Running in a chroot prison limits the damage that can be done should an application be compromised. See chroot(2) for details. Apache2 has better support for this.
Can't get much better than this! From the Ubuntu forums:

apt-get install apache2
apache2-ssl-certificate -days 3650

and answer the questions. It will default to 30 days if you don't specify your own number!

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
a2ensite ssl

"/etc/apache2/sites-enabled/ssl" should look like this:

NameVirtualHost *:443
<VirtualHost *:443>
(... configure the directories too...)
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

/etc/init.d/apache2 force-reload

and you're away.
You can have additional information displayed at the top and bottom of a mod_autoindex directory listing by putting the text in a file called HEADER and README, respectively. Either file can have any FileExtension (or none). To enable this feature, MultiViews must be in effect for that request.
Listen :::80
BindAddress ::
If you want a VirtualHost available on both IPv4 and IPv6, then give it a name that resolves to both a v4 and a v6 address. It won't work if you use a name that doesn't have a v6 address and then try to fix it up with ServerName or ServerAlias. Eg:
$ host wlug.org.nz
wlug.org.nz A 220.127.116.11
$ host -t aaaa wlug.org.nz
wlug.org.nz AAAA record currently not present
$ host -t a www.wlug.org.nz
www.wlug.org.nz CNAME hoiho.wlug.org.nz
hoiho.wlug.org.nz A 18.104.22.168
$ host -t aaaa www.wlug.org.nz
www.wlug.org.nz CNAME hoiho.wlug.org.nz
hoiho.wlug.org.nz AAAA 2002:CB61:A32:0:0:0:0:1

<VirtualHost wlug.org.nz:80>
ServerName www.wlug.org.nz
ServerAlias wlug.org.nz
ServerAlias www2.wlug.org.nz
...
(Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via ipv6.)
<VirtualHost www.wlug.org.nz:80>
ServerName www.wlug.org.nz
ServerAlias wlug.org.nz
ServerAlias www2.wlug.org.nz
...
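The check behind the example above, as an added script that is not part of the original page: it parses the old-style `host` output quoted here (the sample below is constructed in that format), follows CNAMEs, and reports which address families a name in `<VirtualHost name:80>` would actually give you. Names and addresses are the ones from the page; the function names are my own.

```python
# Added example (not from the original page): parse old-style `host` output and
# decide whether a candidate VirtualHost name resolves over IPv4, IPv6 or both.

# Constructed sample, in the same format as the `host` output quoted above.
SAMPLE_HOST_OUTPUT = """\
wlug.org.nz A 220.127.116.11
wlug.org.nz AAAA record currently not present
www.wlug.org.nz CNAME hoiho.wlug.org.nz
hoiho.wlug.org.nz A 18.104.22.168
hoiho.wlug.org.nz AAAA 2002:CB61:A32:0:0:0:0:1
"""

def parse_host_output(text):
    """Return {name: {rrtype: [values]}} from lines of `host` output.

    A line such as "name AAAA record currently not present" records that the
    lookup was done and found nothing, so the name still gets an (empty) entry.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name, rrtype, value = parts[0].rstrip('.').lower(), parts[1].upper(), parts[2]
        records = table.setdefault(name, {}).setdefault(rrtype, [])
        if value == 'record':            # "... record currently not present"
            continue
        if rrtype == 'CNAME':
            value = value.rstrip('.').lower()
        records.append(value)
    return table

def addresses(table, name, rrtype, _depth=0):
    """Collect A or AAAA values for a name, following CNAME chains."""
    if _depth > 8:                       # guard against a CNAME loop in bad data
        raise ValueError('CNAME chain too long starting at %s' % name)
    entry = table.get(name.lower(), {})
    found = list(entry.get(rrtype, []))
    for target in entry.get('CNAME', []):
        found.extend(addresses(table, target, rrtype, _depth + 1))
    return found

def address_families(table, name):
    """Which address families a VirtualHost bound to this name would listen on."""
    return {'ipv4': bool(addresses(table, name, 'A')),
            'ipv6': bool(addresses(table, name, 'AAAA'))}

def pick_dual_stack_name(table, candidates):
    """First candidate usable in <VirtualHost name:80> for both v4 and v6, else None."""
    for name in candidates:
        fam = address_families(table, name)
        if fam['ipv4'] and fam['ipv6']:
            return name
    return None

if __name__ == '__main__':
    table = parse_host_output(SAMPLE_HOST_OUTPUT)
    for name in ('wlug.org.nz', 'www.wlug.org.nz'):
        print(name, address_families(table, name))
    print('use:', pick_dual_stack_name(table, ['wlug.org.nz', 'www.wlug.org.nz']))
```

Run it against real `host` output piped in from your own zone before you pick the name for the `<VirtualHost>` line; the point is that Apache resolves the name in the `<VirtualHost>` tag itself, not the ServerName or ServerAlias values.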
Change your TransferLog lines to:
TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"
Read the ManPage for more information, or replace it with CronoLog, which has more features.
ii apache 1.3.27-0.1.ipv6.r2 Versatile, high-performance HTTP server
ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webservers
ii libapache-auth-ldap 1.6.0-3 LDAP authentication module for Apache
ii libapache-mod-gzip 22.214.171.124a-5 HTTP compression module for Apache
ii libapache-mod-ldap 1.4-3 Apache authentication via LDAP directory
ii libapache-mod-perl 1.27-3.ipv6.r1 Integration of perl with the Apache web server
ii libapache-mod-ruby 0.9.7-2 Embedding Ruby in the Apache web server
ii libapache-mod-ssl 2.8.9-2.4 Strong cryptography (HTTPS support) for Apache
ii libapache-reload-perl 0.07-1 Reload changed modules in a mod_perl environment
ii php4 4.1.2-7.0.1
ii php4-cgi 4.1.2-7.0.1
ii php4-ldap 4.1.2-7.0.1
ii php4-pgsql 4.1.2-4
ii phppgadmin 2.4.1-2
Also using a 2.6 series Linux Kernel.
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error... Apache is exiting!
Each time the reload fails, there is a message about accept_mutex_on or accept_mutex_off: Invalid argument in the error.log file that isn't present when the reload succeeds.
Also note that logrotate runs the 'postrotate' section (in Apache's case, the reload) every day, even if it only rotates the log files every week.
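Since the reload is kicked off unattended by logrotate, it is worth having something watch for restarts that ended this way. Here is an added example (not from the original page or the bug report) that walks an Apache 1.3 error.log, pairs each "SIGUSR1 received" with any "Apache is exiting!" that follows, and keeps the bare accept_mutex_* lines written next to it. The sample log is constructed from the lines quoted above plus a made-up successful restart the next day.

```python
import re

# Added example (not from the original page): flag graceful restarts in an
# Apache 1.3 error.log that ended with "Apache is exiting!", and keep the
# accept_mutex_* lines that appear next to them.

LOG_LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$')
MUTEX_LINE = re.compile(r'^accept_mutex_(?:on|off): ')
RESTART_MSG = 'SIGUSR1 received. Doing graceful restart'
FATAL_MSG = 'Apache is exiting!'

# Constructed sample: the failing restart quoted above, then a restart that
# succeeded the next day (the second day's timestamps are made up).
SAMPLE_ERROR_LOG = """\
[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux configured -- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error... Apache is exiting!
[Thu Feb 24 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart
[Thu Feb 24 06:26:02 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux configured -- resuming normal operations
[Thu Feb 24 06:26:02 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
"""

def audit_graceful_restarts(lines):
    """Return one dict per graceful restart seen in the log lines.

    Lines without the "[date] [level]" prefix (the accept_mutex_* messages are
    written that way) are attached to the most recent restart.  A fatal exit is
    attributed to the most recent restart, which is what we want for a
    reload-triggered failure but would also catch an unrelated crash later on.
    """
    events = []
    current = None
    for raw in lines:
        line = raw.rstrip('\n')
        m = LOG_LINE.match(line)
        if m is None:
            if current is not None and MUTEX_LINE.match(line):
                current['mutex_messages'].append(line)
            continue
        msg = m.group('msg')
        if msg.startswith(RESTART_MSG):
            current = {'restarted_at': m.group('ts'), 'fatal': False,
                       'mutex_messages': []}
            events.append(current)
        elif current is not None and FATAL_MSG in msg:
            current['fatal'] = True
            current['fatal_message'] = msg
    return events

def failed_restarts(lines):
    """Only the restarts that ended with Apache exiting."""
    return [e for e in audit_graceful_restarts(lines) if e['fatal']]

if __name__ == '__main__':
    for event in failed_restarts(SAMPLE_ERROR_LOG.splitlines()):
        print('restart at %s failed: %s' % (event['restarted_at'], event['fatal_message']))
        for extra in event['mutex_messages']:
            print('  related:', extra)
```

Feed it the real error.log (`failed_restarts(open('/var/log/apache/error.log'))`) from a cron job that runs a little after logrotate, and you find out the same morning that the daily reload left you with no web server.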
LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so
...
LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so
The solution is to turn off SSLFakeBasicAuth.
LDAPTrustedCA <CA CERT FILE>
LDAPTrustedCAType BASE64_FILE
[notice] LDAP: Built with OpenLDAP LDAP SDK
[notice] LDAP: SSL support available
<Location /path/to/auth/stuff>
AuthType Basic
AuthName "MyAuthArea"
AuthLDAPURL "ldaps://<HOST>/ou=People,<BASEDN>?uid"
Require valid-user
</Location>
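The AuthLDAPURL above packs host, base DN, attribute, scope and filter into one string, and mod_auth_ldap fills in defaults for whatever you leave out. The following is an added example, not code from the page or from mod_auth_ldap: a parser for that URL form (`ldap[s]://host[:port] [host2[:port]]/basedn?attribute?scope?filter`) plus a check that you really are talking to the directory over ldaps:// with an LDAPTrustedCA set, since the Basic-auth password is bound to the directory as-is. The hostnames and DNs in the sample calls are constructed placeholders.

```python
import re

# Added example (not from the original page): parse and sanity-check an
# AuthLDAPURL as mod_auth_ldap understands it:
#   ldap[s]://host[:port] [host2[:port]]/basedn?attribute?scope?filter
# Hostnames and base DNs used in the tests are constructed placeholders.

AUTH_LDAP_URL = re.compile(r'^(?P<scheme>ldaps?)://(?P<hosts>[^/]*)/(?P<rest>.*)$', re.I)
DEFAULT_PORT = {'ldap': 389, 'ldaps': 636}
VALID_SCOPES = ('base', 'one', 'sub')

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, filling in mod_auth_ldap's defaults
    (attribute uid, scope sub, filter (objectClass=*), port 389 or 636)."""
    m = AUTH_LDAP_URL.match(url.strip())
    if m is None:
        raise ValueError('not an ldap:// or ldaps:// URL: %r' % url)
    scheme = m.group('scheme').lower()
    hosts = []
    for spec in m.group('hosts').split():      # several hosts are space-separated
        host, _, port = spec.partition(':')
        hosts.append((host, int(port) if port else DEFAULT_PORT[scheme]))
    parts = m.group('rest').split('?')
    parts += [''] * (4 - len(parts))           # basedn?attribute?scope?filter
    basedn, attribute, scope, ldap_filter = parts[:4]
    scope = (scope or 'sub').lower()
    if scope not in VALID_SCOPES:
        raise ValueError('bad scope %r (expected one of %s)' % (scope, ', '.join(VALID_SCOPES)))
    return {
        'scheme': scheme,
        'hosts': hosts,
        'basedn': basedn,
        'attribute': attribute or 'uid',
        'scope': scope,
        'filter': ldap_filter or '(objectClass=*)',
    }

def check_auth_ldap_url(url, trusted_ca=None):
    """Return a list of findings about how the directory connection is protected.

    trusted_ca is the value of LDAPTrustedCA from the same config, or None.
    """
    info = parse_auth_ldap_url(url)
    findings = []
    if info['scheme'] == 'ldap':
        findings.append('ldap:// sends the Basic-auth password to the directory in cleartext; use ldaps://')
    elif trusted_ca is None:
        findings.append('ldaps:// without LDAPTrustedCA: the server certificate cannot be verified')
    if not info['hosts']:
        findings.append('no LDAP host given')
    return findings

if __name__ == '__main__':
    url = 'ldaps://ldap.example.org/ou=People,dc=example,dc=org?uid'   # constructed
    print(parse_auth_ldap_url(url))
    print(check_auth_ldap_url(url, trusted_ca='/etc/apache/ssl/ldap-ca.pem'))
```

The scope and filter parts are the ones people forget: with the default `sub` scope and `(objectClass=*)` filter, any entry under the base DN whose `uid` matches can log in, so narrow the filter if the People subtree holds more than real users.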