ntcap.nic.in


INSTALLATION &
CONFIGURATION of
HTTPD / APACHE
Web Server
Index

What is apache httpd server ?
What is PHP ?
Installing apache web server
Verify installed apache web server.
Installing PHP
Manage Apache Web Server
Configuration file of Apache Web Server
Type of Virtual Hosting in Apache Web Server
Name Based Virtual Hosting
IP Based Virtual Hosting
Log file location of Apache Web Server
Verify PHP integration with Apache Web Server
SSL with Apache Web Server
Access Control in Apache Web Server
User Based Access Control in Apache Web Server
Add module in working Apache Web Server
Fine-tune the PHP
What is apache httpd server?
Apache HTTPD provides the service with which client web browsers
communicate. The daemon (httpd) runs in the background on your
server and waits for requests from clients. Web browsers connect
to the HTTP daemon and send requests, which the daemon interprets,
sending back the appropriate data.

What is PHP ?

PHP (PHP: Hypertext Preprocessor) is a programming language that
was developed specifically for use in web scripts. Many developers
prefer it because it is designed to be embedded within HTML
documents, which makes it simpler to manage web content and
scripts within a single file.
Installing Apache

yum install httpd
OR

rpm -ivh httpd-2.2.3-6.el5.rpm
Note: yum only works when the system has been registered
with Red Hat and is connected to the internet.
Verify Installed HTTPD/Apache

rpm -q httpd
OR

rpm -qa | grep httpd
Installing PHP

yum install php
OR

rpm -ivh php-5.1.6-5.el5.rpm
Note: yum only works when the system has been registered
with Red Hat and is connected to the internet.
On RHEL 5 the package is simply named php (as the rpm file name shows);
php5 is the name used by other distributions. The package drops its
module configuration into /etc/httpd/conf.d/php.conf, so restart httpd
after installing it.
Start / Stop / Restart HTTPD / Apache

service httpd start

service httpd stop

service httpd restart
Note: run apachectl configtest before a restart; a syntax error in
httpd.conf otherwise takes the running server down.
HTTPD Config File

/etc/httpd/conf/httpd.conf
## Main configuration file of the HTTPD server.

/etc/httpd/conf.d
## Drop-in config directory. Packages installed from rpms
(squirrelmail, phpmyadmin, php, mod_ssl, ...) put their .conf
files here; they are pulled in by Include conf.d/*.conf.

/var/www/html
## Default DocumentRoot: the directory in which the web
pages for the site can be found.
General Settings

Listen 80
## Defines the port number on which the httpd web server listens.

ServerRoot "/etc/httpd"
## Defines the directory in which the configuration of the httpd web
server can be found.

DocumentRoot "/var/www/html"
## Defines the directory in which the web pages for the site can be found.

ServerName www.example.com
## Defines the name of the website managed by the server (or by the
<VirtualHost> container it appears in).

Include conf.d/*.conf
## Load config files from the config directory.

DirectoryIndex index.html welcome.html
## Sets the file that Apache will serve if a directory is requested.

<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
## Per-directory settings for the CGI directory: no .htaccess overrides,
no extra options, and access allowed from every client.
General Settings

Redirect permanent /google http://www.google.com/
## Now you can reach google.com via http://192.168.1.1/google
(the server answers with a 301 pointing at the new URL).
Alias /data/ "/data/"
## Now the /data folder in the filesystem root is served at http://localhost/data/ .
Anything aliased this way is published to every client, so only alias
directories that are meant to be public and give each one its own
<Directory> block with access controls.
ErrorDocument 404 /error/error404.html
## Define your own error messages.
ServerTokens Prod
## This directive configures what is returned in the Server HTTP response
header. The default is 'Full', which sends information about the OS type
and compiled-in modules. Set to one of: Full | OS | Minor | Minimal | Major | Prod,
where Full conveys the most information and Prod the least. Use Prod so
that version and module details are not handed to an attacker
(ServerSignature Off hides the same details in server-generated error pages).
LoadModule auth_basic_module modules/mod_auth_basic.so
# LoadModule auth_basic_module modules/mod_auth_basic.so
## To disable a module, add a # sign in front of its LoadModule line.
To enable a module, remove the # sign in front of the line, if one is there.
Run apachectl configtest and restart httpd afterwards.
Note: Disable all modules that are not required. Every loaded module adds
attack surface (its bugs become reachable from the network) and adds memory
and CPU overhead to each httpd process.
General Settings

Options Indexes FollowSymLinks
## If a URL that maps to a directory is requested and there is no
DirectoryIndex file (for example, index.html) in that directory, then the
server returns a formatted listing of the directory, exposing every file
name in it (backups, config copies, upload folders).
<Directory /www/myclient/public/htdocs >
Options -Indexes +MultiViews
</Directory>
## Turns listings off for this directory and adds MultiViews. When the
+/- form is used, every option on the line must carry a sign:
"Options -Indexes MultiViews" is a syntax error and httpd refuses to start.
Note: Remove Indexes from the Options directive unless it is really needed.
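The three checks the settings above ask for (ServerTokens Prod, no directory listings, only the modules you need) can be scripted so they are not forgotten after an edit. The script below is an added example, not part of the original slides; it audits an httpd.conf-style file and the sample configuration it writes is constructed for the demonstration (the directory names and module list are assumptions).

```shell
#!/bin/bash
# Added example (not from the original slides): a small audit of the
# hardening points above, run against an httpd.conf file. It checks
# ServerTokens, finds directories that still allow listings (Options
# Indexes), and lists the modules actually loaded so unneeded ones
# stand out. The sample config below is constructed for the demo.

set -u

# Constructed sample config; point audit at /etc/httpd/conf/httpd.conf
# on a real server (conf.d/*.conf files need the same treatment).
make_sample_conf() {
  cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule userdir_module modules/mod_userdir.so
ServerTokens Full
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/data">
    Options -Indexes +MultiViews
</Directory>
EOF
}

# Drop comments and blank lines so commented-out directives are ignored.
active_lines() { sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"; }

# ServerTokens: anything but Prod leaks version, OS or module details.
# Returns 0 when the setting is Prod (Apache's default when unset is Full).
check_server_tokens() {
  local val
  val=$(active_lines "$1" | awk 'tolower($1)=="servertokens" {v=$2} END {print v}')
  [ "${val:-Full}" = "Prod" ]
}

# Print each <Directory> whose Options line turns listings on
# ("Indexes" or "+Indexes"); "-Indexes" is the safe form.
indexes_enabled_dirs() {
  active_lines "$1" | awk '
    /^[[:space:]]*<Directory/ { dir = $2; gsub(/[">]/, "", dir) }
    tolower($1) == "options" {
      for (i = 2; i <= NF; i++)
        if ($i == "Indexes" || $i == "+Indexes") { print dir; break }
    }'
}

# Print the modules that are really loaded (commented LoadModule lines
# are not counted).
loaded_modules() { active_lines "$1" | awk 'tolower($1)=="loadmodule" {print $2}'; }

# Run all checks; returns 1 if anything needs attention.
audit() {
  local conf=$1 rc=0 dirs
  if check_server_tokens "$conf"; then
    echo "OK   ServerTokens Prod"
  else
    echo "WARN ServerTokens is not Prod (Server header leaks details)"; rc=1
  fi
  dirs=$(indexes_enabled_dirs "$conf")
  if [ -n "$dirs" ]; then
    echo "WARN directory listing enabled for:"; echo "$dirs" | sed 's/^/     /'; rc=1
  else
    echo "OK   no directory listings"
  fi
  echo "INFO $(loaded_modules "$conf" | grep -c .) module(s) loaded:"
  loaded_modules "$conf" | sed 's/^/     /'
  return "$rc"
}

main() {
  local tmp; tmp=$(mktemp)
  make_sample_conf "$tmp"
  audit "$tmp" || echo "audit found items to fix"
  rm -f "$tmp"
}
main
```

Run it against the real file with `audit /etc/httpd/conf/httpd.conf` after sourcing the script. The sample deliberately leaves ServerTokens at Full and listings on for /var/www/html, so the audit reports both; the commented-out userdir module is correctly not counted.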
Type of Virtual Hosting

Name Based Virtual Hosting

IP Based Virtual Hosting
Name Based Virtual Hosting

NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /www/domain
ServerName www.domain.tld
...
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /www/subdomain
ServerName www.sub.domain.tld
...
</VirtualHost>
Note: With name-based virtual hosting all sites share one IP address and
the server chooses the <VirtualHost> by the Host: header the client sends,
so every ServerName must resolve in DNS to the server's address. A request
whose Host: matches no ServerName is served by the first <VirtualHost>
listed, so put a harmless default site first rather than an internal one.
IP Based Virtual Hosting

<VirtualHost 192.168.1.110:80>
DocumentRoot /var/www/html/otherdomain
ServerName www.otherdomain.tld
...
</VirtualHost>
Httpd Log Files Location

/var/log/httpd
## Log directory (also reachable as /etc/httpd/logs).
Access log file of HTTPD
/var/log/httpd/access_log
Error log file of HTTPD
/var/log/httpd/error_log
Note: To check the logs, use the command "tail /var/log/httpd/access_log"
(tail -f follows new entries as they arrive).
Verify PHP integration with HTTPD

cat > /var/www/html/info.php
<?php
phpinfo();
?>
^D
chmod 644 /var/www/html/info.php
Note: After everything is tested and working, remove the info.php file
so that it cannot be used by a potential attacker to gather specific
information about your system (PHP and Apache versions, loaded modules,
file system paths and configuration values).

Output of http://localhost/info.php
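Two things the log notes above lead to in practice: confirming nobody is still fetching a leftover info.php, and spotting a client that is probing for admin pages (a burst of 404/403 responses from one address). The script below is an added example, not part of the original slides; the log lines it writes are constructed in Apache's "combined" format, and on a real server the functions would be pointed at /var/log/httpd/access_log.

```shell
#!/bin/bash
# Added example (not part of the original slides): two checks over the
# access log that follow from the notes above. phpinfo_hits finds requests
# for the info.php page that should have been deleted; noisy_clients finds
# clients that collected many 4xx responses, the usual signature of a
# scanner probing for admin pages. Log lines below are constructed in
# Apache's "combined" format; on a real host point the functions at
# /var/log/httpd/access_log.

set -u

make_sample_log() {
  cat > "$1" <<'EOF'
192.168.1.50 - - [10/Mar/2010:10:00:01 +0530] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2010:10:00:02 +0530] "GET /data/report.pdf HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2010:10:05:00 +0530] "GET /phpmyadmin/ HTTP/1.1" 404 281 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Mar/2010:10:05:01 +0530] "GET /admin/ HTTP/1.1" 404 281 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Mar/2010:10:05:02 +0530] "GET /info.php HTTP/1.1" 200 45021 "-" "Mozilla/4.0"
10.0.0.7 - - [10/Mar/2010:10:05:03 +0530] "GET /.htpasswd HTTP/1.1" 403 205 "-" "Mozilla/4.0"
192.168.1.51 - - [10/Mar/2010:10:06:00 +0530] "GET /info.php HTTP/1.1" 200 45021 "-" "Mozilla/5.0"
EOF
}

# Combined format fields used below: $1 client, $7 request path, $9 status.

# Requests that reached a phpinfo page; prints "client path status".
# A 200 here means the file is still on the server.
phpinfo_hits() {
  awk '$7 ~ /info\.php/ { print $1, $7, $9 }' "$1"
}

# Clients with at least MIN (default 3) 4xx responses; prints "count client",
# highest first. 404/403 bursts from one address are worth blocking or
# at least watching.
noisy_clients() {
  local log=$1 min=${2:-3}
  awk -v min="$min" '
    $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$log" | sort -rn
}

main() {
  local log; log=$(mktemp)
  make_sample_log "$log"
  echo "== phpinfo pages still being served =="; phpinfo_hits "$log"
  echo "== clients with >= 3 4xx responses =="; noisy_clients "$log" 3
  rm -f "$log"
}
main
```

On the sample, 10.0.0.7 is reported with three 4xx responses and both info.php fetches are listed with status 200, i.e. the file has not been removed yet. The same awk patterns work on the ssl_access_log once the SSL host is in place, since it uses the same format.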
create a self-signed SSL Certificate

# yum install openssl
# rpm -ivh openssl-0.9.8b-8.3.el5
# to install the OpenSSL package (the Apache side needs mod_ssl as well: yum install mod_ssl)
mkdir -p /etc/httpd/conf/ssl.key /etc/httpd/conf/ssl.crt && cd /etc/httpd/conf/ssl.key/
Generate a Private Key
openssl genrsa -des3 -out server.key 2048
## 1024-bit RSA keys are no longer considered safe; use 2048 bits or more.
Generate a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
Remove Passphrase from Key
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
## Without the passphrase httpd can start unattended, but the key is now
protected only by file permissions. Delete server.key.org afterwards or
give it the same permissions as server.key.
Generating a Self-Signed Certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Installing the Private Key and Certificate
mv server.crt /etc/httpd/conf/ssl.crt/
chmod 644 /etc/httpd/conf/ssl.crt/server.crt
chmod 600 /etc/httpd/conf/ssl.key/server.key
## The certificate is public, but the private key must be readable by root
only (httpd reads it while still running as root, before dropping
privileges). chmod 755 on the key, as seen in some older guides, makes it
world-readable and lets any local user impersonate the server.

Configuring SSL Enabled Virtual Hosts
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
Add an SSL-enabled virtual host to your Apache configuration files. Using the earlier virtual host as an
example, your configuration will look something like this:
Listen *:443
## Add this line after Listen *:80. If mod_ssl was installed from the rpm,
/etc/httpd/conf.d/ssl.conf already contains Listen 443, and a second Listen
on the same port stops httpd from starting, so check before adding it.
<VirtualHost <your server ip address>:443>
ServerName secure.example.org
DocumentRoot /home/username/public_html/
DirectoryIndex index.php index.html index.htm
SSLEngine On
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
</VirtualHost>
## The CN (or subjectAltName) in the certificate must be the ServerName,
otherwise browsers report a name mismatch even after the self-signed
certificate has been trusted.

Test the configuration
apachectl configtest
Restart Apache and Test
service httpd restart
Modifying the httpd.conf file to force HTTPS
Search for the Redirect tag and type as shown below
vi /etc/httpd/conf/httpd.conf
Redirect / https://FQDN/pathofthefile
## Put this Redirect in the port-80 <VirtualHost> (or the plain-HTTP
server section), never inside the :443 host, or the redirect loops.
Start the Apache service
Access the application using https://FQDN
Requests to the SSL host are logged separately in /etc/httpd/logs/ssl_access_log
(errors in /etc/httpd/logs/ssl_error_log).
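The certificate steps above can be collapsed into one non-interactive command, and two checks are worth running before pointing SSLCertificateFile at the result: that the certificate really belongs to the installed key, and that the key file is not world-readable. The script below is an added example, not part of the original slides; the installation directory (a temporary one here, /etc/httpd/conf on a real server), the host name secure.example.org and the 2048-bit / SHA-256 parameters are assumptions.

```shell
#!/bin/bash
# Added example (not from the original slides): generate the key and
# self-signed certificate non-interactively, with a 2048-bit key and
# SHA-256 instead of the 1024-bit key shown above, then install them with
# the permissions a private key needs and verify the pair. Directory and
# host name are assumptions for the demonstration.

set -eu

make_selfsigned() {
  local dir=$1 host=$2 days=${3:-365}
  mkdir -p "$dir/ssl.key" "$dir/ssl.crt"
  # -nodes: no passphrase, so httpd can start unattended (same effect as
  # the "remove passphrase" step above, without the intermediate file).
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
      -subj "/CN=$host" \
      -keyout "$dir/ssl.key/server.key" -out "$dir/ssl.crt/server.crt" 2>/dev/null
  chmod 600 "$dir/ssl.key/server.key"   # private key: owner (root) only
  chmod 644 "$dir/ssl.crt/server.crt"   # the certificate is public
}

# The certificate must carry the public half of the key we installed:
# compare the public key inside the cert with the one derived from the
# private key.
key_matches_cert() {
  local dir=$1 k c
  k=$(openssl pkey -in "$dir/ssl.key/server.key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$dir/ssl.crt/server.crt" -noout -pubkey | openssl md5)
  [ "$k" = "$c" ]
}

# The key file must not be group- or world-readable (600 or 400).
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Subject CN of the certificate, to check it matches the ServerName.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

main() {
  local dir; dir=$(mktemp -d)      # /etc/httpd/conf on a real server
  make_selfsigned "$dir" secure.example.org 365
  key_matches_cert "$dir" && echo "key and certificate match"
  key_is_private "$dir/ssl.key/server.key" && echo "key permissions ok"
  echo "CN: $(cert_cn "$dir/ssl.crt/server.crt")"
  rm -rf "$dir"
}
main
```

A self-signed certificate still produces a browser warning; for a public site the CSR from the slide goes to a CA instead, and only the SSLCertificateFile changes. The key_matches_cert check is the one to rerun after every renewal, because a certificate installed for a different key makes httpd refuse to start.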
Setting Up User Based Access Control

htpasswd -c /etc/http-passwd user-name
htpasswd /etc/http-passwd second-user
## -c creates the file; use it only for the first user. Running
htpasswd -c a second time truncates the file and silently drops every
user already in it. Keep the file outside DocumentRoot, as /etc/http-passwd
is here, so it can never be downloaded.
<Directory /srv/www/htdocs/private>
AuthType Basic
AuthName "Restricted Directory"
AuthUserFile /etc/http-passwd
Require user user-name second-user
</Directory>
## Require user lists the accounts allowed in; Require valid-user admits
anyone present in the file. Basic authentication sends the password
base64-encoded, not encrypted, so serve protected directories only
through the SSL virtual host.
Add Module in working HTTP server

Build and install a third-party Apache module, say
mod_foo.c, into its own DSO mod_foo.so outside of
the Apache source tree using apxs (the APache
eXtenSion tool, from the httpd-devel package on RHEL):
$ cd /path/to/3rdparty
$ apxs -c mod_foo.c
$ apxs -i -a -n foo mod_foo.la
## -i installs the .so into the modules directory and -a adds the
LoadModule line to httpd.conf (-n gives the module name). If you add
the line by hand instead, it looks like this:
vi httpd.conf
LoadModule foo_module modules/mod_foo.so
Note: A module runs with the full privileges of the httpd process, so
build only from source you have reviewed or install from a trusted
package.
Controlling Apache processes

StartServers
## initial number of server processes to start.
MaxClients
## maximum number of simultaneous client connections; requests beyond it
wait in the listen backlog.
MinSpareThreads
## minimum number of worker threads which are kept spare.
MaxSpareThreads
## maximum number of worker threads which are kept spare.
ThreadsPerChild
## constant number of worker threads in each server process.
MaxRequestsPerChild
## maximum number of requests a server process serves before it is
recycled (0 = never).
Note: The thread directives belong to the worker MPM; the default prefork
MPM on RHEL uses MinSpareServers/MaxSpareServers instead. Keep MaxClients
low enough that MaxClients times the memory footprint of one httpd
process fits in RAM, or the server swaps under load.
Fine-tune the PHP

Four important settings (in /etc/php.ini) control how much system resources PHP can consume:

Setting            | Description                                                       | Recommended value
max_execution_time | How many CPU-seconds a script can consume                         | 30
max_input_time     | How long (seconds) a script can wait for input data               | 60
memory_limit       | How much memory (bytes) a script can consume before being killed  | 32M
output_buffering   | How much data (bytes) to buffer before sending out to the client  | 4096
LAB

Demonstration of hosting a website by using
APACHE.
What is performance tuning
• Utilizing resources as efficiently as possible
– Not always speed!
• It’s not always a good idea
– Use with care: It can break things
– Buy more hardware instead
• Helps against bottlenecks, not underpowered
systems as a whole
Tuning Apache (1)
Make Apache do less
• Disable unused processing (pre and post):
– mod_includes
– ExtendedStatus
• Disable DNS and User lookups
• Avoid disk operations:
– AllowOverride
– FollowSymlinks
• mod_disallow_uid for security
Example
HostNameLookups off
UserDir /home/*/WWW
AllowOverride None
Options FollowSymlinks
DisallowUid 0
DisallowGid 0
## HostNameLookups off saves a reverse DNS query per request (log analysers
can resolve names later). AllowOverride None stops httpd from looking for
.htaccess files at every directory level on each request, and also means
nobody can loosen access rules from inside the document tree. FollowSymlinks
skips the extra lstat() that SymLinksIfOwnerMatch needs, at the price of
following any symlink in the document tree, so use it only where no
untrusted user can create links there.
Tuning Apache (2)
Make Apache wait less
• Tune process model
– MinSpareServers
– MaxSpareServers
– StartServers
– MaxClients
– MaxRequestsPerChild
Tuning Apache (3)
• Avoid running other applications on the
same servers
• Do not run out of memory
– Swapping kills performance
• Offload functionality
– Use a frontproxy to serve static data
– Use a frontproxy or similar to handle SSL
Tuning Apache (4)
Make Apache work smartly
• Compress data
– mod_gzip or mod_compress (Apache 2.x ships mod_deflate for this)
• Throttle popular sites or directories
– By OS, or mod_bandwidth or mod_throttle
• For mass virtualhosting, use mod_rewrite or
mod_vhost_alias
• Write site-specific modules, or adapt existing
ones
Tuning Apache (5)
KeepAlive Requests
• Persistent connections
• Multiple requests over one TCP socket
• Directives:
– KeepAlive
– MaxKeepAliveRequests
– KeepAliveTimeout
Example
mod_gzip_enable Yes
mod_gzip_item_include mime text/.*
mod_gzip_item_exclude mime text/compressed
BandwidthModule On
<Directory /home>
Bandwidth 194.109.0.0/23 0
Bandwidth all 1024
MinBandwidth -1
</Directory>
XS4ALLUserDir WWW
## These directives come from third-party modules (mod_gzip, mod_bandwidth
and an XS4ALL UserDir module); they are only valid once those modules
are loaded.
Tuning Applications
• Optimize your scripts/programs
• Use a language specific interpreter-module
– mod_perl
– mod_python, mod_snake
– mod_dtcl, NeoScript, many more
– mod_php
– mod_ruby
• Use FastCGI
• Rewrite C programs directly into Apache as a
module
Tuning the Operating System
• Free up memory
• Raise process limits (for Apache)
• Disable process accounting
• Tune the kernel (maxproc, shmem, maxfd,
TCP stack)
• When possible, disable 'atime' updates
• Choose the best accept-serializing strategy
(in Apache 2.0, choose the best MPM)
Troubleshooting
Common pitfalls
and their solutions
Check your error_log
• The first place to look
• Increase the LogLevel if needed
– Make sure to turn it back down (but not off) in
production
Check Apache Health
• server-status
– ExtendedStatus
(see next slide)
– Restrict /server-status with a <Location> block (Allow from the
admin network only): it shows client addresses and the URLs in
flight to anyone who can reach it.
• Verify "httpd -V"
• ps -elf | grep httpd | wc -l
– How many httpd processes are running?
server-status Example
Other Possibilities
• Set up a staging environment
• Set up duplicate hardware
• Check for known bugs
– http://nagoya.apache.org/bugzilla/
Common Bottlenecks
• No more File Descriptors
• Sockets stuck in TIME_WAIT
• High Memory Use (swapping)
• CPU Overload
• Interrupt (IRQ) Overload
File Descriptors
• Symptoms
– entry in error_log
– new httpd children fail to start
– fork() failing across the system
• Solutions
– Increase system-wide limits
– Increase ulimit settings in apachectl
TIME_WAIT
• Symptoms
– Unable to accept new connections
– CPU under-utilized, httpd processes sit idle
– Not Swapping
– netstat shows huge numbers of sockets in TIME_WAIT
• Many TIME_WAIT are to be expected
• Only when new connections are failing is it a problem
– Decrease system-wide TCP/IP FIN timeout
Memory Overload, Swapping
• Symptoms
– Ignore system free memory, it is misleading!
– Lots of Disk Activity
– top/free show high swap usage
– Load gradually increasing
– ps shows processes blocking on Disk I/O
• Solutions
– Add more memory
– Use less dynamic content, cache as much as possible
– Try the Worker MPM
How much free memory
do I really have?
• Output from top/free is misleading.
• Kernels use buffers
• File I/O uses cache
• Programs share memory
– Explicit shared memory
– Copy-On-Write after fork()
• The only time you can be sure is when it
starts swapping.
CPU Overload
• Symptoms
– top shows little or no idle CPU time
– System is not Swapping
– High system load
– System feels sluggish
– Much of the CPU time is spent in userspace
• Solutions
– Add another CPU, get a faster machine
– Use less dynamic content, cache as much as possible
Interrupt (IRQ) Overload
• Symptoms
– Frequent on big machines (8-CPUs and above)
– Not Swapping
– One or two CPUs are busy, the rest are idle
– Low overall system load
• Solutions
– Add another NIC
• bind it to the first or use two IP addresses in Apache
• put NICs on different PCI busses if possible
Questions ?