |||
Probably using 2.2 config on 2.4, change | |||
Order allow,deny | |||
Allow from all | |||
to | |||
Require all granted | |||
=== AH00179: changing ServerLimit to 700 from original value of 512 not allowed during restart === | |||
Needs a real restart | |||
===AH02282: No slotmem from mod_heartmonitor=== | |||
?? |
Latest revision as of 13:55, 9 August 2024
From the apache homepage:
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
Links
Documentation | |
http://httpd.apache.org/ | Apache homepage |
http://httpd.apache.org/docs/2.2/ | 2.2 Reference |
http://httpd.apache.org/docs/2.0/ | 2.0 Reference |
http://httpd.apache.org/docs/1.3/ | 1.3 Reference |
Apache and SSL | |
Apache2, Debian and SSL | |
More Apache and SSL | |
Articles | |
vhosts explained | "Simplify Your Life with Apache Virtual Hosts" Russell Dyer 07/24/2003 |
Tools | |
http://awstats.sourceforge.net/ | Apache log analyzer |
Documentation
Virtual hosts
Application & modules
Log analyzers
Notes
- Don't use the CGI to present the data unless it is protected. Best use awstats_buildstaticpages.pl to build the static pages and present those. Save resources and is more secure.
Related Items
Web-based Single Sign-On
Applications
Comparisons
- http://www.jisc.ac.uk/uploaded_documents/CMSS-Gilmore.pdf
- http://www.umich.edu/~umweb/downloads/WebSSOImplementationComparision.pdf
HOWTO
Log SSL protocols
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
FAQ
Modules
Enable module
On Debian
a2enmod
On RedHat
List active modules
apachectl -t -D DUMP_MODULES
Enable HSTS
a2enmod headers
and in config
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
[core:emerg] [pid 3317] (28)No space left on device: AH00023: Couldn't create the rewrite-map mutex
Check
ipcs -s
Check which MPM is running ( prefork or worker)
httpd -V | grep MPM
or more modern
apache2ctl -t -D DUMP_MODULES | grep mpm
NameVirtualHost *:80 has no VirtualHosts
This means you're using <VirtualHost *> instead of <VirtualHost *:80> Or you have multiple declarations of NameVirtualHost *:80
Telnet session to webserver
telnet www.example.com 80 get / HTTP/1.1 <enter> <enter>
For a virtual also pass host:
get / HTTP/1.1 host: virtual.host.com <enter>
Apache memory usage
ps aux|grep http|awk '{sum+=$4} END {print sum}'
Authentication
Read:
- Apache Authentication in htaccess
- Password Protection with .htaccess & .htpasswd
- http://httpd.apache.org/docs/2.2/howto/auth.html
- https://httpd.apache.org/docs/2.4/howto/auth.html
In .htaccess or </Directory> section put:
Authtype Basic AuthUserFile /etc/apache/htusers Require valid-user AuthName "Protected"
Hide directories
RedirectMatch 404 /\.svn(/|$)
or
<DirectoryMatch "^/.*/\.git/"> Require all denied </DirectoryMatch>
Deny access to files
<FilesMatch \.(?i:gif|jpe?g|png)$> Require all denied </FilesMatch>
Strange hang and not restarting
ipcs -s|grep apache for i in `ipcs -s|grep apache|awk {'print $2'}`;do ipcrm sem $i;done;
Get core dumps
- http://wiki.apache.org/httpd/CoreDump
- /usr/share/doc/apache2.2-common/README.backtrace
In apache configuration:
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights)
On freebsd
Set apache22limits_enable="YES in /etc/rc.conf
In apache configuration:
CoreDumpDirectory /tmp/apache2-gdb-dump (make sure to have proper rights)
Other stuff to try
sysctl kern.sugid_coredump=1 sysctl kern.coredumps=1
On Debian
sysctl fs.suid_dumpable=2 ? ulimit -c unlimited ?
Socket is not connected: core_output_filter: writing data to the network
Bug in some versions?
Connection refused: connect to listener on 0.0.0.0:80
Seems a jail problem, try setting
Listen 12.33.44.55:80
No such file or directory: Failed to enable the 'httpready' Accept Filter
In /boot/loader.conf
accf_data_load="YES" accf_http_load="YES"
sorting apache logs
http://jehiah.cz/archive/sorting-apache-logs
unable to include potential exec
Rewriting and redirecting
http://www.aitechsolutions.net/apacheredirect.html
redirect http to https
#this usually does the trick Redirect permanent / https://foo.com
debugging rewrites
status codes
client denied by server configuration
That's the Deny/Allow bits in config
server-status: ERROR 500: Internal Server Error
??
Error messages
AH00162: server seems busy
maybe it's busy
AH01630: client denied by server configuration
Probably using 2.2 config on 2.4, change
Order allow,deny Allow from all
to
Require all granted
AH00179: changing ServerLimit to 700 from original value of 512 not allowed during restart
Needs a real restart
AH02282: No slotmem from mod_heartmonitor
??