In this article we are going to look at configuring the Apache web server for name based virtual hosting, IP (Internet Protocol) based virtual hosting and access control lists. The Apache web server is the most popular web server on the Internet today, with a “50.42% market share for top servers across all domains August 1995 – April 2008” (Netcraft, 2008).
Name Based Virtual Host
In this section of the article we will look at setting up a name based virtual host. Name based virtual hosting lets a server with one designated IP address serve multiple sites from that single IP address. For example, you can host two different domains (www.novell.com and www.example.com), and both can resolve to the single IP address 188.8.131.52. I will assume that you have already installed the Apache web server onto your machine from the SUSE Linux Enterprise Server DVD/CDs.
The Apache web server configuration files are located within the /etc/apache2 directory. This directory contains multiple configuration files, making it easier for you to manage your Apache web server. The SUSE development team did a very good job of sorting the Apache web server configuration files, which makes them much more manageable for Linux administrators. Table 1 lists the configuration files that are stored within the /etc/apache2 directory.
| File | Description |
|---|---|
| uid.conf | UserID/GroupID to run Apache under. |
| server-tuning.conf | Sizing of the server (how many processes to start, …) |
| sysconfig.d/loadmodule.conf | Modules to be loaded by Apache. |
| listen.conf | IP addresses / ports to listen on. |
| mod_log_config.conf | Define logging formats. |
| sysconfig.d/global.conf | Server-wide general settings. |
| mod_status.conf | Restrict access to mod_status (server monitoring). |
| mod_info.conf | Restrict access to mod_info. |
| mod_usertrack.conf | Defaults for cookie-based user tracking. |
| mod_autoindex-defaults.conf | Defaults for displaying of server-generated directory listings. |
| mod_mime-defaults.conf | Defaults for mod_mime configuration. |
| errors.conf | Customize error responses. |
| ssl-global.conf | SSL conf that applies to default server _and all_ virtual hosts. |
| default-server.conf | Set up the default server that replies to non-virtual-host requests. |
Table 1: /etc/apache2 directory structure.
The configuration file that we will need to edit first is listen.conf, located within the /etc/apache2 directory; this file contains the directive for enabling name based virtual hosting. We will also need to create a virtual host configuration file within the /etc/apache2/vhosts.d directory.
The first step is to enable name based virtual hosting by editing the /etc/apache2/listen.conf configuration file. The directive that needs to be uncommented is shown in Figure 1.
    ...
    NameVirtualHost *:80
    ...
Figure 1: /etc/apache2/listen.conf – enabling a name based virtual host.
Once you have enabled the name based virtual hosting directive in the listen.conf configuration file, you should issue the apache2ctl command followed by the “configtest” qualifier to check that the Apache configuration syntax is correct, as shown in Figure 1.1.
    linux-mw4w:/etc/apache2/vhosts.d # apache2ctl configtest
    [Mon Apr 21 09:45:51 2008] [warn] NameVirtualHost *:80 has no VirtualHosts
    Syntax OK
Figure 1.1: Checking the Apache configuration syntax.
As you can see in Figure 1.1, the syntax is reported as OK. You may also get a warning about there being no virtual hosts; this is OK because we have not created any yet.
The next step is to create a virtual host configuration file, which is very simple. There is a virtual host template stored within the /etc/apache2/vhosts.d directory which you can use to help you create a virtual host. If this is your first time setting up name based virtual hosting then I would strongly recommend that you use the template provided. To make a copy of the virtual host template you can use the cp command as shown in Figure 1.2.
Make sure the name of your copy of the virtual host file ends in .conf.
    linux-mw4w:/etc/apache2/vhosts.d # cp vhost.template example.com.conf
Figure 1.2: Make a copy of the virtual host template.
Once you have created a copy of the virtual host template you will need to edit the contents of the file. The main directives that need to be edited are listed in Table 2.
| Directive | Description |
|---|---|
| ServerAdmin | This directive should specify the administrator's email address. |
| ServerName | This directive should include the URL of the web site excluding the http:// prefix. |
| DocumentRoot | This directive specifies the path to the document root where your web pages are located. |
| ErrorLog | This directive specifies the log file which errors should be logged to. |
| CustomLog | This directive specifies where to log the Apache messages and in what format. |
| ScriptAlias | This directive specifies the directory where CGI (Common Gateway Interface) scripts can be executed. |
Table 2: Virtual host directives.
Once you have finished editing each directive you will need to edit two directory blocks within the virtual host configuration file. The first directory block you need to edit is shown in Figure 1.3.
    <Directory "/srv/www/vhosts/example.com/cgi-bin">
    ...
    ...
    </Directory>
Figure 1.3: CGI directory block.
As you can see from Figure 1.3, this directory block needs to be changed: you need to specify the path to your “cgi-bin” directory. The second directory block that needs to be altered is shown in Figure 1.4; its path should be identical to the value of the “DocumentRoot” directive.
    <Directory "/srv/www/vhosts/example.com">
    ...
    ...
    </Directory>
Figure 1.4: DocumentRoot directory block.
Once you have finished editing your virtual host configuration file you should issue the apache2ctl command followed by the “configtest” qualifier, as shown in Figure 1.1, to make sure the Apache configuration syntax is correct.
Once you have checked the configuration file and the syntax check reported no errors, you can start the Apache web server by issuing the service command as shown in Figure 1.5, or you can issue the rcapache2 command followed by the keyword “start”.
    linux-mw4w:/srv/www/vhosts/example.com # service apache2 start
    Starting httpd2 (prefork) done
Figure 1.5: Starting the Apache web server.
Once the Apache web server has been started you can test your virtual host by entering the website address in your web browser; you should now be able to see your website. If you follow the same procedure and create another virtual host you will notice that you can access the two different domains, which both resolve to the same IP address.
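With both domains on one IP address, Apache chooses the virtual host from the request's Host header, and a request whose Host matches no ServerName or ServerAlias is answered by the first virtual host that was loaded. The following Python model of that selection is an added example, not code from Apache or from the original article; the file contents and function names are constructed for illustration, it assumes the files in vhosts.d are read in alphabetical order, and it handles exact names only (no wildcard aliases).

```python
import re

# Constructed sample of /etc/apache2/vhosts.d (file name -> contents); not from the article.
VHOSTS_D = {
    "novell.com.conf": """<VirtualHost *:80>
    ServerName www.novell.com
    ServerAlias novell.com
    DocumentRoot /srv/www/vhosts/novell.com
</VirtualHost>""",
    "example.com.conf": """<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /srv/www/vhosts/example.com
</VirtualHost>""",
    # Copied without the .conf suffix, so Apache never reads it.
    "intranet.example.com": """<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /srv/www/vhosts/intranet
</VirtualHost>""",
}

def load_vhosts(files):
    """Return [(names, docroot)] in load order: *.conf only, sorted by file name."""
    vhosts = []
    for fname in sorted(f for f in files if f.endswith(".conf")):
        for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                                files[fname], re.S | re.I):
            lines = re.findall(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", block, re.M | re.I)
            names = [n.lower() for line in lines for n in line.split()]
            root = re.search(r"^[ \t]*DocumentRoot[ \t]+(\S+)", block, re.M | re.I)
            vhosts.append((names, root.group(1).strip('"')))
    return vhosts

def select_vhost(vhosts, host_header):
    """Pick the DocumentRoot for a request's Host header (exact names only)."""
    host = host_header.split(":")[0].strip().lower().rstrip(".")
    for names, root in vhosts:
        if host in names:
            return root
    return vhosts[0][1]  # no name matches: the first vhost loaded answers

if __name__ == "__main__":
    loaded = load_vhosts(VHOSTS_D)
    for h in ("www.novell.com", "WWW.EXAMPLE.COM:80", "intranet.example.com", "192.168.2.141"):
        print(h, "->", select_vhost(loaded, h))
```

The request for intranet.example.com is served from the example.com document root, because its file lacks the .conf suffix and example.com.conf sorts first.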
IP Based Virtual Host
In this section of the article we are going to look at configuring an IP based virtual host. An IP based virtual host means that each domain must have its own IP address. For example, if you are serving two websites (www.novell.com and www.example.com), www.novell.com must resolve to its own designated IP address, which should not be the same as the IP address of www.example.com. In this article we will have two virtual hosts: the first will have an IP address of 192.168.2.141, which will resolve to www.novell.com, and the second will have an IP address of 192.168.2.142, which will resolve to www.example.com.
Creating an IP based virtual host is very similar to creating a name based virtual host; the only difference is that you have to designate an IP address for each virtual host within its virtual host configuration file.
If you previously set up name based virtual hosting, please make sure you edit the listen.conf configuration file and comment out the NameVirtualHost directive which was previously uncommented.
The first step is to create a virtual host configuration file within the /etc/apache2/vhosts.d directory; this can be done by making a copy of the “vhost.template” file as shown in Figure 1.2.
Make sure the virtual host configuration file ends in .conf, otherwise Apache will ignore it.
The virtual host configuration file that we will be using is shown in Figure 2. The only difference between a name based virtual host configuration file and an IP based virtual host configuration file is that the virtual host declaration at the top of the file has to specify the IP address, as shown in Figure 2.1.
    <VirtualHost 192.168.2.141:80>
        ServerAdmin email@example.com
        ServerName www.example.com
        DocumentRoot /srv/www/vhosts/example.com
        # if not specified, the global error log is used
        ErrorLog /var/log/apache2/example.com-error_log
        CustomLog /var/log/apache2/example.com-access_log combined
        # don't lose time with IP address lookups
        HostnameLookups Off
        # needed for named virtual hosts
        UseCanonicalName Off
        # configures the footer on server-generated documents
        ServerSignature On
        ScriptAlias /cgi-bin/ "/srv/www/vhosts/example.com/cgi-bin/"
        # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
        # CGI directory exists, if you have one, and where ScriptAlias points to.
        #
        <Directory "/srv/www/vhosts/example.com/cgi-bin">
            AllowOverride None
            Options +ExecCGI -Includes
            Order allow,deny
            Allow from all
        </Directory>
        #
        # This should be changed to whatever you set DocumentRoot to.
        #
        <Directory "/srv/www/vhosts/example.com">
            Options Indexes FollowSymLinks
            AllowOverride None
            #
            # Controls who can get stuff from this server.
            #
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
Figure 2: IP based virtual host template.
Figure 2.1: IP based virtual host.
Once you have modified the virtual host configuration file you can save the changes and issue the service command followed by the keywords “apache2 configtest” to check the configuration syntax as shown in Figure 1.1. If the Apache configuration test returns OK you can start the Apache web server by issuing the service command followed by “apache2 start” or by issuing the command rcapache2 start as shown in Figure 2.2.
    linux-mw4w:~ # rcapache2 start
    Starting httpd2 (prefork) done
Figure 2.2: Starting the Apache web server.
Once you have restarted the Apache web server you can open your web browser and type the IP address for the virtual host or its URL to see if the website is accessible. Once you have it working you can follow the previous steps to create your second virtual host. Once you have created your second virtual host you can restart the Apache web server and you should now be able to access both sites.
Access Control and Authentication
In this section of the article we will look at the mod_access module, which can be used to restrict access to certain sections of your web site. We will also look at configuring authentication for certain sections of your website, so that users must authenticate before being able to view the website's content.
First we will look at the Allow and Deny directives. We will write our access control lists within the directory block which specifies the document root, as shown in Figure 3.
    <Directory "/srv/www/vhosts/example.com">
    ...
    # Our rules will go here
    ...
    </Directory>
Figure 3: Access Control List section.
As you may have noticed, the template which we used to create our virtual hosts contains a simple access rule, shown in Figure 3.1 and explained in Table 3.
    Order allow,deny
    Allow from all
Figure 3.1: Simple access control rule.
| Rule | Explanation |
|---|---|
| Order allow,deny | This section sets the order in which the allow or deny rule will work. This tells Apache to process the Allow directive first and then the deny directive. |
| Allow from all | This allows everyone to connect to the page. |
Table 3: Figure 3.1 explained.
The first rule which we will write is shown in Figure 3.2. This rule will allow access from the IP address 192.168.2.1 and deny access to all other hosts.
    Order allow,deny
    Allow from 192.168.2.1
Figure 3.2: Allowing the IP address 192.168.2.1 access and deny others.
As you can see in Figure 3.2, you don’t have to specify a deny statement. The reason is that, because of the Order directive, an implicit deny for every other host is added automatically. Once you have added the rule to the virtual host you will need to reload the Apache web server; this can be done by issuing the service command as shown in Figure 3.3.
    linux-mw4w:/etc/apache2/vhosts.d # service apache2 reload
    Reload httpd2 (graceful restart) done
Figure 3.3: Reloading the Apache configuration files.
Once the Apache web server has been reloaded you can try to access the page from your server and you will notice that you get the error code 403, which means access is forbidden. If you try to access the web page from the IP address 192.168.2.1 you will notice the page loads and you are not denied.
The second example shows how the ordering affects the access control list; Figure 3.4 shows the rule which we will be using.
    Order deny,allow
    Deny from 192.168.2.1
Figure 3.4: Denying 192.168.2.1 and allowing all other hosts.
As you can see in Figure 3.4, we have changed the ordering around so that we deny first and then allow, which gives us an implicit allow. The rule in Figure 3.4 will allow all hosts and deny only the host with the IP address of 192.168.2.1.
Hopefully you understand the importance of the ordering. The second keyword in the Order directive becomes the default that is applied to every host matching no rule: deny,allow ends with an implicit allow for ALL and allow,deny ends with an implicit deny for ALL.
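The ordering rules can be checked against Figures 3.2 and 3.4 with a small model. The following Python code is an added example, not code from Apache or from the original article, and its function names are illustrative; it goes beyond the text by accepting CIDR ranges, by covering a client that matches both an Allow and a Deny line, and by modelling how the host check combines with the Require valid-user directive used later in the article under Apache's core Satisfy directive (default All).

```python
import ipaddress

def _matches(spec, client_ip):
    """True if an 'Allow from' / 'Deny from' argument covers client_ip.
    Handles 'all', a single address and CIDR (a subset of what Apache accepts)."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)

def host_allowed(order, allow, deny, client_ip):
    """Return True if the host-based rules let client_ip through."""
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "allow,deny":
        # Allow is evaluated first, Deny second: Deny wins, default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, Allow second: Allow wins, default is allow.
        return allowed or not denied
    raise ValueError("unsupported Order: %r" % order)

def access_granted(order, allow, deny, client_ip,
                   require_user=False, authenticated=False, satisfy="all"):
    """Combine the host check with 'Require valid-user' the way Satisfy does."""
    host_ok = host_allowed(order, allow, deny, client_ip)
    if not require_user:
        return host_ok
    if satisfy == "all":             # Apache's default: both checks must pass
        return host_ok and authenticated
    return host_ok or authenticated  # Satisfy Any: either check is enough

# The rules from Figure 3.2 and Figure 3.4 as (order, allow list, deny list).
FIG_3_2 = ("allow,deny", ["192.168.2.1"], [])
FIG_3_4 = ("deny,allow", [], ["192.168.2.1"])

if __name__ == "__main__":
    # 192.168.2.50 is a constructed second client address.
    for name, rule in (("Figure 3.2", FIG_3_2), ("Figure 3.4", FIG_3_4)):
        for ip in ("192.168.2.1", "192.168.2.50"):
            print(name, ip, "200" if host_allowed(*rule, ip) else "403")
```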
Now that you know how to control access using the Allow and Deny directives, we can look at making users authenticate to your server to view certain sections of your website. The first task is to add the authentication directives to the directory block shown in Figure 3. Figure 3.5 shows the authentication directives needed and Table 4 explains each directive.
    <Directory "/srv/www/vhosts/example.com">
    ...
    # Access Control List
    Order allow,deny
    Allow from all
    ...
    AuthType Basic
    AuthName "Restricted to employee only"
    AuthUserFile /srv/www/vhosts/.htpasswd
    Require valid-user
    </Directory>
Figure 3.5: Authentication directives.
| Directive | Description |
|---|---|
| AuthType | This directive specifies the type of authentication we will use which is basic, it is also possible to choose digest. |
| AuthName | This directive writes a title to the dialog box that appears asking for the username and password. |
| AuthUserFile | This directive specifies where the usernames and passwords are stored. |
| Require valid-user | This directive allows you to specify a group of users, a single user or just a valid user. |
Table 4: Figure 3.5 explained.
Once you have written the authentication directives to the virtual host you will need to reload the Apache web server as shown in Figure 3.3. Once the Apache web server has been restarted you will need to create the text file with all the users you would like to authenticate to this site; this can be done using the htpasswd2 command as shown in Figure 3.6.
    linux-mw4w:/etc/apache2/vhosts.d # htpasswd2 -c /srv/www/vhosts/.htpasswd damian
    New password:
    Re-type new password:
    Adding password for user damian
Figure 3.6: Creating a user called: “damian”.
Once you have created the user “damian” you can navigate to the user's web page and you should be prompted for a username and password as shown in Figure 3.7.
Figure 3.7: Login prompt.
As you can see from Figure 3.7, the AuthName directive is printed on the login prompt near the top (“Restricted to employee only”). If you want to add more users you can use the htpasswd2 command without the -c qualifier as shown in Figure 3.8.
    linux-mw4w:/etc/apache2/vhosts.d # htpasswd2 /srv/www/vhosts/.htpasswd chisa
    New password:
    Re-type new password:
    Adding password for user chisa
Figure 3.8: Adding a new user “chisa”.
Once you have added the user chisa you don’t need to restart the Apache web server, because Apache reads the authentication file each time a new request is made.
With HTTP authentication you need to specify the section of the site you want to protect using the directory directive or using .htaccess. Protecting the document root is not a good idea because every directory beneath it will also be protected; for example, if you protect the /account folder, every path that follows it will be protected as well (/account/index.htm, /account/damian/index.htm, etc.).
In this article we looked at how simple it is to set up a name based virtual host and an IP based virtual host using SUSE Enterprise Linux 10 SP1. We only looked at a few of the basic features that the Apache web server has to offer. I strongly recommend reading the Apache documentation, as Apache provides hundreds of modules which you can benefit from.
 Netcraft, http://news.netcraft.com/archives/2008/04/14/april_2008_web_server_survey.html