Apache

Apache configuration files

httpd.conf is Apache's main configuration file by default. It pulls in other files and directories via Include and IncludeOptional directives, which are meant to simplify the main configuration file. The resulting structure varies widely between platforms.

The location of httpd.conf itself differs between platforms. These are some of the known locations:

| Platform | Location |
| --- | --- |
| xampp | {installation directory}/apache/conf/httpd.conf |
| macOS | /private/etc/apache2/httpd.conf |
| homebrew | /usr/local/etc/apache2/2.4/httpd.conf |
| Debian/Ubuntu | /etc/apache2/httpd.conf |
| RedHat/CentOS/Fedora | /etc/httpd/conf/httpd.conf |

If your platform of choice is not on the list, simply run httpd -V from the terminal and look for SERVER_CONFIG_FILE.

# httpd -V
Server version: Apache/2.4.25 (Unix)
Server built:   Feb  6 2017 20:02:10
Server's Module Magic Number: 20120211:67
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_FLOCK_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr"
 -D SUEXEC_BIN="/usr/bin/suexec"
 -D DEFAULT_PIDLOG="/private/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/private/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"

Different platforms might use different binary names such as apache, apache2, apachectl or apache2ctl.

Use grep to get only the relevant line.

# httpd -V | grep SERVER_CONFIG_FILE
 -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"

Combine the values of HTTPD_ROOT and SERVER_CONFIG_FILE if the output doesn't provide the absolute path of the configuration file.
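The combining step above can be scripted. This is an added example, not part of the original page; resolve_httpd_conf is a hypothetical helper name and the relative-path sample is constructed.

```shell
# Added example (not from the original page). resolve_httpd_conf is a
# hypothetical helper: it reads `httpd -V` output on stdin and prints the
# absolute path of the main configuration file.
resolve_httpd_conf() {
    awk -F'"' '
        /-D HTTPD_ROOT=/         { root = $2 }
        /-D SERVER_CONFIG_FILE=/ { conf = $2 }
        END {
            if (conf == "") exit 1                 # no SERVER_CONFIG_FILE line seen
            if (substr(conf, 1, 1) == "/") {       # already absolute: use as-is
                print conf
                exit 0
            }
            if (root == "") exit 1                 # relative path but no HTTPD_ROOT
            sub(/\/+$/, "", root)                  # avoid a doubled slash
            print root "/" conf
        }'
}

# Constructed sample with a relative SERVER_CONFIG_FILE.
SAMPLE_RELATIVE=' -D HTTPD_ROOT="/etc/httpd"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"'

# The two relevant lines from the httpd -V output shown above.
SAMPLE_ABSOLUTE=' -D HTTPD_ROOT="/usr"
 -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"'

printf '%s\n' "$SAMPLE_RELATIVE" | resolve_httpd_conf
printf '%s\n' "$SAMPLE_ABSOLUTE" | resolve_httpd_conf

# On a live host:  httpd -V | resolve_httpd_conf
```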

How to configure Apache reverse proxy

A reverse proxy in Apache is an Apache web server transparently serving content from another web server. This is useful in many instances such as caching and mirroring, but it's mostly used to serve websites that are hosted behind NAT or a firewall. A reverse proxy server routes connections addressed to the internal server, and the client sees the reverse proxy server itself as the origin server.

For example, Apache can be configured to serve URLs such as http://www.example.com/webapp while actually getting the content from http://192.168.0.10/myapp, which is hosted on an internal network. This happens transparently, and the user initially requesting http://www.example.com/webapp need not be aware of what happens in the background.

How to disable directory listing in Apache

If no DirectoryIndex file (normally configured as index.html, index.htm, index.php, welcome.html) is present in a directory, and mod_autoindex is enabled (which it normally is by default), Apache lists the directory contents.

While useful in some cases, you would want to disable this feature (perhaps for security reasons). There are a few ways to do this.

How to restart Apache service

There are many ways to restart the Apache service, depending on your platform of choice and personal preferences.

| Platform | Command |
| --- | --- |
| Ubuntu 16.10 and later, RedHat/CentOS 7 and later, Fedora and other platforms with systemd | # systemctl restart httpd.service |
| Platforms with the service command (normally a wrapper for System V init scripts or systemd commands) | # service httpd restart |
| Older platforms with System V init scripts | # /etc/init.d/apache2 restart |
| Apache's built-in command | # httpd -k restart |

Different platforms might use different binary/script names such as apache, apache2, apachectl or apache2ctl.

How to test Apache configuration without restarting the service

It's always a good idea to test your newly updated Apache config file before restarting the service itself. This helps avoid downtime caused by Apache refusing to start because of a misconfiguration. You can use apachectl, httpd or equivalent binaries as in the examples below:

Different platforms might use different binary names such as apache, apache2 or apache2ctl.

  1. httpd

    # httpd -t
    AH00112: Warning: DocumentRoot [/var/www/mywebsite] does not exist
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
    Syntax OK
  2. apachectl

    # apachectl configtest
    AH00112: Warning: DocumentRoot [/var/www/mywebsite] does not exist
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
    Syntax OK

What happens is that the programs will try to parse the configuration files without implementing any of your changes. Once you get Syntax OK at the end of the output and are satisfied with all the warnings (if any), you could confidently restart your Apache service.

How to analyze Apache log for security with Scalp

Scalp! is a log analyzer for the Apache web server that looks for security problems. It reads the Apache log and analyzes it for possible attacks using rulesets provided by the PHP-IDS project. It is available for download from GitHub.

Scalp! is currently written in Python, though the writer claims he's now working on a C++ version of it. The current Python version can only analyze a maximum of 10000 lines of log, and seems to be a bit slow. The C++ version is aimed at overcoming these problems.

When run without any parameters, Scalp looks for the access_log and default_filter.xml files in the current directory and writes the report to standard output. access_log is the Apache log file, and default_filter.xml is the filter ruleset available from the PHPIDS project. Running the program as follows uses the Apache log file at /var/log/apache2/access.log and the PHPIDS ruleset from ~/default_filter.xml:

$ python scalp.py --log /var/log/apache2/access.log --filters ~/default_filter.xml

To overcome the program's 10000-line limitation, the Linux program split can be used as a log splitter, as in the example below, and Scalp! is then run against each of the split log files:

$ split -l 10000  /var/log/apache2/access.log
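The split step and the per-chunk runs can be combined into one helper. This is an added example, not part of the original page or the Scalp project; analyze_in_chunks and the ANALYZER override are hypothetical names, and the default command line is the scalp.py invocation shown above.

```shell
# Added example (not from the original page). analyze_in_chunks is a
# hypothetical helper; ANALYZER is an assumed override that defaults to the
# scalp.py command line shown above. Use a fresh output directory per run so
# chunks left over from an earlier run are not analyzed again.
analyze_in_chunks() {
    log=$1 filters=$2 outdir=$3
    mkdir -p "$outdir/chunks" "$outdir/reports" || return 1
    # Each chunk holds at most 10000 lines, the limit described above.
    split -l 10000 "$log" "$outdir/chunks/part_" || return 1
    count=0
    for chunk in "$outdir"/chunks/part_*; do
        [ -f "$chunk" ] || continue
        # Intentionally unquoted so "python scalp.py" splits into command + argument.
        ${ANALYZER:-python scalp.py} --log "$chunk" --filters "$filters" \
            > "$outdir/reports/$(basename "$chunk").txt" \
            || echo "analyzer failed on $chunk" >&2
        count=$((count + 1))
    done
    echo "$count"    # number of chunks handed to the analyzer
}

# Usage:
#   analyze_in_chunks /var/log/apache2/access.log ~/default_filter.xml ./scalp-run
```

Each chunk's report lands in the reports directory under the chunk's name, so a finding can be traced back to its 10000-line slice of the original log.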

How to redirect non-www URL to www in Apache

If both the www and non-www domains of your website (http://example.com and http://www.example.com) serve the same website, and you want people going to http://example.com to be automatically redirected to http://www.example.com, there are a few ways to do so with Apache.

How to change Apache user and group

Apache normally runs as an unprivileged user without shell access on most platforms. This is for security reasons: a poorly written script or configuration, if exploited, will then not escalate and cause much harm to the system.

If you're running a development environment and know exactly what you're doing, you can change the user and group that the Apache process runs as with these simple steps:

  1. Find the User and Group directives in Apache's configuration file.

  2. Set the user and group that you want Apache process to run as. The following example is to run it as root.

    User root
    Group root

    This could be a big security risk, especially when running it as root.

    Make sure the user and group have appropriate permissions on DocumentRoot and related files and folders.

  3. Check if the changes were successful.

    $ ps aux | grep apache2
    root      1188  0.0  0.1 162184  6664 ?        Ss   Mar29   0:02 /usr/sbin/apache2 -k start
    root  1197  0.0  0.1 162184  5668 ?        S    Mar29   0:00 /usr/sbin/apache2 -k start
    root  1198  0.0  0.1 162184  5916 ?        S    Mar29   0:00 /usr/sbin/apache2 -k start
    root  1200  0.0  0.1 162184  5684 ?        S    Mar29   0:00 /usr/sbin/apache2 -k start
    root  1201  0.0  0.1 162184  5684 ?        S    Mar29   0:00 /usr/sbin/apache2 -k start
    root  1202  0.0  0.1 162184  5684 ?        S    Mar29   0:00 /usr/sbin/apache2 -k start

    In some distributions the Apache binary could be named httpd instead of apache2.
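The ps check in step 3 can also be turned around to detect hosts where the setting above was left in place. This is an added example, not part of the original page; find_root_workers is a hypothetical helper and the sample process list is constructed. The parent process normally stays root even with an unprivileged User directive, so the check looks only at workers.

```shell
# Added example (not from the original page). find_root_workers is a
# hypothetical helper: it reads "USER PID PPID COMMAND" lines on stdin and
# prints the PID of every apache2/httpd process that runs as root and whose
# parent is also an apache2/httpd process (a worker, not the parent).
find_root_workers() {
    awk '
        $4 ~ /^(apache2|httpd)$/ { user[$2] = $1; parent[$2] = $3; order[++n] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                if ((parent[pid] in user) && user[pid] == "root") print pid
            }
        }'
}

# Constructed sample: parent 1188 (root), one worker left as root, one as www-data.
SAMPLE_PS='root 1188 1 apache2
root 1197 1188 apache2
www-data 1198 1188 apache2
root 2040 1 sshd'

printf '%s\n' "$SAMPLE_PS" | find_root_workers

# On a live host (standard ps options, headers suppressed):
#   ps -e -o user= -o pid= -o ppid= -o comm= | find_root_workers
```

Empty output means no worker is running as root.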
