Configuration (Apache)

From vWiki
Jump to navigation Jump to search

Log Rotation

There are two ways to ensure your logs get rotated...

  • logrotate - The standard, cross application log rotation solution. Its very reliable and easy to configure, but requires that Apache is restarted every time your log is rotated so that it follows the log switch around.
  • rotatelog pipe - Has more overhead as logs are piped to a child process to handle, but doesn't require Apache restarts.

rotatelog

Edit you existing config file to redirect logging through the child rotatelogs process, this will probably be found in either your site config (EG in /etc/apache2/sites-enabled) or your Apache service config (EG in /etc/apache2/ )

ErrorLog  "|/usr/sbin/rotatelogs /var/log/apache2/error-%Y-%m-%d.log 86400"
CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access-%Y-%m-%d.log 86400" combined

Check that the path for rotatelogs is correct (search using find / -iname rotatelogs )

Restart Apache, perform a test page load on your site (that would generate log entries), and check that a log file has been generated as per your config

User/pass restrictions

To restrict access to a site with a username and password

  1. Create a user/pass entry in a file for a username
    • htpasswd -c /etc/apache2/htusers username
  2. Add the relevant bits to the config file for the website (see below)
    • EG /etc/apache2/sites-available/your-website file, eg
  3. Restart the apache service
    • apache2ctl -k graceful
<Directory />
    AuthType Basic 
    AuthName "Restricted Access" 
    AuthUserFile /etc/apache2/htusers 
    Require valid-user 
</Directory>

See also Secure Website

Status Page

Apache comes with its own in-built status page which, whilst not particularly pretty, gives a good overview of how your web-server is running. In the more recent versions of Apache its enabled by default, but only accessible from localhost.

To check that its enabled, look in /etc/apache/mods-enabled/ for two file link for status.conf and status.load. If not, create so that its enabled when you next restart Apache...

  1. cd /etc/apache/mods-enabled
  2. ln -s ../mods-available/status.load status.load
  3. ln -s ../mods-available/status.conf status.conf

Edit the status.conf to add the IP address(es) that you want to be able to (see http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow for guidance on this). Also enable ExtendedStatus. Example config file...

<IfModule mod_status.c>
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Uncomment and change the ".example.com" to allow
# access from other hosts.
# 

ExtendedStatus On

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24 123.234.5.6
</Location>

</IfModule>

Restart Apache to apply (apache2ctl -k graceful), then access through through an URL similar to http://www.domain.com/server-status.

If you also add 127.0.0.1 to the Allow from statement above you can get a status output to the console by using...

  • apache2ctl fullstatus

For further info see http://httpd.apache.org/docs/2.2/mod/mod_status.html