First published on NZ Techonverse
Apache is a well-known web server and is currently the second most widely used web server worldwide. It is only two percent behind nginx at the time of writing, and each has about a third of the web server market. The remaining third is made up of several products; MS IIS only has a single-digit percentage. As an open source product, Apache is included in the package archives of most Linux distros. It is a core component of the LAMP server stack, in which the letters stand for Linux, Apache, MySQL and PHP, the most commonly used components of a web server stack.
Apache is very reliable and not too hard to set up, but there are a few things that can trip you up when getting it going. My main use of apache is not on a dedicated web server, but on a desktop computer that is running all sorts of things, and I expect Apache to be able to serve documents from somewhere in my home directory, rather than from /var/www which is one of the default locations specified in configuration files. This means the permissions need to be set correctly on the home directory to allow other users (other than the owner, which is me) to read and execute files and folders. Otherwise the user account Apache runs under (which is neither root nor me) will not be able to read anything.
Once permissions are taken care of then there are two configuration files to edit. The first one is apache2.conf contained in /etc/apache2. A <Directory> </Directory> section is needed to specify each path on the computer where web files can be served from. These sections basically tell Apache the permissions on these paths using directives within the section so that it knows what to do when it gets a request for documents from within those paths. The file comes with sections that tell the server to deny requests from the root filesystem (/) and to allow requests from /usr/share and /var/www. So all request paths will be blocked except /usr/share and /var/www. In my case with the home path we need to create a section specifically for the base directory where files will be served from and some options which in my case are commonly used ones.
The second one is a conf file that is specific to each web site. These files are placed into the /etc/apache2/sites-available folder, then the command a2ensite followed by the name of the conf file for a particular site is run, followed by systemctl reload apache2 to reload the server. In my case, since I only have one web site, I can use the default conf, which is called 000-default, and change it to stop using /var/www as the default site’s root path. Instead I can change this setting (DocumentRoot) to point to my web site, and then when I type http://localhost into the browser, it will go to the new location. Again, reloading the server will pick up the change to the 000-default.conf file and point it at my web site.
That usually is enough. In the past the main issue I have seen is permissions, and a problem with one computer was the use of ACLs, because these supersede the normal permissions. Rather than muck around setting these, I decided the easiest option was to remove all the ACLs with the setfacl command. The reason for having ACLs in the first place was the historical establishment of another user account (backupuser) to handle backups. Since I can use the rsync daemon and tell it to do the task read only I don’t really need a special user account with permission restrictions to protect my source data during a backup operation.
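An added example, not part of the original post: a shell function that walks from the served directory up to a base directory and reports any directory that other users cannot traverse, any directory carrying an ACL, and any file under the site that other users cannot read. The function name audit_web_path and its output labels are made up for this example, and it assumes GNU stat and find.

```shell
# Added example, not from the article; uses GNU stat and find as found on
# the Linux distros the article targets. The caller supplies both paths.

# audit_web_path BASE SITE
#   BASE: top of the chain to check, for example the home directory
#   SITE: directory Apache should serve, at or below BASE
# Prints one finding per line and nothing when no problem is found.
audit_web_path() {
    base=${1%/}; base=${base:-/}
    p=${2%/}; p=${p:-/}
    site=$p
    case "$p/" in
        "${base%/}"/*) ;;
        *) echo "error: $2 is not under $1"; return 2 ;;
    esac
    while :; do
        mode=$(stat -c %a "$p") || return 2
        # The last octal digit holds the "other" bits; odd means o+x is set.
        case "$mode" in
            *[1357]) ;;
            *) echo "no-traverse $mode $p" ;;
        esac
        # ls appends "+" to the mode string of entries that carry an ACL.
        case "$(ls -ld "$p" | cut -d' ' -f1)" in
            *+) echo "acl $p" ;;
        esac
        if [ "$p" = "$base" ]; then break; fi
        p=$(dirname "$p")
    done
    # Files under the site that "other" users cannot read.
    find "$site" -type f ! -perm -004 | sed 's/^/no-read /'
}
```

Call it as audit_web_path "$HOME" "$HOME/www", where www is a placeholder for the site directory. A directory only needs the execute bit for others in order to be traversed, so the directories above the site do not have to be listable.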
The normal step is to install all packages in one go. This means the following apt command is required:
apt install apache2 php libapache2-mod-php php-mbstring sqlite3 php-sqlite3
When this is run it installs Apache2, PHP and a couple of modules I use on my webserver (mbstring and sqlite3). Obviously depending on requirements there may be different modules needed.
The next step, as mentioned above, is to go into the /etc/apache2 folder and edit the apache2.conf file as follows. Scroll down to the part of the file that contains <Directory> sections and change the following section:
and leave the rest of the section the same. This gets rid of the use of the default folder in /var/www. While you are there you may as well remove the <Directory /usr/share> section, since this removes one more attack surface if someone hacked into your computer. This should leave only the section pointing to your home folder and the <Directory /> section, which is essential since it blocks Apache from loading web pages from anywhere else on the computer. N.B. The directory path must be exactly the same as in the apache2.conf file. Don’t put a trailing slash on it here if you didn’t put one onto it in apache2.conf.
Save the file and then open the second file which is located at /etc/apache2/sites-enabled/000-default.conf
The 000-default.conf file is the configuration for apache’s default web site. In the previous step in apache2.conf we edited a <Directory> entry to give the Apache2 server permission to load web site files from a directory in our home folder. The second step is to tell Apache where a web site is located within that specified path. To do this, as we only have one web site used on our Apache server, we can change the default web site (specified in 000-default.conf) to the one in our home folder. To do this we simply change the parameter called DocumentRoot as follows:
Then save the file. The next step is to reload the apache2 server, which is done with systemctl reload apache2.
Everything should now be working properly.
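A check for the two edits above, added here as an example rather than taken from the original post: it lists each <Directory> section of apache2.conf with its Require setting and tests whether the site's DocumentRoot falls inside a granted section. The path /home/user/www, the function names and the sample files are constructed for illustration, and the longest-prefix rule is a simplification of how Apache merges sections.

```shell
# Added example, not from the article. /home/user/www is a placeholder path.

# Print "<path> <granted|denied|restricted|unset>" per <Directory> section.
list_directory_grants() {
    awk '
        /^[ \t]*<Directory[ \t]/ {
            path = $2; sub(/>$/, "", path); gsub(/"/, "", path)
            state = "unset"; inside = 1; next
        }
        inside && tolower($1) == "require" {
            line = tolower($0); state = "restricted"
            if (line ~ /all[ \t]+granted/) state = "granted"
            if (line ~ /all[ \t]+denied/)  state = "denied"
        }
        inside && /^[ \t]*<\/Directory>/ { print path, state; inside = 0 }
    ' "$1"
}

# Succeed only if the DocumentRoot in SITE_CONF ($2) falls inside a section
# of MAIN_CONF ($1) that is granted; the longest matching path decides.
docroot_is_granted() {
    root=$(awk 'tolower($1) == "documentroot" { print $2; exit }' "$2" | tr -d '"')
    list_directory_grants "$1" | {
        best=""; result=unset
        while read -r path state; do
            path=${path%/}
            case "${root%/}/" in
                "$path"/*)
                    if [ "$state" != unset ] && [ "${#path}" -ge "${#best}" ]; then
                        best=$path; result=$state
                    fi ;;
            esac
        done
        [ "$result" = granted ]
    }
}

# Constructed sample files mirroring the layout the article ends up with.
write_sample_conf() {
    printf '%s\n' '<Directory />' '    Options FollowSymLinks' \
        '    AllowOverride None' '    Require all denied' '</Directory>' \
        '<Directory /home/user/www>' '    Options Indexes FollowSymLinks' \
        '    AllowOverride None' '    Require all granted' '</Directory>' \
        > "$1/apache2.conf"
    printf '%s\n' '<VirtualHost *:80>' "    DocumentRoot $2" \
        '</VirtualHost>' > "$1/000-default.conf"
}
```

On a real system, pass /etc/apache2/apache2.conf and /etc/apache2/sites-enabled/000-default.conf to docroot_is_granted, and run apache2ctl configtest before reloading.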