Unix Web Hosting for Developers

Unix - Unix Like Operating Systems

Filed under: Guide To FreeBSD — webmaster @ 9:11 pm

None
No options are allowed. Every one of the nifty features discussed here will not work.

SymLinksIfOwnerMatch
The server will use symlinks if the owner of the symlink is the owner of the file that the symlink points to. This means, in English, that a user can use symlinks to point to her own documents.

AllowOverride

If you allow override, users can alter the options permitted in a directory. When you allow override, Apache checks each directory for a file called .htaccess, and processes the contents as additional server configuration info. This allows Web developers to both handle much routine configuration themselves and to install insecure CGI scripts in random locations.

You’ll need to decide whether to permit the use of .htaccess overrides. If you’re running a corporate Web server, and your Web developer pretty much gets what he wants anyway, there’s no reason not to allow whatever override he desires. If, on the other hand, you’re running a public or ISP Web server, and you don’t allow a certain group of clients to use CGI scripts, you should be sure to disallow certain overrides.

These are the valid AllowOverride statements; all allow the user to override anything with an .htaccess entry.

AuthConfig
Allows you to password-protect directories. This is a pretty safe option, and it is generally expected on server farms where any idiot with a credit card can get an account.

FileInfo
Allows users to insert their own MIME information for a directory. While it’s generally better to add this sort of information to the server’s mime.types file, there will be occasions where people need this; for example, when they upload a file that’s used only within their company, and they need to tell the browsers what to expect.

Indexes
Allows the user to control how indexing is handled, including setting a new default document, controlling how icons appear in server-generated indexes, and so on.

Limit
Allows the user to use the Allow, Deny, and Order keywords. This option is also quite safe.

None
Means that the user can make no changes. This is a good option to use as a default, but it’s a little too restrictive for most applications.

Options
Allows the user to set any of the options described here. This is good if you know and trust the Web developers, or if you don’t care if someone uploads an insecure program and the server is compromised.

With the foregoing in mind, a reasonable set of user defaults is

    AllowOverride Limit AuthConfig Indexes FileInfo

Controlling HTTP Requests

An HTTP method is a command sent by a browser to a server. You’ve probably heard of the HTTP methods GET and POST. These tell the server to transmit a particular page and to process a list of uploaded information, respectively. There’s a whole list of methods, however, each with a separate


Filed under: Guide To FreeBSD — webmaster @ 8:52 am

    Options ExecCGI MultiViews

Now, let’s examine the standard options.

All
The All option is the Apache server’s built-in default. If you have an empty httpd.conf, the Apache server lets almost any Apache function work in the directory. If a user uploads a password-protection script to keep people out of the directory, it will work. If a user uploads a CGI script that exploits a local system flaw to start a root shell on a high-numbered TCP port, giving anyone in the world a backdoor into your system, it will work too. The All option allows every single Apache option except MultiViews (described shortly).

The sample httpd.conf file shipped with Apache specifically sets Options None in the ServerRoot directory, which means that the Apache program’s built-in permissive default is turned off by the sample configuration. If you’re using the sample httpd.conf as a base (as you should), the All option is explicitly shut off, and you will need to specifically enable options in any directory in which you wish to use them.

ExecCGI
CGI scripts that are in a directory with this option set can run.

FollowSymLinks
You can use symlinks (or symbolic links, or aliases, as discussed in ln(1)) to point to other files on the server. A user could symlink to just about any file on the server, and that file would be visible (if the file permissions allow it, of course).

Includes
Server-side includes (SSI, HTML files that include shell commands) and CGI scripts will work in a directory with this option set, but both can be a security risk unless defensively programmed. After all, you’re allowing anyone who can call up your Web site to run the command you use in your HTML page. With a bit of conniving, many intruders can make a command do things the Web designer never intended. (Search the Web on server-side includes and security, and you’ll find many different security problems described.) If you don’t know how to use SSI safely, don’t enable this!

IncludesNOEXEC
This allows server-side includes, but disables the #exec SSI feature and the include function of CGI scripts. Without the #exec feature, HTML code cannot run just any command, and SSI commands must be written within a carefully restricted range. Basically, this allows simple server-side includes and CGI scripts, while eliminating the most common security holes. Again, check Google for many different descriptions of the thousands of security issues caused by sloppy server-side includes.

Indexes
If a directory doesn’t contain an index document (such as Directory Index), the server will return a prettily formatted list of the directory contents. You might consider this a security problem, depending on the contents of your directory. For example, if someone browses the directory of my personal Web page, I don’t care, but if they browse a directory that contains private code, I care a great deal.

MultiViews
The server can handle documents that are written to be viewed in multiple languages. For example, a Web developer could write a single HTML document that contains text in English, Chinese, and Spanish. With MultiViews enabled, Apache will send the client the page in the language the Web browser uses.
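An audit of the Options and AllowOverride settings described on this page, added here as an example (it is not code from the book or from Apache): it walks the <Directory> blocks of a configuration and reports the values the text calls out as risky. The sample configuration, the customers path and the wording of the reasons are constructed for illustration.

```python
import re

# Reasons paraphrase the option descriptions given in the text.
RISKY_OPTIONS = {
    "all": "enables every option except MultiViews",
    "execcgi": "CGI scripts in this directory can run",
    "includes": "server-side includes with #exec can run commands",
    "followsymlinks": "a symlink can expose any readable file on the server",
    "indexes": "directory contents are listed when no index document exists",
}
RISKY_OVERRIDES = {
    "all": "users can override everything from .htaccess",
    "options": "users can switch on any option, ExecCGI included, from .htaccess",
}

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """\
# baseline for the whole filesystem
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /usr/local/www/data/catalog>
    Options ExecCGI MultiViews
    AllowOverride Limit AuthConfig Indexes FileInfo
</Directory>
<Directory "/usr/local/www/data/customers">
    Options IncludesNOEXEC SymLinksIfOwnerMatch
    AllowOverride Options
</Directory>
"""

DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)


def audit_directories(conf_text):
    """Return (directory, directive, value, reason) for each risky setting."""
    findings = []
    directory = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIRECTORY_OPEN.match(line)
        if opened:
            directory = opened.group(1)
            continue
        if line.lower().startswith("</directory"):
            directory = None
            continue
        if directory is None:
            continue  # only settings inside a <Directory> block are audited
        words = line.split()
        table = {"options": RISKY_OPTIONS,
                 "allowoverride": RISKY_OVERRIDES}.get(words[0].lower())
        if table is None:
            continue
        for value in words[1:]:
            if value.startswith("-"):  # "-ExecCGI" switches the option off
                continue
            reason = table.get(value.lstrip("+").lower())
            if reason:
                findings.append((directory, words[0], value, reason))
    return findings


if __name__ == "__main__":
    for directory, directive, value, reason in audit_directories(SAMPLE_CONF):
        print(f"{directory}: {directive} {value} -> {reason}")
```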


Filed under: Guide To FreeBSD — webmaster @ 10:44 pm

Note that Apache gets the hostnames from reverse DNS. Because, in many cases, it’s trivial for an administrator to change the reverse DNS hostname, you’re safer using IP addresses, or even blocks of IP addresses, to control access. All of the following are legitimate types of IP address and IP address block arguments for an Allow or Deny statement.

    192.168.0.1 192.168.0.2 192.168.0.3
    192.168
    192.168.0.0/16
    192.168.0.0/255.255.0.0

The first line here controls a series of three IP addresses. The last three lines mean exactly the same thing as each other, and are simply three different ways of expressing all IP addresses beginning with 192.168.

You can easily restrict access to your internal Web site to only company IP addresses by doing something like this:

    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

(This, of course, assumes that your company firewall is configured to block spoofed traffic.)

Httpd.conf Options

Options are general server features that can be enabled and disabled on a directory-by-directory basis. They allow a Web developer to do all sorts of nifty tricks, such as execute programs on the server, enable and disable password protection on directories, and change language handling. These options give the Web developer a lot of power, and they can also generate a lot of support calls, so you need to know what each is and how it works.

You specify options inside a directory with the Options keyword. For example, to enable the ExecCGI option for the directory /usr/local/www/data/catalog, you would use the following configuration:

    <Directory /usr/local/www/data/catalog>
    Options ExecCGI
    </Directory>

You can also specify multiple options on a single line:


Filed under: Guide To FreeBSD — webmaster @ 12:34 pm

    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>

Apache allows users to upload their own configuration files to change the server’s behavior; in short, to let users specify their own options, password protection, MIME types, and so on. The AllowOverride None line shown in the preceding example means that users can’t set these options on a directory unless we say so. And yes, that slash (/) represents the ServerRoot directory, as specified in the systemwide options. Unless specified otherwise, every directory on the server has these permissions, though you can override these settings on particular directories. (We’ll briefly discuss the various permission options in “Directory Configuration,” later in this chapter; for now, just realize that nobody does diddly without our say-so.)

To loosen permissions on a directory-by-directory basis, have a look at the default httpd.conf, where you’ll find a set of looser permissions set on various directories.

Directory Features

Now that we’ve disallowed every feature Apache offers, we can explicitly enable the features we’d like to have. They will allow your Web designers to do many different things, but as an administrator you need to know what each one does. Here are some of the features you might set on a directory.

Controlling Access with IP Addresses and Netblocks

The Allow and Deny options control which IP addresses and hostnames are permitted to access content in a directory. Browser clients are compared against the “allow” and “deny” lists in the order given in the Order statement. Apache then permits or rejects access depending on the results.

When Order is deny,allow, the default is to allow access unless prohibited by a Deny statement. When Order is allow,deny, the default is to deny access unless permitted by an Allow statement.

You allow and deny hosts by IP address and hostnames. Every attempted connection is compared against these descriptions, and is treated appropriately. Every attempted connection is part of a special group, All. Much like with TCP Wrappers, you can use the All group and more specific client identification to allow and exclude particular hosts. Confused? Let’s walk through a sample.

    Order allow,deny
    Allow from all
    Deny from .AbsoluteBSD.com

I’m browsing to a site from an absolutebsd.com machine. Apache first checks the Order list (because this is the first statement it encounters), and is told to look at the Allow list and then the Deny list. Since absolutebsd.com is part of all, I’m allowed in at first. But then Apache checks the deny list and, whoops, I’m cut off.
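The Order, Allow and Deny evaluation walked through above, together with the address forms listed elsewhere on this page, as an added example (not code from the book or from Apache): a small model of the decision that shows why Deny from all under Order allow,deny shuts out even an allowed netblock. It assumes IPv4 only, and the function names, client addresses and hostnames are constructed for illustration.

```python
import ipaddress


def spec_matches(spec, client_ip, client_host=None):
    """Return True if one Allow/Deny argument matches the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:
        # CIDR (192.168.0.0/16) or netmask (192.168.0.0/255.255.0.0) form
        network = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if spec.replace(".", "").isdigit():
        # Full address, or a partial one such as "192.168": compare whole
        # octets so that "192.168.1" never matches 192.168.10.x
        octets = spec.strip(".").split(".")
        return client_ip.split(".")[:len(octets)] == octets
    # Anything else is a (partial) domain name. It is compared with the
    # client's reverse-DNS name, which the client's own DNS admin controls.
    if client_host is None:
        return False
    host = client_host.lower()
    if spec.startswith("."):
        return host.endswith(spec)
    return host == spec or host.endswith("." + spec)


def access_allowed(order, allow, deny, client_ip, client_host=None):
    """Model the Order/Allow/Deny decision for one client."""
    allowed = any(spec_matches(s, client_ip, client_host) for s in allow)
    denied = any(spec_matches(s, client_ip, client_host) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Default deny: an Allow must match, and a matching Deny still rejects.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a matching Deny rejects unless an Allow also matches.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


if __name__ == "__main__":
    internal, outside = "192.168.1.10", "203.0.113.5"  # constructed clients
    cases = [
        ("allow,deny", ["192.168.1.0/24"], ["all"], internal, None),
        ("deny,allow", ["192.168.1.0/24"], ["all"], internal, None),
        ("deny,allow", ["192.168.1.0/24"], ["all"], outside, None),
        ("allow,deny", ["all"], [".AbsoluteBSD.com"], outside,
         "www.absolutebsd.com"),
    ]
    for order, allow, deny, ip, host in cases:
        verdict = access_allowed(order, allow, deny, ip, host)
        print(order, allow, deny, ip, host, "->",
              "allowed" if verdict else "denied")
```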


Filed under: Guide To FreeBSD — webmaster @ 1:11 am

Error Document

    ErrorDocument 404 /missing.html

When a browser requests a document that’s not on the server, the server returns an error. You can create a custom error page with the ErrorDocument directive.

Include

    Include /usr/local/etc/apache/vhosts.conf

The httpd.conf file can include other files, a feature that can be useful when you have several subsystems maintained by different people. This can also be useful if you want to make your configuration easier to digest. For example, many add-on Apache modules have their own bits of configuration code. It’s simpler to give each module its own configuration file and include it than to pile it on the main httpd.conf file. Similarly, if you have a person whose job it is to maintain virtual hosts, you can create a virtual hosts file with permissions that allow that person (or group of people) to maintain it (see Chapter 8).

Directory Configuration

Apache has many nifty features, but it’s not a good idea to enable everything everywhere; a bit of sloppy programming can result in your giving out too much information from your Web site, or even letting someone break in.

Permissions to access Apache functions are set on a directory-by-directory basis. The configuration looks much like XML: You have a Directory label in angle brackets, a list of permissions and settings, and then a closing directory entry with a backslash. Any options or settings between the opening and closing Directory statements affect that directory. Here’s the basic format:

    …options and settings here

By default, Apache uses very restrictive permissions and settings. For example, you’ll see the following entry right at the top of the directory listings in httpd.conf:


Filed under: Guide To FreeBSD — webmaster @ 12:44 pm

The LogFormat statement controls the data logged by the server. There are several different default LogFormat settings established for your convenience:

The “common” format logs the IP address of the client, the time of the request, the file requested, and a few other basic things.
The “referrer” format logs the site that referred the client, meaning another Web page with a link to yours.
The “agent” format records the Web browser used.
The “combined” format logs all of the above. (This can generate very large logs, so be sure you have lots of disk space.)

Note: If you dig through the Apache documentation, you can write your own LogFormat statements easily enough. The formats mentioned here are understood by all the popular Web log analysis programs, however, so don’t change them arbitrarily.

Custom Logs

    CustomLog /var/log/httpd-access.log combined

The CustomLog statement controls the name of the log file and the format used. In the preceding example, the main Web site logs to /var/log/httpd-access.log in the “combined” format. You can have several CustomLog statements for different purposes. For example, if you’re using an Apache module that provides special functionality that you want logged, but you don’t want to break the WebTrends product being used by your clients, you can use multiple CustomLog statements to write to two separate log files.

Aliases

    Alias /icons/ "/usr/local/www/icons/"

Use the Alias statement to provide aliases for directories on your Web site, much like a symlink. In the preceding example, someone looking at http://www.AbsoluteBSD.com/icons/ would actually be pulling files from the directory /usr/local/www/icons/.


Filed under: Guide To FreeBSD — webmaster @ 12:43 am

The default httpd.conf file has a fairly complicated set of rules for determining the DirectoryIndex setting. This is an excellent example of a conditional setting that is based on the modules loaded. You can strip out all that and replace it with a simple one-line entry, if you’re not using any of these advanced modules.

Hostname Lookup for Logs

    HostnameLookups Off

This setting controls whether Apache saves IP addresses or hostnames to its logs. Enabling this makes your logs look nicer, with computer names instead of IP addresses, but you should leave it off as a general rule. Turning it on will simply add load to your server, and most log-file analysis programs can do this lookup on their own.

Error Log Location

    ErrorLog /var/log/httpd-error.log

This is the location of the error log.

Logging Level

    LogLevel warn

The LogLevel statement controls the amount of data logged. Valid labels are debug, info, notice, warn, error, crit, alert, and emerg. The system logger uses these labels to determine the amount of data logged. The warn setting is a good, median level.

Log Format

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined


Filed under: Guide To FreeBSD — webmaster @ 1:35 pm

    User www
    Group www

These options specify the UNIX user and group that Apache runs as. Just as you can log into your FreeBSD system and start a program that runs with your permissions, the Apache Web server expects to be started by a particular user and use that user’s permissions. Recent FreeBSD systems ship with the user www and group www, generic accounts with no privileges that are intended for use by the Web server. (You can’t log in as www.) While you’ll sometimes see a document that suggests running Apache as root, don’t run the Web server as root, whatever you do; if an intruder breaks into your Web server, they’ll get root on your system as a side benefit!

Administrator Email Address

    ServerAdmin webmaster@AbsoluteBSD.com

This setting specifies the email address of the person who runs the server. If someone notices a problem with your server, this is where he will be told to send email.

Server Name

    ServerName www.AbsoluteBSD.com

This is the name of the Web site. It must be a real hostname, and whatever name you give must have a DNS entry or Apache won’t start. For testing purposes, though, you can use an entry in /etc/hosts instead of an actual DNS entry.

Directory Index

The DirectoryIndex statement gives the name of the default document in a directory. When a client calls up a directory, rather than a filename, Apache checks for files with this name, in order.

    DirectoryIndex index.php index.html

Here, if a Web browser calls up http://www.AbsoluteBSD.com/refunds/, Apache checks for index.php and then index.html, and returns the first it finds.


Filed under: Guide To FreeBSD — webmaster @ 2:13 am

    Listen 88

You can use multiple Listen statements to make Apache available on any port or IP address on your system.

BindAddress

    BindAddress *

Much like the Listen statement, BindAddress controls which IP address Apache attaches to. By default, Apache attaches to every port on the system, but you can restrict it to a single IP address with this option. BindAddress is basically identical to Listen.

Modules

    LoadModule
    AddModule

You can add functions to Apache with these modules. The modules listed in the base configuration provide basic Apache functionality, so don’t alter the existing LoadModule and AddModule statements unless you know exactly what you’re doing. (We’ll discuss Apache modules in more detail in the “Apache Modules” section later in the chapter.)

Port

    Port 80

This is the TCP port that Apache listens on. You can use multiple Port statements.

User and Group


Filed under: Guide To FreeBSD — webmaster @ 1:47 pm

MaxClients specifies the maximum number of httpd processes that Apache is allowed to run at one time, and when this limit is reached, the Web server might appear to be unavailable. This limit is designed for older systems, and can easily be increased on more modern computers. Experiment to see how many httpd processes your system needs.

Note: You can see how many httpd processes are running at any given time by running ps -ax | grep httpd | wc -l.

Maximum Httpd Requests

Each httpd process that starts answers requests and then hangs around waiting for the next request. If you have a fancy Web program that leaks memory, making each httpd process use more and more memory, you’ll see the size of each httpd process increase when you run top. If you have this memory usage problem, you can set MaxRequestsPerChild to shut down a process after it handles a set number of requests. Setting this to 0 means that each process can handle an unlimited number of requests:

    MaxRequestsPerChild 0

Most FreeBSD systems run just fine with this set to 0, but you can change this option if you find that you have many httpd processes using a lot of memory. If that’s the case, the problem is usually due to some Web application.

Listen

    Listen 80

The Listen option controls which TCP ports or IP addresses Apache will bind to. You can specify individual IP addresses like this:

    Listen 192.168.8.44

Then combine this with a port number to run Apache on an unusual port:

    Listen 192.168.8.44:88

Or, you can listen on all the IP addresses on the system, on an unusual port:
