Apache Server Configuration Raiders 2: server

Source: Internet
Author: User

Apache Server Configuration Full Introduction (III)
Primary server Settings
The Apache server needs a number of settings that define the parameters it uses to provide Web services. When virtual hosts are used, these settings are also the defaults for each virtual host, except for those that are overridden in the virtual host's definition (some of the settings must be redefined there).
Port 80
Port defines the port the httpd daemon listens on in standalone mode; the standard port is 80. This option is only valid for servers started in standalone mode; for servers started from inetd, the port to use is defined in inetd.conf.
On UNIX, using port 80 requires root privileges. Some administrators, for security reasons, consider it unlikely that the httpd server has no security vulnerabilities at all and therefore prefer to start the server with the privileges of an ordinary user; such a server cannot use port 80 or any other port below 1024, and httpd must be started on a port above 1024, typically 8000 or 8080. The Apache httpd server itself opens port 80 with root privileges and then switches to an ordinary user identity, which reduces the risk, so this security issue does not need to be considered. However, if an ordinary user wants to install their own WWW server, they will have to use a port above 1024.
User nobody
Group nogroup
The User and Group settings are Apache's security settings: after the port has been opened, Apache runs with the permissions of the user and group set by these two options, which reduces the server's risk. These options are also used only in standalone mode; in inetd mode the user that runs Apache is specified in inetd.conf. Because the server must perform a setuid() operation to change identity, the initial process must have root privileges, and this configuration has no effect if Apache is started by a non-root user.
The defaults are nobody and nogroup, a user and group that own no files on the system, which ensures that neither the server itself nor the CGI processes it starts have permission to change the file system. In some cases, for example to run CGI programs that interact with UNIX, the server also needs to access files on the server; if nobody and nogroup are still used, files owned by nobody appear on the system, which is bad for system security. Because other programs also perform certain operations with the privileges of nobody and nogroup, they could access the files owned by nobody, causing security problems. In general, set a specific user and group for the Web service and change the User and Group settings here accordingly.
ServerAdmin you@your.address
The one entry in the configuration file that may have to be changed is ServerAdmin, which configures the e-mail address of the WWW server's administrator. This address is returned to the browser when an error occurs in the HTTP service, so that Web users can contact the administrator and report errors. It is customary to use webmaster as the WWW server administrator and to forward e-mail sent to webmaster to the real Web administrator through the alias mechanism of the mail server.

#ServerName new.host.name
By default this ServerName parameter is not required, and the server obtains its name automatically through name resolution; but you can also specify an IP address here if the server has a problem with name resolution (usually an incorrect reverse lookup) or has no formal DNS name. The server does not start properly when ServerName is set incorrectly.
Typically a Web server can have several names, and client browsers can use any of these names or IP addresses to reach it, but when no virtual host is defined the server always responds to the browser with its own official name. ServerName defines the official name by which the Web server identifies itself. For example, if a server's name (defined as an A record in DNS) is example.org.cn, and for ease of memory an alias (CNAME record) www.example.org.cn is also defined, then the name Apache resolves automatically is example.org.cn, so whichever name the client browser uses to send the request, the server always tells the client that it is example.org.cn. Although this is generally not a problem, consider that one day the server may migrate to another computer and you want to complete the migration simply by changing the WWW alias in DNS; in that case you do not want clients to have recorded this server's real name in their bookmarks, and you must use ServerName to reassign the server's official name.
DocumentRoot "/www/"
DocumentRoot defines the path of this server's externally visible hypertext documents; a client's request for a URL is mapped to a Web page file in this directory. Subdirectories of this directory, as well as files and directories pointed to by symbolic links, can be accessed by browsers simply by using the same relative directory name in the URL.
Note that symbolic links, although logically located under the document root, can actually point to any directory on the computer, so clients can access directories outside the document root, which increases flexibility while reducing security. Apache provides the FollowSymLinks option in Directory access control to turn support for symbolic links on or off.

Apache Server Configuration Full Introduction (iv)
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
The Apache server can apply access control to the documents in a directory, and this can be implemented in two ways: one is to set it for each directory in the configuration file httpd.conf (or access.conf), and the other is to place an access control file, usually named .htaccess, in each directory. Both methods can control browser access, but the configuration-file method requires the httpd daemon to be restarted after every change and is less flexible, so it is mainly used to configure the server's overall security control strategy; using a .htaccess file in each directory is more flexible and convenient for setting access control on a specific directory.
Directory sections define access restrictions for a directory; above you can see the standard syntax for doing so. The setting in this example applies to the system's root directory: it sets the option that allows symbolic links, and uses AllowOverride None so that access control files under this directory cannot change the configuration made here. This also means that the server does not have to look for access control files in this directory.
Because Apache's access control settings for a directory are inherited by its subdirectories, the settings on the root directory affect every directory beneath it. Note that because of AllowOverride None, the Apache server does not need to look for access control files in the root directory, nor in any directory beneath it, until httpd.conf (or access.conf) allows access control files to be read for some directory by specifying an AllowOverride value other than None. Because directory access control is inherited, if access control files were allowed from the root directory onward, Apache would have to read an access control file at every level of the path, which affects system performance. By default this feature is turned off for the root directory, so Apache only searches downward from the directories specified in httpd.conf, which reduces the number of lookups and improves performance. Therefore AllowOverride None on the system root is helpful not only for system security but also for system performance.
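As an added illustration (not code from the original article), the following Python model shows which .htaccess files Apache would read for a request, given the AllowOverride values of a set of Directory sections; the Directory paths and their settings are constructed examples that mirror the page's root-locked, /www-published layout.

```python
import posixpath

# Constructed example of <Directory> AllowOverride settings, keyed by directory.
# Mirrors the page's httpd.conf: the root is locked down, the document root is open.
DIRECTORY_OVERRIDES = {
    "/": "None",
    "/www": "All",
}


def _ancestors(path):
    """Yield every directory from "/" down to the directory that holds path."""
    directory = posixpath.dirname(posixpath.normpath(path))
    parts = [p for p in directory.split("/") if p]
    yield "/"
    for i in range(1, len(parts) + 1):
        yield "/" + "/".join(parts[:i])


def htaccess_files_consulted(requested_file, overrides=DIRECTORY_OVERRIDES):
    """Return the .htaccess paths Apache would read for a request to requested_file.

    Apache walks from "/" down to the file's directory.  Each <Directory> block is
    inherited by its subdirectories, so the effective AllowOverride at any level is
    the value of the nearest enclosing <Directory> that sets one.  Wherever that
    effective value is not None, the directory's .htaccess must be read.
    """
    consulted = []
    effective = "None"  # until some <Directory> says otherwise, nothing is read
    for directory in _ancestors(requested_file):
        if directory in overrides:
            effective = overrides[directory]
        if effective != "None":
            consulted.append(posixpath.join(directory, ".htaccess"))
    return consulted
```

With AllowOverride All on "/", every level of the path costs a file lookup, which is the performance point made above.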
<Directory "/www">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
This defines the access settings for the directory in which the system publishes its documents. Different AllowOverride values define the relationship between the directory settings in the configuration file and the security control file in the user's directory, and the Options directive defines the attributes of the directory.
Access restrictions can be set both in the configuration file and in the access control file in each directory. The configuration file is set by the administrator, while the access control file in each directory is set by the directory's owner, so the administrator can specify in the configuration file whether the directory's owner may override the system's settings. This is done with the AllowOverride parameter, which can usually be set to the following values:
Impact of AllowOverride settings on the function of each directory's access control file:
All: the access control file is allowed to override the system configuration (the default)
None: the server ignores the settings in access control files
Options: the access control file may define the directory's attributes with the Options parameter
FileInfo: the access control file may set parameters such as AddType
AuthConfig: the access control file may use AuthName, AuthType and so on to set the per-user authentication mechanism, which lets the directory owner protect the directory with a user name and password
Limit: the access control file may restrict the IP addresses and names of the clients that access the directory
Each directory has certain attributes, and you can use Options to control some of the access feature settings for the directory. The following are common options:
Options: server attribute settings
All: all directory attributes are enabled; this is the default state
None: no directory attributes are enabled
FollowSymLinks: allows symbolic links to be followed, which makes it possible for browsers to access documents outside the document root (DocumentRoot)
SymLinksIfOwnerMatch: allows a symbolic link to be followed only if its target is owned by the same user as the link itself; this adds some security
ExecCGI: allows CGI programs to be executed in this directory
Indexes: allows the browser to be sent a generated list of all files in this directory when it contains no index.html (or other index file)
In addition, the Order, Allow and Deny parameters were used in the example above; this is a way of controlling access based on the browser's domain name and IP address, as used in Limit sections. Order defines the order in which Allow and Deny are processed, while Allow and Deny set the access control for names or IPs. The example uses Allow from all to let all clients access the directory without any restriction.
UserDir public_html
When running the Apache server on Linux, every user on the computer can have their own page path of the form http://example.org.cn/~user, in which a tilde plus a user name is mapped to the user's own page directory. The mapped directory is a subdirectory of the user's home directory, whose name is defined with the UserDir parameter; the default is public_html. If you do not want to provide Web services for users, use disabled as the UserDir parameter.
#AllowOverride FileInfo AuthConfig Limit
#Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#Order allow,deny
#Allow from all
#Order deny,allow
#Deny from all
Another use of Directory is that you can define access control for subdirectories scattered across different directories by using a simple pattern-matching approach. This requires the Apache server to perform additional processing on every path, which reduces the server's performance, so this access limit is not enabled by default.

Apache Server Configuration Full Introduction (v)
Here you can see another section, Limit. A Limit section sets access control for specific request methods: GET, POST and the other request methods supported by the server can be given as Limit parameters, so that different access restrictions apply to different request methods. Generally you can enable the three request methods GET, POST and HEAD while blocking the other request methods to increase security. Inside Limit sections you can use Order, Allow and Deny with matching on domain names and IP addresses, with the difference that domain names are matched from the end backwards while IP addresses are matched from the beginning forwards.
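The following Python function is an added example, not part of the original article: it evaluates Order, Allow and Deny the way Apache's mod_access did, with partial domain names matched from the end and partial IP addresses matched from the start, as described above; the client addresses, host names and rules used in it are constructed.

```python
def _host_matches(host, domain):
    """Domain names match from the end: 'example.org.cn' matches itself and
    'www.example.org.cn' but not 'badexample.org.cn'; a leading dot
    ('.example.org.cn') matches subdomains only."""
    if host is None:
        return False
    host, domain = host.lower(), domain.lower()
    if not host.endswith(domain):
        return False
    if len(host) == len(domain):
        return True  # whole name matched
    # Accept only a match on a label boundary, so 'mygood.com' != 'good.com'.
    return domain.startswith(".") or host[-len(domain) - 1] == "."


def _ip_matches(ip, partial):
    """IP addresses match from the start: '10.1' covers 10.1.0.0 to 10.1.255.255."""
    want = partial.split(".")
    return 1 <= len(want) <= 4 and ip.split(".")[: len(want)] == want


def _matches_any(entries, ip, host):
    """True if the client matches any 'all', partial-IP or domain-name entry."""
    for entry in entries:
        if entry.lower() == "all":
            return True
        if entry[0].isdigit():
            if _ip_matches(ip, entry):
                return True
        elif _host_matches(host, entry):
            return True
    return False


def access_decision(order, allow, deny, ip, host=None):
    """Return True if the client is admitted under the given Order/Allow/Deny.

    order: 'Allow,Deny' or 'Deny,Allow'; allow/deny: entries of the
    'Allow from' / 'Deny from' lines; ip: client IPv4 as a string;
    host: reverse-resolved client name, or None when lookups are off.
    """
    allowed = _matches_any(allow, ip, host)
    denied = _matches_any(deny, ip, host)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Default is deny: the client must match an Allow and no Deny.
        return allowed and not denied
    if key == "deny,allow":
        # Default is allow: a matching Deny is overridden by a matching Allow.
        return not denied or allowed
    raise ValueError("unsupported Order: %r" % order)
```

Note that a domain-name rule can never admit a client whose name did not reverse-resolve (host is None), so name-based rules only work when host name lookups are enabled.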
DirectoryIndex index.html
In many cases the URL does not name a document but only gives a directory name. The Apache server then automatically returns the file defined by DirectoryIndex in that directory; you can of course specify several file names, and the system searches the directory for them in order. When none of the files specified by DirectoryIndex exists, the Apache server can, depending on the system settings, generate a list of all files in the directory for the user to choose from. The Indexes option (Options Indexes) must be enabled in the access control options for that directory for the server to generate a directory listing; otherwise Apache denies access.
AccessFileName .htaccess
AccessFileName defines the name of the access control file in each directory, by default .htaccess; you can change the access control restrictions for different directories by changing this file.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
Besides access control for directories, access control can also be set per file, which is the task of the Files section. With a Files section, files whose names match must accept the corresponding access control regardless of the directory they are located in. This section is important for system security; for example, the one above blocks all users from accessing the .htaccess file, so that the key security information in .htaccess cannot be captured by clients.
#CacheNegotiatedDocs
By default, when a proxy server negotiates with the Apache server about whether its Web pages may be cached, Apache gives a negative answer and does not want its pages to be cached by the proxy server. However, this does not make effective use of the proxy server, so you can set the CacheNegotiatedDocs option so that proxy servers can cache the pages. Even if you do not set this option, some proxy servers can still cache the pages (possibly after adjusting their settings).
UseCanonicalName on
Enabling UseCanonicalName is standard practice for Web servers, because most requests sent by clients are self-references to the server; with it, the server builds the full URL from the ServerName and Port settings and responds to clients with it, so the browser gets the canonical URL. If this parameter is set to Off, Apache rebuilds the URL using the server name and port value taken from the client's request (this information is available in requests from clients that support HTTP/1.1).
TypesConfig /usr/local/apache/etc/mime.types
TypesConfig sets the name of the file that holds the definitions of the different MIME types; the default setting on Linux is /usr/local/apache/etc/mime.types.
DefaultType text/plain
If the Web server cannot determine the type of a document, which usually means the document uses a non-standard suffix, it sends the document to the client browser with the MIME type defined by DefaultType. The problem with setting this to text/plain is that most documents whose MIME type the server cannot determine are binary, but they are sent back as text/plain, so the browser opens them inline instead of prompting the user to save them. It is therefore recommended to change this setting to application/octet-stream so that the browser prompts the user to save the file.
MIMEMagicFile /usr/local/apache/etc/magic
In addition to judging a file's MIME type from its suffix, Apache can analyse some characteristics of the file's content to determine its true MIME type. This feature is implemented by the mod_mime_magic module, which requires a file that records the characteristic signatures of the various MIME types for the analysis. The setting above sits inside a conditional: if the module is loaded, the location of the corresponding magic file must be specified.
