The Apache server is a versatile package whose primary
function is to deliver web page content (.html files and .jpeg image files)
through Port 80 via HTTP (Hypertext Transfer Protocol) to the IP address
making a request. Through modules, which may be compiled in or loaded
dynamically, its functionality can be dramatically expanded.
The Apache server is available from the Apache Software Foundation
(www.Apache.org) as either a binary package (i.e. Red
Hat Package Manager files -- *.rpm) for a variety of operating
systems and processors or as source code (i.e. TarBall --
*.tar.gz) which must be compiled on your machine. We will
consider a Linux installation based on the RedHat 7.3 distribution.
Before installing, it is important to make some decisions
about how the server will run. It is possible to compile Apache with the
desired extra functions as part of a large monolithic program. The alternative
is to compile the server to dynamically load modules as needed. The latter
provides a smaller running program but there is generally a small delay as each
module is loaded and initialized. These are accomplished through
AddModule directives. The default
RedHat 7.3 installation, from RPMs, uses dynamic loading of modules.
Current versions of the Apache server use a configuration
file (/etc/httpd/conf/httpd.conf) which is surprisingly readable.
However, since there are a lot of directives, it seems wise to point out some
of the more interesting ones which may need to be consulted or modified. The
directives are not case sensitive but references to the file system are. They
are presented in the order in which they appear in the default
[NOTE: The location of the configuration file may
vary depending on the distribution of Linux, operating system, or how Apache
was installed. For example, on Knoppix 3.1 (a distribution for Intel-type
processors based on Debian Linux which runs completely from a CD-ROM) the
configuration file is located at
This is the location of the files used by Apache, including the configuration file and symbolic links to the modules and logfiles directories.
This directive is used to identify the port number through
which Apache will listen for HTTP requests. It will supersede the
Port directive if both are present in the
file. The argument of the directive may contain an IP address and port
This is the old way to identify the port number to which Apache will listen for web requests.
    User apache
    Group apache
These identify the user name (or UID number) and group name (or GID number) under which Apache will run. In current versions the user and group are "apache" (UID 48, GID 48). In earlier versions, this was typically the user and group "nobody" (UID 99, GID 99).
This is the e-mail address of the administrator of the server. On certain Apache-generated error pages, this address will appear so it may be desirable to use a mail alias which is appropriate.
This is the top level of the directory for displaying web pages. On a default Apache installation in Red Hat Linux, the value for DocumentRoot is "/var/www/html". However, there is so much activity in this directory that it usually is a good idea to place the web pages in their own partition. Many administrators choose to place this in a separate hard drive partition and use the /www mount point to contain the disk usage and permit the use of extended attributes on this portion of the filespace. In this case, the /www/html directory is the location where the actual .html files and image files are stored. Executables, such as CGI files, are usually located elsewhere in a reasonably-secure system.
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
The purpose of this container is to severely limit the permissions and options for the entire file system with respect to the Apache server's access to it. After the file system is locked down, select portions can be opened as appropriate:
    <Directory "/www/html">
        Options Indexes Includes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
In this container, the web space has additional permissions. These directives use an Apache module called
mod_access to define access privileges based on an IP address.
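The lock-down-then-open pattern can be checked mechanically. The following Python audit is an added example, not part of the original page: it walks the `<Directory>` containers and reports the `Options` and `AllowOverride` settings that widen what Apache will serve or execute. The sample text reuses this page's containers (including the `ScriptAlias` one shown further down); the `audit` function and the `REVIEW` table are assumptions made for illustration.

```python
import re

# Constructed sample: this page's containers, one directive per line (access lines omitted).
SAMPLE_CONF = """\
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/www/html">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
</Directory>
ScriptAlias /cgi-bin/ "/www/cgi-bin/"
<Directory "/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
</Directory>
"""

# Option keyword (lower case) -> why a reviewer would look at it.
REVIEW = {
    "indexes": "lists directory contents when no DirectoryIndex file exists",
    "includes": "server-side includes with exec (IncludesNOEXEC turns exec off)",
    "execcgi": "CGI execution outside a ScriptAlias directory",
}

def audit(conf):
    """Return (directory, finding) pairs for the <Directory> containers in conf."""
    script_dirs = {p.rstrip("/") for p in
                   re.findall(r'(?im)^\s*ScriptAlias\s+\S+\s+"?([^"\s]+)', conf)}
    findings, current = [], None
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()              # directive names are not case sensitive
        if key == "<directory":
            path = line.split(None, 1)[1].rstrip("> \t").strip('"')
            current = path.rstrip("/") or "/"
        elif key == "</directory>":
            current = None
        elif current and key == "options":
            for opt in (w.lstrip("+").lower() for w in words[1:]):
                if opt in REVIEW and not (opt == "execcgi" and current in script_dirs):
                    findings.append((current, f"Options {opt}: {REVIEW[opt]}"))
        elif current and key == "allowoverride" and \
                [w.lower() for w in words[1:]] != ["none"]:
            findings.append((current, "AllowOverride lets .htaccess change settings"))
    return findings
```

On the sample, the only findings are `Indexes` and `Includes` on `/www/html`; `ExecCGI` is accepted because `/www/cgi-bin` is the `ScriptAlias` target.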
ScriptAlias /cgi-bin/ "/www/cgi-bin/"
This directive identifies the directory where CGI scripts and other allowed executables may reside. In order to let these programs execute, permissions must be set on the container:
    <Directory "/www/cgi-bin">
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

    UserDir public_html
This directive identifies a subdirectory within a user's home directory (/home/username) where they may place web content which is accessed via a URL in the browser's computer with the format:
DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.cgi
This directive identifies a default filename which will be served if no specific filename is provided in the URL. The names are searched from left to right. Hence, if both a file called index.html and a file called index.php reside in a web directory, index.html will be the default file accessed if no file is specified in the URL.
This defines a file name which the user may place in a portion of the web space to include certain Apache directives. This can allow the user to protect a portion of their web space with the directives included with modules like mod_auth among many other purposes.
This identifies the location of a file which defines common MIME (Multipurpose Internet Mail Extensions) types. Web pages use text/html for a MIME type.
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
These directives allow modern browsers to use specific application types on files with particular extensions.
    <IfModule mod_php4.c>
        AddType application/x-httpd-php .php4 .php3 .phtml .php
        AddType application/x-httpd-php-source .phps
    </IfModule>
This container (and similar ones) determines if a particular module (mod_php4) was installed and is available. If so, it sets handlers to cause these special web pages to be executed properly. The second AddType allows the source code to be displayed as a web page if a copy with the appropriate extension is available in the web space.
AddHandler cgi-script .cgi
This directive identifies files with the extension .cgi as CGI scripts which may be executed. It is commented out by default.
[NOTE: When working with Perl and other CGI scripts, there are a number of security-related requirements imposed by suEXEC, which is turned on by default on a Red Hat Apache installation. An article on problems and solutions for Perl/CGI scripts is available in the Perl section of http://www.ITeachPHP.com.]
    AddType text/html .shtml
    AddHandler server-parsed .shtml
These are used to enable server-side includes, including the ability to place certain dynamic information in web pages (ie server date and time) if the files have the appropriate extension.
ErrorDocument 404 /missing.html
This allows for the definition of custom error pages. In this case, the Error 404 (File Not Found) error will cause a page in the web space called missing.html to be displayed rather than the server's default page.
These are just some of the many possible Apache directives and containers based on which modules are available and loaded. Many of these directives may be placed inside of a .htaccess file within the web space to define particular web server behaviors for a directory and its subdirectories. Here is an example of how to set up a simple authentication scheme for a directory in your web space.
For this example, we will assume that the AccessFileName has been set to ".htaccess" and that a copy of the following file has been placed with that name in a subdirectory called "secure" in your web space.
    AuthName "Name_of_your_domain"
    AuthType Basic
    AuthUserFile "/home/username/friends"
    Require valid-user
[NOTE: valid-user must be in lower case.]
This set of directives (located in a .htaccess file inside the "secure" directory within the web space) does several things. It identifies the name of the protected web space, it sets the authentication method as "Basic" (user names and passwords are transmitted with very limited protection, since they are only Base64-encoded rather than encrypted -- the only method which seems to work with most browsers), and it specifies a file in the filesystem which contains user names and encrypted passwords.
The file called "friends" is generated in the following way:
    cd /home/username
    htpasswd -c friends username1
The -c option is used to create the file and should only be used on the first entry, because it overwrites any existing file of that name. The user is prompted for a password after this command is entered. Subsequent users are entered with the following:
    htpasswd friends username2
    htpasswd friends username3
It is possible to generate the user names and passwords from a file. It is important that the passwords not be the same as any login passwords since this protection scheme is not as secure.
[NOTE: When experimenting with this, it is often necessary to quit and restart the web browser since successful connections and resulting web pages are often cached.]
[NOTE: Another caveat to be considered occurs if the operating system has a different version of the
htpasswd command. I ran into this with Unix servers at USC. Their
htpasswd command generated different hash codes than their web browser expected. As a result, none of the generated passwords worked. However, when I generated passwords with the
htpasswd from my home system, it worked.]
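Whether two htpasswd builds agree comes down to the format of the stored hash, which is visible in the file itself. The following Python inventory is an added example, not part of the original page: it names the format of each entry and, for the one format that is simple to reproduce, checks a password against it. The prefixes it recognises ($apr1$, $2y$, {SHA}, 13-character crypt) are Apache's documented password formats; the function names and the sample file are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

def sha_entry(password):
    """Build the {SHA} form: Base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def scheme(stored):
    """Name the hash format of one stored htpasswd value."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if re.match(r"\$2[aby]\$", stored):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt-des"
    return "plaintext-or-unknown"

def inventory(text):
    """Map user name -> scheme for every 'user:hash' line."""
    result = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            user, stored = line.strip().split(":", 1)
            result[user] = scheme(stored)
    return result

def check_sha(stored, password):
    """Constant-time check of a password against a {SHA} entry."""
    return hmac.compare_digest(stored.encode(), sha_entry(password).encode())

# Constructed file: only the third hash is real; the others show the format only.
SAMPLE = "\n".join([
    "username1:$apr1$Qx7lZb2k$CONSTRUCTEDxxxxxxxxxxxx",
    "username2:abCONSTRUCTED",
    "username3:" + sha_entry("constructed-pw"),
])

if __name__ == "__main__":
    for user, kind in inventory(SAMPLE).items():
        print(user, kind)
```

A file that mixes formats, or uses one the server was not built to verify, points to entries created by different htpasswd builds.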
It is possible to include the directives mentioned above in the
httpd.conf file. When doing so, it is appropriate to use a
    <Location /secure>
        AuthName "Name_of_your_domain"
        AuthType Basic
        AuthUserFile "/home/username/friends"
        Require valid-user
    </Location>
It is usually better to use a
<Location> container which applies to relative addresses within the web space rather than a
<Directory> container which refers to the absolute location within the filesystem.