oreilly.comSafari Books Online.Conferences.


Apache: The Definitive Guide, 3rd Edition

Creating an Apache Site with Public and Secure Access

by Peter Laurie, coauthor of Apache: The Definitive Guide, 3rd Edition

If you want Apache to do anything useful, you have to write a config file. And, although we all know very well just how to do it in our heads, 99 times out of 100, we start out with an existing file and modify it.

I thought it might be interesting to run through such a file, to look at how it works and see where the subtle jokes are.

This particular web site is a demonstration from the new edition of Apache: The Definitive Guide; the page references below are to this book (and specifically, this site is discussed on page 260 of the book). Like most web sites I'm asked to create, this one, which offers a notional postcard business to the world, has a public face and a private face. Like a big store, in fact, it has a public entrance, which anyone can enter or exit from, and a private entrance, which can only be passed through with a key. Round the back we can maintain the site, check up on the visitors, exchange links with other sites, and do all that sort of stuff. It is typical of many small, useful web sites, and might even be useful to you. It also uses Apache v2, which is slightly different from v1.3.

I've assumed that you can fake up a couple of URLs: for the public site, and for the private one. You can, of course, change these to whatever suits you.

The config file is:

1:User webserv
2:Group webserv

3:LogLevel notice
4:LogFormat "%h %l %t \"%r\" %s %b %a %{user-agent}i %U" sidney

5:SSLSessionCache dbm:/usr/src/apache/apache_1.3.19/src/modules/ssl/gcache
6:SSLSessionCacheTimeout 3600

9:SSLCACertificateFile /usr/www/APACHE3/ca_cert/persfree2.crt
10:SSLVerifyDepth 2
11:SSLVerifyClient require


16:SSLEngine off

17:DocumentRoot /usr/www/APACHE3/site.virtual/htdocs/customers
18:ErrorLog /usr/www/APACHE3/site.ssl/apache_2/logs/error_log
19:CustomLog /usr/www/APACHE3/site.ssl/apache_2/logs/butterthlies_log sidney

22:SSLEngine on

24:DocumentRoot /usr/www/APACHE3/site.virtual/htdocs/salesmen
25:ErrorLog /usr/www/APACHE3/site.ssl/apache_2/logs/error_log
26:CustomLog /usr/www/APACHE3/site.ssl/apache_2/logs/butterthlies_log sidney

27:<Directory /usr/www/APACHE3/site.virtual/htdocs/salesmen>
29:AuthType Basic
30:AuthName darkness
31:AuthUserFile /usr/www/APACHE3/ok_users/sales
32:AuthGroupFile /usr/www/APACHE3/ok_users/groups
33:Require group cleaners


Each line has been numbered so that we can talk about it below--you wouldn't number the lines is a real file.

Lines 1 and 2 set up the user and group that Apache operates under when executing incoming requests. It is important for security that the site's files and scripts can only be read and executed by "webserv," and this user cannot log on and has no permissions to do anything anywhere else.

Lines 3 and 4 organize the level of logging and the format you want for the log messages (A:TDG, ED 3, p.191 et seq.).

Lines 5 and 6 specify the optional cache that speeds up secure service of parallel requests. In fact, for a simple web site, you probably don't need this, but there's no drawback to doing it, so you might as well. We refer to apache_1.3.19 in the path, but this is because this site has been inherited from the last version of the book, which was limited to Apache v1.3.

Related Reading

Apache: The Definitive Guide
By Ben Laurie, Peter Laurie

Lines 7 through 9 locate the Certificate files that prove the site is who it says it is, and that the user is who he says he is. If you or your staff are going to be the only secure users, then the authenticity of your site is not in question and you can make up your own certificates (A:TDG, ED 3, pp.225, 229); if strangers are to have access to the secure site, then you would probably need a certificate from a respectable Certificate Authority (CA).

Line 10 sets the number of Certificate Authorities certifying each other that you will tolerate. In theory, you only accept CAs signed by an authority you have specified, so "1" should be the entry. In practice, Apache complained, so we made it larger.

Line 11 is rather important: it makes it necessary for the client to present a certificate, so we know who is coming in the back door. If you want to let in anyone who knows the password (lines 29,30), set this to "0" or "none;" if you want them to have a certificate as well, set it to "2" or "require."

Lines 12 and 13 tell Apache to look out for calls for our IP number and the default ports. 80 is the default for ordinary HTTP and 443 for SSL access.

Line 14 directs ordinary requests to a virtual host, which is named in line 15. We could have had a line above:


And then:


but this format would not have worked for the secure section below, as we will see.

Line 16 switches encryption off. This is the default behaviour in Apache V2, but it makes it clear to anyone reading the file what is happening.

Lines 17-19 set up the directory of documents to be served and the logs, and line 20 ends the public virtual host section.

Line 21 introduces the secure section of the site. We can't use the NameVirtualHost directive followed by <VirtualHost URL>, because when it is executed, the incoming data--including the host name as part of the HTTP environment variables (A:TDG, ED 3, p.333)--is encrypted. Line 22 turns encryption on and 23 names the host we want to serve.

Lines 24-26 are the same as before. Line 27 sets up extra protection for the salesmen's root directory.

Line 28 makes sure you haven't inadvertently turned SSL off--it will refuse access to this directory tree unless SSL is in use.

Line 29 introduces authentication of the client (A:TDG, ED 3, p.98). The glaring defect of normal authentication is that the passwords are transmitted unencrypted. However, under SSL, they are encrypted along with everything else.

Lines 29 through 33 set up the user and group lists.

Lines 34 closes the Directory directive and 35 closes the VirtualHost section.

You now start Apache in the usual way, and you should be able to browse to the public site with and to the private one with (Don't forget the "s" in "https!"). There is nothing more disheartening than looking at a "This page cannot be displayed" dialog. But once you get some action, it's much easier to modify and improve the Configuration file above.

O'Reilly & Associates recently released (December 2002) Apache: The Definitive Guide, 3rd Edition.

Sponsored by: