
This article was last reviewed for Debian 9 (Stretch).

Apache 2.4 installation and configuration (Debian, repository)
Author: Stefán Örvar Sigmundsson
Initial publication:
Last updated:
Written in: English (United Kingdom)

Apache HTTP Server is modular, free, open-source software and the world's most popular web server. This article demonstrates how to install and configure Apache 2.4 on Debian or its derivatives such as Ubuntu and Linux Mint. The server will be configured for the domain name example.org as a virtual host.

Installation

Apache can be installed from the official Debian repository using APT:

root@computer:~# apt --assume-yes install apache2

After the installation is completed, a directory called /var/www/html should have been created containing a single file called index.html. This file should appear in a web browser on the local machine when navigating to http://localhost.

Configuration

Apache is stopped before beginning the configuration for the sake of simplicity:

root@computer:~# systemctl stop apache2.service

The default logs are cleared before access and error logs are created:

root@computer:~# rm --recursive /var/log/apache2/*

The default directory created by the package to store the data to be served is not in conformance with the Filesystem Hierarchy Standard so it is removed and a new directory is created:

root@computer:~# rm --recursive /var/www/
root@computer:~# mkdir --parents /srv/http/example.org/

An error log is created for Apache (error.log), an access log for the virtual host (example.org.log) and an error log for the virtual host (example.org.error.log), all in the default log directory:

root@computer:~# cd /var/log/apache2/
root@computer:/var/log/apache2# touch error.log example.org.log example.org.error.log

There is a lot of clutter in the default configuration files even though they are operational. Clearing the configuration directories and the default directory will ensure that there is neither conflict nor confusion:

root@computer:~# cd /etc/apache2/
root@computer:/etc/apache2# > apache2.conf
root@computer:/etc/apache2# > envvars
root@computer:/etc/apache2# rm --recursive conf-available/* conf-enabled/* mods-enabled/* sites-available/* sites-enabled/* magic ports.conf

The default user and group created by the package are called www-data. A user and a group are created with a more descriptive name:

root@computer:~# useradd --comment "Apache" --shell "/usr/sbin/nologin" --system --user-group apache

envvars

The envvars file is uncluttered for the sake of readability:

unset HOME

if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
	SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
	SUFFIX=
fi

export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache
export APACHE_PID_FILE=/run/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/run/lock/apache2$SUFFIX
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX

export LANG=C

apache2.conf

The apache2.conf file contains global configuration. A single default web site could be defined globally but for the sake of remaining future-proof all web sites are defined as virtual hosts:

<Directory />
	Require all denied
</Directory>

ErrorLog /var/log/apache2/error.log

Options Indexes

IncludeOptional conf-enabled/*.conf
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
IncludeOptional sites-enabled/*.conf

ServerAdmin administrator@example.org

ServerName http://example.org:80

<Directory />
Access is not allowed to any location in the file system by default for security reasons. Virtual hosts must give access to relevant directories.
ErrorLog /var/log/apache2/error.log
The default location and name of the error log (logs/error_log), as defined by Apache, do not follow the conventional directory structure of Debian. An error log can be configured per virtual host so that errors specific to a virtual host do not go into the global error log.
Options Indexes (optional)
Globally enables directory listing when access requirements are satisfied. Without this the server will respond with an HTTP 403 response status code when a user navigates to a directory that doesn't contain an index file or when index files are not defined in mod_dir.
IncludeOptional conf-enabled/*.conf
All enabled configuration files are included.
IncludeOptional mods-enabled/*.load
All enabled module loading files are included.
IncludeOptional mods-enabled/*.conf
All enabled module configuration files are included.
IncludeOptional sites-enabled/*.conf
All enabled virtual hosts are included.
ServerAdmin administrator@example.org (optional)
It is good practice to declare an e-mail address responsible for the server.
ServerName http://example.org:80
A global server name is given. The domain name (example.org) should be replaced with the relevant domain name.
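
One way to check the two global settings described above, written as an added example rather than configuration or tooling from the original article: a global Options Indexes applies to every directory that a virtual host later opens with Require all granted, so the check reports the container each Indexes-enabling Options directive sits in and confirms that <Directory /> still denies access. The function names and the sample input are constructed for illustration, and <IfModule>-style wrappers are treated as transparent.

```shell
#!/bin/sh
# Added example, not from the original article. Reads Apache configuration on
# stdin; reports Options directives that enable Indexes and the root deny rule.

audit_apache_conf() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^$/ || /^#/ { next }
    /^<\// { if (depth > 0) depth--; next }      # closing tag: leave container
    /^</   { stack[++depth] = $0; next }         # opening tag: enter container
    {
        # Scope: innermost container that is not an <IfModule>-style wrapper.
        scope = "global"
        for (i = depth; i > 0; i--)
            if (tolower(stack[i]) !~ /^<if(module|define|version)/) {
                scope = stack[i]; break
            }
        name = tolower($1)
        if (name == "options")
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "indexes" || opt == "+indexes" || opt == "all")
                    printf "indexes-enabled line=%d scope=%s\n", NR, scope
            }
        if (name == "require" && tolower($2 " " $3) == "all denied" &&
            scope == "<Directory />")
            root_denied = 1
    }
    END { print (root_denied ? "root-deny present" : "root-deny MISSING") }'
}

# Constructed sample: the apache2.conf above plus a site-level container.
sample_conf() {
    cat <<'EOF'
<Directory />
	Require all denied
</Directory>

Options Indexes

<VirtualHost *:80>
	<Directory /srv/http/example.org/>
		Options -Indexes
	</Directory>
</VirtualHost>
EOF
}

sample_conf | audit_apache_conf
```

On a configured machine the same function can be fed each file under /etc/apache2/ in turn; only the global Options line is reported for the sample because the site-level container switches Indexes off again.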

conf-available/log_config.conf

A file is created to contain the configuration for the base module mod_log_config:

root@computer:/etc/apache2# touch conf-available/log_config.conf

The conf-available/log_config.conf file contains custom log format definitions:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

LogFormat …
Defines a common log format to be used by virtual hosts.
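
Reading lines written in the combined format defined above, as an added example that is not part of the original article: the request line, Referer and User-Agent are supplied by the client, and mod_log_config writes a literal double quote inside them as \" and a backslash as \\, so the quoted fields are matched with that escaping in mind rather than split on quotes. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Prints host, status, method,
# path and User-Agent (tab-separated, values kept escaped as logged) for each
# combined-format line on stdin, or MALFORMED with the line number.

parse_combined() {
    awk '
    # Take the next double-quoted field off "rest"; text before it goes in "before".
    function quoted(   s) {
        if (!match(rest, /"([^"\\]|\\.)*"/)) { ok = 0; return "" }
        s = substr(rest, RSTART + 1, RLENGTH - 2)
        before = substr(rest, 1, RSTART - 1)
        rest = substr(rest, RSTART + RLENGTH)
        return s
    }
    {
        rest = $0; ok = 1
        request = quoted(); split(before, head, " ")     # %h %l %u %t
        referer = quoted(); split(before, mid, " ")      # %>s %b
        agent   = quoted()
        if (!ok || mid[1] !~ /^[0-9][0-9][0-9]$/) { print "MALFORMED\t" NR; next }
        split(request, req, " ")                         # method, path, protocol
        print head[1] "\t" mid[1] "\t" req[1] "\t" req[2] "\t" agent
    }'
}

# Constructed log lines; the second carries a User-Agent containing quotes
# and a fake status, which Apache has escaped on the way into the log.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /files/ HTTP/1.1" 403 199 "-" "curl/7.52.1"
203.0.113.9 - - [10/Oct/2018:13:55:40 +0000] "GET / HTTP/1.1" 404 0 "-" "x\" 200 512 \"-\" \"forged"
not a log line
EOF
}

sample_log | parse_combined
```

The second sample line still yields status 404 and a single User-Agent field, which is the property a log consumer depends on when the header content is hostile.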

mods-available/autoindex.conf (optional)

The mods-available/autoindex.conf file contains configuration for the automatic generation of indexes of the contents of directories. If a user navigates to a directory without specifying a particular file within it then the autoindex module will generate an index of the contents of the directory. The following is only possible if Options Indexes is set in the apache2.conf file:

<IfModule autoindex_module>
	AddIcon (SND,/icons/sound2.gif) .ogg
	AddIcon (VID,/icons/movie.gif) .ogm
	AddIcon /icons/a.gif .ai .eps .ps
	AddIcon /icons/binary.gif .bin .exe
	AddIcon /icons/binhex.gif .hqx
	AddIcon /icons/c.gif .c
	AddIcon /icons/compressed.gif .gz .tgz .z .zip
	AddIcon /icons/dvi.gif .dvi
	AddIcon /icons/f.gif .for
	AddIcon /icons/folder.gif ^^DIRECTORY^^
	AddIcon /icons/layout.gif .htm .html .pdf .shtml
	AddIcon /icons/odf6odb-20x22.png .odb
	AddIcon /icons/odf6odc-20x22.png .odc
	AddIcon /icons/odf6odf-20x22.png .odf
	AddIcon /icons/odf6odg-20x22.png .odg
	AddIcon /icons/odf6odi-20x22.png .odi
	AddIcon /icons/odf6odm-20x22.png .odm
	AddIcon /icons/odf6odp-20x22.png .odp
	AddIcon /icons/odf6ods-20x22.png .ods
	AddIcon /icons/odf6odt-20x22.png .odt
	AddIcon /icons/odf6otc-20x22.png .otc
	AddIcon /icons/odf6otf-20x22.png .otf
	AddIcon /icons/odf6otg-20x22.png .otg
	AddIcon /icons/odf6oth-20x22.png .oth
	AddIcon /icons/odf6oti-20x22.png .oti
	AddIcon /icons/odf6otp-20x22.png .otp
	AddIcon /icons/odf6ots-20x22.png .ots
	AddIcon /icons/odf6ott-20x22.png .ott
	AddIcon /icons/p.gif .pl .py
	AddIcon /icons/script.gif .conf .csh .ksh .sh .shar .tcl
	AddIcon /icons/tar.gif .tar
	AddIcon /icons/tex.gif .tex
	AddIcon /icons/text.gif .txt
	AddIcon /icons/uuencoded.gif .uu
	AddIcon /icons/world2.gif .iv .vrm .vrml .wrl .wrl.gz

	AddIconByEncoding (CMP,/icons/compressed.gif) x-bzip2 x-compress x-gzip

	AddIconByType (IMG,/icons/image2.gif) image/*
	AddIconByType (SND,/icons/sound2.gif) audio/*
	AddIconByType (TXT,/icons/text.gif) text/*
	AddIconByType (VID,/icons/movie.gif) video/*

	DefaultIcon /icons/unknown.gif

	IndexOptions DescriptionWidth=* FancyIndexing FoldersFirst HTMLTable IconsAreLinks NameWidth=* VersionSort XHTML

	<Directory /usr/share/apache2/icons/>
		Require all granted
	</Directory>

	<IfModule alias_module>
		Alias /icons/ /usr/share/apache2/icons/
	</IfModule>
</IfModule>

mods-available/dir.conf (optional)

The mods-available/dir.conf file defines directory index files. If a directory index file exists in a directory and a user navigates to the directory without specifying a particular file within it then the server will return the directory index file instead of an automatically generated index of the contents of the directory by the autoindex module or an HTTP 403 response status code.

<IfModule dir_module>
	DirectoryIndex index.htm index.html index.xht index.xhtml
</IfModule>

mods-available/mpm_event.conf

The mods-available/mpm_event.conf file configures the multi-processing module event:

<IfModule mpm_event_module>
	Group apache

	Listen example.org:80 http

	PidFile /run/apache2.pid

	User apache
</IfModule>

Group apache
The OS group of Apache is www-data by default on Debian.
Listen example.org:80 http
The IP address, port and protocol to which to listen. The domain name (example.org) should be replaced with the relevant domain name or IP address.
PidFile /run/apache2.pid
The location of the process identifier file of Apache is /var/run/apache2.pid by default on Debian.
User apache
The OS user of Apache is www-data by default on Debian.

sites-available/example.org.conf

A file is created to contain the configuration for the example.org virtual host:

root@computer:/etc/apache2# touch sites-available/example.org.conf

The sites-available/example.org.conf file contains a virtual host declaration:

<VirtualHost *:80>
	CustomLog /var/log/apache2/example.org.log combined

	<Directory /srv/http/example.org/>
		Require all granted
	</Directory>

	DocumentRoot /srv/http/example.org/

	ErrorLog /var/log/apache2/example.org.error.log

	ServerName http://example.org:80
</VirtualHost>

<VirtualHost *:80>
The virtual host declaration container. It applies to all IP addresses (*) and port 80.
CustomLog /var/log/apache2/example.org.log combined
The access log is named example.org.log and uses the format combined defined in conf-available/log_config.conf.
<Directory /srv/http/example.org/>
Access is granted to the document root as the apache2.conf file denies access to the entire file system for security reasons.
DocumentRoot /srv/http/example.org/
The document root (/srv/http/example.org/) is named after the domain name and should be replaced with the relevant document root directory.
ErrorLog /var/log/apache2/example.org.error.log
The error log is named example.org.error.log and uses the default error log format.
ServerName http://example.org:80
The server name is http://example.org:80. The server name should be replaced with the relevant server name.

Conclusion

Log rotation

The package installs a default logrotate configuration file (/etc/logrotate.d/apache2) that can be customised:

/var/log/apache2/*.log
{
	copytruncate
	maxage 365
	missingok
	monthly
	notifempty
	rotate 12
}

/var/log/apache2/*.log
Sets the configuration scope for the subsequent section. The pattern matches all files (*) ending with the extension log in the /var/log/apache2 directory.
copytruncate
Copy the contents of the log file being rotated into a new file and then truncate the original log file.
maxage 365
Remove log files older than 365 days.
missingok
Do not consider it an error if a log file is missing.
monthly
Perform a log rotation monthly.
notifempty
Do not perform a log rotation on an empty log file.
rotate 12
Perform 12 log rotations before older log files are removed.

Configuration enablement

The configuration is enabled using the provided helper scripts:

root@computer:~# a2enconf log_config
root@computer:~# a2enmod authz_core mpm_event
root@computer:~# a2ensite example.org

The authz_core module provides essential security mechanisms for the server.

The following optional modules enable Apache-generated directory indexing with Apache icons in directories without custom index files:

root@computer:~# a2enmod alias autoindex

The following optional module enables the use of custom index files in directories:

root@computer:~# a2enmod dir

Directory ownership and permissions

The configuration directory should be protected:

root@computer:~# chown --recursive root:adm /etc/apache2/
root@computer:~# chmod --recursive 0770 /etc/apache2/

The document root directory should be protected:

root@computer:~# chown --recursive root:adm /srv/http/
root@computer:~# chmod --recursive 0775 /srv/http/

The log directory should be protected:

root@computer:~# chown --recursive apache:adm /var/log/apache2/
root@computer:~# chmod --recursive 0750 /var/log/apache2/

Browser loopback

The following lines must be added to /etc/hosts so that a web browser will request example.org from the local machine instead of querying the Internet:

127.0.0.1	example.org
::1			example.org

The domain name (example.org) should be replaced with the relevant domain name.

A Domain Name System record must be created to make the web site accessible by domain name via the Internet.

Server initiation

Apache is started when the configuration is done:

root@computer:~# systemctl start apache2.service
