Web Servers

To run the httpd service, type the following at a shell prompt as root:

If you want the service to start automatically at boot time, use the following command:

To stop the running httpd service, type the following at a shell prompt as root:

To prevent the service from starting automatically at boot time, type:

There are three different ways to restart a running httpd service:

This stops the running httpd service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.

This causes the running httpd service to reload its configuration file. Any requests currently being processed will not be interrupted, so configuration changes will only take effect for new client connections.

To verify that the httpd service is running, type the following at a shell prompt:

The following directives are commonly used in the /etc/httpd/conf/httpd.conf configuration file:

The directory can be either a full path to an existing directory in the local file system, or a wildcard expression.

This directive can be used to configure additional cgi-bin directories for server-side scripts located outside the directory that is specified by ScriptAlias. In this case, the ExecCGI and AddHandler directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755).

The parameter can be supplied at a shell prompt using the -Dparameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the parameter is not specified.

The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the module is not loaded.

The url can be either a path relative to the directory specified by the DocumentRoot directive (for example, /server-info), or an external URL such as http://example.com/server-info.

The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*).

The address can be an IP address, a fully qualified domain name, or a special form as described in Available <VirtualHost> options.

The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess. For security reasons, the directive is typically followed by the Files tag to prevent the files beginning with .ht from being accessed by web clients. This includes the .htaccess and .htpasswd files.

The content-type has to be a valid MIME type such as text/html, image/png, or application/pdf. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/process-image.cgi).

The description should be a short text enclosed in double quotes (that is, "). The filename can be a full file name, a file extension, or a wildcard expression.

The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .gz).

This directive is typically used to instruct web browsers to decompress certain file types as they are downloaded.

The handler has to be a name of previously defined handler. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cgi).

This directive is typically used to treat files with the .cgi extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/folder.png). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/compressed.png). The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc.

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/text.png). The content-type has to be either a valid MIME type (for example, text/html or image/png), or a wildcard expression such as text/, image/, etc.

The language has to be a valid MIME language such as cs, en, or fr. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.

The content-type has to be a valid MIME type such as text/html, image/png, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /images/). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /icons/ alias is created so that the icons from /var/www/icons/ are displayed in server-generated directory listings.

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.

The type has to be one of the available grouping options as described in Available AllowOverride options.

The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.

By default, this directive is used to deny connections to specific browsers with known issues, and to disable keepalives and HTTP header flushes for browsers that are known to have problems with these actions.

The time is specified in seconds. The default option is 3600 (that is, one hour).

The path must be relative to the directory specified by the DocumentRoot directive (for example, /files/).

The type has to be a valid cache type as described in Available cache types. The url can be a path relative to the directory specified by the DocumentRoot directive (for example, /images/), a protocol (for example, ftp://), or an external URL such as http://example.com/.

The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1 (that is, one tenth).

The time is specified in seconds. The default option is 86400 (that is, one day).

The option has to be a valid keyword as described in Available CacheNegotiatedDocs options. Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off.

The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/.

The path refers to a log file, and must be relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat directive.

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/unknown.png).

The content-type has to be a valid MIME type such as text/html, image/png, application/pdf, etc.

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.

The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html, and index.html.var.

The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/.

The error-code has to be a valid code such as 403 (Forbidden), 404 (Not Found), or 500 (Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, ").

The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is logs/error_log

The option has to be a valid keyword as described in Available ExtendedStatus options. The default option is Off.

The group has to be an existing UNIX group. The default option is apache.

Note that Group is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.

The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html.

The option has to be a valid keyword as described in Available HostnameLookups options. To conserve resources on the server, the default option is Off.

Note that when the presence of hostnames is required in server log files, it is often possible to use one of the many log analyzer tools that perform the DNS lookups more efficiently.

The filename can be an absolute path, a path relative to the directory specified by the ServerRoot directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/ directory are loaded by default.

The filename option can be either a full file name, or a wildcard expression.

The option has to be a valid keyword as described in Available directory listing options. The default options are Charset=UTF-8, FancyIndexing, HTMLTable, NameWidth=*, and VersionSort.

The option has to be a valid keyword as described in Available KeepAlive options. The default option is Off.

Note that when the persistent connections are enabled, on a busy server, the number of child processes can increase rapidly and eventually reach the maximum limit, slowing down the server significantly. To reduce the risk, it is recommended that you set KeepAliveTimeout to a low number, and monitor the /var/log/httpd/logs/error_log log file carefully.

The time is specified in seconds. The default option is 15.

The language has to be a valid MIME language such as cs, en, or fr.

This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.

The ip-address is optional and unless supplied, the server will accept incoming requests on a given port from all IP addresses. Since the protocol is determined automatically from the port number, it can be usually omitted. The default option is to listen to port 80.

Note that if the server is configured to listen to a port under 1024, only superuser will be able to start the httpd service.

The name has to be a valid identifier of the required module. The path refers to an existing module file, and must be relative to the directory in which the libraries are placed (that is, /usr/lib/httpd/ on 32-bit and /usr/lib64/httpd/ on 64-bit systems by default).

See Working with Modules for more information on the Apache HTTP Server’s DSO support.

The format is a string consisting of options as described in Common LogFormat options. The name can be used instead of the format string in the CustomLog directive.

The option has to be a valid keyword as described in Available LogLevel options. The default option is warn.

A high number can improve the performance of the server. Note that using 0 allows unlimited number of requests. The default option is 100.

The ip-address can be either a full IP address, or an asterisk (that is, *) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [ and ]). The port is optional.

Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.

The option has to be a valid keyword as described in Available server features.

The option has to be a valid keyword as described in Available Order options. The default option is allow,deny.

The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is run/httpd.pid.

The option has to be a valid keyword as described in Available ProxyRequests options. The default option is Off.

The filename is a name of the file to look for in the requested directory. By default, the server looks for README.html.

The status is optional, and if provided, it has to be a valid keyword as described in Available status options. The path refers to the old location, and must be relative to the directory specified by the DocumentRoot directive (for example, /docs). The url refers to the current location of the content (for example, http://docs.example.com).

Note that for more advanced redirection techniques, you can use the mod_rewrite module that is part of the Apache HTTP Server installation.

The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /cgi-bin/ alias is created so that the scripts located in the /var/www/cgi-bin/ are accessible.

The ScriptAlias directive is used for security reasons to prevent CGI scripts from being viewed as ordinary text documents.

The default option is root@localhost.

This directive is commonly set to webmaster@hostname, where hostname is the address of the server. Once set, alias webmaster to the person responsible for the web server in /etc/aliases, and as superuser, run the newaliases command.

The hostname has to be a fully qualified domain name (FQDN) of the server. The port is optional, but when supplied, it has to match the number specified by the Listen directive.

When using this directive, make sure that the IP address and server name pair are included in the /etc/hosts file.

The directory must be a full path to an existing directory in the local file system. The default option is /etc/httpd/.

The option has to be a valid keyword as described in Available ServerSignature options. The default option is On.

The option has to be a valid keyword as described in Available ServerTokens options. The default option is OS.

Note that for security reasons, it is recommended to reveal as little information about the server as possible.

The user has to be an existing user, and the group must be a valid UNIX group.

For security reasons, the CGI scripts should not be run with root privileges. Note that in <VirtualHost>, SuexecUserGroup replaces the User and Group directives.

The time is specified in seconds. The default option is 60.

The path refers to an existing MIME types configuration file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is /etc/mime.types.

Note that instead of editing /etc/mime.types, the recommended way to add MIME type mapping to the Apache HTTP Server is to use the AddType directive.

The option has to be a valid keyword as described in Available UseCanonicalName options. The default option is Off.

The user has to be an existing UNIX user. The default option is apache.

For security reasons, the httpd service should not be run with root privileges. Note that User is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.

The option can be either a name of the directory to look for in user’s home directory (typically public_html), or a valid keyword as described in Available UserDir options. The default option is disabled.

The Secure Sockets Layer (SSL) directives allow you to customize the behavior of the Apache HTTP Secure Server, and in most cases, they are configured appropriately during the installation. Be careful when changing these settings, as incorrect configuration can lead to security vulnerabilities. The following directive is commonly used in /etc/httpd/conf.d/ssl.conf:

The option can be either a HTTP header field, a previously defined environment variable name, or a valid keyword as described in Available SetEnvIf options. The pattern is a regular expression. The variable is an environment variable that is set when the option matches the pattern. If the optional exclamation mark (that is, !) is present, the variable is removed instead of being set.

The SetEnvIf directive is used to disable HTTP keepalives, and to allow SSL to close the connection without a closing notification from the client browser. This is necessary for certain web browsers that do not reliably shut down the SSL connection.

Note that for the /etc/httpd/conf.d/ssl.conf file to be present, the mod_ssl needs to be installed. See Setting Up an SSL Server for more information on how to install and configure an SSL server.

The Multi-Processing Module (MPM) directives allow you to customize the behavior of a particular MPM specific server-pool. Since its characteristics differ depending on which MPM is used, the directives are embedded in IfModule. By default, the server-pool is defined for both the prefork and worker MPMs. The following MPM directives are commonly used in /etc/httpd/conf/httpd.conf:

A high number can improve the performance of the server, although it is not recommended to exceed 256 when using the prefork MPM.

Setting the number to 0 allows unlimited number of requests.

The MaxRequestsPerChild directive is used to prevent long-lived processes from causing memory leaks.

This directive is used by the prefork MPM only.

The number must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. This directive is used by the worker MPM only.

Note that a high number can create a heavy processing load on the server. This directive is used by the prefork MPM only.

This directive is used by the worker MPM only.

Since the child processes are dynamically created and terminated according to the current traffic load, it is usually not necessary to change this value.

This directive is used by the worker MPM only.

To load a particular DSO module, use the LoadModule directive as described in Common httpd.conf Directives. Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.d/ directory.

Once you are finished, restart the web server to reload the configuration. See Restarting the Service for more information on how to restart the httpd service.

If you intend to create a new DSO module, make sure you have the httpd-devel package installed. To do so, enter the following command as root:

This package contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.

Once written, you can build the module with the following command:

If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.

Secure communication is based on the use of keys. In conventional or symmetric cryptography, both ends of the transaction have the same key they can use to decode each other’s transmissions. On the other hand, in public or asymmetric cryptography, two keys co-exist: a private key that is kept a secret, and a public key that is usually shared with the public. While the data encoded with the public key can only be decoded with the private key, data encoded with the private key can in turn only be decoded with the public key. To provide secure communications using SSL, an SSL server must use a digital certificate signed by a Certificate Authority (CA). The certificate lists various attributes of the server (that is, the server host name, the name of the company, its location, etc.), and the signature produced using the CA’s private key. This signature ensures that a particular certificate authority has signed the certificate, and that the certificate has not been modified in any way.

When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the host name listed in the certificate does not match the host name used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.

By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection, otherwise they will be presented with an error message, and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible. For more information on this, see Information about CA lists used by common web browsers.

When setting up an SSL server, you need to generate a certificate request and a private key, and then send the certificate request, proof of the company’s identity, and payment to a certificate authority. Once the CA verifies the certificate request and your identity, it will send you a signed certificate you can use with your server. Alternatively, you can create a self-signed certificate that does not contain a CA signature, and thus should be used for testing purposes only.

If you intend to set up an SSL server, make sure you have the mod_ssl (the mod_ssl module) and openssl (the OpenSSL toolkit) packages installed. To do so, enter the following command as root:

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in Restarting the Service.

To disable and enable specific versions of the SSL and TLS protocol, either do it globally by adding the SSLProtocol directive in the "#\# SSL Global Context" section of the configuration file and removing it everywhere else, or edit the default entry under "\# SSL Protocol support" in all "VirtualHost" sections. If you do not specify it in the per-domain VirtualHost section then it will inherit the settings from the global section. To make sure that a protocol version is being disabled the administrator should either only specify SSLProtocol in the "SSL Global Context" section, or specify it in all per-domain VirtualHost sections.

To disable SSL version 2 and SSL version 3, which implies enabling everything except SSL version 2 and SSL version 3, in all VirtualHost sections, proceed as follows:

This section is within the VirtualHost section.

Repeat this action for all VirtualHost sections.

This step is particularly important if you have more than the one default VirtualHost section.

Note that any sessions will be interrupted.

If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are only two situations where this is not possible:

Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.

VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.

In either of the above cases, you will need to obtain a new certificate. For more information on this topic, see Generating a New Certificate Using OpenSSL.

If you want to use an existing key and certificate, move the relevant files to the /etc/pki/tls/private/ and /etc/pki/tls/certs/ directories respectively. You can do so by issuing the following commands as root:

Then add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file:

To load the updated configuration, restart the httpd service as described in Restarting the Service.

First, generate the private key. In this example we will use a 2048 RSA key:

Create a Certificate Signing Request(CSR). The Common Name field must be your server’s hostname:

A message digest algorithm like SHA2 or stronger is recommended, but it’s more important for the certificate than for the request. However your CA decides which message digest they use for the certificate.

Now give your CSR to your Certificate Authority(CA) so they can sign your key and give you a certificate:

Once your CA has signed it, they will give you the certificate(.crt file). Now move the private key and the certificate to their respective directories:

The Certificate Signing Request(CSR) can be deleted as it becomes useless once you have obtained your certificate. Alternatively you can put it along your private key:

Set the correct context of these files for SELinux:

The last step is to configure the webserver of your host for the TLS protocol using the key and the certificate files you have just created - see mod_ssl configuration.