Penguin
Note: You are viewing an old revision of this page. View the current version.

Installation

If you're going to compile and install Apache from source, use the Apache Toolbox.

Securing Apache

Apache recently featured in a list of security problems. They generally boil down to configuration mistakes. Points to note when installing, configuring and mantaining Apache include:

CGI scripts

Probably the biggest problem. Upload and CGI directories need to be distinct (so people can't upload "improved" CGI scripts) and as small as possible.

Apache2 makes it easier to run different scripts or even different Virtual Hosts as different users, rather than as the user that Apache is running as.

Chroot prisons

Running in a chroot prison limits the damage than can be done should an application be compromised. See chroot(2) for details. Apache2 has better support for this.

See also:


FireWalling Apache

You probably should FireWall the Apache user from connecting out to the InterNet unless you know that they actually have to. Doing this prevents a lot of exploits that people will attempt against your WebSite. The same idea can be applied to other services.

iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT
iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG

Extra information in directory listings

You can have additional information displayed at the top and bottom of a mod_autoindex directory listing by putting the text in a file called HEADER and README, respectively. Either file can any have FileExtension (or none). To enable this feature, you will need MultiViews on to be in effect for that request.

Apache and IPv6

Tell apache to listen on "::", which is the ipv6 version of 0.0.0.0, on whatever port. Eg, in httpd.conf:

 Listen :::80
 BindAddress ::

If you want a VirtualHost available on both IPv4 and IPv6, then give it a name that resolves to both a v4 and v6 address. It won't work if you give use a name that doesn't have a v6 address, and then try to use ServerName or ServerAlias. Eg:

$ host wlug.org.nz
wlug.org.nz             A       203.97.10.50
$ host -t aaaa wlug.org.nz
wlug.org.nz AAAA record currently not present
$ host -t a www.wlug.org.nz
www.wlug.org.nz         CNAME   hoiho.wlug.org.nz
hoiho.wlug.org.nz       A       203.97.10.50
$ host -t aaaa www.wlug.org.nz
www.wlug.org.nz         CNAME   hoiho.wlug.org.nz
hoiho.wlug.org.nz       AAAA    2002:CB61:A32:0:0:0:0:1

Doesn't Work:

<VirtualHost wlug.org.nz:80>
        ServerName www.wlug.org.nz
        ServerAlias wlug.org.nz
        ServerAlias www2.wlug.org.nz
...

(Apache can't resolve wlug.org.nz to an IPv6 address, so this vhost won't be available via ipv6.)

Does work:

<VirtualHost www.wlug.org.nz:80>
        ServerName www.wlug.org.nz
        ServerAlias wlug.org.nz
        ServerAlias www2.wlug.org.nz
...

Rotating your logs

Want to rotate all of your separate VirtualHost log files without restarting Apache? Use a little-known tool that comes with Apache called rotatelogs(8).

Change your TransferLog lines to:

TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"

Read the ManPage for more information, or replace with CronoLog which has more features.

Errors on log rotation

Some people encounter a problem where apache dies on logrotation. It's not the actual rotation that's the problem, it's the "graceful restart" that the logrotate program sends to apache. This only seems to affect people using Debian Woody, and only with some undetermined set of conditions. Here is our setup:

ii  apache                   1.3.27-0.1.ipv6.r2       Versatile, high-performance HTTP server
ii  apache-common            1.3.27-0.1.ipv6.r2       Support files for all Apache webservers
ii  libapache-auth-ldap      1.6.0-3                  LDAP authentication module for Apache
ii  libapache-mod-gzip       1.3.19.1a-5              HTTP compression module for Apache
ii  libapache-mod-ldap       1.4-3                    Apache authentication via LDAP directory
ii  libapache-mod-perl       1.27-3.ipv6.r1           Integration of perl with the Apache web server
ii  libapache-mod-ruby       0.9.7-2                  Embedding Ruby in the Apache web server
ii  libapache-mod-ssl        2.8.9-2.4                Strong cryptography (HTTPS support) for Apache
ii  libapache-reload-perl    0.07-1                   Reload changed modules in a mod_perl environment

We are using backports of apache 1.3, for IPv6 support. Other possibly relevant info:

ii  php4                     4.1.2-7.0.1
ii  php4-cgi                 4.1.2-7.0.1
ii  php4-ldap                4.1.2-7.0.1
ii  php4-pgsql               4.1.2-4
ii  phppgadmin               2.4.1-2

Also using a 2.6 series Linux Kernel.

When it happens, the following is in /var/log/apache/error.log:

[Wed Feb 23 06:26:00 2005] [notice] SIGUSR1 received.  Doing graceful restart
accept_mutex_on: Identifier removed
[Wed Feb 23 06:26:03 2005] [notice] Apache/1.3.27 (Unix) Debian GNU/Linux PHP/4.1.2 mod_ssl/2.8.9 OpenSSL/0.9.6c mod_perl/1.27 configured
-- resuming normal operations
[Wed Feb 23 06:26:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Wed Feb 23 06:26:03 2005] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed Feb 23 06:26:03 2005] [alert] Child 6894 returned a Fatal error...
Apache is exiting!

Each time that the reload fails, there is a message about accept_mutex_on or accept_mutex_off: Invalid argument in the error.log file that isn't present when the reload succeeds.

Also note the logrotate runs the 'postrotate' section (in apache's case, the reload) every day, even if it only rotates the log files every week.

Suggested workarounds include:

  • replacing '/etc/init.d/apache reload' in /etc/logrotate.d/apache with '/etc/init.d/apache restart', although that will result in your server being inaccessible for at least several seconds.
  • using cronolog or something else, and remove apache from the logrotate system.
  • use the 'HUP' signal instead of the 'USR1' signal. (See http://httpd.apache.org/docs/stopping.html).

Apache-ssl with AuthUserFile? complains "User not found"

This can occur if you have:

 LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so
 ...
 LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so

The solution is to swap the order so that apache_ssl_module comes first. (obscure!)

See also