Apache Web Server

Note: This page has comments

Before embarking on this lecture, let's look at what you as a class had to say about your perception of OS+Web Server combinations and what languages you thought were the best 2020 Results.

How to Install, Configure (Server, Virtual Hosts, etc.), Secure, and manage Logs on for Apache 2 on Ubuntu.


The simplest task is installing Apache 2 on Ubuntu. This process has not changed significantly in several versions.

sudo apt install apache2

After this finishes, all required packages are installed and we can test it by going to the default page on our server with a browser. Usually you should see something like this:



The first thing you might notice is the location of the resources (web pages) that the server will look in. /var/www/html

The second thing you should know about Linux systems in general is that they almost always include documentation,AND THAT DOCUMENTATION IS SPECIFIC TO THE PLATFORM YOU ARE ON! In this case You will notice that the documentation for this installation references /usr/share/doc/apache2/README.Debian.gz. This tells us that the documentation for this installation (which builds on the Debian distribution) is gzipped and the location of that file.

How would you look at that file without unzipping it? less /usr/share/doc/apache2/README.Debian.gz will show you the page just as if it was a man page.

Demo/View Configuraton:


We consider three aspects of security here:

  1. Hardening the server
  2. Encrypting communication via SSL
  3. Authentication/Authorization options in Apache2

Hardening Apache2

Correctly configuring Apache goes a long way to securing it. To that end, we are going to look at the documentation related to hardening the apache server on ubuntu/debian. Give special attention to the security configuration contained in conf-avaialble/security.conf identified here as being in conf.d/security for debian (For full description of ServerTokens, See: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens).

Encrypting Communication

Configure Apache with an SSL certificate and change settings to allow https See: https://websiteforstudents.com/how-to-setup-self-signed-ssl-certificates-on-ubuntu-20-04-18-04/

Demo on fresh installed vm (desktop so you can do it all locally).

# a2enmod ssl

Now edit /etc/apache2/sites-available/default-ssl.conf - save it as 000-default-ssl.conf.

# a2ensite 000-default-ssl
# apachectl configtest
# systemctl restart apache2

No go look at the website using https.

DEMO: Take a look at dralin.cs.southern.edu and see if you can get it to work.

Authentication and Authorization Options for Apache2

There are 4 types of authentication provided by Apache2: AuthType $$\in$$ {None|Basic|Digest|Form}

Demo: Today we are going to setup Basic authentication using on dralin.cs.southern.edu. You can follow along at: https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth

Now let's take a look at Digest Authentication. You might think that this is better than sending passwords in clear text, but you could be wrong. See: https://httpd.apache.org/docs/2.4/mod/mod_auth_digest.html. As a consequence of what they say here, we are not going to even look at digest authentication/authorization.

Finally, let's look at Forms authentication: https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html. We will leave this as an exercise for you to complete.

Also see: https://httpd.apache.org/docs/2.4/howto/auth.html


When something goes wrong, looking in the logs is essential. Where are they? Well if you are not familiar with BASH scripts this may be a bit confusing. First log directory is something like ${APACHE_LOG_DIR}/error.log. But where is APACHE_LOG_DIR set? envvars of course! Looking in that file and we see right away that this is set near the top:

export APACHE_LOG_DIR=/var/log/apache2$SUFFIX

And $SUFFIX is defined near the top.

if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR} ] ; then 

Now, ## deletes longest match of the substring following the ## from the front of original string. So this literally tries to remove "/etc/apache2-" from the front of the config directory that by default is "/etc/apache2". For the default it will be unsuccessful and there will be no suffix. So we can safely assume that the $SUFFIX="", and that APACHE_LOG_DIR="/var/log/apache2/error.log". Of course it didn't take the computer as long to figure that out as it for us. Now let's take a look at where these logs.

Make sure to demo tail -f /var/log/apache2/...


We looked at the following topics

We found that Installing Apache2 on Ubuntu 20.04 is quite easy.

Apache2 Configuration resides completely text files. The main config file is /etc/apache2/apache2.conf. You can find all the other files as they are imported from here. General configuration, module and site configuration files are turned on and off through a level of indirection provided by the *-enabled directories allowing multiple configurations to be retained, but not enabled.

We looked at both hardening Apache2 Security and installing an SSL certificate. I highly recommend letsencrypt as a resource for this on your internet facing websites. Then we looked at the options Apache2 provides for Authentication and Authorization.

Log files were located through the config and envvars files. We used tail to follow the changes being made to the log file.

WebServices/LectureNotes/LectureNotes02 (last edited 2020-09-01 14:20:26 by scot)