The Apache Web Server Configuration Basics

by James D. Keeline (


The Apache server is a versatile package whose primary function is to deliver web page content (.html files and .gif, .png, & .jpeg image files) through Port 80 via HTTP (Hypertext Transaction Protocol) to the IP address making a request. Through modules, which may be compiled in or loaded dynamically, it can dramatically expand its functionality.


The Apache server is available from the Apache Software Foundation ( as either a binary package (ie Red Hat Package Manager files -- *.rpm) for a variety of operating systems and processors or as source code (ie TarBall -- *.tar.gz) which must be compiled on your machine. We will consider a Linux installation based on the RedHat 7.3 distribution.

Before installing, it is important to make some decisions about how the server will run. It is possible to compile Apache with the desired extra functions as part of a large monolithic program. The alternative is to compile the server to dynamically load modules as needed. The latter provides a smaller running program but there is generally a small delay as each module is loaded and initialized. These are accomplished through LoadModule and AddModule directives. The default RedHat 7.3 installation, from RPMs, uses dynamic loading of modules.


Current versions of the Apache server use a configuration file (/etc/httpd/conf/httpd.conf) which is surprisingly readable. However, since there are a lot of directives, it seems wise to point out some of the more interesting ones which may need to be consulted or modified. The directives are not case sensitive but references to the file system are. They are presented in the order in which they appear in the default httpd.conf file.

[NOTE: The location of the configuration file may vary depending on the distribution of Linux, operating system, or how Apache was installed. For example, on Knoppix 3.1 (a distribution for Intel-type processors based on Debian Linux which runs completely from a CD-ROM) the configuration file is located at /etc/apache/httpd.conf.]

ServerRoot /etc/httpd

This is the location of the files used by Apache, including the configuration file and symbolic links to the modules and logfiles directories.

Listen 80

This directive is used to identify the port number through which Apache will listen for HTTP requests. It will supercede the Port directive if both are present in the httpd.conf file. The argument of the directive may contain an IP address and port (Listen

Port 80

This is the old way to identify the port number to which Apache will listen for web requests.

User Apache
Group Apache

These identify the user name (or UID number) and group name (or GID number) under which Apache will run. In current versions the user and group is "apache" (UID 48, GID 48). In earlier versions, this was typically the user and group "nobody" (UID 99, GID 99).

ServerAdmin root@localhost

This is the e-mail address of the administrator of the server. On certain Apache-generated error pages, this address will appear so it may be desirable to use a mail alias which is appropriate.

DocoumentRoot "/www/html"

This is the top level of the directory for displaying web pages. On a default Apache installation in Red Hat Linux, the value for DocumentRoot is "/var/www/html". However, there are so much activity in this directory that it usually is a good idea to place the web pages in their own partition. Many administrators choose to place this in a separate hard drive partition and use the /www mount point to contain the disk usage and permit the use of extended attributes on this portion of the filespace. In this case, the /www/html directory is the location where the actual .html files and image files are stored. Executables, such as CGI files, are usually located elsewhere in a reasonably-secure system.

<Directory />
    Options FollowSymLinks
    AllowOverride None

The purpose of this container is to severly limit the permissions and options for the entire file system with respect to the Apache server's access to it. After the file system is locked down, select portions can be opened as appropriate:

<Directory "/www/html">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

In this container, the web space has additional permissions. These directives use an Apache module called mod_access to define access privileges based on an IP address.

ScriptAlias /cgi-bin/ "/www/cgi-bin/"

This directive identifies the directory where CGI scripts and other allowed executables may reside. In order to let these programs execute, permissions must be set on the container:

<Directory "/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all

UserDir public_html

This directive identifies a subdirectory within a user's home directory (/home/username) where they may place web content which is accessed via a URL in the browser's computer with the format: http://servername/~username/index.html.

DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.cgi

This directive identifies a default filename which will be served if no specific filename is provided in the URL. The names are searched from left to right. Hence, if both a file called index.html and index.php reside in a web directory, index.html will be the default file accessed if no file is specified in the URL.

AccessFileName .htaccess

This defines a file name which the user may place in a portion of the web space to include certain Apache directives. This can allow the user to protect a portion of their web space with the directives included with modules like mod_auth among many other purposes.

TypesConfig /etc/mime.types

This identifies the location of a file which defines common MIME (Multipurpose Internet Mail Estensions) types. Web pages use text/html for a MIME type.

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

These directives allow modern browsers to use specific application types on files with particular extensions.

<IfModule mod_php4.c>
AddType application/x-httpd-php .php4 .php3 .phtml .php
AddType application/x-httpd-php-source .phps

This container (and similar ones) determines if a particular module (mod_php4) was installed and is available. If so, it sets handlers to cause these special web pages to be executed properly. The second AddType allows the source code to be displayed as a web page if a copy with the appropriate extension is available in the web space.

AddHandler cgi-script .cgi

This directive identifies files with the extension .cgi as CGI scripts which may be executed. It is commented out by default.

[NOTE: When working with Perl and other CGI scripts, there are a number of security-related requirements imposed by suEXEC which is turned on by default on a Red Hat Apache installation. An article on problems and solutions for Perl/CGI scripts is available in the Perl section of

AddType text/html .shtml
AddHandler server-parsed .shtml

These are used to enable server-side includes, including the ability to place certain dynamic information in web pages (ie server date and time) if the files have the appropriate extension.

ErrorDocument 404 /missing.html

This allows for the definition of custom error pages. In this case, the Error 404 (File Not Found) error will cause a page in the web space called missing.html to be displayed rather than the server's default page.

Username and Password Authentication via mod_auth

These are just some of the many possible Apache directives and containers based on which modules are available and loaded. Many of these directives may be placed inside of a .htaccess file within the web space to define particular web server behaviors for a directory and its subdirectories. Here is an example of how to set up a simple authentication scheme for a directory in your web space.

For this example, we will assume that the AccessFileName has been set to ".htaccess" and that a copy of the following file has been placed with that name in a subdirectory called "secure" in your web space.

AuthName  "Name_of_your_domain"
AuthType  Basic
AuthUserFile  "/home/username/friends"
Require valid-user

[NOTE: valid-user must be in lower case.]

This set of directives (located in a .htaccess file inside the "secure" directory within the web space) does several things. It identifies the name of the protected web space, it sets the authentication method as "Basic" (user name and passwords are transmitted with very limited encryption -- the only method which seems to work with most browsers), and it specifies a file in the filesystem which contains user names and encrypted passwords.

The file called "friends" is generated in the following way:

cd /home/username
htpasswd  -c  friends  username1

The -c option is used to create the file and should only be used on the first entry. The user is prompted for a password after this command is entered. Subsequent users are entered with the following:

htpasswd  friends  username2
htpasswd  friends  username3

It is possible to generate the user names and passwords from a file. It is important that the passwords not be the same as any login passwords since this protection scheme is not as secure.

[NOTE: When experimenting with this, it is often necessary to quit and restart the web browser since successful connections and resulting web pages are often cached.]

[NOTE: Another caveat to be considered occurs if the operating system has a different version of the htpasswd command. I ran into this with Unix servers at USC. Their htpasswd command generated different hash codes than their web browser expected. As a result, none of the generated passwords worked. However, when I generated passwords with the htpasswd from my home system, it worked.]

It is possible to include the directives mentioned above in the httpd.conf file. When doing so, it is appropriate to use a <Location> container.

<Location /secure>
    AuthName  "Name_of_your_domain"
    AuthType  Basic
    AuthUserFile  "/home/username/friends"
    Require valid-user

It is usually better to use a <Location> container which applies to relative addresses within the web space rather than a <Directory> container which refers to the absolute location within the filesystem.