Using and maintaining Apache 2.2 on Debian/Ubuntu Linux (some basic principles)

This page describes some basic principles about using and maintaining an Apache HTTP server on Debian/Ubuntu to get you started more easy.

Maintainability: strict separation of default config files and user-generated config files

Debian and Ubuntu are very maintainable operating systems. This is especially true regarding updates and keeping configurations traceable for you and third persons (e.g. another system administrator). To make this possible, they take care of a strict separation of automatically created default configuration files and user-generated configuration files.

The named characteristics are realized for the Apache HTTP Server by the following directory and file structure:

  • /etc/apache2/
    Default apache configuration files. /etc/apache2/ is the central configuration directory. You should not touch files located directly in this dir! The files there were created when you installed your Apache, enabling you to basically use the software. Changing these file is a bad idea because it may gets overwritten when you are updating the system:
    • /etc/apache2/apache2.conf (do NOT edit!)
    • /etc/apache2/httpd.conf (do NOT edit!)
    • /etc/apache2/ports.conf (do NOT edit!)
  • /etc/apache2/conf.d/
    User-generated *.conf files. Apache is looking for user-generated *.conf files in the /etc/apache2/conf.d/ directory automatically. Therefore it is possible and recommended to create separate /etc/apache2/conf.d/this-conf-file-does-foo.conf files for every logical job you add. If you follow this rule, you will always know where you are configuring what, making updates, clearance and troubleshooting less painful. The files are included in alphabetical order, so you may use numerical prefixes to control which files are loaded first. Examples:
    • /etc/apache2/conf.d/0000-basic.conf – good place to add own, basic directives and defaults. The 0000- prefix makes sure that the file will be included first.
    • /etc/apache2/conf.d/ports_additional.conf – good place to add additional Listen directives.
    • /etc/apache2/conf.d/compression.conf – good place to configure mod_deflate/mod_gzip…
  • /etc/apache2/mods-available/
    *.conf and *.load files files of all modules (enabled and disabled ones)
  • /etc/apache2/mods-enabled/
    *.conf and *.load files files of enabled/active modules. Every file in this directory should be a symlink, pointing to the real config file located in /etc/apache2/mods-available/.
  • /etc/apache2/sites-available/
    *.conf files files of all vHosts (enabled and disabled ones)
  • /etc/apache2/sites-enabled/
    *.conf files files of enabled/active vHosts. Every file in this directory should be a symlink, pointing to the real config file located in /etc/apache2/sites-available/.

Modules

Apache modules are loaded by the LoadModule directive, you have to pass the absolute path to the related .so file. Most modules also need additional Loading commands. Therefore a module gets it's own .load and – if needed – .conf file below /etc/apache2/mods-available/ to make things maintainable. Example:

  • mod_deflate brings
    • /etc/apache2/mods-available/deflate.load
    • /etc/apache2/mods-available/deflate.conf

Apache is looking for *.load and *.conf files within /etc/apache2/mods-enabled/ instead of /etc/apache2/mods-available/ at startup. Therefore, you have to create symlinks in /etc/apache2/mods-enabled/, pointing to the files in/etc/apache2/mods-available/ to “activate” a module. Or delete the symlinks to “disable” a module. But you don't have to do this by hand. Debian/Ubuntu provides two commands for the job:

  • a2enmod1)
  • a2dismod2)

Their usage is self-explanatory. If called without parameter, the commands are asking which module you want to handle. Or pass the module to enable/disable as first parameter. Please note that you need root privileges (→ sudo) to execute the scripts.

Name Based Virtual Hosts (vHosts)

vHosts are defined by the VirtualHost directive (see “Name based vHosts with Apache 2.2 on Debian/Ubuntu Linux” for details). Every defined vHost gets it's own .conf file below /etc/apache2/sites-available/ to make things maintainable.

Apache is looking for *.conf files within /etc/apache2/sites-enabled/ instead of /etc/apache2/sites-available/ at startup. Therefore, you have to create symlinks in /etc/apache2/sites-enabled/, pointing to the files in/etc/apache2/sites-available/ to “activate” a vHost. Or delete the symlinks to “disable” a vHost. But you don't have to do this by hand. Debian/Ubuntu provides two commands for the job:

  • a2ensite3)
  • a2dissite4)

Their usage is self-explanatory. If called without parameter, the commands are asking which vHost you want to handle. Or pass the vHost to enable/disable as first parameter (=its config file name without extension). Please note that you need root privileges (→ sudo) to execute the scripts.

Tips and tricks

Check your configuration syntax before usage

Apache reads the configuration files during startup. Therefore you can edit your configuration while Apache is running. If you made any errors, your server won't come up during the next restart. But there is a validation tool to find syntax errors without restarting your server:

sudo apache2ctl configtest

Why do I need root privileges to start the server? I thought Apache is using the www-data user?

Simple answer: Cause Apache is listening on a port 80 by default. Although the Apache daemon is running with its own user, you need root privileges to start something listening on a port smaller than 1024.

Restrictive file delivery

If there is more the one fitting <Directory> rule, the most general one will be process first, the most specific/nested one will be processed last. You can use this behavior the block all access to the general webroot (→ “/”) by default and allow access to some website directories afterwards (→ whitelist instead of a blacklist).

This is especially useful regarding vHosts:

  1. Block the root dir before any vHost is defined:
    #Set stricter default behaviour. More relaxed directives can be set via a more
    #specific <Directory>-setting, e.g. within a <VirtualHost>
    <Directory />
      Order Deny,Allow
      Deny from all
    </Directory>
  2. Permit access within the specific <VirtualHost> by using:
    <VirtualHost [...]>
      <Directory /var/www/htdocs/your-vhost-webroot>
        Order Deny,Allow
        Allow from all
      </Directory>
    </VirtualHost>
1)
apache 2 enable module
2)
apache 2 disable module
3)
apache 2 enable site
4)
apache 2 disable site
Print/export
QR Code
QR Code app:apache-http-server:apache2-debian-ubuntu (generated for current page)
Languages
Translations of this page: