
Differences between version 22 and predecessor to the previous major change of ApacheNotes.


Newer page: version 22 Last edited on Wednesday, February 23, 2005 12:21:19 pm by JohnMcPherson
Older page: version 18 Last edited on Monday, October 4, 2004 4:47:56 pm by AristotlePagaltzis
@@ -1,19 +1,9 @@
 !!! Installation 
  
 If you're going to compile and install [Apache] from source, use the [Apache Toolbox | http://www.apachetoolbox.com/]. 
  
-!!! Rotating your logs  
  
-Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).  
-  
-Change your ~TransferLog lines to:  
-  
-<verbatim>  
-TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"  
-</verbatim>  
-  
-Read the ManPage for more information, or replace with ~CronoLog which has more features.  
  
 !!! Securing [Apache] 
  
 [Apache] recently featured in a [list of security problems | http://isc.sans.org/top20.html]. They generally boil down to configuration mistakes. Points to note when installing, configuring and mantaining [Apache] include: <br> <br> : 
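Review bot: the "Rotating your logs" block deleted in this hunk is re-added word for word further down in the same revision, so this is a move rather than a removal and nothing is lost; the change summary should say so, because on its own this hunk reads as dropping the only advice on log rotation. While the section is being reshuffled, the unchanged context line "installing, configuring and mantaining" has a typo (mantaining should be maintaining), and the trailing "<br> <br> :" at the end of that line looks like leftover markup that could be dropped.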
@@ -26,11 +16,8 @@
  __Chroot prisons__: 
  Running in a chroot prison limits the damage than can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this. 
  
  See also: 
- * [HowToSecureProgramsHOWTO]  
- * [HowToSecurityQuickstartHOWTO]  
- * [HowToSecurityHOWTO]  
  * [http://httpd.apache.org/docs/misc/security_tips.html] 
  <br> 
  
  __FireWall~ing [Apache]__: 
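Review bot: removing the three HowTo* links leaves http://httpd.apache.org/docs/misc/security_tips.html as the only "See also" for the securing section. If those wiki pages were deleted that is fine, but if they still exist the Secure Programs HOWTO is directly relevant to running Apache in a chroot and should stay. The unchanged context line "limits the damage than can be done" should read "that can be done". It would also help that paragraph to say what the jail does and does not buy: it limits which files a compromised child or CGI can reach, but it does nothing against a process that runs as root, so Apache still has to drop to its User/Group inside the prison.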
@@ -43,9 +30,118 @@
  
 !!! Extra information in directory listings 
  
 You can have additional information displayed at the top and bottom of a <tt>mod_autoindex</tt> directory listing by putting the text in a file called <tt>HEADER</tt> and <tt>README</tt>, respectively. Either file can any have FileExtension (or none). To enable this feature, you will need <tt>~MultiViews on</tt> to be in effect for that request. 
+  
+  
+!!! Apache and [IPv6]  
+Tell apache to listen on "::", which is the ipv6 version of 0.0.0.0, on whatever port. Eg, in httpd.conf:  
+<verbatim>  
+ Listen :::80  
+ BindAddress ::  
+</verbatim>  
+  
+If you want a ~VirtualHost available on both IPv4 and IPv6, then give it a name that resolves to both a v4 and v6 address. It won't work if you give use a name that doesn't have a v6 address, and then try to use ~ServerName or ~ServerAlias. Eg:  
+  
+<verbatim>  
+$ host wlug.org.nz  
+wlug.org.nz A 203.97.10.50  
+$ host -t aaaa wlug.org.nz  
+wlug.org.nz AAAA record currently not present  
+$ host -t a www.wlug.org.nz  
+www.wlug.org.nz CNAME hoiho.wlug.org.nz  
+hoiho.wlug.org.nz A 203.97.10.50  
+$ host -t aaaa www.wlug.org.nz  
+www.wlug.org.nz CNAME hoiho.wlug.org.nz  
+hoiho.wlug.org.nz AAAA 2002:CB61:A32:0:0:0:0:1  
+</verbatim>  
+  
+!Doesn't Work:  
+<verbatim>  
+<VirtualHost wlug.org.nz:80>  
+ ServerName www.wlug.org.nz  
+ ServerAlias wlug.org.nz  
+ ServerAlias www2.wlug.org.nz  
+...  
+</verbatim>  
+  
+(Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via ipv6.)  
+  
+!Does work:  
+  
+<verbatim>  
+<VirtualHost www.wlug.org.nz:80>  
+ ServerName www.wlug.org.nz  
+ ServerAlias wlug.org.nz  
+ ServerAlias www2.wlug.org.nz  
+...  
+</verbatim>  
+  
+  
+!!! Rotating your logs  
+  
+Want to rotate all of your separate ~VirtualHost log files without restarting [Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).  
+  
+Change your ~TransferLog lines to:  
+  
+<verbatim>  
+TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"  
+</verbatim>  
+  
+Read the ManPage for more information, or replace with ~CronoLog which has more features.  
+  
+!! Errors on log rotation  
+Some people encounter a problem where apache dies on logrotation.  
+It's not the actual rotation that's the problem, it's the "graceful  
+restart" that the logrotate program sends to apache. This only seems  
+to affect people using Debian Woody, and only with some undetermined  
+set of conditions. Here is our setup:  
+<verbatim>  
+ii apache 1.3.27-0.1.ipv6.r2 Versatile, high-performance HTTP server  
+ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webservers  
+ii libapache-auth-ldap 1.6.0-3 LDAP authentication module for Apache  
+ii libapache-mod-gzip 1.3.19.1a-5 HTTP compression module for Apache  
+ii libapache-mod-ldap 1.4-3 Apache authentication via LDAP directory  
+ii libapache-mod-perl 1.27-3.ipv6.r1 Integration of perl with the Apache web server  
+ii libapache-mod-ruby 0.9.7-2 Embedding Ruby in the Apache web server  
+ii libapache-mod-ssl 2.8.9-2.4 Strong cryptography (HTTPS support) for Apache  
+ii libapache-reload-perl 0.07-1 Reload changed modules in a mod_perl environment  
+</verbatim>  
+We are using backports of apache 1.3, for [IPv6] support.  
+Other possibly relevant info:  
+<verbatim>  
+ii php4 4.1.2-7.0.1  
+ii php4-cgi 4.1.2-7.0.1  
+ii php4-ldap 4.1.2-7.0.1  
+ii php4-pgsql 4.1.2-4  
+ii phppgadmin 2.4.1-2  
+</verbatim>  
+Also using a 2.6 series Linux Kernel.  
+  
+When it happens, the following is in /var/log/apache/error.log:  
+<verbatim>  
+[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received. Doing graceful restart  
+accept_mutex_on: Identifier removed  
+[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured  
+-- resuming normal operations  
+[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)  
+[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)  
+[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error...  
+Apache is exiting!  
+</verbatim>  
+  
+Each time that the reload fails, there is a message about __accept_mutex_on__ or __accept_mutex_off: Invalid argument__ in the  
+error.log file that isn't present when the reload succeeds.  
+  
+Also note the logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week.  
+  
+Suggested workarounds include:  
+* replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds.  
+* using cronolog or something else, and remove apache from the logrotate system.  
+* use the 'HUP' signal instead of the 'USR1' signal. (See http://httpd.apache.org/docs/stopping.html).  
+  
+  
  
 !!! See also 
  
 * NameVirtualHosting 
 * ModBackhand
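Review bot: the new IPv6 section should say which Apache version it is for. "Listen :::80" and "BindAddress ::" are the Apache 1.3 forms (matching the apache 1.3.27-0.1.ipv6 packages listed further down); Apache 2 writes "Listen [::]:80" and no longer has a BindAddress directive. One caveat worth a sentence: on Linux a socket bound to :: also accepts IPv4 connections (as v4-mapped addresses) unless net.ipv6.bindv6only is set, so adding a separate "Listen 0.0.0.0:80" next to it fails with "Address already in use". In the "Doesn't work" / "Does work" examples the real cause is that Apache resolves the name in <VirtualHost> once at startup, and wlug.org.nz only has an A record, so that vhost is bound to the IPv4 address alone; naming vhosts by hostname also means a DNS hiccup at a restart silently changes which vhost answers, so the safer fix is to put the literal addresses from the host output (203.97.10.50 and 2002:CB61:A32::1, written as [2002:CB61:A32::1]:80 in Apache 2 syntax) or "*" in the <VirtualHost> line and keep the names in ServerName/ServerAlias. In the re-added rotatelogs line, 64800 seconds is 18 hours, not a day; rotatelogs cuts at multiples of the interval since the epoch (UTC), so with 64800 the rotation time drifts by six hours every day, and 86400 gives the daily rotation the reader expects. Since the piped logger is started by the parent process with its privileges (root), the log directory must not be writable by the Apache User. In the log-rotation failure, "accept_mutex_on: Identifier removed" is strerror(EIDRM): the SysV semaphore set used as the accept mutex disappeared underneath a child during the graceful restart. The logged line "Accept mutex: sysvsem (Default: sysvsem)" shows this build has the AcceptMutex directive, so "AcceptMutex fcntl" (or flock) is a less disruptive workaround than any of the three listed, and should be added. The third bullet is also misleading: HUP is Apache's non-graceful restart and aborts in-flight requests, only USR1 is graceful, so it costs the same as the "restart" in the first bullet. Finally, logrotate only runs postrotate after it has actually rotated something, so if the reload really fires daily, some other stanza in /etc/logrotate.d is triggering it and that is worth checking before blaming the weekly rule.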