Web Server
The Apache HTTP Server
The web server available in Fedora is the Apache HTTP server daemon, httpd
, an open source web server developed by the Apache Software Foundation. In Fedora 19 the Apache server was updated to Apache HTTP Server 2.4. This section describes the basic configuration of the httpd
service, and covers some advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.
There are important differences between the Apache HTTP Server 2.4 and version 2.2, and if you are upgrading from a release prior to Fedora 19, you will need to update the httpd
service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.
Notable Changes
The Apache HTTP Server version 2.4 has the following changes compared to version 2.2:
- httpd Service Control
-
With the migration away from SysV init scripts, server administrators should switch to using the apachectl and systemctl commands to control the service, in place of the service command. The following examples are specific to the
httpd
service.
The command:
service httpd graceful
is replaced by
apachectl graceful
The systemd
unit file for httpd
has different behavior from the init script as follows:
-
A graceful restart is used by default when the service is reloaded.
-
A graceful stop is used by default when the service is stopped.
The command:
service httpd configtest
is replaced by
apachectl configtest
- Private /tmp
-
To enhance system security, the
systemd
unit file runs thehttpd
daemon using a private/tmp
directory, separate to the system/tmp
directory. - Configuration Layout
-
Configuration files which load modules are now placed in the
/etc/httpd/conf.modules.d
directory. Packages that provide additional loadable modules forhttpd
, such as php, will place a file in this directory. Any configuration files in theconf.modules.d
directory are processed before the main body ofhttpd.conf
. Configuration files in the/etc/httpd/conf.d
directory are now processed after the main body ofhttpd.conf
.
Some additional configuration files are provided by the httpd package itself:
-
/etc/httpd/conf.d/autoindex.conf
— This configures mod_autoindex directory indexing. -
/etc/httpd/conf.d/userdir.conf
— This configures access to user directories, for example,http://example.com/~username/
; such access is disabled by default for security reasons. -
/etc/httpd/conf.d/welcome.conf
— As in previous releases, this configures the welcome page displayed forhttp://localhost/
when no content is present.- Default Configuration
-
A minimal
httpd.conf
file is now provided by default. Many common configuration settings, such asTimeout
orKeepAlive
are no longer explicitly configured in the default configuration; hard-coded settings will be used instead, by default. The hard-coded default settings for all configuration directives are specified in the manual. See Installable Documentation for more information. - Incompatible Syntax Changes
-
If migrating an existing configuration from httpd 2.2 to httpd 2.4, a number of backwards-incompatible changes to the
httpd
configuration syntax were made which will require changes. See the following Apache document for more information on upgrading https://httpd.apache.org/docs/2.4/upgrading.html - Processing Model
-
In previous releases of Fedora, different multi-processing models (MPM) were made available as different
httpd
binaries: the forked model, "prefork", as/usr/sbin/httpd
, and the thread-based model "worker" as/usr/sbin/httpd.worker
.
In 29, only a single httpd
binary is used, and three MPMs are available as loadable modules: worker, prefork (default), and event. Edit the configuration file /etc/httpd/conf.modules.d/00-mpm.conf
as required, by adding and removing the comment character #
so that only one of the three MPM modules is loaded.
- Packaging Changes
-
The LDAP authentication and authorization modules are now provided in a separate sub-package, mod_ldap. The new module mod_session and associated helper modules are provided in a new sub-package, mod_session. The new modules mod_proxy_html and mod_xml2enc are provided in a new sub-package, mod_proxy_html.
- Packaging Filesystem Layout
-
The
/var/cache/mod_proxy/
directory is no longer provided; instead, the/var/cache/httpd/
directory is packaged with aproxy
andssl
subdirectory.
Packaged content provided with httpd
has been moved from /var/www/
to /usr/share/httpd/
:
-
/usr/share/httpd/icons/
— The directory containing a set of icons used with directory indices, previously contained in/var/www/icons/
, has moved to/usr/share/httpd/icons
. Available athttp://localhost/icons/
in the default configuration; the location and the availability of the icons is configurable in the/etc/httpd/conf.d/autoindex.conf
file. -
/usr/share/httpd/manual/
— The/var/www/manual/
has moved to/usr/share/httpd/manual/
. This directory, contained in the httpd-manual package, contains the HTML version of the manual forhttpd
. Available athttp://localhost/manual/
if the package is installed, the location and the availability of the manual is configurable in the/etc/httpd/conf.d/manual.conf
file. -
/usr/share/httpd/error/
— The/var/www/error/
has moved to/usr/share/httpd/error/
. Custom multi-language HTTP error pages. Not configured by default, the example configuration file is provided at/usr/share/doc/httpd-VERSION/httpd-multilang-errordoc.conf
.- Authentication, Authorization and Access Control
-
The configuration directives used to control authentication, authorization and access control have changed significantly. Existing configuration files using the
Order
,Deny
andAllow
directives should be adapted to use the newRequire
syntax. See the following Apache document for more information https://httpd.apache.org/docs/2.4/howto/auth.html - suexec
-
To improve system security, the suexec binary is no longer installed as if by the
root
user; instead, it has file system capability bits set which allow a more restrictive set of permissions. In conjunction with this change, the suexec binary no longer uses the/var/log/httpd/suexec.log
logfile. Instead, log messages are sent to syslog; by default these will appear in the/var/log/secure
log file. - Module Interface
-
Third-party binary modules built against httpd 2.2 are not compatible with httpd 2.4 due to changes to the
httpd
module interface. Such modules will need to be adjusted as necessary for the httpd 2.4 module interface, and then rebuilt. A detailed list of the API changes in version2.4
is available here: https://httpd.apache.org/docs/2.4/developer/new_api_2_4.html.
The apxs binary used to build modules from source has moved from /usr/sbin/apxs
to /usr/bin/apxs
.
- Removed modules
-
List of
httpd
modules removed in 29:- mod_auth_mysql, mod_auth_pgsql
-
httpd 2.4 provides SQL database authentication support internally in the mod_authn_dbd module.
- mod_perl
-
mod_perl is not officially supported with httpd 2.4 by upstream.
- mod_authz_ldap
-
httpd 2.4 provides LDAP support in sub-package mod_ldap using mod_authnz_ldap.
Updating the Configuration
To update the configuration files from the Apache HTTP Server version 2.2, take the following steps:
-
Make sure all module names are correct, since they may have changed. Adjust the
LoadModule
directive for each module that has been renamed. -
Recompile all third party modules before attempting to load them. This typically means authentication and authorization modules.
-
If you use the
mod_userdir
module, make sure theUserDir
directive indicating a directory name (typicallypublic_html
) is provided. -
If you use the Apache HTTP Secure Server, edit the
/etc/httpd/conf.d/ssl.conf
to enable the Secure Sockets Layer (SSL) protocol.
Note that you can check the configuration for possible errors by using the following command:
~]# apachectl configtest Syntax OK
For more information on upgrading the Apache HTTP Server configuration from version 2.2 to 2.4, see https://httpd.apache.org/docs/2.4/upgrading.html.
Running the httpd Service
This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the httpd
service, make sure you have the httpd installed. You can do so by using the following command:
~]# dnf install httpd
For more information on the concept of targets and how to manage system services in Fedora in general, see Services and Daemons.
Starting the Service
To run the httpd
service, type the following at a shell prompt as root
:
~]# systemctl start httpd.service
If you want the service to start automatically at boot time, use the following command:
~]# systemctl enable httpd.service ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Using the secure server
If running the Apache HTTP Server as a secure server, a password may be required after the machine boots if using an encrypted private SSL key. |
Stopping the Service
To stop the running httpd
service, type the following at a shell prompt as root
:
~]# systemctl stop httpd.service
To prevent the service from starting automatically at boot time, type:
~]# systemctl disable httpd.service rm '/etc/systemd/system/multi-user.target.wants/httpd.service'
Restarting the Service
There are three different ways to restart a running httpd
service:
-
To restart the service completely, enter the following command as
root
:
~]# systemctl restart httpd.service
This stops the running httpd
service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.
-
To only reload the configuration, as
root
, type:
~]# systemctl reload httpd.service
This causes the running httpd
service to reload its configuration file. Any requests currently being processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
-
To reload the configuration without affecting active requests, enter the following command as
root
:
~]# apachectl graceful
This causes the running httpd
service to reload its configuration file. Any requests currently being processed will continue to use the old configuration.
Editing the Configuration Files
When the httpd
service is started, by default, it reads the configuration from locations that are listed in The httpd service configuration files.
Path | Description |
---|---|
|
The main configuration file. |
|
An auxiliary directory for configuration files that are included in the main configuration file. |
Although the default configuration should be suitable for most situations, it is a good idea to become at least familiar with some of the more important configuration options. Note that for any changes to take effect, the web server has to be restarted first. See Restarting the Service for more information on how to restart the httpd
service. To check the configuration for possible errors, type the following at a shell prompt:
~]# apachectl configtest Syntax OK
To make the recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.
Common httpd.conf Directives
The following directives are commonly used in the /etc/httpd/conf/httpd.conf
configuration file:
-
<Directory>
-
The
<Directory>
directive allows you to apply certain directives to a particular directory only. It takes the following form:
<Directory directory> directive … </Directory>
The directory can be either a full path to an existing directory in the local file system, or a wildcard expression.
This directive can be used to configure additional cgi-bin
directories for server-side scripts located outside the directory that is specified by ScriptAlias
. In this case, the ExecCGI
and AddHandler
directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755
).
<Directory /var/www/html> Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all </Directory>
-
<IfDefine>
-
The
IfDefine
directive allows you to use certain directives only when a particular parameter is supplied on the command line. It takes the following form:
<IfDefine !parameter> directive … </IfDefine>
The parameter can be supplied at a shell prompt using the -D
parameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !
) is present, the enclosed directives are used only when the parameter is not specified.
<IfDefine EnableHome> UserDir public_html </IfDefine>
-
<IfModule>
-
The
<IfModule>
directive allows you to use certain directive only when a particular module is loaded. It takes the following form:
<IfModule !module> directive … </IfModule>
The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !
) is present, the enclosed directives are used only when the module is not loaded.
<IfModule mod_disk_cache.c> CacheEnable disk / CacheRoot /var/cache/mod_proxy </IfModule>
-
<Location>
-
The
<Location>
directive allows you to apply certain directives to a particular URL only. It takes the following form:
<Location url> directive … </Location>
The url can be either a path relative to the directory specified by the DocumentRoot
directive (for example, /server-info
), or an external URL such as http://example.com/server-info
.
<Location /server-info> SetHandler server-info Order deny,allow Deny from all Allow from .example.com </Location>
-
<Proxy>
-
The
<Proxy>
directive allows you to apply certain directives to the proxy server only. It takes the following form:
<Proxy pattern> directive … </Proxy>
The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*
).
<Proxy *> Order deny,allow Deny from all Allow from .example.com </Proxy>
-
<VirtualHost>
-
The
<VirtualHost>
directive allows you apply certain directives to particular virtual hosts only. It takes the following form:
<VirtualHost address:port…> directive … </VirtualHost>
The address can be an IP address, a fully qualified domain name, or a special form as described in Available <VirtualHost> options.
Option | Description |
---|---|
|
Represents all IP addresses. |
|
Represents unmatched IP addresses. |
<VirtualHost *:80> ServerAdmin webmaster@penguin.example.com DocumentRoot /www/docs/penguin.example.com ServerName penguin.example.com ErrorLog logs/penguin.example.com-error_log CustomLog logs/penguin.example.com-access_log common </VirtualHost>
-
AccessFileName
-
The
AccessFileName
directive allows you to specify the file to be used to customize access control information for each directory. It takes the following form:
AccessFileName filename…
The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess
. For security reasons, the directive is typically followed by the Files
tag to prevent the files beginning with .ht
from being accessed by web clients. This includes the .htaccess
and .htpasswd
files.
AccessFileName .htaccess <Files ~ "^\.ht"> Order allow,deny Deny from all Satisfy All </Files>
-
Action
-
The
Action
directive allows you to specify a CGI script to be executed when a certain media type is requested. It takes the following form:
Action content-type path
The content-type has to be a valid MIME type such as text/html
, image/png
, or application/pdf
. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot
directive (for example, /cgi-bin/process-image.cgi
).
Action image/png /cgi-bin/process-image.cgi
-
AddDescription
-
The
AddDescription
directive allows you to specify a short description to be displayed in server-generated directory listings for a given file. It takes the following form:
AddDescription "description" filename…
The description should be a short text enclosed in double quotes (that is, "
). The filename can be a full file name, a file extension, or a wildcard expression.
AddDescription "GZIP compressed tar archive" .tgz
-
AddEncoding
-
The
AddEncoding
directive allows you to specify an encoding type for a particular file extension. It takes the following form:
AddEncoding encoding extension…
The encoding has to be a valid MIME encoding such as x-compress
, x-gzip
, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .gz
).
This directive is typically used to instruct web browsers to decompress certain file types as they are downloaded.
AddEncoding x-gzip .gz .tgz
-
AddHandler
-
The
AddHandler
directive allows you to map certain file extensions to a selected handler. It takes the following form:
AddHandler handler extension…
The handler has to be a name of previously defined handler. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cgi
).
This directive is typically used to treat files with the .cgi
extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.
AddHandler cgi-script .cgi
-
AddIcon
-
The
AddIcon
directive allows you to specify an icon to be displayed for a particular file in server-generated directory listings. It takes the following form:
AddIcon path pattern…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot
directive (for example, /icons/folder.png
). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:
Option | Description |
---|---|
|
Represents a directory. |
|
Represents a blank line. |
AddIcon /icons/text.png .txt README
-
AddIconByEncoding
-
The
AddIconByEncoding
directive allows you to specify an icon to be displayed for a particular encoding type in server-generated directory listings. It takes the following form:
AddIconByEncoding path encoding…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot
directive (for example, /icons/compressed.png
). The encoding has to be a valid MIME encoding such as x-compress
, x-gzip
, etc.
AddIconByEncoding /icons/compressed.png x-compress x-gzip
-
AddIconByType
-
The
AddIconByType
directive allows you to specify an icon to be displayed for a particular media type in server-generated directory listings. It takes the following form:
AddIconByType path content-type…
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot
directive (for example, /icons/text.png
). The content-type has to be either a valid MIME type (for example, text/html
or image/png
), or a wildcard expression such as text/
, image/
, etc.
AddIconByType /icons/video.png video/*
-
AddLanguage
-
The
AddLanguage
directive allows you to associate a file extension with a specific language. It takes the following form:
AddLanguage language extension…
The language has to be a valid MIME language such as cs
, en
, or fr
. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs
).
This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.
AddLanguage cs .cs .cz
-
AddType
-
The
AddType
directive allows you to define or override the media type for a particular file extension. It takes the following form:
AddType content-type extension…
The content-type has to be a valid MIME type such as text/html
, image/png
, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs
).
AddType application/x-gzip .gz .tgz
-
Alias
-
The
Alias
directive allows you to refer to files and directories outside the default directory specified by theDocumentRoot
directive. It takes the following form:
Alias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot
directive (for example, /images/
). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by the Directory
tag with additional permissions to access the target directory. By default, the /icons/
alias is created so that the icons from /var/www/icons/
are displayed in server-generated directory listings.
Alias /icons/ /var/www/icons/ <Directory "/var/www/icons"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order allow,deny Allow from all <Directory>
-
Allow
-
The
Allow
directive allows you to specify which clients have permission to access a given directory. It takes the following form:
Allow from client…
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all
for all clients.
Allow from 192.168.1.0/255.255.255.0
-
AllowOverride
-
The
AllowOverride
directive allows you to specify which directives in a.htaccess
file can override the default configuration. It takes the following form:
AllowOverride type…
The type has to be one of the available grouping options as described in Available AllowOverride options.
Option | Description |
---|---|
|
All directives in |
|
No directive in |
|
Allows the use of authorization directives such as |
|
Allows the use of file type, metadata, and |
|
Allows the use of directory indexing directives such as |
|
Allows the use of host access directives, that is, |
|
Allows the use of the |
AllowOverride FileInfo AuthConfig Limit
-
BrowserMatch
-
The
BrowserMatch
directive allows you to modify the server behavior based on the client’s web browser type. It takes the following form:
BrowserMatch pattern variable…
The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.
By default, this directive is used to deny connections to specific browsers with known issues, and to disable keepalives and HTTP header flushes for browsers that are known to have problems with these actions.
BrowserMatch "Mozilla/2" nokeepalive
-
CacheDefaultExpire
-
The
CacheDefaultExpire
option allows you to set how long to cache a document that does not have any expiration date or the date of its last modification specified. It takes the following form:
CacheDefaultExpire time
The time is specified in seconds. The default option is 3600
(that is, one hour).
CacheDefaultExpire 3600
-
CacheDisable
-
The
CacheDisable
directive allows you to disable caching of certain URLs. It takes the following form:
CacheDisable path
The path must be relative to the directory specified by the DocumentRoot
directive (for example, /files/
).
CacheDisable /temporary
-
CacheEnable
-
The
CacheEnable
directive allows you to specify a cache type to be used for certain URLs. It takes the following form:
CacheEnable type url
The type has to be a valid cache type as described in Available cache types. The url can be a path relative to the directory specified by the DocumentRoot
directive (for example, /images/
), a protocol (for example, ftp://
), or an external URL such as http://example.com/
.
Type | Description |
---|---|
|
The memory-based storage manager. |
|
The disk-based storage manager. |
|
The file descriptor cache. |
CacheEnable disk /
-
CacheLastModifiedFactor
-
The
CacheLastModifiedFactor
directive allows you to customize how long to cache a document that does not have any expiration date specified, but that provides information about the date of its last modification. It takes the following form:
CacheLastModifiedFactor number
The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1
(that is, one tenth).
CacheLastModifiedFactor 0.1
-
CacheMaxExpire
-
The
CacheMaxExpire
directive allows you to specify the maximum amount of time to cache a document. It takes the following form:
CacheMaxExpire time
The time is specified in seconds. The default option is 86400
(that is, one day).
CacheMaxExpire 86400
-
CacheNegotiatedDocs
-
The
CacheNegotiatedDocs
directive allows you to enable caching of the documents that were negotiated on the basis of content. It takes the following form:
CacheNegotiatedDocs option
The option has to be a valid keyword as described in Available CacheNegotiatedDocs options. Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off
.
Option | Description |
---|---|
|
Enables caching the content-negotiated documents. |
|
Disables caching the content-negotiated documents. |
CacheNegotiatedDocs On
-
CacheRoot
-
The
CacheRoot
directive allows you to specify the directory to store cache files in. It takes the following form:
CacheRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/
.
CacheRoot /var/cache/mod_proxy
-
CustomLog
-
The
CustomLog
directive allows you to specify the log file name and the log file format. It takes the following form:
CustomLog path format
The path refers to a log file, and must be relative to the directory that is specified by the ServerRoot
directive (that is, /etc/httpd/
by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat
directive.
CustomLog logs/access_log combined
-
DefaultIcon
-
The
DefaultIcon
directive allows you to specify an icon to be displayed for a file in server-generated directory listings when no other icon is associated with it. It takes the following form:
DefaultIcon path
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot
directive (for example, /icons/unknown.png
).
DefaultIcon /icons/unknown.png
-
DefaultType
-
The
DefaultType
directive allows you to specify a media type to be used in case the proper MIME type cannot be determined by the server. It takes the following form:
DefaultType content-type
The content-type has to be a valid MIME type such as text/html
, image/png
, application/pdf
, etc.
DefaultType text/plain
-
Deny
-
The
Deny
directive allows you to specify which clients are denied access to a given directory. It takes the following form:
Deny from client…
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all
for all clients.
Deny from 192.168.1.1
-
DirectoryIndex
-
The
DirectoryIndex
directive allows you to specify a document to be served to a client when a directory is requested (that is, when the URL ends with the/
character). It takes the following form:
DirectoryIndex filename…
The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html
, and index.html.var
.
DirectoryIndex index.html index.html.var
-
DocumentRoot
-
The
DocumentRoot
directive allows you to specify the main directory from which the content is served. It takes the following form:
DocumentRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/
.
DocumentRoot /var/www/html
-
ErrorDocument
-
The
ErrorDocument
directive allows you to specify a document or a message to be displayed as a response to a particular error. It takes the following form:
ErrorDocument error-code action
The error-code has to be a valid code such as 403
(Forbidden), 404
(Not Found), or 500
(Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, "
).
ErrorDocument 403 "Access Denied" ErrorDocument 404 /404-not_found.html
-
ErrorLog
-
The
ErrorLog
directive allows you to specify a file to which the server errors are logged. It takes the following form:
ErrorLog path
The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot
directive (that is, /etc/httpd/
by default). The default option is logs/error_log
ErrorLog logs/error_log
-
ExtendedStatus
-
The
ExtendedStatus
directive allows you to enable detailed server status information. It takes the following form:
ExtendedStatus option
The option has to be a valid keyword as described in Available ExtendedStatus options. The default option is Off
.
Option | Description |
---|---|
|
Enables generating the detailed server status. |
|
Disables generating the detailed server status. |
ExtendedStatus On
-
Group
-
The
Group
directive allows you to specify the group under which thehttpd
service will run. It takes the following form:
Group group
The group has to be an existing UNIX group. The default option is apache
.
Note that Group
is no longer supported inside <VirtualHost>
, and has been replaced by the SuexecUserGroup
directive.
Group apache
-
HeaderName
-
The
HeaderName
directive allows you to specify a file to be prepended to the beginning of the server-generated directory listing. It takes the following form:
HeaderName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html
.
HeaderName HEADER.html
-
HostnameLookups
-
The
HostnameLookups
directive allows you to enable automatic resolving of IP addresses. It takes the following form:
HostnameLookups option
The option has to be a valid keyword as described in Available HostnameLookups options. To conserve resources on the server, the default option is Off
.
Option | Description |
---|---|
|
Enables resolving the IP address for each connection so that the hostname can be logged. However, this also adds a significant processing overhead. |
|
Enables performing the double-reverse DNS lookup. In comparison to the above option, this adds even more processing overhead. |
|
Disables resolving the IP address for each connection. |
Note that when the presence of hostnames is required in server log files, it is often possible to use one of the many log analyzer tools that perform the DNS lookups more efficiently.
HostnameLookups Off
-
Include
-
The
Include
directive allows you to include other configuration files. It takes the following form:
Include filename
The filename
can be an absolute path, a path relative to the directory specified by the ServerRoot
directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/
directory are loaded by default.
Include conf.d/*.conf
-
IndexIgnore
-
The
IndexIgnore
directive allows you to specify a list of file names to be omitted from the server-generated directory listings. It takes the following form:
IndexIgnore filename…
The filename option can be either a full file name, or a wildcard expression.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
-
IndexOptions
-
The
IndexOptions
directive allows you to customize the behavior of server-generated directory listings. It takes the following form:
IndexOptions option…
The option has to be a valid keyword as described in Available directory listing options. The default options are Charset=UTF-8
, FancyIndexing
, HTMLTable
, NameWidth=*
, and VersionSort
.
Option | Description |
---|---|
|
Specifies the character set of a generated web page. The encoding has to be a valid character set such as |
|
Specifies the media type of a generated web page. The content-type has to be a valid MIME type such as |
|
Specifies the width of the description column. The value can be either a number of characters, or an asterisk (that is, |
|
Enables advanced features such as different icons for certain files or possibility to re-sort a directory listing by clicking on a column header. |
|
Enables listing directories first, always placing them above files. |
|
Enables the use of HTML tables for directory listings. |
|
Enables using the icons as links. |
|
Specifies an icon height. The value is a number of pixels. |
|
Specifies an icon width. The value is a number of pixels. |
|
Enables sorting files and directories in a case-sensitive manner. |
|
Disables accepting query variables from a client. |
|
Specifies the width of the file name column. The value can be either a number of characters, or an asterisk (that is, |
|
Enables parsing the file for a description (that is, the |
|
Enables listing the files with otherwise restricted access. |
|
Disables re-sorting a directory listing by clicking on a column header. |
|
Disables reserving a space for file descriptions. |
|
Disables the use of standard HTML preamble when a file specified by the |
|
Disables the use of icons in directory listings. |
|
Disables displaying the date of the last modification field in directory listings. |
|
Disables the use of horizontal lines in directory listings. |
|
Disables displaying the file size field in directory listings. |
|
Enables returning the |
|
Enables sorting files that contain a version number in the expected manner. |
|
Enables the use of XHTML 1.0 instead of the default HTML 3.2. |
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
-
KeepAlive
-
The
KeepAlive
directive allows you to enable persistent connections. It takes the following form:
KeepAlive option
The option has to be a valid keyword as described in Available KeepAlive options. The default option is Off
.
Option | Description |
---|---|
|
Enables the persistent connections. In this case, the server will accept more than one request per connection. |
|
Disables the keep-alive connections. |
Note that when the persistent connections are enabled, on a busy server, the number of child processes can increase rapidly and eventually reach the maximum limit, slowing down the server significantly. To reduce the risk, it is recommended that you set KeepAliveTimeout
to a low number, and monitor the /var/log/httpd/logs/error_log
log file carefully.
KeepAlive Off
-
KeepAliveTimeout
-
The
KeepAliveTimeout
directive allows you to specify the amount of time to wait for another request before closing the connection. It takes the following form:
KeepAliveTimeout time
The time is specified in seconds. The default option is 15
.
KeepAliveTimeout 15
-
LanguagePriority
-
The
LanguagePriority
directive allows you to customize the precedence of languages. It takes the following form:
LanguagePriority language…
The language has to be a valid MIME language such as cs
, en
, or fr
.
This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.
LanguagePriority sk cs en
-
Listen
-
The Listen directive allows you to specify IP addresses or ports to listen to. It takes the following form:
Listen ip-address:port protocol
The ip-address is optional and unless supplied, the server will accept incoming requests on a given port from all IP addresses. Since the protocol is determined automatically from the port number, it can be usually omitted. The default option is to listen to port 80
.
Note that if the server is configured to listen to a port under 1024, only superuser will be able to start the httpd
service.
Listen 80
-
LoadModule
-
The
LoadModule
directive allows you to load a Dynamic Shared Object (DSO) module. It takes the following form:
LoadModule name path
The name has to be a valid identifier of the required module. The path refers to an existing module file, and must be relative to the directory in which the libraries are placed (that is, /usr/lib/httpd/
on 32-bit and /usr/lib64/httpd/
on 64-bit systems by default).
See Working with Modules for more information on the Apache HTTP Server’s DSO support.
LoadModule php5_module modules/libphp5.so
-
LogFormat
-
The LogFormat directive allows you to specify a log file format. It takes the following form:
LogFormat format name
The format is a string consisting of options as described in Common LogFormat options. The name can be used instead of the format string in the CustomLog
directive.
Option | Description |
---|---|
|
Represents the size of the response in bytes. |
|
Represents the IP address or hostname of a remote client. |
|
Represents the remote log name if supplied. If not, a hyphen (that is, |
|
Represents the first line of the request string as it came from the browser or client. |
|
Represents the status code. |
|
Represents the date and time of the request. |
|
If the authentication is required, it represents the remote user. If not, a hyphen (that is, |
|
Represents the content of the HTTP header field. The common options include |
LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
LogLevel
-
The
LogLevel
directive allows you to customize the verbosity level of the error log. It takes the following form:
LogLevel option
The option has to be a valid keyword as described in Available LogLevel options. The default option is warn
.
Option | Description |
---|---|
|
Only the emergency situations when the server cannot perform its work are logged. |
|
All situations when an immediate action is required are logged. |
|
All critical conditions are logged. |
|
All error messages are logged. |
|
All warning messages are logged. |
|
Even normal, but still significant situations are logged. |
|
Various informational messages are logged. |
|
Various debugging messages are logged. |
LogLevel warn
-
MaxKeepAliveRequests
-
The
MaxKeepAliveRequests
directive allows you to specify the maximum number of requests for a persistent connection. It takes the following form:
MaxKeepAliveRequests number
A high number can improve the performance of the server. Note that using 0
allows unlimited number of requests. The default option is 100
.
MaxKeepAliveRequests 100
-
NameVirtualHost
-
The
NameVirtualHost
directive allows you to specify the IP address and port number for a name-based virtual host. It takes the following form:
NameVirtualHost ip-address:port
The ip-address can be either a full IP address, or an asterisk (that is, *
) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [
and ]
). The port is optional.
Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.
Using secure HTTP connections
Name-based virtual hosts only work with non-secure HTTP connections. If using virtual hosts with a secure server, use IP address-based virtual hosts instead. |
NameVirtualHost *:80
-
Options
-
The
Options
directive allows you to specify which server features are available in a particular directory. It takes the following form:
Options option…
The option has to be a valid keyword as described in Available server features.
Option | Description |
---|---|
|
Enables the execution of CGI scripts. |
|
Enables following symbolic links in the directory. |
|
Enables server-side includes. |
|
Enables server-side includes, but does not allow the execution of commands. |
|
Enables server-generated directory listings. |
|
Enables content-negotiated "MultiViews". |
|
Enables following symbolic links in the directory when both the link and the target file have the same owner. |
|
Enables all of the features above with the exception of |
|
Disables all of the features above. |
Options Indexes FollowSymLinks
-
Order
-
The
Order
directive allows you to specify the order in which theAllow
andDeny
directives are evaluated. It takes the following form:
Order option
The option has to be a valid keyword as described in Available Order options. The default option is allow,deny
.
Option | Description |
---|---|
|
|
|
|
Order allow,deny
-
PidFile
-
The
PidFile
directive allows you to specify a file to which the process ID (PID) of the server is stored. It takes the following form:
PidFile path
The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot
directive (that is, /etc/httpd/
by default). The default option is run/httpd.pid
.
PidFile run/httpd.pid
-
ProxyRequests
-
The
ProxyRequests
directive allows you to enable forward proxy requests. It takes the following form:
ProxyRequests option
The option has to be a valid keyword as described in Available ProxyRequests options. The default option is Off
.
Option | Description |
---|---|
|
Enables forward proxy requests. |
|
Disables forward proxy requests. |
ProxyRequests On
-
ReadmeName
-
The
ReadmeName
directive allows you to specify a file to be appended to the end of the server-generated directory listing. It takes the following form:
ReadmeName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for README.html
.
ReadmeName README.html
-
Redirect
-
The
Redirect
directive allows you to redirect a client to another URL. It takes the following form:
Redirect status path url
The status is optional, and if provided, it has to be a valid keyword as described in Available status options. The path refers to the old location, and must be relative to the directory specified by the DocumentRoot
directive (for example, /docs
). The url refers to the current location of the content (for example, http://docs.example.com
).
Status | Description |
---|---|
|
Indicates that the requested resource has been moved permanently. The |
|
Indicates that the requested resource has been moved only temporarily. The |
|
Indicates that the requested resource has been replaced. The |
|
Indicates that the requested resource has been removed permanently. The |
Note that for more advanced redirection techniques, you can use the mod_rewrite
module that is part of the Apache HTTP Server installation.
Redirect permanent /docs http://docs.example.com
-
ScriptAlias
-
The
ScriptAlias
directive allows you to specify the location of CGI scripts. It takes the following form:
ScriptAlias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot
directive (for example, /cgi-bin/
). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by the Directory
tag with additional permissions to access the target directory. By default, the /cgi-bin/
alias is created so that the scripts located in the /var/www/cgi-bin/
are accessible.
The ScriptAlias
directive is used for security reasons to prevent CGI scripts from being viewed as ordinary text documents.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/ <Directory "/var/www/cgi-bin"> AllowOverride None Options None Order allow,deny Allow from all </Directory>
-
ServerAdmin
-
The
ServerAdmin
directive allows you to specify the email address of the server administrator to be displayed in server-generated web pages. It takes the following form:
ServerAdmin email
The default option is root@localhost
.
This directive is commonly set to webmaster@hostname
, where hostname is the address of the server. Once set, alias webmaster
to the person responsible for the web server in /etc/aliases
, and as superuser, run the newaliases command.
ServerAdmin webmaster@penguin.example.com
-
ServerName
-
The
ServerName
directive allows you to specify the hostname and the port number of a web server. It takes the following form:
ServerName hostname:port
The hostname has to be a fully qualified domain name (FQDN) of the server. The port is optional, but when supplied, it has to match the number specified by the Listen
directive.
When using this directive, make sure that the IP address and server name pair are included in the /etc/hosts
file.
ServerName penguin.example.com:80
-
ServerRoot
-
The
ServerRoot
directive allows you to specify the directory in which the server operates. It takes the following form:
ServerRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /etc/httpd/
.
ServerRoot /etc/httpd
-
ServerSignature
-
The
ServerSignature
directive allows you to enable displaying information about the server on server-generated documents. It takes the following form:
ServerSignature option
The option has to be a valid keyword as described in Available ServerSignature options. The default option is On
.
Option | Description |
---|---|
|
Enables appending the server name and version to server-generated pages. |
|
Disables appending the server name and version to server-generated pages. |
|
Enables appending the server name, version, and the email address of the system administrator as specified by the |
ServerSignature On
-
ServerTokens
-
The
ServerTokens
directive allows you to customize what information are included in the Server response header. It takes the following form:
ServerTokens option
The option has to be a valid keyword as described in Available ServerTokens options. The default option is OS
.
Option | Description |
---|---|
|
Includes the product name only (that is, |
|
Includes the product name and the major version of the server (for example, |
|
Includes the product name and the minor version of the server (for example, |
|
Includes the product name and the minimal version of the server (for example, |
|
Includes the product name, the minimal version of the server, and the type of the operating system it is running on (for example, |
|
Includes all the information above along with the list of loaded modules. |
Note that for security reasons, it is recommended to reveal as little information about the server as possible.
ServerTokens Prod
-
SuexecUserGroup
-
The
SuexecUserGroup
directive allows you to specify the user and group under which the CGI scripts will be run. It takes the following form:
SuexecUserGroup user group
The user has to be an existing user, and the group must be a valid UNIX group.
For security reasons, the CGI scripts should not be run with root
privileges. Note that in <VirtualHost>
, SuexecUserGroup
replaces the User
and Group
directives.
SuexecUserGroup apache apache
-
Timeout
-
The
Timeout
directive allows you to specify the amount of time to wait for an event before closing a connection. It takes the following form:
Timeout time
The time is specified in seconds. The default option is 60
.
Timeout 60
-
TypesConfig
-
The
TypesConfig
allows you to specify the location of the MIME types configuration file. It takes the following form:
TypesConfig path
The path refers to an existing MIME types configuration file, and can be either absolute, or relative to the directory that is specified by the ServerRoot
directive (that is, /etc/httpd/
by default). The default option is /etc/mime.types
.
Note that instead of editing /etc/mime.types
, the recommended way to add MIME type mapping to the Apache HTTP Server is to use the AddType
directive.
TypesConfig /etc/mime.types
-
UseCanonicalName
-
The
UseCanonicalName
allows you to specify the way the server refers to itself. It takes the following form:
UseCanonicalName option
The option has to be a valid keyword as described in Available UseCanonicalName options. The default option is Off
.
Option | Description |
---|---|
|
Enables the use of the name that is specified by the |
|
Disables the use of the name that is specified by the |
|
Disables the use of the name that is specified by the |
UseCanonicalName Off
-
User
-
The
User
directive allows you to specify the user under which thehttpd
service will run. It takes the following form:
User user
The user has to be an existing UNIX user. The default option is apache
.
For security reasons, the httpd
service should not be run with root
privileges. Note that User
is no longer supported inside <VirtualHost>
, and has been replaced by the SuexecUserGroup
directive.
User apache
-
UserDir
-
The
UserDir
directive allows you to enable serving content from users' home directories. It takes the following form:
UserDir option
The option can be either a name of the directory to look for in user’s home directory (typically public_html
), or a valid keyword as described in Available UserDir options. The default option is disabled
.
Option | Description |
---|---|
|
Enables serving content from home directories of given users. |
|
Disables serving content from home directories, either for all users, or, if a space separated list of users is supplied, for given users only. |
Set the correct permissions
In order for the web server to access the content, the permissions on relevant directories and files must be set correctly. Make sure that all users are able to access the home directories, and that they can access and read the content of the directory specified by the ~]# chmod a+x /home/joe/ ~]# chmod a+rx /home/joe/public_html/ All files in this directory must be set accordingly. |
UserDir public_html
Common ssl.conf Directives
The Secure Sockets Layer (SSL) directives allow you to customize the behavior of the Apache HTTP Secure Server, and in most cases, they are configured appropriately during the installation. Be careful when changing these settings, as incorrect configuration can lead to security vulnerabilities. The following directive is commonly used in /etc/httpd/conf.d/ssl.conf
:
-
SetEnvIf
-
The
SetEnvIf
directive allows you to set environment variables based on the headers of incoming connections. It takes the following form:
SetEnvIf option pattern !variable=value…
The option can be either a HTTP header field, a previously defined environment variable name, or a valid keyword as described in Available SetEnvIf options. The pattern is a regular expression. The variable is an environment variable that is set when the option matches the pattern. If the optional exclamation mark (that is, !
) is present, the variable is removed instead of being set.
Option | Description |
---|---|
|
Refers to the client’s hostname. |
|
Refers to the client’s IP address. |
|
Refers to the server’s IP address. |
|
Refers to the request method (for example, |
|
Refers to the protocol name and version (for example, |
|
Refers to the requested resource. |
The SetEnvIf
directive is used to disable HTTP keepalives, and to allow SSL to close the connection without a closing notification from the client browser. This is necessary for certain web browsers that do not reliably shut down the SSL connection.
SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0
Note that for the /etc/httpd/conf.d/ssl.conf
file to be present, the mod_ssl needs to be installed. See Setting Up an SSL Server for more information on how to install and configure an SSL server.
Common Multi-Processing Module Directives
The Multi-Processing Module (MPM) directives allow you to customize the behavior of a particular MPM specific server-pool. Since its characteristics differ depending on which MPM is used, the directives are embedded in IfModule
. By default, the server-pool is defined for both the prefork
and worker
MPMs. The following MPM directives are commonly used in /etc/httpd/conf/httpd.conf
:
-
MaxClients
-
The
MaxClients
directive allows you to specify the maximum number of simultaneously connected clients to process at one time. It takes the following form:
MaxClients number
A high number can improve the performance of the server, although it is not recommended to exceed 256
when using the prefork
MPM.
MaxClients 256
-
MaxRequestsPerChild
-
The
MaxRequestsPerChild
directive allows you to specify the maximum number of request a child process can serve before it dies. It takes the following form:
MaxRequestsPerChild number
Setting the number to 0
allows unlimited number of requests.
The MaxRequestsPerChild
directive is used to prevent long-lived processes from causing memory leaks.
MaxRequestsPerChild 4000
-
MaxSpareServers
-
The
MaxSpareServers
directive allows you to specify the maximum number of spare child processes. It takes the following form:
MaxSpareServers number
This directive is used by the prefork
MPM only.
MaxSpareServers 20
-
MaxSpareThreads
-
The
MaxSpareThreads
directive allows you to specify the maximum number of spare server threads. It takes the following form:
MaxSpareThreads number
The number must be greater than or equal to the sum of MinSpareThreads
and ThreadsPerChild
. This directive is used by the worker
MPM only.
MaxSpareThreads 75
-
MinSpareServers
-
The
MinSpareServers
directive allows you to specify the minimum number of spare child processes. It takes the following form:
MinSpareServers number
Note that a high number can create a heavy processing load on the server. This directive is used by the prefork
MPM only.
MinSpareServers 5
-
MinSpareThreads
-
The
MinSpareThreads
directive allows you to specify the minimum number of spare server threads. It takes the following form:
MinSpareThreads number
This directive is used by the worker
MPM only.
MinSpareThreads 75
-
StartServers
-
The
StartServers
directive allows you to specify the number of child processes to create when the service is started. It takes the following form:
StartServers number
Since the child processes are dynamically created and terminated according to the current traffic load, it is usually not necessary to change this value.
StartServers 8
-
ThreadsPerChild
-
The
ThreadsPerChild
directive allows you to specify the number of threads a child process can create. It takes the following form:
ThreadsPerChild number
This directive is used by the worker
MPM only.
ThreadsPerChild 25
Working with Modules
Being a modular application, the httpd
service is distributed along with a number of Dynamic Shared Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. By default, these modules are located in /usr/lib/httpd/modules/
on 32-bit and in /usr/lib64/httpd/modules/
on 64-bit systems.
Loading a Module
To load a particular DSO module, use the LoadModule
directive as described in Common httpd.conf Directives. Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.d/
directory.
LoadModule ssl_module modules/mod_ssl.so
Once you are finished, restart the web server to reload the configuration. See Restarting the Service for more information on how to restart the httpd
service.
Writing a Module
If you intend to create a new DSO module, make sure you have the httpd-devel package installed. To do so, enter the following command as root
:
~]# dnf install httpd-devel
This package contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.
Once written, you can build the module with the following command:
~]# apxs -i -a -c module_name.c
If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.
Setting Up Virtual Hosts
The Apache HTTP Server’s built in virtual hosting allows the server to provide different information based on which IP address, host name, or port is being requested.
To create a name-based virtual host, copy the example configuration file /usr/share/doc/httpd-VERSION/httpd-vhosts.conf
into the /etc/httpd/conf.d/
directory, and replace the @@Port@@
and @@ServerRoot@@
placeholder values. Customize the options according to your requirements as shown in Example virtual host configuration.
<VirtualHost *:80> ServerAdmin webmaster@penguin.example.com DocumentRoot "/www/docs/penguin.example.com" ServerName penguin.example.com ServerAlias www.penguin.example.com ErrorLog "/var/log/httpd/dummy-host.example.com-error_log" CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common </VirtualHost>
Note that ServerName
must be a valid DNS name assigned to the machine. The <VirtualHost>
container is highly customizable, and accepts most of the directives available within the main server configuration. Directives that are not supported within this container include User
and Group
, which were replaced by SuexecUserGroup
.
Changing the port number
If you configure a virtual host to listen on a non-default port, make sure you update the |
To activate a newly created virtual host, the web server has to be restarted first. See Restarting the Service for more information on how to restart the httpd
service.
Setting Up an SSL Server
Secure Sockets Layer (SSL) is a cryptographic protocol that allows a server and a client to communicate securely. Along with its extended and improved version called Transport Layer Security (TLS), it ensures both privacy and data integrity. The Apache HTTP Server in combination with mod_ssl
, a module that uses the OpenSSL toolkit to provide the SSL/TLS support, is commonly referred to as the SSL server.
Unlike a regular HTTP connection that can be read and possibly modified by anybody who is able to intercept it, the use of mod_ssl
prevents any inspection or modification of the transmitted content. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.
An Overview of Certificates and Security
Secure communication is based on the use of keys. In conventional or symmetric cryptography, both ends of the transaction have the same key they can use to decode each other’s transmissions. On the other hand, in public or asymmetric cryptography, two keys co-exist: a private key that is kept a secret, and a public key that is usually shared with the public. While the data encoded with the public key can only be decoded with the private key, data encoded with the private key can in turn only be decoded with the public key. To provide secure communications using SSL, an SSL server must use a digital certificate signed by a Certificate Authority (CA). The certificate lists various attributes of the server (that is, the server host name, the name of the company, its location, etc.), and the signature produced using the CA’s private key. This signature ensures that a particular certificate authority has signed the certificate, and that the certificate has not been modified in any way.
When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the host name listed in the certificate does not match the host name used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.
By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection, otherwise they will be presented with an error message, and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible. For more information on this, see Information about CA lists used by common web browsers.
Web Browser | Link |
---|---|
Mozilla Firefox |
|
Opera |
|
Internet Explorer |
|
Chromium |
Information on root certificates used by the Chromium project. |
When setting up an SSL server, you need to generate a certificate request and a private key, and then send the certificate request, proof of the company’s identity, and payment to a certificate authority. Once the CA verifies the certificate request and your identity, it will send you a signed certificate you can use with your server. Alternatively, you can create a self-signed certificate that does not contain a CA signature, and thus should be used for testing purposes only.
Enabling the mod_ssl Module
If you intend to set up an SSL server, make sure you have the mod_ssl (the mod_ssl
module) and openssl (the OpenSSL toolkit) packages installed. To do so, enter the following command as root
:
~]# dnf install mod_ssl openssl
This will create the mod_ssl
configuration file at /etc/httpd/conf.d/ssl.conf
, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd
service as described in Restarting the Service.
Due to the SSL3.0 protocol vulnerability CVE-2014-3566, described in SSL 3.0 Protocol Vulnerability and POODLE Attack, it is recommended to disable |
Enabling and Disabling SSL and TLS in mod_ssl
To disable and enable specific versions of the SSL and TLS protocol, either do it globally by adding the SSLProtocol directive in the "#\# SSL Global Context" section of the configuration file and removing it everywhere else, or edit the default entry under "\# SSL Protocol support" in all "VirtualHost" sections. If you do not specify it in the per-domain VirtualHost section then it will inherit the settings from the global section. To make sure that a protocol version is being disabled the administrator should either only specify SSLProtocol in the "SSL Global Context" section, or specify it in all per-domain VirtualHost sections.
To disable SSL version 2 and SSL version 3, which implies enabling everything except SSL version 2 and SSL version 3, in all VirtualHost sections, proceed as follows:
-
As
root
, open the/etc/httpd/conf.d/ssl.conf
file and search for all instances of the SSLProtocol directive. By default, the configuration file contains one section that looks as follows:
~]# vi /etc/httpd/conf.d/ssl.conf # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: SSLProtocol all -SSLv2
This section is within the VirtualHost section.
-
Edit the SSLProtocol line as follows:
# SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: SSLProtocol All -SSLv2 -SSLv3
Repeat this action for all VirtualHost sections.
-
Verify that all occurrences of the SSLProtocol directive have been changed as follows:
~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf SSLProtocol all -SSLv2 -SSLv3
This step is particularly important if you have more than the one default VirtualHost section.
-
Restart the Apache daemon as follows:
~]# service httpd restart
Note that any sessions will be interrupted.
Using an Existing Key and Certificate
If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are only two situations where this is not possible:
-
You are changing the IP address or domain name.
Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.
-
You have a certificate from VeriSign, and you are changing the server software.
VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.
In either of the above cases, you will need to obtain a new certificate. For more information on this topic, see Generating a New Key and Certificate.
If you want to use an existing key and certificate, move the relevant files to the /etc/pki/tls/private/
and /etc/pki/tls/certs/
directories respectively. You can do so by issuing the following commands as root
:
~]# mvkey_file.key
/etc/pki/tls/private/hostname.key
~]# mvcertificate.crt
/etc/pki/tls/certs/hostname.crt
Then add the following lines to the /etc/httpd/conf.d/ssl.conf
configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
To load the updated configuration, restart the httpd
service as described in Restarting the Service.
~]# mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key ~]# mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt
Generating a New Key and Certificate
In order to generate a new key and certificate pair, the crypto-utils package must be installed on the system. To install it, enter the following command as root
:
~]# dnf install crypto-utils
This package provides a set of tools to generate and manage SSL certificates and private keys, and includes genkey, the Red Hat Keypair Generation utility that will guide you through the key generation process.
Replacing an existing certificate
If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers are notified of this change, update to this new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, use the following command instead of genkey: ~]# openssl req -x509 -new -set_serial number -key hostname.key -out hostname.crt |
Remove a previously created key
If there already is a key file for a particular host name in your system, genkey will refuse to start. In this case, remove the existing file using the following command as ~]# rm /etc/pki/tls/private/hostname.key |
To run the utility enter the genkey command as root
, followed by the appropriate host name (for example, penguin.example.com
):
~]# genkey hostname
To complete the key and certificate creation, take the following steps:
-
Review the target locations in which the key and certificate will be stored.
Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
-
Using the up and down arrow keys, select a suitable key size. Note that while a larger key increases the security, it also increases the response time of your server. The NIST recommends using
2048 bits
. See NIST Special Publication 800-131A Revision 1.
Once finished, use the Tab key to select the Next button, and press Enter to initiate the random bits generation process. Depending on the selected key size, this may take some time.
-
Decide whether you want to send a certificate request to a certificate authority.
Use the Tab key to select Yes to compose a certificate request, or No to generate a self-signed certificate. Then press Enter to confirm your choice.
-
Using the Spacebar key, enable (
[*]
) or disable ([ ]
) the encryption of the private key.
Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
-
If you have enabled the private key encryption, enter an adequate passphrase. Note that for security reasons, it is not displayed as you type, and it must be at least five characters long.
Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
Do not forget the passphrase
Entering the correct passphrase is required in order for the server to start. If you lose it, you will need to generate a new key and certificate. |
-
Customize the certificate details.
Use the Tab key to select the Next button, and press Enter to finish the key generation.
-
If you have previously enabled the certificate request generation, you will be prompted to send it to a certificate authority.
Press Enter to return to a shell prompt.
Once generated, add the key and certificate locations to the /etc/httpd/conf.d/ssl.conf
configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
Finally, restart the httpd
service as described in Restarting the Service, so that the updated configuration is loaded.
Additional Resources
To learn more about the Apache HTTP Server, see the following resources.
-
httpd(8)
— The manual page for thehttpd
service containing the complete list of its command-line options. -
genkey(1)
— The manual page for genkey utility, provided by the crypto-utils package. -
apachectl(8)
— The manual page for the Apache HTTP Server Control Interface.
-
http://localhost/manual/ — The official documentation for the Apache HTTP Server with the full description of its directives and available modules. Note that in order to access this documentation, you must have the httpd-manual package installed, and the web server must be running.
Before accessing the documentation, issue the following commands as root
:
~]# dnf install httpd-manual ~]# apachectl graceful
-
https://httpd.apache.org/ — The official website for the Apache HTTP Server with documentation on all the directives and default modules.
-
http://www.modssl.org/ — The official website for the mod_ssl module.
-
https://www.openssl.org/ — The OpenSSL home page containing further documentation, frequently asked questions, links to the mailing lists, and other useful resources.
Want to help? Learn how to contribute to Fedora Docs ›