Setup Time: Configuring Apache

Configuring a web server is like configuring an email or DNS server — small changes can have unforeseen consequences. Most web security problems are caused by configuration errors rather than exploits of the Apache code.

Apache Configuration Files

I mentioned that Apache’s configuration files could be found under /etc/httpd/conf, /usr/local/apache/conf, or some less well-lit place. The most prominent file is httpd.conf, but you will also see access.conf and srm.conf. These are historic remnants from the original NCSA web server. You can put any of Apache’s configuration directives in any of these files. In practice, people usually throw everything into httpd.conf. If you’d like to separate security-related directives from others, put them in access.conf. This has some advantages: access.conf is smaller, an editing error won’t break everything else, and security settings are more visible. But everything will work fine if you make your changes in httpd.conf.

Tip

There are also GUI tools to modify the Apache configuration, such as Red Hat’s X-based Apache Configuration Tool or the web-based webmin. Here, we’ll do it the old-fashioned text way and supply more information in place of screenshots.

Any time you change Apache’s configuration, check it before restarting the server:

# apachectl configtest

If this succeeds, start Apache:

# apachectl start
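The check-then-start sequence above can be wrapped in one function so that a failed configtest is never followed by a start. This is an added example, not from the book; the APACHECTL override and the optional log-file argument are assumptions.

```shell
#!/bin/sh
# Added example: gate "apachectl start" on a clean "apachectl configtest".
# APACHECTL is an assumed override for non-default installs,
# e.g. APACHECTL=/usr/local/apache/bin/apachectl
APACHECTL="${APACHECTL:-apachectl}"

# check_and_start [logfile]
#   Runs the syntax check, keeps its output for review, and starts the
#   server only when the check exits 0.
#   Returns 0 = started, 1 = configtest failed, 2 = start failed.
check_and_start() {
    # Use mktemp when no log path is given, so a root-run script never
    # writes to a predictable file name in a world-writable directory.
    log="${1:-$(mktemp)}"

    if ! "$APACHECTL" configtest >"$log" 2>&1; then
        echo "configtest failed; Apache not started. See $log" >&2
        return 1
    fi

    if ! "$APACHECTL" start >>"$log" 2>&1; then
        echo "configtest passed but start failed. See $log" >&2
        return 2
    fi

    echo "configtest passed; Apache started. Output in $log"
    return 0
}

# Usage (as root, after sourcing this file):  check_and_start
```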

Before starting Apache, let’s see how secure we can make it.

Configuration Options

To see what options your ...
