mod_rewrite by jianghongl


									                   WebServer
                                                                                                          Webserver
-        % ,        *+       ) ( '&           '          & !"                #        $%                  webserver
         /     % 45       6 789   " % 1                 23 TCP/IP ./)                  %%        ' 0 & $ ./)
     $:               # -     ; 1 <           =        ' # 6 > 4?                $,         " %&               http
1                  " %&           6       - A "@                 =       '        http                         $%
                                                                                           . /            % 45 6 789




) ( '                 7     % B *+        &                  #       D       '& ) ( ' $                    5        /CB %
    %-             % %        5       $   &         '       $            H'       < G%% F            E)        $%
    ': B *+                  $    &                #     D        5K J /              $,         $         :          I %
               &             > 4? M $ L           5K G $% @              L        &              5              % 6 > 4?
    6 789              : //:http6 C7 N5B                L                '                  7
                                                                                           E G B               5B
% GJ ' % 45               J$ P    6 789       " %&              http ./)          -    O     % GJ /                     %
N5" L &     & F % & $ ./)             - /         F % ,       %%@                ) 789 M $ 6            +               Q
       N S T                   R : telnet       remote 6      + % 45                 J ' % 45            6 789
J ! V K         %      %          5       /CB &       '&        S      $         N -:           #           U
                       G              B * + http           # D         &         '         & ) ( ' ;
W    ) '6      +           G       I      > D         % &$           &           5                  #       %           '
    6 789              #              ,     1                        6 789 &               / http ./)
I % N G /          1           B Y P,             &    X -%    &         '           %              % '         " %
                                            . B                 &$         -          "    > 4?                     5
                                                                       % 3           &$         # -
                                                GGG Nginx :Litespeed :Apache                    LightHttpd




                                                                                           # * + X-
                                                                B ,                  '[1        )%              5 Z

                    ' " % wget              5 %       -I % -                 #              P        N          Z

    http://httpd.apache.org/download.cgi

                                                                                                    1H          9
 # Download the httpd 2.2.16 source tarball from a mirror.
 # NOTE(review): the transfer is plain HTTP from a third-party mirror, so
 # nothing here authenticates the file. Before unpacking, compare it with the
 # digest or PGP signature published via http://httpd.apache.org/download.cgi.
 # The 2.2.x branch no longer receives security fixes; use the release the
 # download page currently lists for anything beyond a lab exercise.
 wget http://apache.multihomed.net//httpd/httpd-2.2.16.tar.gz

                                                      J            % L% , "- Z

 # Unpack the downloaded source archive into the current directory
 # (-x extract, -v list each path, -f archive file name).
 tar -xvf httpd-2.2.16.tar.gz

                          5 %   B      &            # 6       ; ) .K          \ Z

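# Run the source tree's configure script with its default options.
# Run it from the top of the unpacked tree (presumably httpd-2.2.16/ --
# confirm against the paths tar printed).
./configure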

                                                  ^ % ' . ( ']                  Z

 # Compile httpd using the settings recorded by the preceding configure run.
 make
                                                             * + 6 E7S B
 # Install the built server under the prefix chosen at configure time.
 # NOTE(review): configure is shown without a --prefix, so the files
 # presumably land in the build's default location, not in the /etc/httpd
 # layout described further down -- confirm which installation you then edit.
 make install

                                                  Nginx            # * + X-

                                              G   B ,          ' SSH %          Z

                                     J / 1 <" Q              : E<         # Z

 # Stop the running Apache (httpd) service before setting up nginx.
 # NOTE(review): presumably so both servers do not compete for the same
 # listening port -- confirm; the service stays enabled at boot unless that
 # is changed separately.
 service httpd stop

                                           J /      " %      nginx        # Z

 # Download the nginx 0.8.33 source tarball.
 # NOTE(review): plain-HTTP download with no integrity check; verify the
 # archive against a signature or digest published by nginx.org before
 # building it. 0.8.33 is a long-unsupported release; take a current one
 # for any real deployment.
 wget http://nginx.org/download/nginx-0.8.33.tar.gz

                                                      % '_         %   % , "- Z

 # Unpack the gzip-compressed nginx source archive (-z gunzip, -x extract,
 # -f archive file name).
 tar -zxf nginx-0.8.33.tar.gz

                                            % B nginx          #       R "%     Z
  # Enter the unpacked source tree; configure and make below run from here.
  cd nginx-0.8.33

                             ^J / %           - 5 %] J / - Q                        # *+ Z

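# Configure a stripped-down nginx build.
# Each option starts with two ASCII hyphens ("--") and is one unbroken word:
# with en dashes, or with a line break inside an option name, configure does
# not receive the intended options.
#
# NOTE(review): the list also removes http_access_module (allow/deny rules),
# http_auth_basic_module and the limit_zone/limit_req modules, so the
# resulting binary cannot restrict clients by address, ask for a password, or
# limit request and connection rates. Leave those out of the list unless the
# server is known not to need them.
# NOTE(review): nginx documents --with-openssl= as the path to OpenSSL
# *sources*; /usr/lib/openssl looks like an install path, and no
# --with-http_ssl_module is passed here -- confirm what was intended.
./configure \
  --without-select_module \
  --without-poll_module \
  --without-http_charset_module \
  --without-http_gzip_module \
  --without-http_ssi_module \
  --without-http_userid_module \
  --without-http_access_module \
  --without-http_auth_basic_module \
  --without-http_autoindex_module \
  --without-http_geo_module \
  --without-http_map_module \
  --without-http_referer_module \
  --without-http_rewrite_module \
  --without-http_fastcgi_module \
  --without-http_memcached_module \
  --without-http_limit_zone_module \
  --without-http_limit_req_module \
  --without-http_empty_gif_module \
  --without-http_browser_module \
  --without-http_upstream_ip_hash_module \
  --without-mail_pop3_module \
  --without-mail_imap_module \
  --without-mail_smtp_module \
  --without-pcre \
  --with-openssl=/usr/lib/openssl \
  --with-ipv6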

                                                           J / %               -6       5 % (

  # Compile nginx with the module set selected by the configure step.
  make

  # Copy the built binary and default configuration into the install prefix
  # chosen by configure (none is given on this page, so the build default).
  make install
                                                           #     (     0* +
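# Download, unpack and install LiteSpeed Web Server 3.0.1 (standard, i386).
# NOTE(review): the archive arrives over plain HTTP and install.sh is then
# executed with the invoking user's privileges; check the file against a
# vendor-published checksum before running the installer.
wget http://litespeedtech.com/packages/3.0/lsws-3.0.1-std-i386-linux.tar.gz
# -f has to be the last letter of the option cluster so that the archive name
# is its argument; "-xvfz" makes tar look for an archive literally named "z".
tar -xzvf lsws-3.0.1-std-i386-linux.tar.gz
cd lsws-3.0.1
./install.sh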
   %     *+ -       /E `        )         # N &     * + .K      2 ) $ N 5CR
    H' 6   ?N       Q % GJ ' . ( ' (          0          3 )       % \       php    (     0.
                                                  Mysql             GGG 5"         '- $1 a
                 # N        % Load PHP    7        '               B 87 $               Q
                                                                                    # *E %
                    `        B 'c 5<          52 b             =    $    `              - )O
     %d                 (      0      #              D         (         0              -.
                                                                                    #
(   0   52
                                                                          #
                                               G B C /etc/httpd       # N              B
                             % %      conf.d        conf & 5' % %         BN        % '
                           % %       run logs       modules symbolic link % 7
                                                          symbolic link -       =
            `N %   I % G         I % & <    J$ link N %       & <     ' Symbolic
             /usr/lib/httpd/modules & 5' %            symbolic link : modules . "
                   % %      magic httpd.conf & $             . " % conf        B %[
                                                %        -& $. "conf.d         B %[
G% %   man command & $           '      @       - ' = $ . "N         manual.conf
        # N GGG    $X -     e $       $ -           5 http://ip/manual %-        B '
                                                                      G       ' % 45
                                                                    I % N -
               `       %    \' %       5 $ html      "   '    $ . "N       ! I K
                                                  /var/www/manual I % % # 3
                                                                    . "N 6      5>




       php P           U   .so J F            52 : / N <)     php S       php.conf
     . %6   5> @           7       E"      D J     5 :. 7 N         87    / Load
'%     9    . "N & 5' % D          %      -    ] GJ ' # P 5   ; %       & $ & 5' %
                                                                         ^% B
                   G       B J ; ) DirectoryIndex index.php         C     '& = $

                                                                    . "N 6      5>
G $   perl & $ . "   ( / & 3 - 3 perl.conf
                              . "N 6   5>
: tomcat    1 a N G / Load     mod_proxy_ajp.so . " proxy_Ajp.conf
      G /   ?       6      % % AJP/1.3 backend server   proxying   E
                                                        . "N 6     5>




            - 7 python G   / Load     python 1 a . "N     python.conf
                                                              G
                                                        . "N 6     5>
                G $          B*+            #    P       %    % > T ) README
                                            GG   ' <R=       . "N J / % 2 ,        '
                                                                     . "N 6   5>




                       G    cache server&-           &       ! D squid squid.conf
                                                                     . "N 6   5>




   G   ' <3     . "N       SSL -       C 5, &                # J;)    23 ssl.conf
                                                                     . "N 6   5>
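# Page through the SSL configuration file; less reads the file itself, so no
# cat pipeline is needed.
less /etc/httpd/conf.d/ssl.conf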
  GGG ' <3 . "N               L X           = &$ f J ;)          23 welcome.conf
                 I %       &=     f &           ' $,              . "N 6       5>     L1H     9
                                        G           %%        /var/www/error/noindex.html
                                                                                    . "N 6    5>




                                            G% ,         5    -       $ . "N        webalizer.conf
    # N &         % %. ")           $       X !L ' G              #    L! R D           wenalizer
                                        GGG         5B % %-               > 4? N : % %


                                                                                    . "N 6    5>




                                              % %        /etc/httpd/conf      B % $. "
                                                                           Httpd.conf , magic
    D '      #         '        g + P & $ ' Jh &
                                             87                       D . B    % ' magic . "
          . "N               B %%       gif          "       /7 D         #     % 5 8H :       /
G            # %           D ' 23 " ? GGG $ Y P , )                   . "N     5        S    ) !
  N &        J % ' <               5,       ' GG                    # N &            / . " ' Httpd.conf
                                                                                                     GJ $%      . "
                 ' - nano       & F,                           D         /etc/httpd/conf/httpd.conf . "
# Open the main Apache configuration file in the nano editor.
# After saving, check the syntax with "apachectl configtest" (or "httpd -t")
# before restarting, so a typo does not take the server down.
nano /etc/httpd/conf/httpd.conf
                                                           nano F,                - % 45            23 -0 6 > T )
                                                ' % 45 ctrl + w & $                  '% -       %     & \5 3 &
                `       ,4     Enter Y ( ctrl + x                            '% %     6         f) &-          c&


                                                                                       #              &      / . "


  % &!     $O       %] $           subcomponents                    $%        %       ) 789 ServerTokens
         G B 1 <" Q            % 45 i              ?           -& LE3             23 G ^ / X " B%               %
  .H         # & $. " 'G                               #            B N )0          ServerRoot “/etc/httpd”
                                        ^GGG : 6       ; ) : $1 a ] `                       B       ' % log conf
:J5 $ $ , 1 K %               % '-          )          #        %        B > 4? N 8H Timeout 120
                                        G $        time out N                        % 45                    % -
 -3                 9        % %                % D - 5, Connection D L KeepAlive Off
                G        Connection N5B % F                         -X       4 j KeepAlive O                 %G $
 ) $       - 3 connection $                     ' &% <) N 5,             MaxKeepAliveRequests 100
                                                                                                     G%-     request
                         '     k        &                  #        ;5   H' K KeepAliveTimeout 15


      Core JF       52 .? % ` 5 $ * +                           &        default          9         $1 a - l<
                                                                          prefork1 a .H ` 5 $
                                                   ,       %             &          / . " %             F    $1 a
<IfModule 1 a            .c>
…..
</IfModule>
                                                                                                     prefork1 a
                                                        -Q &            $                % <) StartServers
          %       2F m            9             5       '       $            % <) . K MinSpareServers
        % % F m              9           5          '       $               % <) H' K MaxSpareServers
                           '1 C             #       '       $ MaxClient % <) N 5,                 ServerLimit
                  B       5B %         5 Client $ '                     $        % <) N 5,            MaxClients
    ^         ]                  $ n &                          % % <) N 5,        MaxRequestsPerChild
L                     %            /        R) X %          - n D :                5          % @2 5          ' R
                                                                                         ^       D        n ]G '
                                      ` 5 $ $k                      $       thread 7 \         -^ $       ] $ n
multi-threaded                    # D &             Multi-Processing 1 a & 3 worker 1 a
                                                                             multi-process




                                                        -Q &            $                % <) StartServers
                                 simultaneous client connection % <) N 5,                             MaxClient
& % F m           &        '^ $k        ] $S T              & $ L ' % <) N 5 ' MinSpareThreads
                                                                                                          G   ,
    F m       &           '^ $k        ] $S T           & $ L ' % <) N 5,                    MaxSpareThreads
                                                                                                      G   , & %
                           $ % ^ $k             ] $S T              &$ L '        o% <) ThreadsPerChild
 G / . 7                               $&                       % % <) N 5,        MaxRequestsPerChild
^ n]          D X%       - prefork '           N worker prefork 1 a N p "O                                %
                           `           = worker         $       h $           %       k           &
                                                                                      # 6
 Listen 12.34.56.78:80
Listen 80
                                       Dynamic Shared Object (DSO) Support @P
 `        5, suPHP              `J          0 suPhp DSOI               %     phpJ             5
     G    % ' Load '        $ .so &     D GGG %     . "N - @P N &             ?           > T )
                                            cern_meta asis1 a WC) @P
  LoadModule cern_meta_module modules/mod_cern_meta.so
  LoadModule asis_module modules/mod_asis.so
                             HTTP headers & K . "1          X 4 j mod_asis
Mod_cern_meta : Emulate the CERN HTTPD Meta file semantics. Meta
files are HTTP headers that can be output in addition to the normal range of
headers for each file accessed. They appear rather like the Apache .asis files,
and are able to provide a crude way of influencing the Expires: header, as
well as providing other curiosities. There are many ways to manage meta
information, this one was chosen because there is already a large number of
CERN users who can exploit this module.
                                               CERN httpd metafile semantics                  ?8
                                            ` 5 $ 1 <" Q 1 <      9    :p "1 a            % 5CR
                                                            Include conf.d/*.conf @P
         %&   / & $. "          ) '           <N     ^Include conf.d/*.conf] 5                     N
                                ^ ' Load] ` ' 3             P     etc/httpd/conf.d[ I %
Include conf.d/*.conf
                                                                ExtendedStatus On @P
 # Collect extended per-request detail for the server status page.
 # NOTE(review): with this on, the status page shows client addresses and the
 # requests being served; wherever a server-status handler is mapped, restrict
 # that location to trusted addresses.
 ExtendedStatus On
     J 5 ^J        % J$               ' - 5CR] : J $%       ON                            N           L
     L    B    '     <         W 1      %     5    GJ ' $ ,                       #               <T
                                         J /      $,        - f J          server status
                                     The default is Off
                                                            L ^       '] -        N <) @P
User apache
Group apache
 & -         $ : B run                 #    ' 5 :      $ default   9        %      N
%     -      3 )     $J N J      5 1 K GGG $       ,      p "& $        :       #
                                                                        J $%        f)
                                           Main' server configuration       % @P
    All of these directives may appear inside <VirtualHost> containers,
    in which case these default settings will be overridden for the
    virtual host being defined.

                                                          VirtualHost - &
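  # Virtual host for resellers.ghorbani.us on 173.244.180.89:80 (apparently
  # cPanel-generated). Section tags are written in full, <...> and </...>,
  # because httpd does not parse the block without them.
  <VirtualHost 173.244.180.89:80>
    ServerName resellers.ghorbani.us
    ServerAlias www.resellers.ghorbani.us
    DocumentRoot /home/ghorbani/public_html/resellers
    ServerAdmin webmaster@resellers.ghorbani.us
    UseCanonicalName On
    # CGI execution and server-side includes are switched off for the site,
    # and the listed script extensions lose their cgi-script handler.
    Options -ExecCGI -Includes
    RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
    # Access log in "combined" format, plus a per-domain byte counter log.
    # NOTE(review): the byte-log format string is rejoined from the wrapped
    # line; confirm its trailing ' ."' against the generated file.
    CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us combined
    CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    # NOTE(review): stock httpd does not accept a trailing comment on a
    # directive line; confirm how this line appears in the generated file.
    User ghorbani # Needed for Cpanel::ApacheConf
    # PHP (suPHP) and CGI (suexec) run as the account owner, not as the
    # web server user, when the respective module is loaded.
    <IfModule mod_suphp.c>
      suPHP_UserGroup ghorbani ghorbani
    </IfModule>
    <IfModule !mod_disable_suexec.c>
      SuexecUserGroup ghorbani ghorbani
    </IfModule>
    # NOTE(review): a ScriptAlias directory is treated as CGI regardless of
    # "Options -ExecCGI" above, so scripts under cgi-bin/ still execute.
    ScriptAlias /cgi-bin/ /home/ghorbani/public_html/resellers/cgi-bin/

    # To customize this VirtualHost use an include file at the following
    # location (presumably left commented until that directory holds .conf
    # files -- confirm against the generated file):
    # Include "/usr/local/apache/conf/userdata/std/2/ghorbani/resellers.ghorbani.us/*.conf"
  </VirtualHost>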
  '% ,      %\ &         / . " % J$ VirtualHost D J / % \                      '^ - ]           $ $
      $     &            # 6 /         $1 a              J    5 ) $                           5 %N
                                                                               GJ ' 1 <" Q[1 <"
 &     resellers.ghorbani.us       '     C p " %              % ' 9            $ ServerName
                                        G% % % 3 173.244.180.89:80 6                          I %
                                        B %       'N & $. "                ) DocumentRoot
                               G   F          /home/ghorbani/public_html/resellers
  # &=          f       ' ) > 4? % '            'N           Y 5P .        N        ServerAdmin
     ./,        5   =     > 4? N       B .+ 5        ' % ,        %%@                     0
                G% rF       % webmaster@resellers.ghorbani.us I % .                                %
     G% B       c \' %     5 "           'N & $%               ' $             ,     CustomLog
                                                G B C 1 <"            '&        J$ suphp 1 a

                          J $% @   I %      & D                       %J        5         F    N        )
                      $%        #                    &        / . "%                - %                "'
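 # Two sites served from the same address, 192.168.100.1. ServerPath gives
 # each site a URL prefix (/site1, /site2) through which clients that send no
 # Host header can still reach it.
 # NOTE(review): on httpd 2.2, name-based hosts on one address also need a
 # matching NameVirtualHost line, which this excerpt does not show.
 <VirtualHost 192.168.100.1>
   ServerName site1.domain.com
   DocumentRoot /var/httpd/www/site1
   ServerPath /site1
 </VirtualHost>
 <VirtualHost 192.168.100.1>
   ServerName site2.domain.com
   DocumentRoot /var/httpd/www/site2
   ServerPath /site2
 </VirtualHost>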
                                                                  . @P
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin root@localhost
                          GGG $    X !L B           .   N       ./,        L $-     6   ? %
                                                                           ServerName @P
DNS    L    '      %:      $                   )                5             5 $M $ B L
J/    %2,    N            GGG /     '      B       % / %\ %              $&     & C5< name
                                    GGG        F & 3    UseCanonicalName & $                $
  $, %             I %         &    %               #       5       B:        # *+ -            ]
      N -        ' % 45        C5< N % D - I %          & N &\            $ P     L 1K :        '
                                                                   ^   F D '
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80
                                                          1 / ' - % 45 @P
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off
On UseCanonicalName              5 ServerName       7 N % - % 45 6 ? %
                                                                                        G       '
                                                                         DocumentRoot @P
                   #       %@       23 %        &$. " %%            &           & 5' % I %
                                                                            var/www/html[
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

& 5' %         B    5B %    5 % $     B    '         #           'J ; )      5
                                                5B [ B 5B %          5 %  $
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
   Options FollowSymLinks
   AllowOverride None
</Directory>
     5    %         5 % ' M $ ^root] [ & 5' %       C '& = $: p "         %
                                                      G   ' ^ \ 5 3] X % L       %
                                               Directory "/var/www/html @P
                           G ' f)         B DocumentRoot       3 )     N
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">
                                       Options Indexes FollowSymLinks @P
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
   # NOTE(review): Indexes makes httpd generate a file listing for any
   # directory under the document root that has no DirectoryIndex file; drop
   # it if visitors should not be able to browse directory contents.
   # FollowSymLinks lets the server follow any symbolic link placed here;
   # SymLinksIfOwnerMatch is the narrower choice where other users can write.
   Options Indexes FollowSymLinks
W ) $ symbolic link % ' 1 C% & <            Options Indexes FollowSymLinks
                                                            G                 #
                                                            AllowOverride @P
   All", J$      %   G% F     htaccessG %     $. 7    5 %       J$    -3 J    5
          Options FileInfo      G B        5 & E 6 E - C ' ) $ "None
                                                 '     '
                                                          AuthConfig Limit
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
   AllowOverride None
                        G% , 1 7 htaccessG . " % p "J ; ) E 7 5 % M $
# Controls who can get stuff from this server.
#
   Order allow,deny
   Allow from all

</Directory>
                                                                     UserDir @P
I %        ' F       & 5' %       5    `    " %&     user              %6    ? %
                                                     G B ~userid/public_html
                                                       ' B       5B % 3 )
                                       B             5 % &- \ & %        userid
                        B             5 %- \ & %       J$ userid/public_html
                                            G B          W " '& $. " )
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
  #
  # UserDir is disabled by default since it can confirm the presence
  # of a username on the system (depending on home directory
  # permissions).
  #
  UserDir disable

     #
     # To enable requests to /~user/ to serve the user's public_html
     # directory, remove the "UserDir disable" line above, and uncomment
     # the following line instead:
     #
     #UserDir public_html

</IfModule>
                                     UserDir & $ & 5' %        5 % 1 5 ' @P
 $        D %1H &      :   5 $      ' & $ & 5' %    $     5 %1 5'      %   B
                                                B           W" "L   X ) E"
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
#      Order allow,deny
#      Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
#      Order deny,allow
#      Deny from all
# </LimitExcept>
#</Directory>
                DirectoryIndex & 5' % D               6    ? % > 4? D @       @P
  N     ' $:-        ~userid/public_html/linuxtalk            & 5' % D N 8H
                 Default 9 % B % % @ @2 > 4? : C                      '     %
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.html.var
                                                          AccessFileName @P
                         G% , % 45 $ & 5' % &                   23 .htaccess
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
               `% ,    %     8' W ) .htpasswd^ $ U = ] htaccess G & $ . "
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
   Order allow,deny
   Deny from all
</Files>
                                                                   4 6 > T )
                                         $       -3       %%& <     Allow from all
                                        $    -3       %     & <     Deny from all
                                             B    5B %        5 %           & W"
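# Presumably meant to admit only 1.1.1.1 and refuse everyone else.
# With "Order allow,deny" the Deny rules are evaluated last and win, so
# "deny from all" would shut out 1.1.1.1 as well. "Order deny,allow"
# evaluates Allow last, letting the single address through.
order deny,allow
deny from all
allow from 1.1.1.1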
                            ^ B S     ] B    5B             5 % Peyman.com N %
deny from peyman.com
                                                                $ IndexOption
                                                   ./B N      2 & L              >
IndexOptions option [Option]…
                                                       $ Option N 5 2 -
Description Width=[ns ]
: B s            L G% B Y P ,   5' ' * K       tT )      5 1 9 ' $           -3
                            G B $     t T )N )     0 9 -          5    -     F
FancyIndexing
                   $    6 789 &- * )       >) &   & 5, 1 5 ' - 3             '
IconHeight
                                      / N <)      HTML & $ DE A 7 1 9
                                                             /B
                                                                  mime1 a
5 %]   6 789 ^     ]
                  " S .? % : J rF m 5B             '     $. "      $                 )
                          /etc/mime.types . "& 5> - , P G / N <)                 ^
                                / Y P,      mime.types . "I %          - %           %




# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
   MIMEMagicFile conf/magic
</IfModule>
                                                         HostnameLookups @P
 B Off L G      C    C5< DNS         N %D        5       $ &%    B on        N   L
  Q        N   5,       ' 9P        'G    CI %       &           #       5        '
                                                                       G / 1 <"
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
                                                              EnableMMAP @P
                              G%   % 45 1 K % memory-mapping '           3 $1 5 '
memory-mapping           52        :% ,      &$            ' %   0 u7 6          $L
                                                                     - GG B 1 <" Q
 5     memory-mapping : multiprocessor & $ J5             -    l< &            Z
                                 G $% @$ '         #          performance
           #        N/       ' ) ? % GGG . " D         % 'm         % ' ) 'Z
                                                                   G ' crash
            J$            -       NFS B mount & $ . " % ' 1 <" Q &
 <Directory "/path-to-nfs-files"> EnableMMAP Off </Directory>
 # EnableMMAP: Control whether memory-mapping is used to deliver
 # files (assuming that the underlying OS supports it).
 # The default is on; turn this off if you serve from NFS-mounted
 # filesystems. On some systems, turning it off (regardless of
 # filesystem) can improve performance; for details, please see
 # http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
 #
 #EnableMMAP off
                                                      EnableSendfile @P


     EnableSendfile: Control whether the sendfile kernel support is
     used to deliver files (assuming that the OS supports it).
     The default is on; turn this off if you serve from NFS-mounted
     filesystems. Please see
     http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile

     EnableSendfile off
                                                                ErrorLog @P
<VirtualHost>         5 % ^ $%      ] & $v 0 = & $ f &           / D N <)
 # ErrorLog: The location of the error log file.
 # If you do not specify an ErrorLog directive within a <VirtualHost>
 # container, error messages relating to that virtual host will be
 # logged here. If you *do* define an error logfile for a <VirtualHost>
 # container, that host's errors will be logged there and not here.
 #
 ErrorLog logs/error_log
                                                            LogLevel @P
                         error_log.    B%     &$ f        $ t=        % <) 1 5 '
                debug, info, notice, warn, error, crit,       N/      %   N        '
                                                                alert, emerg.
                                                                          B
                                                                     6 > T )
                                                                       emerg
Child cannot 1 H & G% , _                      % 45 .     Q         :     a
                                                      open lock file, exiting
                                                                         alert
getpwuid: couldn't determine user name 1 H & G                -0 & " @ '
                                                                    from uid
                                                                          crit
        socketL Failed to get a socket, exiting child 1 H & G         > W B
                                                                        error
     Premature end of script headers 1 & G% F            C                   '
                                                                        warn
child process 1343     1H & G % 3 ) -                  5 J2 % - ' E       h
                                    did not exit, sending another SIGHUP
                                                                       notice
httpd: 1 H & G B 5B %                     -         N/    ' R < & $%
                         GGG caught SIGBUS, attempting to dump core in
                                                                  info
server seems busy, (you may need to increase 1 H & G       6 789 23
                                  GG^StartServers, or Min/MaxSpareServers
                                                                    debug
                                               G% , % 45     %- 1 /B 23


   # LogLevel: Control the number of messages logged to the error_log.
   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   #
   LogLevel warn
                   B    c F '           $%          " WC)      ' F % @P %
   # The following directives define some format nicknames for use with
   # a CustomLog directive (see below).
   #
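# "combined" is the "common" format plus the request's Referer and User-Agent
# headers. Each LogFormat must stay on one line: a line break inside the
# quoted format string (here it fell inside "User-Agent") is not a valid
# continuation, so the directive is rejoined below.
# Fields: %h client host, %l identd logname, %u authenticated user, %t time,
# %r request line, %>s final status, %b response body size in bytes.
# Referer and User-Agent are supplied by the client; treat them as untrusted
# text when the logs are parsed or displayed.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# "referer" records the Referer header and the requested URL path (%U);
# "agent" records only the User-Agent header.
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent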

# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this
# requires the mod_logio module to be loaded.
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog logs/access_log common

#
# If you would like to have separate agent and referer logfiles, uncomment
# the following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent

#
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined
                                                             # l @P
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
   # listings, mod_status and mod_info output etc., but not CGI generated
   # documents or custom error documents).
   # Set to "EMail" to also include a mailto: link to the ServerAdmin.
   # Set to one of: On | Off | EMail
   # NOTE(review): with "On", the footer of server-generated pages carries the
   # server version and virtual host name; "Off" leaves that footer out when
   # version details should not be shown to clients.
   #
   ServerSignature On
% % @ : B 1 <"         N L: B         B*+          &       ' $1 a       )
                                                                               G% ,
                                                                           Alias @P
#    > 4? % J   5    & 5' % D      =    :        @          5         N/       ' R
                                                                      `J $%    , %
                                       GGG J /       % 45       Alias -       'N &
                           B%    % N         #       &    / . " % '
      Aliases: Add here as many aliases as you need (with no limit). The
    format is
      Alias fakename realname

     Note that if you include a trailing / on fakename then the server will
     require it to be present in the URL. So "/icons" isn't aliased in this
     example, only "/icons/". If the fakename is slash-terminated, then the
     realname must also be slash terminated, and if the fakename omits the
     trailing slash, the realname must also omit it.

     We include the /icons/ alias for FancyIndexed directory listings. If you
     do not use FancyIndexing, you may comment this out.

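    # Map /icons/ to the icon directory; both names end in a slash, as the
    # Alias rule requires. The closing quote and the section brackets are
    # restored here so the directives parse.
    Alias /icons/ "/var/www/icons/"

    # Indexes lets the server generate a listing for this directory, so keep
    # only icon files in it. AllowOverride None ignores .htaccess files.
    <Directory "/var/www/icons">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>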
&    D       % ' icons& 5' %                #            Default 9          :p " %                 %
                               G%           %@               &   GG % %              /7 & $ . "
@        %         # :J / % \ /var/www/                B % ' & 5' % $                      <
                                                                                      `
D            BN    % & 5' % $ % \ -                    -`              # 3O               % k
                                    GJ ' " T                     # &       / . " % alias
         #    %    /var/www/         B % Peyman & 5/ % J % + :1 H                              9
                                                                                `J          @
                                                                                           .K
    cd /var/www
    mkdir peyman
    cd peyman
    nano index.html

                                      :1H       9     :J $          J %              % &!          $
    salam
                                                                          J /              c (
    ctrl + x > Y
                                                                                `                  '
                                                    `% , X        " 4=Ralias % ' "T
    nano /etc/httpd/conf/httpd.conf
                        J$          - %                icons        ScriptAlias @P %
    # Serve /var/www/peyman/ under the URL prefix /peyman/ (trailing slash on
    # both names).
    Alias /peyman/ "/var/www/peyman/"

    # Access settings for the aliased directory.
    <Directory "/var/www/peyman">
      # Indexes allows a generated file listing for directories that have no
      # index document; drop it if the contents should not be browsable.
      Options Indexes MultiViews
      # Ignore .htaccess files in this tree.
      AllowOverride None
      # Apache 2.2 access control: every client is allowed.
      Order allow,deny
      Allow from all
    </Directory>
       ` 5 $%      L     % & 5/ % N              $,          % N 1K:            ' &-               c
                                                      J2 0             %[ '           '        % •
                                                       WebDAV 1 a 6                       ; ) @P
     w R)   # & $ O- ) &         HTTP ^6 "T ] $                T&           D WebDAV 1 a


1H          .h    N            ) http://www.webdav.org/specs/rfc4918.html D R
                                                                        G%-       /B   B&
     # WebDAV module configuration section.
     #
     <IfModule mod_dav_fs.c>
       # Location of the WebDAV lock database.
       DAVLockDB /var/lib/dav/lockdb
     </IfModule>
                                                                              ScriptAlias @P
                       `                  N       27           & $ ( / & 5' % 1 5 '
 '     $ documents !3            (Alias)          <5   &$           $&            ScriptAlias
 3          W    ) '       $              \                <   J    & % $         & $ & 5/ %
        G / 1     client &           & documents % B                    % 'O       $     ,
  J /       %\   '     $ & 5' % J             5             4L ,        :        N &     1H
                                      `J $                     N    %       ^ Peyman& 5' %]
                       ,        &-    %                N            &$ ( / : ) %             9
ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys[
ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin[
                                      JB % ' B        %        N '
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
# Access settings for the CGI directory: no .htaccess overrides and no
# optional features (Options None), reachable by every client.
# NOTE(review): presumably a ScriptAlias elsewhere in the file points at this
# path; files placed here would then be run as programs, so keep the
# directory writable by administrators only.
<Directory "/var/www/cgi-bin">
   AllowOverride None
   Options None
   Order allow,deny
   Allow from all
</Directory>
                                                          ReDirect - 3 @P
  Redirect allows you to tell clients about documents which used to exist in
  your server's namespace, but do not anymore. This allows you to tell the
 clients where to look for the relocated document.
 Example
 Redirect permanent /foo http://www.example.com/bar
                                      ` ' V rK    :p "              % ' 1 <"&
           G       B % % 1 5 http://www.example.com/bar N %           /foo      B
                                                           IndexOptions @P
                           / 1 5'       / %\          ' $ & 5/ % @P N
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
                                                            Aaddicon* @P
               `          "D & % :J / % E %           &         '    $. "         )
. " '`      Y P, )       /etc/httpd/confI % % magic . "     / S 3                 '
                                                  G       5 "       & % ; %
. "        N -:      ,         R & 5/ % % ' $ . " ' & $         / e6 > T )
                                       J$      f) J 5        #        &       /
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
                      % , % % @ icons/binary.gif / .bin              "    E "8H
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif

#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
                                                            IndexIgnore @P
      F      $ & 5' % %       C '      $ . "J    &         % ,   IndexIgnore
                                                                     G B      R
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
                                                                         - @P
                GGG '   C 5, J$ F %    -- 2     :J -     '   $       J   5


#
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt
pt-BR ru sv zh-CN zh-TW
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8 GGG          X 5     S ' J$ N
# &      x 7        B     ' ' J$ F % & $ @P : B % % t T ) $ @P N )
                                                  B    P   3   B
#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz

#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz

# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

#
# For files that include their own HTTP headers:
#
#AddHandler send-as-is asis

#
# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
# to be distributed in multiple languages.)
#
AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /var/www/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

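# Map /error/ to the directory holding the multi-language error documents.
Alias /error/ "/var/www/error/"

# The section below applies only when both mod_negotiation and mod_include
# are loaded.
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
  <Directory "/var/www/error">
    # .htaccess files in this tree are ignored.
    AllowOverride None
    # IncludesNoExec: server-side includes are processed, but the exec
    # command and CGI includes stay disabled.
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority en es de fr
    ForceLanguagePriority Prefer Fallback
  </Directory>
# Each ErrorDocument entry must stay on a single line; a wrapped entry would
# leave its path as a separate, invalid directive once uncommented.
# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
# ErrorDocument 410 /error/HTTP_GONE.html.var
# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

</IfModule>
</IfModule>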

#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
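# BrowserMatch sets the listed variables when the request's User-Agent header
# matches the pattern. The header is chosen by the client, so these entries
# are compatibility workarounds only and must not be relied on for access
# decisions. Each directive has to stay on one line; the wrapped entries are
# rejoined here.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully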

#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Location>

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .example.com
#</Proxy>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On

#
# To enable a cache of proxied content, uncomment the following lines.
# See http://httpd.apache.org/docs/2.2/mod/mod_cache.html for more details.
#
#<IfModule mod_disk_cache.c>
# CacheEnable disk /
# CacheRoot "/var/cache/mod_proxy"
#</IfModule>
#

#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#

#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
                              ' & - = X !L 1                  5P
                                                      & : w E & $.            N <)
#<VirtualHost *:80>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

# Include /etc/httpd/conf.d/nagios.conf

# Include /etc/httpd/conf.d/apcupsd.conf

                                   ^@     ] % %      -I % %              # log
ls /usr/local/httpd[



                          [http://httpd.apache.org/docs/2.2/mod $ 1 a             R
          http://httpd.apache.org/docs/2.2/mod/core.html#options $ Options
                                                                    5        %
                                       ServerRoot & $ & 5' % - \ t= N <)
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
                                                         L . "      /R           f)
chown 0 . bin conf logs
                                   Change Group Ownership       L       /R       f)
chgrp 0 . bin conf logs
                                              $ & 5' %        5 %- \    f)
chmod 755 . bin conf logs
mkdir /usr/local/apache
cd /usr/local/apache
                                           logs conf bin & $ & 5' %
mkdir bin conf logs
                                                        L . " /R        f)
chown 0 . bin conf logs
                                  Change Group Ownership       L /R f)
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
                           B y8? .           6 W ) W "usr/local[ qusr[ q[
cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
                                                  System Settings- ;">
                                                $%    htaccessG %       - %
<Directory />
AllowOverride None
</Directory>
                                             R < 9            & $ . "- ;"K
This would allow clients to walk through the entire filesystem. To work
around this, add the following block to your server's configuration:
                                       ' \ 5 3 ^6 ] [       B %     5   'M $
<Directory />
Order Deny,Allow
Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate
Directory blocks to allow access only in those areas you wish. For example,
                                            B 5B %       5 % public_html    $
<Directory /usr/users/*/public_html>
Order Deny,Allow
Allow from all
</Directory>
<Directory /usr/local/httpd>
Order Deny,Allow
Allow from all
</Directory>
                                                             F % 5 % /E 7
                                                         #       % 'N X
       $   6   ?N     Q %:    ' .? K     9    B         & $M N         *+ -    5 G
                                                                           '
    & $1 a           # S      X F .C-             # I    K 6 789       % ' 4P G
                                                             # &              B*+
ServerSignature Off
ServerTokens Prod
     % B 3 ^apache]%   $ L & ' t= %                              ' .? K        9G
User apache
Group apache
    G B C I 5 % . web root!3 & F % & $ B                           %     B Nz = .4
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /web>
Order Allow,Deny
Allow from all
</Directory>
                             G -      '-            # &$       B            R $,          E G
Options -Indexes
          -     '-           $     B { ) - % 45           V 9- $            B         %   E G
Options -Includes
                                                    ' 1 <" Q       |       / & 3          E G
Options -ExecCGI
                  G $% k             % .C    & $D R                         #      $      -3G
Options -FollowSymLinks
                                                  - 1 <" Q             L    6     5        !LG
Options None
                                                                                1% <      !L N
Options -ExecCGI -FollowSymLinks -Indexes
                                 ' 1 <" Q htaccessG & 2E "- C 5, G
AllowOverride None
    : '1 7      !R     5 % t=   % f) p ". "J          ) - 6 ? %
                                                                                   3
                                                                                  E 1H          9
                                      G B S          $&        ,       - Q .ht        '   $. "
AccessFileName .httpdoverride
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
{ ) E" /       'N        '       '* + %            # &         mod_security 1 a G
                                            / J$ " B           # &                5,
                    <3       http://www.modsecurity.org                     5, 6 789 &
                                                , 1 <" Q - & $ 1 a G
                mod_imap, mod_include, mod_info, mod_userdir, mod_status,
                                               mod_cgi, mod_autoindex ^
   5B & \ 5 3 grep LoadModule . " % httpd.conf U = N N5                                            1 <" Q
G B       ,      '      % >             &$        B             5 % t=       '         ' .? K             9G
                               B 6    L       6      /R > ) - & $ I %
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
        G '# P5               % ;5 &    B ) -6 &          / ' &% 7G
Timeout 45
                                   F     F     - 5L !             3
                                                              %& E G
LimitRequestBody 1048576
      LimitRequestFields,LimitRequestFieldSize,LimitRequestLine % G
                        'J ; ) I % 6 8 K - & L E3                23 %        &$                  % % <)    C
            ' % > mod_dav 1 a & 3 6                                  ? %              XML         5 !      G
LimitXMLRequestBody 10485760
                                                                         ! $& 3 % '% > G
      5             %    F          &            L6   ;)             ! $ X -%               /
                                                                                            1H &        % %
  % > 6         ? %:%         % 3            5              %D &             '        2            - J !L
                B       % =     %       N    % % -          ;"K                      !L MaxClients : %
              !R 6 =          F @$ ' %                6 /        *       5       %        # P 5 rRG % 3
                                                            %        %           5        ' F%      ,      %
MaxSpareServers, MaxRequestsPerChild
                                                                                                  Apache 2
ThreadsPerChild, ServerLimit, MaxSpareThreads
 % > & $% '&             # - % 45 6 ? % &                                             5 % % '% > G
                                                                                                 %N <          B
                                                                                      G /CB g           % >
Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16
Or by IP
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
                                                          KeepAlive @P G
   )     5     !L N t > ?        J;)           # 6 > T ) . "6 3                 } C9
       ' !              *                G
                                  # P 5 rR    ' "T        #         '           ? %
                                           @ !"      # P5 N             %       %
                                                                                    $
MaxKeepAliveRequests 100
KeepAliveTimeout 15
                                    G        B %%     A 4, 6        ?       1       %
                                             Chroot W >   %         # & 3 G
SecChrootDir /chroot/apache
          / J$ "        B I C>         R! W > D %             & 3       / Chroot
   G /       C 5,   5       R ! W > N - mod_security 1 a       '            'c          -0
                                             IP D 6 0 + ) % ' % > F F
rpm -ivh http://dominia.org/djao/limit/mod_limitipconn-0.04-1.i386.rpm

                                                                            5 %* +
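# Build and install mod_limitipconn 0.04 from source.
# The tarball is fetched over plain HTTP and this page gives no checksum or
# signature for it; compare the download with a digest obtained from a
# trusted channel (<SHA256_FROM_TRUSTED_SOURCE>) before unpacking it.
wget http://dominia.org/djao/limit/mod_limitipconn-0.04.tar.gz
tar xzvf mod_limitipconn-0.04.tar.gz
# Chain the remaining steps: make must not run in the wrong directory if the
# cd fails, and nothing is installed unless the build succeeded.
cd mod_limitipconn-0.04 &&
  make &&
  make install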
                                               &   / . " %6             ; )&
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
AddModule mod_limitipconn.c

<IfModule mod_limitipconn.c>
  <Location /somewhere>
     MaxConnPerIP 3
     # exempting images from the connection limit is often a good
     # idea if your web page has lots of inline images, since these
     # pages often generate a flurry of concurrent image requests
     NoIPLimit image/*
  </Location>

  <Location /mp3>
     MaxConnPerIP 1
     # In this case, all MIME types other than audio/mpeg and video*
     # are exempt from the limit check
     OnlyIPLimit audio/mpeg video
  </Location>
</IfModule>
                http://dominia.org/djao/limitipconn.html 5, 6 > T ) I %
                                                              & $1 a          R
mod_actions
  This module provides for executing CGI scripts based on media type or
request method.
mod_alias
  Provides for mapping different parts of the host filesystem in the
document tree and for URL redirection
mod_asis
  Sends files that contain their own HTTP headers
mod_auth_basic
  Basic authentication
mod_auth_digest
  User authentication using MD5 Digest Authentication.
mod_authn_alias
  Provides the ability to create extended authentication providers based on
actual providers
mod_authn_anon
  Allows "anonymous" user access to authenticated areas
mod_authn_dbd
  User authentication using an SQL database
mod_authn_dbm
  User authentication using DBM files
mod_authn_default
  Authentication fallback module
mod_authn_file
  User authentication using text files
mod_authnz_ldap
  Allows an LDAP directory to be used to store the database for HTTP
Basic authentication.
mod_authz_dbm
  Group authorization using DBM files
mod_authz_default
  Authorization fallback module
mod_authz_groupfile
  Group authorization using plaintext files
mod_authz_host
  Group authorizations based on host (name or IP address)
mod_authz_owner
  Authorization based on file ownership
mod_authz_user
  User Authorization
mod_autoindex
  Generates directory indexes, automatically, similar to the Unix ls
command or the Win32 dir shell command
mod_cache
  Content cache keyed to URIs.
mod_cern_meta
  CERN httpd metafile semantics
mod_cgi
  Execution of CGI scripts
mod_cgid
  Execution of CGI scripts using an external CGI daemon
mod_charset_lite
  Specify character set translation or recoding
mod_dav
  Distributed Authoring and Versioning (WebDAV) functionality
mod_dav_fs
  filesystem provider for mod_dav
mod_dav_lock
  generic locking module for mod_dav
mod_dbd
  Manages SQL database connections
mod_deflate
  Compress content before it is delivered to the client
mod_dir
   Provides for "trailing slash" redirects and serving directory index files
mod_disk_cache
   Content cache storage manager keyed to URIs
mod_dumpio
   Dumps all I/O to error log as desired.
mod_echo
   A simple echo server to illustrate protocol modules
mod_env
   Modifies the environment which is passed to CGI scripts and SSI pages
mod_example
   Illustrates the Apache module API
mod_expires
   Generation of Expires and Cache-Control HTTP headers according to
user-specified criteria
mod_ext_filter
   Pass the response body through an external program before delivery to the
client
mod_file_cache
   Caches a static list of files in memory
mod_filter
   Context-sensitive smart filter configuration module
mod_headers
   Customization of HTTP request and response headers
mod_ident
   RFC 1413 ident lookups
mod_imagemap
   Server-side imagemap processing
mod_include
   Server-parsed html documents (Server Side Includes)
mod_info
   Provides a comprehensive overview of the server configuration
mod_isapi
   ISAPI Extensions within Apache for Windows
mod_ldap
   LDAP connection pooling and result caching services for use by other
LDAP modules
mod_log_config
   Logging of the requests made to the server
mod_log_forensic
   Forensic Logging of the requests made to the server
mod_logio
   Logging of input and output bytes per request
mod_mem_cache
   Content cache keyed to URIs
mod_mime
   Associates the requested filename's extensions with the file's behavior
(handlers and filters) and content (mime-type, language, character set and
encoding)
mod_mime_magic
   Determines the MIME type of a file by looking at a few bytes of its
contents
mod_negotiation
   Provides for content negotiation
mod_nw_ssl
   Enable SSL encryption for NetWare
mod_proxy
   HTTP/1.1 proxy/gateway server
mod_proxy_ajp
   AJP support module for mod_proxy
mod_proxy_balancer
   mod_proxy extension for load balancing
mod_proxy_connect
   mod_proxy extension for CONNECT request handling
mod_proxy_ftp
   FTP support module for mod_proxy
mod_proxy_http
   HTTP support module for mod_proxy
mod_proxy_scgi
   SCGI gateway module for mod_proxy
mod_reqtimeout
   Set timeout and minimum data rate for receiving requests
mod_rewrite
   Provides a rule-based rewriting engine to rewrite requested URLs on the
fly
mod_setenvif
   Allows the setting of environment variables based on characteristics of the
request
mod_so
   Loading of executable code and modules into the server at start-up or
restart time
mod_speling
  Attempts to correct mistaken URLs that users might have entered by
ignoring capitalization and by allowing up to one misspelling
mod_ssl
  Strong cryptography using the Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) protocols
mod_status
  Provides information on server activity and performance
mod_substitute
  Perform search and replace operations on response bodies
mod_suexec
  Allows CGI scripts to run as a specified user and Group
mod_unique_id
  Provides an environment variable with a unique identifier for each request
mod_userdir
  User-specific directories
mod_usertrack
  Clickstream logging of user activity on a site
mod_version
  Version dependent configuration
mod_vhost_alias
  Provides for dynamically configured mass virtual hosting
                                                 -%      - % 45    % '% >
RLimitMEM bytes|max [bytes|max]
RLimitNPROC number|max [number|max]
RLimitCPU seconds|max [seconds|max]

                                                            mod_rewrite* +

      G   / redirect ^ C5<    C5< ] F % & 5' %        & 5' % D      '       N 1 a N           '
               G% ,   #   > dos / ddos6 8 K - & L E &
                                                   3       #        ! D     '        %
                                                                                    .RN $

                                                                            B SSH %       -

                   J / *+     - 5 %    % C*+ 6        ? % nano &%       '   %       F,    -

yum install nano

                                  J / - %        F,                 #           6    ; ). "3-
nano /etc/httpd/conf/httpd.conf

                                  Ctrl+w ) \ 5 3 & ] J /          \5 3        - %       . "N      %4-

LoadModule rewrite_module modules/mod_rewrite.so

                                   )% B     Z1 <" )] `J / m              :%             N 1       % L

AllowOverride none

                                                                     J$            4) -

AllowOverride All

                              :J / &-           ~% \                # 1K:                 )       '5-

service httpd restart

                                                       J ' 1 <"    ' - D &                N        F

                                           $%           %     - %             '-       .htaccess . "

Options +FollowSymLinks
RewriteEngine On

                                                                                   .          )        '



                                                                    • •• • • • •••••••••
                                                                    ••      • • •••••••••
                                                                    • •• • •5, •••••••••••

                                                                    mod_proxy

Links :
-------
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreverse
http://apache.webthing.com/mod_proxy_html/ -->
http://www.apachetutor.org/admin/reverseproxies

Modules :
---------
yum install httpd-devel
yum install libxml2-devel

Configuration:
--------------
cp proxy_html.conf /etc/httpd/conf/
vim /etc/httpd/conf/httpd.conf

LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
Include conf/proxy_html.conf

(
Also Check   :
LoadModule   proxy_module modules/mod_proxy.so
LoadModule   proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule   proxy_http_module modules/mod_proxy_http.so
LoadModule   proxy_connect_module modules/mod_proxy_connect.so
)

Vhost :
-------
Example :

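# Example virtual host serving mod_python and mod_perl content.
# NOTE(review): several settings below are development conveniences that
# conflict with the hardening advice elsewhere in this document; they are
# kept as the example gives them and flagged where they occur.
<VirtualHost 208.109.169.70:80>
    ServerAdmin "webmaster@upframr.com"
    ServerName upframr.com
    ServerAlias www.upframr.com
    MIMEMagicFile /dev/null
    # The quoted log format has to stay on a single line; it was wrapped
    # in the middle of the string.
    CustomLog logs/upframr.com_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    ErrorLog logs/upframr.com_error_log

    DocumentRoot "/home/admin2/public_html"
    <Directory "/home/admin2/public_html">
        # NOTE(review): +Indexes enables directory listings, and
        # AllowOverride All lets any .htaccess file under this tree change
        # the configuration; the hardening section of this document
        # recommends "Options -Indexes" and "AllowOverride None".
        Options +Indexes +FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride All
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
        # NOTE(review): PythonDebug On returns Python tracebacks to the
        # client; that is a development setting and should be Off on a
        # public host.
        PythonDebug On
    </Directory>

    Alias /mod_perl "/home/admin2/public_html/mod_perl"
    <Directory "/home/admin2/public_html/mod_perl">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
    </Directory>

    # Status page for the embedded Perl interpreter, denied by default.
    # NOTE(review): access is granted by host name, which depends on DNS
    # lookups for the client address; an explicit admin address is easier
    # to reason about.
    <Location /perl-status>
        SetHandler perl-script
        PerlResponseHandler Apache::Status
        Order deny,allow
        Deny from all
        Allow from upframr.com
    </Location>

    ScriptAlias /cgi-bin "/home/admin2/public_html/cgi-bin"
    # NOTE(review): the traffic statistics under /usage are readable by
    # everyone ("Allow from all" in both blocks below); restrict them to
    # administrators if the reports are not meant to be public.
    Alias /usage /var/www/stats/upframr.com
    <Directory /var/www/stats/upframr.com>
        Order allow,deny
        Allow from all
    </Directory>

    <Location /usage>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>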
                      010101010100000000101010101011111101

                                                                                               % 'N & $

                  Technical Reference: Apache 2.0 DMZ Secure Server Install

Overview

This document is a guide to installing and hardening an Apache 2.0 web server to common security
standards. It will guide you through practical measures to harden your Apache server, by way of example.




Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to
attack. Therefore, it’s vital that you follow this guide to ensure that:




    1)   The opportunity to compromise the web server is limited

    2)   Should the web server be compromised, the damage potential to the rest of the network, data, and
         systems is limited.

1. Prepare the host operating system



         1.1 Install and secure the host operating system.



         Follow the hardening guidelines from the Center for Internet Security. Hardening the host O/S
         ensures that, should someone compromise the security of your web server, the amount of damage
         that they could inflict will be minimized.




         1.2 Create the directories to hold the Apache files
It’s important to separate the binaries /bin, docs (/htdocs), and logs (/logs) into separate
partitions on the system. You can choose whatever root you want, but this example will use
/opt/apache2 as the root directory for the Apache web server.




1.3 Create the host groups for administering and running the server.




Create a distinct group for all the users who will have permission to change the configuration,
start, and stop the web server. For example, if you want to call the group “webadmin”, create it
like this:




         # groupadd webadmin




Create a distinct group for the web server user – no one will actually log into this group, but it will
only be used to hold the userid which will run the web server. For example, if you want to call
that group “webserv”, create it like this:




         # groupadd webserv




Take note that you should not create a “web developer” group on this host. Since this is a
hardened production host you must not provide web developers login accounts on this system.
Instead, developers should deploy documents and code to the server using your code/content
deployment system, such as Kintana’s Apps*Integrity.




1.4 Create an unprivileged host user id to run the server.



Never run the web server as root; if the web server is ever compromised, the attacker will have
complete control over the system. Instead, the best way to reduce your exposure to attack when
running a web server is to create a unique, unprivileged userid and group for the server application. The
userid nobody is often used for this purpose, but a userid and group that are unique to the web
server is a more secure solution.



                !                                                                        "     #
                                                        $ %         &                  '       (


)
                   *     +      ,                               "         #                -

     # useradd -d /opt/apache2/htdocs -g webserv -c "Web
     Server" webserv

1.5 Lock down the web server account



It’s important that no one can successfully execute a password guessing attack against this
account, so in this step, we’ll restrict this account so that no one can log into it.




         1.5.1 Issue this command to lock the password for the web server account:




                  # passwd -l webserv




                  Password changed.




                  # grep webserv /etc/shadow




         … a ! at the start of the password field (the line begins webserv:!) indicates that the password is locked.




         1.5.3 Issue this command to remove the shell for this account:




                  # usermod -s /bin/false webserv




         1.5.4 To be sure the account is locked, issue the command:
                           # grep webserv /etc/passwd




                           … /bin/false at the end of the line indicates that the shell is set to a program that
                           exits immediately, so the account cannot get an interactive shell.




                  1.5.5 Test the web server account to be sure you can’t log in. Issue this command to try to
                  log in:




                           > login webserv




2. Download and verify Apache source code



By default, web servers return information about the product and version they are running in the Server
variable of the HTTP header. This information can be very useful to hackers, enabling them to target
attacks to that specific server. To prevent that information from being returned from the web server, this
step shows you how to modify that header and build your own copy of the web server.




Because web servers often host sensitive information, or allow users to log in with plain-text passwords,
it’s important to encrypt the HTTP traffic. Therefore, this section will show you how to configure mod_ssl
on your web server.




Note: Don’t build the web server on your production, hardened host. Build it on a staging or development
server (with identical O/S), and then copy it to your production host.




These steps will guide you through downloading Apache source code, validating it, compiling it, and
installing it. We don’t recommend use of pre-compiled or DSO versions. DSO versions may allow a
hacker to introduce new “features” without having to recompile the code.




If you intend to add other modules to your Apache web server installation, repeat the validation steps below
for each module you add.
2.1 Download the latest version of Apache 2.0



Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security
patches. You can download it from the Apache site.




From here, download four files:




1) The Apache source code itself, called something like httpd-2.0.45.tar.gz.

2) The PGP keys for the Apache signers: a file named “KEYS”

3) The PGP signature for this source distribution, called something like httpd-2.0.45.tar.gz.asc

4) The MD5 checksum for this source distribution, called something like httpd-2.0.45.tar.gz.md5




wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz

wget http://www.apache.org/dist/httpd/KEYS

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5




2.2 Verify PGP signature for the Apache source



To ensure that you have an authentic version from the Apache Group, and that it’s not been
tampered with (remember, there are many mirrors from which you can download the Apache
source), you should check the PGP signature. If you don’t have PGP installed on this server, you
can validate these files on another machine.




    a)   If you don’t already have them in your PGP keyring, import the public keys from the
         Apache Group into your keyring:
     ~> pgp -ka KEYS




b)   Check the PGP signature:




     ~> pgp httpd-2.0.45.tar.gz.asc




     … if the signature is correct, you should get something similar to this:




     -- CUT --

     File 'httpd-2.0.45.tar.gz.asc' has signature, but with no
     text.

     Text is assumed to be in file 'httpd-2.0.45.tar.gz'.

     Good signature from user "Justin R. Erenkrantz
     <justin@erenkrantz.com>".

     Signature made 2003/03/31 07:49 GMT




     WARNING: Because this public key is not certified with a
     trusted signature, it is not known with high confidence
     that this public key actually belongs to: "Justin R.
     Erenkrantz <justin@erenkrantz.com>".




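     The fact that it says, “Good Signature from…” is what we’re looking for here. The
     WARNING statement indicates that we’ve not verified this signature with a 3rd party,
     which is ok here. It does mean the result is only as trustworthy as the KEYS file, which
     was downloaded from the same site over plain HTTP; confirm the signer’s key fingerprint
     through an independent channel where you can.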
2.3 Verify the MD5 checksum for the Apache source.




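MD5 is a way to validate the integrity of the file itself, much more reliable than checksum and
similar methods. Normally, mismatches in the MD5 checksum from the Apache source are the
result of download errors or file corruption. A matching MD5 value fetched from the same site
only rules out accidental corruption, not tampering (MD5 is no longer collision-resistant), so
rely on the PGP signature from step 2.2 for authenticity. If you don’t have MD5 on your system, you can
download it from here.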




Compare the results of these two commands – visually inspect them to ensure they match (if they
don’t, download it again):




        ~> pwd

        /usr/local/build




        ~> cat httpd-2.0.45.tar.gz.md5

        MD5 (httpd-2.0.45.tar.gz) =
              1f33e9a2e2de06da190230fa72738d75




        ~> md5 httpd-2.0.45.tar.gz

        MD5 (httpd-2.0.45.tar.gz) =
              1f33e9a2e2de06da190230fa72738d75
        2.4 Extract the zipped Apache source file.




                 ~> pwd

                 /usr/local/build




                 ~> tar xvfz httpd-2.0.45.tar.gz




        This will create a new directory under your current one, named “httpd-2.0.45”.

3. Create SSL certificates



                                                                  !            "  #                $
                               %          &        ''                          $ $                '
    '    '                                      '   ( )                   "$                  *
                                  $        *    + #                   '                       %
    '                   ,




        3.1 Create a key and certificate request for your web server



        Using OpenSSL, the following command will create a 1024-bit private key (written to server.key)
        and generate a certificate signing request (CSR). You need to have the CSR signed by a
        Certificate Authority (CA) who can validate your identity. When prompted to input information,
        note the answers in bold print below. (Answer the prompts with the information relevant for your
        server, of course). A 1024-bit RSA key is below what current guidance and public CAs accept;
        use at least 2048 bits for a new key. Because -nodes writes the key unencrypted, keep
        server.key readable only by root.




        Note: If you provide a challenge password, you will be unable to start the web server unattended.
        We don’t recommend providing a challenge password, just leave it blank.




        ~> pwd
        /usr/local/build




        ~> openssl req -nodes -newkey rsa:1024 -keyout
        /usr/local/build/server.key -out /usr/local/build/server.crt




        Using configuration from /usr/share/ssl/openssl.cnf

        Generating a 1024 bit RSA private key

        ................++++++

        .......++++++

        writing new private key to 'server.key'

        -----

        You are about to be asked to enter information that will be
        incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

        There are quite a few fields but you can leave some blank

        For some fields there will be a default value,

        If you enter '.', the field will be left blank.

        -----

        Country Name (2 letter code) [AU]:US

        State or Province Name (full name) [Some-State]:NC

        Locality Name (eg, city) []:RTP

        Organization Name (eg, company):XianCo Systems, Inc.

        Organizational Unit Name (eg, section) []:InfoSec

        Common Name (eg, YOUR name) []:xianshield.xianco.com

        Email Address []:webmaster@xianshield.xianco.com




        Please enter the following 'extra' attributes
     to be sent with your certificate request

     A challenge password []: <blank>

     An optional company name []: <blank>




     Most importantly, make sure your “Common Name” above matches the DNS name of your
     server. The locale information is less important, but we think it’s best to use the locality of the
     server itself.




     3.2. Submit CSR for validation/signing by a CA.



-,                             ./          ' '          .%         $               '  '$
                                                                                       1
                                                                                       0
      $      $            $                                                       # $
                  .%          $       *                    '                $   *#
       '                .%        #
                                  *                       $               2   3 '  4 5"
   ,   $ $                                                     #.%            6
                                                                          ' ' 2
.%   $ 5




     Send your request for a certificate to the CA. Include your name, your web server (Apache, in this
     case) your OS, and of course, the .csr (certificate signing request).
3.3 Rename your certificate files

    The names aren’t important, they just have to match what’s in conf/ssl.conf. You will
    receive 2 files from the PKI team. The first file will be your server certificate (and will
    probably be named <server name>.cer), the 2nd file is the certificate chain. Here, we’ll
    rename them to fit what’s specified in conf/ssl.conf.




    mv "XianCo CA (01-03).cer" ca.crt

    mv xianshield.cer server.crt




3.4 Copy certificates to your server.
            Since you received these certs via email, and they’re now sitting on your laptop, we need to
            copy both server.crt and ca.crt to the server. We’ll copy them up to
            /usr/local/build. We’ll move them both to the appropriate locations under
            conf/ssl.conf later.




            scp *.crt xianshield:/usr/local/build/.




4. Configure and build the Apache Server



       In this section, we’ll configure Apache with SSL and mod_ldap support. As of Apache V2,
       these are both included modules, and don’t require a separate download.




       In order to customize Apache to the extent necessary, we need to download the source for
       the latest version of Apache. Once that’s complete, we’ll configure and test it.




       4.1 Alter the Apache version



       We want to remove/modify the default HTTP response header parameter for the “Server:” token to
       hide the identity of our web server. (You’d be surprised how many vulnerability scanners are
       looking for specific versions of Apache.) To do this, we must open a header file (httpd.h) prior
       to compiling the server. To do this, edit the ap_release.h file located in
       ${ApacheSrcDir}/include




       ~> pwd

       /usr/local/build/httpd-2.0.45/include




       ~> vi ap_release.h

       …
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"                         Change this…

#define AP_SERVER_BASEPRODUCT "Apache"                                          and this




These are the lines you want to change; change the quoted values (leave the macro names as they
are) to remove references to Apache. We’ll hide the actual version using the ServerTokens
directive in the httpd.conf file.




Example:




#define AP_SERVER_BASEVENDOR              "Network Services"

#define AP_SERVER_BASEPRODUCT             "Networks, Inc."




4.2 Configure Apache software for compilation



There are a few standard modules that should be disabled when you set up the Apache web
server.

Modules to disable

Generally, the following modules make it easier to configure/support your web server but also
give too much information to attackers. We recommend that you disable the following default
modules for your production server:




    info: gives out too much information about your web server to potential attackers.

    status: gives out server stats via web pages

    autoindex: provides directory listings when no index.html file is present

    imap: provides server-side mapping of index files

    include: provides server-side includes (.shtml files)

    userdir: translates URLs to user-specific directories

    auth: you won’ t need it – you’ ll set up authentication against LDAP via mod_ldap
Modules to enable

Here are two modules that will provide strong authentication and encryption for your web server.
If you have any protected content on your web server, it’ s important that you only allow your
users to access it over SSL, otherwise your user passwords will be sent in clear text, subject to
snooping.




    ssl: Encrypts the traffic from the browser to the web server – an important means of
    protecting login passwords and sensitive data.

    auth_ldap: Allows you to validate passwords against ldap.xianco.com or other LDAP.

A word about LDAP authentication

It’ s important that you don’ t set up your own userid/password store, since it propagates passwords
into insecure locations. Instead, you should modify your configuration to defer authentication to a
central store, such as a centrally maintained LDAP. To authenticate against an LDAP store, you
need to compile Apache with support. In order to use mod_ldap, you’ ll need LDAP libraries
installed on your system. You can use OpenLDAP or Netscape Directory SDK for the LDAP
client libraries.

Configuration commands

Here’ s how to configure Apache with these options:




~> pwd




/usr/local/build/httpd-2.0.45




~> sudo ./configure --prefix=/opt/apache2 \

--enable-so \

--enable-ssl \

--with-ldap \

--enable-ldap \

--enable-auth-ldap \

--disable-info \
--disable-status \

--disable-autoindex \

--disable-imap \

--disable-include \

--disable-userdir \

--disable-auth




checking for chosen layout... Apache

checking for working mkdir -p... yes

checking build system type... sparc64-unknown-linux-gnu

checking host system type... sparc64-unknown-linux-gnu

checking target system type... sparc64-unknown-linux-gnu




Configuring Apache Portable Runtime library ...

…




4.3 Compile the Apache server
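         Now that the software is validated and configured, it’s time to compile it. Since you won’t have a
         compiler on your production host, we’ll compile and install it on a separate server, then
         tar/compress it and scp it to your production host. You’ll need to run make using “sudo” so that
         Apache knows it can use ports < 1000. (Note: the ability to bind low ports comes from the
         privileges httpd is started with, not from how it was built, so root is not strictly required
         for compiling; if you prefer to build unprivileged, run configure as that same user as well.)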




                  ~> pwd

                  /usr/local/build/httpd-2.0.45




                  ~> sudo make

                  ===> src

                  make[1]: Entering directory `/usr/local/build/httpd-2.0.45'

make[2]: Entering directory `/usr/local/build/httpd-2.0.45/src'

                  ===> src/regex

                  sh ./mkh           -p regcomp.c >regcomp.ih

                  …




         4.4 Install the Apache server

         If you have followed our instructions for securing the host, you will have to unpack the
         distribution and compile it on a separate host. To make your server more secure, use a
         separate disk partition for your web content. Create a unique mount point for this
         directory -- htdocs is a good name to use, but make it somewhere outside the
         ServerRoot directory. You'll need to update /etc/vfstab to mount this partition as
         part of your server's startup process.

         .
         !                                                                '              (
                                                                      (
                   !             (                      (                        +
              (                      /


0   +                        1                      "       #




                  ~> pwd
                  /usr/local/build/httpd-2.0.45




                  ~> sudo make install

                  ===> [mktree: Creating Apache installation tree]

                  ./src/helpers/mkdir.sh /opt/apache2/bin

                  ./src/helpers/mkdir.sh /opt/apache2/libexec

                  ./src/helpers/mkdir.sh /opt/apache2/man/man1

                  ./src/helpers/mkdir.sh /opt/apache2/man/man8

                  ./src/helpers/mkdir.sh /opt/apache2/conf

                  ..

5. Install SSL certificates

Now that the server is installed, we need to copy certificate key, server certificate, and CA chain to
Apache’ s configuration directory.




         5.1 Set up the Apache certificate directories



         ~> pwd

         /opt/apache2/conf




         ~> sudo mkdir ssl.crt ssl.key




         5.2 Copy the certificate and key to the SSL configuration directory



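         ~> sudo cp /usr/local/build/server.crt ./ssl.crt/.

         ~> sudo cp /usr/local/build/ca.crt ./ssl.crt/.

         ~> sudo cp /usr/local/build/server.key ./ssl.key/.

         (The ca.crt copy is the CA chain mentioned above; ssl.conf in section 6.2 points
         SSLCertificateChainFile at ssl.crt/ca.crt.)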
6. Configure the Apache server



Configure the file permissions and runtime settings of the Apache server. It’ s important that you place
your htdocs, cgi-bin, and logs directories on separately mounted filesystems.




         6.1 Configure httpd.conf



         Set the following in your httpd.conf file. You can also download an example httpd.conf with
         these settings here.




         Directive and setting                                            Description/rationale
         ServerSignature Off                                              Prevents server from giving
                                                                          version info on error pages.
         ServerTokens Prod                                                Prevents server from giving
                                                                          version info in HTTP
                                                                          headers
         Listen 80 (remove)                                               Remove the “ Listen”
                                                                          directive – we’ ll set this
                                                                          directive only in ssl.conf, so
                                                                          that it will only be available
                                                                          over https.
         User webserv (or whatever you created in                         Ensure that the child
         step 2 above)                                                    processes run as
                                                                          unprivileged user
         Group webserv (or whatever you created in                        Ensure that the child
         step 2 above)                                                    processes run as
                                                                          unprivileged group
         ErrorDocument 404 errors/404.html                                To further obfuscate the
                                                                          web server and version, this
         ErrorDocument 500 errors/500.html                                will redirect to a page that
                                                                          you should create, rather
         etc.                                                             than using the default
                                                                          Apache pages.
         ServerAdmin <hostname>-                                          Use a mail alias – never use
         webmaster@xianco.com                                             a person’ s email address
                                                                          here.
         UserDir disabled root                                            Remove the UserDir line,
                                                                          since we disabled this
                                                                          module. If you do enable
                                                                          user directories, you’ ll need
                                                                          this line to protect root’ s
                                                                          files.
<Directory />                                            Deny access to the root file
                                                         system.
    Order Deny,Allow

    deny from all

</Directory>
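<Directory "/opt/apache2/htdocs">                        LimitExcept prevents
                                                         TRACE from allowing
  <LimitExcept GET POST>                                 attackers to find a path
                                                         through cache or proxy
     deny from all                                       servers. (The Apache
                                                         documentation states that
  </LimitExcept>                                         TRACE cannot be limited by
                                                         Limit/LimitExcept; confirm
                                                         with a test request and see
                                                         the TraceEnable directive in
                                                         versions that provide it.)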

                                                         The “ -“ before any directive
                                                         disables that option.
Options -FollowSymLinks -Includes -Indexes -MultiViews

  AllowOverride None
                                                         FollowSymLinks allows
  Order allow,deny                                       a user to navigate outside
                                                         the doc tree, and Indexes
                                                         will reveal the contents of
  Allow from all
                                                         any directory in your doc
                                                         tree.
</Directory>



                                                         Includes allows .shtml
                                                         pages, which use server-side
                                                         includes (potentially
                                                         allowing access to the
                                                         host). If you really need
                                                         SSI, use IncludesNoExec
                                                         instead.




                                                         AllowOverride None
                                                         will prevent developers
                                                         from overriding these
                                                         specifications in other parts
                                                         of the doc tree.
AddIcon (remove)                                                 Remove all
                                                                 references to these
IndexOptions (remove)                                            directives, since
                                                                 we disabled the
                                                                 fancy indexing
AddDescription (remove)
                                                                 module.
ReadmeName (remove)

HeaderName (remove)

IndexIgnore (remove)
Alias /manual (remove)                                           Don’t provide any
                                                                 accessible
                                                                 references to the
                                                                 Apache manual, it
                                                                 gives attackers too
                                                                 much info about
                                                                 your server.




You should familiarize yourself with the following parameters. Unless you are running a high-
volume web site, you can safely leave the settings at their default values. If you are running a
high-volume web site, you’ ll want to adjust these directives upward to better withstand denial-of-
service attacks.




     StartServers

     MinSpareServers

     MaxSpareServers

     Timeout

     Keepalive

     MaxKeepAliveRequests

     KeepAliveTimeout

     MaxClients

     MaxRequestsPerChild




6.2 Configure ssl.conf
     Set the following in your ssl.conf file. You can also download an example ssl.conf with
     these settings here.




     Directive and setting                                              Description/rationale
     SSLCertificateChainFile                                            (Find this line and
     /opt/apache2/conf/ssl.crt/ca.crt                                   uncomment it). This points
                                                                        to the Certificate Authority
                                                                        file for your chained
                                                                        certificate.




     6.3 Remove default Apache files



"#                   *                                           7
                                                                ."             2       *           %
    5   $                                  *        #          ' '                     '               $
  * 6 #              $                               ,          '
8       $           $        *      $       '$




     ~> sudo rm -fr /opt/apache2/htdocs/*

     ~> sudo rm -fr /opt/apache2/cgi-bin/*

     ~> sudo rm -fr /opt/apache2/icons




     To test that your web server is running, you can now place this file in your htdocs directory – it’ s
     just a simple index.html file. Make sure you set the permissions to world-readable.




     6.4 Set directory and file permissions for the server



     To protect the directories on your server, it’ s important that you protect the directories
     themselves.




         bin is where the executable portion of the Apache web server is. It should be
         readable/executable only by members of the webadmin group, but only writable by root.
         (Mode 770 as shown also lets the group write; 750 is the mode that matches this description.)
    ~> sudo chown -R root:webadmin /opt/apache2/bin

    ~> sudo chmod -R 770 /opt/apache2/bin




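 conf is where your web server configuration files are and needs to be read/writable only by
the webadmin group. Note that this recursive change also covers conf/ssl.key, so every member of
webadmin can read the server’s private key; tighten that directory separately if that is not
intended.




    ~> sudo chown -R root:webadmin /opt/apache2/conf

    ~> sudo chmod -R 770 /opt/apache2/conf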




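logs is where your access and error logs will go. It should be readable only by the webadmin
group. (Mode 755 as shown makes the logs readable by every local user; 750 is the mode that
matches this description.)




    ~> sudo chown -R root:webadmin /opt/apache2/logs

    ~> sudo chmod -R 755 /opt/apache2/logs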




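 htdocs is where your HTML files are and needs to be world readable, but writable only by
root (you should copy content in from a staging server). (Mode 775 as shown also leaves the
files writable by their group; 755 is the mode that matches “writable only by root”.)




    ~> sudo chown -R root /opt/apache2/htdocs

    ~> sudo chmod -R 775 /opt/apache2/htdocs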




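cgi-bin is where your executable scripts are and needs to be world read/executable, but
writable only by root (you should copy content in from a staging server). (Mode 775 as shown
also leaves the scripts writable by their group; 755 is the mode that matches “writable only by
root”.)




    ~> sudo chown -R root /opt/apache2/cgi-bin

    ~> sudo chmod -R 775 /opt/apache2/cgi-bin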
7. Make final configuration and start server

Lastly, we need to modify the startup configuration for Apache and restart the server.




         7.1 Modify Apache startup script so that it will notify you when it’s restarted.



%                                                 $                                      *
     $         #




         Open /opt/apache2/bin/apachectl and add something like this to the file:




         tail /opt/apache2/logs/error_log |

         /bin/mail -s 'Apache web server has restarted' <hostname>-webmaster@xianco.com




         7.2 Test your configuration by starting the server




         sudo /opt/apache2/bin/apachectl startssl




         7.3 Keep your web server patched



.      $              %                            '




         Apache web server: http://nagoya.apache.org/dist/httpd/patches/




         OpenSSL: http://www.openssl.org/source
         OpenLDAP: http://www.openldap.org/




8. Configure authentication against an LDAP directory.



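In this final section, we’ll configure the Apache httpd.conf file so that resources are authenticated against
an LDAP server. This step really can’t be run until you’ve installed the web server. Once you’ve got your
web server installed, just add the LDAP authentication directives to any directory (or httpd.conf file) where
you want password protection with CEC credentials. Because Basic authentication sends the password with
every request, protect such locations only on the SSL-enabled server, and note that the ldap:// URL on
port 389 in the example carries the lookup to the directory unencrypted. Here’s an example of protecting a
directory named “Internal”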




<Location "/internal">

       AuthName CEC

       AuthType Basic

       AuthLDAPURL ldap://ldap.xianco.com:389/ou=employees,ou=people,o=xianco.com?uid?sub?(objectclass=xiancoPerson)

       require valid-user

</Location>




                                                                                      httpd % /E 7 >
#!/bin/bash
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
#
# httpd      Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: The Apache HTTP Server is an efficient and extensible \
#         server implementing the current HTTP standards.
# processname: httpd
# pidfile: /var/log/httpd/httpd.pid
# config: /etc/sysconfig/httpd
#
### BEGIN INIT INFO
# Provides: httpd
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network
# Should-Start: distcache
# Short-Description: start and stop Apache HTTP Server
# Description: The Apache HTTP Server is an extensible server
# implementing the current HTTP standards.
### END INIT INFO

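# Source function library.
. /etc/rc.d/init.d/functions

# Optional site overrides. This file is executed as shell code with the
# privileges of whoever runs this init script, so it should be writable
# only by root.
if [ -f /etc/sysconfig/httpd ]; then
    . /etc/sysconfig/httpd
fi

# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.

# Each setting below falls back to its default only when the corresponding
# upper-case variable (HTTPD, PIDFILE, LOCKFILE) is unset.
httpd=${HTTPD-/usr/sbin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/log/httpd/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
# Exit status of the whole script; the action handlers overwrite it.
RETVAL=0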

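# check for 1.3 configuration
#
# Scans the main configuration file for directives that this script treats
# as Apache 1.3-only. If any line starts (after optional whitespace) with
# one of them, a message is printed to stderr, the init library's
# "failure" helper is called, and the script exits with status 1.
# Globals:   none written (CONFFILE and GONE are local to the function)
# Arguments: none
# Returns:   0 when no such directive is found; does not return otherwise
check13 () {
    local CONFFILE=/etc/httpd/conf/httpd.conf
    local GONE
    # The alternation is built in three pieces only to keep lines short;
    # it must end up as ONE line, because grep treats a newline inside
    # the pattern as a separator between independent patterns.
    GONE="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
    GONE="${GONE}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
    GONE="${GONE}AccessConfig|ResourceConfig)"
    if grep -Eiq "^[[:space:]]*($GONE)" "$CONFFILE"; then
        echo
        echo 1>&2 " Apache 1.3 configuration directives found"
        echo 1>&2 " please read @docdir@/migration.html"
        failure "Apache 1.3 config directives test"
        echo
        exit 1
    fi
}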

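# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.

# Start the server through the init library's "daemon" helper.
# Globals:   prog, httpd, pidfile, lockfile, HTTPD_LANG, OPTIONS (read),
#            RETVAL (written)
# Arguments: none
# Returns:   the exit status of the daemon call; the lock file is created
#            only when that status is 0
start() {
    echo -n $"Starting $prog: "
    check13 || exit 1
    # The daemon call and its options must stay on one command line:
    # otherwise $OPTIONS is executed as a command of its own and RETVAL
    # records that command's status instead of the server's.
    # $OPTIONS is left unquoted on purpose so that it splits into
    # separate arguments.
    LANG=$HTTPD_LANG daemon --pidfile="${pidfile}" $httpd $OPTIONS
    RETVAL=$?
    echo
    [ "$RETVAL" = 0 ] && touch "${lockfile}"
    return $RETVAL
}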
# Stop the server through the init library's "killproc" helper.
# Globals:   prog, httpd, pidfile, lockfile (read), RETVAL (written)
# Arguments: none
# Returns:   1 when killproc reported a non-zero status (RETVAL keeps the
#            real code); otherwise the status of removing the lock and
#            pid files
stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} $httpd
    RETVAL=$?
    echo
    # Leave the lock and pid files in place unless the server really stopped.
    if [ $RETVAL != 0 ]; then
        return 1
    fi
    rm -f ${lockfile} ${pidfile}
}
# Ask the running server to reload by sending it HUP via "killproc".
# Globals:   prog, httpd, pidfile (read), RETVAL (written)
# Arguments: none
# Returns:   the status of the final echo; the signal's outcome is
#            reported through RETVAL
reload() {
    echo -n $"Reloading $prog: "
    # Refuse to signal the server when the configuration check fails.
    if ! check13; then
        exit 1
    fi
    killproc -p ${pidfile} $httpd -HUP
    RETVAL=$?
    echo
}

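# See how we were called.
#
# Dispatch on the first command-line argument. Each arm leaves its result
# in RETVAL, which becomes the exit status of the script; an unrecognised
# argument prints the usage line and exits with status 1.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        # Without a pid file there is nothing to query: report "stopped"
        # with status 3 instead of calling the library's status helper.
        if ! test -f "${pidfile}"; then
            echo $prog is stopped
            RETVAL=3
        else
            # The pid file must be passed as ${pidfile}; writing it as
            # {$pidfile} hands status a path wrapped in literal braces.
            status -p "${pidfile}" $httpd
            RETVAL=$?
        fi
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        # Restart only when a pid file exists and the server is running.
        if test -f "${pidfile}" && status -p "${pidfile}" $httpd >&/dev/null; then
            stop
            start
        fi
        ;;
    reload)
        reload
        ;;
    configtest)
        # $OPTIONS is left unquoted on purpose so that it splits into
        # separate arguments.
        LANG=$HTTPD_LANG $httpd $OPTIONS -t
        RETVAL=$?
        ;;
    graceful)
        echo -n $"Gracefully restarting $prog: "
        # "$@" forwards the script's own arguments (here "graceful") to
        # httpd -k without further word splitting or globbing.
        LANG=$HTTPD_LANG $httpd $OPTIONS -k "$@"
        RETVAL=$?
        echo
        ;;
    *)
        # "help" is advertised in the usage line but has no arm of its
        # own in this script, so it also ends up here.
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|graceful|help|configtest}"
        exit 1
        ;;
esac

exit $RETVAL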

                                         www.linuxtalk.ir , www.httpd.apache.org O
   $               #                     '% N       + : B        % 'm %     R N     '
 & $ . 1 5'W             )$ 5        N    H' G% %% 3 @           / . " %        $ 5
          G            &%    '<                 ,   V rK cpanel,directadmin           &   )
   5          '     1 a *+                  #           %    N        5C        5 :R          %
                   G B      5" L         %45 %               '^      EF     -     5CR] %%
   N $        ^-         - 5 ' 5K ]              BJ;)       5B N /         -N 5 ' % R N
       G $%X !L                    6 $ C5B N J,              ' % %&% - & $ C5B        Y      %
                                                                                            .R
                                                                                 N U C)
                                                                            +989198480676
     info@ghorbani.us

GGG B $   5E ' R N
               2F

								