ACC SHELL
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 28. The Apache HTTP Server</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.reference.services.html" title="Part V. Services"><link rel="prev" href="cha.samba.html" title="Chapter 27. Samba"><link rel="next" href="cha.ftp.html" title="Chapter 29. Setting up an FTP server with YaST"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.opensuse.reference.html">Reference</a><span class="breadcrumbs-sep"> > </span><a href="part.reference.services.html">Services</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 27. Samba" href="cha.samba.html"><span>◀</span></a> <a accesskey="n" title="Chapter 29. Setting up an FTP server with YaST" href="cha.ftp.html"><span>▶</span></a></strong></p></div></td></tr></table></div><div class="chapter" title="Chapter 28. The Apache HTTP Server"><div class="titlepage"><div><div><h2 class="title"><a name="cha.apache2"></a>Chapter 28. The Apache HTTP Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.apache2">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.quickstart">28.1. Quick Start</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.configuration">28.2. Configuring Apache</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.start_stop">28.3. Starting and Stopping Apache</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.modules">28.4. Installing, Activating, and Configuring Modules</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.cgi">28.5. Getting CGI Scripts to Work</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.ssl">28.6. Setting Up a Secure Web Server with SSL</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.security">28.7. Avoiding Security Problems</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.troubleeshooting">28.8. Troubleshooting</a></span></dt><dt><span class="sect1"><a href="cha.apache2.html#sec.apache2.more_information">28.9. For More Information</a></span></dt></dl></div><a class="indexterm" name="idx.apache2"></a><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
With a share of more than 50%, the Apache HTTP Server (Apache) is the
world's most widely-used Web server according to the survey from
<a class="ulink" href="http://www.netcraft.com/" target="_top">http://www.netcraft.com/</a>. Apache, developed by the
Apache Software Foundation (<a class="ulink" href="http://www.apache.org/" target="_top">http://www.apache.org/</a>), is
available for most operating systems. openSUSE® includes Apache
version 2.2. In this chapter, learn how to install, configure and set up
a Web server; how to use SSL, CGI, and additional modules; and how to
troubleshoot Apache.
</p></div><div class="sect1" title="28.1. Quick Start"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.quickstart"></a>28.1. Quick Start<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.quickstart">¶</a></span></h2></div></div></div><a class="indexterm" name="id494140"></a><p>
With the help of this section, quickly set up and start Apache. You must
be <code class="systemitem">root</code> to install and configure Apache.
</p><div class="sect2" title="28.1.1. Requirements"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache.quickstart.requirements"></a>28.1.1. Requirements<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache.quickstart.requirements">¶</a></span></h3></div></div></div><p>
Make sure the following requirements are met before trying to set up the
Apache Web server:
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li><p>
The machine's network is configured properly. For more information
about this topic, refer to <a class="xref" href="cha.basicnet.html" title="Chapter 21. Basic Networking">Chapter 21, <i>Basic Networking</i></a>.
</p></li><li><p>
The machine's exact system time is maintained by synchronizing with a
time server. This is necessary because parts of the HTTP protocol
depend on the correct time. See <a class="xref" href="cha.netz.xntp.html" title="Chapter 25. Time Synchronization with NTP">Chapter 25, <i>Time Synchronization with NTP</i></a>
to learn more about this topic.
</p></li><li><p>
The latest security updates are installed. If in doubt, run a YaST
Online Update.
</p></li><li><p>
The default Web server port (<code class="literal">80</code>) is opened in the
firewall. For this, configure the SUSEFirewall2 to allow the service
<span class="guimenu">HTTP Server</span> in the external zone. This can be done
using YaST. See
Section “Configuring the Firewall with YaST” (Chapter 14, <i>Masquerading and Firewalls</i>, ↑Security Guide) for details.
</p></li></ol></div></div><div class="sect2" title="28.1.2. Installation"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.quickstart.installation"></a>28.1.2. Installation<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.quickstart.installation">¶</a></span></h3></div></div></div><a class="indexterm" name="id494247"></a><p>
Apache on openSUSE is not installed by default. To install it with
a standard, predefined configuration that runs <span class="quote">“<span class="quote">out of the
box</span>”</span>, proceed as follows:
</p><div class="procedure" title="Procedure 28.1. Installing Apache with the Default Configuration"><a name="id494267"></a><p class="title"><b>Procedure 28.1. Installing Apache with the Default Configuration</b></p><ol class="procedure" type="1"><li><p>
Start YaST and select <span class="guimenu">Software</span>+<span class="guimenu">Software Management</span>.
</p></li><li><p>
Choose <span class="guimenu">Filter</span>+<span class="guimenu">Patterns</span> and select <span class="guimenu">Web and
LAMP Server</span> int <span class="guimenu">Server Functions</span>.
</p></li><li><p>
Confirm the installation of the dependent packages to finish the
installation process.
</p></li></ol></div><p>
The installation includes the multiprocessing module
<code class="systemitem">apache2-prefork</code> as well as the PHP5 module.
Refer to <a class="xref" href="cha.apache2.html#sec.apache2.modules" title="28.4. Installing, Activating, and Configuring Modules">Section 28.4, “Installing, Activating, and Configuring Modules”</a> for more information
about modules.
</p></div><div class="sect2" title="28.1.3. Start"><div class="titlepage"><div><div><h3 class="title"><a name="sect.apache.quickstart.start"></a>28.1.3. Start<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sect.apache.quickstart.start">¶</a></span></h3></div></div></div><p>
You can make Apache start automatically at boot time or you can start it
manually.
</p><div class="procedure" title="Procedure 28.2. Starting Apache Automatically"><a name="id494364"></a><p class="title"><b>Procedure 28.2. Starting Apache Automatically</b></p><ol class="procedure" type="1"><li><p>
To make sure that Apache is automatically started during boot in
runlevels <code class="literal">3</code> and <code class="literal">5</code>, execute the
following command:
</p><pre class="screen">chkconfig -a apache2</pre></li><li><p>
Alternatively, start YaST and select <span class="guimenu">System</span>+<span class="guimenu">System Services
(Runlevel)</span>.
</p></li><li><p>
Search for <span class="emphasis"><em>apache2</em></span> and <span class="guimenu">Enable</span>
the service.
</p><p>
The Web server starts immediately.
</p></li><li><p>
Save your changes with <span class="guimenu">Finish</span>.
</p><p>
The system is configured to automatically start Apache in runlevels
<code class="literal">3</code> and <code class="literal">5</code> during boot.
</p></li></ol></div><p>
For more information about the runlevels in openSUSE and a
description of the YaST runlevel editor, refer to
<a class="xref" href="cha.boot.html#sec.boot.runlevel.edit" title="16.2.3. Configuring System Services (Runlevel) with YaST">Section 16.2.3, “Configuring System Services (Runlevel) with YaST”</a>.
</p><p>
To manually start Apache using the shell, run <span class="command"><strong>rcapache2
start</strong></span>.
</p><div class="procedure" title="Procedure 28.3. Checking if Apache is Running"><a name="id494481"></a><p class="title"><b>Procedure 28.3. Checking if Apache is Running</b></p><p>
If you do not receive error messages when starting Apache, this usually
indicates that the Web server is running. To test this:
</p><ol class="procedure" type="1"><li><p>
Start a browser and open <a class="ulink" href="http://localhost/" target="_top">http://localhost/</a>.
</p><p>
If Apache is up and running, you get a test page stating <span class="quote">“<span class="quote">It
works!</span>”</span>.
</p></li><li><p>
If you do not see this page, refer to
<a class="xref" href="cha.apache2.html#sec.apache2.troubleeshooting" title="28.8. Troubleshooting">Section 28.8, “Troubleshooting”</a>.
</p></li></ol></div><p>
Now that the Web server is running, you can add your own documents,
adjust the configuration according to your needs, or add functionality
by installing modules.
</p></div></div><div class="sect1" title="28.2. Configuring Apache"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.configuration"></a>28.2. Configuring Apache<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration">¶</a></span></h2></div></div></div><a class="indexterm" name="id494547"></a><p>
openSUSE offers two configuration options:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually" title="28.2.2. Configuring Apache Manually">Configuring Apache Manually</a>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast" title="28.2.3. Configuring Apache with YaST">Configuring Apache with YaST</a>
</p></li></ul></div><p>
Manual configuration offers a higher level of detail, but lacks the
convenience of the YaST GUI.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Reload or Restart Apache After Configuration Changes"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Reload or Restart Apache After Configuration Changes</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Most configuration changes require a reload (some also a restart) of
Apache to take effect. Manually reload Apache with
<span class="command"><strong>rcapache2 <code class="option">reload</code></strong></span> or use one of
the restart options as described in
<a class="xref" href="cha.apache2.html#sec.apache2.start_stop" title="28.3. Starting and Stopping Apache">Section 28.3, “Starting and Stopping Apache”</a>.
</p><p>
If you configure Apache with YaST, this can be taken care of
automatically if you set <span class="guimenu">HTTP Service</span> to
<span class="guimenu">Enabled</span> as described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.server_configuration" title="28.2.3.2. HTTP Server Configuration">Section 28.2.3.2, “HTTP Server Configuration”</a>.
</p></td></tr></table></div><div class="sect2" title="28.2.1. Apache Configuration Files"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.configuration.manually.configfiles"></a>28.2.1. Apache Configuration Files<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.configfiles">¶</a></span></h3></div></div></div><a class="indexterm" name="id494655"></a><p>
This section gives an overview of the Apache configuration files. If you
decide to use YaST for configuration, you will not need to touch these
files—however, the information might be useful for you if you want
to switch to manual configuration later on.
</p><p>
Apache configuration files can be found in two different locations:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.configfiles.etc_sysconfig_apache2" title="28.2.1.1. /etc/sysconfig/apache2"><code class="filename">/etc/sysconfig/apache2</code></a>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.configfiles.etc_apache2" title="28.2.1.2. /etc/apache2/"><code class="filename">/etc/apache2/</code></a>
</p></li></ul></div><div class="sect3" title="28.2.1.1. /etc/sysconfig/apache2"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.configuration.manually.configfiles.etc_sysconfig_apache2"></a>28.2.1.1. <code class="filename">/etc/sysconfig/apache2</code><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.configfiles.etc_sysconfig_apache2">¶</a></span></h4></div></div></div><p>
<code class="filename">/etc/sysconfig/apache2</code> controls some global
settings of Apache, like modules to load, additional configuration
files to include, flags with which the server should be started, and
flags that should be added to the command line. Every configuration
option in this file is extensively documented and therefore not
mentioned here. For a general-purpose Web server, the settings in
<code class="filename">/etc/sysconfig/apache2</code> should be sufficient for
any configuration needs.
</p></div><div class="sect3" title="28.2.1.2. /etc/apache2/"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.configuration.manually.configfiles.etc_apache2"></a>28.2.1.2. <code class="filename">/etc/apache2/</code><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.configfiles.etc_apache2">¶</a></span></h4></div></div></div><p>
<code class="filename">/etc/apache2/</code> hosts all configuration files for
Apache. In the following, the purpose of each file is explained. Each
file includes several configuration options (also referred to as
<span class="emphasis"><em>directives</em></span>). Every configuration option in these
files is extensively documented and therefore not mentioned here.
</p><p>
The Apache configuration files are organized as follows:
</p><pre class="screen">/etc/apache2/
|
|- charset.conv
|- conf.d/
| |
| |- *.conf
|
|- default-server.conf
|- errors.conf
|- httpd.conf
|- listen.conf
|- magic
|- mime.types
|- mod_*.conf
|- server-tuning.conf
|- ssl.*
|- ssl-global.conf
|- sysconfig.d
| |
| |- global.conf
| |- include.conf
| |- loadmodule.conf . .
|
|- uid.conf
|- vhosts.d
| |- *.conf</pre><div class="variablelist" title="Apache Configuration Files in /etc/apache2/"><p class="title"><b>Apache Configuration Files in /etc/apache2/</b></p><dl><dt><span class="term"><code class="filename">charset.conv</code>
</span></dt><dd><p>
Specifies which character sets to use for different languages. Do
not edit this file.
</p></dd><dt><span class="term"><code class="filename">conf.d/*.conf</code>
</span></dt><dd><p>
Configuration files added by other modules. These configuration
files can be included into your virtual host configuration where
needed. See <code class="filename">vhosts.d/vhost.template</code> for
examples. By doing so, you can provide different module sets for
different virtual hosts.
</p></dd><dt><span class="term"><code class="filename">default-server.conf</code>
</span></dt><dd><p>
Global configuration for all virtual hosts with reasonable defaults.
Instead of changing the values, overwrite them with a virtual host
configuration.
</p></dd><dt><span class="term"><code class="filename">errors.conf</code>
</span></dt><dd><p>
Defines how Apache responds to errors. To customize these messages
for all virtual hosts, edit this file. Otherwise overwrite these
directives in your virtual host configurations.
</p></dd><dt><span class="term"><code class="filename">httpd.conf</code>
</span></dt><dd><p>
The main Apache server configuration file. Avoid changing this file.
It primarily contains include statements and global settings.
Overwrite global settings in the pertinent configuration files
listed here. Change host-specific settings (such as document root)
in your virtual host configuration.
</p></dd><dt><span class="term"><code class="filename">listen.conf</code>
</span></dt><dd><p>
Binds Apache to specific IP addresses and ports. Name-based virtual
hosting is also configured here. For details, see
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost.named_vhosts" title="28.2.2.1.1. Name-Based Virtual Hosts">Section 28.2.2.1.1, “Name-Based Virtual Hosts”</a>.
</p></dd><dt><span class="term"><code class="filename">magic</code>
</span></dt><dd><p>
Data for the mime_magic module that helps Apache automatically
determine the MIME type of an unknown file. Do not change this file.
</p></dd><dt><span class="term"><code class="filename">mime.types</code>
</span></dt><dd><p>
MIME types known by the system (this actually is a link to
<code class="filename">/etc/mime.types</code>). Do not edit this file. If you
need to add MIME types not listed here, add them to
<code class="filename">mod_mime-defaults.conf</code>.
</p></dd><dt><span class="term"><code class="filename">mod_*.conf</code>
</span></dt><dd><p>
Configuration files for the modules that are installed by default.
Refer to <a class="xref" href="cha.apache2.html#sec.apache2.modules" title="28.4. Installing, Activating, and Configuring Modules">Section 28.4, “Installing, Activating, and Configuring Modules”</a> for details.
Note that configuration files for optional modules reside in the
directory <code class="filename">conf.d</code>.
</p></dd><dt><span class="term"><code class="filename">server-tuning.conf</code>
</span></dt><dd><p>
Contains configuration directives for the different MPMs (see
<a class="xref" href="cha.apache2.html#sec.apache2.modules.mpm" title="28.4.4. Multiprocessing Modules">Section 28.4.4, “Multiprocessing Modules”</a>) as well as general
configuration options that control Apache's performance. Properly
test your Web server when making changes here.
</p></dd><dt><span class="term"><code class="filename">ssl-global.conf</code> and <code class="filename">ssl.*</code>
</span></dt><dd><p>
Global SSL configuration and SSL certificate data. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.ssl" title="28.6. Setting Up a Secure Web Server with SSL">Section 28.6, “Setting Up a Secure Web Server with SSL”</a> for details.
</p></dd><dt><span class="term"><code class="filename">sysconfig.d/*.conf</code>
</span></dt><dd><p>
Configuration files automatically generated from
<code class="filename">/etc/sysconfig/apache2</code>. Do not change any of
these files—edit <code class="filename">/etc/sysconfig/apache2</code>
instead. Do not put other configuration files in this directory.
</p></dd><dt><span class="term"><code class="filename">uid.conf</code>
</span></dt><dd><p>
Specifies under which user and group ID Apache runs. Do not change
this file.
</p></dd><dt><span class="term"><code class="filename">vhosts.d/*.conf</code>
</span></dt><dd><p>
Your virtual host configuration should be here. The directory
contains template files for virtual hosts with and without SSL.
Every file in this directory ending with <code class="filename">.conf</code>
is automatically included in the Apache configuration. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost" title="28.2.2.1. Virtual Host Configuration">Section 28.2.2.1, “Virtual Host Configuration”</a> for
details.
</p></dd></dl></div></div></div><div class="sect2" title="28.2.2. Configuring Apache Manually"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.configuration.manually"></a>28.2.2. Configuring Apache Manually<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually">¶</a></span></h3></div></div></div><a class="indexterm" name="idx.apache2.configuration.manually"></a><p>
Configuring Apache manually involves editing plain text configuration
files as user <code class="systemitem">root</code>.
</p><div class="sect3" title="28.2.2.1. Virtual Host Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.configuration.manually.vhost"></a>28.2.2.1. Virtual Host Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.vhost">¶</a></span></h4></div></div></div><a class="indexterm" name="id495156"></a><p>
The term <span class="emphasis"><em>virtual host</em></span> refers to Apache's ability
to serve multiple universal resource identifiers (URIs) from the same
physical machine. This means that several domains, such as www.example.com
and www.example.net, are run by a single Web server on one physical machine.
</p><p>
It is common practice to use virtual hosts to save administrative
effort (only a single Web server needs to be maintained) and hardware
expenses (each domain does not require a dedicated server). Virtual
hosts can be name based, IP based, or port based.
</p><p>
To list all existing virtual hosts, use the command <span class="command"><strong>httpd2
<code class="option">-S</code></strong></span>. This outputs a list showing the default
server and all virtual hosts together with their IP addresses and
listening ports. Furthermore, the list also contains an entry for each
virtual host showing its location in the configuration files.
</p><p>
Virtual hosts can be configured via YaST as described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.wizard.virtual_hosts" title="28.2.3.1.4. Virtual Hosts">Section 28.2.3.1.4, “Virtual Hosts”</a>
or by manually editing a configuration file. By default, Apache in
openSUSE is prepared for one configuration file per virtual host
in <code class="filename">/etc/apache2/vhosts.d/</code>. All files in this
directory with the extension <code class="filename">.conf</code> are
automatically included to the configuration. A basic template for a
virtual host is provided in this directory
(<code class="filename">vhost.template</code> or
<code class="filename">vhost-ssl.template</code> for a virtual host with SSL
support).
</p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Always Create a Virtual Host Configuration"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Always Create a Virtual Host Configuration</th></tr><tr><td colspan="2" align="left" valign="top"><p>
It is recommended to always create a virtual host configuration file,
even if your Web server only hosts one domain. By doing so, you not
only have the domain-specific configuration in one file, but you can
always fall back to a working basic configuration by simply moving,
deleting, or renaming the configuration file for the virtual host. For
the same reason, you should also create separate configuration files
for each virtual host.
</p><p>
When using name-based virtual hosts it is recommended to set up a
default configuration that will be used when a domain name does not
match a virtual host configuration. The default virtual host is the
one whose configuration is loaded first. Since the order of the
configuration files is determined by filename, start the filename of
the default virtual host configuration with an underscore character
(<code class="literal">_</code>) to make sure it is loaded first (for example:
<code class="filename">_default_vhost.conf</code>).
</p></td></tr></table></div><p>
The
<code class="systemitem"><VirtualHost></code><code class="systemitem"></VirtualHost></code>
block holds the information that applies to a particular domain. When
Apache receives a client request for a defined virtual host, it uses
the directives enclosed in this section. Almost all directives can be
used in a virtual host context. See
<a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/quickreference.html" target="_top">http://httpd.apache.org/docs/2.2/mod/quickreference.html</a>
for further information about Apache's configuration directives.
</p><div class="sect4" title="28.2.2.1.1. Name-Based Virtual Hosts"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.manually.vhost.named_vhosts"></a>28.2.2.1.1. Name-Based Virtual Hosts<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.vhost.named_vhosts">¶</a></span></h5></div></div></div><p>
With name-based virtual hosts, more than one Web site is served per IP
address. Apache uses the host field in the HTTP header that is sent by
the client to connect the request to a matching
<code class="systemitem">ServerName</code> entry of one of the virtual host
declarations. If no matching <code class="systemitem">ServerName</code> is
found, the first specified virtual host is used as a default.
</p><p>
The directive <code class="systemitem">NameVirtualHost</code> tells Apache on
which IP address and, optionally, which port it should listen to for
requests by clients containing the domain name in the HTTP header.
This option is configured in the configuration file
<code class="filename">/etc/apache2/listen.conf</code>.
</p><p>
The first argument can be a fully qualified domain name, but it is
recommended to use the IP address. The second argument is the port and
is optional. By default, port <code class="systemitem">80</code> is used and
is configured via the <code class="systemitem">Listen</code> directive.
</p><p>
The wild card <code class="literal">*</code> can be used for both the IP address
and the port number to receive requests on all interfaces. IPv6
addresses must be enclosed in square brackets.
</p><div class="example"><a name="ex.apache2.virtual_hosts.name_based"></a><p class="title"><b>Example 28.1. Variations of Name-Based <code class="systemitem">VirtualHost</code> Entries</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.apache2.virtual_hosts.name_based">¶</a></span></p><div class="example-contents"><pre class="screen"># NameVirtualHost <em class="replaceable"><code>IP-address</code></em><em class="replaceable"><code>[:Port]</code></em>
NameVirtualHost 192.168.3.100:80
NameVirtualHost 192.168.3.100
NameVirtualHost *:80
NameVirtualHost *
NameVirtualHost [2002:c0a8:364::]:80</pre></div></div><br class="example-break"><p>
The opening <code class="systemitem">VirtualHost</code> tag takes the IP
address (or fully qualified domain name) previously declared with the
<code class="systemitem">NameVirtualHost</code> as an argument in a
name-based virtual host configuration. A port number previously
declared with the <code class="systemitem">NameVirtualHost</code> directive
is optional.
</p><p>
The wild card <span class="emphasis"><em>*</em></span> is also allowed as a substitute
for the IP address. This syntax is only valid in combination with the
wild card usage in <code class="systemitem">NameVirtualHost *</code> . When
using IPv6 addresses, the address must be included in square brackets.
</p><div class="example"><a name="ex.apache.directives.virtualhost.name_based"></a><p class="title"><b>Example 28.2. Name-Based <code class="systemitem">VirtualHost</code> Directives</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.apache.directives.virtualhost.name_based">¶</a></span></p><div class="example-contents"><pre class="screen"><VirtualHost 192.168.3.100:80>
...
</VirtualHost>
<VirtualHost 192.168.3.100>
...
</VirtualHost>
<VirtualHost *:80>
...
</VirtualHost>
<VirtualHost *>
...
</VirtualHost>
<VirtualHost [2002:c0a8:364::]>
...
</VirtualHost></pre></div></div><br class="example-break"></div><div class="sect4" title="28.2.2.1.2. IP-Based Virtual Hosts"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.manually.vhost.ip_vhosts"></a>28.2.2.1.2. IP-Based Virtual Hosts<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.vhost.ip_vhosts">¶</a></span></h5></div></div></div><p>
This alternative virtual host configuration requires the setup of
multiple IPs for a machine. One instance of Apache hosts several
domains, each of which is assigned a different IP.
</p><p>
The physical server must have one IP address for each IP-based virtual
host. If the machine does not have multiple network cards, virtual
network interfaces (IP aliasing) can also be used.
</p><p>
The following example shows Apache running on a machine with the IP
<code class="systemitem">192.168.3.100</code>, hosting two
domains on the additional IPs
<code class="systemitem">192.168.3.101</code> and
<code class="systemitem">192.168.3.102</code>. A separate
<code class="systemitem">VirtualHost</code> block is needed for every virtual
server.
</p><div class="example"><a name="ex.apache.directives.virtualhost.ip_based"></a><p class="title"><b>Example 28.3. IP-Based <code class="systemitem">VirtualHost</code> Directives</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.apache.directives.virtualhost.ip_based">¶</a></span></p><div class="example-contents"><pre class="screen"><VirtualHost 192.168.3.101>
...
</VirtualHost>
<VirtualHost 192.168.3.102>
...
</VirtualHost></pre></div></div><br class="example-break"><p>
Here, <code class="systemitem">VirtualHost</code> directives are only
specified for interfaces other than <code class="systemitem">192.168.3.100</code>.
When a <code class="systemitem">Listen</code> directive is also configured
for <code class="systemitem">192.168.3.100</code>, a separate IP-based virtual host
must be created to answer HTTP requests to that
interface—otherwise the directives found in the default server
configuration (<code class="filename">/etc/apache2/default-server.conf</code>)
are applied.
</p></div><div class="sect4" title="28.2.2.1.3. Basic Virtual Host Configuration"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.manually.vhost.basic_configuration"></a>28.2.2.1.3. Basic Virtual Host Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.manually.vhost.basic_configuration">¶</a></span></h5></div></div></div><p>
At least the following directives should be present in each virtual
host configuration in order to set up a virtual host. See
<code class="filename">/etc/apache2/vhosts.d/vhost.template</code> for more
options.
</p><div class="variablelist"><dl><dt><span class="term"><code class="systemitem">ServerName</code>
</span></dt><dd><p>
The fully qualified domain name under which the host should be
addressed.
</p></dd><dt><span class="term"><code class="systemitem">DocumentRoot</code>
</span></dt><dd><p>
Path to the directory from which Apache should serve files for this
host. For security reasons, access to the entire file system is
forbidden by default, so you must explicitly unlock this directory
within a <code class="systemitem">Directory</code> container.
</p></dd><dt><span class="term"><code class="systemitem">ServerAdmin</code>
</span></dt><dd><p>
E-mail address of the server administrator. This address is, for
example, shown on error pages Apache creates.
</p></dd><dt><span class="term"><code class="systemitem">ErrorLog</code>
</span></dt><dd><p>
The error log file for this virtual host. Although it is not
necessary to create separate error log files for each virtual host,
it is common practice to do so, because it makes the debugging of
errors much easier. <code class="filename">/var/log/apache2/</code> is the
default directory for Apache's log files.
</p></dd><dt><span class="term"><code class="systemitem">CustomLog</code>
</span></dt><dd><p>
The access log file for this virtual host. Although it is not
necessary to create separate access log files for each virtual
host, it is common practice to do so, because it allows the
separate analysis of access statistics for each host.
<code class="filename">/var/log/apache2/</code> is the default directory for
Apache's log files.
</p></dd></dl></div><p>
As mentioned above, access to the whole file system is forbidden by
default for security reasons. Therefore, explicitly unlock the
directories in which you have placed the files Apache should
serve—for example the <code class="systemitem">DocumentRoot</code>:
</p><pre class="screen"><Directory "/srv/www/www.example.com/htdocs">
Order allow,deny
Allow from all
</Directory></pre><p>
The complete configuration file looks like this:
</p><div class="example"><a name="ex.apache.directives.virtualhost.basic_configuration"></a><p class="title"><b>Example 28.4. Basic <code class="systemitem">VirtualHost</code> Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.apache.directives.virtualhost.basic_configuration">¶</a></span></p><div class="example-contents"><pre class="screen"><VirtualHost 192.168.3.100>
ServerName www.example.com
DocumentRoot /srv/www/www.example.com/htdocs
ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/www.example.com_log
CustomLog /var/log/apache2/www.example.com-access_log common
<Directory "/srv/www/www.example.com/htdocs">
Order allow,deny
Allow from all
</Directory>
</VirtualHost></pre></div></div><br class="example-break"><a class="indexterm" name="id495672"></a></div></div></div><div class="sect2" title="28.2.3. Configuring Apache with YaST"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.configuration.yast"></a>28.2.3. Configuring Apache with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast">¶</a></span></h3></div></div></div><a class="indexterm" name="idx.apache2.configuration.yast"></a><p>
To configure your Web server with YaST, start YaST and select
<span class="guimenu">Network Services</span>+<span class="guimenu">HTTP
Server</span>. When starting the module for the first
time, the <span class="guimenu">HTTP Server Wizard</span> starts, prompting you to
make a few basic decisions concerning administration of the server. After
having finished the wizard, the <span class="guimenu">HTTP Server
Configuration</span> dialog starts each time you call the <span class="guimenu">HTTP
Server</span> module. For more information, see
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.server_configuration" title="28.2.3.2. HTTP Server Configuration">Section 28.2.3.2, “HTTP Server Configuration”</a>.
</p><div class="sect3" title="28.2.3.1. HTTP Server Wizard"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.configuration.yast.wizard"></a>28.2.3.1. HTTP Server Wizard<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard">¶</a></span></h4></div></div></div><p>
The HTTP Server Wizard consists of five steps. In the last step of the
dialog, you are given the opportunity to enter the expert configuration
mode to make even more specific settings.
</p><div class="sect4" title="28.2.3.1.1. Network Device Selection"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.wizard.network_device"></a>28.2.3.1.1. Network Device Selection<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard.network_device">¶</a></span></h5></div></div></div><p>
Here, specify the network interfaces and ports Apache uses to listen for
incoming requests. You can select any combination of existing network
interfaces and their respective IP addresses. Ports from all three
ranges (well-known ports, registered ports, and dynamic or private
ports) that are not reserved by other services can be used. The default
setting is to listen on all network interfaces (IP addresses) on port
<code class="systemitem">80</code>.
</p><p>
Check <span class="guimenu">Open Port In Firewall</span> to open the ports in the
firewall that the Web server listens on. This is necessary to make the
Web server available on the network, which can be a LAN, WAN, or the
public Internet. Keeping the port closed is only useful in test
situations where no external access to the Web server is necessary. If
you have multiple network interfaces, click <span class="guimenu">Firewall
Details...</span> to specify on which interface(s) the port(s) should
be opened.
</p><p>
Click <span class="guimenu">Next</span> to continue with the configuration.
</p></div><div class="sect4" title="28.2.3.1.2. Modules"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.wizard.modules"></a>28.2.3.1.2. Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard.modules">¶</a></span></h5></div></div></div><p>
The <span class="guimenu">Modules</span> configuration option allows for the
activation or deactivation of the script languages that the Web server
should support. For the activation or deactivation of other modules,
refer to
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.server_configuration.modules" title="28.2.3.2.2. Server Modules">Section 28.2.3.2.2, “Server Modules”</a>.
Click <span class="guimenu">Next</span> to advance to the next dialog.
</p></div><div class="sect4" title="28.2.3.1.3. Default Host"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.wizard.default_host"></a>28.2.3.1.3. Default Host<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard.default_host">¶</a></span></h5></div></div></div><p>
This option pertains to the default Web server. As explained in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost" title="28.2.2.1. Virtual Host Configuration">Section 28.2.2.1, “Virtual Host Configuration”</a>, Apache can
serve multiple virtual hosts from a single physical machine. The first
declared virtual host in the configuration file is commonly referred to
as the <span class="emphasis"><em>default host</em></span>. Each virtual host inherits the
default host's configuration.
</p><p>
To edit the host settings (also called <span class="emphasis"><em>directives</em></span>),
choose the appropriate entry in the table then click
<span class="guimenu">Edit</span>. To add new directives, click
<span class="guimenu">Add</span>. To delete a directive, select it and click
<span class="guimenu">Delete</span>.
</p><div class="figure"><a name="fig.apache2.configuration.yast.host"></a><p class="title"><b>Figure 28.1. HTTP Server Wizard: Default Host</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apache2.configuration.yast.host">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/yast2_apache_wizard3.png" alt="HTTP Server Wizard: Default Host"></div></div></div><br class="figure-break"><p>
Here is list of the default settings of the server:
</p><div class="variablelist"><dl><dt><span class="term"><code class="systemitem">Document Root</code>
</span></dt><dd><p>
Path to the directory from which Apache serves files for this host.
<code class="filename">/srv/www/htdocs</code> is the default location.
</p></dd><dt><span class="term"><code class="systemitem">Alias</code>
</span></dt><dd><p>
With the help of <code class="systemitem">Alias</code> directives, URLs can
be mapped to physical file system locations. This means that a
certain path even outside the <code class="literal">Document Root</code> in the
file system can be accessed via a URL aliasing that path.
</p><p>
The default openSUSE <code class="systemitem">Alias</code>
<code class="filename">/icons</code> points to
<code class="filename">/usr/share/apache2/icons</code> for the Apache icons
displayed in the directory index view.
</p></dd><dt><span class="term"><code class="systemitem">ScriptAlias</code>
</span></dt><dd><p>
Similar to the <code class="systemitem">Alias</code> directive, the
<code class="systemitem">ScriptAlias</code> directive maps a URL to a file
system location. The difference is that
<code class="systemitem">ScriptAlias</code> designates the target directory
as a CGI location, meaning that CGI scripts should be executed in
that location.
</p></dd><dt><span class="term"><code class="systemitem">Directory</code>
</span></dt><dd><p>
With <code class="systemitem">Directory</code> settings, you can enclose a
group of configuration options that will only apply to the specified
directory.
</p><p>
Access and display options for the directories
<code class="filename">/srv/www/htdocs</code>,
<code class="filename">/usr/share/apache2/icons</code> and
<code class="filename">/srv/www/cgi-bin</code> are configured here. It should
not be necessary to change the defaults.
</p></dd><dt><span class="term"><code class="systemitem">Include</code>
</span></dt><dd><p>
With include, additional configuration files can be specified. Two
<code class="systemitem">Include</code> directives are already
preconfigured: <code class="filename">/etc/apache2/conf.d/</code> is the
directory containing the configuration files that come with external
modules. With this directive, all files in this directory ending in
<code class="filename">.conf</code> are included. With the second directive,
<code class="filename">/etc/apache2/conf.d/apache2-manual.conf</code>, the
<code class="filename">apache2-manual</code> configuration file is included.
</p></dd><dt><span class="term"><code class="systemitem">Server Name</code>
</span></dt><dd><p>
This specifies the default URL used by clients to contact the Web
server. Use a fully qualified domain name (FQDN) to reach the Web
server at <code class="literal">http://<em class="replaceable"><code>FQDN</code></em>/</code>
or its IP address. You cannot choose an arbitrary name here—the
server must be <span class="quote">“<span class="quote">known</span>”</span> under this name.
</p></dd><dt><span class="term"><code class="systemitem">Server Administrator E-Mail</code>
</span></dt><dd><p>
E-mail address of the server administrator. This address is, for
example, shown on error pages Apache creates.
</p></dd></dl></div><p>
After finishing with the <span class="guimenu">Default Host</span> step, click
<span class="guimenu">Next</span> to continue with the configuration.
</p></div><div class="sect4" title="28.2.3.1.4. Virtual Hosts"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.wizard.virtual_hosts"></a>28.2.3.1.4. Virtual Hosts<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard.virtual_hosts">¶</a></span></h5></div></div></div><p>
In this step, the wizard displays a list of already configured virtual
hosts (see <a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost" title="28.2.2.1. Virtual Host Configuration">Section 28.2.2.1, “Virtual Host Configuration”</a>).
If you have not made manual changes prior to starting the YaST HTTP
wizard, no virtual host is present.
</p><p>
To add a host, click <span class="guimenu">Add</span> to open a dialog in which to
enter basic information about the host, such as <span class="guimenu">Server
Name</span>, <span class="guimenu">Server Contents Root</span>
(<code class="systemitem">DocumentRoot</code>), and the <span class="guimenu">Administrator
E-Mail</span>. <span class="guimenu">Server Resolution</span> is used to
determine how a host is identified (name based or IP based). Specify the
name or IP address with <span class="guimenu">Change Virtual Host ID</span>
</p><p>
Clicking <span class="guimenu">Next</span> advances to the second part of the
virtual host configuration dialog.
</p><p>
In part two of the virtual host configuration you can specify whether or
not to enable CGI scripts and which directory to use for these scripts.
It is also possible to enable SSL. If you do so, you must specify the
path to the certificate as well. See
<a class="xref" href="cha.apache2.html#sec.apache2.ssl.configuration" title="28.6.2. Configuring Apache with SSL">Section 28.6.2, “Configuring Apache with SSL”</a> for details on SSL and
certificates. With the <span class="guimenu">Directory Index</span> option, you
can specify which file to display when the client requests a directory
(by default, <code class="filename">index.html</code>). Add one or more filenames
(space-separated) if you want to change this. With <span class="guimenu">Enable
Public HTML</span>, the content of the users public directories
(<code class="filename">~<em class="replaceable"><code>user</code></em>/public_html/</code>) is
made available on the server under
<code class="literal">http://www.example.com/~<em class="replaceable"><code>user</code></em></code>.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Creating Virtual Hosts"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Creating Virtual Hosts</th></tr><tr><td colspan="2" align="left" valign="top"><p>
It is not possible to add virtual hosts at will. If using name-based
virtual hosts, each hostname must be resolved on the network. If using
IP-based virtual hosts, you can assign only one host to each IP address
available.
</p></td></tr></table></div></div><div class="sect4" title="28.2.3.1.5. Summary"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.wizard.summary"></a>28.2.3.1.5. Summary<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.wizard.summary">¶</a></span></h5></div></div></div><p>
This is the final step of the wizard. Here, determine how and when the
Apache server is started: when booting or manually. Also see a short
summary of the configuration made so far. If you are satisfied with your
settings, click <span class="guimenu">Finish</span> to complete configuration. If
you want to change something, click <span class="guimenu">Back</span> until you
have reached the desired dialog. Clicking <span class="guimenu">HTTP Server Expert
Configuration</span> opens the dialog described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.server_configuration" title="28.2.3.2. HTTP Server Configuration">Section 28.2.3.2, “HTTP Server Configuration”</a>.
</p><div class="figure"><a name="fig.apache2.configuration.yast.summary"></a><p class="title"><b>Figure 28.2. HTTP Server Wizard: Summary</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apache2.configuration.yast.summary">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/yast2_apache_wizard5.png" alt="HTTP Server Wizard: Summary"></div></div></div><br class="figure-break"></div></div><div class="sect3" title="28.2.3.2. HTTP Server Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.configuration.yast.server_configuration"></a>28.2.3.2. HTTP Server Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.server_configuration">¶</a></span></h4></div></div></div><p>
The <span class="guimenu">HTTP Server Configuration</span> dialog also lets you
make even more adjustments to the configuration than the wizard (which
only runs if you configure your Web server for the first time). It
consists of four tabs described in the following. No configuration option
you change here is effective immediately—you always must confirm
your changes with <span class="guimenu">Finish</span> to make them effective.
Clicking <span class="guimenu">Abort</span> leaves the configuration module and
discards your changes.
</p><div class="sect4" title="28.2.3.2.1. Listen Ports and Addresses"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.server_configuration.listen"></a>28.2.3.2.1. Listen Ports and Addresses<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.server_configuration.listen">¶</a></span></h5></div></div></div><p>
In <span class="guimenu">HTTP Service</span>, select whether Apache should be
running (<span class="guimenu">Enabled</span>) or stopped
(<span class="guimenu">Disabled</span>). In <span class="guimenu">Listen on Ports</span>,
<span class="guimenu">Add</span>, <span class="guimenu">Edit</span>, or
<span class="guimenu">Delete</span> addresses and ports on which the server should
be available. The default is to listen on all interfaces on port
<code class="literal">80</code>. You should always check <span class="guimenu">Open Port In
Firewall</span>, because otherwise the Web server is not reachable
from outside. Keeping the port closed is only useful in test situations
where no external access to the Web server is necessary. If you have
multiple network interfaces, click <span class="guimenu">Firewall
Details...</span> to specify on which interface(s) the port(s) should
be opened.
</p><p>
With <span class="guimenu">Log Files</span>, watch either the access log or the
error log. This is useful if you want to test your configuration. The
log file opens in a separate window from which you can also restart or
reload the Web server. For details, see
<a class="xref" href="cha.apache2.html#sec.apache2.start_stop" title="28.3. Starting and Stopping Apache">Section 28.3, “Starting and Stopping Apache”</a>. These commands are
effective immediately and their log messages are also displayed
immediately.
</p><div class="figure"><a name="fig.apache2.configuration.yast.server_configuration.listen"></a><p class="title"><b>Figure 28.3. HTTP Server Configuration: Listen Ports and Addresses</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apache2.configuration.yast.server_configuration.listen">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/yast2_apache_config_listen.png" alt="HTTP Server Configuration: Listen Ports and Addresses"></div></div></div><br class="figure-break"></div><div class="sect4" title="28.2.3.2.2. Server Modules"><div class="titlepage"><div><div><h5 class="title"><a name="sec.apache2.configuration.yast.server_configuration.modules"></a>28.2.3.2.2. Server Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.configuration.yast.server_configuration.modules">¶</a></span></h5></div></div></div><p>
You can change the status (enabled or disabled) of Apache2 modules by
clicking <span class="guimenu">Toggle Status</span>. Click <span class="guimenu">Add
Module</span> to add a new module that is already installed but not
yet listed. Learn more about modules in
<a class="xref" href="cha.apache2.html#sec.apache2.modules" title="28.4. Installing, Activating, and Configuring Modules">Section 28.4, “Installing, Activating, and Configuring Modules”</a>.
</p><div class="figure"><a name="fig.apache2.configuration.yast.server_configuration.modules"></a><p class="title"><b>Figure 28.4. HTTP Server Configuration: Server Modules</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#fig.apache2.configuration.yast.server_configuration.modules">¶</a></span></p><div class="figure-contents"><div class="mediaobject"><img src="images/yast2_apache_config_modules.png" alt="HTTP Server Configuration: Server Modules"></div></div></div><br class="figure-break"></div><div class="sect4" title="28.2.3.2.3. Main Host or Hosts"><div class="titlepage"><div><div><h5 class="title"><a name="id496584"></a>28.2.3.2.3. Main Host or Hosts<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id496584">¶</a></span></h5></div></div></div><p>
These dialogs are identical to the ones already described. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.wizard.default_host" title="28.2.3.1.3. Default Host">Section 28.2.3.1.3, “Default Host”</a>
and
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.wizard.virtual_hosts" title="28.2.3.1.4. Virtual Hosts">Section 28.2.3.1.4, “Virtual Hosts”</a>.
</p><a class="indexterm" name="id496603"></a></div></div></div></div><div class="sect1" title="28.3. Starting and Stopping Apache"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.start_stop"></a>28.3. Starting and Stopping Apache<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.start_stop">¶</a></span></h2></div></div></div><a class="indexterm" name="id496625"></a><a class="indexterm" name="id496633"></a><p>
If configured with YaST as described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast" title="28.2.3. Configuring Apache with YaST">Section 28.2.3, “Configuring Apache with YaST”</a>, Apache is started
at boot time in runlevels 3 and 5 and stopped in runlevels 0, 1, 2, and
6. You can change this behavior using YaST's runlevel editor or the
command line tool <span class="command"><strong>chkconfig</strong></span>.
</p><p>
To start, stop, or manipulate Apache on a running system, use the init
script <span class="command"><strong>/usr/sbin/rcapache2</strong></span>. For general information
about init scripts, refer to <a class="xref" href="cha.boot.html#sec.boot.init.skripte" title="16.2.2. Init Scripts">Section 16.2.2, “Init Scripts”</a>. The
<span class="command"><strong>rcapache2</strong></span> command takes the following parameters:
</p><div class="variablelist"><dl><dt><span class="term"><code class="option">status</code>
</span></dt><dd><p>
Checks if Apache is started.
</p></dd><dt><span class="term"><code class="option">start</code>
</span></dt><dd><p>
Starts Apache if it is not already running.
</p></dd><dt><span class="term"><code class="option">startssl</code>
</span></dt><dd><p>
Starts Apache with SSL support if it is not already running. For more
information about SSL support, refer to
<a class="xref" href="cha.apache2.html#sec.apache2.ssl" title="28.6. Setting Up a Secure Web Server with SSL">Section 28.6, “Setting Up a Secure Web Server with SSL”</a>.
</p></dd><dt><span class="term"><code class="option">stop</code>
</span></dt><dd><p>
Stops Apache by terminating the parent process.
</p></dd><dt><span class="term"><code class="option">restart</code>
</span></dt><dd><p>
Stops and then restarts Apache. Starts the Web server if it was not
running before.
</p></dd><dt><span class="term"><code class="option">try-restart</code>
</span></dt><dd><p>
Stops then restarts Apache only if it is already running.
</p></dd><dt><span class="term"><code class="option">reload</code> or <code class="option">graceful</code>
</span></dt><dd><p>
Stops the Web server by advising all forked Apache processes to first
finish their requests before shutting down. As each process dies, it
is replaced by a newly started one, resulting in a complete
<span class="quote">“<span class="quote">restart</span>”</span> of Apache.
</p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Restarting Apache in Production Environments"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Restarting Apache in Production Environments</th></tr><tr><td colspan="2" align="left" valign="top"><p>
To activate changes in the Apache configuration without causing
connection break-offs, use the
<span class="command"><strong>rcapache2 <code class="option">reload</code></strong></span> command.
</p></td></tr></table></div></dd><dt><span class="term"><code class="option">restart-graceful</code>
</span></dt><dd><p>
Starts a second Web server that immediately serves all incoming
requests. The previous instance of the Web server continues to handle
all existing requests for a defined period of time configured with
<code class="systemitem">GracefulShutdownTimeout</code>.
</p><p>
<span class="command"><strong>rcapache2 <code class="option">restart-graceful</code></strong></span> is
either useful when upgrading to a new version or when having changed
configuration options that require a restart. Using this option
ensures a minimum server downtime.
</p><p>
<code class="systemitem">GracefulShutdownTimeout</code> needs to be set,
otherwise <code class="option">restart-graceful</code> will result in a regular
restart. If set to zero, the server will wait indefinitely until all
remaining requests have been fully served.
</p><p>
A graceful restart can fail if the original Apache instance is not
able to clear all necessary resources. In this case, the command will
result in a graceful stop.
</p></dd><dt><span class="term"><code class="option">stop-graceful</code>
</span></dt><dd><p>
Stops the Web server after a defined period of time configured with
<code class="systemitem">GracefulShutdownTimeout</code> in order to ensure
that existing requests can be finished.
</p><p>
<code class="systemitem">GracefulShutdownTimeout</code> needs to be set,
otherwise <code class="option">stop-graceful</code> will result in a regular
restart. If set to zero, the server will wait indefinitely until all
remaining requests have been fully served.
</p></dd><dt><span class="term"><code class="option">configtest</code> or <code class="option">extreme-configtest</code>
</span></dt><dd><p>
Checks the syntax of the configuration files without affecting a
running Web server. Because this check is forced every time the server
is started, reloaded, or restarted, it is usually not necessary to run
the test explicitly (if a configuration error is found, the Web server
is not started, reloaded, or restarted). The
<code class="option">extreme-configtest</code> options start the Web server as
user <code class="systemitem">nobody</code> and actually
load the configuration, so more errors can be detected. Note that
although the configuration is loaded, it is not possible to test the
SSL setup because the SSL certificates cannot be read by
<code class="systemitem">nobody</code>.
</p></dd><dt><span class="term"><code class="option">probe</code>
</span></dt><dd><p>
Probes for the necessity of a reload (checks whether the configuration
has changed) and suggests the required arguments for the
<span class="command"><strong>rcapache2</strong></span> command.
</p></dd><dt><span class="term"><code class="option">server-status and full-server-status</code>
</span></dt><dd><p>
Dumps a short or full status screen, respectively. Requires either
lynx or w3m installed as well as the module mod_status enabled. In
addition to that, <code class="literal">status</code> must be added to
<code class="systemitem">APACHE_SERVER_FLAGS</code> in the file
<code class="filename">/etc/sysconfig/apache2</code>.
</p></dd></dl></div><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Additional Flags"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Additional Flags</th></tr><tr><td colspan="2" align="left" valign="top"><p>
If you specify additional flags to the <span class="command"><strong>rcapache2</strong></span>,
these are passed through to the Web server.
</p></td></tr></table></div></div><div class="sect1" title="28.4. Installing, Activating, and Configuring Modules"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.modules"></a>28.4. Installing, Activating, and Configuring Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules">¶</a></span></h2></div></div></div><a class="indexterm" name="idx.apache2.modules"></a><p>
The Apache software is built in a modular fashion: all functionality
except some core tasks are handled by modules. This has progressed so far
that even HTTP is processed by a module (http_core).
</p><p>
Apache modules can be compiled into the Apache binary at build time or
dynamically loaded at runtime. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.modules.activating" title="28.4.2. Activation and Deactivation">Section 28.4.2, “Activation and Deactivation”</a> for details of how
to load modules dynamically.
</p><p>
Apache modules can be divided into four different categories:
</p><div class="variablelist"><dl><dt><span class="term">Base Modules</span></dt><dd><p>
Base modules are compiled into Apache by default. Apache in
openSUSE has only <code class="systemitem">mod_so</code> (needed to load
other modules) and <code class="systemitem">http_core</code> compiled in. All
others are available as shared objects: rather than being included in
the server binary itself, they can be included at runtime.
</p></dd><dt><span class="term">Extension Modules</span></dt><dd><p>
In general, modules labeled as extensions are included in the Apache
software package, but are usually not compiled into the server
statically. In openSUSE, they are available as shared objects
that can be loaded into Apache at runtime.
</p></dd><dt><span class="term">External Modules</span></dt><dd><p>
Modules labeled external are not included in the official Apache
distribution. However, openSUSE provides several of them.
</p></dd><dt><span class="term">Multiprocessing Modules (MPMs)</span></dt><dd><p>
MPMs are responsible for accepting and handling requests to the Web
server, representing the core of the Web server software.
</p></dd></dl></div><div class="sect2" title="28.4.1. Module Installation"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.installing"></a>28.4.1. Module Installation<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.installing">¶</a></span></h3></div></div></div><a class="indexterm" name="id497168"></a><p>
If you have done a default installation as described in
<a class="xref" href="cha.apache2.html#sec.apache2.quickstart.installation" title="28.1.2. Installation">Section 28.1.2, “Installation”</a>, the following
modules are already installed: all base and extension modules, the
multiprocessing module Prefork MPM, and the external modules
<code class="systemitem">mod_php5</code> and
<code class="systemitem">mod_python</code>.
</p><p>
You can install additional external modules by starting YaST and
choosing <span class="guimenu">Software</span>+<span class="guimenu">Software
Management</span>. Now choose
<span class="guimenu">Filter</span>+<span class="guimenu">Search</span> and search for
<span class="emphasis"><em>apache</em></span>. Among other packages, the results list
contains all available external Apache modules.
</p></div><div class="sect2" title="28.4.2. Activation and Deactivation"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.activating"></a>28.4.2. Activation and Deactivation<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.activating">¶</a></span></h3></div></div></div><p>
Activate or deactivate particular modules either manually or with
YaST. In YaST, script language modules (PHP5, Perl, and Python) need
to be enabled or disabled with the module configuration described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.wizard" title="28.2.3.1. HTTP Server Wizard">Section 28.2.3.1, “HTTP Server Wizard”</a>. All other
modules can be enabled or disabled as described in
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast.server_configuration.modules" title="28.2.3.2.2. Server Modules">Section 28.2.3.2.2, “Server Modules”</a>.
</p><p>
If you prefer to activate or deactivate the modules manually, use the
commands <span class="command"><strong>a2enmod <em class="replaceable"><code>mod_foo</code></em></strong></span>
or <span class="command"><strong>a2dismod</strong></span> <em class="replaceable"><code>mod_foo</code></em>,
respectively. <span class="command"><strong>a2enmod -l</strong></span> outputs a list of all
currently active modules.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Including Configuration Files for External Modules"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Including Configuration Files for External Modules</th></tr><tr><td colspan="2" align="left" valign="top"><p>
If you have activated external modules manually, make sure to load
their configuration files in all virtual host configurations.
Configuration files for external modules are located under
<code class="filename">/etc/apache2/conf.d/</code> and are not loaded by
default. If you need the same modules on each virtual host, you can
include <code class="filename">*.conf</code> from this directory. Otherwise
include individual files. See
<code class="filename">/etc/apache2/vhost.d/vhost.template</code> for examples.
</p></td></tr></table></div></div><div class="sect2" title="28.4.3. Base and Extension Modules"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.base_extension"></a>28.4.3. Base and Extension Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.base_extension">¶</a></span></h3></div></div></div><a class="indexterm" name="id497310"></a><p>
All base and extension modules are described in detail in the Apache
documentation. Only a brief description of the most important modules is
available here. Refer to
<a class="ulink" href="http://httpd.apache.org/docs/2.2/mod/" target="_top">http://httpd.apache.org/docs/2.2/mod/</a>
to learn details about each module.
</p><div class="variablelist"><dl><dt><span class="term">mod_actions</span></dt><dd><p>
Provides methods to execute a script whenever a certain MIME type
(such as <code class="systemitem">application/pdf</code>), a file with a
specific extension (like <code class="filename">.rpm</code>), or a certain
request method (such as <code class="systemitem">GET</code>) is requested.
This module is enabled by default.
</p></dd><dt><span class="term">mod_alias</span></dt><dd><p>
Provides <code class="systemitem">Alias</code> and
<code class="systemitem">Redirect</code> directives with which you can map a
URL to a specific directory (<code class="systemitem">Alias</code>) or
redirect a requested URL to another location.
This module is enabled by default.
</p></dd><dt><span class="term">mod_auth*</span></dt><dd><p>
The authentication modules provide different authentication methods:
basic authentication with <code class="systemitem">mod_auth_basic</code> or
digest authentication with <code class="systemitem">mod_auth_digest</code>.
Digest authentication in Apache 2.2 is considered experimental.
</p><p>
<code class="systemitem">mod_auth_basic</code> and
<code class="systemitem">mod_auth_digest</code> must be combined with an
authentication provider module, <code class="systemitem">mod_authn_*</code>
(for example, <code class="systemitem">mod_authn_file</code> for text
file–based authentication) and with an authorization module
<code class="systemitem">mod_authz_*</code> (for example,
<code class="systemitem">mod_authz_user</code> for user authorization).
</p><p>
More information about this topic is available in the
<em class="citetitle">Authentication HOWTO</em> at
<a class="ulink" href="http://httpd.apache.org/docs/2.2/howto/auth.html" target="_top">http://httpd.apache.org/docs/2.2/howto/auth.html</a>.
</p></dd><dt><span class="term">mod_autoindex</span></dt><dd><p>
Autoindex generates directory listings when no index file (for
example, <code class="filename">index.html</code>) is present. The look and
feel of these indexes is configurable. This module is enabled by
default. However, directory listings are disabled by default via the
<code class="systemitem">Options</code> directive—overwrite this
setting in your virtual host configuration. The default configuration
file for this module is located at
<code class="filename">/etc/apache2/mod_autoindex-defaults.conf</code>.
</p></dd><dt><span class="term">mod_cgi</span></dt><dd><p>
<code class="systemitem">mod_cgi</code> is needed to execute CGI scripts.
This module is enabled by default.
</p></dd><dt><span class="term">mod_deflate</span></dt><dd><p>
Using this module, Apache can be configured to compress given file
types on the fly before delivering them.
</p></dd><dt><span class="term">mod_dir</span></dt><dd><p>
<code class="systemitem">mod_dir</code> provides the
<code class="systemitem">DirectoryIndex</code> directive with which you can
configure which files are automatically delivered when a directory is
requested (<code class="filename">index.html</code> by default). It also
provides an automatic redirect to the correct URL when a directory
request does
not contain a trailing slash. This module is enabled by default.
</p></dd><dt><span class="term">mod_env</span></dt><dd><p>
Controls the environment that is passed to CGI scripts or SSI pages.
Environment variables can be set or unset or passed from the shell
that invoked the httpd process. This module is enabled by default.
</p></dd><dt><span class="term">mod_expires</span></dt><dd><p>
With <code class="systemitem">mod_expires</code>, you can control how often
proxy and browser caches refresh your documents by sending an
<code class="systemitem">Expires</code> header. This module is enabled by
default.
</p></dd><dt><span class="term">mod_include</span></dt><dd><p>
<code class="systemitem">mod_include</code> lets you use Server Side
Includes (SSI), which provide a basic functionality to generate HTML
pages dynamically. This module is enabled by default.
</p></dd><dt><span class="term">mod_info</span></dt><dd><p>
Provides a comprehensive overview of the server configuration under
http://localhost/server-info/. For security reasons, you should
always limit access to this URL. By default only
<code class="systemitem">localhost</code> is allowed to
access this URL. <code class="systemitem">mod_info</code> is configured at
<code class="filename">/etc/apache2/mod_info.conf</code>.
</p></dd><dt><span class="term">mod_log_config</span></dt><dd><p>
With this module, you can configure the look of the Apache log files.
This module is enabled by default.
</p></dd><dt><span class="term">mod_mime</span></dt><dd><p>
The mime module makes certain that a file is delivered with the
correct MIME header based on the filename's extension (for example
<code class="systemitem">text/html</code> for HTML documents). This module
is enabled by default.
</p></dd><dt><span class="term">mod_negotiation</span></dt><dd><p>
Necessary for content negotiation. See
<a class="ulink" href="http://httpd.apache.org/docs/2.2/content-negotiation.html" target="_top">http://httpd.apache.org/docs/2.2/content-negotiation.html</a>
for more information. This module is enabled by default.
</p></dd><dt><span class="term">mod_rewrite</span></dt><dd><p>
Provides the functionality of <code class="systemitem">mod_alias</code>, but
offers more features and flexibility. With
<code class="systemitem">mod_rewrite</code>, you can redirect URLs based on
multiple rules, request headers, and more.
</p></dd><dt><span class="term">mod_setenvif</span></dt><dd><p>
Sets environment variables based on details of the client's request,
such as the browser string the client sends, or the client's IP
address. This module is enabled by default.
</p></dd><dt><span class="term">mod_speling</span></dt><dd><p>
<code class="systemitem">mod_speling</code> attempts to automatically
correct typographical errors in URLs, such as capitalization errors.
</p></dd><dt><span class="term">mod_ssl</span></dt><dd><p>
Enables encrypted connections between Web server and clients. See
<a class="xref" href="cha.apache2.html#sec.apache2.ssl" title="28.6. Setting Up a Secure Web Server with SSL">Section 28.6, “Setting Up a Secure Web Server with SSL”</a> for details. This module is enabled
by default.
</p></dd><dt><span class="term">mod_status</span></dt><dd><p>
Provides information on server activity and performance under
http://localhost/server-status/. For security reasons, you should
always limit access to this URL. By default, only
<code class="systemitem">localhost</code> is allowed to
access this URL. <code class="systemitem">mod_status</code> is configured at
<code class="filename">/etc/apache2/mod_status.conf</code>
</p></dd><dt><span class="term">mod_suexec</span></dt><dd><p>
<code class="systemitem">mod_suexec</code> lets you run CGI scripts under a
different user and group. This module is enabled by default.
</p></dd><dt><span class="term">mod_userdir</span></dt><dd><p>
Enables user-specific directories available under
<code class="filename">~<em class="replaceable"><code>user</code></em>/</code>. The
<code class="systemitem">UserDir</code> directive must be specified in the
configuration. This module is enabled by default.
</p></dd></dl></div></div><div class="sect2" title="28.4.4. Multiprocessing Modules"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.mpm"></a>28.4.4. Multiprocessing Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.mpm">¶</a></span></h3></div></div></div><a class="indexterm" name="id497868"></a><p>
openSUSE provides two different multiprocessing modules (MPMs) for
use with Apache:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.modules.mpm.prefork" title="28.4.4.1. Prefork MPM">Prefork MPM</a>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<a class="xref" href="cha.apache2.html#sec.apache2.modules.mpm.worker" title="28.4.4.2. Worker MPM">Section 28.4.4.2, “Worker MPM”</a>
</p></li></ul></div><div class="sect3" title="28.4.4.1. Prefork MPM"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.modules.mpm.prefork"></a>28.4.4.1. Prefork MPM<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.mpm.prefork">¶</a></span></h4></div></div></div><p>
The prefork MPM implements a nonthreaded, preforking Web server. It
makes the Web server behave similarly to Apache version 1.x. In this
version it isolates each request and handles it by forking a separate
child process. Thus problematic requests cannot affect others, avoiding
a lockup of the Web server.
</p><p>
While providing stability with this process-based approach, the prefork
MPM consumes more system resources than its counterpart, the worker
MPM. The prefork MPM is considered the default MPM for Unix-based
operating systems.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: MPMs in This Document"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">MPMs in This Document</th></tr><tr><td colspan="2" align="left" valign="top"><p>
This document assumes Apache is used with the prefork MPM.
</p></td></tr></table></div></div><div class="sect3" title="28.4.4.2. Worker MPM"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.modules.mpm.worker"></a>28.4.4.2. Worker MPM<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.mpm.worker">¶</a></span></h4></div></div></div><p>
The worker MPM provides a multi-threaded Web server. A thread is a
<span class="quote">“<span class="quote">lighter</span>”</span> form of a process. The advantage of a thread
over a process is its lower resource consumption. Instead of only
forking child processes, the worker MPM serves requests by using
threads with server processes. The preforked child processes are
multi-threaded. This approach makes Apache perform better by consuming
fewer system resources than the prefork MPM.
</p><p>
One major disadvantage is the stability of the worker MPM: if a thread
becomes corrupt, all threads of a process can be affected. In the worst
case, this may result in a server crash. Especially when using the
Common Gateway Interface (CGI) with Apache under heavy load, internal
server errors might occur due to threads being unable to communicate
with system resources. Another argument against using the worker MPM
with Apache is that not all available Apache modules are thread-safe
and thus cannot be used in conjunction with the worker MPM.
</p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: Using PHP Modules with MPMs"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">Using PHP Modules with MPMs</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Not all available PHP modules are thread-safe. Using the worker MPM
with <code class="systemitem">mod_php</code> is strongly discouraged.
</p></td></tr></table></div></div></div><div class="sect2" title="28.4.5. External Modules"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.external"></a>28.4.5. External Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.external">¶</a></span></h3></div></div></div><a class="indexterm" name="id498015"></a><p>
Find a list of all external modules shipped with openSUSE here.
Find the module's documentation in the listed directory.
</p><div class="variablelist"><dl><dt><span class="term">mod-apparmor</span></dt><dd><p>
Adds support to Apache to provide Novell AppArmor confinement to individual CGI
scripts handled by modules like <code class="systemitem">mod_php5</code> and
<code class="systemitem">mod_perl</code>.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_apparmor</code>
</td></tr><tr><td>
More Information: Part “Confining Privileges with Novell AppArmor” (↑Security Guide)
</td></tr></table></dd><dt><span class="term">mod_mono</span></dt><dd><p>
Using <code class="systemitem">mod_mono</code> allows you to run ASP.NET
pages in your server.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_mono</code>
</td></tr><tr><td>
Configuration File:
<code class="filename">/etc/apache2/conf.d/mod_mono.conf</code>
</td></tr></table></dd><dt><span class="term">mod_perl</span></dt><dd><p>
<code class="systemitem">mod_perl</code> enables you to run Perl scripts in
an embedded interpreter. The persistent interpreter embedded in the
server avoids the overhead of starting an external interpreter and
the penalty of Perl start-up time.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_perl</code>
</td></tr><tr><td>
Configuration File: <code class="filename">/etc/apache2/conf.d/mod_perl.conf</code>
</td></tr><tr><td>
More Information:
<code class="filename">/usr/share/doc/packages/apache2-mod_perl</code>
</td></tr></table></dd><dt><span class="term">mod_php5</span></dt><dd><p>
PHP is a server-side, cross-platform HTML embedded scripting
language.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_php5</code>
</td></tr><tr><td>
Configuration File: <code class="filename">/etc/apache2/conf.d/php5.conf</code>
</td></tr><tr><td>
More Information:
<code class="filename">/usr/share/doc/packages/apache2-mod_php5</code>
</td></tr></table></dd><dt><span class="term">mod_python</span></dt><dd><p>
<code class="systemitem">mod_python</code> allows embedding Python within
the Apache HTTP server for a considerable boost in performance and
added flexibility in designing Web-based applications.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_python</code>
</td></tr><tr><td>
More Information:
<code class="filename">/usr/share/doc/packages/apache2-mod_python</code>
</td></tr></table></dd><dt><span class="term">mod_tidy</span></dt><dd><p>
<code class="systemitem">mod_tidy</code> validates each outgoing HTML page
by means of the TidyLib. In case of a validation error, a page with
an error list is delivered. Otherwise the original HTML page is
delivered.
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
Package Name: <code class="systemitem">apache2-mod_tidy</code>
</td></tr><tr><td>
Configuration File: <code class="filename">/etc/apache2/mod_tidy.conf</code>
</td></tr><tr><td>
More Information: <code class="filename">/usr/share/doc/packages/apache2-mod_tidy</code>
</td></tr></table></dd></dl></div></div><div class="sect2" title="28.4.6. Compilation"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.modules.building_modules"></a>28.4.6. Compilation<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.modules.building_modules">¶</a></span></h3></div></div></div><a class="indexterm" name="id498308"></a><p>
Apache can be extended by advanced users by writing custom modules. To
develop modules for Apache or compile third-party modules, the package
<code class="systemitem">apache2-devel</code> is required along with the
corresponding development tools. <code class="systemitem">apache2-devel</code>
also contains the <span class="command"><strong>apxs2</strong></span> tools, which are necessary
for compiling additional modules for Apache.
</p><p>
<span class="command"><strong>apxs2</strong></span> enables the compilation and installation of
modules from source code (including the required changes to the
configuration files), which creates <span class="emphasis"><em>dynamic shared
objects</em></span> (DSOs) that can be loaded into Apache at runtime.
</p><p>
The <span class="command"><strong>apxs2</strong></span> binaries are located under
<code class="filename">/usr/sbin</code>:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/usr/sbin/apxs2</code>—suitable for building an
extension module that works with any MPM. The installation location is
<code class="filename">/usr/lib/apache2</code>.
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/usr/sbin/apxs2-prefork</code>—suitable for
prefork MPM modules. The installation location is
<code class="filename">/usr/lib/apache2-prefork</code>.
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/usr/sbin/apxs2-worker</code>—suitable for worker
MPM modules. The installation location is
<code class="filename">/usr/lib/apache2-worker</code>.
</p></li></ul></div><p>
Install and activate a module from source code with the following
commands:
</p><pre class="screen">cd /path/to/module/source; apxs2 -cia
<em class="replaceable"><code>mod_foo</code></em>.c</pre><p>
where <code class="option">-c</code> compiles the module, <code class="option">-i</code>
installs it, and <code class="option">-a</code> activates it. Other options of
<span class="command"><strong>apxs2</strong></span> are described in the
<code class="systemitem">apxs2(1)</code> man page.
</p><a class="indexterm" name="id498451"></a></div></div><div class="sect1" title="28.5. Getting CGI Scripts to Work"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.cgi"></a>28.5. Getting CGI Scripts to Work<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.cgi">¶</a></span></h2></div></div></div><a class="indexterm" name="id498469"></a><p>
Apache's Common Gateway Interface (CGI) lets you create dynamic content
with programs or scripts usually referred to as CGI scripts. CGI scripts
can be written in any programming language. Usually, script languages
such as Perl or PHP are used.
</p><p>
To enable Apache to deliver content created by CGI scripts,
<code class="systemitem">mod_cgi</code> needs to be activated.
<code class="systemitem">mod_alias</code> is also needed. Both modules are
enabled by default. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.modules.activating" title="28.4.2. Activation and Deactivation">Section 28.4.2, “Activation and Deactivation”</a> for details on
activating modules.
</p><div class="warning"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Warning: CGI Security"><tr class="head"><td width="32"><img alt="[Warning]" src="admon/warning.png"></td><th align="left">CGI Security</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Allowing the server to execute CGI scripts is a potential security hole.
Refer to <a class="xref" href="cha.apache2.html#sec.apache2.security" title="28.7. Avoiding Security Problems">Section 28.7, “Avoiding Security Problems”</a> for additional
information.
</p></td></tr></table></div><div class="sect2" title="28.5.1. Apache Configuration"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.cgi.configuration"></a>28.5.1. Apache Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.cgi.configuration">¶</a></span></h3></div></div></div><p>
In openSUSE, the execution of CGI scripts is only allowed in the
directory <code class="filename">/srv/www/cgi-bin/</code>. This location is
already configured to execute CGI scripts. If you have created a virtual
host configuration (see
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost" title="28.2.2.1. Virtual Host Configuration">Section 28.2.2.1, “Virtual Host Configuration”</a>) and
want to place your scripts in a host-specific directory, you must unlock
and configure this directory.
</p><div class="example"><a name="ex.apache2.cgi.configuration"></a><p class="title"><b>Example 28.5. VirtualHost CGI Configuration</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#ex.apache2.cgi.configuration">¶</a></span></p><div class="example-contents"><pre class="screen">ScriptAlias /cgi-bin/ "/srv/www/www.example.com/cgi-bin/"<a name="co.apache2.cgi.script_alias"></a><img src="callouts/1.png" alt="1" border="0">
<Directory "/srv/www/www.example.com/cgi-bin/">
Options +ExecCGI<a name="co.apache2.cgi.options"></a><img src="callouts/2.png" alt="2" border="0">
AddHandler cgi-script .cgi .pl<a name="co.apache2.cgi.handler"></a><img src="callouts/3.png" alt="3" border="0">
Order allow,deny<a name="co.apache2.cgi.order"></a><img src="callouts/4.png" alt="4" border="0">
Allow from all
</Directory></pre><div class="calloutlist"><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><p><a href="#co.apache2.cgi.script_alias"><img src="callouts/1.png" alt="1" border="0"></a> </p></td><td valign="top" align="left"><p>
Tells Apache to handle all files within this directory as CGI
scripts.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.apache2.cgi.options"><img src="callouts/2.png" alt="2" border="0"></a> </p></td><td valign="top" align="left"><p>
Enables CGI script execution
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.apache2.cgi.handler"><img src="callouts/3.png" alt="3" border="0"></a> </p></td><td valign="top" align="left"><p>
Tells the server to treat files with the extensions .pl and .cgi as
CGI scripts. Adjust according to your needs.
</p></td></tr><tr><td width="5%" valign="top" align="left"><p><a href="#co.apache2.cgi.order"><img src="callouts/4.png" alt="4" border="0"></a> </p></td><td valign="top" align="left"><p>
The <code class="systemitem">Order </code>and <code class="systemitem">Allow</code>
directives control the default access state and the order in which
allow and deny directives are evaluated. In this case
<span class="quote">“<span class="quote">allow</span>”</span> statements are evaluated before
<span class="quote">“<span class="quote">deny</span>”</span> statements and universal access is enabled.
</p></td></tr></table></div></div></div><br class="example-break"></div><div class="sect2" title="28.5.2. Running an Example Script"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.cgi.example_script"></a>28.5.2. Running an Example Script<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.cgi.example_script">¶</a></span></h3></div></div></div><p>
CGI programming differs from "regular" programming in that the CGI
programs and scripts must be preceded by a MIME-Type header such as
<code class="literal">Content-type: text/html</code>. This header is sent to the
client, so it understands what kind of content it receives. Secondly,
the script's output must be something the client, usually a Web browser,
understands—HTML in most cases or plain text or images, for
example.
</p><p>
A simple test script available under
<code class="filename">/usr/share/doc/packages/apache2/test-cgi</code> is part of
the Apache package. It outputs the content of some environment variables
as plain text. Copy this script to either
<code class="filename">/srv/www/cgi-bin/</code> or the script directory of your
virtual host (<code class="filename">/srv/www/www.example.com/cgi-bin/</code>) and name
it <code class="filename">test.cgi</code>.
</p><p>
Files accessible by the Web server should be owned by the user
<code class="systemitem">root</code>. For additional
information see <a class="xref" href="cha.apache2.html#sec.apache2.security" title="28.7. Avoiding Security Problems">Section 28.7, “Avoiding Security Problems”</a>. Because the Web
server runs with a different user, the CGI scripts must be
world-executable and world-readable. Change into the CGI directory and
use the command <span class="command"><strong>chmod 755 test.cgi</strong></span> to apply the
proper permissions.
</p><p>
Now call <code class="literal">http://localhost/cgi-bin/test.cgi</code> or
<code class="literal">http://www.example.com/cgi-bin/test.cgi</code>. You should see the
<span class="quote">“<span class="quote">CGI/1.0 test script report</span>”</span>.
</p></div><div class="sect2" title="28.5.3. CGI Troubleshooting"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.cgi.troubleshooting"></a>28.5.3. CGI Troubleshooting<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.cgi.troubleshooting">¶</a></span></h3></div></div></div><p>
If you do not see the output of the test program but an error message
instead, check the following:
</p><div class="itemizedlist" title="CGI Troubleshooting"><p class="title"><b>CGI Troubleshooting</b></p><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
Have you reloaded the server after having changed the configuration?
Check with <span class="command"><strong>rcapache2 probe</strong></span>.
</p></li><li class="listitem" style="list-style-type: disc"><p>
If you have configured your custom CGI directory, is it configured
properly? If in doubt, try the script within the default CGI directory
<code class="filename">/srv/www/cgi-bin/</code> and call it with
<code class="literal">http://localhost/cgi-bin/test.cgi</code>.
</p></li><li class="listitem" style="list-style-type: disc"><p>
Are the file permissions correct? Change into the CGI directory and
execute <span class="command"><strong>ls -l test.cgi</strong></span>. Its output should start
with
</p><pre class="screen">-rwxr-xr-x 1 root root</pre></li><li class="listitem" style="list-style-type: disc"><p>
Make sure that the script does not contain programming errors. If you
have not changed <code class="filename">test.cgi</code>, this should not be the
case, but if you are using your own programs, always make sure that
they do not contain programming errors.
</p></li></ul></div></div></div><div class="sect1" title="28.6. Setting Up a Secure Web Server with SSL"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.ssl"></a>28.6. Setting Up a Secure Web Server with SSL<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl">¶</a></span></h2></div></div></div><a class="indexterm" name="idx.apache2.ssl"></a><p>
Whenever sensitive data, such as credit card information, is transferred
between Web server and client, it is desirable to have a secure,
encrypted connection with authentication.
<code class="systemitem">mod_ssl</code> provides strong encryption using the
secure sockets layer (SSL) and transport layer security (TLS) protocols
for HTTP communication between a client and the Web server. Using
SSL/TSL, a private connection between Web server and client is
established. Data integrity is ensured and client and server are able to
authenticate each other.
</p><p>
For this purpose, the server sends an SSL certificate that holds
information proving the server's valid identity before any request to a
URL is answered. In turn, this guarantees that the server is the uniquely
correct end point for the communication. Additionally, the certificate
generates an encrypted connection between client and server that can
transport information without the risk of exposing sensitive, plain-text
content.
</p><p>
<code class="systemitem">mod_ssl</code> does not implement the SSL/TSL protocols
itself, but acts as an interface between Apache and an SSL library. In
openSUSE, the OpenSSL library is used. OpenSSL is automatically
installed with Apache.
</p><p>
The most visible effect of using <code class="systemitem">mod_ssl</code> with
Apache is that URLs are prefixed with <code class="literal">https://</code> instead
of <code class="literal">http://</code>.
</p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: Example Certificate"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">Example Certificate</th></tr><tr><td colspan="2" align="left" valign="top"><p>
An example certificate for a hypothetical company <span class="quote">“<span class="quote">Snake
Oil</span>”</span> is available when installing the package
<code class="systemitem">apache2-example-certificates</code>.
</p></td></tr></table></div><div class="sect2" title="28.6.1. Creating an SSL Certificate"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.ssl.certificate"></a>28.6.1. Creating an SSL Certificate<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl.certificate">¶</a></span></h3></div></div></div><a class="indexterm" name="id498914"></a><p>
In order to use SSL/TSL with the Web server, you need to create an SSL
certificate. This certificate is needed for the authorization between
Web server and client, so that each party can clearly identify the other
party. To ensure the integrity of the certificate, it must be signed by
a party every user trusts.
</p><p>
There are three types of certificates you can create: a
<span class="quote">“<span class="quote">dummy</span>”</span> certificate for testing purposes only, a
self-signed certificate for a defined circle of users that trust you,
and a certificate signed by an independent, publicly-known certificate
authority (CA).
</p><p>
Creating a certificate is basically a two step process. First, a private
key for the certificate authority is generated then the server
certificate is signed with this key.
</p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: For More Information"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">For More Information</th></tr><tr><td colspan="2" align="left" valign="top"><p>
To learn more about concepts and definitions of SSL/TSL, refer to
<a class="ulink" href="http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html" target="_top">http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html</a>.
</p></td></tr></table></div><div class="sect3" title="28.6.1.1. Creating a “Dummy” Certificate"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.ssl.certificate.dummy"></a>28.6.1.1. Creating a <span class="quote">“<span class="quote">Dummy</span>”</span> Certificate<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl.certificate.dummy">¶</a></span></h4></div></div></div><p>
Generating a dummy certificate is simple. Just call the script
<span class="command"><strong>/usr/bin/gensslcert</strong></span>. It creates or overwrites the
files listed below. Make use of <span class="command"><strong>gensslcert</strong></span>'s
optional switches to fine-tune the certificate. Call
<span class="command"><strong>/usr/bin/gensslcert <code class="option">-h</code></strong></span> for
more information.
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/etc/apache2/ssl.crt/ca.crt</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/etc/apache2/ssl.crt/server.crt</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/etc/apache2/ssl.key/server.key</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/etc/apache2/ssl.csr/server.csr</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="filename">/root/.mkcert.cfg</code>
</p></li></ul></div><p>
A copy of <code class="filename">ca.crt</code> is also placed at
<code class="filename">/srv/www/htdocs/CA.crt</code> for download.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: For Testing Purposes Only"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">For Testing Purposes Only</th></tr><tr><td colspan="2" align="left" valign="top"><p>
A dummy certificate should never be used on a production system. Only
use it for testing purposes.
</p></td></tr></table></div></div><div class="sect3" title="28.6.1.2. Creating a Self-Signed Certificate"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.ssl.certificate.custom"></a>28.6.1.2. Creating a Self-Signed Certificate<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl.certificate.custom">¶</a></span></h4></div></div></div><p>
If you are setting up a secure Web server for an Intranet or for a
defined circle of users, it might be sufficient if you sign a
certificate with your own certificate authority (CA).
</p><p>
Creating a self-signed certificate is an interactive nine-step process.
Change into the directory
<code class="filename">/usr/share/doc/packages/apache2</code> and run the
following command: <span class="command"><strong>./mkcert.sh
make <code class="option">--no-print-directory /usr/bin/openssl /usr/sbin/
custom</code></strong></span>. Do not attempt to run this command from
outside this directory. The program provides a series of prompts, some
of which require user input.
</p><div class="procedure" title="Procedure 28.4. Creating a Self-Signed Certificate with mkcert.sh"><a name="pro.apache2.ssl.certificate.custom"></a><p class="title"><b>Procedure 28.4. Creating a Self-Signed Certificate with <span class="command"><strong>mkcert.sh</strong></span></b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#pro.apache2.ssl.certificate.custom">¶</a></span></p><ol class="procedure" type="1"><li><p>
<code class="literal">Decide the signature algorithm used for certificates
</code>
</p><p>
Choose RSA (<span class="keycap">R</span>, the default), because some older
browsers have problems with DSA.
</p></li><li><p>
<code class="literal">Generating RSA private key for CA (1024 bit)</code>
</p><p>
No interaction needed.
</p></li><li><p>
<code class="literal">Generating X.509 certificate signing request for
CA</code>
</p><p>
Create the CA's distinguished name here. This requires you to answer
a few questions, such as country name or organization name. Enter
valid data, because everything you enter here later shows up in the
certificate. You do not need to answer every question. If one does
not apply to you or you want to leave it blank, use <span class="quote">“<span class="quote">.</span>”</span>.
Common name is the name of the CA itself—choose a significant
name, such as <em class="replaceable"><code>My company</code></em> CA.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Common Name of the CA"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Common Name of the CA</th></tr><tr><td colspan="2" align="left" valign="top"><p>
The common name of the CA must be different from the server's common
name, so do not choose the fully qualified hostname in this step.
</p></td></tr></table></div></li><li><p>
<code class="literal">Generating X.509 certificate for CA signed by
itself</code>
</p><p>
Choose certificate version <span class="keycap">3</span> (the default).
</p></li><li><p>
<code class="literal">Generating RSA private key for SERVER (1024 bit)</code>
</p><p>
No interaction needed.
</p></li><li><p>
<code class="literal">Generating X.509 certificate signing request for
SERVER</code>
</p><p>
Create the distinguished name for the server key here. Questions are
almost identical to the ones already answered for the CA's
distinguished name. The data entered here applies to the Web server
and does not necessarily need to be identical to the CA's data (for
example, if the server is located elsewhere).
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Selecting a Common Name"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Selecting a Common Name</th></tr><tr><td colspan="2" align="left" valign="top"><p>
The common name you enter here must be the fully qualified hostname
of your secure server (for example, www.example.com). Otherwise the
browser issues a warning that the certificate does not match the
server when accessing the Web server.
</p></td></tr></table></div></li><li><p>
<code class="literal">Generating X.509 certificate signed by own CA</code>
</p><p>
Choose certificate version <span class="keycap">3</span> (the default).
</p></li><li><p>
<code class="literal">Encrypting RSA private key of CA with a passphrase for
security</code>
</p><p>
It is strongly recommended to encrypt the private key of the CA with
a password, so choose <span class="keycap">Y</span> and enter a password.
</p></li><li><p>
<code class="literal">Encrypting RSA private key of SERVER with a passphrase for
security</code>
</p><p>
Encrypting the server key with a password requires you to enter this
password every time you start the Web server. This makes it difficult
to automatically start the server on boot or to restart the Web
server. Therefore, it is common sense to say <span class="keycap">N</span> to
this question. Keep in mind that your key is unprotected when not
encrypted with a password and make sure that only authorized persons
have access to the key.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Encrypting the Server Key"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Encrypting the Server Key</th></tr><tr><td colspan="2" align="left" valign="top"><p>
If you choose to encrypt the server key with a password, increase
the value for <code class="systemitem">APACHE_TIMEOUT</code> in
<code class="filename">/etc/sysconfig/apache2</code>. Otherwise you do not
have enough time to enter the passphrase before the attempt to start
the server is stopped unsuccessfully.
</p></td></tr></table></div></li></ol></div><p>
The script's result page presents a list of certificates and keys it
has generated. Contrary to what the script outputs, the files have not
been generated in the local directory <code class="filename">conf</code>, but to
the correct locations under <code class="filename">/etc/apache2/</code>.
</p><p>
The last step is to copy the CA certificate file from
<code class="filename">/etc/apache2/ssl.crt/ca.crt</code> to a location where
your users can access it in order to incorporate it into the list of
known and trusted CAs in their Web browsers. Otherwise a browser
complains that the certificate was issued by an unknown authority. The
certificate is valid for one year.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Self-Signed Certificates"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Self-Signed Certificates</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Only use a self-signed certificate on a Web server that is accessed by
people who know and trust you as a certificate authority. It is not
recommended to use such a certificate for a public shop, for example.
</p></td></tr></table></div></div><div class="sect3" title="28.6.1.3. Getting an Officially Signed Certificate"><div class="titlepage"><div><div><h4 class="title"><a name="sec.apache2.ssl.certificate.official"></a>28.6.1.3. Getting an Officially Signed Certificate<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl.certificate.official">¶</a></span></h4></div></div></div><p>
There are a number of official certificate authorities that sign your
certificates. The certificate is signed by a trustworthy third party,
so can be fully trusted. Publicly operating secure Web servers usually
have got an officially signed certificate.
</p><p>
The best-known official CAs are Thawte
(<a class="ulink" href="http://www.thawte.com/" target="_top">http://www.thawte.com/</a>) or Verisign
(<a class="ulink" href="http://www.verisign.com" target="_top">http://www.verisign.com</a>). These and other CAs are
already compiled into all browsers, so certificates signed by these
certificate authorities are automatically accepted by the browser.
</p><p>
When requesting an officially signed certificate, you do not send a
certificate to the CA. Instead, issue a Certificate Signing Request
(CSR). To create a CSR, call the script
<span class="command"><strong>/usr/share/ssl/misc/CA.sh -newreq</strong></span>.
</p><p>
First the script asks for a password with which the CSR should be
encrypted. Then you are asked to enter a distinguished name. This
requires you to answer a few questions, such as country name or
organization name. Enter valid data—everything you enter here
later shows up in the certificate and is checked. You do not need to
answer every question. If one does not apply to you or you want to
leave it blank, use <span class="quote">“<span class="quote">.</span>”</span>. Common name is the name of the CA
itself—choose a significant name, such as <em class="replaceable"><code>My
company</code></em> CA. Last, a challenge password and an alternative
company name must be entered.
</p><p>
Find the CSR in the directory from which you called the script. The
file is named <code class="filename">newreq.pem</code>.
</p></div></div><div class="sect2" title="28.6.2. Configuring Apache with SSL"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.ssl.configuration"></a>28.6.2. Configuring Apache with SSL<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.ssl.configuration">¶</a></span></h3></div></div></div><a class="indexterm" name="id499490"></a><p>
The default port for SSL and TLS requests on the Web server side is 443.
There is no conflict between a <span class="quote">“<span class="quote">regular</span>”</span> Apache listening
on port 80 and an SSL/TLS-enabled Apache listening on port 443. In fact,
HTTP and HTTPS can be run with the same Apache instance. Usually
separate virtual hosts are used to dispatch requests to port 80 and port
443 to separate virtual servers.
</p><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Firewall Configuration"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Firewall Configuration</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Do not forget to open the firewall for SSL-enabled Apache on port 443.
This can be done with YaST as described in
Section “Configuring the Firewall with YaST” (Chapter 14, <i>Masquerading and Firewalls</i>, ↑Security Guide).
</p></td></tr></table></div><p>
The SSL module is enabled by default in the global server configuration.
In case it has been disabled on your host, activate it with the
following command: <span class="command"><strong>a2enmod ssl</strong></span>. To finally enable
SSL, the server needs to be started with the flag <span class="quote">“<span class="quote">SSL</span>”</span>. To
do so, call <span class="command"><strong>a2enflag SSL</strong></span>. If you have chosen to
encrypt your server certificate with a password, you should also
increase the value for <code class="systemitem">APACHE_TIMEOUT</code> in
<code class="filename">/etc/sysconfig/apache2</code>, so you have enough time to
enter the passphrase when Apache starts. Restart the server to make
these changes active. A reload is not sufficient.
</p><p>
The virtual host configuration directory contains a template
<code class="filename">/etc/apache2/vhosts.d/vhost-ssl.template</code> with
SSL-specific directives that are extensively documented. Refer to
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost" title="28.2.2.1. Virtual Host Configuration">Section 28.2.2.1, “Virtual Host Configuration”</a> for the
general virtual host configuration.
</p><p>
To get started, copy the template to
<code class="filename">/etc/apache2/vhosts.d/<em class="replaceable"><code>mySSL-host</code></em>.conf</code>
and edit it. Adjusting the values for the following directives should be
sufficient:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">DocumentRoot</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">ServerName</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">ServerAdmin</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">ErrorLog</code>
</p></li><li class="listitem" style="list-style-type: disc"><p>
<code class="systemitem">TransferLog</code>
</p></li></ul></div><div class="important"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Important: Name-Based Virtual Hosts and SSL"><tr class="head"><td width="32"><img alt="[Important]" src="admon/important.png"></td><th align="left">Name-Based Virtual Hosts and SSL</th></tr><tr><td colspan="2" align="left" valign="top"><p>
It is not possible to run multiple SSL-enabled virtual hosts on a
server with only one IP address. Users connecting to such a setup
receive a warning message stating that the certificate does not match
the server name every time they visit the URL. A separate IP address or
port is necessary for every SSL-enabled domain to achieve communication
based on a valid SSL certificate.
</p></td></tr></table></div><a class="indexterm" name="id499662"></a></div></div><div class="sect1" title="28.7. Avoiding Security Problems"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.security"></a>28.7. Avoiding Security Problems<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security">¶</a></span></h2></div></div></div><a class="indexterm" name="id499680"></a><p>
A Web server exposed to the public Internet requires an ongoing
administrative effort. It is inevitable that security issues appear, both
related to the software and to accidental misconfiguration. Here are some
tips for how to deal with them.
</p><div class="sect2" title="28.7.1. Up-to-Date Software"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.security.up-to-date"></a>28.7.1. Up-to-Date Software<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security.up-to-date">¶</a></span></h3></div></div></div><p>
If there are vulnerabilities found in the Apache software, a security
advisory will be issued by SUSE. It contains instructions for fixing
the vulnerabilities, which in turn should be applied as soon as
possible. The SUSE security announcements are available from the
following locations:
</p><div class="itemizedlist"><ul class="itemizedlist" type="bullet"><li class="listitem" style="list-style-type: disc"><p title="Web Page"><b>Web Page. </b>
<a class="ulink" href="http://www.novell.com/linux/security/securitysupport.html" target="_top">http://www.novell.com/linux/security/securitysupport.html</a>
</p></li><li class="listitem" style="list-style-type: disc"><p title="Mailing List"><b>Mailing List. </b>
<a class="ulink" href="http://en.opensuse.org/openSUSE:Support_channels" target="_top">http://en.opensuse.org/openSUSE:Support_channels</a>
</p></li><li class="listitem" style="list-style-type: disc"><p title="RSS Feed"><b>RSS Feed. </b>
<a class="ulink" href="http://www.novell.com/linux/security/suse_security.xml" target="_top">http://www.novell.com/linux/security/suse_security.xml</a>
</p></li></ul></div></div><div class="sect2" title="28.7.2. DocumentRoot Permissions"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.security.permissions"></a>28.7.2. DocumentRoot Permissions<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security.permissions">¶</a></span></h3></div></div></div><p>
By default in openSUSE, the <code class="systemitem">DocumentRoot</code>
directory <code class="filename">/srv/www/htdocs</code> and the CGI directory
<code class="filename">/srv/www/cgi-bin</code> belong to the user and group
<code class="systemitem">root</code>. You should not change these permissions.
If the directories are writable for all, any user can place files into
them. These files might then be executed by Apache with the permissions
of <code class="systemitem">wwwrun</code>, which may give the user unintended
access to file system resources. Use subdirectories of
<code class="filename">/srv/www</code> to place the
<code class="systemitem">DocumentRoot</code> and CGI directories for your
virtual hosts and make sure that directories and files belong to user
and group <code class="systemitem">root</code>.
</p></div><div class="sect2" title="28.7.3. File System Access"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.security.filesystem"></a>28.7.3. File System Access<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security.filesystem">¶</a></span></h3></div></div></div><p>
By default, access to the whole file system is denied in
<code class="filename">/etc/apache2/httpd.conf</code>. You should never overwrite
these directives, but specifically enable access to all directories
Apache should be able to read. For details, see
<a class="xref" href="cha.apache2.html#sec.apache2.configuration.manually.vhost.basic_configuration" title="28.2.2.1.3. Basic Virtual Host Configuration">Section 28.2.2.1.3, “Basic Virtual Host Configuration”</a>.
In doing so, ensure that no critical files, such as password or system
configuration files, can be read from the outside.
</p></div><div class="sect2" title="28.7.4. CGI Scripts"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.security.cgi"></a>28.7.4. CGI Scripts<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security.cgi">¶</a></span></h3></div></div></div><p>
Interactive scripts in Perl, PHP, SSI, or any other programming language
can essentially run arbitrary commands and therefore present a general
security issue. Scripts that will be executed from the server should
only be installed from sources the server administrator
trusts—allowing users to run their own scripts is generally not a
good idea. It is also recommended to do security audits for all scripts.
</p><p>
To make the administration of scripts as easy as possible, it is common
practice to limit the execution of CGI scripts to specific directories
instead of globally allowing them. The directives
<code class="systemitem">ScriptAlias</code> and <code class="systemitem">Option
ExecCGI</code> are used for configuration. The openSUSE
default configuration does not allow execution of CGI scripts from
everywhere.
</p><p>
All CGI scripts run as the same user, so different scripts can
potentially conflict with each other. The module suEXEC lets you run CGI
scripts under a different user and group.
</p></div><div class="sect2" title="28.7.5. User Directories"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.security.users"></a>28.7.5. User Directories<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.security.users">¶</a></span></h3></div></div></div><p>
When enabling user directories (with
<code class="systemitem">mod_userdir</code> or
<code class="systemitem">mod_rewrite</code>) you should strongly consider not
allowing <code class="filename">.htaccess</code> files, which would allow users
to overwrite security settings. At least you should limit the user's
engagement by using the directive
<code class="systemitem">AllowOverRide</code>. In openSUSE,
<code class="filename">.htaccess</code> files are enabled by default, but the
user is not allowed to overwrite any <code class="systemitem">Option</code>
directives when using <code class="systemitem">mod_userdir</code> (see the
<code class="filename">/etc/apache2/mod_userdir.conf</code> configuration file).
</p></div></div><div class="sect1" title="28.8. Troubleshooting"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.troubleeshooting"></a>28.8. Troubleshooting<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.troubleeshooting">¶</a></span></h2></div></div></div><a class="indexterm" name="id499961"></a><p>
If Apache does not start, the Web page is not accessible, or users cannot
connect to the Web server, it is important to find the cause of the
problem. Here are some typical places to look for error explanations and
important things to check:
</p><div class="variablelist"><dl><dt><span class="term">Output of <span class="command"><strong>rcapache2</strong></span>
</span></dt><dd><p>
Instead of starting and stopping the Web server with the binary
<code class="filename">/usr/sbin/httpd2</code>, rather use the
<span class="command"><strong>rcapache2</strong></span> script instead (described in
<a class="xref" href="cha.apache2.html#sec.apache2.start_stop" title="28.3. Starting and Stopping Apache">Section 28.3, “Starting and Stopping Apache”</a>). It is verbose about
errors, and it even provides tips and hints for solving configuration
errors.
</p></dd><dt><span class="term">Log Files and Verbosity</span></dt><dd><p>
In case of both fatal and nonfatal errors, check the Apache log files
for causes, mainly the error log file that is located at
<code class="filename">/var/log/apache2/error_log</code> by default.
Additionally, you can control the verbosity of the logged messages
with the <code class="systemitem">LogLevel</code> directive if more detail is
needed in the log files.
</p><div class="tip"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Tip: A Simple Test"><tr class="head"><td width="32"><img alt="[Tip]" src="admon/tip.png"></td><th align="left">A Simple Test</th></tr><tr><td colspan="2" align="left" valign="top"><p>
Watch the Apache log messages with the command <span class="command"><strong>tail -F
/var/log/apache2/<em class="replaceable"><code>my_error_log</code></em></strong></span>.
Then run <span class="command"><strong>rcapache2 restart</strong></span>. Now, try to connect
with a browser and check the output.
</p></td></tr></table></div></dd><dt><span class="term">Firewall and Ports</span></dt><dd><p>
A common mistake is to not open the ports for Apache in the firewall
configuration of the server. If you configure Apache with YaST,
there is a separate option available to take care of this specific
issue (see <a class="xref" href="cha.apache2.html#sec.apache2.configuration.yast" title="28.2.3. Configuring Apache with YaST">Section 28.2.3, “Configuring Apache with YaST”</a>). If you
are configuring Apache manually, open firewall ports for HTTP and
HTTPS via YaST's firewall module.
</p></dd></dl></div><p>
If the error cannot be tracked down with the help of any these, check the
online Apache bug database at
<a class="ulink" href="http://httpd.apache.org/bug_report.html" target="_top">http://httpd.apache.org/bug_report.html</a>. Additionally, the
Apache user community can be reached via a mailing list available at
<a class="ulink" href="http://httpd.apache.org/userslist.html" target="_top">http://httpd.apache.org/userslist.html</a>. A recommended
newsgroup is <a class="ulink" href="comp.infosystems.www.servers.unix" target="_top">comp.infosystems.www.servers.unix</a>.
</p></div><div class="sect1" title="28.9. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.apache2.more_information"></a>28.9. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.more_information">¶</a></span></h2></div></div></div><p>
The package <code class="systemitem">apache2-doc</code> contains the complete
Apache manual in various localizations for local installation and
reference. It is not installed by default—the quickest way to
install it is to use the command <span class="command"><strong>zypper in
apache2-doc</strong></span>. Once installed, the Apache manual is available at
<a class="ulink" href="http://localhost/manual/" target="_top">http://localhost/manual/</a>. You may also access it on
the Web at <a class="ulink" href="http://httpd.apache.org/docs-2.2/" target="_top">http://httpd.apache.org/docs-2.2/</a>.
SUSE-specific configuration hints are available in the directory
<code class="filename">/usr/share/doc/packages/apache2/README.*</code>.
</p><div class="sect2" title="28.9.1. Apache 2.2"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.more_information.apache22"></a>28.9.1. Apache 2.2<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.more_information.apache22">¶</a></span></h3></div></div></div><p>
For a list of new features in Apache 2.2, refer to
<a class="ulink" href="http://httpd.apache.org/docs/2.2/new_features_2_2.html" target="_top">http://httpd.apache.org/docs/2.2/new_features_2_2.html</a>.
Information about upgrading from version 2.0 to 2.2 is available at
<a class="ulink" href="http://httpd.apache.org/docs-2.2/upgrading.html" target="_top">http://httpd.apache.org/docs-2.2/upgrading.html</a>.
</p></div><div class="sect2" title="28.9.2. Apache Modules"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.more_information.modules"></a>28.9.2. Apache Modules<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.more_information.modules">¶</a></span></h3></div></div></div><p>
More information about external Apache modules that are briefly
described in <a class="xref" href="cha.apache2.html#sec.apache2.modules.external" title="28.4.5. External Modules">Section 28.4.5, “External Modules”</a> is available
at the following locations:
</p><div class="variablelist"><dl><dt><span class="term">mod-apparmor</span></dt><dd><p>
<a class="ulink" href="http://en.opensuse.org/SDB:AppArmor" target="_top">http://en.opensuse.org/SDB:AppArmor</a>
</p></dd><dt><span class="term">mod_mono</span></dt><dd><p>
<a class="ulink" href="http://www.mono-project.com/Mod_mono" target="_top">http://www.mono-project.com/Mod_mono</a>
</p></dd><dt><span class="term">mod_perl</span></dt><dd><p>
<a class="ulink" href="http://perl.apache.org/" target="_top">http://perl.apache.org/</a>
</p></dd><dt><span class="term">mod_php5</span></dt><dd><p>
<a class="ulink" href="http://www.php.net/manual/en/install.unix.apache2.php" target="_top">http://www.php.net/manual/en/install.unix.apache2.php</a>
</p></dd><dt><span class="term">mod_python</span></dt><dd><p>
<a class="ulink" href="http://www.modpython.org/" target="_top">http://www.modpython.org/</a>
</p></dd><dt><span class="term">mod_tidy</span></dt><dd><p>
<a class="ulink" href="http://mod-tidy.sourceforge.net/" target="_top">http://mod-tidy.sourceforge.net/</a>
</p></dd></dl></div></div><div class="sect2" title="28.9.3. Development"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.more_information.cgi"></a>28.9.3. Development<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.more_information.cgi">¶</a></span></h3></div></div></div><p>
More information about developing Apache modules or about getting
involved in the Apache Web server project are available at the following
locations:
</p><div class="variablelist"><dl><dt><span class="term">Apache Developer Information</span></dt><dd><p>
<a class="ulink" href="http://httpd.apache.org/dev/" target="_top">http://httpd.apache.org/dev/</a>
</p></dd><dt><span class="term">Apache Developer Documentation</span></dt><dd><p>
<a class="ulink" href="http://httpd.apache.org/docs/2.2/developer/" target="_top">http://httpd.apache.org/docs/2.2/developer/</a>
</p></dd><dt><span class="term">Writing Apache Modules with Perl and C </span></dt><dd><p>
<a class="ulink" href="http://www.modperl.com/" target="_top">http://www.modperl.com/</a>
</p></dd></dl></div></div><div class="sect2" title="28.9.4. Miscellaneous Sources"><div class="titlepage"><div><div><h3 class="title"><a name="sec.apache2.more_information.miscellaneous_sources"></a>28.9.4. Miscellaneous Sources<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.apache2.more_information.miscellaneous_sources">¶</a></span></h3></div></div></div><p>
<span>If you experience difficulties specific to Apache in
openSUSE, take a look at the openSUSE wiki at
<a class="ulink" href="http://old-en.opensuse.org/Apache" target="_top">http://old-en.opensuse.org/Apache</a>.</span> The history
of Apache is provided at
<a class="ulink" href="http://httpd.apache.org/ABOUT_APACHE.html" target="_top">http://httpd.apache.org/ABOUT_APACHE.html</a>. This page also
explains why the server is called Apache.
</p><a class="indexterm" name="id500428"></a></div></div></div><div class="navfooter"><table width="100%" summary="Navigation footer" border="0" class="bctable"><tr><td width="80%"><div class="breadcrumbs"><p><a href="index.html"> Documentation</a><span class="breadcrumbs-sep"> > </span><a href="book.opensuse.reference.html">Reference</a><span class="breadcrumbs-sep"> > </span><a href="part.reference.services.html">Services</a><span class="breadcrumbs-sep"> > </span><strong><a accesskey="p" title="Chapter 27. Samba" href="cha.samba.html"><span>◀</span></a> <a accesskey="n" title="Chapter 29. Setting up an FTP server with YaST" href="cha.ftp.html"><span>▶</span></a></strong></p></div></td></tr></table></div></body></html>
ACC SHELL 2018