Apache server configuration on Linux - Prerequisites
This Apache tutorial - perhaps the most important one in our Apache series - aims to teach you how to configure your Apache server. A prerequisite will be, of course, that you installed an Apache server on your Linux operating system. If that's not the case, please refer to our tutorials on how to install an Apache server for Linux. Please also make sure that your Apache server functions correctly prior to tweaking its configuration.
Apache server configuration on Linux - Apache server user account
Before running an Apache server, it is a good idea to give it a dedicated Linux user account rather than using the nobody user that often comes by default. The nobody account is frequently shared with other services, so if your Apache server is hacked, you don't want hackers to get all the privileges that come with the nobody user. To find out which user account Apache currently uses, run the command:
ps -Al
and look for the httpd process. You can then look up the privileges of this "Apache" user in the /etc/passwd file. In my case, the Apache user's (called daemon) home directory was /usr/sbin and its shell was /bin/sh:
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
We will restrict the Apache user's rights by creating a new group Apache and a new user Apache:
groupadd Apache
useradd Apache -g Apache -d /dev/null -s /sbin/nologin
Now you can add the following lines to your httpd.conf (sometimes named differently, for instance apache.conf, depending on your Linux distribution or on the LAMP package you are using):
User Apache
Group Apache
If you now run the ps -Al command again after restarting your Apache server, you will see that "Apache" is the new Apache user. Its privileges are strictly limited.
Note that, even though you created the "Apache" user to run the process, this user should not have write privileges on your Apache folder. Apache must be started by root in order to listen on port 80, so if a hacker could modify the httpd binary, the server would launch with a trojan the next time it is started by root: the root user would believe it is starting a clean httpd but would unknowingly unleash a trojan. Let's make sure that only root has write privileges on your Apache folder (/usr/local/apache here; adjust the path to your installation), and that only root can read or write the configuration files and the logs. Files that are already executable, such as the httpd binary, keep their execute bit:
chown -R root:root /usr/local/apache
find /usr/local/apache -type d -exec chmod 755 {} +
# executables (httpd, apachectl, CGI scripts) stay executable
find /usr/local/apache -type f -perm -u+x -exec chmod 755 {} +
# everything else becomes read-only for group and others
find /usr/local/apache -type f ! -perm -u+x -exec chmod 644 {} +
chmod -R go-r /usr/local/apache/logs
chmod -R go-r /usr/local/apache/conf
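A way to check both steps afterwards, as an added example that is not part of the original tutorial: httpd_users lists the accounts that own httpd processes (expect root for the parent and Apache for the workers), while audit_tree and audit_private list files that break the ownership and permission rules above. The function names and the sample ps lines are constructed for illustration; /usr/local/apache is the tutorial's path.

```sh
#!/bin/sh
# Added example: verify the dedicated-user and root-only-write steps.

# Read "USER COMMAND" lines (as printed by: ps -eo user=,comm=) on stdin
# and print each distinct account that owns an httpd/apache2 process.
httpd_users() {
    awk '$2 == "httpd" || $2 == "apache2" { print $1 }' | sort -u
}

# Print every path under $1 that is not owned by user $2, or that is
# writable by group or others. Symlinks are skipped: their mode bits
# are not used for access checks.
audit_tree() {
    find "$1" ! -type l \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# Print files under $1/conf and $1/logs that group or others can read.
audit_private() {
    for d in "$1/conf" "$1/logs"; do
        [ -d "$d" ] && find "$d" -type f \( -perm -040 -o -perm -004 \) -print
    done
    return 0
}

# Constructed sample of ps output showing the expected input format:
# the root parent, two workers, and an unrelated process.
SAMPLE_PS='root httpd
Apache httpd
Apache httpd
root sshd'

main() {
    root_dir=$1
    echo "Accounts running httpd:"
    ps -eo user=,comm= | httpd_users
    echo "Not owned by root, or writable by group/others:"
    audit_tree "$root_dir" root
    echo "Config or log files readable by group/others:"
    audit_private "$root_dir"
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /usr/local/apache
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Empty output under the last two headings means the tree matches the permissions set above.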
Apache server configuration on Linux - General Apache core module directives
Configuring your Apache server involves editing its httpd.conf file. In this file, you use directives to configure the various modules of Apache: the core module and other optional modules. It is important to keep the Apache configuration file clean in order to avoid configuration errors and Apache security vulnerabilities.
Going through all the directives of the core Apache module shows that there are fewer than 100 core directives, among which roughly 50 core directives are important to configure with particular attention: we'll try to explain the usefulness of these directives below and we will propose for each of them an acceptable configuration setup.
In order to configure your Apache server, you can start with a clean httpd.conf file and follow the instructions below, or you can modify your existing httpd.conf file directly and add or edit directives when necessary.
