Apache HTTP Server

Last Updated on 2017-12-19 by Sture

Description

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for various modern desktop and server operating systems, such as UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server which provides HTTP services in sync with the current HTTP standards.

The 2.x branch of Apache Web Server includes several improvements like threading, use of APR, native IPv6 and SSL support, and many more.

WWW: http://httpd.apache.org/.

For your website to be publicly accessible, you must have a valid domain name.

Requirements

The following software must be installed before Apache HTTP Server:

  1. OpenSSL – Open Secure Sockets Layer

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with the user ID and IP address of your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for “apache2” in the remote package repositories with:

[root@server /usr/home/user]# pkg search "apache2" [enter]
apache22-2.2.31_1              Version 2.2.x of Apache web server with prefork MPM
apache22-event-mpm-2.2.31_1    Version 2.2.x of Apache web server with event MPM
apache22-itk-mpm-2.2.31_1      Version 2.2.x of Apache web server with itk MPM
apache22-peruser-mpm-2.2.31_1  Version 2.2.x of Apache web server with peruser MPM
apache22-worker-mpm-2.2.31_1   Version 2.2.x of Apache web server with worker MPM
apache24-2.4.25_1              Version 2.4.x of Apache web server
p5-Apache2-SOAP-0.73_4         Apache2 mod_perl2 SOAP Server
p5-Apache2-SiteControl-1.05_3  Perl web site authentication/authorization system
[root@server /usr/home/user]#

In this example apache24 will be installed.

Install Apache HTTP Server 2.4 with:

[root@server /usr/home/user]# pkg install apache24 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 5 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	apache24: 2.4.25_1
	libxml2: 2.9.4
	apr: 1.5.2.1.5.4_2
	gdbm: 1.12
	db5: 5.3.28_6

Number of packages to be installed: 5

The process will require 81 MiB more space.
18 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching apache24-2.4.25_1.txz: 100%    5 MiB   1.6MB/s    00:03    
Fetching libxml2-2.9.4.txz: 100%  802 KiB 821.6kB/s    00:01    
Fetching apr-1.5.2.1.5.4_2.txz: 100%  410 KiB 419.5kB/s    00:01    
Fetching gdbm-1.12.txz: 100%  145 KiB 148.5kB/s    00:01    
Fetching db5-5.3.28_6.txz: 100%   12 MiB   2.1MB/s    00:06    
Checking integrity... done (0 conflicting)
[1/5] Installing gdbm-1.12...
[1/5] Extracting gdbm-1.12: 100%
[2/5] Installing db5-5.3.28_6...
[2/5] Extracting db5-5.3.28_6: 100%
[3/5] Installing libxml2-2.9.4...
[3/5] Extracting libxml2-2.9.4: 100%
[4/5] Installing apr-1.5.2.1.5.4_2...
[4/5] Extracting apr-1.5.2.1.5.4_2: 100%
[5/5] Installing apache24-2.4.25_1...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[5/5] Extracting apache24-2.4.25_1: 100%
Message from apache24-2.4.25_1:
To run apache www server from startup, add apache24_enable="yes"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch.conf typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- apache24 default build changed from static MPM to modular MPM
- more modules are now enabled per default in the port
- icons and error pages moved from WWWDIR to DATADIR

   If build with modular MPM and no MPM is activated in
   httpd.conf, then mpm_prefork will be activated as default
   MPM in etc/apache24/modules.d to keep compatibility with
   existing php/perl/python modules!

Please compare the existing httpd.conf with httpd.conf.sample
and merge missing modules/instructions into httpd.conf!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[root@server /usr/home/user]#

Configuration

packet filter (pf)

Access to the Apache service must be enabled in the packet filter (pf) configuration file.

Start editing file /etc/pf.conf with:

[root@server /usr/home/user]# ee /etc/pf.conf [enter]

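…and add the HTTP (80) and HTTPS (443) ports so that clients on the local network can reach the Apache service, as in this example (ports 123 and 445 in the list belong to other services and are not needed for Apache):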

.
# Ports:
#  80 TCP       Hypertext Transfer Protocol (HTTP)
# 123 TCP       Network Time Protocol
# 443 TCP       Hypertext Transfer Protocol over TLS/SSL (HTTPS)
# 445 TCP       Microsoft-DS SMB file sharing

tcp_pass="{ 80, 123, 443, 445 }"
.

Check /etc/pf.conf for errors without loading the ruleset with:

[root@server /usr/home/user]# pfctl -vvnf /etc/pf.conf [enter]

…and then reload /etc/pf.conf with:

[root@server /usr/home/user]# service pf reload [enter]
Reloading pf rules.
[root@server /usr/home/user]#

Service start on Boot

List installed apache services with:

[root@server /usr/home/user]# service -r | grep /apache [enter]
/usr/local/etc/rc.d/apache24
[root@server /usr/home/user]#

Find the rcvar for /usr/local/etc/rc.d/apache24 with:

[root@server /usr/home/user]# /usr/local/etc/rc.d/apache24 rcvar [enter]
# apache24
#
apache24_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start the Apache HTTP Server on system boot:

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# Apache HTTP Server' >> /etc/rc.conf; echo 'apache24_enable="YES"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

Rotate Log File

Automatically rotate the /var/log/httpd-error.log log file with:

[root@server /usr/home/user]# echo '/var/log/httpd-error.log                600  9   100000 *     Z' >> /etc/newsyslog.conf [enter]
[root@server /usr/home/user]#

Hosts Database Setup

The hostname must be resolvable, or Apache might have issues starting, depending on the modules you are using.

Edit file /etc/hosts to allow Apache HTTP Server 2.4 to resolve hostname(s):

[root@server /usr/home/user]# ee /etc/hosts

This is an example:

# $FreeBSD: releng/11.1/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1                     localhost localhost.example.net
127.0.0.1               localhost localhost.example.net
#
# Imaginary network.
#10.0.0.2               myname.my.domain myname
#10.0.0.3               myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
192.168.1.1     server.example.net

Display where the startup script expects the configuration file with:

[root@server /usr/home/user]# grep httpd.conf /usr/local/etc/rc.d/apache24 [enter]
required_files=/usr/local/etc/apache24/httpd.conf
[root@server /usr/home/user]#

‘ServerAdmin’ Email Address

Update ServerAdmin email address in file /usr/local/etc/apache24/httpd.conf as in this example with:

[root@server /usr/home/user]# perl -pi -e 's/admin\@your-domain.com/{your.name}\@{example.net}/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]#

SSL certificates

The server can hold multiple certificates, but only one per listening IP Address. So, if the server is listening on one IP address, only one certificate can be used for the server. All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name. If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based — not name-based. This is something to consider when creating your certificate.

In this example we will be using self-signed certificates created with OpenSSL.

Copy the Server Certificate file server.crt and the Server Private Key file server.key into the appropriate directory with:

[root@server /usr/home/user]# cp /usr/local/etc/ssl/*.key /usr/local/etc/apache24/server.key; cp /usr/local/etc/ssl/*.crt /usr/local/etc/apache24/server.crt [enter]
[root@server /usr/home/user]#

Enable use of Certificate files

Update the Apache configuration file /usr/local/etc/apache24/httpd.conf to use Certificate files with:

[root@server /usr/home/user]# perl -pi -e 's/#LoadModule socache_shmcb_module/LoadModule socache_shmcb_module/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/#LoadModule ssl_module/LoadModule ssl_module/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/Options Indexes FollowSymLinks/Options Indexes Includes FollowSymLinks/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/#Include etc\/apache24\/extra\/httpd-ssl.conf/Include etc\/apache24\/extra\/httpd-ssl.conf/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]#

Update ServerName and ServerAdmin in file /usr/local/etc/apache24/extra/httpd-ssl.conf as in this example.

[root@server /usr/home/user]# perl -pi -e 's/www.example.com/{www.example.net}/g' /usr/local/etc/apache24/extra/httpd-ssl.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/you\@example.com/{your.name}\@{example.net}/g' /usr/local/etc/apache24/extra/httpd-ssl.conf [enter]
[root@server /usr/home/user]#

Update all Certificate names in file /usr/local/etc/apache24/extra/httpd-ssl.conf as in this example.

[root@server /usr/home/user]# perl -pi -e 's/apache24\/server/apache24\/{server}/g' /usr/local/etc/apache24/extra/httpd-ssl.conf [enter]
[root@server /usr/home/user]#
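
perl -pi -e exits successfully even when its pattern matches nothing, so a directive can stay commented out without any warning. The following script, an added example that is not part of the original page, uncomments the same three httpd.conf directives idempotently and reports any that are still inactive; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# True when directive $2 begins an uncommented line of file $1.
is_active() {
    awk -v want="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, want) == 1 { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Uncomment directive $2 in file $1 (indentation is dropped), then confirm
# it is active. Repeating the call leaves an already active line untouched.
enable_directive() {
    awk -v want="$2" '
        /^[ \t]*#/ {
            line = $0; sub(/^[ \t]*#[ \t]*/, "", line)
            if (index(line, want) == 1) { print line; next }
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
    is_active "$1" "$2"
}

# Enable the three directives from the commands above; list the failures.
enable_ssl_directives() {
    rc=0
    for d in 'LoadModule socache_shmcb_module' \
             'LoadModule ssl_module' \
             'Include etc/apache24/extra/httpd-ssl.conf'; do
        enable_directive "$1" "$d" || { echo "NOT ACTIVE: $d"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the Include line is missing, as after a bad merge.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        '#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so' \
        'LoadModule ssl_module libexec/apache24/mod_ssl.so' > "$f"
    enable_ssl_directives "$f"; status=$?
    cat "$f"; rm -f "$f"
    return "$status"
}

demo || echo "httpd.conf needs manual attention"
```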

Optional: Virtual Hosts

Please see the documentation at <URL:http://httpd.apache.org/docs/2.4/vhosts/> for further details before you try to set up virtual hosts.

Name-based virtual hosting is usually simpler, since you need only configure your DNS server to map each hostname to the correct IP address and then configure the Apache HTTP Server to recognize the different hostnames. Name-based virtual hosting also eases the demand for scarce IP addresses. Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol.

As the term IP-based indicates, the server must have a different IP address for each IP-based virtual host. This can be achieved by the machine having several physical network connections, or by use of virtual interfaces.

There are two ways of configuring Apache to support multiple hosts: either by running a separate httpd daemon for each hostname, or by running a single daemon which supports all the virtual hosts.

The following example shows how Apache HTTP Server 2.4 can be configured to host the original IP (192.168.1.1) plus two additional domains on additional IPs (192.168.100.1 and 192.168.200.1). For this case, a single httpd will service requests for the main server and all the virtual hosts. This particular example only works on an intranet, because IPs ranging from 192.168.0.0 to 192.168.255.0 are not routed on the Internet.

Once IP aliasing has been set up on the system or the host has been configured with several network cards, Apache HTTP Server 2.4 can be configured. Specify a separate VirtualHost block for every virtual server.

Update the Apache configuration file /usr/local/etc/apache24/httpd.conf to use Virtual Hosts with:

[root@server /usr/home/user]# perl -pi -e 's/#Include etc\/apache24\/extra\/httpd-vhosts.conf/Include etc\/apache24\/extra\/httpd-vhosts.conf/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]#

Then edit file /usr/local/etc/apache24/extra/httpd-vhosts.conf, specifying a separate VirtualHost block for every virtual server, with:

[root@server /usr/home/user]# ee /usr/local/etc/apache24/extra/httpd-vhosts.conf [enter]

Example:

#
# IP-based Virtual Hosts
#
<VirtualHost 192.168.1.4:80>
  DocumentRoot "/usr/local/www/apache24/data"
  ServerName www.example.net
  <Directory "/usr/local/www/apache24/data">
    AllowOverride All
    Options Indexes FollowSymLinks
    # Apache 2.4 syntax (replaces the 2.2-style Order/Allow pair)
    Require all granted
  </Directory>
</VirtualHost>

<VirtualHost 192.168.1.4:443>
  DocumentRoot "/usr/local/www/apache24/data"
  ServerName www.example.net
  SSLEngine on
  SSLCertificateFile "/usr/local/etc/apache24/www.crt"
  SSLCertificateKeyFile "/usr/local/etc/apache24/www.key"
  <Directory "/usr/local/www/apache24/data">
    AllowOverride All
    Options Indexes FollowSymLinks
    # Apache 2.4 syntax (replaces the 2.2-style Order/Allow pair)
    Require all granted
  </Directory>
</VirtualHost>

It is now time to create your own certificate for the virtual host using the OpenSSL utility.

Now, you need to understand that one server can hold multiple certificates, but only one per listening IP address. So, if your server is listening on one IP address, you can only have one certificate for the server. All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name. If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based — not name-based. This is something to consider when creating your certificate.

In this example we will be using self-signed certificates created with OpenSSL.

Generate a Private Key for srv with:

[root@server /usr/home/user]# openssl genrsa -out www.key 1024 [enter]
Generating RSA private key, 1024 bit long modulus
...........................................................++++++
...........................++++++
e is 65537 (0x10001)
[root@server /usr/home/user]#

Generate a self-signed certificate with:

[root@server /usr/home/user]# openssl req -outform PEM -new -key www.key -x509 -days 1825 -out www.crt [enter]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Your City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Organization Name
Organizational Unit Name (eg, section) []:Your Organizational Unit Name
Common Name (eg, YOUR name) []:www.example.net
Email Address []:your.name@example.net
[root@server /usr/home/user]#

N.B.: Set Common Name (eg, YOUR name) to your server's DNS entry in file /etc/hosts!

N.B.: The produced Certificate will be valid for 1825 days, about 5 years.

Copy the Server Certificate file www.crt and the Server Private Key file www.key into the appropriate directory with:

[root@server /usr/home/user]# cp /usr/home/user/*.key /usr/local/etc/apache24/; cp /usr/home/user/*.crt /usr/local/etc/apache24/ [enter]
[root@server /usr/home/user]#
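
The transcript above creates a 1024-bit key, which is below the 2048-bit minimum that current CA and browser policies accept for RSA. As an added example (not from the original page; the function names and the MIN_BITS threshold are assumptions), this script checks a key and certificate pair for key size, file permissions, key/certificate match and host name before Apache is pointed at the files.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage: sh audit_pair.sh www.key www.crt www.example.net

MIN_BITS=2048   # assumption: smallest RSA modulus this check accepts

# RSA modulus size in bits, parsed from "Private-Key: (N bit ...)".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# True when neither group nor others have any permission on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when certificate $2 carries the public key that belongs to key $1.
pair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when certificate $1 is valid for host name $2 (SAN, else Common Name).
cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print one line per problem; return non-zero if any problem was found.
audit_pair() {
    key=$1 crt=$2 host=$3 rc=0
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "WEAK-KEY ${bits:-unreadable} bits (< $MIN_BITS)"; rc=1
    fi
    key_is_private "$key" ||
        { echo "KEY-PERMS group/other can access $key"; rc=1; }
    pair_matches "$key" "$crt" ||
        { echo "MISMATCH certificate does not belong to key"; rc=1; }
    cert_names_host "$crt" "$host" ||
        { echo "NAME certificate is not valid for $host"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit_pair "$@"; fi
```

Run against the files from the transcript, the script prints a WEAK-KEY line; regenerating the key with 2048 in place of 1024 and keeping it at mode 600 clears the findings.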

Verify your virtual host configuration with:

[root@server /usr/home/user]# httpd -S [enter]
VirtualHost configuration:
192.168.1.1:80         www.example.net (/usr/local/etc/apache24/extra/httpd-vhosts.conf:4)
192.168.1.1:443        www.example.net (/usr/local/etc/apache24/extra/httpd-vhosts.conf:15)
*:443                  www.example.net (/usr/local/etc/apache24/extra/httpd-ssl.conf:121)
ServerRoot: "/usr/local"
Main DocumentRoot: "/usr/local/www/apache24/data"
Main ErrorLog: "/var/log/httpd-error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=80
Group: name="www" id=80
[root@server /usr/home/user]#

HTTP Accept Filter

accf_http – buffers incoming connections until a complete HTTP request arrives

Load the accf_http kernel module at boot by adding it to kld_list in file /etc/rc.conf with:

[root@server /usr/home/user]# sysrc kld_list+="accf_http" [enter]
kld_list: ... -> ... accf_http
[root@server /usr/home/user]#

Manually load the HTTP Accept Filter with:

[root@server /usr/home/user]# kldload -v accf_http.ko [enter]
Loaded accf_http.ko, id=21
[root@server /usr/home/user]#

Data Accept Filter

accf_data – buffer incoming connections until data arrives

Load the accf_data kernel module at boot by adding it to kld_list in file /etc/rc.conf with:

[root@server /usr/home/user]# sysrc kld_list+="accf_data" [enter]
kld_list: ... -> ... accf_data
[root@server /usr/home/user]#

Manually load the Data Accept Filter with:

[root@server /usr/home/user]# kldload -v accf_data.ko [enter]
Loaded accf_data.ko, id=22
[root@server /usr/home/user]#

Start Apache HTTP Server

Start Apache HTTP Server with:

[root@server /usr/home/user]# service apache24 start [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
[root@server /usr/home/user]#

Verify apache24 status with:

[root@server /usr/home/user]# service apache24 status [enter]
apache24 is running as pid 53785.
[root@server /usr/home/user]#

Check the httpd error log for possible errors:

[root@server /usr/home/user]# tail /var/log/httpd-error.log [enter]
[root@server /usr/home/user]#

Optional – Enable Server Side Includes, SSI

Update the Apache configuration file /usr/local/etc/apache24/httpd.conf to use Server Side Includes, SSI, with:

[root@server /usr/home/user]# perl -pi -e 's/#LoadModule include_module/LoadModule include_module/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/Options Indexes/Options Indexes Includes/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/DirectoryIndex index/DirectoryIndex index.shtml index/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/#AddType text\/html .shtml/AddType text\/html .shtml/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]# perl -pi -e 's/#AddOutputFilter INCLUDES .shtml/AddOutputFilter INCLUDES .shtml/g' /usr/local/etc/apache24/httpd.conf [enter]
[root@server /usr/home/user]#

Update the Apache configuration file /usr/local/etc/apache24/extra/httpd-vhosts.conf to use Server Side Includes, SSI, with:

[root@server /usr/home/user]# perl -pi -e 's/Options Indexes/Options Indexes Includes/g' /usr/local/etc/apache24/extra/httpd-vhosts.conf [enter]
[root@server /usr/home/user]#

Restart apache24 with:

[root@server /usr/home/user]# service apache24 restart [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 1302.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
[root@server /usr/home/user]#

Test your SSI setup by creating a test file, ssi.shtml, with:

[root@server /usr/home/user]# ee /usr/local/www/apache24/data/ssi.shtml [enter]

Add the following lines:

<html>
<head>
<title>SSI Test Page</title>
</head>
<body>
<h1>Test of Server Side Include, SSI</h1>
<p>Date/Time Format information can be found <a href="http://www.oreilly.com/openbook/cgi/ch05_08.html">here</a></p>
<!--#config timefmt="%A, %e %B %Y, %H:%M %Z"-->
<p>This page was last updated <!--#echo var="last_modified" --></p>
<p>(If no date and time is displayed: Did you forget to restart Apache?)</p>
</body>
</html>

Start your favorite browser and go to the test page on the server, as in this example: http://www.example.net/ssi.shtml
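
Options Includes also permits the SSI exec element (IncludesNOEXEC does not), and the 's/Options Indexes/Options Indexes Includes/g' substitution, run on an httpd.conf that was already edited in the certificate section, leaves Includes on the line twice. This added example (not part of the original page; lint_options is a hypothetical helper and the sample input is constructed) flags those cases together with Indexes and AllowOverride All.

```shell
#!/bin/sh
# Added example, not from the original page. lint_options is hypothetical.

# Print "file:line: CODE detail" for risky or duplicated settings.
lint_options() {
    awk '
    /^[ \t]*#/ { next }                              # ignore comment lines
    tolower($1) == "options" {
        split("", seen); ssi_exec = 0                # reset for this line
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) continue                  # "-Opt" switches it off
            opt = tolower($i); sub(/^\+/, "", opt)
            if (seen[opt]++)
                printf "%s:%d: DUPLICATE %s\n", FILENAME, FNR, opt
            else if (opt == "indexes")
                printf "%s:%d: LISTING indexes shows directory contents\n", FILENAME, FNR
            else if (opt == "includes")
                ssi_exec = 1
        }
        if (ssi_exec)
            printf "%s:%d: SSI-EXEC includes permits #exec, IncludesNOEXEC does not\n", FILENAME, FNR
    }
    tolower($1) == "allowoverride" && tolower($2) == "all" {
        printf "%s:%d: OVERRIDE .htaccess can change every directive\n", FILENAME, FNR
    }' "$@"
}

# Constructed input: a Directory block like the one in the vhost example,
# with its Options line run through both substitutions applied to httpd.conf.
sample_after_edits() {
    printf '%s\n' '<Directory "/usr/local/www/apache24/data">' \
        '    AllowOverride All' \
        '    Options Indexes FollowSymLinks' \
        '</Directory>' |
    sed -e 's/Options Indexes FollowSymLinks/Options Indexes Includes FollowSymLinks/g' \
        -e 's/Options Indexes/Options Indexes Includes/g'
}

f=$(mktemp); sample_after_edits > "$f"; lint_options "$f"; rm -f "$f"
```

On a live system the function takes the real files as arguments, for example httpd.conf and extra/httpd-vhosts.conf under /usr/local/etc/apache24.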
