Apache Configuration

Due Date: Nov 8
Points: 25 Points

Objective: To gain experience with configuring the Apache web server

Equipment Needed

The Ubuntu system that you have already downloaded has the apache daemon along with html files that are needed in this experience. You will also need an Ethernet connection, i.e. a cat 5 cable.

Background

The Apache HTTP Server, commonly referred to as Apache, is a web server notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server to surpass the 100 million web site milestone. The majority of web servers using Apache run the Linux operating system. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation.

The application is available for a wide variety of operating systems, including Unix, GNU, FreeBSD, Linux, Solaris, Novell NetWare, Mac OS X, Microsoft Windows, OS/2, TPF, and eComStation. Released under the Apache License, Apache is characterized as open source software. Since April 1996 Apache has been the most popular HTTP server on the World Wide Web. As of September 2009, Apache served over 54.48% of all websites and over 66% of the million busiest.

The first version of the Apache web server was created by Robert McCool, who was heavily involved with the National Center for Supercomputing Applications web server, known simply as NCSA HTTPd. When McCool left NCSA in mid-1994, the development of httpd stalled, leaving a variety of patches for improvements circulating through e-mails. These patches were provided by a number of other developers besides McCool: Brian Behlendorf, Roy Fielding, Rob Hartill, David Robinson, Cliff Skolnick, Randy Terbush, Robert S. Thau, Andrew Wilson, Eric Hagberg, Frank Peters and Nicolas Pioch, and they thus helped to form the original "Apache Group".

Version 2 of the Apache server was a substantial re-write of much of the Apache 1.x code, with a strong focus on further modularization and the development of a portability layer, the Apache Portable Runtime. The Apache 2.x core has several major enhancements over Apache 1.x. These include UNIX threading, better support for non-Unix platforms (such as Microsoft Windows), a new Apache API, and IPv6 support. The first alpha release of Apache 2 was in March 2000, with the first general availability release on April 6, 2002. Version 2.2 introduced a more flexible authorization API. It also features improved cache modules and proxy modules. See http://en.wikipedia.org/wiki/Apache_server for more information.

Procedure

1. Basic Configuration

Apache is configured by placing directives in plain text configuration files. The main configuration file is called apache2.conf. In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache2 when it is started or restarted.

The default Apache2 configuration file is /etc/apache2/apache2.conf. We will be editing this file to configure the Apache2 server. Through modification of apache2.conf one can configure the port number, document root, modules, log files, virtual hosts, etc.

The first action to take is to save an original copy of any configuration file. Hence, from the /etc/apache2 directory, you will want to

    $ sudo cp apache2.conf apache2.conf.orig

2. Configuring User Authentication & Access Control and Logging (basic)

If you have information on your web site that is sensitive or intended for only a small group of people, these steps will ensure that the people who see those pages are the people you wanted to see them. You'll need to create a password file.
This file should be placed somewhere not accessible from the web (we will violate this rule for this experience). This is so that folks cannot download the password file. To create the password file, type:

    $ cd /var/www/
    $ sudo htpasswd -c /var/www/passwords <your_username>

Next, you'll need to configure the server to request a password and tell the server which users are allowed access. You can do this either by editing the httpd.conf file or using an .htaccess file; for this experience we will be using the .htaccess file. If you use the vim editor, in the /var/www/ directory type

    $ sudo vim .htaccess

Type in the following information and save the file:

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords
    Require user <your_username>

Let's examine each of those directives individually.

The AuthType directive selects the method that is used to authenticate the user. The most common method is Basic, and this is the method implemented by mod_auth. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Only the most recent versions of clients are known to support Digest authentication.

The AuthName directive sets the Realm to be used in the authentication. The realm serves two major functions. First, the client often presents this information to the user as part of the password dialog box. Second, it is used by the client to determine what password to send for a given authenticated area.

The AuthUserFile directive sets the path to the password file that we just created with htpasswd. If you have a large number of users, it can be quite slow to search through a plain text file to authenticate the user on each request.
Apache also has the ability to store user information in fast database files. The mod_auth_dbm module provides the AuthDBMUserFile directive. These files can be created and manipulated with the dbmmanage program.

Finally, the Require directive provides the authorization part of the process by setting the user that is allowed to access this region of the server. In the next section, we discuss various ways to use the Require directive.

For more information visit http://httpd.apache.org/docs/2.0/howto/auth.html

Next, open the virtual hosts file:

    $ sudo vim /etc/apache2/sites-available/default

Find the section that looks similar to below:

    <Directory /var/www/>
        ...
        AllowOverride None
        ...
    </Directory>

Modify the ‘AllowOverride None’ to ‘AllowOverride All’ and save the file.

Next move the ‘passwordProtected.html’ file from the ‘Apache’ directory on your desktop to /var/www/.

Lastly, restart apache with:

    $ sudo /etc/init.d/apache2 restart

Open a web browser and enter ‘http://localhost/passwordProtected.html’. You should be prompted for a username/password. Enter an INCORRECT password, followed by the correct password. After entering the correct password, you should be allowed access to the webpage.

Now let’s take a look at the log files:

    $ sudo vim /var/log/apache2/error.log
    $ sudo vim /var/log/apache2/access.log

What is/was being recorded in each log file?

* Do a Print-Screen showing the pertinent sections of each log-file for Reporting *

3. Configuring Per-user Web Directories (intermediate)

On systems with multiple users, each user can be permitted to have a web site in their home directory using the UserDir directive. Visitors to a URL http://example.com/~username/ will get content out of the home directory of the user "username", out of the subdirectory specified by the UserDir directive; this is very similar to how department and university web-hosting is handled for employees and students. Remember that we have the user “student” from the Authentication experience.
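
Added example (not part of the original handout), going back to the password file from step 2, which deliberately keeps /var/www/passwords under the document root. The script reads AuthUserFile from an .htaccess file and reports whether the file it names sits inside the document root; the function names are hypothetical, the sample directories are constructed, and AuthUserFile is assumed to be an absolute path.

```sh
#!/bin/sh
# Added example: check where an .htaccess file's AuthUserFile points.
# Function names are hypothetical; the sample files are constructed below.

canon_dir() { (cd "$1" 2>/dev/null && pwd -P); }   # resolve symlinks and ".."

# audit_htaccess DOCROOT HTACCESS: findings on stdout, returns 1 on any FAIL
audit_htaccess() {
    docroot=$(canon_dir "$1") || { echo "ERROR: bad docroot $1"; return 2; }
    # Directive names are case-insensitive; the path may be double-quoted.
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        $1 = ""; sub(/^ +/, ""); gsub(/"/, ""); print; exit }' "$2")
    [ -n "$pwfile" ] || { echo "INFO: no AuthUserFile in $2"; return 0; }
    pwdir=$(canon_dir "$(dirname "$pwfile")") ||
        { echo "ERROR: cannot resolve $pwfile"; return 2; }
    result=0
    case "$pwdir/" in
        "$docroot"/*)
            echo "FAIL: $pwfile is inside the document root"
            # Stock Apache configs deny requests only for names starting ".ht".
            case "$(basename "$pwfile")" in
                .ht*) echo "NOTE: name starts with .ht, covered by the default deny rule" ;;
                *)    echo "FAIL: name is not covered by the default .ht deny rule" ;;
            esac
            result=1 ;;
        *)  echo "OK: $pwfile is outside the document root" ;;
    esac
    return $result
}

# Constructed sample: make_sample ROOT PASSWORD_FILE
make_sample() {
    mkdir -p "$1/www" "$1/auth"
    : > "$2"
    printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile %s\nRequire user student\n' \
        "$2" > "$1/www/.htaccess"
}

tmp=$(mktemp -d)
make_sample "$tmp/lab"   "$tmp/lab/www/passwords"      # layout used in step 2
make_sample "$tmp/fixed" "$tmp/fixed/auth/passwords"   # file kept outside the docroot
audit_htaccess "$tmp/lab/www"   "$tmp/lab/www/.htaccess"   || true
audit_htaccess "$tmp/fixed/www" "$tmp/fixed/www/.htaccess" || true
```

On the lab system the equivalent call is audit_htaccess /var/www /var/www/.htaccess.
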

Next we will create a ‘public_html’ directory under student by

    $ sudo mkdir /home/student/public_html

When running as a web server, Apache runs as the ‘www-data’ user under the group ‘www-data’. Because of this, we must give the “www-data” group privileges to read the content of the newly added user. If this step is omitted, when accessing the web-page, you will get a ‘Forbidden Error’.

    $ sudo chgrp www-data /home/student/public_html

Next, we must make a few additions to the Apache Configuration File.

    $ sudo vim /etc/apache2/apache2.conf

Add the following lines to the end of apache2.conf

    <IfModule mod_userdir.c>
        # Serve ~user requests from the user's public_html directory
        UserDir public_html
        # Turn per-user directories off globally, then back on for student only
        UserDir disabled
        UserDir enabled student
        <Directory /home/*/public_html>
            AllowOverride FileInfo AuthConfig Limit
            Options Indexes SymLinksIfOwnerMatch IncludesNoExec
        </Directory>
    </IfModule>

These are directives to the Apache Server. The <IfModule mod_userdir.c> stipulates “If user-web directories are enabled, then do the following”. The next line

    UserDir public_html

indicates that only files in the ‘public_html’ directory of the “~user” should be accessed – essentially notifying Apache of the location of the “~user” files.

    UserDir disabled
    UserDir enabled student

The above directives are a security precaution which stipulates to only allow “student” to have a web directory: UserDir disabled turns per-user directories off for everyone, and UserDir enabled student turns them back on for that one user. Any other “~users” will be disallowed.

    <Directory /…….>

The last directive above holds other options for files in the user’s public_html directory. For more information on the provided options, “AllowOverride, FileInfo, AuthConfig, Limit”, see the extensive Apache Documentation.

http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
http://httpd.apache.org/docs/2.2/howto/public_html.html

Next, we must enable user-web directories through the userdir module. This will create two new symbolic links in /etc/apache2/mods-enabled: userdir.conf and userdir.load. To do this you should type in a terminal:

    $ sudo a2enmod userdir

Lastly, we must restart the Apache Server for our changes to take effect.

    $ sudo /etc/init.d/apache2 restart

Open a web browser and enter “http://localhost/~student” as the URL. Voila!

* Do a Print-Screen of the Browser, including the URL, for Reporting *

4.