
Apache Directory Permission Issues (repost)

2007-01-15 17:14:18 / Category: My Work


Installing

apt-get install apache2 apache2-doc file lynx

Note: This installs the apache2-mpm-worker package, which is now preferred over the older apache2-mpm-prefork. However, for PHP (required by Gallery) you're stuck with apache2-mpm-prefork (no worries; you'll get seamlessly converted to prefork if you install PHP).

Adding content

Add content to /var/www. My structure is
/var/www/virtual_host/ROOT     <--- main content
                     /foo      <---- webapps etc.
        /virtual_host2

Configuration

Debian splits the configuration into pieces. /etc/apache2/apache2.conf contains standard settings that normally don't need changing. /etc/apache2/httpd.conf is legacy support. Put your settings in files inside /etc/apache2/conf.d/. All files in this directory are loaded automatically.

I just created a lorrin.conf in there where I do basic housekeeping.

# Set up InternetExplorer variable when Internet Explorer detected
BrowserMatchNoCase MSIE InternetExplorer

# 2004-Jan-24 LHN: Protect the file system as a whole
<Directory />
        Order Deny,Allow
        Deny from all
</Directory>

# 2004-Jan-24 LHN: Protect special directories.
<DirectoryMatch "(WEB-INF|META-INF|private)">
        Order allow,deny
        Deny from all
        AllowOverride None
</DirectoryMatch>

# 2004-Mar-04 LHN: Enable virtual hosting
NameVirtualHost *:80
NameVirtualHost *:81

# 2004-Mar-04 LHN: Add SSI processing to .css files
<FilesMatch "\.css(\..+)?$">
    SetOutputFilter INCLUDES
</FilesMatch>

# 2004-Jun-28 LHN: Add MIME type for certificates
AddType application/x-x509-ca-cert pem

Adding sites

Create definitions in sites-available and then add them with a2ensite. These get loaded alphabetically so make the default one have a filename that comes first. Also remember to a2dissite default. Here's a sample:
<VirtualHost *:80 *:81>
        ServerName www.nerdylorrin.net
        ServerAlias nerdylorrin.net
        ServerAdmin webmaster@nerdylorrin.net

        DocumentRoot /var/www/nerdylorrin.net/ROOT/
        <Directory /var/www/nerdylorrin.net/>
                Options FollowSymLinks MultiViews IncludesNOEXEC
                XBitHack On
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.nerdylorrin.net.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.nerdylorrin.net.access.log combined
        ServerSignature On

        # 2004-Jan-24 LHN: URL Rewriting
        RewriteEngine on
        # RewriteLog "logs/nerdylorrin/rewrite.log"
        # RewriteLogLevel 9

        # Force canonical hostname
        # There are two sets of rules, one that rewrites to include the port,
        # and one that rewrites without an explicit port. The rewrite to include
        # the port occurs only if the requested port is not 80.

        # First, see if the HTTP_HOST does not start with www.nerdylorrin.net.
        # Then make sure HTTP_HOST isn't totally blank (this might be
        # excessively paranoid) then rewrite. The rewrite rule takes everything
        # after the beginning slash and appends to the fully qualified name

        # This set applies when the port number is not 80
        RewriteCond %{HTTP_HOST} !^www\.nerdylorrin\.net [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteCond %{SERVER_PORT} !^80$
        RewriteRule ^/(.*) http://www.nerdylorrin.net:%{SERVER_PORT}/$1 [L,R]
                # if not starts-with www.nerdylorrin.net (ignore case)
                # if not starts-with ends
                # if not starts-with 80 ends
                # replace starts-with / any-path with name:port/the-path (stop rewriting process, redirect)

        # This set applies when the port is 80
        RewriteCond %{HTTP_HOST} !^www\.nerdylorrin\.net [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteRule ^/(.*) http://www.nerdylorrin.net/$1 [L,R]
                # if not starts-with www.nerdylorrin.net (ignore case)
                # if not starts-with ends
                # replace starts-with / any-path with name/the-path (stop rewriting process, redirect)

</VirtualHost>

Adding modules

a2enmod rewrite

Launching

apache2ctl


Server-Side Includes

See the Apache Introduction to Server Side Includes.

a2enmod include

Add IncludesNOEXEC to the Options in the sites-available/* files and add XBitHack On (separate from the Options line) as needed. Then just chmod +x files that have SSI directives.

I also added

<FilesMatch "\.css(\..+)?$">
    SetOutputFilter INCLUDES
</FilesMatch>
because I had a .css with SSI directives.

chmod +x html files as needed.

The variables available for use in SSI include all the standard CGI environment variables.

Authentication

See the Apache Authentication, Authorization and Access Control tutorial.

Basic mechanics are that the server responds with a 401 (access denied), then the browser gets login info from the user and submits it with every request from that point forward. Credentials are Base64 encoded (i.e. not encrypted) so it's not too secure unless wrapped inside SSL.

Passwords are stored in /etc/apache2/passwd and managed with htpasswd2
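The point about Base64 and SSL above, as an added example that is not part of the original page: `decode_basic` recovers the credentials from an Authorization header value without any key, and `basic_without_ssl` lists virtual hosts that use `AuthType Basic` without mod_ssl's `SSLEngine on`. The function names, host names and sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; the sample configuration below is constructed.

# decode_basic VALUE: print the "user:password" carried by an Authorization
# header value. No key is involved: Base64 is an encoding, not encryption.
decode_basic() {
    case $1 in
        [Bb][Aa][Ss][Ii][Cc]\ *) printf '%s' "${1#* }" | base64 -d ;;
        *) return 1 ;;
    esac
}

# basic_without_ssl FILE...: print "file:line: ServerName" for every
# <VirtualHost> that uses AuthType Basic but never sets SSLEngine on.
basic_without_ssl() {
    awk '
        { l = tolower($0); sub(/^[ \t]+/, "", l) }
        l ~ /^#/ { next }
        l ~ /^<virtualhost[ \t>]/ { start = FNR; ssl = basic = 0; name = "-" }
        l ~ /^servername[ \t]/ { name = $2 }
        l ~ /^sslengine[ \t]+on/ { ssl = 1 }
        l ~ /^authtype[ \t]+basic/ { basic = 1 }
        l ~ /^<\/virtualhost>/ {
            if (basic && !ssl) print FILENAME ":" start ": " name
        }
    ' "$@"
}

# Constructed sample: the same protected directory on a plain and a TLS vhost.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:80>
    ServerName plain.example.test
    <Directory /var/www/plain.example.test/private>
        AuthType Basic
        AuthUserFile /etc/apache2/passwd/sample
        Require valid-user
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName tls.example.test
    SSLEngine on
    <Directory /var/www/tls.example.test/private>
        AuthType Basic
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}
```

The check only sees directives inside the files it is given; Auth directives placed in .htaccess files or outside a VirtualHost block need a separate look.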


SSL

See ApacheSSL


WebDAV

See WebDAV for more information on WebDAV in general. Enabling WebDAV in Apache is very straight-forward. Support is provided via the mod_dav module, which is included in the standard Debian Apache2 package.

a2enmod dav
a2enmod dav_fs

Create a VirtualHost and in some Directory blocks add

<IfModule mod_dav.c>
     DAV On
</IfModule>

You probably want to have some Auth directives in there as well. Additionally it's also possible to restrict which WebDAV operations are possible. E.g. to make a share read-only for guest users:

AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Tomato WebDAV file access"
AuthUserFile "/etc/apache2/passwd/tomato"

<IfModule mod_dav.c>
       DAV On
       <LimitExcept GET HEAD OPTIONS>
              require valid-user
       </LimitExcept>
</IfModule>

If people will be reading and writing the files via means other than WebDAV as well you'll have to juggle permissions. What seems to work is to keep the files writable by the www-data group. chgrp to www-data everything, then chmod g+s it and set the masks right (e.g. in Samba create mask = 664 and directory mask = 775). Update /etc/group to put the users in the www-data group: www-data:x:33:lorrin,tina
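One way to script the group-sharing scheme described above and to verify it afterwards (an added example, not from the original page). The function names are assumptions, the group defaults to www-data as in the text, and symbolic modes are used so files that were made executable for XBitHack keep their execute bit.

```shell
#!/bin/sh
# Added example; the group defaults to www-data as on the page, DIR is yours.

# share_tree DIR [GROUP]: hand the tree to GROUP, make it group-writable and
# set the setgid bit on directories so new entries inherit GROUP.
share_tree() (
    dir=$1 group=${2:-www-data}
    chgrp -R "$group" "$dir" || exit 1
    # Directories get group rwx plus setgid; nothing stays world-writable.
    find "$dir" -type d -exec chmod g+rwxs,o-w {} + || exit 1
    # Files get group rw; existing execute bits are left alone.
    find "$dir" -type f -exec chmod g+rw,o-w {} + || exit 1
)

# check_tree DIR [GROUP]: list entries that break the scheme (wrong group,
# world-writable, directory without setgid and group rwx, file without
# group rw). Returns non-zero if any are found.
check_tree() (
    dir=$1 group=${2:-www-data}
    bad=$(find "$dir" \( -type d -o -type f \) \( \
            ! -group "$group" -o -perm -002 \
            -o \( -type d ! -perm -2070 \) \
            -o \( -type f ! -perm -060 \) \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        exit 1
    fi
)
```

Run `check_tree` from cron or after a bulk copy: files written with a restrictive umask, or by a tool that does not honour the Samba masks, show up in its output.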


mod_python

mod_python offers additional speed and flexibility for running Python webapps vs. traditional CGI. I found it handy for configuring Trac. See Introducing mod_python (2003-10) by Gregory Trubetskoy for more information. The relevant Debian packages are libapache2-mod-python2.3 and libapache2-mod-python-doc.


Troubleshooting


mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed, referer: https://www.nerdylorrin.net/squirrelmail/src/left_main.php

This kind of error shows up when you've disabled Includes globally for security reasons and install a webapp that assumes they'll be on. Add/modify the Options statement in the Directory block for the new webapp to have the Includes keyword. In this case, for SquirrelMail, the relevant config file is /etc/squirrelmail/apache.conf.

[Wed Mar 15 22:39:16 2006] [error] [client 192.168.2.1] client denied by server configuration: /htdocs

Normally this kind of error means exactly what it says: The client can't see the requested URL because it's explicitly denied in the Apache configuration. I did once, however, see this error consistently crop up in my error.log. Of note was that /htdocs was neither requested by the client nor referenced anywhere in my configuration files. Fully stopping Apache and bringing it back up instead of just doing config file reloads made the problem go away.
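To tell ordinary denials from odd ones like the /htdocs case, the error log can be summarised per denied path (an added example, not from the original page). `denied_paths` and `sample_log` are assumed names, the content root /var/www/ follows the layout used earlier, and apart from the /htdocs entry the log lines are constructed.

```shell
#!/bin/sh
# Added example; apart from the /htdocs entry quoted on the page, the log
# lines below are constructed.

# denied_paths ROOT [FILE...]: count "client denied by server configuration"
# entries per path and mark each path as inside or OUTSIDE the content root.
# Reads standard input when no file is given.
denied_paths() (
    root=$1; shift
    awk -v root="$root" '
        /client denied by server configuration: / {
            p = $0
            sub(/^.*client denied by server configuration: /, "", p)
            sub(/, referer: .*$/, "", p)    # drop the optional referer suffix
            n[p]++
        }
        END {
            for (p in n)
                printf "%d %s %s\n", n[p], (index(p, root) == 1 ? "inside" : "OUTSIDE"), p
        }
    ' "$@" | sort -k3
)

sample_log() {
    cat <<'EOF'
[Wed Mar 15 22:39:16 2006] [error] [client 192.168.2.1] client denied by server configuration: /htdocs
[Wed Mar 15 22:40:02 2006] [error] [client 192.168.2.7] client denied by server configuration: /var/www/nerdylorrin.net/ROOT/private
[Wed Mar 15 22:40:05 2006] [error] [client 192.168.2.7] client denied by server configuration: /var/www/nerdylorrin.net/ROOT/private, referer: http://www.nerdylorrin.net/
[Wed Mar 15 22:40:09 2006] [error] [client 192.168.2.7] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Wed Mar 15 22:41:10 2006] [error] [client 192.168.2.1] client denied by server configuration: /htdocs
EOF
}
```

`sample_log | denied_paths /var/www/` reports two denials for each path; the one marked OUTSIDE is the kind that no Directory block in the site configuration accounts for.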

