Apache: In the beginning...

bionicfysh · September 26, 2003, 12:38pm

Hello Everyone,

This is my first post on this forum, and I a already like it

As you can tell I am a complete newbie to Apache. My mission is to setup a web server on my Suse Linux 8.1 box, initially for test purposes, and then if my ISP provider permits, then to allow other poeple to connect to it too....

Anyways, I have taken on board the advice of most forum administrators, in the sense that I looked at all of the post which are likelly to answer my question, in the hope not to bore you with trivial questions.
I have also digested numerous FAQs, and HOT-TOs, together with many google searches on Apache....

And the truth is that I still never get a straight answer to the most basic questions....
My question is: How do I use Apache ?

I have correctly installed it: OK
I have successfully started it as root (apachectl start)
I have also edited the /usr/local/apache/conf/httpd.conf file (after making a backup of course)
and I made some changes:

Listen myipaddress:80
BindAddress *
User wwwrun
Group users
DocumentRoot "/home/RSIA_taehakkyo/usr/rsia/rsias/www"
<Directory "/home/RSIA_taehakkyo/usr/rsia/rsias/www">
<IfModule mod_userdir.c>
UserDir public_html
UserDir www
</IfModule>
In all, I added all of the specifications that anyone else would in my position

Now I have copied one index.html and one cgi script to the ~user/www/ directory and ~user/www/cgi-bin directories respectively (N.B I also created these directories)
Now I try to restart the httpd, through apachectl restart, and it indicates that this went OK.

However, when I do this:
lynx
netscape
opera
...

or any other browser with :
http://myipaddress/index.html
http://myipaddress/icgi-bin/file.cgi
I get a default Suse Linux page, and nothing else.
Can someone, please tell me what I am doing wrong, and how I can overcome this issue.

I appreciate any help in this direction.

N.B last question: can I host my website (having bought a domain name) from home ?
what is the procedure ?
what are the pros & cons

Merci beaucoup mes amis !

Da Bionicfysh

csejl · September 26, 2003, 4:32pm

The index.html file goes into /usr/local/apache/htdocs directory. In general, if you are setting up user specific path you access it by going to yourdomain.com is available for purchase - Sedo.com.

In order for you to set up a web server that can be accessed by people outside. You need a real ip address (ask your isp), domain name and dns server (check out granitecanyon.com if you don't want to set it up yourself or pay for it).

Hope this helps.

cbkihong · September 26, 2003, 10:28pm

i don't think you should modify the default DocumentRoot. It's intended to be for use by root in most installations.

Sounds like you use the SuSE rpms so it defaults to the SuSE-specific default page.

Sounds like your URL should be instead
http://localhost/~RSIA_taehakkyo/index.html

As for CGI scripts, you can't run one unless you explicitly enable using the ExecCGI option.

I suggest you to restore to your SuSE configuration and restart from there.

Neo · September 30, 2003, 9:40am

This is not true.

The DocumentRoot has nothing to do with the root user. In fact, most people do not run Apache as root, to do so would decrease security.

You can put your DocumentRoot anywhere you want to as long as your have permissions to do so and give the documents the appropriate ownership and permissions.

cerberusofhnsg · September 30, 2003, 10:14pm

I think what he meant was that only root had write access, which is normal. That way, if someone gains nobody (or apache, whatever user apache runs as, as it differs on distros) privledges, they still cannot "deface" the website. As this user is very new with *nix, they probably would not check for this. That being said, doing a:
ln -s /path/to/webserver/directory /www
would accomplish this, while still being ok from anyone who would gain nobody, or apache.

Neo · September 30, 2003, 10:36pm

Many people do not run their apache web server as 'nobody' and it really has nothing to do with the document root.

Many versions of software like MySQL more easily run as a user such as mysql and when the web server runs as the mysql user, things work a lot better.

There is no reason to associate the root directory of an apache a document tree with the root user or similar groups and permissions.

Root, in this instance, simply means document tree root. Apache can run as many users, normally should not be root, but not necessarily 'nobody' for many applications. The root of document trees in Apache can owned and written to by any user, according to the configuration of the system.

cerberusofhnsg · October 1, 2003, 6:23pm

nobody 12954 0.0 0.0 6184 0 ? SW Sep20 0:00 [httpd]

This is the default on Red Hat 7.3, and I am not where I can confirm this on other distros. Apache typically runs either as nobody, or apache. Apache should *NEVER* run as root as whenever possible. I have pushed out several servers, where Apache is either running as nobody, or apache, and MySql was installed and configured to work with Apache. IMHO, Apache should not run as another user. I have never had any problems with MySQL running as a user different than Apache, and in fact this is more secure. If someone takes over MySQL, you don't want them to be able to kill httpd, etc.

I beg to differ on the permissions of the document tree root, root should be the only person (static websites here) that has write access to the website, so if someone does break into Apache, they cannot deface the website:

drwxr-xr-x 5 root root 4096 Aug 4 23:40 htdocs

is the default when installing Apache from source. This is done for a reason.

Please don't take this the wrong way Neo, simply giving my two cents on the matter. I guess I'm a bit paranoid on security, but in my job you have to be

Neo · October 1, 2003, 7:01pm

If you read my posts you will see that no one is advocating running Apache as root and I have NO idea why you posted your reply.

Apache can be run as 'nobody' and it can be run as other users, like the example I gave, a 'mysql' user. This is not root.

The question about DOCUMENTROOT has ZERO to do with the user ID root.

This thread was about DOCUMENT ROOT (read the original post) and give me a break

In fact, the original poster specified that his web server ran as:

wwwrun

.... so 'wwwrun' is the userid that Apache will run when subsequent connection are made.... 'wwwrun' is not root

cerberusofhnsg · October 1, 2003, 10:44pm

I wasn't saying anyone was running it as root. I was simply saying that leaving the default permissions where only root had write access was more secure. However, we all seemed to trail from that... I was simply saying that the document root was more secure when ONLY root had read/write (unless software that dynamically edits the website is used, like wiki). Let's let this discussion die

Neo · October 1, 2003, 10:53pm

I'm glad to let the thread die, but I don't agree that making sure only 'root' has write access is necessarily more secure.

It might be more secure, or it might not, depending on how the system is configured and what are the files, the permissions, and a host of other things.

We have web servers that runs as user 'foo' and the entire filesystem under document DocumentRoot is owned by 'foo' and I'm very happy with the security and would not change it.

'foo' can have a shell like /dev/null and be very secure too and there is no chance of any script executing as 'root' with an accidental SUID flag, etc.

This is off topic from the original post, but it is something that is important. DocumentRoot with Apache and the userid of the listening process can be a host of userids, that is why it is configurable in Apache.

Neo

cerberusofhnsg · October 2, 2003, 12:41am

I'll take that as a comprimise. 'Nuff said