Certification Objective 9.03-Virtual Hosts

Another useful feature of Apache 2.2 is its ability to manage Web sites using a single IP address. You can do so by creating multiple virtual hosts on the same Web server. You can configure virtual hosts for regular Web sites in the main Apache configuration file, /etc/httpd/conf/httpd.conf. In that way, you can link multiple domain names such as www.example.com and www.mommabears.com to the same IP address on the same Apache server.

On the Job

The example.com, example.org, and example.net domain names cannot be registered and are officially reserved by the Internet society for documentation.

You can also create multiple secure Web sites that conform to the HTTPS protocol by configuring virtual hosts in the /etc/httpd/conf.d/ssl.conf configuration file. While the details vary, the basic directives that you'd use in this file are the same.

Exam Watch

While truly secure HTTPS sites include server certificates, there is no cited requirement in the Red Hat Exam Prep guide or associated RH300 course to create such certificates.

Virtual Hosts

As described earlier, Section 3 of the default httpd.conf includes sample commands that you might use to create one or more virtual hosts. To activate the virtual host feature, you'll first want to activate this directive:

 #NameVirtualHost *:80 

If you're using a name-based host, leave the asterisk after this directive. Otherwise, set the IP address for your interface. It's often more reliable to substitute the IP address, as it avoids the delays sometimes associated with name resolution through a DNS server. However, you may need to create multiple name-based virtual hosts as well.

Exam Watch

If you're required to create a virtual host for a secure Web site, you'll need a second NameVirtualHost directive for the HTTPS port, 443. The other commands come from /etc/httpd/conf.d/ssl.conf and are incorporated through the Include conf.d/*.conf directive. If you prefer, you can include NameVirtualHost *:443 in ssl.conf.

You should already know that TCP/IP port 80 is the default for serving Web pages. If you want to direct all requests on this server via IP address 192.168.30.2 on port 80, you can substitute <VirtualHost 192.168.30.2:80> for the first line. But this defeats the purpose of virtual hosts, as you would need different IP addresses for any additional virtual host Web sites.

 #<VirtualHost *:80> #     ServerAdmin webmaster@dummy-host.example.com #     DocumentRoot /www/docs/dummy-host.example.com #     ServerName dummy-host.example.com #     ErrorLog logs/dummy-host.example.com-error_log #     CustomLog logs/dummy-host.example.com-access_log common #</VirtualHost> 

Don't forget to uncomment the commands shown by removing the # in front of each line. As you can see, this includes a number of directives from the main part of the configuration file. Here are the highlights of this container:

• Error messages are sent to the e-mail address defined by ServerAdmin.

• The Web pages can be stored in the DocumentRoot directory. Check the SELinux security contexts of the DocumentRoot directory you create, as described earlier in the "Apache and Security Arrangements" section. Apply the chcon command as required to make the security contexts match

• Clients can call this Web site through the ServerName.

• The ErrorLog and CustomLog directives use the relative log directory, relative to the ServerRoot. Unless you've created a different ServerRoot for this virtual host, you can find these files in the /etc/httpd/logs directory. As noted earlier, this directory is linked to /var/logs/httpd.

It's easy to create your own virtual host site. Substitute the IP domain names, directories, files, and e-mail addresses of your choice. Create the DocumentRoot directory if required. You can test the syntax of what you've done with the following command:

 # httpd -t 

Apache will verify your configuration or identify specific problems. When you run this command on the default configuration, you'll get the following message:

 Syntax OK 

If you've created multiple virtual hosts, you can check them as well with the following command:

 # httpd -D DUMP_VHOSTS 

The output should list the default and individual virtual hosts. For example, I see the following output from one of my RHEL 5 systems:

 [Fri Dec 16 13:38:14 2007] [warn] _default_ VirtualHost overlap on port 80, the first has precedence VirtualHost configuration: wildcard NameVirtualHosts and _default_ servers: _default_:443   Enterprise5a.example.net (/etc/httpd/conf.d/ssl.conf:81) *:80            site1.example.net (/etc/httpd/conf/httpd.conf:999) *:80            site2.example.net (/etc/httpd/conf/httpd.conf:1006) Syntax OK 

If you still get a "using 127.0.0.1 for ServerName" error, you haven't assigned a value for the ServerName directive.

Secure Virtual Hosts

If you're configuring a secure Web server that conforms to the HTTPS protocol, Red Hat provides a different configuration file for this purpose: ssl.conf in the /etc/httpd/ conf.d directory. If you don't see this file, you need to install the mod_ssl RPM. Before you begin editing this file, make sure the following Listen directive is active:

 Listen 443 

Later in this file, pay attention to the <VirtualHost _default_:443> container. Make a comparison to the <VirtualHost> container in httpd.conf. You'll need to address at least the same directives as shown in httpd.conf. If you accidentally leave out some of these commands, you'll end up with a nonworking Web server. You can replace _default_ in the VirtualHost container with an asterisk (*).

Follow the same guidelines described earlier for the regular virtual host. Ideally, you should configure a DocumentRoot in a directory other than the default for the Web server-or the virtual host. You'll also need to add an index.html file to this directory. One possible option for DocumentRoot is

 DocumentRoot /www/secure/dummy-host.example.com 

You'll also need to add a ServerName directive, pointing to the secure HTTP port, 443. For the previously noted virtual host domain, that would lead to the following directive:

 ServerName dummy-host.example.com:443 

Add desired error logs. The default options are usually appropriate and should be configured to write to files that are different from the logs for a regular virtual host Web site:

 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn CustomLog logs/ssl_request_log \           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 

A Basic Web Page

You may need to create some index.html files during your exam. Fortunately, the Red Hat exams don't test knowledge of HTML. You could use Apache's default Web page. You can change this or any other Web page with a text- or HTML-specific editor.

You can even save a simple text file as index.html. For example, you might save the following line in the text editor of your choice as index.html. You could then copy it to the appropriate DocumentRoot directory.

 This is a simple Web page 

To see the effect for yourself, create your own index.html file with the text of your choice. Open the file in any browser to see what happens.

Checking Syntax

You can check the work that you've done to create virtual hosts with the following command:

 # httpd -S 

Assuming no problems are found, you should be able to start your Web server and connect to your local service with a browser request.

The beauty of VirtualHost containers is that you can copy virtually the same stanza to create as many Web sites on your Apache server as your computer can handle. All you require is one IP address. When you set up the next VirtualHost container, make sure that you revise at least the ServerName, the locations of the log files, and the DocumentRoot.

Exam Watch

Be prepared to create multiple Web sites on an Apache Web server using virtual hosts. If you're required to do so on your exam, create a separate VirtualHost container for this purpose.

Executable Files in Apache

You can set up Apache resources in many different ways. Some might be available in different languages, different media types, or other variations. When you set up multiple resources, Apache can select the file that is opened based on the browser-supplied preferences for media type, languages, character set, and encoding.

You can use the ScriptAlias directive for directories with executable CGI files. Various Alias directives link files or directories, similar to the ln -s command. The following ScriptAlias directive links the default cgi-bin directory to /var/www/cgi-bin. You can set up CGI scripts in a directory other than /var/www/cgi-bin and change the reference accordingly.

 ScriptAlias /cgi-bin/ "/var/www/cgi-bin" <Directory /var/www/cgi-bin>      AllowOverride None      Options None      Order allow,deny      Allow from all </Directory> 

This excerpt from the default httpd.conf file first identifies the directory with server scripts. Permissions for those other than root are adjusted through the <Directory /var/www/cgi-bin> container. The AllowOverride None command prevents regular users from changing permissions/settings in that directory. Otherwise, smarter users could read the CGI files in your directory, potentially compromising the security of your Web server. The Options None line prevents other users from running CGI scripts in the given directory. The Order allow,deny command sets up authorization checks; Allow from all lets all users run scripts in this directory.

The Alias /icons/ "/var/www/icons" directive identifies a directory for icons on your Web site. If the DocumentRoot is /www.example.com, you can set up the icons in HTML code on your page in the /www.example.com/icons directory. You can then store the icons on your computer in the /var/www/icons directory.

Finally, you can add access control for any other directories available via your Web interface. Just wrap the directory you want to control in a <Directory /path/to/dir>… </Directory> container and set the access restrictions you need. The following stanza limits access based first on the Deny directive:

 <Directory /path/to/your/directory/goes/here/>     Options Indexes FollowSymLinks     Order deny,allow     Deny from .evil.crackers.net     Allow from .yourdomain.net </Directory> 

Apache Log Files

As described earlier, the log files in httpd.conf are configured in the /etc/httpd/logs directory. It's linked to /var/log/httpd. Access to your Web server is logged in the access_log file; errors are recorded in the error_log file. If you want more details about your Web site for tuning or statistical reasons, you can have the Web server generate more information, generate separate log files for each virtual Web site, and create new log files at different frequencies (such as daily, weekly, or monthly).

There are standard Apache log file formats. For more information, take a look at the LogFormat directive in Figure 9-4. Four different formats are shown: combined, common, the referrer (the Web page with the link used to get to your site), and the agent (the user's Web browser). The first two LogFormat lines include a number of percent signs followed by lowercase letters. These directives determine what goes into the log.

Figure 9-4: Customized Apache logs

You then use the CustomLog directive to select a location for the log file (for example, logs/access_log) and which log file format you want to use (for example, common). For more information on log files and formats, refer to http://httpd.apache.org/docs-2.2/logs.html.

On the Job

Some Web log analyzers have specific requirements for log file formats. For example, the popular open source tool awstats (advanced Web Stats) requires the combined log format. It will fail to run if you leave the default common format. Awstats is a great tool for graphically displaying site activity. You can download it from a site such as www.sourceforge.net.

Apache Troubleshooting

When you install the right Apache packages, the default configuration normally creates a running system. But if you're setting up a real Web site, you probably want more than just the test page. Before you start changing the configuration, back up the httpd.conf Apache configuration file. If something goes wrong, you can always start over.

Some Apache errors fall into the following categories:

• Error message about an inability to bind to an address Another network process may already be using the default http port (80). Alternatively, your computer is running httpd as a normal user (not the user apache) with a port below 1024.

• Network addressing or routing errors Double-check your network settings. For more information on configuring your computer for networking, see Chapter 9.

• Apache isn't running Check the error message when you use the apachectl command to start or restart the Apache server. Check the error_log in the /var/log/httpd directory.

• Apache isn't running after a reboot Run chkconfig --list httpd. Make sure Apache (httpd) is set to start at appropriate runlevels during the boot process with the command

   # chkconfig httpd on 

• You need to stop Apache Send the parent process a TERM signal, based on its PID. By default, this is located in /var/run/httpd.pid. You kill Apache with a command such as

   #kill -TERM `cat /var/run/httpd.pid` 

• Alternatively, you can use the apachectl stop command.

Exercise 9-4: Updating a Home Page

In this exercise, you'll update the home page associated with your Web site on the Apache server. You can use these techniques to copy the actual HTML formatted pages for your Web site.

1. Start the Apache Web server with the default configuration. (If you've previously created virtual hosts, comment out those directives. If you've saved the default verison of httpd.conf as suggested in Exercise 9-1, restore it from your home directory.)

2. Copy an HTML file such as /var/www/error/noindex.html to /var/www/html/ index.html.

3. Edit the file /var/www/html/index.html.

4. Change the title of the page to reflect your personal or corporate name; save the changes.

5. Use a Web browser such as Firefox to connect to localhost (or 127.0.0.1).

6. Close the Web browser.

On the Job

Apache administration is a necessary skill for any Linux system administrator. You should develop the ability to install, configure, and troubleshoot Apache quickly. You should also be able to set up and customize virtual Web sites, which will make you a more effective Webmaster. You can test your skills using the Exercise and Labs that follow.

Exercise 9-5: Setting Up a Virtual Web Server

In this exercise, you'll set up a Web server with a virtual Web site. You can use this technique with different directories to set up additional virtual Web sites on the same Apache server.

1. Back up your httpd.conf file.

2. Add a virtual Web site for the fictional company LuvLinex, with a URL of www.example.net. Don't forget to modify the NameVirtualHost directive. Use the sample comments at the end of the httpd.conf file for hints as needed.

3. Assign the DocumentRoot directive to the /luvlinex directory. (Don't forget to create this directory on your system as well.)

4. Open the /luvlinex/index.html file in your text editor. Add a simple line in text format such as:

    This is the placeholder for the LuvLinex Web site. 

5. Save this file.

6. If you've enabled SELinux on this system, you'll have to apply the chcon command to this directory:

    # chcon -R -u system_u /luvlinex/ # chcon -R -t httpd_sys_content_t /luvlinex/ 

7. If you've created a DNS service, as discussed in Chapter 11, update the associated database. Otherwise, update /etc/hosts with www.example.net and the appropriate IP address.

8. If you want to check the syntax, run the httpd -t and httpd -D DUMP_VHOSTS commands.

9. Remember to restart the Apache service; the proper way is with the apachectl restart command.

10. Open the browser of your choice. Test access the configured Web site (www.example.net) and the Web site on the localhost computer.

11. Go to a remote system and repeat steps 7 and 10. When pointing a browser to the Web server's system, use its host name or IP address. Update the remote /etc/hosts if appropriate.

12. Close the browsers on both systems. Restore the original httpd.conf configuration file.

The Red Hat httpd Configuration Tool

Red Hat has its own graphical configuration tool for Apache, system-config-httpd, which you can install from the RPM of the same name. Before using this tool, back up your current /etc/httpd/conf/httpd.conf configuration file. Any changes that you make with this tool overwrite this file.

You will find that system-config-httpd is a straightforward tool, with four different tabs that can help you configure the httpd.conf configuration file. You can also open this tool in the GNOME desktop with the System | Administration | Server Settings | HTTP command (substitute Main Menu for System if you're using KDE). However, as it cannot be used to edit the ssl.conf configuration file, therefore you should not use it to create a secure (HTTPS) Web server.

Exam Watch

I recommend that you do not use the Red Hat GUI HTTPD configuration tool, system-config-httpd, during the Red Hat exams. In my opinion, it is faster to edit the Apache configuration files from the command line interface, using the techniques described earlier in this chapter.

However, it may be useful to practice creating virtual hosts with this utility, so I'll described the tabs shown in Figure 9-5.

• Main The Main tab allows you to set basic parameters for your Apache server, including the Server Name, the Webmaster e-mail address, and the Listen directive.

• Virtual Hosts The Virtual Hosts tab permits you to set the properties for different Web sites that you host on your Apache server. This includes the DocumentRoot, basic HTML file names and locations, SSL support, basic log file configuration, CGI script directives, and default directories.

• Server The Server tab enables you to set the basic lock and PID files, as well as the user and group associated with the httpd service. In most cases, you should not have to change these settings.

• Performance Tuning The Performance Tuning tab allows you to set basic connection parameters.

Figure 9-5: The Apache configuration tool, Main tab

Even if you do master this tool for configuring a regular Web server, you'll need to manually edit the ssl.conf file (in the /etc/httpd/conf.d/ directory) to create a secure Web server. And I believe that it's easier to learn and faster to edit the Apache configuration file, /etc/httpd/conf/httpd.conf, directly in a text editor. Remember that time may be of the essence when you take the RHCE exam.