Solved

Simple Q's about config ServerRoot, DocumentRoot, ServerName, Directory

Posted on 2002-04-09
Last Modified: 2012-06-27
Hi all,

I am setting up Apache 2.0.35 for Windows on Win2k Adv. Server. I have no experience with Apache, but some years on IIS. I just had enough of it, that's why I'm trying Apache now and I need some newbies help.

I have compiled and installed Apache 2.0.35 (no MSI available yet), but before I start it I would like to know some things about the configuration file httpd.conf that I did not understand from the manuals.

ServerRoot
Must this point to the same directory that also has the binaries? Can I configure it in a way that the ServerRoot is on a data disk and the binaries are somewhere else? I would like to have the conf, error, manual and log files separately from the bin-files.

ServerName
Can this be only one? Or can I provide more? Like www.mydomain1.com, www.mydomain2.com and
www.myOtherdomain.com? Or do I need VirtualHosts for that?

UserDir
Currently I don't want to enable any user-specific features. I am the only one that needs access. How can I safely disable this? Is "UserDir disabled root" enough?

Directory
Can I use some kind of macros in httpd.conf, or do I have to repeat the directories every time in full?

AddHandler
Can I config this to an arbitrary program? Basically, what I want to do is use Ruby and Rebol for the scripts I am going to create. That means that the Ruby executable must be called when a .rb file is accessed so that it can be parsed. The same is true for .r files for Rebol. The output to stdout should be sent to the client, of course.

NameVirtualHost
What can I use it for?

Directory
Are these directories in the way the client sees them? I mean, should I use the Directory keyword for full qualified paths, or simply for partial paths? And how does it know which virtual root to take?

What I want to set up is a local directory structure like this:

#Program files here:
C:\Program Files\Apache

#data here:
D:\Internet\Apache 2.5\manual
D:\Internet\Apache 2.5\error
D:\Internet\Apache 2.5\logs
D:\Internet\Apache 2.5\_root
D:\Internet\Apache 2.5\_root\scripts
D:\Internet\Apache 2.5\_root\static
D:\Internet\Apache 2.5\_root\images
D:\Internet\Apache 2.5\www.mydomain.com
D:\Internet\Apache 2.5\www.mydomain.com\scripts
D:\Internet\Apache 2.5\www.mydomain.com\static
D:\Internet\Apache 2.5\www.mydomain.com\images
D:\Internet\Apache 2.5\www.mydomain.com\someVirtualPath
D:\Internet\Apache 2.5\www.mydomain.com\someVirtualPath\SomeSubPath
D:\Internet\Apache 2.5\othername.mydomain.com
....[same as above for mydomain]
D:\Internet\Apache 2.5\test.blabla.com
....[same as above for mydomain]
D:\Internet\Apache 2.5\yourname.blabla.com
....[same as above for mydomain]


The root should be called when any unknown domain is called or the site is referred to by its IP address. The other paths will have the exact same name as the registered DNS names. I would like to know how to set this up using Directory, ServerName, ServerRoot, Alias, Location (?) and/or VirtualHost. I do not need a complete example, I just need some hints and then I'll find out the rest myself.

Thanks for any help,
Abel

Question by:abel

Expert Comment

by:samri
Before you proceed - most of the items have their own explanation in the httpd.conf file. Very detailed.


1. ServerRoot
- Yes, it can be in a different location. Beware that changing the server root would require you to dig through the config files for paths that are relative to ServerRoot, and you might have to manually adjust them (or recreate the directories). It is advisable to keep the ServerRoot at the standard location, BUT relocate other dirs (logs, conf, htdocs, etc.).

--- from httpd.conf (Unix).
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs-2.0/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/usr/local/apache2"

2. ServerName
- Is not really important. Apache will complain if it's being set incorrectly, but it should be OK. It is only important for redirection to work properly. If you happen to need multiple server names, but all will point to the same website (same content), it does not matter which name you use. If you are doing virtual hosting (one server will be serving pages for different websites), then the first VirtualHost will be the default VirtualHost for requests that do not match any of the defined VirtualHosts.

-- gee.. After going this far, I thought that, it is best to look at httpd.conf first, and see if you still need any assistance

3. UserDir
 - refer to httpd.conf.

4. Directory
mod_rewrite docs.
http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html
Practical Rewriting Guide (for 1.3+, but should work with 2.0).
http://httpd.apache.org/docs/misc/rewriteguide.html

5. AddHandler
- again, from httpd.conf. Back to your scenario, assuming Ruby or Rebol programs are executable with .r and .rb extensions, you will need to add

AddHandler cgi-script .r .rb

And you must make sure your program conforms to the CGI/HTML standard, thus it sends the correct HTTP header. Otherwise you will get an error.

- from httpd.conf
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi

6. NameVirtualHost
- httpd.conf
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

#
# Use name-based virtual hosting.

7. Directory.

The <Directory> directive is used to control access, and behavior for docs/files within the dir and beneath it.  Normally it will be combined with Alias directive.  This would allow each directory to be configured depending on how strict the security/access method is.

- httpd.conf
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.

------
I hope this is the information that you are looking for. I would recommend that you browse httpd.conf first, and check with the online docs that come with your Apache, since most of the items are covered quite extensively there. The most we can do here is cut-and-paste (sigh!).

Should there be any specific Q that you are still blurred on, let us know.

Cheers.

Expert Comment

by:harwantgrewal
If you want to configure the virtual host, first define the NameVirtualHost IP

and in <VirtualHost IP>
# all configuration for this host
</VirtualHost>

harry

Author Comment

by:abel
Thanks, samri.

I see that I was not completely clear about something. I have read the manuals and the complete httpd.conf file (some more than once) to try to understand them. Some explanations are just too unclear to me, that's why I created that list. About all the other dozens of settings I *do* understand. I just want it set up properly and be prepared before I run into several leaks or errors I created with my ignorance.

BTW, some things probably are in the manual, and are very clear to you, but because it is so much information at once, I just need an extra hand here.

You explained quite some things though. But I still have some questions:

> It is advisable to keep the ServerRoot at the standard location
All right. I assume I should use absolute paths for the logs, manual and error directories?
How do I make sure that that ServerRoot is safe enough to stand attacks to my server?

UserDir
Q. from original posting remains. Can I just leave it commented to reach my goal?

AddHandler
But how does it know to call the ruby executable? I heard something about ExecCGI...?

NameVirtualHost
From the docs: they advise to use IP addresses. But when you have about a dozen or so registered names and they all are configured to one IP address? I guess I need names then?

Directory
It is still unclear if it is a directory that is ALWAYS relative to the virtual path, or that is ALWAYS absolute to the real path.
And where is this "Default" directory "/"?

One additional question (if you still have the energy ;) is: I would like to start out with a secure system. How can I be sure that my local paths are not mapped incorrectly or that I left some (default?) leak somewhere?

Thanks so far.

Abel

Expert Comment

by:samri
ServerRoot is used by the Apache httpd process for its internal engine, and only a few directories are actually available to http clients, namely htdocs and cgi-bin. Other directories like logs, etc, proxy will be used by the server for config (etc), logging (logs), and/or proxy/caching (proxy).

Apache (at least on Unix) is mature enough to sustain such attacks on the FS, and given its popularity and internet community support (65%+ of the webservers are Apache's - http://www.webcraft.com/), I would say that if configured properly (note the word IF), the server should be safe.

There are several other factors, not the httpd process itself, that might open your server (machine and OS) to attacks. Things like unsecured CGI programs, improper FS permissions, httpd running as root, etc. Unfortunately, I do not have enough exposure to running Apache on Win32 to comment much.

Additional Info:
http://httpd.apache.org/docs/misc/

Some security tips, from the Apache website
http://httpd.apache.org/docs/misc/security_tips.html

UserDir - yes you can leave it alone.  I think the reason why it is there is just to make the config file more uniform to those of Unix version of Apache.

-- I need to go, should be able to continue in a while.

cheers.

Accepted Solution

by:samri
UserDir - cont'd.

Unless you had users on the server, and each has their own "HomeDir", then the directive would be applicable. Other than that, it should be safe to leave it untouched.

AddHandler

-- again httpd.conf
    # AddHandler allows you to map certain file extensions to "handlers",
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action command (see below)

Basically, in most cases, we would need to add a filetype for CGI programs that will be outside of the cgi-bin (or ScriptAlias) directory. The AddHandler directive, along with Options ExecCGI, will make this possible. By default any (in fact all) files in a directory defined by a ScriptAlias directive (there can be multiple ScriptAlias directives) will be executed; for those outside of this (ScriptAlias), the way to get the server to treat them as CGI (run the code, rather than just display the page as HTML) is to use AddHandler with Options ExecCGI. The handler will be in the format AddHandler <handler> <.file-extension>. Back to your case, the directive would look like:

# you can have multiple file extension!  This example, any file with extension .r, .rb .exe, or .pl will be executed.
AddHandler cgi-script .r .rb .exe .pl

And assuming that you have those files in "C:\WebData\Ruby Code"

The complete config to get it to work would be


Alias /ruby/ "C:/WebData/Ruby Code/"

<Directory "C:/WebData/Ruby Code">
        Options Indexes MultiViews ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
</Directory>

AddHandler cgi-script .r .rb

Directory directive.
-- Apache docs :)
http://httpd.apache.org/docs-2.0/mod/core.html#directory

Gee... you got me.  personally I always use absolute path.  I think it might work with path relative to ServerRoot.  Have to check on this.

VirtualHost
-- Apache docs.
http://httpd.apache.org/docs-2.0/mod/core.html#virtualhost

VirtualHost is a way to define separate configurations for different websites hosted under the same httpd process.

For the VirtualHost to function properly, you need to have the site in the DNS, as either an A or a CNAME record. The respective DNS entry, along with its associated ServerName directive inside a VirtualHost container, will define a set of config for that specific VirtualHost.

For example, your IP address is 10.10.10.10, and there are DNS entries such as:

myredhat.mydomain.com.  in a     10.10.10.10
www.mydomain.com.       in cname myredhat.mydomain.com.
www.yourdomain.com.     in cname myredhat.mydomain.com.
www.theirdomain.com.    in cname myredhat.mydomain.com.

there are 4 ways (in fact, 5 ways) to reach your Apache: the four names, and the IP address.

According to apache docs, the first VirtualHost container will be the default for names not matching any other VirtualHost

NameVirtualHost *

<VirtualHost *>
    ServerAdmin webmaster@myredhat.mydomain.com
    DocumentRoot c:/webdata/mydomain
    ServerName www.mydomain.com
    ErrorLog logs/mydomain-error_log
    CustomLog logs/mydomain_log common
</VirtualHost>

... and so on for all the VirtualHosts

The DocumentRoot directory for each VirtualHost must be manually created.

Almost all Apache directives may go into the VirtualHost container. Btw, the "*" indicates that the vhost will listen on all available interfaces. You can substitute the * with 10.10.10.10 (the example IP address).


#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your_domain.com" to match your domain to enable.
#
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    # this can be a domain name, an IP address, or CIDR notation such as 192.168.0.0/24
    Allow from 192.168.0 127.0.0
</Location>

This would enable you to see the Apache running configuration. By default this is disabled.

- I hope the explanation is not too long.


good luck.
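
An added example, not part of samri's answer or of the original thread: one way to express the layout from the question in Apache 2.0 syntax, with a deny-by-default filesystem, UserDir switched off, CGI limited to one directory and a default virtual host. Paths and www.mydomain.com are taken from the question; default.invalid and the log file names are placeholders.

```apache
# Added example (not from the thread). Apache 2.0 syntax.
# default.invalid and the log file names are placeholders.

# Binaries and conf stay together; use forward slashes on Windows.
ServerRoot "C:/Program Files/Apache"

# An absolute path puts the log on the data disk. Relative log paths
# are resolved against ServerRoot.
ErrorLog "D:/Internet/Apache 2.5/logs/error.log"

# Turn off all per-user directories. "UserDir disabled root" would only
# exclude the user named root and leave the feature on for everyone else.
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>

# <Directory> takes a filesystem path, not a URL path. Deny the whole
# filesystem first, then open only the trees that are meant to be served.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

<Directory "D:/Internet/Apache 2.5/_root">
    Order allow,deny
    Allow from all
</Directory>

<Directory "D:/Internet/Apache 2.5/www.mydomain.com">
    Order allow,deny
    Allow from all
</Directory>

# CGI only in the scripts directory, and no Indexes, so the list of
# scripts cannot be browsed. With the default setting
# "ScriptInterpreterSource script", Apache on Windows starts the
# interpreter named on the "#!" line of each script.
<Directory "D:/Internet/Apache 2.5/www.mydomain.com/scripts">
    Options ExecCGI
    AddHandler cgi-script .rb .r
</Directory>

NameVirtualHost *

# The first <VirtualHost> is the default: it answers requests made by
# IP address and any Host header that matches no ServerName below.
<VirtualHost *>
    ServerName default.invalid
    DocumentRoot "D:/Internet/Apache 2.5/_root"
</VirtualHost>

# "common" is the LogFormat nickname defined in the stock httpd.conf.
<VirtualHost *>
    ServerName www.mydomain.com
    DocumentRoot "D:/Internet/Apache 2.5/www.mydomain.com"
    ErrorLog "D:/Internet/Apache 2.5/logs/www.mydomain.com-error.log"
    CustomLog "D:/Internet/Apache 2.5/logs/www.mydomain.com-access.log" common
</VirtualHost>
```

Starting the server binary with -t checks the syntax, and the -S option mentioned in the httpd.conf excerpt above prints how the virtual hosts were parsed, which shows which one is the default.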

Author Comment

by:abel
> - I hope the explanation is not too long.
No, I rather like long explanations ;)

Thanks a lot for all these explanations. I hope it is enough to set up my default ideal server. This weekend I'll have some time. I'll leave the question open for some days while trying to get things to work and to see if I comprehend these things about the .conf enough by now.

Cheers!
Abel

Expert Comment

by:samri
An ideal server, to my knowledge, is a bit too far, but still reachable. Maybe after a few installs/reinstalls you might get comfortable enough to work with Apache.

Try to look into possibilities to work with Apache in a Unix environment. It's much more interesting than its Win32 version.

Some misc. reading material that might interest you.

http://httpd.apache.org/docs/misc/

Expert Comment

by:samri
abel,

Are you still wondering about Apache?

Should you need more clarification, we would be happy to help.

cheers.

Author Comment

by:abel
Samri,
Sorry for the delay and keeping you waiting. I had to properly set up my DNS, which caused some troubles (a q. I asked about that particular problem is http://Q.20285664.html , it's answered since yesterday).

In order, my planning basically looks like this:
1. tcp/ip
2. dns
3. tcp/pop cq. mail
4. http/https cq. apache

With some delays I am now at #3, which does not seem to cause me real trouble anymore. Please bear with me for (at most) a few days.

Author Comment

by:abel
Sorry, should've been http:Q.20285664.html , I almost forget the right format of these abbreviations ;-)

Expert Comment

by:samri
abel,

I would presume that AvonWyss's answer already got you through the DNS problem.

Based on the setup (that is recommended), I would say that you already have your MX entry pointing to the right mail server that you are going to use.

Whatever address you configure, assuming that you had:

External DNS:
mydomain.com.          IN MX 10 mail.mydomain.com.
mail.mydomain.com.     IN A  213.213.456.786

Internal DNS:
<same thing except the IP is different>

You need to configure your mail server to receive mail for the configured domain. Depending on what SMTP mail server (MTA) you would be using, the configuration options would be different. If you are using sendmail, add the mydomain to Cw (i.e. Cwmydomain.com).

As far as Apache is concerned, by default it will listen on any interface. This would allow the request to be coming from whatever IP/network. The trick is, if you defined virtual hosting, where the Host header is checked prior to processing the request, you might have to watch out. Note that the first VH will be the default VH for any request not matching any other VH.

If you need help on those items too, please let us know.

Expert Comment

by:samri
abel,

Do you still need assistance on this Q?

Author Comment

by:abel
Your help is very appreciated, and maybe I still need some, but not yet.
My DNS indeed works correctly and I am halfway setting up the mail server (after evaluating several products I decided to use XMailServer, alas, the easy Mercury did not run and SendMail is not for Win32). I'm sorry that it all goes quite slow, it's just that I have only a few hours in the week to accomplish this. Probably if I knew all about the terminologies and buzz-words used in this niche, I'd set it up in only a few hours, but unfortunately that is not the case.
I do a lot of reading, because I want to comprehend the whole thing. Nevertheless, I did not reach my prev. goal of setting everything up in just a few days.

But don't worry, I won't forget this thread. I'll try to hurry up a bit more, and reward you soon. Ok?

Expert Comment

by:samri
Don't worry about the pts.  It's not something that I could go on a shopping spree :)

I do not have that much experience with the MS Windows environment. If I were to decide on a platform, I would opt for the Unix version.

Anyway, if you need help on a general aspect, I might be able to help.

cheers.

Author Comment

by:abel
Samri,
Thanks for all your patience. I've come to understand the concepts a lot better, and the server is kinda running in a test environment now and it seems promising. In the end it appears a lot clearer and more open-minded than IIS, but that is no surprise for you I guess.

For now, there's only one question left, but I leave that for a new thread: how to test a system for security vulnerabilities.

Cheers,
Abel

Expert Comment

by:samri
abel,

Yes, it's not a surprise.  But it will be surprising some Big companies won't buy the OpenSource concept - Linux, Apache, are a big NO NO.

Personally, I would say IIS is not bad, but the problem is, it tends to serve more than JUST web service. And that is what I think the problem is. Plus, integration with the OS is kinda too much. It's like getting a device that will do everything, while you only need it to do one specific task. It's not bad, but looking after it (maintenance, administration and such) will be such a headache.

Security vulnerabilities? Have you checked out http://httpd.apache.org/docs/, specifically http://httpd.apache.org/docs/misc/security_tips.html

The point in setting up web service (or any service at all, that is open for public), is to keep it simple (or the KISS - Keep It Simple & Stupid ( I hope I got it right)).

Yup... It's good to start another thread.

One piece of advice. If you post it in the Apache TA, you might end up having answers that are too "Apache oriented"; perhaps Networking | Security, or Unix/Linux networking would be an option.

To me, it's not the Apache that causes too much trouble, it's the OS.  Well it all depends on who is talking (did I talk too much already).


cheers.