= Apache HTTP Server

'''

[NOTE]
======

This page was automatically converted from https://fedoraproject.org/wiki/Apache_HTTP_Server

It is probably

* Badly formatted
* Missing graphics and tables that do not covert well from mediawiki
* Out-of-date
* In need of other love

Please fix it, remove this notice, and then add to `_topic_map.yml`

Pull requests accepted at https://pagure.io/fedora-docs/fedora-howto

Once that is live, go to the original wiki page and add an `{{old}}`
tag, followed by a note like

....
{{admon/note|This page has a new home!|
This wiki page is no longer maintained. Please find the up-to-date
version at: https://docs.fedoraproject.org/whatever-the-url
}}
....

======

'''


The Apache HTTP Server is one of the most commonly-used web servers.
This page acts as a quick start guide to deploying and configuring
Apache on Fedora. For (many) more details, please see
https://httpd.apache.org/docs/current/[upstream's extensive
documentation].

[[installation]]
Installation
~~~~~~~~~~~~

`$ su` +
`# dnf install httpd`

To have the server start at each boot:

`# systemctl enable httpd.service`

To start the server now:

`# systemctl start httpd.service`

At this point, you should be able to browse to http://localhost on the
server and access the Apache test page. You will most likely not be able
to access the server from any other host, yet: we will change this
link:#firewall-configuration[later].

[[tlsssl-support]]
TLS/SSL support
~~~~~~~~~~~~~~~

If you want TLS/SSL support, you can also install , which is based on
https://www.openssl.org[OpenSSL]. Alternatives are (uses
https://www.gnutls.org/[GnuTLS]) and (uses
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]).

[[using-mod_ssl]]
Using mod_ssl
^^^^^^^^^^^^^

Install mod_ssl package and it will be automatically enabled

`# dnf install mod_ssl`

[[install-an-existing-certificate]]
Install an existing certificate
+++++++++++++++++++++++++++++++

If you already have a certificate generated on another computer, move
the certificate and the key file to the correct folder, and ensure their
SELinux contexts, ownership, and permissions are correct:

`# mv key_file.key /etc/pki/tls/private/myhost.com.key` +
`# restorecon /etc/pki/tls/private/myhost.com.key` +
`# chown root.root /etc/pki/tls/private/myhost.com.key` +
`# chmod 0600 /etc/pki/tls/private/myhost.com.key` +
`#` +
`# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt` +
`# restorecon /etc/pki/tls/certs/myhost.com.crt` +
`# chown root.root /etc/pki/tls/certs/myhost.com.crt` +
`# chmod 0600 /etc/pki/tls/certs/myhost.com.crt`

After this link:#mod_ssl-configuration[ set it up]

[[generate-a-new-certificate]]
Generate a new certificate
++++++++++++++++++++++++++

How to https://fedoraproject.org/wiki/Https#openssl[generate a new
certificate]

[[mod_ssl-configuration]]
mod_ssl configuration
+++++++++++++++++++++

The default TLS/SSL configuration is contained in the file (if you are
using ). If you examine that file, you will see the directives that
specify where the TLS/SSL certificate and key are located:

`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`

If you look carefully, you will see that these directives are actually
enclosed in a block defining a
https://httpd.apache.org/docs/current/vhosts/[virtual host]:

 +
`...` +
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
`...` +
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key` +
`...` +

If we wanted to define a different location for these files, we could
edit the lines in directly, but it would be better to create a new file
:

 +
`SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt` +
`SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key` +

This file will override those two settings for the _default_:443 virtual
host; all other settings from will be kept.

[[settings-for-individual-virtual-hosts]]
Settings for individual virtual hosts

If you want a specific virtual host to use SSL/TLS with a different
certificate from the default, open that virtual host's configuration
file, usually , and insert these lines between and :

`SSLEngine on` +
`SSLCertificateFile /etc/pki/tls/certs/hostname.crt` +
`SSLCertificateKeyFile /etc/pki/tls/private/hostname.key`

[[installing-webapps]]
Installing webapps
~~~~~~~~~~~~~~~~~~

You probably want to run something on your web server. Many of the most
popular 'web applications' are packaged for Fedora. Using the packaged
versions of web applications is usually recommended: they will be
configured following the distribution's best practices which help to
ensure the security of the installation, for instance by installing
static files to locations the web server does not have the ability to
write to, and doing access control with configuration files rather than
files, which are slightly more vulnerable to attack.

Packaged web applications will also be configured to work with SELinux,
which provides significant security benefits.

You will also receive updates through the usual Fedora update process,
making it easier to keep your installation up to date.

They will also often have the default configuration tweaked according to
Fedora's conventions, meaning you have to do less work to get the
application up and running.

Most web applications are simply packaged according to their name. For
example, you can install Wordpress with:

`# dnf install wordpress`

Packaged web applications will usually provide Fedora-specific
instructions in a documentation file - for instance, Wordpress provides
the files and . It is always a good idea to read these files!

Packaged web applications usually restrict access by default so you can
access them only from the server host itself, to ensure you can run all
initial configuration safely and things like administration interfaces
are not left accessible to the public. For information on how to broaden
access, see link:#webapp-access-control[below].

Web applications commonly require the use of a database server. This
wiki contains information on installing and configuring PostgreSQL and
MariaDB on Fedora.

[[configuration]]
Configuration
~~~~~~~~~~~~~

is the main Apache configuration file. It _includes_ : if the same
setting is specified in both and a file in , the setting from the file
will win. Files in are read in alphabetical order: a setting from will
win over a setting from , which will win over a setting from , which
will win over a setting from .

It is usually best practice never to modify or any of the files shipped
by Fedora packages directly. If you make any local changes to these
files, then any changes to them in newer package versions will not be
directly applied: instead a file will be created and you will have to
merge the changes manually. It is usually better instead to create a new
file in which will take precedence over the file you wish to 'modify',
and make your settings there. For instance, to change a setting
specified in you could create the file and place your setting in that
file. We will see an example of this next.

After making any changes to your server configuration, you should run:

`# apachectl reload`

to apply the changes. Certain changes may require Apache to be fully
restarted:

`# systemctl restart httpd.service`

[[enabling-access-to-web-applications]]
Enabling access to web applications
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Fedora-packaged web applications are usually configured such that, by
default, access is allowed only from localhost. Typically you will find
that there is a file with the following (among other settings):

 +
`    ` +
`        # Apache 2.4` +
`        Require local` +
`    ` +
`    ` +
`        # Apache 2.2` +
`        Order Deny,Allow` +
`        Deny from all` +
`        Allow from 127.0.0.1` +
`        Allow from ::1` +
`    ` +

Before allowing general access to the webapp, ensure you have configured
it correctly and the administration interface and other sensitive areas
are not accessible without appropriate authentication. Also remember to
ensure your database configuration is secure, if the application uses a
database. To broaden access to the application, you can create a file .
To allow access to all systems on a typical local network, you could
write:

 +
`    ` +
`        # Apache 2.4` +
`        Require local` +
`        Require ip 192.168.1` +
`    ` +
`    ` +
`        # Apache 2.2` +
`        Order Deny,Allow` +
`        Deny from all` +
`        Allow from 127.0.0.1` +
`        Allow from ::1` +
`        Allow from 192.168.1` +
`    ` +

Once you are sure the application is correctly configured, this
configuration will allow access from any host:

 +
`    ` +
`        # Apache 2.4` +
`        Require all granted` +
`    ` +
`    ` +
`        # Apache 2.2` +
`        Order Deny,Allow` +
`        Allow from all` +
`    ` +

[[opening-firewall-ports]]
Opening firewall ports
^^^^^^^^^^^^^^^^^^^^^^

Apache uses port 80 for plain http connections and port 443 for TLS/SSL
connections by default. To make this service available from other
computers or the Internet your have to allow Apache through the firewall
like this:

To open the firewall at each boot:

For plain HTTP connections:

`# firewall-cmd --permanent --add-service=http`

For TLS/SSL connections:

`# firewall-cmd --permanent --add-service=https`

To open the firewall right now:

For plain HTTP connections:

`# firewall-cmd --add-service=http`

For TLS/SSL connections:

`# firewall-cmd --add-service=https`

Remember that if your server is running behind a NAT router, you will
also need to configure your router to forward the HTTP and HTTPS ports
to your server if you wish to allow access from outside your local
network.

[[disable-test-page]]
Disable test page
^^^^^^^^^^^^^^^^^

To disable the test page comment out all the lines in the file

[[references]]
References
~~~~~~~~~~

* https://httpd.apache.org/docs/current/[Apache documentation]
* https://httpd.apache.org/docs/current/getting-started.html[Apache
"Getting Started"]
* https://httpd.apache.org/docs/current/ssl/[Apache TLS/SSL
documentation]
* https://httpd.apache.org/docs/current/misc/security_tips.html[Apache
security tips]
* OwnCloud
'''

See a typo, something missing or out of date, or anything else which can be
improved? Edit this document at https://pagure.io/fedora-docs/fedora-howto.