Apache configuration details (best Apache configuration tutorial)

Source: Internet
Author: User
Tags: http, authentication

Configuration of the primary site (basic configuration)
(1) Basic configuration:
ServerRoot "/mnt/software/apache2" # location of the Apache installation. Any other directory or file given without an absolute path (PidFile, ErrorLog, ...) is taken relative to this directory.
PidFile logs/httpd.pid # file holding the process ID of the first httpd process (the parent of all worker processes).
Listen 80 # port the server listens on.
ServerName www.jb51.net:80 # name (host name) of the main site.
ServerAdmin admin@jb51.net # administrator's email address. With ServerSignature EMail it is shown on error pages, so use a role address rather than a personal one.
DocumentRoot "/mnt/web/clusting" # directory from which the main site's pages are served.

Access control for the main site's directory (the <Directory> container must name the same path as DocumentRoot):

<Directory "/mnt/web/clusting">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

The directives used inside the <Directory> container are:
Options: enables features for the directory. The common values are:
ExecCGI: CGI scripts may be executed in this directory.
FollowSymLinks: the server follows symbolic links found in this directory. A symlink can point anywhere on the file system, so with this option anyone who can create links under the document root can expose files outside it.
Indexes: if the directory contains no file named by DirectoryIndex (for example index.html), the server returns a listing of the directory's contents. This reveals file names (backups, configuration files, uploads) to anyone, so leave it off unless listings are wanted.
SymLinksIfOwnerMatch: a symbolic link is followed only when the link and its target have the same owner. This is the safer alternative to FollowSymLinks on directories that untrusted users can write to.
Options can also add to or remove from the inherited set with + and - prefixes, for example Options -Indexes +SymLinksIfOwnerMatch.
For the other values and their meanings, see: http://www.jb51.net/Apache/ApacheManual/mod/core.html#options

AllowOverride: which directive types may appear in .htaccess files in this directory (the file name is set by AccessFileName and may be changed):
None: .htaccess files are not even looked for in this directory. This saves a file system lookup in every directory on the path of each request and, more importantly, prevents anyone who can write into the web tree from changing the server's behaviour.
All: every directive type allowed in .htaccess may be used.
Other values (Options, FileInfo, AuthConfig, Limit, ...) grant individual directive types; see: http://www.jb51.net/Apache/ApacheManual/mod/core.html#AllowOverride
Order: controls the order in which the Allow and Deny rules are evaluated, and the default for a host that matches neither. Order allow,deny evaluates Allow first and then Deny; a host that matches neither, or matches both, is denied. Order deny,allow reverses this, so a host that matches neither, or both, is allowed.
Allow: list of hosts allowed access (host or domain names, IP addresses or subnets, for example Allow from 192.168.0.0/16).
Deny: list of hosts denied access.
These three directives belong to mod_access (mod_authz_host in Apache 2.2). Apache 2.4 replaces them with Require, for example Require all granted or Require ip 192.168.0.0/16. For detailed usage, see: http://www.jb51.net/Apache/ApacheManual/mod/mod_access.html#order
DirectoryIndex index.html index.htm index.php # home page file names, tried in this order (here index.html, then index.htm, then index.php).

(2) Server tuning (MPM: multi-processing modules)
A major advantage of Apache 2 is its better support for multi-processor machines. The working mode is chosen at compile time with the --with-mpm option. To see which MPM a binary was built with, list its compiled-in modules with httpd -l. The modes are:
prefork: if httpd -l lists prefork.c, configure the following section:

<IfModule prefork.c>
StartServers 5 # number of httpd child processes started when Apache starts.
MinSpareServers 5 # minimum number of idle child processes kept available.
MaxSpareServers 10 # maximum number of idle child processes kept; surplus children are killed.
MaxClients 150 # maximum number of simultaneous connections (one process each), which is also the hard limit on child processes.
MaxRequestsPerChild 1000 # number of requests a child serves before it exits and is replaced. 0 means unlimited. A finite value such as 1000 limits the damage done by memory leaks in modules.
</IfModule>

In this mode five httpd child processes are started after the server starts (six processes in all, counting the parent, as ps ax | grep httpd shows). When a client connects, an idle child serves the connection, and the parent forks new children until the number of idle ones reaches MinSpareServers (and kills surplus ones above MaxSpareServers). Each child handles one connection at a time. Prefork is the default MPM when compiling on Unix and is required by non-thread-safe modules, such as older PHP builds; because a crash in one child affects only that connection, it is also the most robust mode.
worker: if httpd -l lists worker.c, configure the following section:
<IfModule worker.c>
StartServers 2 # number of child processes started when Apache starts.
MaxClients 150 # maximum number of simultaneous connections (threads across all children).
MinSpareThreads 25 # minimum number of idle threads kept available.
MaxSpareThreads 75 # maximum number of idle threads kept.
ThreadsPerChild 25 # number of threads each child process creates.
MaxRequestsPerChild 0 # number of requests a child serves before it exits. 0 means unlimited; as with prefork, a finite value bounds the effect of memory leaks.
</IfModule>

In this mode threads, not processes, serve client connections: each new connection is accepted by one of the idle threads. The server starts two child processes at startup, each with a fixed number of threads (ThreadsPerChild), so there are 50 threads at startup. When those are busy and fewer than MinSpareThreads are idle, the server forks another child, which adds 25 more threads, up to MaxClients threads in total. Every module loaded must be thread-safe; a fault in one thread takes down all the connections of its process.
perchild: if httpd -l lists perchild.c, configure the following section:

<IfModule perchild.c>
NumServers 5 # number of child processes started at server startup (fixed).
StartThreads 5 # number of threads started in each child.
MinSpareThreads 5 # minimum number of idle threads.
MaxSpareThreads 10 # maximum number of idle threads.
MaxThreadsPerChild 2000 # maximum number of threads a child may create. 0 means unlimited.
MaxRequestsPerChild 10000 # number of requests a child serves before it is replaced. 0 means unlimited.
</IfModule>

In this mode the number of child processes is fixed and each child grows its thread pool on demand: when a client connects, an idle thread serves it, and when idle threads run short the child creates more. Its purpose was to run the child serving each virtual host under a different user ID, which is why it is described as the mode for multi-site servers. Note that perchild never worked reliably, was only ever shipped as an experimental MPM, and is not present in Apache 2.4; the same separation is obtained today with suexec for CGI or by running separate httpd instances. In Apache 2.4 the directives above were renamed MaxRequestWorkers (for MaxClients) and MaxConnectionsPerChild (for MaxRequestsPerChild), with the old names still accepted, and the event MPM became the default.
(3) HTTP response header configuration
ServerTokens Prod # sets how much version information the Server response header carries. The values, from least to most verbose:
Prod: only the software name, for example Apache
Major: the major version, for example Apache/2
Minor: the minor version, for example Apache/2.0
Min: the complete Apache version, for example Apache/2.0.54
OS: adds the operating system type, for example Apache/2.0.54 (Unix)
Full: adds the loaded modules and their versions, for example Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7g
Full is the default when the directive is absent. Version strings only help an attacker match the server against known vulnerabilities, so use Prod; the header itself is still sent, Prod merely trims it to the product name.
ServerSignature Off # whether the trailing line of server-generated pages (error pages, directory listings) shows the server version and, with EMail, the ServerAdmin address. Recommended: Off. ServerTokens also limits how much ServerSignature reveals.
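
The following is an added example, not code from the original tutorial: a small audit script for the permissive settings discussed above (Options Indexes and FollowSymLinks, AllowOverride All, ServerTokens and ServerSignature) together with the SSLCipherSuite string that appears later in the SSL section. The two configuration files it is run on, one weak and one hardened, are constructed here for the demonstration and are not real server configurations.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an httpd.conf for the
# permissive settings the tutorial discusses. Only the directives named in the
# text are checked; the sample configs below are constructed for the demo.

# audit_httpd_conf <file>: print one finding per line; return 1 if any found.
audit_httpd_conf() {
    # Drop comments and blank lines first, so a commented-out "Options Indexes"
    # does not count. Directive names are case-insensitive, hence grep -i.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1")
    found=0
    hit() {   # hit <ERE> <message>: report <message> when some line matches
        if printf '%s\n' "$body" | grep -iqE "$1"; then
            echo "$2"; found=1
        fi
    }
    miss() {  # miss <ERE> <message>: report <message> when no line matches
        if ! printf '%s\n' "$body" | grep -iqE "$1"; then
            echo "$2"; found=1
        fi
    }
    # A bare "Indexes"/"+Indexes" (or "All") enables listings; "-Indexes" does not.
    hit '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?(Indexes|All)([[:space:]]|$)' \
        'Options Indexes: directory listings reveal file names'
    hit '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?FollowSymLinks([[:space:]]|$)' \
        'Options FollowSymLinks: symlinks may point outside the web tree (prefer SymLinksIfOwnerMatch)'
    hit '^[[:space:]]*AllowOverride[[:space:]]+All([[:space:]]|$)' \
        'AllowOverride All: anyone who can write a .htaccess can change server behaviour'
    miss '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?[[:space:]]*$' \
        'ServerTokens is not Prod: the Server header reveals versions (default is Full)'
    hit '^[[:space:]]*ServerSignature[[:space:]]+(On|EMail)([[:space:]]|$)' \
        'ServerSignature On: error pages reveal the server version'
    # Suites preceded by "+" or ":" (not "!") are enabled: eNULL means no
    # encryption, EXP/LOW are export and 56-bit grade, SSLv2 is broken.
    hit '^[[:space:]]*SSLCipherSuite[[:space:]].*[: +](eNULL|EXP|LOW|SSLv2)' \
        'SSLCipherSuite enables eNULL/EXP/LOW/SSLv2 suites'
    return $found
}

# write_weak_conf <file>: the permissive settings as found in old default
# configurations (constructed sample, not a real server config).
write_weak_conf() {
    cat > "$1" <<'EOF'
ServerTokens Full
ServerSignature On
<Directory "/var/www/download">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
}

# write_hardened_conf <file>: the same directory, hardened (constructed sample).
write_hardened_conf() {
    cat > "$1" <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/download">
    Options -Indexes +SymLinksIfOwnerMatch
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
EOF
}

# Demonstration: audit both constructed files.
work=$(mktemp -d)
write_weak_conf "$work/weak.conf"
write_hardened_conf "$work/hardened.conf"
for name in weak hardened; do
    echo "== $name.conf"
    audit_httpd_conf "$work/$name.conf" && echo "   no findings"
done
rm -rf "$work"
```

Run it against a real httpd.conf with audit_httpd_conf /path/to/httpd.conf; it checks only the directives this page discusses and does not follow Include lines, so run it on each included file as well.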

(4) Persistent connection settings
KeepAlive On # enables persistent connections: after a response has been sent, the client may keep the TCP connection open and send further requests on it.
MaxKeepAliveRequests 100 # maximum number of requests served on one connection before it is closed.
KeepAliveTimeout 30 # seconds the server waits for the next request on an idle persistent connection before closing it. The default is 15 seconds. Every waiting connection occupies a prefork process or a worker thread, so a long timeout makes it cheap for a client to hold many server slots open; keep it at the default or lower on busy or internet-facing servers (the event MPM in Apache 2.4 handles idle keep-alive connections more cheaply).
Alias settings
Pages that do not live under DocumentRoot can be published either through a symbolic link (which needs FollowSymLinks) or through an alias. An alias is configured as follows:
Alias /download/ "/var/www/download/" # reachable as http://www.jb51.net/download/ . Keep the trailing slash on both sides, or on neither, so that URL and path are substituted consistently.
<Directory "/var/www/download"> # access control for the aliased directory; an Alias by itself grants no access, and the <Directory> must name the real file system path
Options Indexes MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

CGI settings
ScriptAlias /cgi-bin/ "/mnt/software/apache2/cgi-bin/" # reachable as http://www.jb51.net/cgi-bin/ . Files in this directory are executed rather than served, so each script must have execute permission. Keep the CGI directory outside DocumentRoot: otherwise the script source could be downloaded through its other URL, and any file a user manages to upload into it becomes executable code.
<Directory "/mnt/software/apache2/cgi-bin"> # directory properties; the path must match the ScriptAlias target
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>

Personal home page settings (public_html)
UserDir public_html # a user's pages live in the public_html directory under that user's home directory: the URL http://www.jb51.net/~bearzhang/file.html reads /home/bearzhang/public_html/file.html
chmod 711 /home/bearzhang # the httpd user must be able to traverse the home directory; execute permission alone is enough and, unlike the 755 often recommended, does not let other local users list the home directory. public_html itself and the files in it must be readable (chmod 755 public_html; chmod 644 the files).
UserDir /var/html # alternative: the URL http://www.jb51.net/~bearzhang/file.html reads /var/html/bearzhang/file.html
UserDir /var/www/*/docs # alternative with a pattern: the URL http://www.jb51.net/~bearzhang/file.html reads /var/www/bearzhang/docs/file.html
Because ~user URLs are resolved against the system's account database, enable the feature only for the accounts that need it (UserDir disabled, then UserDir enabled user1 user2), and always keep UserDir disabled root so that /~root/ never exposes root's home directory.
Log settings
(1) Error log settings
ErrorLog logs/error_log # log file location (relative to ServerRoot)
LogLevel warn # lowest severity written to the error log (emerg, alert, crit, error, warn, notice, info, debug)
Format of an entry:
[Mon Oct 10 15:54:29 2005] [error] [client 192.168.10.22] access to /download/ failed, reason: user admin not allowed access
(2) Access log settings
The default log formats are as follows:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common # common is the name of the format
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-Agent}i" agent
CustomLog logs/access_log common

The format specifiers are:
%h -- IP address of the client (its host name if HostnameLookups is On)
%l -- the RFC 1413 identity reported by the client's identd; "-" in the output means the value is unavailable
%u -- the user name obtained by HTTP authentication, present only for authenticated requests; "-" means unavailable. It is the name the client sent, which for a 401 response was not verified
%t -- the time the server received the request
\"%r\" -- the request line sent by the client (method, URL and protocol) in quotes, the most informative field
%>s -- the status code finally returned to the client (%s alone gives the status of the original request before any internal redirect)
%b -- the size of the response body in bytes, excluding headers; "-" when nothing was sent
\"%{Referer}i\" -- the Referer request header, that is, the page the request was made from, as claimed by the client
\"%{User-Agent}i\" -- the User-Agent request header, the browser identification sent by the client
The request line, Referer and User-Agent are client-supplied strings; Apache escapes control characters when logging them, but anything that parses the log must still treat them as untrusted input.
An example access log (common format):
192.168.10.22 - bearzhang [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 200 1228
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/blank.gif HTTP/1.1" 304 -
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /icons/back.gif HTTP/1.1" 304 -
For a detailed explanation of the formats, see: http://www.jb51.net/Apache/ApacheManual/logs.html
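
The following is an added example, not part of the original tutorial: detection logic run over access_log lines in the combined format above, of the kind one would use to spot password guessing against the Basic-auth directory configured in the next section and probing for .htaccess files or path traversal. All log lines, addresses and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: detection logic over
# access_log entries in the "combined" LogFormat. Every line, address and
# path below is constructed for the demonstration.

# write_sample_log <file>: eight constructed combined-format entries: three
# failed Basic-auth attempts on /download/ followed by a success, then a
# second client probing for .htaccess, path traversal and a sample CGI.
write_sample_log() {
    cat > "$1" <<'EOF'
192.168.10.22 - - [10/Oct/2005:16:53:06 +0800] "GET /download/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.10.22 - - [10/Oct/2005:16:53:07 +0800] "GET /download/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.10.22 - - [10/Oct/2005:16:53:08 +0800] "GET /download/ HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.10.22 - bearzhang [10/Oct/2005:16:53:09 +0800] "GET /download/ HTTP/1.1" 200 1228 "-" "Mozilla/5.0"
192.168.10.22 - bearzhang [10/Oct/2005:16:53:09 +0800] "GET /icons/blank.gif HTTP/1.1" 304 - "http://www.jb51.net/download/" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2005:17:01:00 +0800] "GET /.htaccess HTTP/1.1" 403 213 "-" "curl/7.0"
10.0.0.7 - - [10/Oct/2005:17:01:01 +0800] "GET /~bearzhang/../../etc/passwd HTTP/1.1" 404 198 "-" "curl/7.0"
10.0.0.7 - - [10/Oct/2005:17:01:02 +0800] "GET /cgi-bin/test-cgi HTTP/1.1" 200 341 "-" "curl/7.0"
EOF
}

# The entries are split on the double quote, the only robust separator for
# this format: $1 = host, ident, user and time; $2 = request line; $3 = status
# and size; $4 = Referer; $6 = User-Agent. Splitting on whitespace would break
# on any request line or User-Agent that contains a space.

# auth_failures_by_client <file> <threshold>: clients with at least <threshold>
# 401 responses, one "client count" per line. A burst of 401s from one address
# against a Basic-auth directory is a password-guessing attempt.
auth_failures_by_client() {
    awk -F'"' -v thr="$2" '
        { split($1, a, " "); split($3, s, " ") }
        s[1] == "401" { n[a[1]]++ }
        END { for (c in n) if (n[c] >= thr) print c, n[c] }
    ' "$1" | sort
}

# suspicious_requests <file>: requests whose path contains a ".." component or
# targets .ht* files, as "client status path". Apache answers these with 403
# or 404 by itself, so they only become visible if someone looks for them.
suspicious_requests() {
    awk -F'"' '
        { split($1, a, " "); split($2, r, " "); split($3, s, " ") }
        r[2] ~ /\/\.\.(\/|$)/ || r[2] ~ /\/\.ht/ { print a[1], s[1], r[2] }
    ' "$1"
}

# status_summary <file>: number of responses per status code, "status count".
status_summary() {
    awk -F'"' '{ split($3, s, " "); n[s[1]]++ } END { for (c in n) print c, n[c] }' "$1" | sort
}

# Demonstration on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "== clients with 3 or more 401 responses"; auth_failures_by_client "$log" 3
echo "== traversal and .ht* probes";            suspicious_requests "$log"
echo "== responses by status";                  status_summary "$log"
rm -f "$log"
```

On a real server point the functions at logs/access_log written with the combined format; the common format lacks the Referer and User-Agent fields but splits the same way, so the three functions work on it unchanged.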

User authentication configuration
(1) In httpd.conf:
AccessFileName .htaccess
.........
Alias /download/ "/var/www/download/"
<Directory "/var/www/download">
Options Indexes
AllowOverride AuthConfig
</Directory>
(2) Create the password file. Keep it outside DocumentRoot, as here, so that it can never be downloaded, and make it readable by the httpd user only:
/usr/local/apache2/bin/htpasswd -c /var/httpuser/passwords bearzhang
The -c option creates the file and overwrites an existing one; omit it when adding further users. htpasswd stores a hash, not the password itself; use -B (bcrypt, Apache 2.4) where available, since the older crypt and MD5-based defaults are fast to brute force and -s (unsalted SHA1) is the weakest choice.
(3) Configure the directory to require a password and tell the server which users may access it.
vi /var/www/download/.htaccess:
AuthType Basic
AuthName "restricted files"
AuthUserFile /var/httpuser/passwords
Require user bearzhang
# Require valid-user # any user listed in the password file
Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so use it only over HTTPS (see the SSL section). The <Files ~ "^\.ht"> block with Deny from all in the default httpd.conf is what makes requests for .htaccess and .htpasswd return 403; keep it, and never store a password file under a name outside that pattern inside the web tree.
Virtual host configuration
(1) IP-based virtual hosts
Listen 80
<VirtualHost 172.20.30.40>
DocumentRoot /www/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost 172.20.30.50>
DocumentRoot /www/example2
ServerName www.example2.org
</VirtualHost>

(2) IP-based virtual hosts on several ports
Listen 172.20.30.40:80
Listen 172.20.30.40:8080
Listen 172.20.30.50:80
Listen 172.20.30.50:8080
<VirtualHost 172.20.30.40:80>
DocumentRoot /www/example1-80
ServerName www.example1.com
</VirtualHost>
<VirtualHost 172.20.30.40:8080>
DocumentRoot /www/example1-8080
ServerName www.example1.com
</VirtualHost>
<VirtualHost 172.20.30.50:80>
DocumentRoot /www/example2-80
ServerName www.example2.org
</VirtualHost>
<VirtualHost 172.20.30.50:8080>
DocumentRoot /www/example2-8080
ServerName www.example2.org
</VirtualHost>
(3) Name-based virtual hosts on a server with a single IP address:
# Ensure that Apache listens on port 80
Listen 80
# Listen for virtual host requests on all IP addresses
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /www/example1
ServerName www.example1.com
ServerAlias example1.com *.example1.com
# Other directives here
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives here
</VirtualHost>
With name-based hosting the server picks the virtual host from the request's Host header. A request whose Host header matches no ServerName or ServerAlias (a bare IP address, a typo, or a scanner that sends none) is served by the first <VirtualHost> defined for that address and port, so put a deliberately empty or redirect-only default host first rather than leaving the main site in that position by accident.
(4) Name-based virtual hosts on a server with several IP addresses:
Listen 80
# This is the "main" server running on 172.20.30.40
ServerName server.domain.com
DocumentRoot /www/mainserver
# This is the other address
NameVirtualHost 172.20.30.50
<VirtualHost 172.20.30.50>
DocumentRoot /www/example1
ServerName www.example1.com
# Other directives here...
</VirtualHost>
<VirtualHost 172.20.30.50>
DocumentRoot /www/example2
ServerName www.example2.org
# Other directives here...
</VirtualHost>
(5) Different sites on different ports (name-based virtual hosts on a multi-port server):
Listen 80
Listen 8080
NameVirtualHost 172.20.30.40:80
NameVirtualHost 172.20.30.40:8080
<VirtualHost 172.20.30.40:80>
ServerName www.example1.com
DocumentRoot /www/domain-80
</VirtualHost>
<VirtualHost 172.20.30.40:8080>
ServerName www.example1.com
DocumentRoot /www/domain-8080
</VirtualHost>
<VirtualHost 172.20.30.40:80>
ServerName www.example2.org
DocumentRoot /www/otherdomain-80
</VirtualHost>
<VirtualHost 172.20.30.40:8080>
ServerName www.example2.org
DocumentRoot /www/otherdomain-8080
</VirtualHost>
(6) Mixed name-based and IP-based virtual hosts (the name-based part on 172.20.30.40 is shown; IP-based hosts on other addresses are configured as in (1)):
Listen 80
NameVirtualHost 172.20.30.40
<VirtualHost 172.20.30.40>
DocumentRoot /www/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost 172.20.30.40>
DocumentRoot /www/example2
ServerName www.example2.org
</VirtualHost>
<VirtualHost 172.20.30.40>
DocumentRoot /www/example3
ServerName www.example3.net
</VirtualHost>
The NameVirtualHost directive is required in Apache 2.0 and 2.2; Apache 2.4 ignores it with a warning, because every <VirtualHost> for a given address and port is name-based automatically.

SSL encryption configuration
Some basic concepts before configuring:
Certificates: a root (CA) certificate is created first and then used to issue the server certificate and, where client authentication is wanted, client certificates; the server and client certificates hang under the root in a hierarchy. For server authentication, which is what HTTPS normally provides, only the server needs a certificate; the client needs the CA certificate (or, for a self-signed server certificate, that certificate itself) in its trust store so that it can verify what the server presents. Client certificates are needed only when the server is also to authenticate its clients (SSLVerifyClient require). A certificate is produced by first generating a private key, then creating a certificate signing request (CSR) with that key, and finally having the CA sign the request with the CA's own key; the private key never leaves the machine it was generated on.
The certificates used by SSL can be self-issued or signed by a commercial CA such as VeriSign or Thawte. A self-issued certificate is not trusted by any browser until its CA certificate has been installed on the client, so it is practical only for test systems and for clients you control.
Issuing: with a commercial certificate, follow the vendor's instructions for submitting the CSR. For a privately issued certificate, the CA.sh script shipped with OpenSSL (apps/CA.sh) can serve as a minimal CA.
(1) The main settings in the conf/ssl.conf configuration file are:
Listen 443
SSLPassPhraseDialog builtin
# SSLPassPhraseDialog exec:/path/to/program
SSLSessionCache dbm:/usr/local/apache2/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache2/logs/ssl_mutex
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The SSLCipherSuite line above is the Apache 2.0 default and must not be used today: it admits export-grade (EXP) and low-strength (LOW) suites, SSLv2, RC4 and even unencrypted (eNULL) suites, all of which are broken. Use something like SSLProtocol -all +TLSv1.2 +TLSv1.3 together with SSLCipherSuite HIGH:!aNULL:!MD5:!RC4, plus SSLHonorCipherOrder on in Apache 2.2 and 2.4. SSLMutex was replaced by the general Mutex directive in Apache 2.4. The program named by SSLPassPhraseDialog exec: is run as root at startup and hands out the key passphrase, so it must be writable by root only.
(2) Creating and using a self-signed certificate:
A. Create an RSA private key for the Apache server (1024 bits was the norm when this was written; use at least 2048 today, as current browsers reject shorter keys)
/usr/local/openssl/bin/openssl genrsa -des3 -out /usr/local/apache2/conf/ssl.key/server.key 1024
B. Create a certificate signing request (CSR)
/usr/local/openssl/bin/openssl req -new -key /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.key/server.csr
C. Create a self-signed certificate (X.509) from the request, signed with the server's own key
/usr/local/openssl/bin/openssl req -x509 -days 365 -key /usr/local/apache2/conf/ssl.key/server.key -in /usr/local/apache2/conf/ssl.key/server.csr -out /usr/local/apache2/conf/ssl.crt/server.crt
The same three steps with short paths, this time with an unencrypted key (no -des3) so that httpd can start without a passphrase prompt; protect such a key with file permissions instead (chmod 600, owned by root):
/usr/local/openssl/bin/openssl genrsa -out server.key 1024
/usr/local/openssl/bin/openssl req -new -key server.key -out server.csr
/usr/local/openssl/bin/openssl req -x509 -days 365 -key server.key -in server.csr -out server.crt
(3) Create your own CA and use it to sign the server certificate:
mkdir /CA
cd /CA
cp openssl-0.9.7g/apps/CA.sh /CA
./CA.sh -newca # creates demoCA/ with the CA key (private/cakey.pem) and certificate (cacert.pem)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
cp server.csr newreq.pem
./CA.sh -sign # signs newreq.pem with the CA key and writes newcert.pem
cp newcert.pem /usr/local/apache2/conf/ssl.crt/server.crt
cp server.key /usr/local/apache2/conf/ssl.key/
Clients must then import demoCA/cacert.pem as a trusted CA, and the CA's private key should be kept off the web server: whoever holds it can issue certificates for any name that those clients will trust.
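
The following is an added example covering steps (2) and (3) above; it is not part of the original tutorial. It builds a private CA and a CA-signed server certificate with plain openssl subcommands instead of the CA.sh wrapper, using the parameters current clients require (2048-bit RSA, SHA-256, a subjectAltName), and then verifies the result the way a browser would. The CA name, the host name www.example.com and the scratch directory are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a private CA and a
# CA-signed server certificate built with plain openssl subcommands. The names
# "Example Private CA" and www.example.com are assumptions for the demo.

# make_ca <dir>: create the CA private key and its self-signed certificate.
make_ca() {
    dir="$1"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/ca.key"
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/CN=Example Private CA" 2>/dev/null || return 1
    # Mark the certificate as a CA explicitly; without basicConstraints some
    # verifiers refuse to build a chain through it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1
}

# make_server_cert <dir> <hostname>: key, CSR and CA-signed server certificate.
make_server_cert() {
    dir="$1"; host="$2"
    # No passphrase on the key (the tutorial's -des3 makes httpd prompt at
    # startup); rely on file permissions instead.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$host" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, not the CN, so the
    # extension file is what makes the certificate valid for $host. The CA,
    # not the requester, decides the extensions; nothing from the CSR is copied.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || return 1
}

# verify_chain <dir> <hostname>: succeed only if server.crt chains to ca.crt
# and names <hostname> in its subjectAltName, which is what a browser checks.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Demonstration in a scratch directory. On a real server copy server.key and
# server.crt to the SSLCertificateKeyFile and SSLCertificateFile paths and
# install ca.crt on the clients; ca.key stays off the web server.
work=$(mktemp -d)
if make_ca "$work" && make_server_cert "$work" www.example.com \
   && verify_chain "$work" www.example.com; then
    echo "server.crt chains to ca.crt and is valid for www.example.com"
else
    echo "certificate generation or verification failed"
fi
rm -rf "$work"
```

Unlike CA.sh, this keeps no index or serial database, so it cannot issue CRLs; it is meant for the handful of certificates a test or internal deployment needs, and verify_chain doubles as a quick check of any certificate and CA pair before it is installed.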
