Apache Server Configuration Full Introduction _ Server

A profile controls all aspects of the server, so the three files need to be set up to run the server properly.

In addition to these three settings files, Apache uses the Mime.types file to identify different files
The corresponding MIME type, the Magic file sets some special identities for different MIME type files, so that the Apache server can judge the MIME type of the document by using these special tags in the contents of the file when it cannot determine the MIME type of the file from the document suffix.

bash-2.02$ ls-l/usr/local/apache/conf
Total 100
-rw-r--r--1 root wheel 348 APR 16:01 access.conf
-rw-r--r--1 root wheel 348 Feb 13:33 Access.conf.default
-rw-r--r--1 root wheel 30331 may 08:55 httpd.conf
-rw-r--r--1 root wheel 29953 Feb 13:33 httpd.conf.default
-rw-r--r--1 root wheel 12441 Apr 15:42 Magic
-rw-r--r--1 root wheel 12441 Feb 13:33 magic.default
-rw-r--r--1 root wheel 7334 Feb 13:33 mime.types
-rw-r--r--1 root wheel 383 17:01 srm.conf
-rw-r--r--1 root Wheel 357 Feb 13:33 Srm.conf.default

In fact, the current version of Apache will originally httpd.conf, All of the configuration parameters in srm.conf and access.conf are placed in a single profile httpd.conf, only three profiles are used for reasons compatible with previous versions (from NCSA-HTTPD in the same way that the three settings files were used). There are no specific settings in the access.conf and srm.conf files provided.

Because in the new version of Apache, all of the settings are placed in the httpd.conf, so you just need to adjust the settings in this file. The following uses the default provided httpd.conf as an example to explain the various settings options for the Apache server. However, you do not have to worry because it provides too many parameters to set, basically these parameters are very clear, you can run the Apache server without changes. However, if you need to adjust the performance of the Apache server and increase support for an attribute, you need to understand what these settings parameters mean.

On the performance of the Apache server, there is a lot of controversy over the internet, basically using Apache users almost do not doubt its excellent performance, Apache also supported many well-known high load of the site, but in the business evaluation, Apache often scored low. Many people point out that in these reviews, commercial Web servers and their operating systems are often performed by engineers of their professional firms, while free operating systems and Web servers often use their default configurations or make only minor changes. It should be noted that, in addition to operating system performance tuning, the Apache server itself's default configuration is not optimized and most efficient, but to adapt to almost all kinds of operating systems, all kinds of hardware settings, multi-platform software is not possible for specific platforms and specific hardware to provide the most optimized default configuration. So when you want to use Apache, performance tuning is essential.

Another fact that has been overlooked in the business evaluation is that the metrics tend to compare different kinds of functions, such as using Apache's standard CGI performance compared to server-side APIs such as ISAPI,NSAPI, in fact the Apache server is Modperl with this comparable functionality, FastCGI, similar to ASP functionality for PHP, and so on, but because of the Apache open mode, these functions are independent development Group, as a stand-alone module to achieve. But in the evaluation, the tester did not add the corresponding module to evaluate its performance.

Operating parameters of the HTTP daemon

Httpd.conf first defines some of the parameters that the httpd daemon needs to run in order to determine its operating mode and operating environment.

ServerType Standalone
ServerType defines how the server starts, the default is standalone STANDALONE,HTTPD the server is started by itself and resides in the host to monitor connection requests. The Web server is automatically started in the startup file/etc/rc.d/rc.local/init.d/apache under Linux, which is the recommended setting.
Another way to start the Apache server is to inet, use the Super server inetd to monitor connection requests and start the server. When you need to use the inetd startup method, you need to change to this setting, mask the/etc/rc.d/rc.local/init.d/apache file, and change the/etc/ Inetd.conf and inetd, then Apache can be launched from the inetd.
The difference between the two approaches is that the server itself manages its own startup process. This allows multiple copies of the server to be started immediately at boot time, with each replica residing in memory, and a connection request that does not require a child process to be processed immediately, responding faster and with higher performance to the client's browser request. The inetd way to start the HTTP server by inetd found that there is a connection request, because inetd to listen to too many ports, so the response is slower, less efficient, but save the connection request when the Web server occupies resources. Therefore, the inetd method is only used on servers that are occasionally accessed and do not require access speed. In fact, the inetd mode is not suitable for the HTTP burst and multiple connection characteristics, because a page may contain multiple images, and each image will cause a connection request, even though the number of visitors to teach less, but a few moments of connection requests, which is limited by inetd performance, It can even affect other server programs that are started by inetd.

ServerRoot "/usr/local"
ServerRoot is used to specify the running directory of the daemon httpd, httpd will automatically change the current directory of the process to this directory after it is started, so if the file or directory specified in the settings file is a relative path, the True path is located under the ServerRoot defined path.
Because the httpd will often do concurrent file operations, you need to use a lock to ensure that the file operation does not conflict, because NFS file system in the file lock ability is limited, so this directory should be a local disk file system, and should not use NFS file system.

#LockFile/var/run/httpd.lock
The Lockfile parameter specifies the lock file for the httpd daemon, which generally does not need to be set, and the Apache server automatically operates in the path below ServerRoot. However, if ServerRoot is an NFS file system, you need to use this parameter to specify the path in the local file system.

Pidfile/var/run/httpd.pid
Pidfile the specified file will record the process number of the httpd daemon, because httpd can automatically replicate itself, so there are multiple httpd processes in the system, but only one process is the first initiated process, it is the parent process for the other process, and sending a signal to the process affects all httpd processes. The process number of the httpd parent process is recorded in the file defined by the Pidfile.

Scoreboardfile/var/run/httpd.scoreboard
HTTPD uses Scoreboardfile to maintain the internal data of the process, so there is usually no need to change this parameter unless the administrator wants to run several Apache servers on a single computer, and each Apache server requires a separate setup file htt Pd.conf, and use a different scoreboardfile.

#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf
These two parameters, ResourceConfig and AccessConfig, are compatible with the old version of Apache that uses srm.conf and access.conf settings files. If there is no compatible need, the corresponding settings file can be specified as/dev/null, which means that no other settings file exists, and that only one file is used httpd.conf to save all of the setup options.

Timeout 300
Timeout defines a time-out interval for client and server connections that will disconnect the client after this interval (in seconds).

KeepAlive on
In HTTP 1.0, a connection can only transmit one HTTP request at a time, and the keepalive parameter is used to support a single connection, multiple transfer features of the HTTP 1.1 version, so that multiple HTTP requests can be delivered in a single connection. Although only newer browsers support this feature, it is still open to use this option.

Maxkeepaliverequests 100
Maxkeepaliverequests the maximum number of requests for HTTP requests that can be made for a single connection. Setting its value to 0 will support an unlimited transmission request within a single connection. In fact, no client program requests too many pages in a single connection, and usually does not reach the upper limit to complete the connection.

KeepAliveTimeout 15
KeepAliveTimeout tests the time between multiple request transfers in a connection, and if the server has completed a request but has not received the next request from the client, the server disconnects after the interval exceeds the value set by this parameter.
Minspareservers 5MaxSpareServers 10
On a Web server that uses a subprocess to process an HTTP request, the response time is slightly delayed because the child process is first built to process the customer's request. However, the Apache server uses a special technique to get rid of the problem, which is that the pre-generated multiple free child processes reside in the system and are immediately processed using these free subprocess once a request arises, so there is no delay caused by the build child process. As the number of client requests increases in the running, the child processes that are started are increased, but the server replicas do not exit immediately after processing an HTTP request, but stay on the computer for the next request. But the free copy of the child process does not increase the light without decreasing, too many free child processes do not process tasks and consume server processing power, so it is also necessary to limit the number of free copies so that they can be kept in a proper amount so that both the customer request and the unnecessary number of processes can be reduced.
Therefore, you can use parameter minspareservers to set the minimum number of free child processes and use parameter maxspareservers to limit the maximum number of free child processes, and redundant server process replicas will exit. Based on the actual situation of the server to set up, if the server performance is high, and is also frequently accessed, you should increase the settings of these two parameters. For a highly loaded professional web site, the two values should be roughly the same and equal to the maximum number of server replicas supported by the system, as well as unnecessary copy exits.

Startservers 5
The Startservers parameter is used to set the number of child process replicas that are started when the httpd is started, and this parameter is related to the minspareservers and maxspareservers parameters defined above and is used to initiate the idle subprocess to increase the server's response speed. This parameter should be set to a numeric value between the first two values, less than minspareservers and greater than maxs pareservers is meaningless.

MaxClients 150
On the other hand, the server's capabilities are limited after all, it is not possible to handle an unlimited number of connection requests at the same time, so the parameter maxclient s is used to specify the maximum number of concurrent clients that the server supports, if this value is set too large, When the system is busy, it has to switch between too many processes to service a large number of customers, which slows down the response to each customer and reduces overall efficiency. If this value is set to a lesser size, some client connection requests will be rejected when the system is busy. When server performance is high, you can increase the setting of this value appropriately. For professional Web sites, you should use a strategy to improve server efficiency, so this parameter cannot exceed the hardware itself, and if frequent denial of access occurs, you need to upgrade the server hardware. For the unprofessional web site, it is not too concerned about the response speed of the client browser, or that the reaction speed is slower than the refusal to connect better, you can also slightly exceed the hardware conditions to set this parameter.
This parameter restricts the minspareservers and maxspareservers settings, and they should not be greater than the setting of this parameter.

Maxrequestsperchild 30
A Web service that uses a subprocess to provide a service is a common way to connect a child process to a single connection, causing the problem that each connection requires a system operation to generate and exit the subprocess, making these additional processes occupy the computer's capacity for processing. So the best way to do this is to have a child process that can request services for multiple connections, this does not require these build, exit process system consumption, Apache in this way, once the connection is over, the child process does not quit, but stay in the system waiting for the next service request, which greatly improve performance.
However, due to the continuous application and release of memory in the process of neutron processing, more times will cause some memory garbage, which will affect the stability of the system and affect the efficient utilization of system resources. Thus, after a certain number of requests have been processed by a copy, a copy of the child process can be exited and a clean copy is replicated from the original httpd process, which can improve the stability of the system. In this way, the number of service requests processed by each subprocess is defined by the Maxre questperchild. The default setting value is 30, which is overly conservative for Linux systems with high stability characteristics, can be set to 1000 or higher, and is set to 0 to support unlimited service processing for each replica.

#Listen 3000
#Listen 12.34.56.78:80
#BindAddress *
The Listen parameter can specify that the server monitors HTTP requests for other ports in addition to the standard 80 ports. Because the FreeBSD system can have multiple IP addresses at the same time, you can also specify that the server listen only for HTTP requests to an IP address of a bindaddress</b>. If this is not configured, the server responds to requests for all IP.
Even if the bindaddress parameter is used, the server responds only to requests for one IP address, but by using the extended listen parameter, the HTTP daemon can still be allowed to respond to requests for other IP addresses. At this point the use of the Listen parameter is the same as the second example above. This more complex usage is primarily used for settings. You can then use the VirtualHost parameter to define the different IP, but this usage is the method set in the earlier HTTP 1.0 standard, each one needs an IP address, in fact, not very useful. In HTTP 1.1, the addition of a single IP address multiple domain name support, so that the settings have greater significance.

LoadModule Mime_magic_module libexec/apache/mod_mime_magic.so
LoadModule Info_module libexec/apache/mod_info.so
LoadModule Speling_module libexec/apache/mod_speling.so
LoadModule Proxy_module libexec/apache/libproxy.so
LoadModule Rewrite_module libexec/apache/mod_rewrite.so
LoadModule Anon_auth_module libexec/apache/mod_auth_anon.so
LoadModule Db_auth_module libexec/apache/mod_auth_db.so
LoadModule Digest_module libexec/apache/mod_digest.so
LoadModule Cern_meta_module libexec/apache/mod_cern_meta.so
LoadModule Expires_module libexec/apache/mod_expires.so
LoadModule Headers_module libexec/apache/mod_headers.so
LoadModule Usertrack_module libexec/apache/mod_usertrack.so
LoadModule Unique_id_module libexec/apache/mod_unique_id.so

Clearmodulelist
Addmodule mod_env.c
Addmodule mod_log_config.c
Addmodule MOD_MIME_MAGIC.C
Addmodule mod_mime.c
Addmodule MOD_NEGOTIATION.C
Addmodule MOD_STATUS.C
Addmodule mod_info.c
Addmodule mod_include.c
Addmodule mod_autoindex.c
Addmodule mod_dir.c
Addmodule MOD_CGI.C
Addmodule MOD_ASIS.C
Addmodule mod_imap.c
Addmodule MOD_ACTIONS.C
Addmodule mod_speling.c
Addmodule mod_userdir.c
Addmodule mod_proxy.c
Addmodule MOD_ALIAS.C
Addmodule mod_rewrite.c
Addmodule MOD_ACCESS.C
Addmodule mod_auth.c
Addmodule MOD_AUTH_ANON.C
Addmodule MOD_AUTH_DB.C
Addmodule mod_digest.c
Addmodule MOD_CERN_META.C
Addmodule MOD_EXPIRES.C
Addmodule MOD_HEADERS.C
Addmodule MOD_USERTRACK.C
Addmodule MOD_UNIQUE_ID.C
Addmodule mod_so.c
Addmodule MOD_SETENVIF.C

An important feature of the Apache server is its modular structure, which not only shows its ability to add new functionality through new modules at compile time, but also shows that its modules can dynamically load into the HTTP service program without loading unwanted modules. Using Apache dynamic loading modules requires only the load module and addmodule parameters to be set, which is the Apache DSO (Dynamic Shared Object) feature, However, to fully use the DSO feature is still not a simple thing, the improper changes in this setting may cause the server can not start normally. So if you're not adding or reducing the functionality that the server provides, don't change the settings here.

The above list shows the Linux default Apache server supported modules, in fact, many modules are not necessary, do not need the module will not be loaded into memory. The module can be statically connected to the Pache server, or it can be dynamically loaded, and the Apache feature is compiled into a dynamic loadable module, rather than the Apache default approach, which offers great flexibility at the expense of very small performance.

So the ability to dynamically load or performance has a slight impact, so you can recompile Apache, the functionality you need to compile into the Apache server inside, you can make the system appear cleaner, the efficiency is slightly improved. It is usually not necessary to recompile Apache for this purpose only, and if additional features are needed to recompile Apache, all modules can be statically connected to the Apache server while additional modules are added. Some users prefer dynamic loading modules, so you may want to use dynamic loading modules all.

These modules are placed under the/usr/local/apache/libexec/directory and each module corresponds to one feature of the Apache server. It takes a considerable amount of space to explain the functionality of each module in detail, and the more important features will be explained in the appropriate place later, and the functionality and usage of each module requires viewing Apache documentation.

#ExtendedStatus on
The Apache server can report its running status through special HTTP requests, and opening this extendedstatus parameter allows the server to report more comprehensive running status information.
Primary server Settings

The Apache server requires a variety of settings to define its own use of parameters to provide Web services. For use, the setting is also the default setting in addition to the settings that are overridden in the definition item (some of the settings must be redefined).

Port 80
Port defines the ports used by the httpd daemon in standalone mode, and the standard port is 80. This option is only valid for servers that start independently, and for servers that start in inetd, define which port to use in inetd.conf.

The use of 80 ports under UNIX requires root permissions, and some administrators, for security reasons, think that the httpd server is unlikely to have no security vulnerabilities, and therefore more willing to use the privileges of ordinary users to start the server, so that you can not use 80 ports and other ports less than 1024, and must use greater than 1024 port to start httpd, typically 8000 or 8080 is also a common port. The Apache httpd server itself can be turned into a normal user identity by opening 80 ports with root privileges, thus reducing the risk, so there is no need to consider this security issue. However, if ordinary users also want to install their own WWW server, they will have to use a port greater than 1024.

User Nobody
Group Nogroup
The user and group configuration is Apache security, and Apache is set to run the user and group permissions set by both options after the port is opened, which reduces the server's risk. This option is also used only for standalone mode, where the inetd mode specifies the user running Apache in inetd.conf. Because the server must perform a setuid () operation that changes identity, the initial process should have root privileges and this configuration will not work if the Aapche is started with a non-root user.
The default setting is nobody and Nogroup, where the user and group do not own files in the system, ensuring that the server itself and the CGI process it starts with do not have permission to change the file system. In some cases, for example, in order to run a CGI-UNIX interaction, you also need to have the server access files on the server, and if you still use nobody and nogroup, then files that belong to nobody will appear in the system, which is bad for system security. Because other programs also perform certain operations with the privileges of nobody and nogroup, it is possible to access the files owned by these nobody, causing security problems. In general, set a specific user and group for the Web service, and change the user and group settings here.

ServerAdmin
What should change in the configuration file may only be serveradmin, which is used to configure the email address of the administrator of the WWW server, which will be returned to the browser under the condition of an error in the HTTP service so that Web users and administrators can contact and report errors. It is customary to use webmaster on the server as the administrator of the WWW server to send e-mail messages sent to webmaster to the real Web administrator through the alias mechanism of the mail server.

#ServerName New.host.name
By default, this servername parameter is not required, and the server automatically obtains its name through the name resolution process, but you can also specify an IP address here if the server has a problem with name resolution (usually incorrect for reverse parsing), or without a formal DNS name. The server does not start properly when the servername is set incorrectly.
Typically a Web server can have multiple names, and the client browser can use all these names or IP addresses to access the server, but in the absence of a definition, the server always responds to the browser with its own official name. ServerName defines the official name that the Web server admits itself, For example, a server name (defined in DNS, a type) for exmaple.org.cn, and for the convenience of memory also defines an alias (CNAME record) for, then Apache automatically parse the name is example.org.cn, so no matter what the client browser to send the request, service The device always tells the client that the program itself is example.org.cn. Although this is not generally a problem, considering that one day the server may migrate to another computer and just want to complete the migration task by changing the WWW alias configuration in DNS, you do not want the customer to use Linux to record the address of this server in their bookmarks. You must use ServerName to reassign the official name of the server.

DocumentRoot "/www/"
DocumentRoot defines the path to this server's external hypertext document, and the client request for your L is mapped to the Web page file in this directory. Subdirectories in this directory, as well as files and directories indicated using symbolic connections, can be accessed by the browser, only using the same relative directory name on the URL.

Note that symbolic connections, although logically located under the root document directory, can actually be located in any directory on the computer, so that clients can access directories outside of the root document directory, which increases flexibility while reducing security. Apache provides the FollowSymLinks option in Directory Access control to turn on or off features that support symbolic connections.
Options FollowSymLinks
AllowOverride None
The Apache server can access control of documents for the directory, but access control can be implemented in two ways, one in the settings file Httpd.conf (or access.conf) is set for each directory, and the other is to set access control files in each directory, usually with the. htaccess name of the access control file. Although these two ways can be used to control browser access, however, the use of the configuration file method requires a reboot after each change httpd daemon, less flexible, so mainly used to configure the server system's overall security control strategy, It is more flexible and convenient to use the. htaccess file in each directory to set access control for a specific directory.
Directory statements are used to define access restrictions for a directory, where you can see the standard syntax for defining access restrictions for a directory. This setting for the previous example is for the root directory of the system, sets the option to allow symbolic connections, and uses allowoverride none to followsymlinks access control files under this directory to change the configuration here. This also means that you do not have to view the corresponding access control files in this directory.
Because Apache access control settings for a directory are able to be inherited by the next level of directory, the settings on the root directory affect its subordinate directory. Note that because of the allowoverride none setting, the Apache server does not need to view access control files under the root directory, nor does it need to view access control files at the following levels of directory until httpd.conf (or access.conf Allows you to view access control files for a directory by specifying the Allow alloworride. Because Apache is the inheritance of Directory access control, if access control files are allowed to be viewed from the root directory, then Apache must view access control files at one level, which can have an impact on system performance. By default, this feature of the root directory is turned off so that Apache searches down from the directory specified in httpd.conf, reducing the number of searches and increasing system performance. Therefore, the system root setting allowoverride None is not only helpful for system security, but also beneficial to system performance.

Options Indexes FollowSymLinks
AllowOverride None
Order Allow,deny
Allow from all
This defines the access settings for the directory where the system publishes the document and sets different allowoverride options to define the relationship between the directory settings in the configuration file and the security control file under the user directory, and the options option is used to define the attributes of the directory.
Access restrictions can be set by configuration files and access control files in each directory. The settings file is set by the administrator, and the access control files in each directory are set by the owner of the directory, so the administrator can specify whether the owner of the directory can overwrite the system's settings in the settings file, which requires Ah, yes. The allowoverride parameter is set, which can usually be set to the following values:
Impact of allowoverride settings on the function of each directory access control file
All defaults to enable access control files to overwrite system configuration
None server ignores settings for access control files
Options allow access control files to define a directory using the option parameter
FileInfo allow access to the control file can be set using AddType parameters
Authconfig allows access to control files using the authentication mechanism for each user, such as Authname,authtype, which enables the directory owner to protect the directory with the password and user name Limit allow restrictions on the IP address and name of the client accessing the directory
Each directory has a certain attribute, you can use the options to control some of the access features in this directory settings, the following are the common feature options:

Options set Server attribute settings
All of the directory attributes are valid, this is the default state
None of the directory attributes are valid
FollowSymLinks allows the use of symbolic connections, which makes it possible for browsers to access documents other than the document root (DocumentRoot) SymLinksIfOwnerMatch only allow access if the purpose of a symbolic connection is owned by the same user as the symbolic connection itself. This setting will add some security
EXECCGI allows a CGI program to be executed in this directory Indexes allows browsers to generate an index of all files in this directory so that when there is no index.html (or other index file) in this directory, you can send a list of files in this directory to the browser
In addition, an order, Allow, and deny parameters are used in the previous example, which is a way to control access based on the domain name and IP address of the browser in the limit statement. Where the order definition deals with allow and deny, while allow, deny access control settings for first name or IP, the example uses Allowfrom all to allow all clients access to the directory without any restrictions.

Userdir public_html
When running the Apache server on a Linux, all users on this computer can have their own page paths, such as using a wavy symbol plus a username to map to the user's own page directory. The mapping directory is a subdirectory under the user's home directory, whose name is defined with the Usedir parameter, and the default is public_html. If you do not want to provide Web services for the official user, use disabled as the Userdir parameter.

#
# allowoverride FileInfo authconfig Limit
# Options MultiViews Indexes symlinksifownermatch includesnoexec
#
# Order Allow,deny
# Allow from all
#
#
# Order Deny,allow
# Deny from all
#
#

Another use of directory is that you can define access control permissions for subdirectories that are distributed in different directories by using a simple pattern-matching approach. This setting requires that the Apache server perform additional processing on each path, thereby reducing the performance of the server, so the default does not open this access limit.