Do My Space, Do My Life!

Apache Directory Permission Issues (repost)

2007-01-15 17:14:18 / Category: My Work


Installing

apt-get install apache2 apache2-doc file lynx

Note: This installs the apache2-mpm-worker package, which is now preferred over the older apache2-mpm-prefork. However, for PHP (required by Gallery) you're stuck with apache2-mpm-prefork (no worries; you'll get seamlessly converted to prefork if you install PHP).


Adding content

Add content to /var/www. My structure is
/var/www/virtual_host/ROOT     <--- main content
                     /foo      <---- webapps etc.
        /virtual_host2


Configuration

Debian splits the configuration into pieces. /etc/apache2/apache2.conf contains standard settings that normally don't need changing. /etc/apache2/httpd.conf is legacy support. Put your settings in files inside /etc/apache2/conf.d/. All files in this directory are loaded automatically.

I just created a lorrin.conf in there where I do basic housekeeping.

# Set up InternetExplorer variable when Internet Explorer detected
BrowserMatchNoCase MSIE InternetExplorer

# 2004-Jan-24 LHN: Protect the file system as a whole
<Directory />
        Order Deny,Allow
        Deny from all
</Directory>

# 2004-Jan-24 LHN: Protect special directories.
<DirectoryMatch "(WEB-INF|META-INF|private)">
        Order allow,deny
        Deny from all
        AllowOverride None
</DirectoryMatch>

# 2004-Mar-04 LHN: Enable virtual hosting
NameVirtualHost *:80
NameVirtualHost *:81

# 2004-Mar-04 LHN: Add SSI processing to .css files
<FilesMatch "\.css(\..+)?$">
    SetOutputFilter INCLUDES
</FilesMatch>

# 2004-Jun-28 LHN: Add MIME type for certificates
AddType application/x-x509-ca-cert pem

Adding sites

Create definitions in sites-available and then add them with a2ensite. These get loaded alphabetically so make the default one have a filename that comes first. Also remember to a2dissite default. Here's a sample:
<VirtualHost *:80 *:81>
        ServerName www.nerdylorrin.net
        ServerAlias nerdylorrin.net
        ServerAdmin webmaster@nerdylorrin.net

        DocumentRoot /var/www/nerdylorrin.net/ROOT/
        <Directory /var/www/nerdylorrin.net/>
                Options FollowSymLinks MultiViews IncludesNOEXEC
                XBitHack On
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/www.nerdylorrin.net.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/www.nerdylorrin.net.access.log combined
        ServerSignature On

        # 2004-Jan-24 LHN: URL Rewriting
        RewriteEngine on
        # RewriteLog "logs/nerdylorrin/rewrite.log"
        # RewriteLogLevel 9

        # Force canonical hostname
        # There are two sets of rules, one that rewrites to include the port,
        # and one that rewrites without an explicit port. The rewrite to include
        # the port occurs only if the requested port is not 80.

        # First, see if the HTTP_HOST does not start with www.nerdylorrin.net.
        # Then make sure HTTP_HOST isn't totally blank (this might be
        # excessively paranoid) then rewrite. The rewrite rule takes everything
        # after the beginning slash and appends to the fully qualified name

        # This set applies when the port number is not 80
        RewriteCond %{HTTP_HOST} !^www\.nerdylorrin\.net [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteCond %{SERVER_PORT} !^80$
        RewriteRule ^/(.*) http://www.nerdylorrin.net:%{SERVER_PORT}/$1 [L,R]
                # if not starts-with www.nerdylorrin.net (ignore case)
                # if not starts-with ends
                # if not starts-with 80 ends
                # replace starts-with / any-path with name:port/the-path (stop rewriting process, redirect)

        # This set applies when the port is 80
        RewriteCond %{HTTP_HOST} !^www\.nerdylorrin\.net [NC]
        RewriteCond %{HTTP_HOST} !^$
        RewriteRule ^/(.*) http://www.nerdylorrin.net/$1 [L,R]
                # if not starts-with www.nerdylorrin.net (ignore case)
                # if not starts-with ends
                # replace starts-with / any-path with name/the-path (stop rewriting process, redirect)

</VirtualHost>

Adding modules

a2enmod rewrite


Launching

apache2ctl

Server-Side Includes

See the Apache Introduction to Server Side Includes.

a2enmod include

Add IncludesNOEXEC to the Options in the sites-available/* files and add XBitHack On (separate from the Options line) as needed. Then just chmod +x files that have SSI directives.

I also added

<FilesMatch "\.css(\..+)?$">
    SetOutputFilter INCLUDES
</FilesMatch>
because I had a .css with SSI directives.

chmod +x html files as needed.

The variables available for use in SSI include all the standard CGI environment variables.
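With XBitHack On, whether a text/html file is parsed for SSI depends only on its user-execute bit, so a forgotten chmod +x sends the directives to clients unprocessed. The following audit is an added example, not part of the original page; the function names are hypothetical and it assumes HTML files are named *.html.

```sh
#!/bin/sh
# Added example: find XBitHack mismatches under a document root.

# HTML files that contain SSI directives but lack the user-execute bit.
# Apache would serve these with the <!--#...--> directives unprocessed.
ssi_missing_xbit() {
    find "$1" -type f -name '*.html' ! -perm -100 \
        -exec grep -l -e '<!--#' {} + | sort
}

# HTML files with the user-execute bit set but no SSI directive.
# They get parsed for nothing and are candidates for chmod -x.
xbit_without_ssi() {
    find "$1" -type f -name '*.html' -perm -100 \
        -exec grep -L -e '<!--#' {} + | sort
}

# Optional stand-alone use: pass a document root as the first argument.
if [ -n "${1:-}" ]; then
    echo "SSI directives but no +x:"; ssi_missing_xbit "$1"
    echo "+x but no SSI directives:"; xbit_without_ssi "$1"
fi
```

.css files are not covered by XBitHack, which is why the FilesMatch block above enables the INCLUDES filter for them explicitly.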


Authentication

See the Apache Authentication, Authorization and Access Control tutorial.

Basic mechanics are that the server responds with a 401 (access denied), then the browser gets login info from the user and submits it with every request from that point forward. Credentials are Base64 encoded (i.e. not encrypted), so it's not too secure unless wrapped inside SSL.

Passwords are stored in /etc/apache2/passwd and managed with htpasswd2
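To make the "encoded, not encrypted" point concrete, this added example (not from the original page) recovers the username and password from the Authorization header of a request using nothing but a Base64 decoder. The request, host name and credentials are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: what a Basic Authorization header exposes without SSL.

# Reads one HTTP request on stdin, prints "user<TAB>password".
# Returns 1 if no Authorization header, 2 if the scheme is not Basic,
# 3 if the token is not valid Base64.
basic_auth_creds() {
    # Header names are case-insensitive; strip the CR of each CRLF.
    hdr=$(tr -d '\r' | awk 'tolower($0) ~ /^authorization:/ { print; exit }')
    [ -n "$hdr" ] || return 1
    value=${hdr#*:}                        # drop the header name
    value=${value#"${value%%[! ]*}"}       # trim leading spaces
    scheme=$(printf '%s' "${value%% *}" | tr 'A-Z' 'a-z')
    [ "$scheme" = basic ] || return 2
    decoded=$(printf '%s' "${value#* }" | base64 -d) || return 3
    # Split on the first ':' only: a password may itself contain colons.
    printf '%s\t%s\n' "${decoded%%:*}" "${decoded#*:}"
}

# Constructed sample request, built the way a browser builds the header:
# Base64 over "user:password", no key involved.
sample_request() {
    printf 'PROPFIND /dav/ HTTP/1.1\r\nHost: dav.example\r\nAuthorization: Basic %s\r\n\r\n' \
        "$(printf '%s' 'guest:tom:ato' | base64)"
}

sample_request | basic_auth_creds
```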

SSL

See ApacheSSL

WebDAV

See WebDAV for more information on WebDAV in general. Enabling WebDAV in Apache is very straight-forward. Support is provided via the mod_dav module, which is included in the standard Debian Apache2 package.

a2enmod dav
a2enmod dav_fs

Create a VirtualHost and in some Directory blocks add

<IfModule mod_dav.c>
     DAV On
</IfModule>

You probably want to have some Auth directives in there as well. Additionally it's also possible to restrict which WebDAV operations are possible. E.g. to make a share read-only for guest users:

AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Tomato WebDAV file access"
AuthUserFile "/etc/apache2/passwd/tomato"

<IfModule mod_dav.c>
       DAV On
       <LimitExcept GET HEAD OPTIONS>
              require valid-user
       </LimitExcept>
</IfModule>

If people will be reading and writing the files via means other than WebDAV as well you'll have to juggle permissions. What seems to work is to keep the files writable by the www-data group. chgrp to www-data everything, then chmod g+s it and set the masks right (e.g. in Samba create mask = 664 and directory mask = 775). Update /etc/group to put the users in the www-data group: www-data:x:33:lorrin,tina
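The permission juggling described above, written out as an added example (not from the original page) with a check that the scheme actually holds. Function names are hypothetical; on the server you would run it as root with www-data as the group, and a umask of 002 corresponds to the 664/775 masks mentioned for Samba.

```sh
#!/bin/sh
# Added example: keep a tree writable by one shared group.

# share_tree DIR GROUP: hand DIR to GROUP, make everything group-writable,
# and set the setgid bit on directories so new entries inherit GROUP.
# Symbolic modes leave existing execute bits (e.g. for XBitHack) alone.
share_tree() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod g+rwxs {} + &&
    find "$1" -type f -exec chmod g+rw {} +
}

# share_problems DIR GROUP: list entries that break the scheme: wrong
# group, not group read/write, or a directory without setgid + g=rwx.
share_problems() {
    find "$1" \( ! -group "$2" -o ! -perm -060 \
        -o \( -type d ! -perm -2070 \) \) -print | sort
}

# new_file_ok DIR GROUP: create a probe file as a writer with umask 002
# would, and confirm it lands in GROUP and group-writable.
new_file_ok() {
    probe="$1/.probe.$$"
    ( umask 002; : > "$probe" ) || return 1
    found=$(find "$probe" -group "$2" -perm -060)
    rm -f "$probe"
    [ -n "$found" ]
}

# Optional stand-alone use: share.sh DIR GROUP
if [ "$#" -eq 2 ]; then
    share_tree "$1" "$2" && share_problems "$1" "$2"
fi
```

A writer whose umask is 022 (the usual shell default) still creates files the group cannot modify, which is what new_file_ok detects if you change its umask to match that writer.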

mod_python

mod_python offers additional speed and flexibility for running Python webapps vs. traditional CGI. I found it handy for configuring Trac. See Introducing mod_python (2003-10) by Gregory Trubetskoy for more information. The relevant Debian packages are libapache2-mod-python2.3 and libapache2-mod-python-doc.


Troubleshooting


mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed, referer: https://www.nerdylorrin.net/squirrelmail/src/left_main.php

This kind of error shows up when you've disabled Includes globally for security reasons and install a webapp that assumes they'll be on. Add/modify the Options statement in the Directory block for the new webapp to have the Includes keyword. In this case, for SquirrelMail, the relevant config file is /etc/squirrelmail/apache.conf.

[Wed Mar 15 22:39:16 2006] [error] [client 192.168.2.1] client denied by server configuration: /htdocs

Normally this kind of error means exactly what it says: The client can't see the requested URL because it's explicitly denied in the Apache configuration. I did once, however, see this error consistently crop up in my error.log. Of note was that /htdocs was neither requested by the client nor referenced anywhere in my configuration files. Fully stopping Apache and bringing it back up instead of just doing config file reloads made the problem go away.
