Academic year: 2021

WebServer

A web server answers HTTP requests that arrive over TCP/IP; clients address it with URLs of the form http://host/path.

Common web servers are Apache, LightHttpd, Litespeed and Nginx. The Apache source package can be fetched with wget from the download page at http://httpd.apache.org/download.cgi.

Installing Apache from source:

wget http://apache.multihomed.net//httpd/httpd-2.2.16.tar.gz
tar -xvf httpd-2.2.16.tar.gz
./configure
make
make install

Installing Nginx: connect over SSH, stop the running httpd, then download and unpack the Nginx source:

service httpd stop
wget http://nginx.org/download/nginx-0.8.33.tar.gz
tar -zxf nginx-0.8.33.tar.gz
cd nginx-0.8.33

Run ./configure with the module options listed in the original:

select_module poll_module http_charset_module http_gzip_module
http_ssi_module http_userid_module
http_access_module http_auth_basic_module http_autoindex_module http_geo_module http_map_module http_referer_module http_rewrite_module http_fastcgi_module
http_memcached_module http_limit_zone_module http_limit_req_module http_empty_gif_module
http_browser_module http_upstream_ip_hash_module mail_pop3_module mail_imap_module
--without-mail_smtp_module --without-pcre --with-openssl=/usr/lib/openssl --with-ipv6

Then build and install:

make
make install

Installing LiteSpeed:

wget http://litespeedtech.com/packages/3.0/lsws-3.0.1-std-i386-linux.tar.gz
tar -xvzf lsws-3.0.1-std-i386-linux.tar.gz
cd lsws-3.0.1
./install.sh

The remaining steps in the original cover adding PHP and MySQL support to the installed server.

Layout of /etc/httpd: it contains the directories conf and conf.d and the symbolic links modules, logs and run. A symbolic link is a pointer to a path elsewhere on the filesystem; modules, for example, points to /usr/lib/httpd/modules. The conf directory holds httpd.conf and magic. conf.d holds the per-module configuration files, among them manual.conf, which makes the Apache manual (the equivalent of the man command) available at http://ip/manual.

The manual itself lives under /var/www/manual. php.conf loads the PHP module (a .so file) with a LoadModule line and adds index.php to DirectoryIndex so that PHP index pages are served.

perl.conf loads the Perl module. proxy_ajp.conf loads mod_proxy_ajp.so, which is used for proxying to a Tomcat AJP/1.3 backend server. python.conf loads the Python module.

README describes the contents of conf.d. squid.conf configures squid as a cache server. ssl.conf holds the SSL configuration and can be viewed with:

cat /etc/httpd/conf.d/ssl.conf | less

welcome.conf serves the default page /var/www/error/noindex.html when a site has no index page of its own. webalizer.conf configures webalizer, the web log analyzer. /etc/httpd/conf holds httpd.conf and magic; magic contains file signatures (for example for gif images) that the server uses to determine a file's type when the extension does not say.

httpd.conf is the main configuration file. Open it with nano:

nano /etc/httpd/conf/httpd.conf

In nano, Ctrl+W searches for a directive and Ctrl+X exits (answer Y and press Enter to save).

ServerTokens controls how much version information the server reveals in the Server response header, for example whether subcomponents such as loaded modules are listed.

ServerRoot "/etc/httpd" is the base directory under which conf and logs are found.

Timeout 120 is the number of seconds the server waits on a request before timing out.

KeepAlive Off disables persistent connections; with KeepAlive On a client can send several requests over one connection.

MaxKeepAliveRequests 100 limits the number of requests served on one persistent connection.

KeepAliveTimeout 15 is how many seconds the server waits for the next request on a persistent connection.

The Multi-Processing Modules (MPMs) are configured in <IfModule prefork.c> ... </IfModule> blocks; the default MPM is prefork.

prefork directives:

StartServers: number of child server processes created at startup.
MinSpareServers: minimum number of idle child processes kept ready.
MaxSpareServers: maximum number of idle child processes kept ready.
ServerLimit: upper limit on the value of MaxClients.
MaxClients: maximum number of simultaneous client connections.
MaxRequestsPerChild: number of requests a child process serves before it is replaced.

The worker MPM is both multi-process and multi-threaded: each child process runs several threads, and each thread serves one connection. Its directives:

StartServers: number of child processes created at startup.
MaxClients: maximum number of simultaneous client connections.
MinSpareThreads: minimum number of idle threads kept ready.
MaxSpareThreads: maximum number of idle threads kept ready.
ThreadsPerChild: number of threads in each child process.
MaxRequestsPerChild: number of requests a child process serves before it is replaced.

The difference between the two MPMs: prefork serves every connection from a separate process with no threads, while worker serves connections from threads inside a smaller number of processes.

Listen sets the address and port the server accepts connections on, either a specific address or every address:

Listen 12.34.56.78:80
Listen 80

Dynamic Shared Object (DSO) Support: modules, PHP (or suPHP) among them, are compiled as .so files and loaded with LoadModule lines, for example:

LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule asis_module modules/mod_asis.so

mod_asis sends files as-is, including the HTTP headers they contain.

mod_cern_meta: Emulate the CERN HTTPD Meta file semantics. Meta files are HTTP headers that can be output in addition to the normal range of headers for each file accessed. They appear rather like the Apache .asis files, and are able to provide a crude way of influencing the Expires: header, as well as providing other curiosities. There are many ways to manage meta information; this one was chosen because there is already a large number of CERN users who can exploit this module (CERN httpd metafile semantics).

Include conf.d/*.conf pulls in every .conf file under /etc/httpd/conf.d, so the per-module files described above (and the LoadModule lines they contain) become part of the configuration.

ExtendedStatus On: when set to On, the server-status page generated by mod_status shows full per-request details instead of a summary.

The default is Off.

User apache
Group apache

The user and group the server's child processes run as; by default both are apache.

Main server configuration: the directives in this section set the defaults for the main server.

All of these directives may appear inside <VirtualHost> containers, in which case these default settings will be overridden for the virtual host being defined.

A <VirtualHost> example (from a cPanel server):

<VirtualHost 173.244.180.89:80>
    ServerName resellers.ghorbani.us
    ServerAlias www.resellers.ghorbani.us
    DocumentRoot /home/ghorbani/public_html/resellers
    ServerAdmin webmaster@resellers.ghorbani.us
    UseCanonicalName On
    Options -ExecCGI -Includes
    RemoveHandler cgi-script .cgi .pl .plx .ppl .perl
    CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us combined
    CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    User ghorbani # Needed for Cpanel::ApacheConf
    <IfModule mod_suphp.c>
        suPHP_UserGroup ghorbani ghorbani
    </IfModule>
    <IfModule !mod_disable_suexec.c>
        SuexecUserGroup ghorbani ghorbani
    </IfModule>
    ScriptAlias /cgi-bin/ /home/ghorbani/public_html/resellers/cgi-bin/
    To customize this VirtualHost use an include file at the following location
    Include
</VirtualHost>

A <VirtualHost> block lets one server answer for several sites; the block names the address and port it answers on. In this example ServerName is resellers.ghorbani.us, served on 173.244.180.89:80; DocumentRoot, the directory the site's files are read from, is /home/ghorbani/public_html/resellers; ServerAdmin, the contact address shown to users on server-generated error pages, is webmaster@resellers.ghorbani.us; the CustomLog lines give the site its own access logs; and the suPHP and suexec blocks make the site's PHP and CGI run as the user ghorbani. Two simpler hosts sharing one address:

<VirtualHost 192.168.100.1>
    ServerName site1.domain.com
    DocumentRoot /var/httpd/www/site1
    ServerPath /site1
</VirtualHost>

<VirtualHost 192.168.100.1>
    ServerName site2.domain.com
    DocumentRoot /var/httpd/www/site2
    ServerPath /site2
</VirtualHost>

# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#

ServerName is the name (a DNS name) and port the server uses to identify itself. If the host has no registered DNS name its IP address is used instead. UseCanonicalName decides whether self-referencing URLs are built from this ServerName or from the hostname the client sent.

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName www.example.com:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

With Off the server uses the hostname and port supplied by the client; to force the ServerName value into self-referencing URLs, set UseCanonicalName On.

DocumentRoot is the directory the server's documents are read from; by default /var/www/html:

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"

Every directory the server can reach is configured with a <Directory> block:

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

This first block applies to the root directory (/) and therefore to everything below it: it permits nothing beyond following symbolic links and forbids .htaccess overrides. The DocumentRoot directory then gets its own, more permissive block.

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

Options Indexes FollowSymLinks lets the server generate a directory listing when a directory has no index file, and lets it follow symbolic links.

AllowOverride controls which directives may be set in .htaccess files: "All", "None" or any combination of Options, FileInfo, AuthConfig and Limit.

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

With AllowOverride None, .htaccess files in this directory are ignored entirely.

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

UserDir names the directory inside a user's home directory that is served for ~user requests: a request for /~userid/ is mapped to the user's ~userid/public_html directory.

# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disable

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #
    #UserDir public_html

</IfModule>

To enable user directories, replace UserDir disable with UserDir public_html. Access to the user directories can then be restricted with a <Directory> block; the following example limits them to read-only access:

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

DirectoryIndex names the file that is served when a directory itself is requested, for example the index page under ~userid/public_html/linuxtalk. The default:

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.html.var

AccessFileName sets the name of the per-directory configuration file, .htaccess, that the server looks for in each directory:

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

.htaccess files, and the .htpasswd files that hold password hashes, must not be readable by clients, so the configuration refuses any request for a file whose name starts with .ht:

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

Access can be granted or refused per client:

Allow from all    grants access to every client
Deny from all     refuses access to every client

For example:

order allow,deny
allow from 1.1.1.1
deny from all

A whole domain such as peyman.com (matched against the client's reverse DNS name) can be refused with:

deny from peyman.com
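The Order, Allow and Deny rules above are easy to get backwards, so here is an added example (not part of the original document; the function names and sample addresses are my own) that evaluates a client the way mod_authz_host in Apache 2.2 does. Feeding it the three-line example from the text shows that with Order allow,deny the matching Deny from all overrides Allow from 1.1.1.1, so that client is refused as well; the form that admits a single address is Order deny,allow with Deny from all and Allow from 1.1.1.1.

```python
import ipaddress


def _matches(pattern, client_ip, client_host):
    """Does one Allow/Deny argument match this client?

    Handles the argument forms mod_authz_host accepts: 'all', a full IP
    address, a partial dotted prefix such as '10.1', a CIDR or netmask
    network, and a domain name or domain suffix. A domain pattern is only
    compared if the server resolved the client's reverse DNS name (passed
    here as client_host); with no name available it never matches.
    """
    p = pattern.lower()
    if p == "all":
        return True
    if "/" in p:                                   # 10.1.0.0/16 or 10.1.0.0/255.255.0.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(p, strict=False)
    if p.replace(".", "").isdigit():               # full or partial IP address
        return client_ip == p or client_ip.startswith(p + ".")
    if client_host is None:                        # domain pattern, nothing to compare
        return False
    h = client_host.lower()
    return h == p or h.endswith("." + p)


def evaluate(order, allow, deny, client_ip, client_host=None):
    """Return True if the client is admitted under Apache 2.2 Order semantics.

    allow and deny are the argument strings of the Allow from / Deny from
    directives in the same container.
    """
    allowed = any(_matches(p, client_ip, client_host) for p in allow)
    denied = any(_matches(p, client_ip, client_host) for p in deny)
    order = order.lower().replace(" ", "")
    if order in ("allow,deny", "mutual-failure"):
        # Allow is checked first and at least one must match; then Deny is
        # checked and a match rejects regardless of Allow. Default: deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, but a matching Allow overrides it, and a
        # client matching neither list is admitted. Default: allow.
        return allowed or not denied
    raise ValueError("unknown Order: " + order)


if __name__ == "__main__":
    # The example from the text: Order allow,deny / allow from 1.1.1.1 / deny from all
    print("allow,deny admits 1.1.1.1:", evaluate("allow,deny", ["1.1.1.1"], ["all"], "1.1.1.1"))
    # The allow-list form that actually admits only 1.1.1.1
    print("deny,allow admits 1.1.1.1:", evaluate("deny,allow", ["1.1.1.1"], ["all"], "1.1.1.1"))
    print("deny,allow admits 2.2.2.2:", evaluate("deny,allow", ["1.1.1.1"], ["all"], "2.2.2.2"))
    # deny from peyman.com only bites when the client's name resolved
    print("peyman.com host refused:", not evaluate("allow,deny", ["all"], ["peyman.com"],
                                                   "5.6.7.8", "www.peyman.com"))
```

The domain case is worth remembering when reading a configuration: Deny from peyman.com does nothing for a client whose address has no reverse DNS record, because the server has no name to compare, and it costs a DNS lookup per request in the same way HostnameLookups does.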

IndexOptions controls the appearance of server-generated directory listings. Its form is:

IndexOptions option [option] ...

Some of the options:

NameWidth=[n | *]: width of the filename column (* fits the longest name).
FancyIndexing: switches on the detailed listing with an icon, size and modification date per file.
IconHeight[=pixels]: height of the icons in the HTML listing.

The icon shown for each file is chosen by the file's MIME type, which the server determines from the extension using the mime.types table at /etc/mime.types, or from the file's contents using the magic file.

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups: when On, the server resolves each client's IP address to its DNS name for the logs; when Off only the IP address is recorded. Every lookup is an extra DNS query per request, so Off is the default.

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

EnableMMAP controls whether the server uses memory-mapping to deliver files.

On some multiprocessor systems memory-mapping can reduce performance, and if a mapped file is changed or removed on disk while the server is serving it, the server process can crash. For files on NFS-mounted filesystems it should be turned off:

<Directory "/path-to-nfs-files">
    EnableMMAP Off
</Directory>

#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs/2.2/mod/core.html#enablemmap
#
#EnableMMAP off

EnableSendfile: Control whether the sendfile kernel support is used to deliver files (assuming that the OS supports it). The default is on; turn this off if you serve from NFS-mounted filesystems. Please see http://httpd.apache.org/docs/2.2/mod/core.html#enablesendfile

EnableSendfile off

ErrorLog sets the file that error messages are written to; it can also be set separately inside a <VirtualHost>:

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error_log

LogLevel controls how much is written to error_log.

The levels, from most to least severe, each with an example message:

emerg    the server is unusable, e.g. "Child cannot open lock file. Exiting"
alert    action must be taken immediately, e.g. "getpwuid: couldn't determine user name from uid"
crit     critical condition, e.g. "socket: Failed to get a socket, exiting child"
error    error condition, e.g. "Premature end of script headers"
warn     warning, e.g. "child process 1343 did not exit, sending another SIGHUP"
notice   normal but significant condition, e.g. "httpd: caught SIGBUS, attempting to dump core in ..."
info     informational, e.g. "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
debug    debug-level messages, the most verbose setting

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

LogFormat and CustomLog define the format and location of the access log.

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this
# requires the mod_logio module to be loaded.
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog logs/access_log common

#
# If you would like to have separate agent and referer logfiles, uncomment
# the following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent

#
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined
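The combined format above is what most log tooling expects, and the access log is the first place to look for clients probing the files and handlers this configuration locks down. The following Python script is an added example, not part of the original document: it parses combined-format lines field by field (the regex follows the LogFormat string exactly, including backslash-escaped quotes inside the request line), then counts per client how many 404s it produced and how many requests went to paths such as /.htaccess, /server-status or /~user. The sample log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter
from datetime import datetime

# Mirrors the "combined" LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# Apache escapes a literal quote inside a quoted field as \", hence (?:[^"\\]|\\.)*.
COMBINED_RE = re.compile(
    r'^(?P<h>\S+) (?P<l>\S+) (?P<u>\S+) \[(?P<t>[^\]]+)\] '
    r'"(?P<r>(?:[^"\\]|\\.)*)" (?P<s>\d{3}) (?P<b>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Paths ordinary visitors never request: the .ht* files, the status/info
# handlers, CGI directories and ~user directories discussed in the text.
PROBE_RE = re.compile(r"/\.ht|/server-status|/server-info|/cgi-bin/|/~")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None when the
    line does not match (truncated line, another LogFormat, garbage)."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["r"].split(" ")          # "%r" is "METHOD /path HTTP/x.y"
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["proto"] = parts[2] if len(parts) > 2 else ""
    rec["status"] = int(rec["s"])
    rec["bytes"] = 0 if rec["b"] == "-" else int(rec["b"])   # "%b" logs "-" for zero bytes
    rec["time"] = datetime.strptime(rec["t"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(lines):
    """Per-client counters: requests, 404s, probes of sensitive paths, bytes sent."""
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # unparseable lines are skipped, not fatal
        c = stats.setdefault(rec["h"], Counter())
        c["requests"] += 1
        c["bytes"] += rec["bytes"]
        if rec["status"] == 404:
            c["not_found"] += 1
        if PROBE_RE.search(rec["path"]):
            c["probes"] += 1
    return stats


def flag_clients(stats, min_not_found=3, min_probes=1):
    """Clients worth a closer look: a run of 404s (guessing paths) or any probe."""
    return sorted(h for h, c in stats.items()
                  if c["not_found"] >= min_not_found or c["probes"] >= min_probes)


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2021:13:55:36 +0330] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2021:13:55:37 +0330] "GET /icons/folder.gif HTTP/1.1" 200 225 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2021:13:56:01 +0330] "GET /.htpasswd HTTP/1.1" 403 - "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Oct/2021:13:56:02 +0330] "GET /server-status HTTP/1.1" 403 - "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Oct/2021:13:57:10 +0330] "GET /a HTTP/1.1" 404 291 "-" "scanner"',
    '203.0.113.5 - - [10/Oct/2021:13:57:11 +0330] "GET /b HTTP/1.1" 404 291 "-" "scanner"',
    '203.0.113.5 - - [10/Oct/2021:13:57:12 +0330] "GET /c HTTP/1.1" 404 291 "-" "scanner"',
    '192.0.2.10 - - [10/Oct/2021:13:58:00 +0330] "GET /search?q=\\"x\\" HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not match',
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for host in flag_clients(stats):
        print(host, dict(stats[host]))
```

The two 403 lines are the configuration doing its job (the <Files ~ "^\.ht"> block and a closed /server-status), but they are still worth surfacing: the client asked for them on purpose.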

ServerSignature adds a footer line with the server version and virtual host name to server-generated pages:

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On

Alias maps a URL path to a directory outside DocumentRoot, so content stored elsewhere on the disk can be served without moving it.

Aliases: Add here as many aliases as you need (with no limit). The format is

Alias fakename realname

Note that if you include a trailing / on fakename then the server will require it to be present in the URL. So "/icons" isn't aliased in this example, only "/icons/". If the fakename is slash-terminated, then the realname must also be slash terminated, and if the fakename omits the trailing slash, the realname must also omit it.

We include the /icons/ alias for FancyIndexed directory listings. If you do not use FancyIndexing, you may comment this out.

Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

By default the icons directory is aliased so that the icon images used in directory listings are found under /var/www/icons. The same mechanism serves a directory of your own. For example, create a directory peyman under /var/www with a test page:

cd /var/www
mkdir peyman
cd peyman
nano index.html

Type "salam" into the file, press Ctrl+X and answer Y to save, then open httpd.conf (nano /etc/httpd/conf/httpd.conf) and add the alias next to the existing Alias and ScriptAlias entries:

Alias /peyman/ "/var/www/peyman/"
<Directory "/var/www/peyman">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

The directory is then served under the /peyman/ URL path.

WebDAV

WebDAV (Web Distributed Authoring and Versioning) extends HTTP so that clients can create and edit files on the server; the protocol is specified in RFC 4918, http://www.webdav.org/specs/rfc4918.html.

#
# WebDAV module configuration section.
#
<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias works like Alias but marks the target directory as containing CGI scripts: files under it are executed by the server and their output is sent to the client, instead of the files being delivered as documents the way an Alias directory (such as the peyman example above) delivers them. Two examples from a cPanel server:

ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys/
ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/

The default CGI directory is /var/www/cgi-bin:

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Redirect

Redirect allows you to tell clients about documents which used to exist in your server's namespace, but do not anymore. This allows you to tell the clients where to look for the relocated document. Example:

Redirect permanent /foo http://www.example.com/bar

A request for /foo is answered with a permanent redirect to http://www.example.com/bar.

IndexOptions controls the appearance of the server-generated directory listings described above:

#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

AddIcon* directives choose the icon shown next to each file in a listing, either by the file's type (determined from the extension, or from its contents through the magic file in /etc/httpd/conf) or by its extension or name; they only take effect in FancyIndexed directories.

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

For example, files with the .bin extension are shown with the icon /icons/binary.gif:

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif

#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz

IndexIgnore lists file names (shell wildcards allowed) that directory listings leave out:

#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t


#
# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz

#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz

# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

#

# actions unrelated to filetype. These can be either built into the server # or added with the Action directive (see below)

#

# To use CGI scripts outside of ScriptAliased directories:

# (You will also need to add "ExecCGI" to the "Options" directive.) #

#AddHandler cgi-script .cgi #

# For files that include their own HTTP headers: #

#AddHandler send-as-is asis #

# For type maps (negotiated resources):

# (This is enabled by default to allow the Apache "It Worked" page # to be distributed in multiple languages.)

#

AddHandler type-map var #

# Filters allow you to process content before it is sent to the client. #

# To parse .shtml files for server-side includes (SSI):

# (You will also need to add "Includes" to the "Options" directive.) #

AddType text/html .shtml

AddOutputFilter INCLUDES .shtml #

# Action lets you define media types that will execute a script whenever # a matching file is called. This eliminates the need for repeated URL # pathnames for oft-used CGI file processors.

# Format: Action media/type /cgi-script/location # Format: Action handler-name /cgi-script/location #

#

# Customizable error responses come in three flavors: # 1) plain text 2) local redirects 3) external redirects

(38)

#

# Some examples:

#ErrorDocument 500 "The server made a boo boo." #ErrorDocument 404 /missing.html

#ErrorDocument 404 "/cgi-bin/missing_handler.pl"

#ErrorDocument 402 http://www.example.com/subscription_info.html #

#

# Putting this all together, we can internationalize error responses. #

# We use Alias to redirect any /error/HTTP_<error>.html.var response to # our collection of by-error message multi-language collections. We use # includes to substitute the appropriate text.

#

# You can modify the messages' appearance without changing any of the # default HTTP_<error>.html.var files by adding the line:

#

# Alias /error/include/ "/your/include/path/" #

# which allows you to create your own set of files by starting with the # /var/www/error/include/ files and

# copying them to /your/include/path/, even on a per-VirtualHost basis. #

Alias /error/ "/var/www/error/" <IfModule mod_negotiation.c> <IfModule mod_include.c> <Directory "/var/www/error"> AllowOverride None Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var Order allow,deny

Allow from all

LanguagePriority en es de fr

ForceLanguagePriority Prefer Fallback </Directory>

(39)

# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var # ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var # ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var # ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var # ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var # ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var # ErrorDocument 410 /error/HTTP_GONE.html.var # ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var # ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var # ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var # ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var # ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var # ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var # ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var # ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var # ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var # ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var </IfModule> </IfModule> #

# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
#

# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>

#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".example.com" to match your domain to enable.
#
#<Location /server-info>
#    SetHandler server-info
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>

#
# enable the proxy server:
#
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Proxy>

#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
#ProxyVia On

#
# To enable a cache of proxied content, uncomment the following lines.
# See http://httpd.apache.org/docs/2.2/mod/mod_cache.html for more details.
#
#<IfModule mod_disk_cache.c>
#   CacheEnable disk /
#   CacheRoot "/var/cache/mod_proxy"
#</IfModule>
#
#</IfModule>
# End of proxy directives.

### Section 3: Virtual Hosts
#

# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
#NameVirtualHost *:80
#
# NOTE: NameVirtualHost cannot be used without a port specifier
# (e.g. :80) if mod_ssl is being used, due to the nature of the
# SSL protocol.
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

# Include /etc/httpd/conf.d/nagios.conf
# Include /etc/httpd/conf.d/apcupsd.conf

ls /usr/local/httpd

The module documentation is at http://httpd.apache.org/docs/2.2/mod/ and the Options directive is described at http://httpd.apache.org/docs/2.2/mod/core.html.

Create the ServerRoot directory tree, owned by root and writable only by root:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs

Change ownership:

chown 0 . bin conf logs

Change group ownership:

chgrp 0 . bin conf logs

Set permissions:

chmod 755 . bin conf logs

Copy the httpd binary into place, owned by root, executable but not readable by other users:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

System settings (.htaccess):

<Directory />
    AllowOverride None
</Directory>

This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example, for public_html directories:

<Directory /usr/users/*/public_html>
    Order Deny,Allow
    Allow from all
</Directory>

<Directory /usr/local/httpd>
    Order Deny,Allow
    Allow from all
</Directory>

Hide the server version and signature in responses and error pages:

ServerSignature Off
ServerTokens Prod

Run the server under its own unprivileged user and group (here apache):

User apache
Group apache

Close the filesystem root and open only the web root:

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>

Options to switch off wherever they are not needed:

Options -Indexes        (no directory listings)
Options -Includes       (no server-side includes)
Options -ExecCGI        (no CGI execution)
Options -FollowSymLinks (do not follow symbolic links)

Options None disables all of them, or several can be combined:

Options -ExecCGI -FollowSymLinks -Indexes

Disable .htaccess overrides with AllowOverride None. Where overrides are needed, rename the per-directory file and keep all .ht* files from ever being served:

AccessFileName .httpdoverride
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

mod_security is an additional module worth installing for request filtering; see http://www.modsecurity.org

Modules that are rarely needed and are candidates for disabling: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi and mod_autoindex. To see which modules httpd.conf loads:

grep LoadModule httpd.conf

Make the installation owned by root and unreadable by other users:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

Limit how long the server waits for a request and how large a request body it accepts:

Timeout 45
LimitRequestBody 1048576

LimitRequestFields, LimitRequestFieldSize and LimitRequestLine bound the number and size of request header fields and the length of the request line. If mod_dav is loaded, also bound XML request bodies:

LimitXMLRequestBody 10485760

MaxClients caps the number of simultaneous connections the server will handle. Related tuning directives are MaxSpareServers and MaxRequestsPerChild, and for Apache 2 also ThreadsPerChild, ServerLimit and MaxSpareThreads.
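The hardening directives above (ServerTokens, ServerSignature, the Options and AllowOverride settings, the request limits, and the server-status and proxy blocks earlier in the file) can be checked mechanically rather than by reading a long httpd.conf by eye. The following Python script is an added example, not part of the original page or of Apache: it parses the container structure of a config fragment and flags the settings this guide says to change. The two configurations embedded in it are constructed for the demonstration.

```python
"""Audit an httpd.conf fragment for the hardening directives discussed above.

Added example, not from the original page or from Apache: it parses the
container structure and flags the settings this guide says to change.
"""
import re

# Constructed sample: a deliberately weak configuration.
WEAK_CONF = """
ServerTokens Full
ServerSignature On
Timeout 300
<Directory />
    Options All
    AllowOverride All
</Directory>
<Directory "/var/www/html">
    Options +Indexes +FollowSymLinks
    AllowOverride All
</Directory>
<Location /server-status>
    SetHandler server-status
    Allow from all
</Location>
<IfModule mod_proxy.c>
    ProxyRequests On
</IfModule>
"""

# Constructed sample: the same fragment with the guide's hardening applied.
HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
Timeout 45
LimitRequestBody 1048576
<Directory />
    Options None
    AllowOverride None
    Deny from all
</Directory>
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
    AllowOverride None
</Directory>
<Location /server-status>
    SetHandler server-status
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

# Options the guide says to switch off ("All" enables every one of them).
RISKY_OPTIONS = {"indexes", "includes", "execcgi", "followsymlinks", "all"}


def parse_apache_config(text):
    """Flatten a config into (context, directive, args) triples; context is the
    tuple of enclosing containers such as (("Directory", "/"),). Directive
    names are lower-cased because Apache matches them case-insensitively."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):             # closing tag: leave the container
            if stack:
                stack.pop()
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>", line)
        if m:                                  # opening tag: enter the container
            stack.append((m.group(1), m.group(2).strip().strip('"')))
            continue
        parts = line.split(None, 1)
        entries.append((tuple(stack), parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def audit_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_apache_config(text)
    findings = []
    top = {d: a for ctx, d, a in entries if not ctx}   # server-wide; last one wins
    if top.get("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod (the default Full reveals version and modules)")
    if top.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is not Off (error pages reveal server details)")
    if int(top.get("timeout", "300")) > 45:
        findings.append("Timeout above the guide's 45 seconds (slow clients tie up workers)")
    if int(top.get("limitrequestbody", "0")) == 0:
        findings.append("LimitRequestBody unset (request bodies are unlimited)")
    containers = {}
    for ctx, d, a in entries:
        if ctx:
            containers.setdefault(ctx, []).append((d, a))
    for ctx, body in containers.items():
        where = " > ".join(f"{kind} {arg}".strip() for kind, arg in ctx)
        for d, a in body:
            if d == "options":
                enabled = {o.lstrip("+").lower() for o in a.split() if not o.startswith("-")}
                if enabled & RISKY_OPTIONS:
                    findings.append(f"{where}: Options enables {', '.join(sorted(enabled & RISKY_OPTIONS))}")
            elif d == "allowoverride" and a.lower() != "none":
                findings.append(f"{where}: AllowOverride {a} lets .htaccess override server policy")
            elif d == "proxyrequests" and a.lower() == "on":
                findings.append(f"{where}: ProxyRequests On (forward proxy; restrict it with <Proxy>)")
        denies_all = any(d == "deny" and a.lower() == "from all" for d, a in body)
        if ctx[-1] == ("Directory", "/") and not denies_all:
            findings.append("Directory /: no 'Deny from all' (filesystem root reachable by default)")
        handler = dict(body).get("sethandler", "").lower()
        if handler in ("server-status", "server-info") and not denies_all:
            findings.append(f"{where}: {handler} exposed without 'Deny from all'")
    return findings
```

Running `audit_config(WEAK_CONF)` reports eleven findings, one per weak setting, and `audit_config(HARDENED_CONF)` reports none. The defaults assumed for absent directives (ServerTokens Full, Timeout 300, LimitRequestBody 0) are the Apache 2.2 defaults, which is why a directive that is simply missing is reported too.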

Deny access by default and allow it only where needed:

Order Deny,Allow
Deny from all

Or by IP:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

KeepAlive: bound the number of requests served over one persistent connection and how long an idle connection is kept open:

MaxKeepAliveRequests 100
KeepAliveTimeout 15

Chroot the server with mod_security:

SecChrootDir /chroot/apache

Limit concurrent connections per IP address with mod_limitipconn. Install it from the RPM:

rpm -ivh http://dominia.org/djao/limit/mod_limitipconn-0.04-1.i386.rpm

or build it from source:

wget http://dominia.org/djao/limit/mod_limitipconn-0.04.tar.gz
tar xzvf mod_limitipconn-0.04.tar.gz
cd mod_limitipconn-0.04
make
make install

Then add to httpd.conf:

ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
AddModule mod_limitipconn.c

<IfModule mod_limitipconn.c>
    <Location /somewhere>
        # exempting images from the connection limit is often a good
        # idea if your web page has lots of inline images, since these
        # pages often generate a flurry of concurrent image requests
        NoIPLimit image/*
    </Location>

    <Location /mp3>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>
</IfModule>

More details: http://dominia.org/djao/limitipconn.html

Apache modules:

mod_actions

    This module provides for executing CGI scripts based on media type or request method.

mod_alias
    Provides for mapping different parts of the host filesystem in the document tree and for URL redirection

mod_asis
    Sends files that contain their own HTTP headers

mod_auth_basic
    Basic authentication

mod_auth_digest
    User authentication using MD5 Digest Authentication.

mod_authn_alias
    Provides the ability to create extended authentication providers based on actual providers

mod_authn_anon
    Allows "anonymous" user access to authenticated areas

mod_authn_dbd
    User authentication using an SQL database

mod_authn_dbm
    User authentication using DBM files

mod_authn_default
    Authentication fallback module

mod_authn_file
    User authentication using text files

mod_authnz_ldap
    Allows an LDAP directory to be used to store the database for HTTP Basic authentication.

mod_authz_dbm
    Group authorization using DBM files

mod_authz_default
    Authorization fallback module

mod_authz_groupfile
    Group authorization using plaintext files

mod_authz_host
    Group authorizations based on host (name or IP address)

mod_authz_owner
    Authorization based on file ownership

mod_authz_user
    User Authorization

mod_autoindex
    Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command

mod_cache
    Content cache keyed to URIs.

mod_cern_meta
    CERN httpd metafile semantics

mod_cgi
    Execution of CGI scripts

mod_cgid
    Execution of CGI scripts using an external CGI daemon

mod_charset_lite
    Specify character set translation or recoding

mod_dav
    Distributed Authoring and Versioning (WebDAV) functionality

mod_dav_fs
    filesystem provider for mod_dav

mod_dav_lock
    generic locking module for mod_dav

mod_dbd
    Manages SQL database connections

mod_deflate
    Compress content before it is delivered to the client

mod_dir
    Provides for "trailing slash" redirects and serving directory index files

mod_disk_cache
    Content cache storage manager keyed to URIs

mod_dumpio
    Dumps all I/O to error log as desired.

mod_echo
    A simple echo server to illustrate protocol modules

mod_env
    Modifies the environment which is passed to CGI scripts and SSI pages

mod_example
    Illustrates the Apache module API

mod_expires
    Generation of Expires and Cache-Control HTTP headers according to user-specified criteria

mod_ext_filter
    Pass the response body through an external program before delivery to the client

mod_file_cache
    Caches a static list of files in memory

mod_filter
    Context-sensitive smart filter configuration module

mod_headers
    Customization of HTTP request and response headers

mod_ident
    RFC 1413 ident lookups

mod_imagemap
    Server-side imagemap processing

mod_include
    Server-parsed html documents (Server Side Includes)

mod_info
    Provides a comprehensive overview of the server configuration

mod_isapi
    ISAPI Extensions within Apache for Windows

mod_ldap
    LDAP connection pooling and result caching services for use by other LDAP modules

mod_log_config
    Logging of the requests made to the server

mod_log_forensic

mod_logio
    Logging of input and output bytes per request

mod_mem_cache
    Content cache keyed to URIs

mod_mime
    Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)

mod_mime_magic
    Determines the MIME type of a file by looking at a few bytes of its contents

mod_negotiation
    Provides for content negotiation

mod_nw_ssl
    Enable SSL encryption for NetWare

mod_proxy
    HTTP/1.1 proxy/gateway server

mod_proxy_ajp
    AJP support module for mod_proxy

mod_proxy_balancer
    mod_proxy extension for load balancing

mod_proxy_connect
    mod_proxy extension for CONNECT request handling

mod_proxy_ftp
    FTP support module for mod_proxy

mod_proxy_http
    HTTP support module for mod_proxy

mod_proxy_scgi
    SCGI gateway module for mod_proxy

mod_reqtimeout
    Set timeout and minimum data rate for receiving requests

mod_rewrite
    Provides a rule-based rewriting engine to rewrite requested URLs on the fly

mod_setenvif
    Allows the setting of environment variables based on characteristics of the request

mod_so
    Loading of executable code and modules into the server at start-up or restart time

mod_speling
    Attempts to correct mistaken URLs that users might have entered by ignoring capitalization and by allowing up to one misspelling

mod_ssl
    Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols

mod_status
    Provides information on server activity and performance

mod_substitute
    Perform search and replace operations on response bodies

mod_suexec
    Allows CGI scripts to run as a specified user and Group

mod_unique_id
    Provides an environment variable with a unique identifier for each request

mod_userdir
    User-specific directories

mod_usertrack
    Clickstream logging of user activity on a site

mod_version
    Version dependent configuration

mod_vhost_alias
    Provides for dynamically configured mass virtual hosting
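To see how the mod_limitipconn block shown before the module list actually behaves, here is a Python model of its per-IP limit. It is an added example, not the module's own code: it reproduces the documented semantics (MaxConnPerIP caps the requests in flight per client address inside a Location, NoIPLimit exempts matching MIME types, OnlyIPLimit restricts the limit to the listed types) and replays a constructed request sequence against the /mp3 block. Matching a MIME type against a pattern by glob or by prefix, so that "video" covers video/*, is an assumption about the module.

```python
"""Model of the per-IP concurrent connection limit enforced by mod_limitipconn.

Added example, not the module's implementation. Pattern matching by glob
("image/*") or prefix ("video") is an assumption made for the demo.
"""
import fnmatch
from collections import defaultdict


def mime_matches(mime_type, patterns):
    """True if mime_type matches any pattern by glob or by prefix (assumption)."""
    return any(fnmatch.fnmatch(mime_type, p) or mime_type.startswith(p) for p in patterns)


class LocationLimiter:
    """One <Location> block: MaxConnPerIP with NoIPLimit / OnlyIPLimit exemptions."""

    def __init__(self, max_conn_per_ip, no_ip_limit=(), only_ip_limit=()):
        self.max_conn_per_ip = max_conn_per_ip
        self.no_ip_limit = tuple(no_ip_limit)      # MIME types never counted
        self.only_ip_limit = tuple(only_ip_limit)  # if set, the only types counted
        self.active = defaultdict(int)             # client IP -> requests in flight

    def is_limited(self, mime_type):
        """Exempt types are never counted; with OnlyIPLimit, only listed types are."""
        if mime_matches(mime_type, self.no_ip_limit):
            return False
        if self.only_ip_limit:
            return mime_matches(mime_type, self.only_ip_limit)
        return True

    def begin(self, ip, mime_type):
        """Admit (True) or reject (False) a new request; admitted counted
        requests occupy one of the client's MaxConnPerIP slots."""
        if not self.is_limited(mime_type):
            return True
        if self.active[ip] >= self.max_conn_per_ip:
            return False
        self.active[ip] += 1
        return True

    def end(self, ip, mime_type):
        """Release the slot when a counted request finishes."""
        if self.is_limited(mime_type) and self.active[ip] > 0:
            self.active[ip] -= 1


def simulate():
    """Replay a constructed request sequence against the page's /mp3 block
    (MaxConnPerIP 1, OnlyIPLimit audio/mpeg video); returns the admit decisions."""
    mp3 = LocationLimiter(1, only_ip_limit=("audio/mpeg", "video"))
    out = []
    out.append(mp3.begin("10.0.0.1", "audio/mpeg"))   # first stream: admitted
    out.append(mp3.begin("10.0.0.1", "audio/mpeg"))   # second concurrent stream: rejected
    out.append(mp3.begin("10.0.0.1", "video/mp4"))    # video counts against the same slot
    out.append(mp3.begin("10.0.0.1", "text/html"))    # playlist page: exempt, admitted
    out.append(mp3.begin("10.0.0.2", "audio/mpeg"))   # another client has its own slot
    mp3.end("10.0.0.1", "audio/mpeg")                 # first stream finishes
    out.append(mp3.begin("10.0.0.1", "audio/mpeg"))   # slot is free again
    return out
```

`simulate()` returns `[True, False, False, True, True, True]`: the second and third requests from the same client are the ones the limit turns away, while the HTML page and the other client are unaffected. The /somewhere block from the page, with NoIPLimit image/*, corresponds to `LocationLimiter(n, no_ip_limit=("image/*",))`, under which image requests are never counted.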

Resource limits for processes started by the server (CGI scripts and the like):

RLimitMEM bytes|max [bytes|max]
RLimitNPROC number|max [number|max]
RLimitCPU seconds|max [seconds|max]

Installing mod_rewrite

mod_rewrite rewrites and redirects requests according to rules, and rule sets are also used to filter dos/ddos traffic. Connect to the server over SSH and install the nano editor if it is not present:

yum install nano
nano /etc/httpd/conf/httpd.conf

Search (Ctrl+W) for the line

LoadModule rewrite_module modules/mod_rewrite.so

and make sure it is not commented out. Change AllowOverride none to AllowOverride All for the directory in which .htaccess rules will be used, then restart the server:

service httpd restart

In the .htaccess file, enable the rewrite engine:

Options +FollowSymLinks
RewriteEngine On

mod_proxy

Links:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypassreverse
http://apache.webthing.com/mod_proxy_html/
http://www.apachetutor.org/admin/reverseproxies

Modules:

yum install httpd-devel
yum install libxml2-devel

Configuration:

cp proxy_html.conf /etc/httpd/conf/
vim /etc/httpd/conf/httpd.conf

LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
Include conf/proxy_html.conf

(Also check:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
)

Vhost example:

<VirtualHost 208.109.169.70:80>
    ServerAdmin "webmaster@upframr.com"
    ServerName upframr.com
    ServerAlias www.upframr.com
    MIMEMagicFile /dev/null
    CustomLog logs/upframr.com_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
    ErrorLog logs/upframr.com_error_log
    DocumentRoot "/home/admin2/public_html"
    <Directory "/home/admin2/public_html">
        Options +Indexes +FollowSymLinks
        Order allow,deny
        Allow from all
        AllowOverride All
        AddHandler mod_python .py
        PythonHandler mod_python.publisher
        PythonDebug On
    </Directory>
    Alias /mod_perl "/home/admin2/public_html/mod_perl"
    <Directory "/home/admin2/public_html/mod_perl">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
    </Directory>
    <Location /perl-status>
        SetHandler perl-script
        PerlResponseHandler Apache::Status
        Order deny,allow
        Deny from all
        Allow from upframr.com
    </Location>
    Alias /usage /var/www/stats/upframr.com
    <Directory /var/www/stats/upframr.com>
        Order allow,deny
        Allow from all
    </Directory>
    <Location /usage>
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

Technical Reference: Apache 2.0 DMZ Secure Server Install

Overview

This document is a guide to installing and hardening an Apache 2.0 web server to common security standards. It will guide you through practical measures to harden your Apache server, by way of example.

Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack. Therefore, it’s vital that you follow this guide to ensure that:

1) The opportunity to compromise the web server is limited

2) Should the web server be compromised, the damage potential to the rest of the network, data, and systems is limited.

1. Prepare the host operating system

1.1 Install and secure the host operating system.

Follow the hardening guidelines of the Center for Internet Security. Hardening the host O/S ensures that, should someone compromise the security of your web server, the amount of damage that they could inflict will be minimized.

It’s important to separate the binaries (/bin), docs (/htdocs), and logs (/logs) into separate partitions on the system. You can choose whatever root you want, but this example will use /opt/apache2 as the root directory for the Apache web server.

1.3 Create the host groups for administering and running the server.

Create a distinct group for all the users who will have permission to change the configuration, start, and stop the web server. For example, if you want to call the group “webadmin”, create it like this:

# groupadd webadmin

Create a distinct group for the web server user – no one will actually log into this group, but it will only be used to hold the userid which will run the web server. For example, if you want to call that group “webserv”, create it like this:

# groupadd webserv

Take note that you should not create a “web developer” group on this host. Since this is a hardened production host you must not provide web developers login accounts on this system. Instead, developers should deploy documents and code to the server using your code/content deployment system, such as Kintana’s Apps*Integrity.

1.4 Create an unprivileged host user id to run the server.

Never run the web server as root; if the web server is ever compromised, the attacker will have complete control over the system. Instead, the best way to reduce your exposure to attack when running a web server is to create a for the server application. The userid is often used for this purpose, but a userid and group that are unique to the web server is a more secure solution.

# useradd -d /opt/apache2/htdocs -g webserv -c "Web Server" webserv

1.5 Lock down the web server account

It’s important that no one can successfully execute a password guessing attack against this account, so in this step, we’ll restrict this account so that no one can log into it.

1.5.1 Issue this command to lock the password for the web server account:

# passwd -l webserv

Password changed.

# grep webserv /etc/shadow

… a :!: at the beginning of the line indicates that the password is locked.

1.5.3 Issue this command to remove the shell for this account:

# usermod -s /bin/false webserv

# grep webserv /etc/passwd

/bin/false at the end of the line indicates that the shell is set to a non-existent shell.

1.5.5 Test the web server account to be sure you can’t login. Issue this command to try to log in:

> login webserv

2. Download and verify Apache source code

By default, web servers return information about the product and version they are running in the Server variable of the HTTP header. This information can be very useful to hackers, enabling them to target attacks to that specific server. To prevent that information from being returned from the web server, this step shows you how to modify that header and build your own copy of the web server.

Because web servers often host sensitive information, or allow users to log in with plain-text passwords, it’s important to encrypt the HTTP traffic. Therefore, this section will show you how to configure mod_ssl on your web server.

Note: Don’t build the web server on your production, hardened host. Build it on a staging or development server (with identical O/S), and then copy it to your production host.

These steps will guide you through downloading Apache source code, validating it, compiling it, and installing it. We don’t recommend use of pre-compiled or DSO versions. DSO versions may allow a hacker to introduce new “features” without having to recompile the code.

If you intend to add other modules to your Apache web server installation, repeat the validation steps below for each module you add.

2.1 Download the latest version of Apache 2.0

Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security patches. You can download it from the Apache site.

From here, download four files:

1) The Apache source code itself, called something like httpd-2.0.45.tar.gz.

2) The PGP keys for the Apache signers: a file named KEYS

3) The PGP key for this source distribution, called something like httpd-2.0.45.tar.gz.asc

4) The MD5 checksum for this source distribution, called something like httpd-2.0.45.tar.gz.md5

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz
wget http://www.apache.org/dist/httpd/KEYS
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5

2.2 Verify PGP signature for the Apache source

To ensure that you have an authentic version from the Apache Group, and that it’s not been tampered with (remember, there are many mirrors from which you can download the Apache source), you should check the PGP signature. If you don’t have PGP installed on this server, you can validate these files on another machine.

a) If you don’t already have them in your PGP keyring, import the public keys from the

~> pgp -ka KEYS

b) Check the PGP signature:

~> pgp httpd-2.0.45.tar.gz.asc

… if the signature is correct, you should get something similar to this:

CUT

--
File 'httpd-2.0.45.tar.gz.asc' has signature, but with no text.
Text is assumed to be in file 'httpd-2.0.45.tar.gz'.
Good signature from user "Justin R. Erenkrantz <justin@erenkrantz.com>".

Signature made 2003/03/31 07:49 GMT

WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Justin R. Erenkrantz <justin@erenkrantz.com>".

The fact that it says, “Good Signature from…” is what we’re looking for here. The WARNING statement indicates that we’ve not verified this signature with a 3rd party,


2.3 Verify the MD5 checksum for the Apache source.

MD5 is a way to validate the integrity of the file itself, much more reliable than checksum and similar methods. Normally, mismatches in the MD5 checksum from the Apache source are the result of download errors or file corruption. If you don’t have MD5 on your system, you can download it from here.

Compare the results of these two commands – visually inspect them to ensure they match (if they don’t, download it again):

~> pwd
/usr/local/build
~> cat httpd-2.0.45.tar.gz.md5
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75
~> md5 httpd-2.0.45.tar.gz
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75
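Comparing two 32-character hex strings by eye is exactly the step that gets skipped under time pressure, so the checksum comparison is worth scripting. The following Python is an added example, not part of the original guide: it parses the BSD-style line the page shows ("MD5 (file) = hex") and also the GNU coreutils style written by md5sum and sha256sum ("hex  file"), recomputes the digest over the downloaded bytes and compares in constant time. The archive bytes and checksum lines below are constructed stand-ins, not the real httpd-2.0.45 values, and the signature check from 2.2 is still needed, since a checksum fetched from the same mirror proves integrity but not authenticity.

```python
"""Verify a downloaded archive against a published checksum file.

Added example, not part of the original guide. The archive bytes and the
checksum lines are constructed for the demo, not real Apache checksums.
"""
import hashlib
import hmac
import re

# Either "MD5 (name) = hex" (BSD style, as on the page) or "hex  name" (GNU style).
CHECKSUM_LINE = re.compile(
    r"^(?:(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\((?P<bsd_name>[^)]+)\)\s*=\s*(?P<bsd_hex>[0-9a-fA-F]+)"
    r"|(?P<gnu_hex>[0-9a-fA-F]+)\s+\*?(?P<gnu_name>\S+))\s*$"
)
# GNU-style lines do not name the algorithm; infer it from the digest length.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample archive and the checksum lines a mirror might publish for it.
SAMPLE_ARCHIVE = b"constructed stand-in for httpd-2.0.45.tar.gz\n"
SAMPLE_MD5_FILE = "MD5 (httpd-2.0.45.tar.gz) = " + hashlib.md5(SAMPLE_ARCHIVE).hexdigest() + "\n"
SAMPLE_SHA256_FILE = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  httpd-2.0.45.tar.gz\n"


def parse_checksum_file(text):
    """Return a list of (algorithm, filename, hexdigest) tuples from a checksum file."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHECKSUM_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        if m.group("algo"):
            found.append((m.group("algo").lower(), m.group("bsd_name"), m.group("bsd_hex").lower()))
        else:
            hexdigest = m.group("gnu_hex").lower()
            algo = DIGEST_LENGTHS.get(len(hexdigest))
            if algo is None:
                raise ValueError(f"cannot infer algorithm from digest length {len(hexdigest)}")
            found.append((algo, m.group("gnu_name"), hexdigest))
    return found


def verify_download(data, filename, checksum_text):
    """True if the checksum file lists filename and its digest of data matches."""
    for algo, name, expected in parse_checksum_file(checksum_text):
        if name != filename:
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # compare_digest does not leak how many leading characters matched.
        return hmac.compare_digest(actual, expected)
    raise ValueError(f"{filename} is not listed in the checksum file")
```

With the constructed data, `verify_download(SAMPLE_ARCHIVE, "httpd-2.0.45.tar.gz", SAMPLE_MD5_FILE)` is true, and appending a single byte to the archive makes it false; the same call with `SAMPLE_SHA256_FILE` exercises the GNU-style path.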

2.4 Extract the zipped Apache source file.

~> pwd
/usr/local/build
~> tar xvfz httpd-2.0.45.tar.gz

This will create a new directory under your current one, named “httpd-2.0.45”.

3. Create SSL certificates

3.1 Create a key and certificate request for your web server

Using OpenSSL, the following command will create a 1024-bit private key named “private.key” and generate a certificate signing request (CSR). You need to have the CSR signed by a Certificate Authority (CA) who can validate your identity. When prompted to input information, note the answers in bold print below. (Answer the prompts with the information relevant for your server, of course).

Note: If you provide a challenge password, you will be unable to start the web server unattended. We don’t recommend providing a challenge password, just leave it blank.

/usr/local/build
~> openssl req -nodes -newkey rsa:1024 -keyout /usr/local/build/server.key -out /usr/local/build/server.csr

Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:RTP
Organization Name (eg, company):XianCo Systems, Inc.
Organizational Unit Name (eg, section) []:InfoSec
Common Name (eg, YOUR name) []:xianshield.xianco.com
Email Address []:webmaster@xianshield.xianco.com

to be sent with your certificate request
A challenge password []: <blank>
An optional company name []: <blank>

Most importantly, make sure your “Common Name” above matches the DNS name of your server. The locale information is less important, but we think it’s best to use the locality of the server itself.

3.2. Submit CSR for validation/signing by a CA.


Send your request for a certificate to the CA. Include your name, your web server (Apache, in this case) your OS, and of course, the .csr (certificate signing request).


3.3 Rename your certificate files

The names aren’t important, they just have to match what’s in conf/ssl.conf. You will receive 2 files from the PKI team. The first file will be your server certificate (and will probably be named <server name>.cer), the 2nd file is the certificate chain. Here, we’ll rename them to fit what’s specified in conf/ssl.conf.

mv "XianCo CA (01-03).cer" ca.crt
mv xianshield.cer server.crt

Since you received these certs via email, and they’re now sitting on your laptop, we need to copy both server.crt and ca.crt to the server. We’ll copy them up to /usr/local/build. We’ll move them both to the appropriate locations under conf/ssl.conf later.

scp *.crt xianshield:/usr/local/build/.

4. Configure and build the Apache Server

In this section, we’ll configure Apache with SSL and mod_ldap support. As of Apache V2, these are both included modules, and don’t require a separate download.

In order to customize Apache to the extent necessary, we need to download the source for the latest version of Apache. Once that’s complete, we’ll configure and test it.

4.1 Alter the Apache version

We want to remove/modify the default HTTP response header parameter for the “Server:” token to hide the identity of our web server. (You’d be surprised how many vulnerability scanners are looking for specific versions of Apache.) To do this, we must open a header file (httpd.h) prior to compiling the server. To do this, edit the ap_release.h file located in ${ApacheSrcDir}/include

~> pwd
/usr/local/build/httpd-2.0.45/include
~> vi ap_release.h
