Configuration of httpd.conf

Apache HTTP Server Documentation

Server Settings

httpd.conf defines some basic server settings. NEW marks features that are new or changed relative to NCSA httpd 1.3.


ServerType

Options:

  1. standalone
  2. inetd

inetd is the lesser used of the two options. In this mode, the server must be started from the system's inet daemon. This is achieved by adding the command to start Apache to /etc/services.

Each connection Apache receives results in a new instance of Apache being started. After the connection is complete, this instance of Apache exits.

There's a high price to pay per connection, but for security reasons, some admins prefer this option.

standalone is the most common setting for ServerType since it is far more efficient. Apache is started once, and services all subsequent connections.

If you intend running Apache to serve a busy site, standalone will probably be your only option.

SECURITY: if you are paranoid about security, run in inetd mode. Security cannot be guaranteed in either mode, but while most people are happy to use standalone, inetd is probably the less prone to attack.


Port

All unix http servers listen on a known port to communicate with clients. Traditionally, port 80 is used. Most client software assumes that servers use port 80.

Port 80 is one of unix's special ports. All ports numbered below 1024 are reserved for system use, i.e. regular users cannot make use of them, and instead they can only use higher port numbers.

To use port 80, you must start Apache from the root account. This might at first sound like a dangerous thing to do, but it should be noted that Apache (and other http servers) usually change to a low privileged user before accepting connections. See User/Group.

If you cannot use port 80, choose any other unused port. Non-root users will have to choose a port number higher than 1024.

SECURITY: If you do start Apache as root, be sure not to set User/Group to root. If you run the server as root while handling connections, your site is open to a major security attack.


BindAddress

Options:

  1. *
  2. <An IP address>
  3. <A fully qualified internet domain name>

A unix http server can either listen for connections on every IP address of the server machine, or on just one IP address of the server machine.

If the value is "*", then the server will listen for connections on every IP address, otherwise it will only listen on the IP address specified. The default is "*".

This option can be used to support virtual hosts.


User and Group

In order to serve requests, Apache has to run as a user with enough privileges to access the resources requested. However, this user should have no privileges which result in it being able to access files which aren't supposed to be visible to the outside world, and similarly, the user shouldn't be able to execute code which isn't meant for httpd requests.

When started by the root user, Apache uses the User and Group settings to change to a less privileged user and group, thus reducing the scope for security attacks.

What this boils down to is that you should set the User and Group settings to a username and groupname with limited privilege. It is recommended that you set up a new user and group specifically for running Apache. Some admins use user nobody, but this isn't always possible or desirable.

If you start Apache as a non-root user, Apache will fail to change to the lesser privileged user, and it will instead continue to run as that original user.

SECURITY: Don't set User/Group to root unless you know exactly what you are doing, and what the dangers are.
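As an added example (not part of the Apache documentation), the following POSIX sh script reads an httpd.conf and reports the settings the Port and User/Group sections warn about. The directive names and comment syntax are those of httpd.conf; the function names, the output format and the assumption that a missing Port means 80 are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Apache documentation. Reads an httpd.conf and
# reports the settings the Port and User/Group sections warn about: User or
# Group set to root (or left unset), and a Port below 1024, which means Apache
# must be started as root and so relies on User/Group to drop privilege.
# Returns the number of WARN lines printed, so 0 means nothing was flagged.

# Print the value of the last uncommented DIRECTIVE in FILE. Directive names in
# httpd.conf are case-insensitive and a line starting with '#' is a comment.
directive_value() {
    awk -v d="$2" 'BEGIN { d = tolower(d) }
        /^[[:space:]]*#/ { next }
        tolower($1) == d { v = $2 }
        END { if (v != "") print v }' "$1"
}

# audit_httpd_conf FILE
audit_httpd_conf() {
    conf=$1
    warnings=0
    for directive in User Group; do
        value=$(directive_value "$conf" "$directive")
        case $value in
            root)
                echo "WARN: $directive root - connections would be handled with root privilege"
                warnings=$((warnings + 1)) ;;
            "")
                echo "WARN: $directive not set - use a dedicated low-privilege user and group"
                warnings=$((warnings + 1)) ;;
            *)
                echo "OK:   $directive $value" ;;
        esac
    done
    port=$(directive_value "$conf" Port)
    [ -n "$port" ] || port=80          # assumption: port 80 when Port is absent
    if [ "$port" -lt 1024 ]; then
        echo "NOTE: Port $port is reserved; Apache must be started as root and rely on User/Group"
    else
        echo "OK:   Port $port (usable by a non-root user)"
    fi
    return "$warnings"
}
```

Run it as `audit_httpd_conf /usr/local/httpd/conf/httpd.conf` and check the exit status as well as the output.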


ServerAdmin

Use this setting to specify an email address to which people can send problem reports, or to just contact the server administrator.

It's probably worth setting up a dedicated address for this, e.g. www-admin@foo.bar.com, since users don't always tell you that they're talking about the server!


ServerRoot

When you install Apache, you'll have a directory where the conf/ and logs/ directories reside. This setting tells Apache exactly where.

Most sites will use /usr/local/httpd or /usr/local/etc/httpd, but there's no restriction on where the directory should be.


ErrorLog

Apache needs to record any errors it detects. Traditionally, it stores these in ServerRoot/logs/error_log, and one sets that using,

ErrorLog logs/error_log

One can use any directory and pathname. If the path you give doesn't start with a slash (/), then Apache assumes it is relative to ServerRoot.


TransferLog

All requests made to Apache need to be logged somewhere. TransferLog defines the file in which requests are logged.

Setting TransferLog is much the same as setting ErrorLog. If the filename doesn't start with a slash (/), then Apache assumes it is relative to ServerRoot.

Typically, TransferLog will be set to,

TransferLog logs/access_log

PidFile

In standalone mode, it is often useful to be able to send Apache a signal so that it closes and then reopens ErrorLog and TransferLog.

Why? Many admins will want to start new log files periodically, so that the old ones can be removed or compressed (they can get very big).

PidFile is a file which will hold the process id of the Apache daemon. Sending a SIGHUP (kill -1), to that process has the effect of closing and reopening the logfiles.

PidFile is set in the same way as ErrorLog and TransferLog.

Typically, PidFile will be set to,

PidFile logs/httpd.pid
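As an added example (not part of the Apache documentation), this POSIX sh routine carries out the log rotation the PidFile section describes: rename the log files, then send SIGHUP to the process id held in PidFile. It applies the ServerRoot-relative path rule from the ErrorLog and TransferLog sections; the function names, the timestamp suffix and the stale-pid check are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Apache documentation. Rotates the logs of a
# standalone Apache as the PidFile section describes: the log files are
# renamed first (the running server keeps writing to the renamed files), then
# SIGHUP (kill -1) is sent to the process id held in PidFile so that Apache
# closes and reopens ErrorLog and TransferLog at their configured names.
# Paths are interpreted as httpd.conf does: anything not starting with '/'
# is relative to ServerRoot. The function names are assumptions.
# Usage: rotate_apache_logs SERVERROOT PIDFILE LOG...

# resolve_path SERVERROOT PATH -> absolute path using the ServerRoot rule
resolve_path() {
    case $2 in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

rotate_apache_logs() {
    server_root=$1
    pidfile=$(resolve_path "$server_root" "$2")
    shift 2
    # Only signal a process id that is numeric and alive; a stale or corrupt
    # PidFile must not result in SIGHUP being sent to an unrelated process.
    pid=$(tr -d '[:space:]' 2>/dev/null < "$pidfile")
    case $pid in
        ''|*[!0-9]*)
            echo "rotate: no valid process id in $pidfile" >&2; return 1 ;;
    esac
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "rotate: process $pid from $pidfile is not running" >&2; return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    for log in "$@"; do
        path=$(resolve_path "$server_root" "$log")
        if [ -f "$path" ]; then
            mv "$path" "$path.$stamp"
        fi
    done
    # Apache closes and reopens its log files on SIGHUP, so new requests
    # are written to fresh files while the renamed ones can be compressed.
    kill -HUP "$pid"
}
```

A typical invocation is `rotate_apache_logs /usr/local/httpd logs/httpd.pid logs/error_log logs/access_log`.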

ServerName

ServerName can be used to define the preferred hostname on which Apache runs. A machine can have multiple names, e.g. www.foo.bar.com and thor.foo.bar.com can refer to the same machine. Apache can be made to inform clients (when appropriate) that the correct name to use is www.foo.bar.com (n.b. thor.foo.bar.com will still work).


CacheNegotiatedDocs

Until proxy cache servers begin to recognize content negotiated request responses, they will continue to ignore the different variations which documents might have. E.g. a logo might be available as both a gif and a jpg. Neither format should be cached by a proxy which might be serving clients with different preferences.

By default, Apache sends Pragma: no-cache with each document that was negotiated on the basis of content. This asks the proxy not to cache the document.

Using CacheNegotiatedDocs (by adding it uncommented to httpd.conf), the Pragma: no-cache HTTP header isn't sent, and proxies will be allowed to cache the documents.


Timeout

Apache has a default timeout setting of 400 seconds on both the receipt of a connection and the completion of a request, so if it takes more than 400 seconds for a client to send a request or receive a response, Apache will break off the connection.

Timeout can be set to any value you want; the units are seconds. E.g. to set it to 100 seconds,

Timeout 100

VirtualHost

VirtualHost (multi-home) support requires that your server machine is configured to accept IP packets for multiple addresses. This can be accomplished with the ifconfig alias flag (if your OS supports it), or through kernel patches like VIF which adds this support to SunOS_4.1.X.

<VirtualHost host.foo.com>
ServerAdmin webmaster@host.foo.com
DocumentRoot /www/docs/host.foo.com
ServerName host.foo.com
ErrorLog logs/host.foo.com-error_log
TransferLog logs/host.foo.com-access_log
</VirtualHost>

See also the information on Virtual Hosts.