18. Apache
18.1 Defaults
1. Configuration File: /etc/httpd/conf/httpd.conf
2. Server root: /etc/httpd
3. Document root: /var/www/html
4. Logging location: /var/log/httpd
5. User: apache
6. Group: apache
7. Ports: 80 TCP (HTTP) and 443 TCP (HTTPS)
8. Modules stored in /etc/httpd/modules
9. MinSpareServers 5
10. MaxSpareServers 10
11. StartServers 8
12. MaxClients 150
13. MaxRequestsPerChild 1000
14. Default Pages Served
Whenever a URL is requested that ends in a directory and not a file, a default file within the directory will be loaded. The DirectoryIndex directive is used to specify what this default file or files will be.
DirectoryIndex index.shtml index.htm index.shtml index.php index.php4 index.php3 index.cgi
With the above configuration, if a user were to request the URL http://www.somedomain.com, Apache would search its document root for the files specified in the DirectoryIndex directive. The files are searched for in the order in which they appear in the directive. So, it first checks to see if a file named index.shtml exists, then index.htm, then index.shtml and so on.
18.2 Resource Control
1. MinSpareServers
Minimum # of idle server processes that must be available to handle incoming requests.
2. MaxSpareServers
Maximum # of idle server processes that wait for client connections.
3. StartServers
Initial # of servers to start when Apache is started.
4. MaxClients
Maximum # of clients that can be served at once. This effectively limits the maximum number of httpd processes started since it requires 1 process per client.
5. MaxRequestsPerChild
Maximum # of requests to handle per child. After this number is attained, the child is killed and a new child process is spawned to replace it. This is used to help prevent memory leaks from eating up system resources.
18.3 Logging
1. Error Log
Use ErrorLog directive to specify. For example:
ErrorLog /var/log/httpd/error_log
2. Access Log
No AccessLog directive. Instead use the CustomLog directive.
CustomLog /var/log/httpd/access_log combined
“combined” is a previously defined log format (defined with LogFormat directive).
“common” is another previously defined log format that logs less information than “combined”.
18.4 User Web Space
1. Specify name of user www directory with UserDir directive:
UserDir public_html
2. User must create a “public_html” directory in their home directory.
3. Anything placed in the public_html directory can be accessed through the web if permissions allow Apache to access it.
4. In order to visit a user’s “public_html” directory, specify ~user after the base URL:
www.somedomain.com/~steve
18.5 Access Restrictions
1. Provides directory and file level access control.
2. Are recursively applied to directories underneath the directory specified unless overridden.
3. / should be configured to be VERY restrictive. Then, start configuring directories from the document root on down.
4. If “AllowOverride” is specified for a directory in the httpd.conf file, then permissions can be overridden by placing a .htaccess file in the directory. Permissions are then specified in the .htaccess file.
5. AllowOverride Options:
o None
Nothing can be overridden.
o AuthConfig
Allows use of user/group authorization directives (AuthName, AuthUserFile, AuthGroupFile, Require).
o FileInfo
Allows use of directives controlling document types.
o Indexes
Allows use of directives that control directory indexes.
o Limit
Allows use of directives that control access based on browser, hostname, and network.
o Options
6. Access Control Setup
o order
1. allow,deny
allow acls processed before deny acls. Default deny – hosts not explicitly allowed are denied.
2. deny,allow
deny acls processed before allow acls. Default allow – hosts not explicitly denied are allowed.
3. mutual-failure
All explicitly allowed hosts that are not also denied are allowed.
o allow from
Specifies which hosts should be allowed access.
o deny from
Specifies which hosts should be denied access.
o Examples
# In this case, no one would be granted access
# because denys are processed after allows.
order allow,deny
allow from 199.151.220
deny from All

# In this case, only those hosts in the 199.151.220.0/24
# network will be allowed in.
order deny,allow
allow from 199.151.220
deny from All
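The order semantics above can be checked with a small evaluator. The following Python is an added example, not part of the original notes or of Apache itself; it models the order / allow from / deny from rules for IPv4 addresses only, and the function names and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed client addresses, for illustration only.
CLIENTS = ["199.151.220.7", "199.151.221.7", "10.0.0.5"]


def host_matches(spec, client_ip):
    """True if one 'allow from' / 'deny from' argument covers client_ip (IPv4)."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form such as 199.151.220.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # Full or partial dotted address: compare whole octets, so that
    # "199.151.22" does not accidentally cover 199.151.220.7.
    want = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(want)] == want


def evaluate(order, allow, deny, client_ip):
    """Return True if access is granted under the given order setting."""
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order in ("allow,deny", "mutual-failure"):
        # Default deny: the host must match an allow and no deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a deny match is overridden by an allow match.
        return allowed or not denied
    raise ValueError("unknown order: " + order)


def decisions(order, allow, deny):
    """Map each constructed client address to its access decision."""
    return {ip: evaluate(order, allow, deny, ip) for ip in CLIENTS}


if __name__ == "__main__":
    # The two examples from this section: same ACLs, different order.
    for order in ("allow,deny", "deny,allow"):
        print(order, decisions(order, ["199.151.220"], ["All"]))
```

Running it shows that the same allow and deny lines produce opposite results depending on the order setting, which is the most common source of unintended exposure with these directives.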
18.6 Authentication
1. User/password database
o Use AuthUserFile directive to specify a password file. Can be used in a <Directory> directive or in an .htaccess file (if “AllowOverride AuthConfig” is specified for the directory).
o Create the password file and add user “steve” to it:
htpasswd -c /var/www/userpasswd steve
Only use the “-c” option when you create the file. After that, leave it off. Otherwise you will wipe out your existing password file.
2. Authentication Type
Specify an AuthType (Basic or Digest)
3. Realm
Specify a realm using AuthName.
4. Authentication Requirements
Specify authentication requirements using require
5. Example .htaccess file
AuthName "My Realm"
AuthType Basic
AuthUserFile /var/www/passwd
require valid-user
The above example allows any valid user (“valid-user” must be in all lower case) to access this directory. Valid meaning that the user is defined in /var/www/passwd.
If only certain users are allowed to access this directory, you can specify them instead of “valid-user”:
require user bob sue steve
In this case, only users bob, sue, and steve will be allowed to access this directory.
18.7 CGI
1. Defining a directory for CGI scripts
o ScriptAlias
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
Don’t forget the trailing “/” on both parameters.
This specifies that the /var/www/cgi-bin can contain cgi scripts and it can be reached when a user accesses the web address and appends /cgi-bin/ to the base URL. For example:
http://www.somehost.com/cgi-bin/cgi-test
Would cause the cgi script called cgi-test to be executed if it exists in the /var/www/cgi-bin directory.
o ExecCGI
A directory can also be specified as containing cgi scripts by specifying Options ExecCGI within a <Directory> directive or an .htaccess file.
o Sample CGI scripts can be found in /usr/share/doc/apache-X.X.XX/cgi-bin.
18.8 Virtual Hosts
1. IP Based
o Requires host to have a separate IP for each virtual host.
o Use <VirtualHost> directive to specify.
o Must at least specify ServerName.
o Recommend specifying a separate document root, error log, and script alias for each virtual host.
o Example:
ServerName www.somedomain.com
ServerAdmin webmaster@somedomain.com
DocumentRoot /var/www/www.somedomain.com/html
ScriptAlias /cgi-bin/ /var/www/www.somedomain.com/cgi-bin/
ErrorLog /var/log/httpd/www.somedomain.com/error_log
CustomLog /var/log/httpd/www.somedomain.com/access_log combined

Options Indexes Includes
order deny,allow
Allow from All
2. Name Based
o Very similar to IP based.
o Must specify IP to use for virtual hosting with the NameVirtualHost directive. All further <VirtualHost> directives that reference the IP specified by NameVirtualHost automatically become name-based virtual hosts.
o The first virtual host becomes the default host.
o ServerAlias allows you to specify an alternate name for a name based virtual host.
o Example:
NameVirtualHost 192.168.1.11

ServerName www.someotherdomain.com
ServerAlias www1.someotherdomain.com
ServerAdmin webmaster@someotherdomain.com
DocumentRoot /var/www/www.someotherdomain.com/html
ScriptAlias /cgi-bin/ /var/www/www.someotherdomain.com/cgi-bin/
ErrorLog /var/log/httpd/www.someotherdomain.com/error_log
CustomLog /var/log/httpd/www.someotherdomain.com/access_log combined

Options Indexes Includes
order deny,allow
Allow from All
3. Troubleshooting
o If accessing any of the defined name-based virtual hosts always causes the default virtual host to be viewed, verify that the names specified for each virtual host (ServerName) are correct.
o To view virtual host settings, type:
httpd -S
18.9 SSL
1. mod_ssl
2. Encryption Configuration
o Certificate stored in /etc/httpd/conf/ssl.crt/server.crt
o Private key stored in /etc/httpd/conf/ssl.key/server.key
o Certificate/Key Generation
1. Use openssl
2. RH provided Makefile at /usr/share/ssl/certs/Makefile:
* make testcert – Self-signed certificate
* make certreq – Certificate signing request to get a certificate authority signed certificate.
