Red Hat Linux Networking, System Administration (P20)


Chapter 23: Configuring a Web Server

The DirectoryIndex line specifies the files Apache looks for when passed a URL that does not specify a filename, that is, when the URL specifies a directory, such as http://www.example.com/products/, instead of a file, such as http://www.example.com/products/prodlist.html. Apache searches for the files in the order listed and the first match wins. In the httpd.conf file shipped, the order is:

1. index.php
2. index.html
3. index.html.var

The TypesConfig, DefaultType, and MIMEMagicFile directives work together to help Apache determine file types. TypesConfig tells Apache where to find a list or database of MIME types (/etc/mime.types in this case). This file maps MIME types to filename extensions. Consider the following two entries from /etc/mime.types, for example:

    text/html html htm
    video/mpeg mpeg mpg mpe

The first line means that files ending with the extensions html and htm (rather, .html and .htm) should be considered to be standard HTML files. Similarly, the second line indicates that files having the filename extensions .mpeg, .mpg, and .mpe have the MIME type video/mpeg. These mappings are important because Apache sends the MIME types to Web clients, which use the information to determine how to display the associated content. Files with a MIME type of text/html will ordinarily be displayed as a normal Web page, while Web browsers might start an MPEG player to display files that have a MIME type of video/mpeg.

DefaultType text/plain provides a default MIME type (plain text) for any file that Apache serves for which a MIME type is not defined. MIMEMagicFile supplements the MIME typing system, making it possible for Apache to determine a file’s MIME type by examining the contents of a file.

The logging directives control the level and format of Apache’s log output. The directive ErrorLog logs/error_log specifies the error log Apache uses.
The four LogFormat directives define log formats named combined, common, referer, and agent (yes, referer is misspelled). These format names can then be used in other log-related directives to identify the output format. For example, the directive CustomLog logs/access_log combined uses the combined format defined by LogFormat. The CustomLog directive indicates the file used to log all requests sent to the server. Access log entries might resemble the following:

    127.0.0.1 - - [26/Mar/2005:09:47:33 -0500] "GET /manual/images/up.gif HTTP/1.1" 200 57 "http://localhost/manual/mod/core.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2"
    127.0.0.1 - - [26/Mar/2005:09:47:39 -0500] "GET /manual/mod/quickreference.html HTTP/1.1" 200 95342 "http://localhost/manual/mod/directives.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2"
    127.0.0.1 - - [26/Mar/2005:10:19:53 -0500] "GET /manual/mod/mod_access.html HTTP/1.1" 200 18557 "http://localhost/manual/mod/quickreference.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2"

Each log entry is a single line in the log file. These access log entries record the requests the server processed when opening a Web page named ssitest.html (see Listing 23-3).

The long series of AddIconByEncoding, AddIconByType, and AddIcon directives define the various icons displayed next to files of a given type. The directive AddIcon /icons/binary.gif .bin .exe, for example, indicates that files ending with .bin and .exe should have the image /icons/binary.gif displayed next to them. Note that the directory /icons/ was aliased to /var/www/icons/ using the Alias directive Alias /icons/ "/var/www/icons/" earlier in the httpd.conf file, so the file system path to binary.gif is expanded to /var/www/icons/binary.gif.
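The combined-format access log entries shown earlier can be split into typed fields with one regular expression, which is the usual first step before searching a log for anomalies. The following Python parser is an added example, not code from the book; the last two sample lines are constructed (a "-" byte count and a malformed entry), and the names parse_line, split_log and bytes_by_path are assumptions.

```python
import re
from datetime import datetime

# combined: host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes, which Apache writes as \".
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-) '
    + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("host", "ident", "user", "time", "request",
          "status", "bytes", "referer", "agent")

UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) "
      "Gecko/20050302 Firefox/1.0.1 Fedora/1.0.1-1.3.2")
REF = "http://localhost/manual/mod/"
SAMPLE = [
    # The three entries from the text, one line each.
    '127.0.0.1 - - [26/Mar/2005:09:47:33 -0500] "GET /manual/images/up.gif HTTP/1.1"'
    f' 200 57 "{REF}core.html" "{UA}"',
    '127.0.0.1 - - [26/Mar/2005:09:47:39 -0500] "GET /manual/mod/quickreference.html'
    f' HTTP/1.1" 200 95342 "{REF}directives.html" "{UA}"',
    '127.0.0.1 - - [26/Mar/2005:10:19:53 -0500] "GET /manual/mod/mod_access.html'
    f' HTTP/1.1" 200 18557 "{REF}quickreference.html" "{UA}"',
    # Constructed: a 304 response logs "-" instead of a byte count.
    '127.0.0.1 - - [26/Mar/2005:10:20:01 -0500] "GET /icons/binary.gif HTTP/1.1"'
    ' 304 - "-" "-"',
    # Constructed: malformed entry (referer lost its opening quote).
    '127.0.0.1 - - [26/Mar/2005:10:20:05 -0500] "GET /tests/ HTTP/1.1"'
    ' 200 512 http://localhost/" "-"',
]


def parse_line(line):
    """Return a dict of typed fields, or None if the line is not combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    try:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # A well-formed request line is "METHOD target PROTOCOL"; others stay raw only.
    parts = rec["request"].split(" ")
    rec["method"], rec["path"], rec["protocol"] = (
        parts if len(parts) == 3 else (None, None, None))
    return rec


def split_log(lines):
    """Parse every line; return (records, rejected_lines)."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)   # keep unparsed lines for manual review
        else:
            records.append(rec)
    return records, rejected


def bytes_by_path(records):
    """Total response bytes per requested path."""
    totals = {}
    for rec in records:
        if rec["path"] is not None:
            totals[rec["path"]] = totals.get(rec["path"], 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    records, rejected = split_log(SAMPLE)
    for rec in records:
        print(rec["time"].isoformat(), rec["host"], rec["status"], rec["bytes"], rec["path"])
    print("rejected lines:", len(rejected))
```

Lines that fail to parse are returned separately rather than dropped, because truncated or injected entries are themselves worth reviewing.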
As a fallback measure, the directive DefaultIcon /icons/unknown.gif defines the default icon Apache displays if it cannot determine the file type of a given file based on the definitions given by the TypesConfig and MIMEMagicFile directives and additional types appended to the MIME type listing using AddType directives.

To handle non-HTML document types (MIME types), Apache uses the AddType and AddHandler directives. AddType is used for MIME types that are not specified in MIME configuration files (as set with the MIMEMagicFile directive) or for predefined MIME types that you want to override. It works by associating filename extensions with specific content handlers. Its general syntax is:

    AddType mimetype extension [...]

This directive associates one or more filename endings specified by extension with the MIME type specified by mimetype. For example, the following directive assigns the MIME type text/html (a normal HTML file) to files whose filename extension is .shtml:

    AddType text/html .shtml

AddHandler’s purpose is to define a content handler for specific MIME types. Its syntax is comparable to AddType’s:

    AddHandler handler extension [...]

This directive associates any file that has the extension extension with the content handler named by handler. The following statement, for instance, instructs Apache to use the image map handler imap-file with files whose name ends with map:

    AddHandler imap-file map

The AddLanguage directives map filenames to language encodings. So, for example, files ending with .en are treated as English documents, and files ending with .en.gz or .en.tgz are treated as gzip compressed English documents. The LanguagePriority directive, similarly, determines which file the server returns if the browser does not indicate a preference.
For example, if the files index.en.html and index.fr.html both exist and a client does not specify a preferred content language, the server returns index.en.html.

AddDefaultCharset and AddCharset load Apache’s support for various character sets. AddDefaultCharset specifies the default character set Apache uses to serve content if a browser does not specifically request one. The default character set in Fedora Core and RHEL is UTF-8.

The BrowserMatch directives set environment variables that can be used in CGI scripts and SSI based on the information in the User-Agent HTTP request header field. The first argument is the text to match from the request header. The second and subsequent arguments name the variables to set and the value or values to which to set the variables. The variable assignments can take one of the following forms:

- varname: Sets varname to 1
- !varname: Removes (unsets) varname if it was already set
- varname=value: Assigns value to varname

If a User-Agent header matches multiple BrowserMatch strings, Apache merges the matching strings. Entries are processed in the order in which they appear, and later entries can override earlier ones.

TIP: If you do not know or cannot be sure of the case of the request header you want to match, you can use the BrowserMatchNoCase directive, which matches regardless of case.

Configuring Virtual Servers

Virtual servers (also referred to as virtual hosts) are primarily used to run Web servers for multiple domains on a single physical system. Virtual servers can also be used to allow multiple workgroups or departments that share the same network or subnet to maintain independent Web pages without requiring individual dedicated departmental servers. Virtual hosts fall into two categories: IP-based virtual hosts and name-based virtual hosts. IP-based virtual hosts refer to Web servers that have different IP addresses.
In some cases, the different IP addresses correspond to different Ethernet interfaces, such as eth0 and eth1 (machines that have multiple Ethernet interfaces are called multihomed hosts). In other cases, a single Ethernet interface is assigned multiple IP addresses using aliases. In this configuration, a system might have a single Ethernet interface, say, eth0, and a single primary IP address, for example, 192.168.0.1. The aliases have IP addresses of the form 192.168.0.1:n, where n is a digit such as 1, 2, or 3. Regardless of the method you use to implement virtual hosts, end users will not realize that the Web sites they are viewing reside on the same physical server. Table 23-3 shows the Apache configuration directives that control the configuration and behavior of virtual servers.

Table 23-3 Virtual Server Configuration Directives

| DIRECTIVE | DESCRIPTION |
| --- | --- |
| <VirtualHost ipaddr[:port]> directives </VirtualHost> | Defines a virtual host whose IP address is ipaddr (listening on port, if specified); directives are one or more of the directives listed previously and override the directives listed for the default server. |
| NameVirtualHost ipaddr[:port] | Defines the IP address ipaddr (listening on port, if specified) for a name-based virtual host. |
| ServerAlias altname | Enables the virtual server to respond to one or more alternate hostnames altname when used with name-based virtual hosts. A single VirtualHost directive can have multiple ServerAlias statements. |
| ServerName fqdn | Sets the name of the virtual server to the FQDN fqdn. |
A bare-bones set of name-based virtual server definitions might resemble the following:

    Listen 80
    [...]
    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerName webbeast.example.com
        DocumentRoot /var/www/webbeast
        # other directives
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.mydomain.com
        DocumentRoot /var/www/mydomain
        # other directives
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.yourdomain.org
        DocumentRoot /var/www/yourdomain
        # other directives
    </VirtualHost>

This example shows three virtual hosts, webbeast.example.com, www.mydomain.com, and www.yourdomain.org, all of which have the same IP address. For the purpose of this example, the actual IP address doesn’t matter because the asterisks match all IP addresses, but suppose that the address is 192.168.0.2. One of the side effects of using the asterisk is that the main server won’t answer any requests. Apache will pass all requests to the appropriate virtual host, depending on the name specified in the request. Furthermore, the virtual host webbeast.example.com is the default or primary server because it is the first listed host. As a result, it will answer any request that isn’t answered by one of the other virtual hosts.

As stated earlier in the chapter, configuration directives for the default server also apply to virtual servers unless specifically overridden in a <VirtualHost> block. Therefore, if your virtual hosts require special configuration needs not provided or explicitly disabled or disallowed in the default server, you must specify these custom configuration directives inside the appropriate <VirtualHost> block.

If you add a name-based virtual host to an existing Web server, you must also add a virtual host for the existing Web server. Moreover, the directives in the virtual host you create for the original, single-site server must match those you specified for the original single-site server.
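The selection rule described above (first virtual host whose name matches, otherwise the first one listed) can be modelled in a few lines to check which DocumentRoot a given Host header will reach. This Python model is an added example, not part of the book or of Apache; the www.example.com and www.newsite.example sites are constructed, the function names are assumptions, and the model covers only a single *:80 address set with plain host names.

```python
from fnmatch import fnmatchcase

# The three name-based virtual hosts from the text, in file order.
PAGE_CONF = """\
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName webbeast.example.com
    DocumentRoot /var/www/webbeast
</VirtualHost>
<VirtualHost *:80>
    ServerName www.mydomain.com
    DocumentRoot /var/www/mydomain
</VirtualHost>
<VirtualHost *:80>
    ServerName www.yourdomain.org
    DocumentRoot /var/www/yourdomain
</VirtualHost>
"""

# Constructed case: an existing single-site server (hypothetical name
# www.example.com, DocumentRoot /var/www/html) gains one virtual host.
ORIGINAL_SITE = """\
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
"""
NEW_SITE = """\
<VirtualHost *:80>
    ServerName www.newsite.example
    ServerAlias newsite.example *.newsite.example
    DocumentRoot /var/www/newsite
</VirtualHost>
"""
MISSING_ORIGINAL = "DocumentRoot /var/www/html\nNameVirtualHost *:80\n" + NEW_SITE
FIXED = "NameVirtualHost *:80\n" + ORIGINAL_SITE + NEW_SITE


def parse_vhosts(conf):
    """Return the <VirtualHost> blocks of conf, in file order, as dicts."""
    vhosts, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lowered = line.lower()
        if lowered.startswith("<virtualhost"):
            current = {"name": None, "aliases": [], "docroot": None}
        elif lowered.startswith("</virtualhost"):
            vhosts.append(current)
            current = None
        elif current is not None:      # main-server directives are skipped
            directive, _, args = line.partition(" ")
            if directive.lower() == "servername":
                current["name"] = args.strip().lower()
            elif directive.lower() == "serveralias":
                current["aliases"] += args.lower().split()
            elif directive.lower() == "documentroot":
                current["docroot"] = args.strip().strip('"')
    return vhosts


def select_vhost(vhosts, host_header):
    """Pick the block that answers a request: first name match, else first block."""
    host = (host_header or "").split(":")[0].strip().lower()   # drop any :port
    for vhost in vhosts:
        if host == vhost["name"] or any(fnmatchcase(host, a) for a in vhost["aliases"]):
            return vhost
    return vhosts[0]                   # default: the first listed virtual host


def docroot_for(conf, host_header):
    return select_vhost(parse_vhosts(conf), host_header)["docroot"]


if __name__ == "__main__":
    for conf, host in [(PAGE_CONF, "www.mydomain.com"), (PAGE_CONF, "unknown.example.net"),
                       (MISSING_ORIGINAL, "www.example.com"), (FIXED, "www.example.com")]:
        print(host, "->", docroot_for(conf, host))
```

With MISSING_ORIGINAL, requests for the original site land in the new site's DocumentRoot; listing the original site first, as in FIXED, restores it and makes it the default for unknown names.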
In addition, the virtual host you create for the existing server should appear before any other virtual hosts so that it will act as the default server. If you fail to add a virtual host for the existing server, requests that should be answered by the existing Web server will be answered by the added virtual host. Why? When a request comes in, Apache first looks to see if the requested name matches an address specified for a NameVirtualHost. Because all of the IP addresses in a name-based virtual host are the same, Apache routes the request to the first matching virtual host, bypassing the default server.

Starting and Stopping Apache

To start and stop Apache, the preferred method is to use the httpd initialization script and the service utility, as shown in the following examples:

    # service httpd start
    Starting httpd: [ OK ]
    # service httpd stop
    Stopping httpd: [ OK ]

There are some additional arguments you might want to use, such as restart, reload, and configtest. As you might guess, the restart argument stops and starts Apache. The reload argument signals Apache to reload its configuration files and is a good way to refresh a running server’s configuration without restarting it and closing all active connections. The configtest argument causes Apache to parse its configuration files. If it detects an error, it will display an error message indicating what went wrong and where in the configuration file it found the error. This is a very easy way to test configuration changes without causing havoc for yourself or users of your Web site.

(NOT) USING THE APACHE CONFIGURATION TOOL

If you prefer graphical configuration tools, you can configure Apache’s basic functionality using HTTP Configuration Tool. HTTP Configuration Tool enables you to edit the /etc/httpd/conf/httpd.conf configuration file for the Apache HTTP server.
Using the graphical interface, you can configure directives such as virtual hosts, logging attributes, and server control parameters. To start HTTP Configuration Tool, type system-config-httpd at a command prompt or select Red Hat ➪ System Settings ➪ Server Settings ➪ HTTP Server. However, we do not recommend using HTTP Configuration Tool on your systems because it has the annoying habit of overwriting changes made outside of the tool and it does not recognize manually installed Web servers that don’t store their configuration information in /etc/httpd/conf or /etc/httpd/conf.d.

Implementing SSI

Server-side includes (SSI) are specially formatted statements placed in HTML documents and evaluated by the server before the server sends the document to a client. SSI lets you add dynamically generated content to an existing HTML page without needing to generate the entire page using CGI or another dynamic page generation technique. SSI is best used to add small amounts of dynamically generated content to otherwise static documents. Server-side includes are also a great way to specify standard, static header and footer info on Web pages. SSI content doesn’t have to be dynamic. For simple sites, it’s a great alternative to PHP, Perl, and other fuller-featured approaches for including headers, footers, style sheets, and so forth in Web pages.

The stock Fedora Core and RHEL configuration includes support for SSI using the statements:

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

The first line adds the file extension .shtml to the text/html MIME type. The AddOutputFilter directive tells Apache that files with an .shtml extension should be processed using mod_include, the module that provides Apache’s SSI support (the default Red Hat httpd.conf file should contain these directives).
TIP: If, for some reason, you have to add the AddType text/html .shtml and AddOutputFilter INCLUDES .shtml directives to the httpd.conf file, the server must be restarted to make them take effect. You can use one of the following commands to force Apache to reread its configuration file:

    # service httpd restart
    # service httpd reload

The first command stops and restarts the server. The second one sends Apache the SIGHUP signal, which causes it to reread httpd.conf. The effect is the same regardless of which command you use.

However, you need to tell Apache which directories contain content it should parse for SSI content. To do so, add the Includes argument to the Options statement for the directory in which you want SSI to work. For example, suppose that you create a directory named /var/www/html/tests and want to enable SSI for this directory. Add a file named tests.conf to /etc/httpd/conf.d that contains the following <Directory> block:

    <Directory "/var/www/html/tests">
        Options Indexes FollowSymLinks Includes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

The Options Includes directive instructs Apache to parse files it serves from this directory for SSI directives. Next, create the Web page shown in Listing 23-3, naming it ssitest.shtml and placing it in /var/www/html/tests:

    <html>
    <head>
    <title>SSI Test Page</title>
    <link rel="stylesheet" type="text/css" href="rhlnsa3.css">
    </head>
    <body>
    <h1>SSI Test Page</h1>
    <div id="content">
    <pre>
    <!--#exec cmd="ls -lh /var/www" -->
    </pre>
    </div> <!-- content -->
    <!--#include virtual="footer.html" -->
    </body>
    </html>

Listing 23-3 An SSI test page.

SSI directives look like HTML comments. They take the following general form:

    <!--#element attribute=value -->

Because SSI directives look like comments, if SSI is improperly configured on the server, the browser ignores the contents.
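Options Includes enables every SSI element, including #exec, which runs a command as the Apache user; Apache's IncludesNOEXEC option keeps SSI parsing but disables #exec cmd and #exec cgi. The following Python check is an added example, not code from the book: it extracts the directives from Listing 23-3 using the general form above and reports what each would do under a given Options line. The function names are assumptions, and inheritance of Options from parent directories is not modelled.

```python
import re

# General form from the text: <!--#element attribute=value -->
SSI = re.compile(r'<!--#(\w+)((?:\s+\w+=(?:"[^"]*"|\S+))*)\s*-->')
ATTR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Listing 23-3 from the text.
PAGE = """\
<html>
<head>
<title>SSI Test Page</title>
<link rel="stylesheet" type="text/css" href="rhlnsa3.css">
</head>
<body>
<h1>SSI Test Page</h1>
<div id="content">
<pre>
<!--#exec cmd="ls -lh /var/www" -->
</pre>
</div> <!-- content -->
<!--#include virtual="footer.html" -->
</body>
</html>
"""


def find_directives(html):
    """Return [(element, {attribute: value}), ...] in document order."""
    found = []
    for match in SSI.finditer(html):
        attrs = {name: quoted or bare
                 for name, quoted, bare in ATTR.findall(match.group(2))}
        found.append((match.group(1).lower(), attrs))
    return found


def ssi_mode(options_line):
    """Classify one Options line as 'off', 'noexec' or 'exec'."""
    tokens = options_line.split()[1:]              # drop the word "Options"
    enabled = {t.lstrip("+").lower() for t in tokens if not t.startswith("-")}
    if "includes" in enabled or "all" in enabled:  # All covers Includes as well
        return "exec"
    if "includesnoexec" in enabled:
        return "noexec"
    return "off"


def audit(html, options_line):
    """Return [(element, attrs, action), ...] for every SSI directive in html."""
    mode = ssi_mode(options_line)
    report = []
    for element, attrs in find_directives(html):
        if mode == "off":
            action = "not parsed"      # reaches the browser as an HTML comment
        elif element == "exec" and mode == "noexec":
            action = "blocked"
        else:
            action = "processed"
        report.append((element, attrs, action))
    return report


if __name__ == "__main__":
    for options in ("Options Indexes FollowSymLinks Includes",          # from the text
                    "Options Indexes FollowSymLinks IncludesNOEXEC"):   # constructed
        print(options)
        for element, attrs, action in audit(PAGE, options):
            print("   ", element, attrs, "->", action)
```

Run against a document tree before enabling Includes, the same scan shows which pages actually depend on #exec and which would keep working under IncludesNOEXEC.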
When SSI is configured correctly, the server creates properly formatted HTML output that Web browsers render properly. In Listing 23-3, the first SSI directive is <!--#exec cmd="ls -lh /var/www" -->, which uses the built-in exec command to execute ls -lh /var/www, embedding the output of this command in <pre></pre> tags to maintain the appropriate formatting. The second SSI directive, include virtual=/includes/footer.html, includes a standard footer file. Finally, open the document in your Web browser, using the URL http://localhost/tests/ssitest.shtml if accessing the server locally or http://your.server.name/tests/ssitest.shtml if accessing the server remotely, replacing your.server.name with the name of your Web server. Figure 23-2 shows how the page appears in the Firefox Web browser.

As you can see in Figure 23-2, the SSI statement shows output of the ls -lh command. For comparison purposes, ls -lh executed in a terminal window might resemble the following:

    $ ls -lh /var/www
    total 28K
    drwxr-xr-x 2 root root 33 May 19 02:07 cgi-bin
    drwxr-xr-x 3 root root 4.0K May 19 01:05 error
    drwxr-xr-x 4 root root 33 May 22 00:04 html
    drwxr-xr-x 3 root root 8.0K May 19 01:47 icons
    drwxr-xr-x 14 root root 8.0K May 19 01:05 manual
    drwxr-xr-x 2 root root 162 May 19 01:52 mrtg
    drwxr-xr-x 2 root root 61 May 19 02:09 nut-cgi-bin
    drwxr-xr-x 2 webalizer root 43 May 19 01:05 usage

After confirming that SSI is properly configured using the test page, the SSI configuration is complete.

Figure 23-2 Viewing ssitest.html in Firefox.

Enabling CGI

CGI, the Common Gateway Interface, is a protocol that defines a standard method enabling Web servers to communicate with external programs. These programs are known as CGI scripts, CGI programs, or, more colloquially, just CGIs. Many programming and scripting languages provide CGI implementations so that you can use them in Web pages.
Perl is the Big Daddy in the Linux world, but it is far from the only option: Python, Ruby, and even Bash can be used to create CGIs. CGI scripts are commonly used to create or update Web pages or parts of Web pages dynamically. In this respect, CGIs are much like SSI, but CGI is far more flexible than SSI and provides additional functionality that SSI cannot. For example, CGI scripts can be used for user authentication, to create a user interface on a Web page, and, within limits, in any situation in which a Web-based interface is used to execute programs and display the results in a near real-time environment. This section briefly explains Apache configuration directives and procedures that enable CGI.

As you might suspect by this point, your first task is to ensure that Apache’s configuration permits CGI script execution. The ScriptAlias directive associates a directory name with a file system path, which means that Apache treats every file in that directory as a script. If not present, add the following directive to httpd.conf:

    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

This directive tells Apache that any URL beginning with /cgi-bin/ should be served from /var/www/cgi-bin. Thus, given a URL of http://localhost/cgi-bin/cgiscript.pl or http://your.server.name/cgi-bin/cgiscript.pl, Apache reads and executes the script /var/www/cgi-bin/cgiscript.pl. If necessary, modify the configuration file to include the ScriptAlias directive shown, and restart Apache as explained previously. Then use the script in Listing 23-4 to test the configuration.

    #!/usr/bin/perl
    # Double-quoted strings so that \r\n and \n are emitted as line endings.
    print "Content-type: text/html\r\n\r\n";
    print "<html>\n";
    print "<head>\n";
    print "<title>CGI Test Page</title>\n";
    print qq{<link rel="stylesheet" type="text/css" href="/tests/rhlnsa3.css">\n};

Listing 23-4 A CGI test script. (continued)

[...]...
fingerprint, verifying that the data stream hasn’t been accidentally or deliberately altered while in transit between the server and the client.

2. Digital certificates provide a certain level of assurance, or trust, that the identities behind a Web server and a Web client are genuine, that is, that a Web server or client is not being operated by an impostor. Depending on the type of certificate in use, a digital...

have an IMAP server installed, or don’t know if you do, please refer to Chapter 21, which describes how to configure an email server and how to set up IMAP services. Make sure that Apache, your email server, and your IMAP server are running before proceeding. The discussion that follows assumes that you are using the Postfix MTA and that you are using the Cyrus IMAP daemon that is part of the standard...

configuration looks for the certificate in this location, so there is no need to install the certificate. Nonetheless, it is helpful to know where the certificate is stored. Be sure to make a copy of the key file and the certificate file and store them in a secure location. At this point, the secure server has been configured, and you are ready to test it. First, restart Apache so it will load the certificate:...

secure server, which operates on port 443 rather than port 80. When you first connect, you will see the dialog box shown in Figure 23-6. This dialog box indicates that the Web server has presented an unverified server certificate. In this case, the “problem” is that the certificate is self-signed, and the browser does not recognize the certificate signer (you) as a valid CA. If you are curious, click the...

indication that you are connected to a secure page. Firefox, for example, shows a padlock icon in the lower-right corner of the screen.

Obtaining a Certificate from a Certification Authority

To obtain a digital certificate from a recognized CA, you must create a CSR, as described in the previous section, and submit it to a CA. You also have to pay for the certificate. You can choose from a number of CAs, some...

the authority to create, manage, and delete mailing lists and administer the Mailman installation, while not having any other system administrative rights or responsibilities. You don’t have to have a site moderator, and at small sites you probably won’t have the personnel to assign a dedicated site moderator.

5. If your mail host and Web server do not reside on the same system, edit /usr/lib/mailman/Mailman/mm_cfg.py...

From your mailing list’s main administration page, click Membership Management ➪ Mass Subscription. On the resulting page, add the email addresses in the top text area, one address per line. To subscribe these email addresses immediately, make sure that the Subscribe radio button is selected. It’s usually good form to let people know when they’ve been subscribed to a mailing list, so make sure the Send Welcome...

warriors and remote employees that cannot access LAN-based services using VNC or VPN, perhaps the most valuable service you can provide is Web-based or browser-based email access. Fedora Core and RHEL ship with SquirrelMail, a popular and capable browser-based email package that uses IMAP for mail handling, Apache for Web services, and PHP to glue everything together. As with Mailman, most of the work has already...

hash) to use to confirm that the certificate has not been altered since it was issued. The certificate also contains the certificate ID of the person or entity that issued the certificate and that certified (signed) the information provided in the certificate. Accordingly, you have to trust the issuer of the certificate, the certificate authority (CA). A CA’s certificate is referred to as a root certificate...

review some of Apache’s configuration options. Most Web servers serve dynamic content, so you also need to know how to enable and test Apache’s support for SSI, CGI, and PHP. Creating a secure server is a vital step if your Web site will be used for electronic commerce or to conduct any type of transaction that must be secured, so you also learned how to create a secure server using SSL. The features you learned...

Date posted: 07/07/2014, 09:20
