63

Apache Web Server

Apache Web Server

Note: Exercises belonging to some themes are shown in a grey area. These exercises are only good for the SuSE Distribution and the Apache that is provided with it.

1. Introduction of http protocol history

- Document server need with basic formatting and links

- First Web Browsers 'Mosaic': Graphic Oriented

- First Web Server programmed by Tim Berners-Lee at CERN

CERN= Centre Europeen de Recherche Nucleaire, Switzerland

2nd Web Server was made in USA by US. Gov. at NCSA

NCSA= Nastioanl Center for Supercomputing Applications

- Apache was built on collection of code and ideas of most

popular HTTP servers ..... A-Patch!

- First Apache 1994-1995

- Runs on: - Linux(process copies, from Version.2.xx will have threads)

• NT (threaded Daemon, not so secure)

• Windows 98(less stable threads, run from command line)

• Mac OS(from version 1.3.6 on)

• Solaris, AIX, OS/2, 680x0, PowerPC-based Mac, BeOS

- Set-up through Configuration file and its directives

- Modules: Core is small but can contain or load modules

- From version 1.3: dynamic loading of modules

Disadvantage is bigger memory need and slower

- 3^rd party modules are available: mod_fastcgi, mod_perl, etc.

- More Memory the better the performance

2. How to install it

- Via YaST

- 'n' series 'Apache' software

- 'modify config file' START_HTTPD=yes

- Via a downloaded file (http://www.apache.org)

- Uncompress

- Compile with needed features

3. First try of Apache

Use one of the Browsers:

Text Browsers: lynx and w3m

Graphic Browsers: Netscape, Mozilla, Opera, Arena, Konkeror

- http://localhost

- Help on this page (Bottom right)

- Edit the page title a bit and reload the page:

- /usr/local/httpd/htdocs/index.html

'Willkommen bei SuSE Linux'

change to 'Willkommen bei 'Mario' Linux'

- Connect to the other participant's modified pages.

4. HTTP Protocol

4.1 - HTTP Format

Method | URI(Uniform Resource Identifier) | version | headers

Note: Headers can modify the behaviour of the request (the 'what to do')

4.2 - Try a HTTP request by hand:

- use ethereal to capture lo device port 80

In xterm: telnet localhost 80

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

GET / HTTP/1.0 <Enter> <Enter>

HTTP/1.1 200 OK

Date: Fri, 02 Jun 2000 15:53:28 GMT

Server: Apache/1.3.12 (Unix) (SuSE/Linux) DAV/0.9.14 mod_perl/1.21 mod_ssl/2.6.2 OpenSSL/0.9.5

Connection: close

Content-Type: text/html <-----IMPORTANT This line describes the MIME type

<HTML>

<HEAD>

<TITLE>Apache HTTP Server - Beispielseite</TITLE>

</HEAD>

<BODY bgcolor=#ffffff>

<H1> Der Apache WWW Server </H1> <BR>

Diese Seite soll nur als Beispiel dienen.

Die <A HREF="./manual/">Dokumentation zum Apache-Server</A> finden Sie hier.

.........

4.3 - Watch a Netscape generated HTTP request

In Netscape http://localhost <enter>

In ethereal:(capture lo device)

- Stop the capture after Netscape showed response

- Click on a captured Packet from http protocol

- in Menu Tools--->Follow TCP Stream

GET / HTTP/1.0

Connection: Keep-Alive

User-Agent: Mozilla/4.72 [en] (X11; I; Linux 2.2.14 i586)

Host: localhost

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Accept-Encoding: gzip

Accept-Language: en, de

Accept-Charset: iso-8859-1,*,utf-8

4.4 - List of http methods: (See also section 14.5 for <Limit method > Directive)

----- HTTP/0.9 -------- (normally never used)

GET Get a header and resource from the server.

POST Send information<data> to the server

(response can contain confirmation)

------ HTTP/1.0 --------

HEAD Get a header only without resource.

------ HTTP/1.1 --------

OPTIONS Return the list of methods allowed by the server.

TRACE Trace a request to see what the server sees.

DELETE Deletes a resource on the server.

(normally not allowed)

PUT Create or change a file on the server.

CONNECT Enables Proxys to switch to a tunnel mode. For SSL

Use the AllowCONNECT directive to enable it.

Extra Apache methods:

PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOC

Exercise: Methods : Try different methods via telnet

telnet localhost 80

........

HEAD / Http/1.1 + 2 times <Enter> key

OPTIONS / Http/1.1 + 2 times <Enter> key

TRACE / Http/1.1

Host: This Host here + 2 times <Enter> key

4.5 - HTTP Clients: (Browsers)

lynx and w3m (ASCII Only)

Netscape , Mozilla, Opera, konqueror, Nautilus (Graphic)

5. What is URL and URI

Uniform Resource Locator

Uniform Resource Identifier

String identifying a resource by name and possibly including location.

example of URL: http:// www.elop.de /bilder/kopf1.jpg

1 2 3

1: Protocol

2: ServerAddress

3: Location and Resource(URI)

6. Where is what ?

6.1 - Server---- /usr/sbin/httpd

- Server loader script:---------- /sbin/init.d/apache

- Manual loading link :---------- /usr/sbin/rcapache

- Run levels links to /sbin/init.d/apache

---- /etc/init.d/rc3.d and rc5.d

- 'rcapache' parameters:

start|stop : Load / Unload httpd Daemon

restart: Does a start then a stop

reload: Keeps httpd running but re-reads httpd.conf

status: Short status eg. (results)

Checking for service httpd: OK

full-status: Long server status

(same info as http://localhost/server-status)

Note: The server-status must be turned on for localhost to get a result.

6.2 - Configuration files and their order of reading:

- SuSE Distribution

- /etc/httpd/httpd.conf

- /etc/httpd/srm.conf

- /etc/httpd/access.conf

6.3 - Apache Modules

- /usr/lib/apache/xxxxxxxx.so

6.4 - Default Log files (settings in httpd.conf)

- /var/log/httpd/access_log

- /var/log/httpd/referer_log

- /var/log/httpd/error_log

- /var/log/httpd/agent_log

6.5 - Landing zone of httpd (web) clients(DocumentRoot)

- /usr/local/httpd/htdocs

6.6 - Documents and Help files:

Apache Help - /usr/share/doc/packages/apache/manual/index.html

PHP3-Test/Settings/Status - /usr/local/httpd/htdocs/test.php3

CGI-Test/mini settings/Status - /usr/local/httpd/cgi-bin/test.pl

6.7 - Apache Process ID:

- Running Process ID /var/run/httpd.pid

- Killing the httpd process kill 'cat /var/run/httpd.pid'

or killall httpd

7- Apache options (on command line) for all versions of Apache(Linux,Win,etc.)

7.1 - General Options (see man httpd)

Syntax: /usr/sbin/httpd -options

Options:

-D name Defines a name for use in <IfDefine name> directives

<IfDefine name> is used to define different server global settings

and chose which one will be read at start-up of Apache.

-d ServerRootDir Specifies an alternate initial ServerRoot directory.

-f ConfigFile Specifies an alternate configuration file.(ServerConfigFile)

-C Directive Processes this directive before reading config files

-c Directive Processes this directive after reading config files

-v Display Apache's version number

-h List valid command line options

-l (small L) List compiled-in modules

-L List core configuration directives

-S Show virtual hosts settings

-t Run syntax test for configuration files only.

7.2 - For Linux Only:

-X Single process foreground debugging mode

-R specify an alternate location for loadable modules

7.3 - For Window95/98 only:

-k restart or shutdown Start and stop the Apache Server program.

7.4 - WindowNT only:

-i register a service

-u deregister a service

-s do not register a service

8 - Apache Server status and information

8.1 - Server-Status:

• Use: Allows to display the server status on remote browsers.

needs the module: mod_status to be loaded and installed.

Important Note: In SuSE 7.1 the Module must be enabled in:

/etc/rc.config.d/apache.rc.config

HTTPD_SEC_ACCESS_SERVERINFO=yes

• Configuration Directives involved:

ExtendedStatus On (SuSE 7.1 Around line 433)

Around line 1249 (SuSE 7.1) in (/etc/httpd/httpd.conf)

The SetHandler triggers the server-status in the module mod_status when the

Location /server-status is requested.

<Location /server-status>

SetHandler server-status

Order deny,allow

Deny from all

Allow from localhost

</Location>

• How to access:

  From allowed host browser as URL:

http://localhost/server-status Full status page

http://localhost/server-status/?notables Full status page without tables for text browsers

http://localhost/server-status/?refresh Send current status every second to browser.

http://localhost/server-status/?refresh=10 Send current status every 10 second to browser

http://localhost/server-status/?auto Gives short general statistics of server's activities.

• Combination of options:

eg1. http://localhost/server-status/?auto&refresh=10 Gives the statistics every 10 sec.

eg2. http://localhost/server-status/?notables&refresh=10 Gives the server status without tables

every 10 sec.

8.2 - Server Info:

• Use: Gives server's internal structure and module list. Needs the mod_info to be loaded.

• Configuration Directives involved:

(SuSE 7.1 Around line 1261)

The SetHandler triggers the server-info in the module mod_info when the

Location /server-info is requested. It should be inserted in a <Location> as follows:

<Location /server-info>

SetHandler server-info

Order deny,allow

Deny from all

Allow from localhost

</Location>

• How to access: From allowed host browser as URL:

http://localhost/server-info Gives a full detailled information page

• Server Information through PHP3 Page:

http://localhost/test.php3 Gives a very good full long formatted server info.

8.3 - Pearl Info:

• Use: Gives perl module environment status. Needs the mod_perl to be installed (series 'n').

Mod_Perl is a full perl interpreter in integrated a module

• Configuration Directives involved:

(SuSE 7.1 Around line 1261)

• The SetHandler triggers the perl-script

• The Apache::Status is the internal perl routine used to deliver the status when the Location /perl-status is requested.

<IfModule mod_perl.c>

<Location /perl-status>

SetHandler perl-script

PerlHandler Apache::Status

order deny,allow

deny from all

allow from localhost

</Location>

</IfModule>

• How to access: From allowed host browser as URL:

http://localhost/perl-status Gives a full detailled information page

9 - Configuration files:

httpd.conf Standard config file

access.conf Name set by AccessConfig Directive in httpd.conf

srm.conf Name set by ResourceConfig Directive in httpd.conf

Include <Configfile>

This directive allows to include extra config files.

Can be repeated at will in httpd.conf

eg. Include conf/virtualhosts_1

Include conf/virtualhosts_2

Include ..........

Advantage is some program can be written to generate

these included files.

9.1 - Conditional configurations:

Usefullness: - Set temporary testing directives

- Turning ON the mod_status debugging tool

- Switching ON the secure server SSL

- See the SuSE's way of using it in /sbin/init.d/apache

Command line conditions:

httpd -D <configname_1> -D <configname_2>

<IfDefine configname_1>

specific configuration directives

..............

</IfDefine>

Module loading condition:

If a module is loaded then do the enclosed directives

<IfModule modulename.c>

directives ......

</IfModule>

If a module is NOT loaded

<IfModule !modulename.c>

directives ......

</IfModule>

9.2 - Configuration files structure:

• If Apache sees an unrecognisable directive, Apache will refuse to start.

• Comments start with #

• Directives and comments can have spaces or tabs before them

• The configurations are separated into 3 sections each one overriding the one above it:

1. Server Level (they MUST be outside any container to apply globally)

• Server only directives

• Global defaults

2. Container level (selective for each controlled item: dir. files. URL's and Methods)

3. Per directory level (.htaccess files)

10 - Containers

10.1 - Definition:

• Containers allow to limit the scope of the directives enclosed within them.

• Containers Guidelines:

  • All paths that are not having the leading / are assumed to be from the ServerRootDir

• Reading order of directive blocks (Containers) is as follows:

  • <Directory>

  • .htaccess

  • <DirectoryMatch>

  • <Files> and <FilesMatch> as per config file order

  • <Location> <LocationMatch> as per config file order

  • <VirtualHost>

10.2 - Access control containers:

<Directory /dir > Directory and its subdirectories access directives container

./dir must be an absolute Path

<DirectoryMatch "regex" >........... Directory and its subdirectories access directives container with

regular expressions. regex must refer to an absolute path

<Files [path]file(s) >...................... File access directives container.

File(s) without leading '/' in path are relative to DocumentRoot

<FilesMatch "regex" >................... File access directives container with regular matching expressions.

<Location URI >........................... URI access directives container.If dir. then it must be absolute path

- Behaves similarly as <Directory> is not limited to the file system.

- It also does not recognize the Options FollowSymLinks.

- The location (URI) given is relative to the DocumentRoot

- The URI always starts with leading / eg. /docs

<LocationMatch "regex" >........... URI access directives container with regular matching expressions.

<Limit METHOD(s) >...................... HTTP Methods Directive container. Normally used inside other

containers to limit the type of access the client has.

Best use is with authentication.

<LimitExcept METHOD(s) >........... HTTP Methods Directive container for undefined Methods

.htaccess file ................................ Per-Directory access directives stored in the directory affected by the

directives it contains.

Set by AccessFileName directive in httpd.conf

10.3 - Nesting Containers

• Containers of the same type cannot be nested.

• <IfModule> and <IfDefine> can be nested anywhere

• <Files> can be alone or nested inside <Directory> only

• <Limit> and <LimitExcept> can be nested in any other type of container.

11 - Directives

11.1 - Definition:

Keywords placed in a configuration file that affect the functionning of different parts of the Server.

11.2 - Guidelines

1. The directives are either core directives or module directives:

   1. Command httpd -L | less displays all inbuilt core directives compiled with Apache.

   2. file:///usr/share/doc/packages/apache/manual/mod/index.html

2. Shows each module and their directives.

3. The last directive read overrides all previously parsed ones in the configuration file.

4. Directives can exist alone in the configuration file or .htaccess or within a container.

5. Location of Directives:

   1. Not in a container Main server and Global Defaults

   2. In a container Overrides Golbal defaults for the container only.

   3. in .htaccess files Per directory directives (see AllowOverrride directive)

11.3 - Basic Server Directives:

ServerName Name of the local server where Apache runs.

This name must be a recognizable FQDN by a DNS.

Port Default port number for the main server.

Timeout Time between the TCP connection buildup and the first HTTP request allowed before the TCP connection is closed.

MaxClients Max number of simulteaneous active servers serving requests.

MaxRequestsPerChild Max number of requests a server will serve before dying.

KeepAlive on/off If on child servers will wait to serve the client for more requests .

StartServers Number of servers to start at startup(before the first request)

MaxSpareServers Maximum spare servers as they are becoming idle.

MinSpareServers Minimum spare servers to start as the load increase.

KeepAliveTimeout Timeout between last sent response and the next request before the TCP connection is closed.

ServerRoot Defines the base (default) location for : logs, Config files etc.

SuSE has redefined these locations so now the ServerRoot has very little meaning. It can be used as a relative path to declare other config files without giving the path.

DocumentRoot Defines the Landing Zone for all main server http requests.

In SuSE DocumentRoot is defined as /usr/local/httpd/htdocs (SuSE 7.1 line 549)

Take a look via MC.

User & Group Sets the user,and group name which identifies the Apache Child servers within the system for ALL http requests.

Run the following command: ps -fC httpd

See single root process and others belonging to wwwrun

DirectoryIndex List of filenames of pages that will be sent to client automatically when a directory is requested.

See around line 660 in /etc/httpd/httpd.conf

Apache Kurs Übungen vorbereitung

1. In /etc/httpd/httpd.conf ganz am Ende die volgende Zeile eintragen:

   Include /etc/httpd/user.conf

2. /etc/httpd/user.conf Datei erzeugen.

   Befehl: touch /etc/httpd/user.conf

3. Via YaST-1 die /etc/hosts Auto-Änderungen ausschalten

   yast ---> Administration des Systems ---> Konfigurationsdatei verändern

   Parameter : CHECK_ETC_HOSTS = no

4. /www Verzeichnis erzeugen.

   Befehl: mkdir /www

5. /mnt/public7 und /mnt/public8 Verzeichnisse erzeugen.
   Befehle: mkdir /mnt/public7
   mkdir /mnt/public8

6. In /etc/fstab Datei die volgende Eintrage schreiben:

   192.168.xx.yy:/public/public7 /mnt/public7 nfs noauto,user 0 0

   192.168.xx.yy:/public/public8 /mnt/public8 nfs noauto,user 0 0

Bemerkung: 192.168.xx.yy ist die Dozent Rechner Addresse.

1. Icons auf dem KDE Desktop für NFS Verbindung zum Dozent Rechner erzeugen:

   Icon Name: Public7

   Geräte: 192.168.xx.yy:/public/public7

   Mountpunkt: /mnt/public7
   Dateisystem: nfs

Icon Name: Public8

Geräte: 192.168.xx.yy:/public/public8

Mountpunkt: /mnt/public8
Dateisystem: nfs

1. Auf beide Icons (Public7 und Public8) klicken und:

   - /mnt/public7/vncviewv Datei kopieren nach /usr/X11R6/bin/ Verzeichnis.

   - Alle verzeichnisse in /mnt/public8/ Verzeichnis nach /www Verzeichnis kopieren.

2. nedit Program von serien xap installieren.

3. /mnt/public7/.nedit Datei kopieren nach /root/ Verzeichnis.

4. Anwendungen Icons auf Desktop erzeugen:

• Title: USER.CONF (Desktop 1)
  Befehl: nedit /etc/httpd/user.conf

• Title: RELOAD (Desktop 1)

  Befehl: xterm -geometry 60x5 -T RELOAD

• Title: NETSCAPE (Desktop 2)
  Befehl: netscape

• Title: Dozent VNC (Desktop 3)

  Befehl: vncviewv 192.168.xx.yy:1

• Title: ERROR_LOG (Desktop 4)

  Befehl:

xterm -geometry 110x20 -fn 9x15 -T "ERROR_LOG" -e tail -n20 -f /var/log/httpd/error_log

11.3 - Alias:

• Sets a correspondence (shortcut) from anywhere in the file system to a directory relative to DocumentRoot

• It enbles to access resources that are not related to the DocumentRoot

• Advantages over symbolic links:

  - Alias are limited to Apache server they are not accessible from other programs within the system.

• Syntax: Alias Fakename RealPathName

  - e.g. /etc/httpd/susehelp.conf has a lot of alias for suse help

Exercise: Set alias to system /www directory

• in user.conf enter:

alias /www /www

• In Browser:

http://localhost/www/ You get an Index of /www

12 - Options:

Note: The use of + or - leading an option simply adds or subtract the option from the already existing ones (e.g. default). Without any sign the options defined are the only ones set.

All (Default) Almost all options enabled except Multiviews. Same as :

Options ExecCGI Includes FollowSymLinks Indexes

None No options are set.

FollowSymLinks Allows to follow symbolic links. Overrides SymLinksIfOwnerMatch

Exercise: FollowSymLinks: Link from System DocumentRoot to /www

• Create a Symlink /usr/local/httpd/htdocs/www2 pointing to /www

ln -s /www /usr/local/httpd/htdocs/www2

• Try http://localhost/www2/..........NOT ALLOWED

• Add the following entries in user.conf
  <Directory /usr/local/httpd/htdocs>

  options +FollowSymlinks

  </Directory>

• Try http://localhost/www2/..........ALLOWED. Index of /www is shown

• Change the System Access rights and disallow /www to wwwrun
  ('other' access rights) chmod 750 /www

• Try http://localhost/www2/..........NOT ALLOWED again

• Allow the system access rights to wwwrun for /www back to normal.
  chmod 755 /www

SymLinksIfOwnerMatch Follows symbolic links only if destination of link is same owner as link.

Includes Allows Server-Side Includes(SSI) in html

IncludesNOEXEC Allows Server-Side Includes(SSI) in html

but not #exec and #include SSI commands.

Indexes Allows indexes generation if no DirectoryIndex file set or existing in directory.

Exercise: Indexes:Enable/Disable display of Indexes of Directories

1 - Disabling Indexes for /www (accessed via SymLink)

• In user.conf enter:

<Directory /www>

Options -Indexes

</Directory>

• Try http://localhost/www2/ Result:Indexes are still shown

• Modify the <Directory /www> to
  <Directory /usr/local/httpd/htdocs/www2>

• Try http://localhost/www2/ Result: NOT ALLOWED

• Put a # in front of Options -Indexes to reenable the indexes

2 - Compare Disabling Indexes for /www/ (accessed via Alias)

• in user.conf enter:

<Directory /www>

Options -Indexes

</Directory>

• In Browser:

http://localhost/www/................Result: NOT ALLOWED

• Put a # in front of Options -Indexes to reenable the indexes

3 - Disabling Indexes for /www/ (accessed via Alias) using <Location>

• in user.conf enter:

<Location /www>

Options -Indexes

</Location>

• In Browser:

http://localhost/www/................Result: NOT ALLOWED

• Put a # in front of Options -Indexes to reenable the indexes

ExecCGI Allows execution of CGI programs. Almost the same as declaring

ScriptAlias but here only the files with a recognized cgi

extention will be run as CGI.

The ScriptAlias and SetHandler cgi-script are treating all files in the defined directory as CGI programs.

eg. AddHandler cgi-script .cgi directives can be used to

define only the type of files that will be treated as CGI Programs.

(See Running CGI section for more details)

Exercise: ExecCGI: Set the /www/cgitest/ Directory to run the test2.mycgi program.

• In Browser: http://localhost/cgitest/test2.mycgi Source code is shown

• In user.conf:

<Location /www/cgitest>

AddHandler cgi-script .mycgi

</Location>

• In Browser: http://localhost/cgitest/test2.mycgi NOW it runs!

• In user.conf:

<Location /www/cgitest>

AddHandler cgi-script .mycgi

Options -ExecCGI

</Location>

• In Browser: http://localhost/cgitest/test2.mycgi NOT Allowed

Multiviews Content-negotiated views allowed. Guessing what the client wants when the requested URL does not exist. This can be based on the Content-Language value (eg.:de)sent in the http header by the browser in the http request for the page.

See AddLanguage, LanguagePriority and DefaultLanguage.

See Page 142 in Professional Apache Book.

eg.

File requested: index.html (does not exist)

Browser Content-Language de

First file searched to send: index.html.de (if not existing then)

Second file searched to send: index.html.en

(as per LanguagePriority directive) Exercise: Multiviews: Get different pages as per Browser language setting

• Check in httpd.conf approx. line 560 the Options of Directory /

and note the presence of +Multiviews. It is therefore enabled! for the whole system.

• in Browser: http://localhost/www/multi/

We see the main Apache page with Dancing Pinguin

• We change the name of index.html to index.html.orig

• in Browser: http://localhost/www/multi/

  We see an english web page (index.html.en)

• Disable the Multiviews from /www/multi directory

  <Directory /www/multi>

  Options -Multiviews

  </Directory>

  We see an index of the /www/multi directory.

• Enable back the Multiviews

  <Directory /www/multi>

  Options +Multiviews

  </Directory>

• Change the language priority in Browser to fr, de, en

• in Browser: http://localhost/www/multi/

  We see the french page

XBitHack Sets the scope HTML files will be parsed for SSI commands.

on All .html or .htm files with execute

permissions on owner is considered a SSI

file and will be parsed for SSI commands.

off (Default) .html and .htm files will NOT be

parsed by server for SSI commands.

full Complicated...but can be used to control

the caching of proxies making the requests

(See page 161 Apache Server Bible)

13 - Directives

Here are a selection of directives related to specific areas of influence in Apache operation

13.1 - Resource access control Directives

for <Directory>, <Files>, <Location> and <Limit>

(See page 252 of Apache Server Bible)

Default is Allow from all. But ATTENTION: since we might set a deny from all on the / directory for basic security precautions then each requested resource must be explicitly allowed one by one (Directories or Locations or files)

Order is only necessary when both Deny from ...and Allow from ...are used.

Order allow,deny deny rule scope(read last) is overriding conflicting allow ones:

Order deny,allow allow rule scope(read last) is overriding conflicting deny ones:

Note: Please no space between the , and the deny and the allow

Setting of scope:

allow from xxxx xxxx and yyyy can be:

deny from yyyy All Apply to everybody (Default for Allow)

None Apply to Nobody (Default for Deny)

Hostname(s) Apply to this host only(need DNS)

IP Addr.(s) Apply to these IP Addresses only

eg. 192.168.12.30 192.168.30.12

partial Nr.(s) eg. 192.168

IP Range eg. 192.168.10.0/255.255.255.0

or 192.168.10.0/24

NetDomaine Apply to whole domain e.g. .michel.home

env=variable Apply if environment variable matches variable

Eg. For controlling access as per browser

(for example for VBScript Code):

see P.109 of Professional Apache

Exercise:Allow/Deny: Show different ways of access control.

1. Try http://localhost/www/........Index Appear

2. Add the following entries in user.conf

   <Location /www>
   order allow,deny
   Allow from all
   Deny from localhost

   </Location>

3. Try from Dozent http://localhost/www and it is NOT ALLOWED

4. Change the Allow to Dozent IP.Addr. and test again. Only dozent can

5. Change the Allow from localhost to 192.168.xx.0/29 (limiting only a part of class)

6. Check with Browser from some participants

7. Demonstrate the Read Sequence of Containers <Directory> and <Location>
   ## This <Directory> is to show that it has no effect since the <Location> overrides it after

   <Directory /www/selfhtml>

   <Files selfhtml.htm>

   order allow,deny

   deny from all

   </Files>

   </Directory>

   <Location /www/selfhtml/selfhtml.htm>

   order deny,allow

   allow from all

   </Location>

8. Example of limiting access to different Browsers:

BrowserMatch Mozilla Netscape_Browser

BrowserMatch MSIE MS_Browser

<Location /www/mozilla-test>

order deny,allow

deny from all

allow from env=Netscape_Browser

</Location>

<Location /www/MSIE-test>

order deny,allow

deny from all

allow from env=MS_Browser

</Location>

13.2 - ErrorDocument Directive:

This directive allows to change the Server Generated Error pages per error type.

Good for Web sites that uses languages other than english.

When using a filename for the document, the path of the file is RELATIVE to the DocumentRoot of the server. It is also true for a VirtualHost.

Syntax: ErrorDocument errorCode Text|document

eg.

ErrorDocument 500 http://foo.example.com/cgi-bin/tester

ErrorDocument 404 /cgi-bin/bad_urls.pl

ErrorDocument 401 /subscription_info.html

ErrorDocument 403 "Sorry can't allow you access today"

Exercise: ErrorDocument : Change the error document for a directory in
/www/selfhtml.

• Create a log direcetory in /www/selfhtml

mkdir /www/selfhtml/log

• Create 2 error documents:

• /www/selfhtml/DocNotFound.html

• /www/selfhtml/DirNotAllowed.html

• In user.conf:

<Location /www/selfhtml>

ErrorDocument 404 /www/selfhtml/DocNotFound.html

</Location>

<Location /www/selfhtml/log>

order allow,deny

deny from all

ErrorDocument 403 /www/selfhtml/DirNotAllowed.html

</Location>

• In Browser:

http://localhost/www/selfhtml/log/ DirNOTAllowed Message

http://localhost/www/selfhtml/xxx.html DocNOTFound Message

14 - Limiting Access to Directories/Files/URIs and Methods

14.1 - Access control Guidelines:

• The file and directories access attributes for all resources usable by Apache must be set to

  Read(r) for others - for files and Read(r) and Search(x) for directories. chmod 755 <file/dir.name>

• As Default, the access to resources(files,directories, programs(CGI) etc.) from the Apache is granted. The limiting is done by adding Containers and directives accordingly.

• When a directory is limited, all sub-directories are also limited the same way. To change this limitation for a child directory, a new container /directive can be given and then it will apply to all subdirectories of this child.

14.2 - Directories:

Syntax: <Directory abs.DirPath > ...... </Directory>

<DirectoryMatch abs.regex > ...... </DirectoryMatch>

• The processing overriding order for <Directory> is as follows:

• Narrower scopes are processed first and override wider scopes(independent of written order):

  • e.g. <Directory /www/mydir> directives overrides the <Directory /www > directives

• In non-regular expression <Directory> <Files>, wildcards like * and ? can be used

  e.g. <Directory /www/mydirs.*> or <Files /html/seite*.html>

• A good practice is to start with most restrictive Global default directives and then selectively override the restrictions one by one later in the configuration file as needed.

e.g. <Directory / > Most restrictive

Options -FollowSymLinks +Indexes

AllowOverride None

order allow,deny

deny from all

</Directory>

<Directory /home > Allowing for all subdirectories in /home

order deny,allow

allow from all

</Directory>

14.3 - Files:

Syntax: <Files [abs.path/]filename>.....</Files>

<FilesMatch regex>.....</FilesMatch>

• Files must be nested within <Directory> only. They cannot be placed alone or inside a <Location>

• They don't recognize the Options Directive

• They can be selected using wildcards e.g.: * and ?

• The <Directory> where it is used should not conflict with a <Location>. <Location> is read last.

• Can be used inside .htaccess

Exercise:<Files> : Limiting access of a single file.

• In Browser : http://localhost/gif Index of pictures appear

• Click on apache_logo.gif in index and iamge should be shown

• In user.conf <Directory /usr/local/httpd/htdocs/gif>

<Files apache_logo.gif>

Order allow,deny

deny from all

</Files>

</Directory>

• Click on apache_logo.gif in index and it should be NOT allowed now

14.4 - Location (URI):

Format: <Location <relative.URI>.....</Location>

<LocationMatch <relative.regex>.....</LocationMatch>

• Function almost the same as <Directory> but have the following differences

• Locations are URL paths from the browser(extra directory added to the main domain name).

• They are relative to the DocumentRoot directory

• The can refer to:

  • an existing directory. Its path is relative to the DocumentRoot

  • a single file. Its path is relative to DocumentRoot

  • an alias directory declared previously through the Alias Directive

    • e.g. Alias /icons/ /usr/local/apache/icons/

      then the browser document URL can be http://<servername>/icons/myicon.gif

      To control this access to this URL the Location would be:

<Location /icons/myicon.gif>

directives......

</Location>

• Behaves similarly as <Directory> but is not limited to the file system.

• <Location> does not recognize the following:

  • Options FollowSymLinks and SymLinksIfOwnerMatch

  • AllowOverride <overrides....>

  • Nested <Files...>

  • ReadmeName, HeaderName, IndexIgnore

• The URI always starts with leading / eg. /docs

• If a Location refers to a dir. or dir.alias, Options [+]indexes need to be set to get an index of the directory, otherwise Apache tells that it is not permitted....which is not true.

• Location is read AFTER Files and therefore overrides it if pointing to the same item.

Exercise :<Location>: Re-enable the acess of a file that was denied through <Directory><Files>

• In Browser : http://localhost/gif Index of pictures appear

• Click on apache_logo.gif in index and it should be NOT allowed because of <Directory>

• In user.conf:

  <Location /gif/apache_logo.gif>

  order deny,allow

  allow from all

  </Location>

• Now apache_logo.gif is again Accessible because the Location was read after Directory.

14.5 - Limit (METHODS):

Format: <Limit METHOD>.........</Limit> and

<LimitExcept METHOD>.........</LimitExcept>

• Can be nested in any other container

• <Limit> detects the client's request METHOD defined here and decide on what to do

• <LimitExcept> detects the METHODs that are NOT the ones defined here and decide on what to do.

Exercise 1:<Limit>:limiting the access through GET method of the apache*.gif files

• In Browser: http://localhost/gif/ we see the index of /gif dir.

• Click on apache_logo.gif the image is shown

• In user.conf:

  <Location /gif/apache*.gif>

  <Limit GET>

  order allow,deny

  deny from all

  </limit>

  </Location>

• In Browser: http://localhost/gif/ we see the index of /gif dir.

• Click on any gif image starting by apache.... the image is not allowed

Exercise 2:<LimitExcept>:Preventing scripts access from being called by POST method

• Try telnet localhost 80

  • GET /www/cgitest/test1.cgi all ok

  • POST /www/cgitest/test1.cgi all ok

• In user.conf:

<Location /www/cgitest/test1.cgi>

<LimitExcept GET>

order allow,deny

deny from all

</Limit>

</Location>

• Try telnet localhost 80

  • GET /www/cgitest/test1.cgi all ok

  • POST /www/cgitest/test1.cgi NOT ALLOWED and garbage!!

15 - Indexes

15.1 Sequence of events when a Directory is requested from a browser:

1- Is there a DirectoryIndex directive declared for this resource?

If yes: Is the file(s) declared in DirectoryIndex present ?

if yes: Send the first file declared in Directory Index found to Browser.

2 - Is the Options MultiViews turned on for this resource ?

if yes: Is the Browser having any preference of language ?

if yes: Is the file(s) declared in DirectoryIndex with the right extention present ?

if yes: Send the first found file (eg. index.html.en)

if no: Go to Question 3

if no: Set the language preference as per LanguagePriority directive setting.

Is the file(s) declared in DirectoryIndex with the right extention present ?

if yes: Send the first found file (eg. index.html.en)

3 - Is the Options Indexes turned on for the requested resource ?

if yes: Is the FancyIndexing turned on for this resource ?

if yes: Send the Index of the resource according to FancyIndexing's options

if no: Send a Plain index of the resource.

if no: Send ERROR page

DirectoryIndex File name of auto-sending file when accessing this dir. (mod_dir.so)

Tip: To force sending an Index of a page use:

DirectoryIndex dummy (make sure dummy is not present)

Syntax:

DirectoryIndex htmlfile1 htmlfile2 ......

eg. DirectoryIndex index.htm index.html index.php index.php3

Exercise: DirectoryIndex: Assign a specific web page to be sent automatically when a Directory is accessed.

• In Browser: http://localhost/www/selfhtml/ The Index is shown

• Add in user.conf:

<Location /www/selfhtml>

DirectoryIndex selfhtml.htm

</Location>

• In Browser: http://localhost/www/selfhtml/ The selfhtml.htm page is shown

AddDescription Adds a description of file(s) or Directory:

Syntax:

AddDescription "Description" Full/partial_file/dir_name

eg. AddDescription "GiF Format Pictures" .gif

Exercise: AddDescription: Add description for directories and certain files

• In user.conf:

AddDescription "<B>Samba Help Directory</B>" samba

AddDescription "<B>Bash Programming/Reference Directory</B>" bashshell

AddDescription "<B>Deutsche Linux Kurs Verzeichnis</B>" linuxkurs

AddDescription "<B>Apache Reference Documents</B>" manual

AddDescription "<B><I>Deutsche HTML Kurs Verzeichnis</I></B>" selfhtml

AddDescription "<B>Images and Icons Documents</B>" gif

• See changes at bottom of /www/selfhtml directory after entering the following lines.

AddDescription "<B>MS-Word Documents</B>" .doc

AddDescription "<B>WAVE Fromat Sound File</B>" .wav

AddDescription "<B>Web Pages</B>" .html .htm shtml .php3 .php

AddDescription "<B>Java Applet File</B>" .class

• Note: Watch out for files having the same name as the directories

• To Change the size of the Description field to unlimited:

IndexOptions DescriptionWidth=*

AddIcon Associate icons to files with specific extention :

Note: The iconURL is the DocumentRoot relative path of icon filename.

Syntax: AddIcon iconURL Full/partialFile/Dirname(s)

eg. AddIcon /icons/file1.gif .txt .text

Exercise: AddIcon: Adding Icons for the /www Directories

1. Install image Manager from series 'kpa'

2. Check the icons generated by Apache as default Icon for Directories.

   as well as the icons in /www/selfhtml

3. See line 997 of httpd.conf

   AddIcon /icons/folder.gif ^^DIRECTORY^^

   AddIcon /icons/blank.gif ^^BLANKICON^^

4. Add some or all of the following AddIcon directives and try the difference

AddIcon /www/gif/icons/hand.right.gif multi

AddIcon /www/gif/icons/binhex.gif mozilla-test

AddIcon /www/gif/icons/binhex.gif msie-test

AddIcon /www/gif/icons/world1.gif samba

AddIcon /www/gif/icons/continued.gif bashshell

AddIcon /www/gif/icons/generic.gif selfhtml

AddIcon /www/gif/icons/box1.gif webalizer

AddIcon /www/gif/icons/burst.gif gif

AddIcon /www/gif/icons/generic.red.gif .html .htm .php .php3 .shtml

5. See that the cgitest directory has retained its server default AddIcon. of unknown.gif

AddIconByEncoding Assign icons as per recognized Encoding MIME type

AddIconByEncoding /icons/zipfile.gif x-gzip

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType Assign icons by MIME-Type:

AddIconByType (HTML, /icons/htmlfile.gif) text/html

Search for mod_autoindex.c in httpd.conf, there are more examples.

The extentions for the files refered as a certain MIME type are declared in the file /etc/httpd/mime.types

DefaultIcon Sets the default icon if file type is not recognized

Syntax: DefaultIcon iconURL

eg. DefaultIcon /www/gif/icons/a.gif

Exercise: DefaultIcon: Change the default Icon for unknown files.

1. Check the default icon in httpd.conf and change it there to

   DefaultIcon /icons/a.gif

2. Check with browser in /www/selfhtml at bottom.

HeaderName Name of file that is displayed as Header in the directory index.

If the file is an .html it will be formatted accordignly

Note: The Header (Index of /....) produced by Apache will be removed by this directive and replaced by the content of the file.

IMPORTANT: Only works in <Directory> or .htaccess but NOT in <Location>

Exercise: HeaderName: Add a header to the Index of /www/selfhtml dir.

• Create a text file called header.html in /www/selfhtml directory.

• Include some HTML formatting commands

• Add the following in <Directory /www/selfhtml>

  HeaderName header.html

• In Browser: http://localhost/www/selfhtml/

ReadmeName Name of file that is displayed as footer in directory index.
If the file is an .html it will be formatted accordignly
The server generated footer will be replaced by this file.

IMPORTANT: Only works in <Directory> or .htaccess but NOT in <Location>

Exercise: ReadmeName : Add a footer to the Index of /www/selfhtml

• Create a text file called footer.html in /www/selfhtml directory.

• Include some HTML formatting commands

• Add the following in <Directory /www/selfhtml>

  ReadmeName footer.html

• In Browser: http://localhost/www/selfhtml/

IndexIgnore file1 file2 ... Hides certain files from the index listing:
Notes: - The subdirectories of this one will enherit from these attributes.
- If it is set for a directory, it cannot be overriden by .htaccess.

If not then it can be written into the .htaccess if Override is activated with AllowOverride Indexes.

IMPORTANT: Only works in <Directory> or .htaccess but NOT in <Location>

Exercise: IndexIgnore : Hide header.html and footer.html in /www/selfhtml

1. In Netscape: http://localhost/www/selfhtml/

   header.html and footer.html files are displayed

2. add the IndexIgnore in Location:

   <Location /www/selfhtml>

   IndexIgnore header.html footer.html

   ......

   </Location>

3. In Netscape: http://localhost/www/selfhtml/ again

   header.html and footer.html files are not visible.

4. To hide the Item Parent Directory, add '..' in the IndexIngnore list

   IndexIgnore header.html footer.html ..

5. In Netscape: http://localhost/www/selfhtml again

   Parent Directory item is gone.

FancyIndexing On/Off No Parameters. Its presence turns it ON.

Allows to display Fancyier indexes instead of old regular ones.

NOTE: Turning this directive ON/OFF has only an effect if the FancyIndexing Option of IndexOptions (below) has been turn off with the IndexOptions -FancyIndexing

FancyIndexing On

Exercise: FancyIndexing : Turning off the fancy Indexing of /www/selfhtml/

1. Disable the FancyIndexing twice in Location:

   <Location /www/selfhtml>

   FancyIndexing off

   IndexOptions -FancyIndexing

   ......

   </Location>

2. Check with Browser : http://localhost/selfhtml/ No FancyIndexing

IndexOptions Options for Indexing.

IMPORTANT: If used, then set above FancyIndexing off,

Instead use the following indexing options:

Any option can be truned on or off by adding a '+' or '-' before the option.

eg. indexOptions +FancyIndexing -FoldersFirst -IconsAreLinks

FancyIndexing Same effect as above( FancyIndexing on)

DescriptionWidth={n | *} Sets the width in characters for the Index description field.

If * is given then the width is as long as the longest description.

IconsAreLinks Make icons also links

IconHeight=pixels Height of icons

IconWidth=pixels Width of icons

FoldersFirst Displays Folders on top of the Index before the files

NameWidth=n Specifies the width of the File/Directory Name.

If n=* then the width is as long as the longest name.

ScanHTMLTitles Scan HTML files for TITLE tags and uses the values as the file description.

Important: For this function to work it is necessary that no description is given for the .html extention via AddDescription directive.

SuppressColumnSorting Disables the generation of sortable listings.

SuppressDescription Supresses the file description column

SuppressHTMLPreamble Apache will use the HTML header of the HeaderName file instead of it's own generated one if:

• HeaderName directive is specified

• The specified file exists

• It has a valid HTML Header

SuppressLastModified Suppress the last-modified date and time column

SuppressSize Suppress the file size column.

(See page 113 in Professional Apache or page 106 in Apache Server Bible)

Exercise : IndexOptions: Modify the behaviour of Fancy indexing

1. In User.conf:

<Location /www/selfhtml>

FancyIndexing off

IndexOptions +FancyIndexing +ScanHTMLTitles +SuppressLastModified

......

</Location>

2. In Browser:

http://localhost/www/selfhtml

16 - AllowOverride and .htaccess (allowed only in <Directory> container)

• Sets the set of directives that can be overridden by a per-directory access control file (.htaccess)

  The file name of this file can be changed Globaly or per Directory with the AccessFileName directive

  • Parameters are:

    • All (Default) Allows all directives to be overridden by .htaccess - Dangerous !!!

• AuthConfig Allows use of authorization directives:

AuthName Label displayed by browser as authorization title

AuthType Type of authorization mechanism. Available: basic

-Needs AuthUserFile and AuthGroupFile to work

Warning:user and passwd are passed as clear text

AuthUserFile Filename of list of allowed users and passwords

AuthGroupFile Filename of list of allowed groups and passwords

AuthDBMUserFile Filename of list of allowed users and passwords

AuthDBMGroupFile Filename of list of allowed groups and passwords

require Selects users/groups that can access the resource

Users and groups are listed in above files (Auth...)

Satisfy Satisfy the allow/deny or user/group or both when

both access control directives apply to a resource.

Values are:

any any one of allow/deny or Auth.

that is right will do to give access

all both allow/deny and Auth.

must be right to give access

• FileInfo Allow to use directives controlling document MIME-types: (page 116 in Apache Server Bible)

AddEncoding Adds type of encoding recognized by its extention

AddLanguage Adds a language recognized by its file extention

AddType Adds a document type recognized by its extention

DefaultType Selects the type of document assumed as default

if the document type recognition failed.

AddHandler Adds a module handler for a file by its extention

SetHandler Sets a module handler for all files in the directory

ForceType Forces a type of file for all files of the directory

ErrorDocument Name of document that will be sent if error occurs

LanguagePriority Sequence of language choice for Multiviews

• Indexes Allow directives controlling the appearance of directory indexes.

AddDescription Adds a description of a type of file. eg.:

AddDescription "Graphics file" *.gif *.jpg *.bmp

AddIcon Assign icons to files with specific extention : eg.

AddIcon /icons/picture.gif *.gif *.jpg *.bmp

AddIconByEncoding Assign icons as per recognized Encoding type

AddIconByType Assign icons

DefaultIcon Sets the default icon if file type not recognized

DirectoryIndex File name of auto-sending when accessing this dir.

FancyIndexing No Parameters. Its presence turns it ON

HeaderName Name of file that is displayed as Header in dir.index.

ReadmeName Name of file that is displayed as footer in dir.index.

IndexIgnore Hides certain files from the index listing

eg.: IndexIngnore .htaccess *.conf

IndexOptions Options for Indexing. If used the do NOT use above

FancyIndexing directive. Instead use the following

indexing options:

- FancyIndexing Same effect as above

- IconsAreLinks Make icons also links

- IconHeight=pixels Height of icons

- IconWidth=pixels Width of icons

- etc. (See page 20 -21for more options)

• Limit Allow use of directive controlling the hosts access:

order deny,allow (or allow,deny)

allow from xxxx

deny from yyyy

• Options Allow use of options directives in .htaccess for controlling indexes features:

All All options included except for MultiViews.
This is the default setting.

ExecCGI Execution of CGI scripts is permitted.

FollowSymLinks The server will follow symbolic links in this directory.
Note: even though the server follows the symlink it does not change the pathname used to match against other <Directory> sections.
Also this option gets ignored if set inside a <Location> section.

Includes Server Side Includes(SSI) commands are permitted in HTML files.

IncludesNOEXEC Server Side Includes(SSI) are permitted, but the #exec and #include commands are disabled.

Indexes If a URL which maps to a directory is requested, and the there is no DirectoryIndex (e.g., index.html) in that directory, then the server will return a formatted listing(index) of the directory.

MultiViews Content negotiated MultiViews are allowed.
This feature is a mechanism for guessing what the client wants when the URL requested doesn't exist.

SymLinksIfOwnerMatch The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

Note: this option gets ignored if set inside a <Location> section.

(see Section 17 - Options below and p.101 Prof. Apache )

Exercise: AllowOverride and .htaccess: Allow controlling of /www/multi/ from .htaccess file.

• Using the Previous Multiviews exercise in the user.conf :

<Directory /www/multi>

Options +Multiviews

AllowOverride Options Indexes

</Directory>

• In Browser: http://localhostwww/multi we get the index.html.xx

• In /www/multi/.htaccess :

Options -Multiviews

AddDescription "Multiviews Document" *.html.*

AddDescription "Powered by Apache Image" apache_pb.gif

IndexIgnore test.php3 robots.txt date.php3

• In Browser: http://localhost/www/multi we get the Index with descriptions

• Click on /gif directory and see that the apache_pb.gif image has the same description as above directory.

17 - Virtual Hosts (IP Based and Name Based)

The next example supports 2 IP addresses(IP Based) for the same ethernet card

and 2 Virtual Hosts per Address(name based). The number of Virtual Hosts per IP address is unlimited....well almost.

The default virtual host for each served IP addr. is taken from the first one read in the Virtual Hosts configurations for this IP Address.

17.1 - Set the Virtual hosts Names in /etc/hosts or in DNS(/var/named/xxx.zone):

e.g. for name based Virtual Host we would enter the following entry in DNS Table.

manual IN A 192.168.10.60

or in /etc/hosts:

192.168.10.60 www.manual.de

Note: If the browser is connecting to the Apache via a Proxy server then the Proxy server will take care of the name resolution(local 'hosts' file or DNS), otherwise the computer where the browser is should resolve the name via local 'hosts' file or via DNS.

17.2 - Viewing the Virtual Host configuration for the server:

/usr/sbin/httpd -S

17.3 - The Listen Directive

The listen directive is used to tell the server to listen to more than one Interface and port.

It is not needed if we are using only the main Host address and port 80. But is is needed for each IPAddr:port combination to be listened to if more than one IP Number or Port are present and NOT all the interfaces in the host are listened to. The recommended syntax is:

Listen IPAddress:Port

eg.

Listen 192.168.10.50:80

So the one of the main rules for listen is:

- If we use only the main address and default port of the server then NO Listen.

- If we are using more than one IP address and want all the network cards to be supported then also NO Listen. The server should listen to all cards (physical or virtual) present in the host.

- If we want the server to listen to all the cards in the host but with other ports number than the standard 80 then we need to use the listen with each port number we want to support, including the standard port 80.

- If we want the server to support only certain network cards and not others then Listen directive is needed to specify which card and which port is listened to.

eg. - Server Listens to all cards in system. NO Listen

- Server Listens to all cards in system. Listen 80

and to port 8000 Listen 8000

- Server Listens to only 2 cards in a 4 card system Listen card1IPAddr:80

Listen card2IPAddr:80

- Server Listens to only 2 cards in a 4 card system Listen card1IPAddr:80

but on the second card at port 8000 Listen card2IPAddr:8000

17.4 - Setting up our first Virtual Host.

Exercise: VirtualHost: Setting-up the Apache Manual as VirtualHost.

• Add the following IP Numbers to /etc/hosts :

192.168.xx.yy manual.linux.local manual apache.linux.local

Note: The 192.168.xx.yy is your own host address.

• Enter the following VirtualHost settings in user.conf

NameVirtualHost 192.168.xx.yy

<VirtualHost 192.168.xx.yy>

ServerName manual.linux.local

ServerAlias manual apache.linux.local

DocumentRoot /www/manual

<Location />

order deny,allow

DirectoryIndex invoking.html

</Location>

TransferLog /www/manual/log/access_log

ErrorLog /www/manual/log/error_log

</VirtualHost>

• Create a /www/manual/log directory:

  mkdir /www/manual/log

• If a proxy is used to to to Internet then make sure in Browser Preferences:

  NoProxy for manual.linux.local

2) Exercise 2 for the students to do alone:

Virtual Host for www.bash.de same IP Address

Web Page Location /www/bashshell/

First Page sent to Browser /www/bashshell/bashref.html

17.5 - Set-up of Virtual interfaces for IP Based Virtual Hosts:

• To support IP Based Virtual Hosts we need to set-up extra either physical or virtual network interfaces.

• For each extra virtual Interface the manual command (which can and should be inserted in a script) looks like this:
  eg. For the extra address 192.168.20.166
  in terminal: ifconfig eth0:1 192.168.20.166

  or in yast Network Configuration ---> other Device: eth0:1
  and IP Number

  (not to forget the rcnetwork restart if yast used)

• then in configuration file NameVirtualHost 192.168.20.166

17.6 - Examples of Virtual Hosts based on a different IP Address and Port:

IMPORTANT NOTE: Always use IP addresses for NameVirtualHost and VirtualHost.

• Exercise-1: VirtualHost : Setting-up virtual Host with extra IP Number.

• in terminal ifconfig eth0:1 192.168.20.166

• in /etc/hosts 192.168.20.166 www.bash.com

• NameVirtualHost 192.168.20.166
  <VirtualHost 192.168.20.166>
  ServerName www.bash.com
  DocumentRoot /www/bashshell/bourne_shell
  </VirtualHost>

• in Browser: http://www.bash.com

• Exercise-2: VirtualHost : Setting-up virtual Host with non- standard port number

• in /etc/hosts 192.168.20.166 www.shell.de

• in config file Listen 80
  Listen 8000
  NameVirtualHost 192.168.20.166:8000
  <VirtualHost 192.168.20.166:8000>
  ServerName www.shell.de
  DocumentRoot /www/bashshell/shell_programming
  </VirtualHost>

• in Browser: http://www.shell.de:8000

17.7 - Automatizing Virtual Hosts settings:

Here is a primitive example of a scrip automatizing the setting-up of one virtual host with one command.

#! /bin/sh

# Script for creation of www clients in /www directory

# Syntax: wwwclient clientname servername localIP

# $0 $1 $2 $3

#

# ----- To do only once by administrator -------------------

# mkdir /www

# chmod 755 /www

# mkdir /etc/dummy

# cp /etc/httpd/httpd.conf /etc/httpd/httpd.conf.orig

#

#----------- Creation of client work space ----------------------

groupadd $1

useradd -mk /etc/dummy -d /www/$1 -g $1 $1

chmod 755 /www/$1

#---- Create a log files directory -only readable from owner -----

mkdir /www/$1/log

chmod 700 /www/$1/log

chown $1.wwwgr /www/$1/log

#----------- Creation of client virtual host ----------------------

echo "#--------- $1 Virtual Host ----------" > /etc/httpd/$1.conf

echo "<VirtualHost $3>" >> /etc/httpd/$1.conf

echo " ServerName $2" >> /etc/httpd/$1.conf

echo " DocumentRoot /www/$1" >> /etc/httpd/$1.conf

echo " ErrorLog /www/$1/log/fehler.log" >> /etc/httpd/$1.conf

echo " TransferLog /www/$1/log/verbindung.log" >> /etc/httpd/$1.conf

echo "</VirtualHost>" >> /etc/httpd/$1.conf

# --------- Write the Include at the end of httpd.conf file ------

echo "Include /etc/httpd/$1.conf" >> /etc/httpd/httpd.conf

#---------- Write the new address and name into /etc/hosts ------

echo "$3 $2" >> /etc/hosts

#-------------- Asking for the password for the www client--------

passwd $1

#-------- Feedback of what we have created in client config file------

echo --------------Virtual Host Configured---------------------------

cat /etc/httpd/$1.conf

echo --------------End of httpd.conf---------------------------

tail -n2 /etc/httpd/httpd.conf

echo ---------------------------------------------------

Exercise-2: VirtualHost : Setting-up multiple virtual Hosts.

• Definition of exercise:

• Transfer and Error logs for every Virtual Hosts in /log directories

• Alias of /apachehelp/ pointing to /www/manual/ who works for all

• Bashshell: Needs - DirectoryIndex (basheref.html)

- Other Names for server : bash

• Linuxkurs: Needs: - Other names (alias) for server.
  linuxkurs and linuxhelp.linux.local

- Force showing an Index.

- Auto Descriptions based on HTML Titles

- block access to /log Directory for all except local Host (192.168.10.60).

• Manual: - Multiple names:

manual apache.linux.local

- Descriptive Index for /images directory.

- Header and footer for the /images index.

Attention: use <Directory /www/manual/images> for

HeaderName, ReadmeName, and IndexIgnore

- Hide the Header and Footer files from Index

- Do not allow windows.html in / to be seen by dozent

• Selfhtml: Needs settings via .htaccess file of:

- DirectoryIndex of selfhtml.htm

- Deny access to xweb.gif (no web image at start page)

• samba: Needs - Another IP Nr.

- port 8000

- deny access to inx.html (index of samba book)

- ErrorDocument for not allowed documents
(error 403) Use the one from selfhtml exercise.

• Solutions of exercise 3:

NameVirtualHost 192.168.10.60

alias /manual/ /www/manual/

<VirtualHost 192.168.10.60>

ServerName bashshell.linux.local

ServerAlias bashshell

DocumentRoot /www/bashshell

<Location />

order deny,allow

allow from all

DirectoryIndex bashref.html

</Location>

TransferLog /www/bashshell/log/access_log

ErrorLog /www/bashshell/log/error_log

</VirtualHost>

<VirtualHost 192.168.10.60>

ServerName linuxkurs.linux.local

ServerAlias linuxkurs linuxhelp.linux.local

DocumentRoot /www/linuxkurs

<Location />

order deny,allow

DirectoryIndex dummy

FancyIndexing off IndexOptions DescriptionWidth=*

IndexOptions +FancyIndexing +ScanHTMLTitles

</Location>

<Location /log>

order deny,allow

deny from all

allow from 192.168.10.60

</Location>

TransferLog /www/linuxkurs/log/access_log

ErrorLog /www/linuxkurs/log/error_log

</VirtualHost>

<VirtualHost 192.168.10.60>

ServerName manual.linux.local

ServerAlias manual apache.linux.local

DocumentRoot /www/manual

<Location />

order deny,allow

DirectoryIndex invoking.html

</Location>

<Directory /www/manual/images>

AddDescription "JPEG Format Image" .jpg
AddDescription "GIF Format Image" .gif
AddDescription "Unknown Text File" .fig
HeaderName header.html

ReadmeName footer.html
IndexIgnore header.html footer.html

</Directory>

<Location /windows.html>
order allow,deny
deny from localhost
</Location>

TransferLog /www/manual/log/access_log

ErrorLog /www/manual/log/error_log

</VirtualHost>

<VirtualHost 192.168.10.60>

ServerName selfhtml.linux.local

ServerAlias selfhtml

DocumentRoot /www/selfhtml

<Directory /www/selfhtml>

order deny,allow

AllowOverride Indexes Limit

</Directory>

TransferLog /www/selfhtml/log/access_log

ErrorLog /www/selfhtml/log/error_log

</VirtualHost>

----------------------------------------------

( The content of /www/selfhtml/.htaccess is)

DirectoryIndex selfhtml.htm

<Files xweb.gif>

order allow,deny

deny from all

</Files>

----- IP: 192.168.10.80 -- Port 8000 -----------------

Listen 80

listen 8000

NameVirtualHost 192.168.10.80:8000

<VirtualHost 192.168.10.80:8000>

ServerName samba.linux.local

ServerAlias samba

DocumentRoot /www/samba

ErrorDocument 403 /DocNotAllowed.html

<Location /inx.html>

order allow,deny

deny from all

</Location>

TransferLog /www/samba/log/access_log

ErrorLog /www/samba/log/error_log

</VirtualHost>

17.8 - Redirection of Virtual Hosts

There is quite a number of different ways a URL can be redirected. It all depends on a few factors like where is the destination URL relative to the given URL. Here are some of the redirecting types:

Definitions: Given_URL: URL given by client Browser

Redir_URL: URL where the given URL should be redirected to.

17.8.1 - Same Server , Same IP for Given_URL and Redir_URL

Redirection Method:

ServerAlias Directive: VirtualHost has 2 names or more.

Syntax:

ServerName Redir_URL

ServerAlias Given_URL

Exercise1: Redirection: www.samba.de has alias as www.linuxkurs.de

• in /etc/hosts
  192.168.xx.yy www.samba.de www.linuxkurs.de

• in user.conf

<VirtualHost 192.168.xx.yy>

Servername www.samba.de

Serveralias www.linuxkurs.de

DocumentRoot /www/samba

</VirtualHost>

• in Browser

  http://www.samba.de

  http://www.linuxkurs.de

17.8.2 - Same Server , different IPs for Given_URL and Redir_URL

Redirection Method:

Same DocumentRoot for both www.linuxkurs.de and www.samba.de

Syntax:

<VirtualHost ....>

ServerName Destination_URL

DocumentRoot Given_URL_DocumentRoot

</VirtualHost>

<VirtualHost ....>

ServerName Given_URL

DocumentRoot Given_URL_DocumentRoot

</VirtualHost>

Exercise2: Redirection:www.linuxkurs.de gets the same resources as www.samba.de

• in /etc/hosts
  192.168.xx.yy www.samba.de

  192.168.xx.zz www.linuxkurs.de

• in user.conf

  <VirtualHost 192.168.222.71>

Servername www.samba.de

DocumentRoot /www/samba <----same DocumentRoot

</VirtualHost>

<VirtualHost 192.168.222.171>

Servername www.linuxkurs.de

DocumentRoot /www/samba <----same DocumentRoot

</VirtualHost>

17.8.3 - Different Server, different IP for Given_URL and Redir_URL

Redirection Method:

Redirect directive. www.linuxkurs.de redirects to www.samba.de

Syntax: Redirect DocumentDir RedirURL

eg. Redirect / http://www.mydocs.com

Details:

In one server:

<VirtualHost ....>

ServerName Destination_URL

DocumentRoot Given_URL_DocumentRoot

</VirtualHost>

In the other server:

<VirtualHost ....>

ServerName Given_URL

DocumentRoot /empty_directory

Redirect / Destination_URL

</VirtualHost>

Note: To achieve a proper redirection from a VirtualHost, make sure that there are no containers inside the Given_URL's VirtualHost refering to the same Directory, neither via <Directory> nor <Location>.

Exercise3: Redirection:www.linuxkurs.de gets the same resources as www.samba.de

• Create an empty directory: /www/umleitung

• In /etc/hosts
  192.168.xx.yy www.samba.de

  192.168.xx.zz www.linuxkurs.de

• In users.conf

<VirtualHost 192.168.222.71>

Servername www.samba.de

DocumentRoot /www/samba

</VirtualHost>

<VirtualHost 192.168.222.171>

Servername www.linuxkurs.de

DocumentRoot /www/umleitung

Redirect / http://www.samba.de

</VirtualHost>

• in Browser

  http://www.samba.de

  http://www.linuxkurs.de

• Redirect Directive effect/functionning:

18 - Running CGI Programs (Common Gateway Interface)

18.1 - Principle:

• CGIs can be of different languages as long as they observe the behavior of standard CGI definitions. The CGI can be compiled programs or interpreted scripts

• The first line of a CGI script must have the path and name of the script interpreter in the following format:

  #!/path/and/filename/of/interpreter parameters

  • e.g.1. #!/bin/sh Shell interpreter

• e.g.2. #!/usr/bin/pearl -w Pearl Interpreter

18.2 - Process of running CGI (GET Method) - typical example of keyword search

• The Browser receives a form with fields to fill in.

• The Client fills in the fields presses on the Search button

• The browser sends the request to run a cgi program with the entered fields values

  e.g. GET http://www.bestsearch.com/cgi-bin/search.cgi?books=law&author=murphy

• The Apache sets the environment variables:

  REQUEST_METHOD = GET

  QUERY_STRING=books=law&author=murphy

• Apache runs the requested CGI program ( /cgi-bin/search.cgi)

• The search.cgi program runs by:

  • Reading the REQUEST_METHOD and see if it is a GET method.

  • If yes then it processes the content of QUERY_STRING

  • When finished it writes the Content-Type (MIME Type) or result to STDOUT

  • Then writes the found result to STDOUT

  • The program search.cgi end its operation...dies!!

• Apache detects the exit of the cgi program

• Apache search the STDOUT to find the Content-Type and produces a HTML Header with the

Content-Type

• Apache reads the STDOUT (rest of cgi result) and send it to the browser

18.3 - Process of running CGI (POST Method) - typical example is keyword search

• The Browser receives a form with fields to fill in.

• The Client fills in the fields presses on the Search button

• The browser sends the request to run a cgi program with the entered fields values

  e.g. POST http://www.bestsearch.com/cgi-bin/search.cgi

  books=law&author=murphy are encoded and sent with the request

• Apache sets the environment variables:

  REQUEST_METHOD = POST

  CONTENT_LENGTH = Data_Length_of_Received_Fields

• Apache decodes the encoded data and send it to the STDIN of the search.cgi program

• Apache runs the requested CGI program ( /cgi-bin/search.cgi)

• The search.cgi program runs by:

  • Reading the REQUEST_METHOD and see if it is a POST method.

  • If yes then it reads the content of STDIN and processes it

  • When finished it writes the Content-Type or result to STDOUT

  • Then writes the found result to STDOUT

  • The program search.cgi end its operation...dies!!

• Apache detects the exit of the cgi program

• Apache search the STDOUT to find the Content-Type and produces a HTML Header with the

  Content-Type

• Apache reads the STDOUT (rest of cgi result) and send it to the browser

18.4 - Apache environment variables passed to CGI programs:

• Valuable info of the Apache environment and settings can be used by any CGI program.

• This information is passed to the CGI programs by setting environment variables for each CGI program before it runs it.

• These environment variables are:(see p.185-191 Apache Server Bible)

  Server Variables

  SERVER_SOFTWARE

  SERVER_ADMIN

  DOCUMENT_ROOT

  Client request information variables

  SERVER_NAME HTTP_HOST HTTP_ACCEPT

  HTTP_ACCEPT_CHARSET HTTP_ACCEPT_LANGUAGE HTTP_USER_AGENT

  HTTP_REFERER HTTP_CONNECTION SERVER_PORT

  REMOTE_HOST REMOTE_PORT REMOTE_ADDR

  REMOTE_USER SERVER_PROTOCOL REQUEST_METHOD

  REQUEST_URI REMOTE_IDENT AUTH_TYPE

  CONTENT_TYPE CONTENT_LENGTH SCRIPT_NAME

  SCRIPT_FILENAME QUERY_STRING PATH_INFO

  PATH_TRANSLATED

18.5 - Running -cgi- Scripts in Virtual hosts

18.5.1 - HTML Forms format for sending data to a CGI

HTML Forms can be run using the HTTP Methods: GET or POST to pass on Data to the CGIs. Appendix -M shows an example of a Form that will send its data via the GET method.

• 18.5.2 - AddHandler and SetHandler Directives

• The AddHandler is used to associate files with specific extentions to certain handlers.

• The SetHandler is used to associate the current scope (Directory or Location) with a specific Server Handler regardless of the files extentions.

• Handlers:

  Here is a list of core handlers already accessible by Default:

  • cgi-script Conternt (HTML Page) generated by a CGI script.

  • default-handler Static web pages generation

  • imap-file ImageMap Rule File

  • perl-script Content generated by a mod_perl script.

  • send-as-is File already includes HTTP Headers and is sent as is

  • server-info Apache generated server information HTML page

  • server-status Apache generated server status HTML page

  • server-parsed Server-Side-Include file

  • type-map Content selection type map.

• 18.5.3 - Mixed CGI-Scripts and HTML files in the same directory

eg. <VirtualHost 192.168.10.166>

DocumentRoot /www/vhost1

ServerName vhost1.michel.home

<Location />

AddHandler cgi-script .cgi

(all .cgi files in this virtual Host will be run as scripts)

</Location>

</VirtualHost>

• 18.5.4 - Exclusive Scripts Directories

Syntax: ScriptAlias <False_Name> <Real_System_Dir_Path>

e.g. <VirtualHost 192.168.10.166>

DocumentRoot /www/vhost1.michel.home

ServerName vhost1.michel.home

ScriptAlias /allcgi/ /www/vhost1.michel.home/cgi-bin/

</VirtualHost>

Note: the ScriptAlias is sufficient to enable the cgi execution of the whole defined resource(directory or file(s)) without the need to add the options ExecCGI and SetHandler cgi-script. These last 2 directives are almost always together.

18.5.4 - Examples of Handlers settings:

--------- ScriptAlias, options ExecCGI, SetHandler --------

The Directive:

ScriptAlias /cgi-bin/ /www/vhost1/cgi-bin/

Is equivalent to:

<Directory /www/vhost1/cgi-bin>

AllowOverride None

options ExecCGI

SetHandler cgi-script

</Directory>

besides being equivalent it adds an alias to the main server

(Default for all VirtualHosts)

------------- options ExecCGI, AddHandler ---------

To declare specific files types as CGI-Script::