[R]/usr/share/doc/apache2/readme.debian.gz

Contents
==========

Apache2 configuration under Debian GNU/Linux
Files And Directories In '/etc/apache2'
Tools

Using mod_cache_disk

SSL
Enabling SSL
Creating Self-signed certificates
SSL workaround for MSIE

Suexec

Documentation

Upgrades

Common Problems

For developers

Apache2 configuration under Debian GNU/Linux
========================================================== ====

Debian's default apache2 installation attempts to make adding and
Removing modules, virtual hosts, and extra configuration directives
Flexible as possible, in order to make automating the changes and
Administering the server as easy as possible.

Please be aware that this layout is quite different from the standard
Apache configuration. Due to the use of environment variables, apache2
Needs to be started/stopped with '/etc/init. d/apache2', apachectl, or
Apache2ctl. Calling '/usr/bin/apache2' directly will not work with
Default Configuration. To call apache2 with specific command line
Arguments, just call apache2ctl with the same arguments.

Files And Directories In '/etc/apache2 ':
---------------------------------------

Apache2.conf

This is the main configuration file. It does not include any
Actual configuration we recommend CT to be adapted on your site, so
Where possible please do not touch it. This file is
Foundation stone of the Apache configuration in Debian and shocould
Be up to date after upgrades to make sure all configuration pieces
Are properly encoded ded.

If you want to extend the global configuration, you can customize
The Apache Web server by including configuration files through
Conf-available mechanic. To change listening ports and Socket
Configuration use ports. conf (see below ).

Ports. conf

Configuration ctictives for which ports and IP addresses
Listen.

Magic

Patterns for mod_mime_magic. This is not compatible with the format
Used by current versions of the file/libmagic packages.

Envvars

This contains environment variables that may be used in
Configuration. Some settings, like user and PID file, need
Go in here so that other scripts can use them. It can also
Be used to change some default settings used by apache2ctl,
Including the ulimit value for the maximum number of open files.
The default lang = C setting is also here, and can be changed to
Different language.

Conf-available/

Files in this directory are encoded in the global server scope
This line in apache2.conf:

# Include generic snippets of statements
Includeoptional conf-enabled/*. conf

This is a good place to add additional Configuration
Directives. All configuration snippets need a'. conf' suffix to be
Included as actual configuration. The local administrator shocould
Use file names starting with 'local-'to avoid name clashes
Files installed by packages.

Configuration snippets can be enabled and disabled by using
A2enconf and a2disconf executables. This works similarly to
Approach used for modules and sites below.

Configuration snippets can of course also be encoded in individual
Virtual Hosts.

Conf-enabled/

Like mod-enabled/and sites-enabled/, a piece of configuration is
Enabled by symlinking a file from conf-available/into this
Directory. The a2enconf helper is provided to assist this task.

Mod-available/

This directory contains a series of. Load and. conf files.
The. Load files contain the Apache configuration Directive
Necessary to load the module in question. The corresponding
. Conf files contain configuration directives necessary
Utilize the module in question.

Mod-enabled/

To actually enable a module for apache2, it is necessary
Create a symlink in this directory to The. Load (and. conf, if
It exists) files associated with the module in
Mod-available/. For example:

CGI. Load->/etc/apache2/mod-available/cgi. Load

The a2enmod helper can be used to enable a module.

Sites-available/

Like mod-available/, cannot that it contains configuration
Directives for different virtual hosts that might be used
Apache2. note that the hostname doesn't have to correspond
Exactly with the filename. '000-default. conf' is the default
Host which is provided by Debian.

Sites-enabled/

Similar in functionality to mod-enabled/, sites-Enabled
Contains symlinks to sites in sites-available/that
Administrator wishes to enable.

Apache uses the first virtualhost that matches the IP/Port
As default for named Virtual Hosts. Therefore the 'default'
Site shoshould be called '000-default' to make sure it sorts before
Other sites.

Example:
Dedasys. conf->/etc/apache2/sites-available/dedasys. conf

The a2ensite helper can be used to enable a site.

The include directives ignore files with names that do not end with
. Conf suffix. This behavior has changed from previous releases!

In some cases you may want to enable a specific piece of Configuration
(Think of files shipped in conf-available/) for a participant virtual
Host only and not globally as is our default. In such cases you can
Disable the configuration at a global scope for example by doing

A2disconf some-Configuration

Then it can be encoded in a particle virtual host within a file in
Sites-enabled/. You may want to add

Include conf-available/some-configuration.conf

In that site configuration. However, be careful, as this may not work
Some invocations, depending on the context and implications of some
Directives.

Tools
-----

A2enmod and a2dismod are available for enabling and disabling modules utilizing
The above Configuration System.

A2ensite and a2dissite do essential the same thing as the above tools,
For sites rather than modules. Finally a2enconf and a2disconf are
Corresponding tools for configuration snippets.

A2query is a helper script providing runtime information about the running
Server instance. For example it can be used to query enabled modules,
Selected mpm, and other information. This tool is primarily meant for Package
Maintainers who need to interact with the Apache packages to activate
Their Configurations upon package installation, but it can be used by users
As well.

Apxs2-A/-A is modified to use a2enmod to activate newly installed modules.

Using mod_cache_disk
================================

To ensure that the disk cache does not grow indefinitely, htcacheclean is
Started when mod_cache_disk is enabled. Both daemon and cron (daily) Mode
Are supported. The configuration (run mode, cache size, etc.) is in
'/Etc/default/apache2 '.

Normally, htcacheclean is automatically started and stopped
'/Etc/init. d/apache2'. However, if you change the state of mod_cache_disk or
The configuration of htcacheclean while apache2 is running, you may need
Manually start/stop htcacheclean with "/etc/init. d/apache2 start-htcacheclean"
Or "/etc/init. d/apache2 stop-htcacheclean ".

Note that mod_cache_disk was named mod_disk_cache in versions 2.2 and earlier.

SSL
===

Enabling SSL
------------

To enable SSL, type (as user root ):

A2ensite default-SSL
A2enmod SSL

If you want to use self-signed certificates, you should install the SSL-Cert
Package (see below). Otherwise, just adjust the sslcertificatekeyfile and
Sslcertificatefile ctictives in '/etc/apache2/sites-available/default-ssl.conf'
To point to your SSL certificate. Then restart Apache:

Service apache2 restart

The SSL key file shocould only be readable by root; the Certificate file may be
Globally readable. These files are read by the Apache parent process which runs
As root, and it is therefore not necessary to make the files readable by
WWW-data user.

Creating Self-signed certificates
---------------------------------

If you install the SSL-Cert package, a self-signed certificate will be
Automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. After you have changed '/etc/hosts' or
DNS to give the correct hostname) as user root:

Make-SSL-Cert generate-default-Snail keoil -- force-overwrite

To create more certificates with different host names, you can use

Make-SSL-Cert/usr/share/SSL-Cert/ssleay. CNF/path/to/cert-file.crt

This will ask you for the hostname and place both SSL Key and Certificate in
The file '/path/to/cert-file.crt'. Use this file with the sslcertificatefile
Directive in the Apache config (you don't need the sslcertificatekeyfile in
This case as it also contains the key). The file '/path/to/cert-file.crt'
Shocould only be readable by root. A good directory to use for the additional
Certificates/keys is '/etc/SSL/private '.

SSL workaround for MSIE
-----------------------

The SSL workaround for MS Internet Explorer needs to be added to your SSL
Virtualhost section (it was previusly in SSL. conf but caused keepalive to be
Disabled even for non-SSL connections ):

Browsermatch "MSIE [2-6]" \
Nokeepalive SSL-unclean-Shutdown \
Downgrade-1.0 force-response-1.0
Browsermatch "MSIE [17-9]" SSL-unclean-Shutdown

The default SSL virtual host in '/etc/apache2/sites-available/default-ssl.conf'
Already contains this workaround.

Suexec
======

Debian ships two version of The suexec helper program required
Mod_suexec. It is not installed by default, to avoid possible security
The package apache2-suexec-pristine contains the standard version
That works only with document root/var/WWW, userdir suffix public_html,
And Apache run user www-data. The package apache2-suexec-custom contains
Customizable version that can be configured with a config file to use
Different settings (like/srv/WWW as document root). For more information
See the suexec (8) man page in the apache2-suexec-custom package.

Since apache2-suexec-custom has passed ed less testing and might be slightly
Slower, apache2-suexec is the recommended version unless you need the features
From apache2-suexec-custom.

Starting with Apache 2.4 Both alternatives can be installed at the same
Time and the default suexec mechanic can be picked by using
Update-Alternatives (8) system.

Unicode file name Normalization
====================================

Using Apache with the document root on a file system that does Unicode
Normalization on the filenames can cause security issues. In Debian,
This affects ZFS with the non-default option to enable filename normalization,
And HFS +. It is strongly recommended not to use Apache with such file systems.
More information about this issue can be found by searching the web
CVE-2013-0966.

Documentation
==================

The full Apache 2 documentation can be found on the web

Http://httpd.apache.org/docs/2.4/

Or, if you have installed the apache2-doc package, in

/Usr/share/doc/apache2-doc/manual/

Or

Http: // localhost/manual/

There is also a wiki that contains useful information:

Http://wiki.apache.org/httpd/

Some hints about securing Apache 2 On Debian are available

Http://wiki.debian.org/Apache/Hardening

Upgrades
==========

Changes in the Apache packages that require manual configuration adjustments
Are announced in news. Debian. Installing the apt-listchanges package is
Recommended. It will display the relevant news. Debian sections before
Upgrades.

Multiple instances
============================

There is some support for running multiple instances of apache2 on the same
Machine. See '/usr/share/doc/apache2/readme. Multiple-instances' for more
Information.

Common Problems
====================

1) error message "cocould not reliably determine the server's fully qualified
Domain Name, using 127.0.0.1 for servername "During Start

This can be usually be ignored but it means that Apache httpd was unable to obtain
A fully-qualified hostname by doing a reverse lookup on your server's IP
Address. You may want to add the fully-qualified hostname to '/etc/hosts '.
An alternative is to specify "servername 127.0.0.1" in the global server
Context of the configuration, e.g. In
'/Etc/apache2/conf-enabled/abled '.

2) error message "mod_rewrite: cocould not create rewrite_log_lock"

This probably means that there are some stale sysv semaphores around. This
Usually happens after apache2 has been killed with kill-9 (sigkill). You can
Clean up the semaphores:

IPCS-S | grep www-data | awk '{print $2}' | xargs ipcrm SEM

3) message "file does not exist:/etc/apache2/htdocs" in error log

In most cases this means that no matching virtualhost definition cocould be
Found for an incoming request. Check that the target IP Address/port and
Name in the Host: header of the request actually match one of the virtual
Hosts.

4) message "couldn't create pollset in child; check user or system limits" in
Error Log

On linux kernels since 2.6.27.8, the value in

/Proc/sys/fs/epoll/max_user_instances

Needs to be larger

For prefork/Itk MPM: 2 * maxclients
For worker/event MPM: maxclients + maxclients/threadsperchild

It can be set on boot by adding a line like

FS. epoll. max_user_instances = 1024

To '/etc/sysctl. conf '.

There are several other error messages related to creating a pollset that can
Appear for the same reason.

On the other hand, errors about adding to a pollset are related to the setting
FS. epoll. max_user_watches. On most systems, max_user_watches shoshould be high
Enough by default.

5) message "server shocould be SSL-aware but has no certificate configured" in
Error Log

Since 2.2.12, Apache is stricter about certain misconfigurations concerning
Name based SSL virtual hosts. See news.debian.gz for more details.

6) Apache does not pass Authorization header to CGI scripts

This is intentional to avoid security holes. If you really want to change it,
You can use mod_rewrite:

Rewritecond % {http: Authorization }(.*)
Rewriterule.-[ENV = http_authorization: % 1]

7) mod_dav is behaving strangely

In general, if you use mod_dav_fs, You need to disable Multiviews and script
Execution for that directory. For example:

<Directory/var/www/Dav>
Dav on
Options-Multiviews-execcgi
Sethandler none
<Ifmodule mod_php5.c>
Php_admin_value engine off
</Ifmodule>
</Directory>

8) message "apache2: Bad user name $ {apache_run_user}" when starting apache2
Directly

Use apache2ctl (it accepts all the same options as apache2 ).

9) A put with mod_dav_fs fails with "unable to put new contents /...
[403, #0] "even if Apache has permission to write the file.

Apache also needs write permission to the directory containing the file, in
Order to replace it atomically.

10) when starting/reloading Apache, there is the error message
"Ulimit: open files: cannot modify limit: operation not permitted"

If you are running Apache in a vserver environment, the start script may not
Be allowed to set the maximum number of open files. You shoshould adjust
Apache_ulimit_max_files in/etc/apache2/envvars to your setup. You can
Disable Changing the limits by setting apache_ulimit_max_files = true.

For developers
====================

The Apache 2 web server package provides several helpers to assist
Packagers to interact with the Web server for both, build and Installation
Time. Please refer to the packaging file in The apache2 package
Detailed information.

[R]/usr/share/doc/apache2/readme.debian.gz