The main configuration file for Apache is located at /etc/apache2/apache2.conf. Apache may work a little different on Ubuntu (and other Debian based distributions) than other operating systems when it comes to adding and removing modules as well as virtual host configuration. The differences are the result of an effort to make it more flexible and easier to administer
The apache2.conf file is quite long, rather than pasting the whole file here, I will discuss the main points of the file.
Contents
The included files
There are several files that are included with this configuration file that get loaded in the apache configuration. Scattered throughout the config file are Include and IncludeOptional commands. The IncludeOptional command differs from Include by ignoring the line of code if the files or directory does not exist.
Below are the lines of code that included additional folders and files within the apache.conf file
- IncludeOptional mods-enabled/*.load
- IncludeOptional mods-enabled/*.conf
- Include ports.conf
- IncludeOptional conf-enabled/*.conf
- IncludeOptional sites-enabled/*.conf
Variable Settings
There are several items in the apache2.conf file that are defined by variables. An example of a variable would be ${EXAMPLE_VARIABLE}. The values of the variables are defined in the /etc/apache2/envvars file.
The Mutex (mutual exclusion object) file is a program object designed to allow a program (in this case apache) with multiple threads the opportunity to share the same file resource. The default value for the variable ${APACHE_LOCK_DIR} is … In apache2.conf you should find the following line of code that sets the Mutex file location:
Mutex file:${APACHE_LOCK_DIR} default
When the Apache service is started it will record the process id number in the PidFile. This allows Apache to determine if another instance of Apache is running. The ${APACHE_PID_FILE} variable is … You should find the following line of code that sets the PidFile in apache2.conf:
PidFile ${APACHE_PID_FILE}
In Debian based setups, Apache runs using both a user and group named www-data. This differs from instances of Apache on Red Hats servers in which the user and group are httpd. The variables ${APACHE_RUN_USER} and ${APACHE_RUN_GROUP} are used to define this user. You should find the following lines of code that set the user and group that Apache uses:
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
It is always important to know where the log files are located on the operating system. They provide valuable feedback on the operation of the software. The ${APACHE_LOG_DIR} variable is used to define the location of the error log. By default, the value is set to the directory location /var/log/… You should find the following line of code setting the location of the error log file within apache2.conf:
ErrorLog ${APACHE_LOG_DIR}/error.log
Directory Security
Because the Apache application communicates with the public Internet, security is always a concern. In the apache2.conf file a few settings are configured to control access to operating system directories. Using <Directory> tags, control options can be configured for a specific folder. The first set of <Directory> tags defines settings for the / (root) directory of the operating system. Within the tags the options FollowSymLinks is set, which allows Apache to follow symbolic links (think shortcuts) within folders. Also the AllowOverride option is set to none. This means that the use of .htaccess files are not allowed. The last option is Require all denied. The prevents Apache from access any folders or files from the operating system. Below is the code from apache2.conf with sets these settings:
<Directory / >
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
The /usr/share directory is commonly used for keeping scripts used by web applications. Because we have not allowed Apache to access any folders in the operating system we will need to make an exception for this folder. The options are inherited down the folder hierarchy so we already have the FollowSymLinks option set. To allow Apache access to this folder we can grant access to everyone. This is done with the setting Require all granted. Below is the code from apache2.conf that allows access to the /usr/share directory:
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
Web pages that are accessed from Apache usually reside in the /var/www directory. As with the /usr/share directory we will need to allow access to the files and folders within /var/www. In the default settings the Indexes option is included. If an index.html, index.htm, or index.php file is not located in the web directory Apache will then display a list of the file and folders as a web page. Below is the code from apache2.conf that allows access to the /var/www directory:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
The AllowOverride setting can be set to All instead of None. This will set Apache to look for a file named .htaccess within the directory. Within the .htaccess file, additional control options can be added to directories and files. In most cases the use of .htaccess files is not recommended as it relies on the server taking extra resources to search for and process the file. Some applications will require the use of .htaccess file. In that case the apache2.conf file blocks access to the files directly from outside the server. Below is the code from the apache2.conf file that uses a regular expression to block access to any file that starts with .ht, such as .htaccess:
<FilesMatch “^\.ht”>
Require all denied
</FilesMatch>
Additional Settings
The following settings can be tweaked to optimize the Apache server. The default settings are often recommended and most likely will not need changed.
The maximum amount of time a script can run is set to 300 seconds by default. Below is the code in apache2.conf used to change this time:
Timeout 300
The web page will either use the HTTP or HTTPS protocol. Both rely on the connection oriented protocol TCP for transport. Using the KeepAlive setting, the server can be set to either close the TCP connection after each request from a client or keep the connection persistant. Typically KeepAlive should be set to “On” as it reduces the network traffic overhead caused by establishing a new TCP connection for each web page request during a session. Special case scenarios for setting KeepAlive to “Off” would include a server being overloaded by requests from hundreds of clients at once and/or servers that are using load balancers. Below is the code in apache2.conf used to change keeping the TCP connection alive:
KeepAlive On
With the KeepAlive option set to “On” another consideration is to how many requests should be allowed for the connection. The MaxKeepAliveRequests is set to 100 users by default. Setting it to 0 would then allow an unlimitied number of requests by the client to use the same TCP connection. Typically an unlimited number is not recommended as a malicious client could take up all the available TCP connections causing a Denial of Service for others. Also, load balanced web traffic will not be balanced if this setting is set to 0. Below is the code in apache2.conf used to change the MaxKeepAliveRequests:
MaxKeepAliveRequests 100
Another setting available to persistent traffic is the KeepAliveTimeout. This setting will determine how long the server wait for additional requests from the client before closing the connection. This should be set to a number lower than 60. The default is 5 seconds and this servers as a good trade off for both network traffic and server resources. Below is the setting in apache2.conf:
KeepAliveTimeout 5
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it’d be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, …, trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# “LogLevel info ssl:warn”
#
LogLevel warn