# ExtendedStatus On
The Apache server can report its running status through a special HTTP request.
The ExtendedStatus parameter allows the server to report more comprehensive running status information.
Master server settings
The main server requires a number of settings that define how it uses its parameters to provide Web service. When virtual hosts are used, the settings here also serve as the default settings of each virtual host, apart from the items that are covered in the virtual host definition (some of which must be redefined there).
Port 80
Port defines the port used by the httpd daemon in standalone mode; the standard port is 80. This option is only valid for a server started in standalone mode. For a server started from inetd, the port is defined in inetd.conf.
On Unix, root privilege is required to use port 80. For security reasons, some administrators consider that the httpd server cannot be assumed free of security vulnerabilities and therefore prefer to start the server with an ordinary user's privileges; in that case port 80 and the other ports below 1024 cannot be used, and httpd must be started on a port above 1024, commonly 8000 or 8080. The Apache httpd server can open port 80 with root privilege and then run as an ordinary user, which reduces the risk, so this concern does not normally apply. If you have to install and configure your own WWW server as an ordinary user, however, you must use a port above 1024.
User nobody
Group nogroup
The User and Group settings are Apache's security guarantee: after Apache has opened its port, it switches to the user and group set by these two options, which reduces the server's exposure. This option is only used in standalone mode; in inetd mode, the user that runs Apache is specified in inetd.conf. Because the server must perform the setuid() operation to change identity, the initial process needs root privileges; if Apache is started by a non-root user, this setting has no effect.
The default values are nobody and nogroup. This user and group own no files on the system, which ensures that neither the server itself nor the CGI processes it starts have permission to change the file system. In some cases, for example when CGI programs need to interact with Unix, the server must also be able to access files on the server; if nobody and nogroup are still used, files owned by nobody appear on the system, which harms security, because other programs that run with nobody and nogroup privileges could then access those files. Generally, you should create a specific user and group for the Web service and change the User and Group settings here accordingly.
ServerAdmin you@your.address
ServerAdmin is the only item in the configuration file that must be changed. It configures the e-mail address of the WWW server's administrator, which is returned to the browser when an HTTP service error occurs so that Web users can contact the administrator to report errors. Traditionally, webmaster on the server is used as the administrator of the WWW server, and through the mail server's alias mechanism the mail sent to webmaster is delivered to the real Web administrator.
# ServerName new.host.name
By default, the ServerName parameter is not needed: the server obtains its own name through name resolution. But if name resolution for the server is faulty (usually the reverse lookup is incorrect), or the server has no official DNS name, you can also specify an IP address here. If ServerName is set incorrectly, the server cannot start normally.
In general, a Web server can have several names, and client browsers can use any of these names or IP addresses to reach the server. However, if no virtual host is defined, the server always answers the browser with its own official name. ServerName defines the official name the Web server reports. For example, if a server's name (defined with an A record in DNS) is example.org.cn and, for ease of memory, an alias (CNAME record) www.example.org.cn is also defined, the name Apache resolves automatically is example.org.cn, so whichever name the client browser uses for its request, the server tells the client that it is example.org.cn. This usually causes no problems, but consider that the server may one day be migrated to another computer, where the migration could be completed simply by changing the www alias in DNS; if you do not want users to record the example.org.cn address in their bookmarks, you must use ServerName to re-specify the server's official name.
DocumentRoot "/www/"
DocumentRoot defines the path where the hypertext files published by the server are stored. The URL requested by the client program is mapped to the Web page files under this directory. Subdirectories of this directory, and the files and directories pointed to by symbolic links, can be accessed by the browser, but the same relative directory name must be used in the URL. Note that although a symbolic link is logically located under the document root, it can actually point anywhere on the computer, so the client program can access directories outside the document root. This increases flexibility but reduces security. Apache provides the FollowSymLinks option in directory access control to enable or disable support for symbolic links.
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
The Apache server can control access to documents on a per-directory basis in two ways: in the httpd.conf file (or access.conf), or in an access control file placed in each directory, whose name is .htaccess. Although both methods can control browser access, the configuration file method requires the httpd daemon to be restarted after every change and is therefore inflexible; it is mainly used for the overall security control policy of the server system, while setting access control for specific directories in .htaccess files is more flexible and convenient.
The Directory statement defines the access restrictions for a directory; here we see its standard syntax. In the example above, the setting applies to the root directory of the system. The FollowSymLinks option allows symbolic links, and AllowOverride None indicates that the access control file in this directory is not allowed to change the configuration given here, which means the server does not need to look at an access control file in this directory.
Because Apache's access control settings for a directory are inherited by its subdirectories, the setting for the root directory affects every subdirectory. Note that, because of AllowOverride None, the Apache server does not need to look at an access control file in the root directory or in any directory below it until it reaches a directory for which httpd.conf (or access.conf) enables AllowOverride and thereby allows access control files to be consulted. Since Apache applies directory access control by inheritance, if access control files could be consulted from the root directory onward, Apache would have to look for an access control file at every level, which affects system performance. Disabling the feature at the root directory by default lets Apache start its search only from the specific directory given in httpd.conf, reducing the number of levels searched and improving performance. Therefore, setting AllowOverride None on the system root directory not only helps system security but also benefits system performance.
<Directory "/www/">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Here we define the access settings for the directory holding the documents the system publishes externally, using different AllowOverride options to define the relationship between the directory settings in the configuration file and the access control files in user directories; the Options option defines the features of this directory.
Access restrictions can be set both in the configuration file and in the access control file of each directory. The configuration file is set by the administrator, while the access control file in each directory is set by the directory's owner; therefore the administrator must be able to specify in the configuration file whether the directory owner may override the system settings, which is done with the AllowOverride parameter. Generally, the following values can be set:
AllowOverride setting: effect on the access control file in each directory
All: the access control file may override the system configuration (the default value)
None: the server ignores the access control file
Options: the access control file may use the Options parameter to define directory options
FileInfo: the access control file may use parameters such as AddType
AuthConfig: the access control file may use the per-user authentication mechanism (AuthName, AuthType and so on), which lets the directory owner protect the directory with user names and passwords
Limit: the access control file may restrict the IP addresses and names of the clients accessing the directory
Each directory has certain attributes; Options controls which access features are enabled in the directory. The common feature options are:
Options setting: server feature
All: all directory features are enabled (the default)
None: all directory features are disabled
FollowSymLinks: allow symbolic links, which makes it possible for the browser to access documents outside the document root (DocumentRoot)
SymLinksIfOwnerMatch: follow a symbolic link only when the link and its target are owned by the same user; this setting adds security
ExecCGI: allow CGI programs to be executed in this directory
Indexes: allow the server to send a listing of the files in this directory when no index.html (or other index file) exists there
In addition, the example above uses the Order, Allow and Deny parameters. This is the mechanism, also used inside Limit statements, for controlling access by the browser's domain name and IP address: Order defines the order in which Allow and Deny are processed, while Allow and Deny set the access control for names or IP addresses. In the example above, Allow from all lets every client access this directory without any restriction.
UserDir public_html
When Apache runs on a Linux server, every user on the computer can have a Web path of their own, such as http://example.org.cn/~user; adding the user name after the tilde maps the request to that user's Web page directory. The mapped directory is a subdirectory of the user's home directory whose name is defined by the UserDir parameter; the default is public_html. If you do not want to provide Web page service for the system's users, set the UserDir parameter to DISABLED.
#
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#
# Order allow,deny
# Allow from all
#
#
# Order deny,allow
# Deny from all
#
#
Here we can see another usage of Directory, that is, you can use a simple pattern matching method to define access control permissions for subdirectories distributed in different directories. In this way, the Apache server needs to perform additional processing on each path, which reduces the server performance. Therefore, this access restriction is not enabled by default.
Here we also see another statement, Limit, which sets access control for specific request methods: GET, POST and the other request methods supported by the server can be given as Limit parameters so that different request methods receive different access restrictions. Generally, you can leave the GET, POST and HEAD methods open and block the other request methods to increase security. Inside a Limit statement, Order, Allow and Deny are used as before to restrict domain names and IP addresses, except that domain names are matched from back to front while IP addresses are matched from front to back.
DirectoryIndex index.html
In many cases, the URL gives a directory name rather than a document name. The Apache server then automatically returns the file defined by DirectoryIndex in that directory; several file names may be given, and the server searches the directory for them in sequence. If none of the files specified by DirectoryIndex exists, the Apache server can generate a listing of all files in the directory, depending on the settings: the Indexes option (Options Indexes) must be enabled in the directory's access control options for the server to generate a directory listing; otherwise Apache refuses the request.
AccessFileName .htaccess
AccessFileName defines the name of the access control file in each directory; the default is .htaccess. By changing this file you change the access control restrictions of the individual directories.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
In addition to directory-based access control, access control can also be set on a per-file basis; this is the job of the Files statement. With a Files statement, a file whose name matches is subject to the corresponding access control no matter which directory it is in. This statement is important for system security: in the example above, all users are blocked from accessing .htaccess files, so that the key security information in .htaccess cannot be obtained by clients.
# CacheNegotiatedDocs
By default, when a proxy server negotiates with Apache about whether to cache its Web pages, Apache answers negatively, meaning that it does not want its pages cached by the proxy. This does not take effective advantage of proxy servers, so you can set the CacheNegotiatedDocs option to let proxies cache the pages. Note, however, that some proxy servers (or proxies with adjusted settings) cache pages even when this option is not set.
UseCanonicalName On
Enabling UseCanonicalName is the standard practice for Web servers: because most requests sent by clients refer to URLs supplied by the server, the server uses the ServerName and Port options to build a complete URL and returns it to the client, so that the browser obtains a canonical URL. If this parameter is set to Off, Apache takes the server name and port from the client request (this information is available in requests from clients that support HTTP/1.1) and rebuilds the URL from them.
TypesConfig /usr/local/apache/etc/mime.types
TypesConfig sets the file that stores the definitions of the different MIME types; on Linux it defaults to /usr/local/apache/etc/mime.types.
DefaultType text/plain
If the Web server cannot determine the type of a document, which usually means the document uses a non-standard suffix, the server sends it to the client browser with the MIME type defined by DefaultType. Here it is set to text/plain. The problem with this setting is that when the server cannot determine a document's MIME type, the document is in most cases a binary file; if it is sent back as text/plain, the browser opens it inline instead of prompting to save it. Therefore, we recommend changing this setting to application/octet-stream, so that the browser prompts the user to save the file.
MIMEMagicFile /usr/local/apache/etc/magic
Besides determining a file's MIME type from its suffix, Apache can go further and analyze the characteristics of the file's contents to determine its actual MIME type. This function is implemented by the mod_mime_magic module, which needs a file that records the signatures of the various MIME types for its analysis. The setting above is inside a conditional statement: if this module is loaded, the location of the magic signature file must be specified.
Normally, the server only obtains the client's IP address. To obtain the client's host name as well, for logging and for passing to CGI programs, you need to set the HostnameLookups option to On, which enables DNS lookups. However, this makes the server perform a DNS query for every client request, adding system overhead and slowing responses, so the option is disabled by default. With the option disabled, the server does not obtain the client's host name and can only record clients by IP address.
ErrorLog /var/log/httpd-error.log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %B" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# CustomLog /var/log/httpd-access.log common
# CustomLog /var/log/httpd-referer.log referer
# CustomLog /var/log/httpd-agent.log agent
CustomLog /var/log/httpd-access.log combined
The system log format is defined here. For the server's error records, ErrorLog and LogLevel define the error log file and what it records.
For access logs, CustomLog defines the log location, and by default the combined format is used to put all access records in one file. You can also store different kinds of access records in different log files by giving CustomLog a different record type: common records each single page request, referer records the referring page of each request (from which the number of requests a page contains can be seen), and agent records the client type. To do so, comment out the existing CustomLog line that uses combined and use common, referer and agent as CustomLog parameters to specify a separate log file for each type.
LogFormat defines these record types; the macros beginning with % record the different items. If the files specified by these parameters are given as relative paths, they are taken relative to the server's root path.
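As an added example (not part of the original text), the following Python script parses lines in the combined format defined above and runs the kind of checks the Limit and Files passages suggest: it counts status codes, flags requests for .ht* files, and flags request methods other than GET, POST and HEAD. The log lines are constructed for this example and use documentation addresses.

```python
import re
from collections import Counter

# Regex for the "combined" LogFormat defined above:
#   %h %l %u %t "%r" %>s %B "%{Referer}i" "%{User-Agent}i"
# The byte count is matched loosely so that both %b ("-" for zero) and %B ("0") parse.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample access log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.08 [en] (Win98; I ;Nav)"
203.0.113.5 - - [10/Oct/2000:13:55:37 -0700] "GET /icons/back.gif HTTP/1.0" 200 216 "http://example.org.cn/index.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
198.51.100.7 - - [10/Oct/2000:13:58:01 -0700] "GET /.htaccess HTTP/1.0" 403 - "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2000:13:58:02 -0700] "PUT /upload.cgi HTTP/1.1" 405 - "-" "curl/7.68.0"
this line is not in combined format
"""

# Methods the Limit passage suggests leaving open; anything else is flagged.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %r is "METHOD PATH PROTOCOL"; split it so the fields can be inspected separately.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def report(log_text):
    """Summarise a log: status counts, probes for .ht* files, unexpected methods."""
    out = {"status": Counter(), "htaccess_probes": [], "unexpected_methods": [],
           "malformed": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            out["malformed"] += 1
            continue
        out["status"][rec["status"]] += 1
        # Strip any query string, then look at the last path component.
        basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if basename.startswith(".ht"):
            out["htaccess_probes"].append((rec["host"], rec["path"], rec["status"]))
        if rec["method"] not in ALLOWED_METHODS:
            out["unexpected_methods"].append((rec["host"], rec["method"]))
    return out


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```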
ServerSignature On
In some cases, for example when a requested Web page does not exist, the server generates an error document. By default, because the ServerSignature option is enabled, the last line of the error document contains the server name, the Apache version and other information. Some administrators prefer not to expose this information externally and set this parameter to Off, or to Email, in which case the last line is replaced by a mail prompt for the ServerAdmin address.
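As an added example (not code from the page or from Apache), the following Python script parses a small httpd.conf fragment and reports the weak settings discussed on this page: AllowOverride or Indexes on the root Directory, DefaultType text/plain, ServerSignature On, and a missing Files block for .htaccess. It assumes the plain <Type arg> container form and does not handle the regex form <Files ~ "...">; the configuration fragment is constructed for the example.

```python
import re
from collections import namedtuple

# Constructed httpd.conf fragment (not taken from any real server); the root
# <Directory /> deliberately carries the settings the text advises against.
SAMPLE_CONF = """\
ServerSignature On
DefaultType text/plain
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/www/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
"""

Finding = namedtuple("Finding", "where directive advice")
OPEN_RE = re.compile(r'^<(\w+)\s+"?([^">]*?)"?>$')   # <Type arg> or <Type "arg">
CLOSE_RE = re.compile(r"^</\w+>$")


def parse_conf(text):
    """Split a config into top-level directives and a flat list of containers,
    each (type, argument, {lower-cased directive: argument string})."""
    top, containers, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2), {}))
        elif CLOSE_RE.match(line):
            containers.append(stack.pop())
        else:
            name, _, args = line.partition(" ")
            (stack[-1][2] if stack else top)[name.lower()] = args.strip()
    return top, containers


def audit(text):
    """Return Findings for the weak settings discussed on this page, in check order."""
    top, containers = parse_conf(text)
    out = []
    if top.get("serversignature", "off").lower() == "on":
        out.append(Finding("global", "ServerSignature", "use Off or Email"))
    if top.get("defaulttype", "").lower() == "text/plain":
        out.append(Finding("global", "DefaultType", "use application/octet-stream"))
    for kind, arg, d in containers:
        if kind.lower() != "directory":
            continue
        opts = set(d.get("options", "").split())
        if arg == "/" and d.get("allowoverride", "none").lower() != "none":
            out.append(Finding(arg, "AllowOverride", "use None on the root directory"))
        if arg == "/" and opts & {"Indexes", "All"}:
            out.append(Finding(arg, "Options", "no Indexes on the root directory"))
    if not any(k.lower() == "files" and a.startswith(".ht") for k, a, _ in containers):
        out.append(Finding("global", "Files", "add <Files .htaccess> with Deny from all"))
    return out
```

Running `audit(SAMPLE_CONF)` yields five findings; an audit of a fragment with `ServerSignature Off` and a `<Files .htaccess>` deny block yields none.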
Alias /icons/ "/www/icons/"
<Directory "/www/icons/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
The Alias parameter maps a URL directly to a real location in the server's file system. Normally a document is looked up under DocumentRoot, but a path defined by Alias is mapped directly to the given directory instead of being looked up under DocumentRoot. Alias can therefore be used to map shared public file paths, for example the icons path that holds the common icons. In this way, besides using symbolic links, directories outside the document root (DocumentRoot) can also be reached through an Alias mapping. After defining the mapped path, you must use a Directory statement to set its access restrictions.
ScriptAlias /cgi-bin/ "/www/cgi-bin/"
<Directory "/www/cgi-bin/">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
ScriptAlias is also used for URL path mapping, but unlike Alias, it maps the path of CGI programs: every file under this path is treated as a CGI program and executed to produce the result, instead of its content being returned directly by the server. By default, CGI programs use the cgi-bin directory as their virtual path.
# Redirect old-URI new-URL
The Redirect parameter redirects a URL: when a browser requests a resource that no longer exists on the server, the server returns a new URL to the browser, telling it to fetch the resource from there. This is mainly used for files that were originally stored on the server and have since moved, so that they remain reachable through the old URL and compatibility with previous URLs is maintained.