Certification Objective 9.01-The Apache Web Server | Linux Patch Management: Keeping Linux Systems Up To Date

Apache is by far the most popular Web server in use today. Based on the HTTP daemon (httpd), Apache provides simple and secure access to all types of content using the regular HTTP protocol as well as its secure cousin, HTTPS.

Apache was developed from the server code created by the National Center for Supercomputing Applications (NCSA). It included so many patches that it became known as "a patchy" server. The Apache Web server continues to advance the art of the Web and provides one of the most stable, secure, robust, and reliable Web servers available. This server is under constant development by the Apache Software Foundation (www.apache.org).

Inside the Exam

This chapter directly addresses two items in the Red Hat Exam Prep guide. This is the first chapter to focus on network services, as required of RHCE candidates. Per the latest Exam Prep guide, RHCT candidates do not need to be too concerned with this chapter. As noted in the Exam Prep guide, RHCE candidates "must be capable of configuring the following network services" during the Installation and Configuration portion of that exam:

HTTP/HTTPS
Web Proxy

Although you can use a number of different packages to configure HTTP, HTTPS, and Web Proxy services, the publicly available RH300 course outline focuses these services on Apache as a regular and secure Web server, and Squid as the Web Proxy server. The Exam Prep guide also notes that RHCEs should be able to

Diagnose and correct problems with network services.
Diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

This includes those services listed in the Installation and Configuration portion of the RHCE exam. For every network service, you also need to

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

Installing the required packages is trivial. You'll make sure the service is started when the system is booted with the appropriate chkconfig commands. Most of this chapter is dedicated to configuring the service for basic operation. Some services support host-based and user-based security in their configuration files; others support it with the tools described in Chapter 15. SELinux is also most easily configured using the SELinux Management tool described in Chapter 15.

While there are numerous other Web servers available, Apache is the only Web service described in the current RH300 course outline.

Apache is a service; basic Apache clients are Web browsers. Therefore, only those concerned with the RHCE need to read this chapter. This provides the briefest of overviews on Apache. For more information, read the documentation online at http://httpd.apache.org/docs-2.2.

Apache 2.2

Red Hat Enterprise Linux includes the latest major release of Apache, which is 2.2.x as of this writing. While there are major differences from previous versions of Apache (1.3.x, 2.0.x), if you're a Web administrator or developer, the differences with respect to the RHCE exam are fairly straightforward. The current version supports virtual hosts and access control, as well as secure (HTTPS) Web services. If you're interested in more, a full list of new features is available from http://httpd.apache.org/docs/2.2/new_features_2_2.html.

The following cites a few of the major changes:

New packages If you're installing Apache from the Red Hat Installation RPMs, all the package names have changed. As you'll see in the following section, most start with httpd. Strangely enough, the username associated with Apache services is now apache.
Modular directive files Basic directives, such as those based on Perl, PHP, or the Secure Socket Layer, are now configured separately in the /etc/httpd/conf.d directory. They are automatically included in the Apache configuration with the following directive in /etc/httpd/conf/httpd.conf:
```
 Include conf.d/*.conf 
```
Revised directives Some directives have changed in the httpd.conf configuration file. For example, Apache listens for computers that are looking for Web pages on port 80. You can now change that port with the Listen directive.
Virtual hosts Apache configuration is now normally based on virtual hosts, which allows you to host multiple Web sites on the same Apache server, using a single IP address.
Larger files Apache now supports files greater than 2GB.
Encryption Apache now supports encrypted authentication, as well as LDAP.

You may see some of these characteristics if you use Apache 1.3.x, as many of these features have been "backported" from current versions of Apache.

Installation

The RPM packages required by Apache are included in the Web Server package group. If required on the Installation and Configuration portion of the exam, you should install Apache during the installation process. But mistakes happen. Just remember that the simplest way to install Apache after installation is with the following command:

 # yum install httpd

Alternatively, if you need the Red Hat GUI Apache Management tool, run the following command, which also installs the Apache httpd RPM as a dependency:

 # yum install system-config-httpd

Another option is to just install the default packages associated with the entire Web Server package group with the following command:

 # yum groupinstall web-server

If you don't remember the names of available groups, run the yum grouplist command. From the output, you should see "Web Server"; in other words, the following command also works:

 # yum groupinstall "Web Server"

If your exam instructions require the installation of other packages such as mod_ssl (required for secure Web sites) and Squid, you can combine their installation in the same command:

 # yum install mod_ssl squid

If in doubt about package names, you can find them in the Web Server package group, as documented on the first installation CD in the Server/repodatata/comps-rhel5-server-core.xml file. If you're working with the RHEL 5 desktop, substitute Client for Server (upper- and lowercase). Once you've connected to a repository such as the RHN, the same information should be available in comps.xml in the /var/cache/yum/rhel-i386-server-5 directory. If you're working a different architecture and a client, substitute accordingly.

Starting on Reboot

Once Apache is installed, you'll want to make sure it starts the next time you boot Linux. If it doesn't start when the person who grades your Red Hat exam reboots your computer, you may not get credit for your work on the Apache service.

The most straightforward way to make sure Apache starts the next time you boot Linux is with the chkconfig command. You'll need to set it to start in at least runlevels 3 and 5, with a command such as:

 # chkconfig --level 35 httpd on

Alternatively, you can configure it to start in all standard runlevels (2, 3, 4, and 5) with the following command:

 # chkconfig httpd on

To determine whether the chkconfig command worked, use the --list switch:

 # chkconfig --list httpd

Normally to start services, it's best to use the associated script in the /etc/init.d directory, which contains an httpd script. However, Apache often starts and stops more gracefully with the following commands:

 # apachectl stop # apachectl start

Exam Watch

If you see "The 'links' package is required for this functionality" error message, you'll need to install the elinks RPM.

On the Job

If you're administering a currently running Web server, any restart may disconnect users from the server and make it appear that the server is down for some period of time. However, a service httpd reload command allows the server to continue to run, while reading any changes you've made to the configuration files. With Apache, the control script is apachectl, which substitutes for service httpd in most control scripts.

Once you've got Apache running, start a Web browser and enter a URL of http://localhost. If Apache installation is successful, you should see the screen in Figure 9-1.

image from book
Figure 9-1: The default Apache Web page

Read the screen and you will see that RHEL looks for Web page files in the /var/www/html directory. You can verify this with the DocumentRoot directive in the main Apache configuration file. If you want to create a custom error page, you can set it in the /etc/httpd/conf.d/welcome.conf file.

Exercise 9-1: Installing the Apache Server

In this exercise, you'll be installing all of the packages generally associated with the Apache server. Then you'll test and activate the result so that the Apache daemon, httpd, is active the next time you reboot Linux. The twist here is that you'll do it all from the command line interface. This assumes you've already registered with the Red Hat Network; if you haven't done so, you'll do so here as part of the process.

If you're in the GUI, open a command line console. Press ALT-F1 and log in as the root user.
Review the comps.xml file in the /usr/share/comps/i386 directory, and navigate to the Web Server package group. (If your computer uses another architecture, the directory may vary; however, the Red Hat exams are given on i386 systems.)
Make notes on the packages of interest.
Run the following command to review available groups. You should see "Web Server" near the end of the list.
```
 # yum groupinfo 
```
You can install all default packages in the "Web Server" package group with the following command:
```
 # yum groupinstall "Web Server" 
```
Back in the command line window, run the following command to see if Apache is already configured to start in any runlevels:
```
 # chkconfig --list httpd 
```
Now use the following command to make sure Apache starts in runlevels 3 and 5 the next time you boot Linux:
```
 # chkconfig --level 35 httpd on 
```
Start the Apache service with the following command:
```
 # apachectl start 
```
Install a text-based Web browser. As you may not have access to the GUI during the Red Hat exams, you need to know how to use text-based browsers. The standard is elinks, which you can install with the following command:
```
 # yum install elinks 
```
Now start the elinks browser, pointing to the local system, with the following command:
```
 # elinks 127.0.0.1 
```
Review the result. Do you see the Apache test page?
Exit from ELinks. Press Q, and when the Exit ELinks text menu appears, confirm that you really want to exit Elinks.
Back up the default httpd.conf configuration file; a logical location is your home directory.

The Apache Configuration Files

There are two key configuration files for the Apache Web server: httpd.conf in the /etc/httpd/conf directory and ssl.conf in the /etc/httpd/conf.d directory. The default versions of these files create a generic Web server service you can further customize and optimize, as desired. There are other configuration files in two directories: /etc/httpd/conf and /etc/httpd/conf.d. They're illustrated in Figure 9-2.

image from book
Figure 9-2: Apache configuration files

On the Job

Previous versions of Apache-1.3.x and earlier-required two other Apache configuration files in the same directory: access.conf and srm.conf. Even though these files were essentially blank in later versions of Apache 1.3.x, they were still required. These files are no longer required in any way in Apache 2.x.

You need to know the httpd.conf file in the /etc/httpd/conf directory well. If you're required to configure a secure Web server during the RHCE exam, you'll also need to configure the ssl.conf configuration file in the /etc/httpd/conf.d directory.

Analyzing the Default Apache Configuration

Apache comes with a well-commented set of default configuration files. In this section, you'll look at the key commands in the httpd.conf configuration file, in the /etc/httpd/conf directory. Browse through this file in your favorite text editor or using a command such as less. Before beginning this analysis, keep two things in mind:

If you configure Apache with the Red Hat HTTP tool (system-config-httpd), it overwrites any changes that you may have made with a text editor.
The main Apache configuration file incorporates the files in the /etc/httpd/conf.d directory with the following directive:
```
 Include conf.d/*.conf 
```

There are a couple of basic constructs in httpd.conf. First, directories, files, and modules are configured in "containers." The beginning of the container starts with the name of the directory, file, or module to be configured, contained in directional brackets (< >). Examples of this include:

 <Directory "/var/www/icons"> <Files ~ "^\.ht"> <IfModule mod_mime_magic.c>

The end of the container starts with a forward slash (/). For the same examples, the ends of the containers would look like:

 </Directory> </Files> </IfModule>

Next, Apache includes a substantial number of directives-commands that Apache can understand that have some resemblance to English. For example, the ExecCGI directive allows executable CGI scripts.

As the RHCE course divides the discussion of Apache into different units, I do the same here. However, the following sections, with the exception of secure virtual hosts, are based on the same httpd.conf file in the /etc/httpd/conf/ directory.

While this provides an overview, the devil is often in the details, which are analyzed (briefly) in the next section. For detailed information, see the Apache Web site at http://httpd.apache.org.

Analyzing httpd.conf

This section examines the default Apache configuration file, httpd.conf. If you want to follow along, open it on your system. Only the default active directives in that file are discussed here. Read the comments; they include more information and options.

For detailed information on each directive, see http://httpd.apache.org/docs/2.2/mod/quickreference.html. The default directives are summarized in the following three tables. Table 9-1 specifies directives associated with Section 1: Global Environment.

Table 9-1: Global Environment Directives
Directive	Description
ServerTokens	Specifies the response code at the bottom of error pages; if you're interested, see what happens when you change the values between OS, Prod, Major, Minor, Min, and Full.
ServerRoot	Sets the default directory; other directives are subdirectories.
PidFile	Names the file with the Process ID (and locks the service).
Timeout	Limits access time for both sent and received messages.
KeepAlive	Supports persistent connections.
MaxKeepAliveRequests	Limits requests during persistent connections (unless set to 0, which is no limit).
KeepAliveTimeout	Sets a time limit, in seconds, before a connection is closed.
StartServers	Adds child Apache processes; normally set to 8, which means 9 Apache processes run upon startup.
MinSpareServers	Specifies a minimum number of idle child servers.
MaxSpareServers	Specifies a maximum number of idle child servers; always at least +1 greater than MinSpareServers.
ServerLimit	Sets a limit on configurable processes; cannot exceed 20000.
MaxClients	Limits the number of simultaneous requests; other requests to the server just have to wait.
MaxRequestsPerChild	Limits the requests per child server process.
MinSpareThreads	Specifies the minimum number of spare threads to handle additional requests.
MaxSpareThreads	Specifies the maximum number of available idle threads to handle additional requests.
ThreadsPerChild	Sets the number of threads per child server process.
Listen	Specifies a port and possibly an IP address (for multihomed systems) to listen for requests.
LoadModule	Loads various modular components, such as authentication, user tracking, executable files, and more.
Include	Adds the content of other configuration files.
User	Specifies the username run by Apache on the local system.
Group	Specifies the group name run by Apache on the local system.

In all three tables, directives are listed in the order shown in the default version of httpd.conf. If you want to experiment with different values for each directive, save the change and then use apachectl restart to restart the Apache daemon. If not defined in these tables, directives are described, later in this chapter, as they appear in the configuration file.

Table 9-2 specifies directives associated with Section 2: Main Server Configuration.

Table 9-2: Main Server Configuration Directives
Directive	Description
ServerAdmin	Sets the administrative e-mail address; may be shown (or linked to) on default error pages.
UseCanonicalName	Supports the use of ServerName as the referenced URL.
DocumentRoot	Assigns the root directory for Web site files.
Options	Specifies features associated with Web directories, such as ExecCGI, FollowSymLinks, Includes, Indexes, MultiViews, and SymLinksIfOwnerMatch.
AllowOverride	Supports overriding of previous directives from .htaccess files.
Order	Sets the sequence for evaluating Allow and Deny directives.
Allow	Configures host computers that are allowed access.
Deny	Configures host computers that are denied access.
UserDir	Specifies location of user directories; can be set to enable or disable for all or specified users.
DirectoryIndex	Specifies files to look for when navigating to a directory; set to index.html by default.
AccessFileName	Sets a filename within a directory for more directives; normally looks for .htaccess.
TypesConfig	Locates mime.types, which specifies file types associated with extensions.
DefaultType	Sets a default file type if not found in mime.types.
MIMEMagicFile	Normally looks to /etc/httpd/conf/magic to look inside a file for its MIME type.
HostNameLookups	Requires URL lookups for IP addresses; results are logged.
ErrorLog	Locates the error log file, relative to ServerRoot.
LogLevel	Specifies the level of log messages.
LogFormat	Sets the information included in log files.
CustomLog	Creates a customized log file, in a different format, with a location relative to ServerRoot.
ServerSignature	Adds a list with server version and possibly ServerAdmin e-mail address to error pages and file lists; can be set to On, OFF, or EMail.
Alias	Configures a directory location; similar to a soft link.
DAVLockDB	Specifies the path to the lock file for the WebDAV (Web-based Distributed Authoring and Versioning) database.
ScriptAlias	Similar to Alias; for scripts.
IndexOptions	Specifies how files are listed from a DirectoryIndex.
AddIconByEncoding	Assigns an icon for a file by MIME encoding.
AddIconByType	Assigns an icon for a file by MIME type.
AddIcon	Assigns an icon for a file by extension.
DefaultIcon	Sets a default icon for files not otherwise configured.
ReadmeName	Configures a location for a README file to go with a directory list.
HeaderName	Configures a location for a HEADER file to go with a directory list.
IndexIgnore	Adds files that are not included in a directory list.
AddLanguage	Assigns a language for file name extensions.
LanguagePriority	Sets a priority of languages if not configured in client browsers.
ForceLanguagePriority	Specifies action if a Web page in the preferred language is not found.
AddDefaultCharset	Sets a default character set; you may need to change it for different languages.
AddType	Maps file name extensions to a specified content type.
AddHandler	Maps file name extensions to a specified handler; commonly used for scripts or multiple languages.
AddOutputFilter	Maps file name extensions to a specified filter.
BrowserMatch	Customizes responses to different browser clients.

Table 9-3 specifies directives associated with Section 3: Virtual Hosts. While virtual host directives are disabled by default, I include those directives in the commented example near the end of the default httpd.conf file. While these directives were already used in other sections, you can-and should-customize them for individual virtual hosts to support different Web sites on the same Apache server.

Table 9-3: Virtual Host Configuration Directives
Directive	Description
NameVirtualHost	Specifies an IP address for multiple virtual hosts.
ServerAdmin	Assigns an e-mail address for the specified virtual host.
DocumentRoot	Sets a root directory for the virtual host.
ServerName	Names the URL for the virtual host.
ErrorLog	Creates an error log; the location is based on the DocumentRoot.
CustomLog	Creates an custom log; the location is based on the DocumentRoot.

Basic Apache Configuration for a Simple Web Server

As described earlier, Apache looks for Web pages in the directory specified by the DocumentRoot directive. In the default httpd.conf file, this directive points to the /var/www/html directory.

In other words, all you need to get your Web server up and running is to transfer Web pages to the /var/www/html directory.

The default DirectoryIndex directive looks for an index.html Web page file in this directory. You can test this for yourself by copying the default Firefox home page file, index.html, from the /usr/share/doc/HTML directory.

The base location of configuration and log files is determined by the ServerRoot directive. The default value from httpd.conf is

 ServerRoot "/etc/httpd"

You'll note that the main configuration files are stored in the conf and conf.d subdirectories of the ServerRoot. If you run the ls -l /etc/httpd command, you'll find that Red Hat links /etc/httpd/logs to the directory with the actual log files, /var/log/httpd.