Apache Web Server Introduction

It is easy to get an Apache web server up and running if you have root access: you simply do a yum install httpd, and you can then issue the standard commands apachectl start, apachectl stop, apachectl restart, apachectl graceful, and apachectl configtest. Since we generally do not have root access, these steps show how to run your own web server as an ordinary user. They were worked out while setting up the web server (Server version: Apache/2.2.15 (Unix)) on sammongpvm01.fnal.gov (Scientific Linux Fermi release 6.4 (Ramsey)). You can find out which versions you have by typing httpd -v and cat /etc/redhat-release respectively. In this particular case httpd had already been installed by default, so we work off that installation. This particular web server acts as a gateway (reverse proxy) to a web2py instance running on localhost.

Directory/File Setup

You will want to create this directory/file scheme. Be sure to pick the appropriate "home" area for this. In my case it is /home/sam. Names ending in "/" are directories; everything else is a file. We will elaborate on what these files are as we go.

bin/                      //programs go in here
  • apachectl (0755)      //chmod +x apachectl
  • clean_logs.sh (0755)  //chmod +x clean_logs.sh
html/                     //html pages go in here
  • empty
httpd/
  -- conf/                //configuration files
     • httpd.conf
     • magic
  -- conf.d/              //more configuration files
     • port8480.conf
     • sam_web_servers.conf
  -- logrotate/           //configuration file and status file for logrotate //see man logrotate //used by crontab
     • logrotate.conf
     • logrotate.status
  -- logs/                //this is where the logs get appended to
     • access_log
     • error_log
  -- modules/             //ln -s /usr/lib64/httpd/modules . //just some modules; there should be around 64 modules in this directory
  -- run/                 //this is where the pid file gets stored
     • empty
private/
  -- logs/
     ---- httpd/
          • access_log
          • error_log
     ---- web2py/
          • httpserver.log

bin

apachectl

apachectl is the executable that controls the Apache httpd daemon. We keep our own copy and make it executable with chmod +x apachectl. If you are not sure which apachectl you are running, do which apachectl to find out. Modify your bash profile as follows so that your own apachectl is found before the system one.

vim ~/.bash_profile
PATH=$HOME/bin:$PATH

The apachectl should look like the following.

#!/bin/sh
# Wrapper around the system httpd binary that points it at our own
# ServerRoot (/home/sam/httpd), so no root access is needed.
export OPENSSL_ALLOW_PROXY_CERTS=1

httpd=/usr/sbin/httpd.worker
serverroot=/home/sam/httpd

case "$1" in
configtest)
    # -t only parses the configuration and reports errors; nothing is started
    "${httpd}" -d "${serverroot}" -t
    ;;
start|stop|restart|graceful|graceful-stop)
    # -k hands the action to httpd, which finds the pid file under ServerRoot
    "${httpd}" -d "${serverroot}" -k "$1"
    ;;
*)
    echo "Usage: $0 {start|stop|restart|graceful|graceful-stop|configtest}" >&2
    exit 1
    ;;
esac

The original apachectl location is at /usr/sbin/apachectl for the curious.

clean_logs.sh

This file is run by cron (see the Crontab section). It should look like the following.

#!/bin/sh

find /home/sam/private/logs/ -name "*_log.*" -mtime +7 | xargs -r rm -v
find /home/sam/private/logs/ -name "*_log.*" ! -name "*.gz" -mtime +1 | xargs -r -n1 -t gzip

The first find locates rotated log files (names containing _log. ) whose modification time is more than 7 days old and removes them in verbose mode; xargs -r means rm is not run at all when nothing matches.
The second find locates rotated log files that do not yet have the .gz extension and are more than 1 day old, and gzips them one at a time (-n1); -t prints each command on standard error before executing it.
Anything printed lands in /tmp/clean_logs.out, because the crontab entry redirects both output streams there.
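To see what the two find commands actually keep, compress and remove, here is the same retention logic exercised against a constructed scratch copy of the private/logs tree. This is an added example, not the page's clean_logs.sh: make_fixture, prune_logs and the file names and ages are made up for the demonstration, touch -d requires GNU coreutils, and prune_logs adds -print0/-0 (which the page's script does not use) so that xargs cannot split an unusual file name.

```shell
#!/bin/sh
# Constructed exercise of the clean_logs.sh retention rules (added example).

# make_fixture DIR: build a private/logs-style tree with rotated logs of
# different ages. File names and ages are constructed; touch -d is GNU.
make_fixture() {
    mkdir -p "$1/httpd" "$1/web2py"
    echo live  > "$1/httpd/access_log"         # live log: no dot suffix, never matched
    echo fresh > "$1/httpd/access_log.1"       # rotated today: left alone
    echo mid   > "$1/httpd/error_log.2"        # 3 days old: gets gzipped
    echo old   > "$1/httpd/access_log.3"       # 10 days old: removed
    echo oldgz > "$1/httpd/access_log.4.gz"    # 10 days old, already compressed: removed too
    echo w2p   > "$1/web2py/httpserver.log.1"  # no "_log." in the name: untouched
    touch -d '3 days ago'  "$1/httpd/error_log.2"
    touch -d '10 days ago' "$1/httpd/access_log.3" "$1/httpd/access_log.4.gz"
}

# prune_logs DIR: the two passes of clean_logs.sh, parameterised on DIR.
# Pass 1 removes rotated logs older than 7 days (gzipped or not).
# Pass 2 gzips the remaining uncompressed rotated logs older than 1 day,
# one gzip per file (-n1), echoing each command to stderr (-t).
prune_logs() {
    find "$1" -name "*_log.*" -mtime +7 -print0 | xargs -0 -r rm -v
    find "$1" -name "*_log.*" ! -name "*.gz" -mtime +1 -print0 | xargs -0 -r -n1 -t gzip
}

# Usage: build the fixture in a scratch directory, prune it, list what is left.
scratch=$(mktemp -d)
make_fixture "$scratch"
prune_logs "$scratch"
find "$scratch" -type f | sort
rm -rf "$scratch"
```

After the run, access_log and access_log.1 are untouched, error_log.2 has become error_log.2.gz, both 10-day-old files are gone, and the web2py log is never touched because its name does not contain _log. (so web2py's log needs its own housekeeping).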

html

You can serve your web pages here if you want, but for now this folder is empty.

httpd

conf

httpd.conf

This is the main configuration file for the web server. Just copy over this file from /etc/httpd/conf. The things we need to modify are below.

ServerRoot "/etc/httpd" --> ServerRoot "/home/sam/httpd" 

Timeout 60 --> Timeout 300

KeepAlive Off --> KeepAlive On

Listen 80 --> Listen 8480

#ExtendedStatus On --> ExtendedStatus On

DocumentRoot "/var/www/html" --> DocumentRoot "/home/sam/html" 

ErrorLog logs/error_log --> ErrorLog  "|exec 2>&-; /usr/bin/tee -a /home/sam/httpd/logs/error_log  | /usr/bin/logger -thttpd -plocal6.err" 

CustomLog logs/access_log combined --> CustomLog "|/usr/bin/tee -a /home/sam/httpd/logs/access_log | /usr/bin/logger -thttpd -plocal6.notice" combined

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" --> #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" 

If you would like to enable the server status page, uncomment this block and replace .example.com with: 131.225 (Apache treats a partial IP address in Allow from as a network prefix, so only hosts in 131.225.x.x can read the status page).

#<Location /server-status>
#    SetHandler server-status
#    Order deny,allow
#    Deny from all
#    Allow from .example.com
#</Location>
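Since the copied httpd.conf is large and the stock values must not survive, here is a small check that scans a copy for the settings this section changes and reports the ones still at their stock value. This is an added example written for this page, not part of Apache or of the files described above; check_httpd_conf and write_sample_confs are assumed names, and the two sample configuration fragments are constructed to mirror the left and right sides of the arrows above.

```shell
#!/bin/sh
# check_httpd_conf CONF HOME
#   Print one line per setting that still has its stock value and return the
#   number of findings (0 means the file is ready for the non-root setup).
#   Assumed helper written for this page; not part of Apache.
check_httpd_conf() {
    conf=$1
    home=$2
    findings=0
    # Drop comment lines once so every check sees active directives only
    active=$(grep -v '^[[:space:]]*#' "$conf")

    # 1. Listen: without root the server cannot bind a port below 1024
    port=$(printf '%s\n' "$active" | awk '$1=="Listen"{print $NF; exit}')
    if [ -n "$port" ] && [ "${port##*:}" -lt 1024 ]; then
        echo "Listen $port: ports below 1024 need root, pick 1024 or above"
        findings=$((findings+1))
    fi

    # 2. ServerRoot and DocumentRoot must point into the user's own tree
    for directive in ServerRoot DocumentRoot; do
        path=$(printf '%s\n' "$active" |
               awk -v d="$directive" '$1==d{gsub(/"/,"",$2); print $2; exit}')
        case $path in
            "$home"/*) ;;                     # inside the home area: fine
            *) echo "$directive ${path:-unset}: should be under $home"
               findings=$((findings+1)) ;;
        esac
    done

    # 3. ScriptAlias is commented out above: no CGI directory is served
    if printf '%s\n' "$active" | grep -q '^[[:space:]]*ScriptAlias[[:space:]]'; then
        echo "ScriptAlias is active: comment it out unless CGI is really wanted"
        findings=$((findings+1))
    fi

    # 4. The server-status block still carries the .example.com placeholder
    if printf '%s\n' "$active" | grep -q 'Allow from \.example\.com'; then
        echo "server-status: replace .example.com with the allowed network"
        findings=$((findings+1))
    fi

    return "$findings"
}

# write_sample_confs DIR: constructed "before" (stock) and "after" (edited)
# fragments mirroring the arrows in the httpd.conf section.
write_sample_confs() {
    cat > "$1/before.conf" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
DocumentRoot "/var/www/html"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .example.com
</Location>
EOF
    cat > "$1/after.conf" <<'EOF'
ServerRoot "/home/sam/httpd"
Listen 8480
DocumentRoot "/home/sam/html"
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 131.225
</Location>
EOF
}

# Usage: the "before" sample reports 5 findings, the "after" sample none.
scratch=$(mktemp -d)
write_sample_confs "$scratch"
for f in before after; do
    echo "== $f.conf"
    check_httpd_conf "$scratch/$f.conf" /home/sam && echo "ready"
done
rm -rf "$scratch"
```

Run it against your real copy with check_httpd_conf /home/sam/httpd/conf/httpd.conf /home/sam before the first apachectl configtest; the return code makes it usable from a script as well.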

magic

Not sure what this is used for...

conf.d

port8480.conf

This file should look like the following. Adjust the ProxyPass line as needed; it is just an example.

<VirtualHost *:8480>
#KeepAlive on

ProxyPass /station_monitor/ http://localhost:8081/station_monitor/

# Make sure certificate headers are unset in case
# a non-SSL client tries to set them
RequestHeader unset X-Forwarded-Secure
RequestHeader unset X-FORWARDED-S-DN
RequestHeader unset X-FORWARDED-I-DN

# Allow JSON requests from any domain
Header set Access-Control-Allow-Origin "*" 

</VirtualHost>

sam_web_servers.conf

This file should look like the following. Adjust the ProxyPass lines as needed; again, it is just an example.

#For the proxy worker sharing to work properly we have to declare the proxying outside the virtual hosts
# This means that all virtual hosts will expose all these downstream servers

ProxyTimeout 3600
RewriteEngine On

# Nova cookbook server
ProxyPass /sam/cookbook/ http://localhost:21000/sam/cookbook/

# Metrics server
ProxyPass /sam/metrics/ http://localhost:21000/sam/metrics/

logrotate

logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
#include /etc/logrotate.d

# system-specific logs may also be configured here.
/home/sam/httpd/logs/*log {
    size 128M
    #daily
    #dateext
    rotate 25
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
       /home/sam/bin/apachectl configtest > /dev/null 2>/dev/null && /home/sam/bin/apachectl graceful > /dev/null 2>/dev/null || true
    endscript
}

logrotate.status

Should be empty initially.

logs

access_log

This is where the Apache requests get logged.

error_log

This is where the Apache errors get logged.

modules

This should be a symbolic link.
File: `modules' -> `/usr/lib64/httpd/modules'

run

This is where the pid file gets stored when you start the web server. So when you do an apachectl stop for example, it will look here to get the pid.

private

logs

httpd

-access_log

This is where the Apache requests get logged.

-error_log

This is where the Apache errors get logged.

web2py

-httpserver.log

This is where the web2py requests get logged. We specify this file explicitly when we start the web2py instance.

Clogger

Logs need to go to clogger. This is done in either /etc/rsyslog.d/000-use-clogger.conf or in /etc/rsyslog.conf. Below is what 000-use-clogger.conf should look like.

####################################################
## HEADER: This file was autogenerated by puppet.
######################################################

# Modules
$ModLoad imtcp
$ModLoad imudp
$ModLoad imuxsock

# Templates
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Actions
$ActionQueueType LinkedList
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName clogger
$ActionQueueMaxDiskSpace 500m

# Rules
# Send using UDP
# For TCP use @@ rather than @
*.*               @clogger.fnal.gov

Web Server Exemption Request

Before the web server is exposed to the world, you need to go to Service Now and click on the Service Catalog link. You will see a Web Server Exemption Request link; click on it and fill out the form. Do not request port 80; request an open port of 1024 or above, because binding a port below 1024 needs superuser privileges, which we do not have. In my case I use port 8040.

hostname --ip  //get the ip address

Crontab

Your crontab should look like the following.

crontab -e

SHELL=/bin/bash
@reboot    /home/sam/bin/apachectl start

00,15,30,45 * * * * /usr/sbin/logrotate -s /home/sam/httpd/logrotate/logrotate.status /home/sam/httpd/logrotate/logrotate.conf   #Runs logrotate at minutes :00, :15, :30, :45, every hour.
15 00 * * * /home/sam/bin/clean_logs.sh >& /tmp/clean_logs.out   #Runs clean_logs.sh at minute :15, on hour 00, every day.

Start Apache Web Server

/usr/sbin/httpd.worker -d /home/sam/httpd -k start

Other

To find out which Apache version you are using:

httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 08:07:51

To stop an existing Apache web server that may have been shipped by default (a rule would need to be added to sudoers; this is a request to Scientific Computing -- Scientific Servers):

sudo /etc/init.d/httpd stop

Clogger notes: www.fnal.gov/docs/products/apache/syslog_logs_notes.html

SSL notes:
http://www.fnal.gov/docs/products/apache/SSLNotes.html
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
http://www.pyopenssl.org/en/stable/ //thin wrapper around a subset of the OpenSSL library