you specify correspond to the user and group you want, and that they are preceded by the pound (#) symbol.
Here's how these directives would look if specified by name:
User nobody
Group nogroup
Here's the same specification, but by UID and GID:
User #-1
Group #-1
ServerName The ServerName directive sets the hostname the server will return. Set it to a fully qualified domain name (FQDN). If this value is not set, the server will try to determine the name by itself and use its canonical name. However, you might want the server to return a friendlier address such as www.your.domain. Whatever you do, ServerName should be a real Domain Name System (DNS) name for your network. If you are administering your own DNS, remember to add a CNAME alias for your host. If someone else manages the DNS for you, ask that person to set this name for you.
Your ServerName entry should look like this:
ServerName www.your.domain
TIP
If you want to install a Web server for test purposes on a standalone machine, you can do so by specifying a ServerName of localhost. You can then access the server as http://www.localhost from within the standalone machine. This approach can be useful for trying new configurations or Internet Web servers.
ServerRoot This directive sets the absolute path to your server directory. This directive tells the server where to find all the resources and configuration files. Many of these resources are specified in the configuration files relative to the ServerRoot directory.
Your ServerRoot directive should read:
ServerRoot /etc/httpd

Editing srm.conf

The srm.conf file is the resource configuration file. It controls settings related to the location of your Web document tree, the CGI program directories, and other resource configuration issues that affect your Web site. I kept most of the defaults found in my srm.conf file. The most important directives in this configuration file are as follows:

DocumentRoot Set this directive to the absolute path of your document tree. Your document tree is the top directory from which Apache will serve files. By default, it is set to /home/httpd/html.
UserDir This directive defines the directory relative to a local user's home directory where that user will put public HTML documents. It's relative because each user will have his or her own HTML directory. The default setting for this directive is public_html, so each user will be able to create a directory called public_html under his or her home directory, and HTML documents placed in that directory will be available as http://servername/~username, where username is the username of the particular user.

Allowing individual users to put Web content on your server poses several important security considerations. If you are operating a Web server on the Internet rather than on a private network, you should read the WWW Security FAQ by Lincoln Stein. You can find a copy at http://www.genome.wi.mit.edu/WWW/faqs/www-security-faq.html

A copy of the boilerplate conf/srm.conf file has been included at the end of this chapter in Listing 9.2.

Editing access.conf

access.conf is the global access control file. It configures the type of access users have to your site and to the documents you make available, and it determines the extent to which users can alter the security settings you might have defined. The default configuration provides unrestricted access to documents in your DocumentRoot. I kept all the defaults found in my access.conf file.

If you want to provide a more restrictive site, you might want to verify that the paths listed in all <Directory path> sections match the directories in your installation. The Directory sections specify a set of options, usually involving security issues, on a per-directory basis. In particular, you might want to remove the Indexes option that follows the Options directive in the section that looks like this:

<Directory /home/httpd/cgi-bin>
Options Indexes FollowSymLinks
</Directory>

Actually, the example given here is a very bad one because it turns on two options for the cgi-bin directory that no decent system administrator would ever allow. The Indexes option allows for server-generated directory listings. You probably don't want anyone peeking at the contents of your cgi-bin directories. The FollowSymLinks option allows the Web server to follow symbolic links to other directories. This option is a potential security problem because it could allow the server to "escape" from the server directories and could potentially allow users to access files that you do not want them to see.

Options that you set in your global configuration files can be overridden by the use of an .htaccess file. .htaccess files allow you to set server directives on a per-directory basis. This capability is particularly useful for user directories, where the user does not have access to the main server configuration files. By default, the AllowOverride directive is set to allow all overrides. You can disable all .htaccess overrides by setting AllowOverride to None, as follows:


AllowOverride None
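
The Directory options and the AllowOverride setting discussed above can be checked mechanically. The following Python script is an added example, not part of the original chapter or of Apache; the function name audit_directory_sections and the sample configuration are constructed for illustration. It reads access.conf-style text and reports each <Directory> section that enables Indexes or FollowSymLinks, or that leaves .htaccess overrides allowed.

```python
import re

# Options the page warns against enabling on the cgi-bin directory.
RISKY_OPTIONS = {"indexes", "followsymlinks"}

# Constructed sample in access.conf syntax; not taken from a real server.
SAMPLE_CONF = """\
<Directory /home/httpd/cgi-bin>
Options Indexes FollowSymLinks
</Directory>

<Directory /home/httpd/html>
Options None
AllowOverride None
</Directory>
"""

def audit_directory_sections(conf_text):
    """Return a list of (directory path, finding) tuples."""
    findings = []
    path = None              # path of the <Directory> section being read
    override_seen = False    # did this section contain AllowOverride?
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Directory\s+(.+?)\s*>$", line, re.IGNORECASE)
        if opened:
            path, override_seen = opened.group(1).strip('"'), False
        elif line.lower() == "</directory>":
            # Per the page, the default is to allow all overrides.
            if path is not None and not override_seen:
                findings.append((path, "AllowOverride unset: .htaccess may override"))
            path = None
        elif path is not None:
            directive, *args = line.split()
            if directive.lower() == "options":
                # "-Name" switches an option off, "+Name" switches it on.
                enabled = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
                for name in sorted(enabled & RISKY_OPTIONS):
                    findings.append((path, "Options enables " + name))
            elif directive.lower() == "allowoverride":
                override_seen = True
                if [a.lower() for a in args] != ["none"]:
                    findings.append((path, "AllowOverride " + " ".join(args)))
    return findings

if __name__ == "__main__":
    for path, finding in audit_directory_sections(SAMPLE_CONF):
        print(path + ": " + finding)
```
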

Configuring an inetd Server

Normally, Apache runs in standalone mode or daemon mode. How it is run by the system depends on how it is configured by the ServerType directive in conf/httpd.conf.

A standalone server offers superior performance over inetd-run servers because usually a server process is ready to serve a request. When run under inetd (the Internet daemon), a new server is started every time a request is received on the HTTP port. A considerable amount of overhead is involved in starting a new server process with each new request.

The default setting for ServerType is standalone; unless you have an extremely light traffic site, you should stick with this setting. inetd servers are good for information you want to make available but for which you don't want to dedicate a computer.

TIP
An inetd server is great for testing configuration settings because the server rereads all its settings every time it receives a request. On a standalone server, you need to restart the server manually before it sees any changes you made to the configuration files.

To run a server from inetd, you need to modify conf/httpd.conf once more and change the ServerType directive from standalone to inetd, as follows:


ServerType inetd
