Make sure that the following requirements are met before trying to set up the Apache Web server:

Apache on SUSE Linux Enterprise Server is not installed by default. To install it, start YaST and select Software+Software Management. Now choose Filter+Patterns and select Web and LAMP Server under Primary Functions. Confirm the installation of the dependent packages to finish the installation process.

Apache is installed with a standard, predefined configuration that runs “out of the box”. The installation includes the multiprocessing module apache2-prefork as well the PHP5 module. Refer to Section 40.4, “Installing, Activating, and Configuring Modules” for more information about modules.

To start Apache and make sure that it is automatically started during boot, start YaST and select System+System Services (Runlevel). Search for apache2 and Enable the service. The Web server starts immediately. By saving your changes with Finish, the system is configured to automatically start Apache in runlevels 3 and 5 during boot. For more information about the runlevels in SUSE Linux Enterprise Server and a description of the YaST runlevel editor, refer to Section 20.2.3, “Configuring System Services (Runlevel) with YaST”.

To start Apache using the shell, run rcapache2 start. To make sure that Apache is automatically started during boot in runlevels 3 and 5, use chkconfig -a apache2.

If you have not received error messages when starting Apache, the Web server should be running now. Start a browser and open http://localhost/. You should see an Apache test page starting with “If you can see this, it means that the installation of the Apache Web server software on this system was successful.” If you do not see this page, refer to Section 40.8, “Troubleshooting”.

Now that the Web server is running, you can add your own documents, adjust the configuration according to your needs, or add functionality by installing modules.

Configuring Apache manually involves editing the plain text configuration files as the user root.

/etc/apache2/
 |
 |- charset.conv 
 |- conf.d/
 |   |
 |   |- *.conf
 |
 |- default-server.conf
 |- errors.conf
 |- httpd.conf
 |- listen.conf
 |- magic
 |- mime.types
 |- mod_*.conf
 |- server-tuning.conf
 |- ssl.*
 |- ssl-global.conf
 |- sysconfig.d
 |   |
 |   |- global.conf
 |   |- include.conf
 |   |- loadmodule.conf . .
 |
 |- uid.conf
 |- vhosts.d
 |   |- *.conf

40.2.1.2. Virtual Host Configuration¶

The term virtual host refers to Apache's ability to serve multiple URIs (universal resource identifiers) from the same physical machine. This means that several domains, such as www.example.com and www.example.net, are run by a single Web server on one physical machine.

It is common practice to use virtual hosts to save administrative effort (only a single Web server needs to be maintained) and hardware expenses (each domain does not require a dedicated server). Virtual hosts can be name based, IP based, or port based.

Virtual hosts can be configured via YaST (see Section 40.2.2.1.4, “Virtual Hosts”) or by manually editing a configuration file. By default, Apache in SUSE Linux Enterprise Server is prepared for one configuration file per virtual host in /etc/apache2/vhosts.d/. All files in this directory with the extension .conf are automatically included to the configuration. A basic template for a virtual host is provided in this directory (vhost.template or vhost-ssl.template for a virtual host with SSL support).

Always Create a Virtual Host Configuration

It is recommended to always create a virtual host configuration file, even if your Web server only hosts one domain. In doing so, you not only have the domain-specific configuration in one file, but you can always fall back to a working basic configuration by simply moving, deleting, or renaming the configuration file for the virtual host. For the same reason, you should also create separate configuration files for each virtual host.

The <VirtualHost></VirtualHost> block holds the information that applies to a particular domain. When Apache receives a client request for a defined virtual host, it uses the directives enclosed in this section. Almost all directives can be used in a virtual host context. See http://httpd.apache.org/docs/2.2/mod/quickreference.html for further information about Apache's configuration directives.

40.2.1.2.1. Name-Based Virtual Hosts¶

With name-based virtual hosts, more than one Web site is served per IP address. Apache uses the host field in the HTTP header sent by the client to connect the request to a matching ServerName entry of one of the virtual host declarations. If no matching ServerName is found, the first specified virtual host is used as a default.

The directive NameVirtualHost tells Apache on which IP address and, optionally, which port to listen for requests by clients containing the domain name in the HTTP header. This option is configured in the configuration file /etc/apache2/listen.conf.

The first argument can be a fully qualified domain name, but it is recommended to use the IP address. The second argument is the port and is optional. By default, port 80 is used and is configured via the Listen directive.

The wild card * can be used for both the IP address and the port number to receive requests on all interfaces. IPv6 addresses must be enclosed in square brackets.

Example 40.1. Variations of Name-Based VirtualHost Entries¶

# NameVirtualHost IP-address[:Port]
NameVirtualHost 192.168.3.100:80
NameVirtualHost 192.168.3.100
NameVirtualHost *:80
NameVirtualHost *
NameVirtualHost [2002:c0a8:364::]:80

The opening VirtualHost tag takes the IP address (or fully qualified domain name) previously declared with the NameVirtualHost as an argument in a name-based virtual host configuration. A port number previously declared with the NameVirtualHost directive is optional.

The wild card * is also allowed as a substitute for the IP address. This syntax is only valid in combination with the wild card usage in NameVirtualHost * . When using IPv6 addresses, the address must be included in square brackets.

Example 40.2. Name-Based VirtualHost Directives¶

<VirtualHost 192.168.3.100:80>
  ...
</VirtualHost>

<VirtualHost 192.168.3.100>
  ...
</VirtualHost>

<VirtualHost *:80>
  ...
</VirtualHost>

<VirtualHost *>
  ...
</VirtualHost>

<VirtualHost [2002:c0a8:364::]>
  ...
</VirtualHost>

40.2.1.2.2. IP-Based Virtual Hosts¶

This alternative virtual host configuration requires the setup of multiple IPs for a machine. One instance of Apache hosts several domains, each of which is assigned a different IP.

The physical server must have one IP address for each IP-based virtual host. If the machine does not have multiple network cards, virtual network interfaces (IP aliasing) can also be used.

The following example shows Apache running on a machine with the IP 192.168.3.100, hosting two domains on the additional IPs 192.168.3.101 and 192.168.3.102. A separate VirtualHost block is needed for every virtual server.

Example 40.3. IP-Based VirtualHost Directives¶

<VirtualHost 192.168.3.101>
  ...
</VirtualHost>

<VirtualHost 192.168.3.102>
  ...
</VirtualHost>

Here, VirtualHost directives are only specified for interfaces other than 192.168.3.100. When a Listen directive is also configured for 192.168.3.100, a separate IP-based virtual host must be created to answer HTTP requests to that interface—otherwise the directives found in the default server configuration (/etc/apache2/default-server.conf) are applied.

40.2.1.2.3. Basic Virtual Host Configuration¶

At least the following directives should be present in each virtual host configuration in order to set up a virtual host. See /etc/apache2/vhosts.d/vhost.template for more options.

ServerName

The fully qualified domain name under which the host should be addressed.

DocumentRoot

Path to the directory from which Apache should serve files for this host. For security reasons, access to the entire file system is forbidden by default, so you must explicitly unlock this directory within a Directory container.

ServerAdmin

E-mail address of the server administrator. This address is, for example, shown on error pages Apache creates.

ErrorLog

The error log file for this virtual host. Although it is not necessary to create separate error log files for each virtual host, it is common practice to do so, because it makes debugging of errors much easier. /var/log/apache2/ is the default directory where Apache's log files should be kept.

CustomLog

The access log file for this virtual host. Although it is not necessary to create separate access log files for each virtual host, it is common practice to do so, because it allows separate analysis of access statistics for each host. /var/log/apache2/ is the default directory where Apache's log files should be kept.

As mentioned above, access to the whole file system is forbidden by default for security reasons. Therefore, explicitly unlock the directories in which you have placed the files Apache should serve—for example the DocumentRoot:

<Directory "/srv/www/www.example.com/htdocs">
  Order allow,deny
  Allow from all
</Directory>

The complete configuration file looks like this:

Example 40.4. Basic VirtualHost Configuration¶

<VirtualHost 192.168.3.100>
  ServerName www.example.com;
  DocumentRoot /srv/www/www.example.com/htdocs
  ServerAdmin webmaster@example.com
  ErrorLog /var/log/apache2/www.example.com_log
  CustomLog /var/log/apache2/www.example.com-access_log common
  <Directory "/srv/www/www.example.com/htdocs">
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

To configure your Web server with YaST, start YaST and select Network Services+HTTP Server. When starting the module for the first time, the HTTP Server Wizard starts, prompting you to make just a few basic decisions concerning administration of the server. After having finished the wizard, the dialog in Section 40.2.2.2, “HTTP Server Configuration” starts every time you call the HTTP Server module.

40.2.2.1. HTTP Server Wizard¶

The HTTP Server Wizard consists of five steps. In the last step of the dialog, you are given the opportunity to enter the expert configuration mode to make even more specific settings.

40.2.2.1.1. Network Device Selection¶

Here, specify the network interfaces and ports Apache uses to listen for incoming requests. You can select any combination of existing network interfaces and their respective IP addresses. Ports from all three ranges (well-known ports, registered ports, and dynamic or private ports) that are not reserved by other services can be used. The default setting is to listen on all network interfaces (IP addresses) on port 80.

Check Open Firewall for Selected Ports to open the ports in the firewall that the Web server listens on. This is necessary to make the Web server available on the network, which can be a LAN, WAN, or the public Internet. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary.

Click Next to continue with configuration.

40.2.2.1.2. Modules¶

The Modules configuration option allows for the activation or deactivation of the script languages, the web server should support. For the activation or deactivation of other modules, refer to Section 40.2.2.2.2, “Server Modules”. Click Next to advance to the next dialog.

40.2.2.1.3. Default Host¶

This option pertains to the default Web server. As explained in Section 40.2.1.2, “Virtual Host Configuration”, Apache can serve multiple virtual hosts from a single physical machine. The first declared virtual host in the configuration file is commonly referred to as the default host. Each virtual host inherits the default host's configuration.

To edit the host settings (also called directives), choose the appropriate entry in the table then click Edit. To add new directives, click Add. To delete a directive, select it and click Delete.

Figure 40.1. HTTP Server Wizard: Default Host¶

Here is list of the default settings of the server:

Document Root

Path to the directory from which Apache serves files for this host. /srv/www/htdocs is the default location.

Alias

With the help of Alias directives, URLs can be mapped to physical file system locations. This means that a certain path even outside the Document Root in the file system can be accessed via a URL aliasing that path.

The default SUSE Linux Enterprise Alias /icons points to /usr/share/apache2/icons for the Apache icons displayed in the directory index view.

ScriptAlias

Similar to the Alias directive, the ScriptAlias directive maps a URL to a file system location. The difference is that ScriptAlias designates the target directory as a CGI location, meaning that CGI scripts should be executed in that location.

Directory

With the Directory setting, you can enclose a group of configuration options that will only apply to the specified directory.

Access and display options for the directories /usr/share/apache2/icons and /srv/www/cgi-bin are configured here. It should not be necessary to change the defaults.

Include

With include, additional configuration files can be specified. Two Include directives are already preconfigured: /etc/apache2/conf.d/ is the directory containing the configuration files that come with external modules. With this directive, all files in this directory ending in .conf are included. With the second directive, /etc/apache2/conf.d/apache2-manual.conf, the apache2-manual configuration file is included.

Server Name

This specifies the default URL used by clients to contact the Web server. Use a fully qualified domain name (FQDN) to reach the Web server at http://FQDN/ or its IP address. You cannot choose an arbitrary name here—the server must be “known” under this name.

Server Administrator E-Mail

E-mail address of the server administrator. This address is, for example, shown on error pages Apache creates.

After finishing with the Default Host step, click Next to continue with the configuration.

40.2.2.1.4. Virtual Hosts¶

In this step, the wizard displays a list of already configured virtual hosts (see Section 40.2.1.2, “Virtual Host Configuration”). If you have not made manual changes prior to starting the YaST HTTP wizard, no virtual host is present.

To add a host, click Add to open a dialog in which to enter basic information about the host. Server Identification includes the server name, server contents root (DocumentRoot), and administrator e-mail. Server Resolution is used to determine how a host is identified (name based or IP based). Specify the name or IP address with Change Virtual Host ID

Clicking Next advances to the second part of the virtual host configuration dialog.

In part two of the virtual host configuration you can specify whether to enable CGI scripts and which directory to use for these scripts. It is also possible to enable SSL. If you do so, you must specify the path to the certificate as well. See Section 40.6.2, “Configuring Apache with SSL” for details on SSL and certificates. With the Directory Index option, you can specify which file to display when the client requests a directory (by default, index.html). Add one or more filenames (space-separated) if you want to change this. With Enable Public HTML, the content of the users public directories (~user/public_html/) is made available on the server under http://www.example.com/~user.

	Creating Virtual Hosts
It is not possible to add virtual hosts at will. If using name-based virtual hosts, each hostname must be resolved on the network. If using IP-based virtual hosts, you can assign only one host to each IP address available.

40.2.2.1.5. Summary¶

This is the final step of the wizard. Here, determine how and when the Apache server is started: when booting or manually. Also see a short summary of the configuration made so far. If you are satisfied with your settings, click Finish to complete configuration. If you want to change something, click Back until you have reached the desired dialog. Clicking HTTP Server Expert Configuration opens the dialog described in Section 40.2.2.2, “HTTP Server Configuration”.

Figure 40.2. HTTP Server Wizard: Summary¶

40.2.2.2. HTTP Server Configuration¶

The HTTP Server Configuration dialog also lets you make even more adjustments to the configuration than the wizard (which only runs if you configure your Web server for the first time). It consists of four tabs described in the following. No configuration option you change here is effective immediately—you always must confirm your changes with Finish to make them effective. Clicking Cancel leaves the configuration module and discards your changes.

40.2.2.2.1. Listen Ports and Addresses¶

In HTTP Service, select whether Apache should be running (Enabled) or stopped (Disabled). In Listen on Ports, Add, Edit, or Delete addresses and ports on which the server should be available. The default is to listen on all interfaces on port 80. You should always check Open Firewall on Selected Ports, because otherwise the Web server is not reachable from the outside. Keeping the port closed is only useful in test situations where no external access to the Web server is necessary.

With Log Files, watch either the access log or the error log. This is useful if you want to test your configuration. The log file opens in a separate window from which you can also restart or reload the Web server (see Section 40.3, “Starting and Stopping Apache” for details). These commands are effective immediately.

Figure 40.3. HTTP Server Configuration: Listen Ports and Addresses¶

40.2.2.2.2. Server Modules¶

You can change the status (enabled or disabled) of Apache2 modules by clicking Toggle Status. Click Add Module to add a new module that is already installed but not yet listed. Learn more about modules in Section 40.4, “Installing, Activating, and Configuring Modules”.

Figure 40.4. HTTP Server Configuration: Server Modules¶

40.2.2.2.3. Main Host or Hosts¶

These dialogs are identical to the ones already described. Refer to Section 40.2.2.1.3, “Default Host” and Section 40.2.2.1.4, “Virtual Hosts”.

If you have followed the default way of installing Apache (described in Section 40.1.2, “Installation”), it is installed with all base and extension modules, the multiprocessing module Prefork MPM, and the external modules mod_php5 and mod_python.

You can install additional external modules by starting YaST and choosing Software+Software Management. Now choose Filter+Search and search for apache. Among other packages, the result list contains all available external Apache modules.

Using YaST, you can activate or deactivate the script language modules (PHP5, Perl, Python) with the module configuration described in Section 40.2.2.1, “HTTP Server Wizard”. All other modules can be enabled or disabled as described in Section 40.2.2.2.2, “Server Modules”.

If you prefer to activate or deactivate the modules manually, use the commands a2enmod mod_foo or a2dismod mod_foo, respectively. a2enmod -l outputs a list of all currently active modules.

Including Configuration Files for External Modules

If you have activated external modules manually, make sure to load their configuration files in all virtual host configurations. Configuration files for external modules are located under /etc/apache2/conf.d/ and are not loaded by default. If you need the same modules on each virtual host, you can include *.conf from this directory. Otherwise include individual files. See /etc/apache2/vhost.d/vhost.template for examples.

All base and extension modules are described in detail in the Apache documentation. Only a brief description of the most important modules is available here. Refer to http://httpd.apache.org/docs/2.2/mod/ to learn details about each module.

SUSE Linux Enterprise Server provides two different multiprocessing modules (MPMs) for use with Apache.

40.4.4.1. Prefork MPM¶

The prefork MPM implements a nonthreaded, preforking Web server. It makes the Web server behave similarly to Apache version 1.x in that it isolates each request and handles it by forking a separate child process. Thus problematic requests cannot affect others, avoiding a lockup of the Web server.

While providing stability with this process-based approach, the prefork MPM consumes more system resources than its counterpart, the worker MPM. The prefork MPM is considered the default MPM for Unix-based operating systems.

	MPMs in This Document
This document assumes Apache is used with the prefork MPM.

40.4.4.2. Worker MPM¶

The worker MPM provides a multithreaded Web server. A thread is a “lighter” form of a process. The advantage of a thread over a process is its lower resource consumption. Instead of only forking child processes, the worker MPM serves requests by using threads with server processes. The preforked child processes are multithreaded. This approach makes Apache perform better by consuming fewer system resources than the prefork MPM.

One major disadvantage is the stability of the worker MPM: if a thread becomes corrupt, all threads of a process can be affected. In the worst case, this may result in a server crash. Especially when using the Common Gateway Interface (CGI) with Apache under heavy load, internal server errors might occur due to threads unable to communicate with system resources. Another argument against using the worker MPM with Apache is that not all available Apache modules are thread-safe and thus cannot be used in conjunction with the worker MPM.

	Using PHP Modules with MPMs
Not all available PHP modules are thread-safe. Using the worker MPM with mod_php is strongly discouraged.

Find a list of all external modules shipped with SUSE Linux Enterprise Server here. Find the module's documentation in the listed directory.

Apache can be extended by advanced users by writing custom modules. To develop modules for Apache or compile third-party modules, the package apache2-devel is required along with the corresponding development tools. apache2-devel also contains the apxs2 tools, which are necessary for compiling additional modules for Apache.

apxs2 enables the compilation and installation of modules from source code (including the required changes to the configuration files), which creates dynamic shared objects (DSOs) that can be loaded into Apache at runtime.

The apxs2 binaries are located under /usr/sbin:

apxs2 installs modules so they can be used for all MPMs. The other two programs install modules so they can only be used for the respective MPMs. apxs2 installs modules in /usr/lib/apache2, apxs2-prefork and apxs2-worker installs modules in /usr/lib/apache2-prefork or /usr/lib/apache2-worker.

Install and activate a module from source code with the commands cd /path/to/module/source; apxs2 -cia mod_foo.c (-c compiles the module, -i installs it, and -a activates it). Other options of apxs2 are described in the apxs2(1) man page.

In SUSE Linux Enterprise Server, the execution of CGI scripts is only allowed in the directory /srv/www/cgi-bin/. This location is already configured to execute CGI scripts. If you have created a virtual host configuration (see Section 40.2.1.2, “Virtual Host Configuration”) and want to place your scripts in a host-specific directory, you must unlock and configure this directory.

ScriptAlias /cgi-bin/ "/srv/www/www.example.com/cgi-bin/"

<Directory "/srv/www/www.example.com/cgi-bin/">
 Options +ExecCGI
 AddHandler cgi-script .cgi .pl
 Order allow,deny
 Allow from all
</Directory>

CGI programming differs from "regular" programming in that the CGI programs and scripts must be preceded by a MIME-Type header such as Content-type: text/html. This header is sent to the client, so it understands what kind of content it receives. Secondly, the script's output must be something the client, usually a Web browser, understands—HTML in most cases or plain text or images, for example.

A simple test script available under /usr/share/doc/packages/apache2/test-cgi is part of the Apache package. It outputs the content of some environment variables as plain text. Copy this script to either /srv/www/cgi-bin/ or the script directory of your virtual host (/srv/www/www.example.com/cgi-bin/) and name it test.cgi.

Files accessible by the Web server should be owned by to the user root (see Section 40.7, “Avoiding Security Problems” for additional information). Because the Web server runs with a different user, the CGI scripts must be world-executable and world-readable. Change into the CGI directory and use the command chmod 755 test.cgi to apply the proper permissions.

Now call http://localhost/cgi-bin/test.cgi or http://www.example.com/cgi-bin/test.cgi. You should see the “CGI/1.0 test script report”.

If you do not see the output of the test program but an error message instead, check the following:

In order to use SSL/TSL with the Web server, you need to create an SSL certificate. This certificate is needed for the authorization between Web server and client, so that each party can clearly identify the other party. To ensure the integrity of the certificate, it must be signed by a party every user trusts.

There are three types of certificates you can create: a “dummy” certificate for testing purposes only, a self-signed certificate for a defined circle of users that trust you, and a certificate signed by an independent, publicly-known certificate authority (CA).

Creating a certificate is basically a two step process. First, a private key for the certificate authority is generated then the server certificate is signed with this key.

	For More Information
To learn more about concepts and definitions of SSL/TSL, refer to http://httpd.apache.org/docs/2.2/ssl/ssl_intro.html.

40.6.1.1. Creating a “Dummy” Certificate¶

Generating a dummy certificate is simple. Just call the script /usr/bin/gensslcert. It creates or overwrites the following files:

• /etc/apache2/ssl.crt/ca.crt

• /etc/apache2/ssl.crt/server.crt

• /etc/apache2/ssl.key/server.key

• /etc/apache2/ssl.csr/server.csr

A copy of ca.crt is also placed at /srv/www/htdocs/CA.crt for download.

A dummy certificate should never be used on a production system. Only use it for testing purposes.

40.6.1.2. Creating a Self-Signed Certificate¶

If you are setting up a secure Web server for an Intranet or for a defined circle of users, it might be sufficient if you sign a certificate with your own certificate authority (CA).

Creating a self-signed certificate is an interactive nine-step process. Change into the directory /usr/share/doc/packages/apache2 and run the following command: ./mkcert.sh make --no-print-directory /usr/bin/openssl /usr/sbin/ custom. Do not attempt to run this command from outside this directory. The program provides a series of prompts, some of which require user input.

Procedure 40.1. Creating a Self-Signed Certificate with mkcert.sh¶

1. Decide the signature algorithm used for certificates

   Choose RSA (R, the default), because some older browsers have problems with DSA.

2. Generating RSA private key for CA (1024 bit)

   No interaction needed.

3. Generating X.509 certificate signing request for CA

   Create the CA's distinguished name here. This requires you to answer a few questions, such as country name or organization name. Enter valid data, because everything you enter here later shows up in the certificate. You do not need to answer every question. If one does not apply to you or you want to leave it blank, use “.”. Common name is the name of the CA itself—choose a significant name, such as My company CA.

4. Generating X.509 certificate for CA signed by itself

   Choose certificate version 3 (the default).

5. Generating RSA private key for SERVER (1024 bit)

   No interaction needed.

6. Generating X.509 certificate signing request for SERVER

   Create the distinguished name for the server key here. Questions are almost identical to the ones already answered for the CA's distinguished name. The data entered here applies to the Web server and does not necessarily need to be identical to the CA's data (for example, if the server is located elsewhere).

   	Selecting a Common Name
   The common name you enter here must be the fully qualified hostname of your secure server (for example, www.example.com). Otherwise the browser issues a warning that the certificate does not match the server when accessing the Web server.

7. Generating X.509 certificate signed by own CA

   Choose certificate version 3 (the default).

8. Encrypting RSA private key of CA with a pass phrase for security

   It is strongly recommended to encrypt the private key of the CA with a password, so choose Y and enter a password.

9. Encrypting RSA private key of SERVER with a pass phrase for security

   Encrypting the server key with a password requires you to enter this password every time you start the Web server. This makes it difficult to automatically start the server on boot or to restart the Web server. Therefore, it is common sense to say N to this question. Keep in mind that your key is unprotected when not encrypted with a password and make sure that only authorized persons have access to the key.

   	Encrypting the Server Key
   If you choose to encrypt the server key with a password, increase the value for APACHE_TIMEOUT in /etc/sysconfig/apache2. Otherwise you do not have enough time to enter the passphrase before the attempt to start the server is stopped unsuccessfully.

The script's result page presents a list of certificates and keys it has generated. Contrary to what the script outputs, the files have not been generated in the local directory conf, but to the correct locations under /etc/apache2/.

The last step is to copy the CA certificate file from /etc/apache2/ssl.crt/ca.crt to a location where your users can access it in order to incorporate it into the list of known and trusted CAs in their Web browsers. Otherwise a browser complains that the certificate was issued by an unknown authority. The certificate is valid for one year.

	Self-Signed Certificates
Only use a self-signed certificate on a Web server that is accessed by people who know and trust you as a certificate authority. It is not recommended to use such a certificate on a public shop, for example.

The default port for SSL and TLS requests on the Web server side is 443. There is no conflict between a “regular” Apache listening on port 80 and an SSL/TLS-enabled Apache listening on port 443. In fact, HTTP and HTTPS can be run with the same Apache instance. Usually separate virtual hosts are used to dispatch requests to port 80 and port 443 to separate virtual servers.

	Firewall Configuration
Do not forget to open the firewall for SSL-enabled Apache on port 443. This can be done with YaST as described in Section 43.4.1, “Configuring the Firewall with YaST”.

To use SSL, it must be activated in the global server configuration. Open /etc/sysconfig/apache2 in an editor and search for APACHE_MODULES. Add “ssl” to the list of modules if it is not already present (mod_ssl is activated by default). Next, search for APACHE_SERVER_FLAGS and add “SSL”. If you have chosen to encrypt your server certificate with a password, you should also increase the value for APACHE_TIMEOUT, so you have enough time to enter the passphrase when Apache starts. Restart the server to make these changes active. A reload is not sufficient.

The virtual host configuration directory contains a template /etc/apache2/vhosts.d/vhost-ssl.template with SSL-specific directives that are extensively documented. Refer to Section 40.2.1.2, “Virtual Host Configuration” for the general virtual host configuration.

To get started, copy the template to /etc/apache2/vhosts.d/mySSL-host.conf and edit it. Adjusting the values for the following directives should be sufficient:

	Name-Based Virtual Hosts and SSL
It is not possible to run multiple SSL-enabled virtual hosts on a server with only one IP address. Users connecting to such a setup receive a warning message stating that the certificate does not match the server name every time they visit the URL. A separate IP address or port is necessary for every SSL-enabled domain to achieve communication based on a valid SSL certificate.

If there are vulnerabilities found in the Apache software, a security advisory will be issued by SUSE. It contains instructions for fixing the vulnerabilities, which in turn should be applied soon as possible. The SUSE security announcements are available from the following locations:

By default in SUSE Linux Enterprise Server, the DocumentRoot directory /srv/www/htdocs and the CGI directory /srv/www/cgi-bin belong to the user and group root. You should not change these permissions. If the directories were writable for all, any user could place files into them. These files might then be executed by Apache with the permissions of wwwrun, which may give the user unintended access to file system resources. Use subdirectories of /srv/www to place the DocumentRoot and CGI directories for your virtual hosts and make sure that directories and files belong to user and group root.

By default, access to the whole file system is denied in /etc/apache2/httpd.conf. You should never overwrite these directives, but specifically enable access to all directories Apache should be able to read (see Section 40.2.1.2.3, “Basic Virtual Host Configuration” for details). In doing so, ensure that no critical files, such as password or system configuration files, can be read from the outside.

Interactive scripts in Perl, PHP, SSI, or any other programming language can essentially run arbitrary commands and therefore present a general security issue. Scripts that will be executed from the server should only be installed from sources the server administrator trusts—allowing users to run their own scripts is generally not a good idea. It is also recommended to do security audits for all scripts.

To make the administration of scripts as easy as possible, it is common practice to limit the execution of CGI scripts to specific directories instead of globally allowing them. The directives ScriptAlias and Option ExecCGI are used for configuration. The SUSE Linux Enterprise Server default configuration does not allow execution of CGI scripts from everywhere.

All CGI scripts run as the same user, so different scripts can potentially conflict with each other. The module suEXEC lets you run CGI scripts under a different user and group.

When enabling user directories (with mod_userdir or mod_rewrite) you should strongly consider not allowing .htaccess files, which would allow users to overwrite security settings. At least you should limit the user's engagement by using the directive AllowOverRide. In SUSE Linux Enterprise Server, .htaccess files are enabled by default, but the user is not allowed to overwrite any Option directives when using mod_userdir (see the /etc/apache2/mod_userdir.conf configuration file).

For a list of new features in Apache 2.2, refer to http://httpd.apache.org/docs/2.2/new_features_2_2.html. Information about upgrading from version 2.0 to 2.2 is available at http://httpd.apache.org/docs-2.2/upgrading.html.

More information about external Apache modules from Section 40.4.5, “External Modules” is available at the following locations:

More information about developing Apache modules or about getting involved in the Apache Web server project are available at the following locations:

If you experience difficulties specific to Apache in SUSE Linux Enterprise Server, take a look at the Technical Information Search at http://www.novell.com/support. The history of Apache is provided at http://httpd.apache.org/ABOUT_APACHE.html. This page also explains why the server is called Apache.