Table of content
  1. File System
  2. Startup
  3. SSL
  4. Virtual host
  5. Optimisation
    1. mmap & sendfile
  6. Macros
    1. Enabling SSL
    2. Redirection

Installing a Web server running under Apache. The base configuration will be presented, along with potential architecture to facilitate hosting of multiple sites.

Build information

Ensure the following options:

www/apache24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

[x] ACTIONS             Action triggering on requests
[x] ALIAS               Mapping of requests to different filesystem parts
[x] ALLOWMETHODS        Restrict allowed HTTP methods
[x] ASIS                Sends files that contain their own HTTP headers
[x] AUTHNZ_FCGI         FastCGI authorizer-based authentication and authorization
[x] AUTHNZ_LDAP         LDAP based authentication
[x] AUTHN_ANON          Anonymous user authentication control
[x] AUTHN_CORE          Core authentication module
[x] AUTHN_DBD           SQL-based authentication control
[x] AUTHN_DBM           DBM-based authentication control
[x] AUTHN_FILE          File-based authentication control
[x] AUTHN_SOCACHE       Cached authentication control
[x] AUTHZ_CORE          Core authorization provider vector module
[x] AUTHZ_DBD           SQL based authorization and Login/Session support
[x] AUTHZ_DBM           DBM-based authorization control
[x] AUTHZ_GROUPFILE     "require group" authorization control
[x] AUTHZ_HOST          Host-based authorization control
[x] AUTHZ_OWNER         "require file-owner" authorization control
[x] AUTHZ_USER          "require user" authorization control
[x] AUTH_BASIC          Basic authentication
[x] AUTH_DIGEST         RFC2617 Digest authentication
[x] AUTH_FORM           Form authentication
[x] AUTOINDEX           Directory listing
[x] BROTLI              Brotli compression support
[x] BUFFER              Filter Buffering
[x] CACHE               Dynamic file caching
[x] CACHE_DISK          Disk caching module
[x] CACHE_SOCACHE       Shared object cacheing module
[x] CERN_META           CERN-type meta files
[x] CGI                 CGI scripts (non-threaded MPMs)
[x] CGID                CGI scripts (threaded MPMs)
[x] CHARSET_LITE        Character set translation. Enabled by default only on EBCDIC systems
[x] DATA                RFC2397 data encoder
[x] DAV                 WebDAV protocol handling. --enable-dav also enables mod_dav_fs
[x] DAV_FS              DAV provider for the filesystem. --enable-dav also enables mod_dav_fs
[x] DAV_LOCK            DAV provider for generic locking
[x] DBD                 Apache DBD Framework
[x] DEFLATE             Deflate transfer encoding support
[x] DIR                 Directory request handling
[x] DUMPIO              I/O dump filter
[x] ENV                 Clearing/setting of ENV vars
[x] EXPIRES             Expires header control
[x] EXT_FILTER          External filter module
[x] FILE_CACHE          File cache
[x] FILTER              Smart Filtering
[x] HEADERS             HTTP header control
[x] HEARTBEAT           Generates Heartbeats
[x] HEARTMONITOR        Collects Heartbeats
[x] HTTP2               HTTP/2 (RFC 7540) support
[x] IMAGEMAP            Server-side imagemaps
[x] INCLUDE             Server-side includes
[x] INFO                Server information
[ ] IPV4_MAPPED         Allow IPv6 sockets to handle IPv4 connections
[x] LBMETHOD_BYBUSYNESS Apache proxy Load balancing by busyness
[x] LBMETHOD_BYREQUESTS Apache proxy Load balancing by request counting
[x] LBMETHOD_BYTRAFFIC  Apache proxy Load balancing by traffic counting
[x] LBMETHOD_HEARTBEAT  Apache proxy Load balancing from Heartbeats
[x] LDAP                LDAP caching and connection pooling services
[x] LOGIO               Input and output logging
[x] LOG_DEBUG           Configurable debug logging
[x] LOG_FORENSIC        Forensic logging
[x] MACRO               Define and use macros in configuration files
[x] MD                  Managing domains across virtual hosts, certificate provisioning via the ACME protocol
[x] MIME                Mapp file-ext. to MIME (recommended)
[x] MIME_MAGIC          Automagically determining MIME type
[x] NEGOTIATION         Content negotiation
[x] PROXY               Build enabled PROXY modules
[x] RATELIMIT           Output Bandwidth Limiting
[x] REFLECTOR           Reflect request through the output filter stack
[x] REMOTEIP            Translate header contents to an apparent client remote_ip
[x] REQTIMEOUT          Limit time waiting for request from client
[x] REQUEST             Request Body Filtering
[x] REWRITE             Rule based URL manipulation
[x] SED                 Filter request and/or response bodies through sed
[x] SESSION             Build enabled SESSION modules
[x] SETENVIF            Modify ENV vars based on characteristics of the request
[x] SLOTMEM_PLAIN       Slotmem provider that uses plain memory
[x] SLOTMEM_SHM         Slotmem provider that uses shared memory
[x] SOCACHE_DBM         dbm small object cache provider
[x] SOCACHE_MEMCACHE    memcache small object cache provider
[x] SOCACHE_SHMCB       shmcb small object cache provider
[x] SPELING             Correct common URL misspellings
[x] SSL                 SSL/TLS support (mod_ssl)
[x] STATUS              Process/thread monitoring
[x] SUBSTITUTE          Response content rewrite-like filtering
[ ] SUEXEC              Set uid and gid for spawned processes
[ ] SUEXEC_SYSLOG       Enable syslog for suexec
[x] UNIQUE_ID           Per-request unique ids
[x] USERDIR             Mapping of requests to user-specific directories
[x] USERTRACK           User-session tracking
[x] VERSION             Determining httpd version in config files
[x] VHOST_ALIAS         Mass virtual hosting
[x] WATCHDOG            Watchdog module
[x] XML2ENC             i18n support for markup filters
[x] PROXY_AJP           AJP support module for mod_proxy
[x] PROXY_BALANCER      mod_proxy extension for load balancing
[x] PROXY_CONNECT       mod_proxy extension for CONNECT request handling
[x] PROXY_EXPRESS       Dynamic mass reverse proxy extension for mod_proxy
[x] PROXY_FCGI          FastCGI support module for mod_proxy
[x] PROXY_HTTP2         HTTP/2 support module for h2 and h2c
[x] PROXY_FDPASS        fdpass external process support module for mod_proxy
[x] PROXY_FTP           FTP support module for mod_proxy
[x] PROXY_HCHECK        Dynamic health check of Balancer members (workers) for mod_proxy
[x] PROXY_HTML          Fix HTML Links in a Reverse Proxy
[x] PROXY_HTTP          HTTP support module for mod_proxy
[x] PROXY_SCGI          SCGI gateway module for mod_proxy
[x] PROXY_UWSGI         UWSGI gateway module for mod_proxy
[x] PROXY_WSTUNNEL      Websockets Tunnel module for mod_proxy
[x] SESSION_COOKIE      Session cookie module
[x] SESSION_CRYPTO      Session crypto module
[x] SESSION_DBD         Session dbd module
(*) MPM_PREFORK         non-threaded, pre-forking web server
(*) MPM_SHARED          all MPMs as loadable module

File System

To organize and segment the disk space dedicated to web sites, each site will be assigned a dedicated file system, thereby facilitating backup, migration or quota implementation.

ZFS name Mount point Description
system/web /web Root of the different websites and common architecture
system/web/${webhost} /web/${webhost} Directory dedicated to the ${webhost} website

Startup

rc.conf
1
2

apache24_enable="YES"
apache24_http_accept_enable="YES"

The apache24_http_accept_enable tell the startup script to run apache with socket filters (http and data), the script will also manage the loading of the necessary kernel modules (accf_http and accf_data). This will increase performance by only accepting connection when a full HTTP header has been buffered by the kernel.

SSL

Mime types

Defining the mime types for the *.crt (certificat) and *.crl (certificat revokation list) files:

1
2
3

  # Mime types 
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
SSL settings

Configuration of Apache to match the characteristics of the operating system on which it is running

1
2
3
4
5
6
7
8
9
10
11

  # Random seed 
  SSLRandomSeed startup   file:/dev/urandom 512 
  SSLRandomSeed connect   file:/dev/urandom 512 

  # Pass Phrase Dialog
  SSLPassPhraseDialog     builtin

  # Inter-Process Session Cache:
  SSLMutex                file:/var/run/ssl_mutex
  SSLSessionCache         shmcb:/var/run/ssl_scache(512000)
  SSLSessionCacheTimeout  300
SSL certificats

Thanks to the TLS Extension Server Name Indication (SNI) it is now possible for different virtual hosts to use different SSL certificats (and so to have the directives SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile inside a VirtualHost) section

1
2
3

  SSLCertificateFile      /etc/cert/wildcard.example.com.crt
  SSLCertificateKeyFile   /etc/cert/wildcard.example.com.key
  SSLCertificateChainFile /etc/cert/cachain.pem
Virtual host

A typical virtual host configuration for serving page through https is to listen on port 443 with SSL turn on. To enhance security the list of available cyphers can be restrained (SSLCipherSuite).

1
2
3
4
5

Listen 443

<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>

Virtual host

The chosen directory structure is as follows and is located in /web/www.example.com/:

Directory Description
conf Configuration for Apache (apache.conf) and other applications
log Log files (apache, php, rewrite, …)
htdocs Website content
session Session management
tmp Temporary files (uploaded files, …)
_virtualhost_.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

<VirtualHost *:80>
    ## Server information ################################################
    ServerName          www.example.com
    ServerAdmin         admin@example.com
 
    ## Logging ###########################################################
    ErrorLog            /web/www.example.com/log/error.log
    CustomLog           /web/www.example.com/log/access.log combined
    RewriteLog          /web/www.example.com/log/rewrite.log
    php_value error_log /web/www.example.com/log/php.log

    ## PHP config ########################################################
    AddType             application/x-httpd-php   .php
    php_value           session.save_path         /web/www.example.com/session/
    php_value           upload_tmp_dir            /web/www.example.com/tmp/
    php_admin_value     open_basedir              /usr/local/share/pear/:\
/web/www.example.com/tmp/:/web/www.example.com/htdocs/

    ## Root / Index ######################################################
    DocumentRoot        /web/www.example.com/htdocs
    DirectoryIndex      index.php index.html

    ## Security ##########################################################
    <Directory /web/www.example.com/htdocs/>
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Optimisation

mmap & sendfile

If the pages are served from a remote file system (NFS, Samba), it is necessary to disable the use of mmap and sendfile.

1
2

  EnableMMAP     off
  EnableSendfile off

Macros

Enabling SSL

Enabling SSL
1
2
3
4
5
6
7

<Macro SSL $dir $crt $key $ca>
    SSLEngine 	    	      on

    SSLCertificateFile        $dir/$crt
    SSLCertificateKeyFile     $dir/$key
    SSLCertificateChainFile   $dir/$ca
</Macro>
Using Let's Encrypt certificate
1
2
3
4

<Macro SSL_LetsEncrypt>
    Use SSL		/usr/local/etc/cert/letsencrypt \
    			wildcard.crt wildcard.key ca.pem
</Macro>

Redirection

Redirecting from http to https
1
2
3
4
5
6
7
8
9
10
11
12
13

<Macro VHost_http_to_https $servername>
<Virtualhost *:80>
    Define logroot      ${LOGDIR}/$servername

    ServerName          $servername
    ServerAdmin         admin@example.com

    ErrorLog            ${logroot}/error.log
    CustomLog           ${logroot}/access.log combined

    RedirectMatch      (.*) https://$servername$1
</VirtualHost>
</Macro>