Dedicated Apache Installation Guide

This installation guide is aimed at advanced users who wish to install their own dedicated Apache server instance. We will only cover Apache, but other web server software such as Lighttpd is also supported.

Fetch and extract the sources

Download the Apache distribution from httpd.apache.org (or ftp.csoft.net/distfiles), and unpack it under ~/src:

  $ cd ~/src
  $ tar -xzf httpd_x.x.xx.tar.gz
  $ cd httpd_x.x.xx
Compile and install your Apache instance

Now is time to define the compile-time options to use. To allow future upgrades, make sure to save the ./configure arguments to the file ~/src/httpd-config.sh. Our administrators will look for this file whenever your Apache installation will need to be recompiled (i.e., for security or reliability fixes, or to match upgrades in system libraries).

For the full list of modules and options, see the Apache documentation. Since your Apache instance runs entirely under your account, you don't need to worry about the suexec options. If you have multiple domain names, you probably want to enable the mod_vhost_alias to faciliate the configuration. If you want to use Subversion with mod_dav_svn (as described here), enable the dav module as well. A typical configuration might look like this:

./configure \
  "--prefix=$HOME/apache" \
  "--enable-vhost-alias" \
  "--disable-ssl" \
  "--disable-actions" \
  "--enable-rewrite" \
  "--enable-deflate"

If you need SSL support, add --enable-ssl. For DAV support (required by mod_dav_svn), pass --enable-dav as well.

Now you can compile and install Apache into your home directory:

  $ sh ~/src/httpd-config.sh
  $ make all install
Basic Apache configuration

Open up the Apache configuration file (./apache/conf/httpd.conf) in your favorite text editor.

First and foremost, you should set the KeepAlive parameter to On and configure KeepAliveTimeout to a sensible value, usually between 1 and 10. This parameter is crucial to performance and controls the number of seconds the connections with web browsers will remain open awaiting future queries. If you are serving pages with few or no images, you can set KeepAlive to Off (this will make your web server less susceptible to denial-of-service attacks).

It is also important to set the MaxClients parameter to a proper value that your server and the resources alloted under your hosting plan can accomodate (please contact us about tuning this parameter).

Assuming you have compiled Apache with the prefork MPM (the default), StartServers, MinSpareServers and MaxSpareServers need to be tweaked as well. Too many processes will not necessarily improve performance and bumping into your account's maximum process limit would cause problems.

  KeepAlive On
  StartServers 4
  MinSpareServers 2
  MaxSpareServers 3
  MaxRequestsPerChild 0
  MaxClients n

Look for the Listen directive and replace it with your v-host IP address (as shown by dns list in csoftadm). Specify 8080 for the port number (packets to port 80 will be redirected accordingly).

  Listen w.x.y.z:8080

If you need SSL support, add a second Listen entry with port 8443.

Now specify the location of your webpages with DocumentRoot. The VirtualDocumentRoot directive allows you to configure new domain names under your account (i.e., using the DNS section of the Control Panel or the dns commands in the Shell Interface), without having to edit httpd.conf every time. In this example, the VirtualDocumentRoot directive dictates that any domain domain.ext should simply point to /home/myself/www/domain.ext.

  DocumentRoot /home/myself/www
  VirtualDocumentRoot /home/myself/www/%0

We now need to allow access to the DocumentRoot:

  <Directory "/home/myself/www">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>

The Options string defines the default web server options. Indexes enables directory listings and FollowSymLinks instructs the web server to follow symbolic links. Other commonly used options include MultiViews to turn on the HTTP/1.1 language negotiation feature and ExecCGI for CGI script execution.

The AllowOverride parameter defines the ability of .htaccess files to override certain aspects of the server configuration on a per directory basis. If you prefer, you can avoid editing .htaccess files altogether and edit your httpd.conf instead (in that case, set AllowOverride to None).

Logfile configuration

Before using logs under your custom Apache server, make sure to disable your access and error logs with the shared Apache, otherwise conflicts will disrupt the logging process (see the Server Settings section of the Control Panel, or use conf from the Shell Interface).

The LogFormat directive specifies the format of log entries. Here we use the standard "combined" log format. The CustomLog directive specifies the location of the logfile. The preferred location for logfiles is /logs/username/:

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %V" combined
  CustomLog "/logs/myself/httpd" combined

You'll probably want to configure a log analysis tool such that the logfile is analyzed and rotated periodically. See Site statistics with Webalizer for details.

File extension mappings / directory index

The .cgi extension is usually associated with the cgi-script handler.

  AddHandler cgi-script .cgi
SSL support

If need SSL support, you need to specify at least SSLCertificateFile and SSL_CertificateKeyFile, set SSLEngine to On.

  <IfModule mod_ssl.c>
    Listen vhost-ip:8443
    SSLCertificateFile /home/myself/ssl/cert
    SSLCertificateKeyFile /home/myself/ssl/key
    SSLCertificateChainFile /home/myself/ssl/certchain
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/home/myself/tmp/ocsp(128000)
</IfModule>

SSL can be enabled or disabled for specific virtual hosts with the SSLEngine parameter:

  <VirtualHost vhost-ip:8080>
    ...
    SSLEngine Off
  </VirtualHost>
  <VirtualHost vhost-ip:8443>
    ...
    SSLEngine On
  </VirtualHost>
</IfDefine>

If you don't have a certificate signed by a recognized authority, you can always use a self-signed certificate as described in the SSL micro-howto.

Optional: PHP support with mod_php

You can fetch the PHP distribution from php.net (or ftp.csoft.net/distfiles) and unpack it in some temporary location:

  $ tar -xzf php-x.x.tar.gz
  $ cd php-x.x

Now choose the compilation settings. Again, please save the ./configure arguments to ~/src/php-config.sh. To ensure best performance, make sure to explicitely disable all the options which you do not require (these will otherwise be enabled by default if they exist on the system). The --prefix, --with-apxs2 and --disable-cgi options are required. A typical configuration might look like:

./configure \
  --prefix=$HOME/apache \
  --with-apxs2=$HOME/apache/bin/apxs \
  --with-config-file-path=$HOME/apache/conf \
  --disable-cgi \
  --disable-cli \
  --disable-ipv6 \
  --with-zlib=/usr \
  --with-mysql=/usr/local \
  --with-mysqli=/usr/local/bin/mysql_config \
  --with-pgsql=/usr/local \
  --without-mcrypt \
  --without-mhash \
  --without-imap \
  --without-imap-ssl \
  --without-gd \
  --without-ttf \
  --without-gettext \
  --without-iconv \
  --enable-libxml

If you are migrating from the shared Apache and want to make sure to use the same settings, you can check the phpinfo() for the PHP configuration you were previously using:

  $ echo '<?phpinfo()?>' php4-fat > php4-fat.html
  $ lynx php4-fat.html

You will probably want to enable GD and JPEG/PNG if some of your scripts are using imaging features. The --with-gd and --with-ttf options require special consideration. If your account is on an OpenBSD server, substitute /usr/local for /usr/X11R6.

  --with-gd=/usr/local \
  --with-ttf=/usr/local \
  --with-jpeg-dir=/usr/local \
  --with-png-dir=/usr/local

If your scripts use internationalization, enable iconv and gettext:

  --with-iconv=/usr/local \
  --with-gettext=/usr/local

If your scripts need the MBSTRING extension, use --enable-mbstring. Do not enable this option unless you really need it.

When you are satisfied with the settings, install PHP and copy the example php.ini to the directory specified in --with-config-file-path. Open up php.ini in an editor and tweak the settings to your liking.

  $ sh ~/src/php-config.sh
  $ make all install
  $ cp php.ini-dist ~/apache/conf/php.ini
  $ cp /etc/php5/php.ini ~/apache/conf/php.ini

If you were previously using, say, the php5-fat configuration, you can copy the standard server php.ini:

  $ cp /etc/php5-fat/php.ini ~/apache/conf

Finally, make sure the necessary directives exist in your httpd.conf:

  LoadModule php5_module modules/libphp5.so
  AddHandler php5-script .php
  AddType text/html .php
  DirectoryIndex index.html index.php
Optional: eAccelerator for mod_php

We recommend that you install the eAccelerator extension, to improve the performance of PHP scripts. Fetch eaccelerator-*.tar.bz2 from the eAccelerator website (or ftp.csoft.net/distfiles) and unpack it in a temporary location. Download the file eaccelerator-config.sh or copy/paste the following:

#!/bin/sh

export CFLAGS="-O2"
export PHP_PREFIX="$HOME/apache"
export AUTOCONF_VERSION="2.59"

$PHP_PREFIX/bin/phpize
if  $? != 0 ; then exit 1; fi

./configure \
	--enable-eaccelerator=shared \
	--with-php-config=${PHP_PREFIX}/bin/php-config


Now build the extension. From the eAccelerator source directory, run:

$ sh eaccelerator-config.sh
$ make
$ make install

Open up your php.ini file (i.e., ~/apache/conf/php.ini), and add the following. Substitute yourname for your username:

extension=eaccelerator.so
eaccelerator.shm_size="4"
eaccelerator.cache_dir="/home/yourname/tmp"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

Finally, create the ~/tmp directory (or whatever you've used for eaccelerator.cache_dir):

  $ mkdir -m 700 ~/tmp
Optional: mod_fastcgi

If you wish to run FastCGI applications, you will need the mod_fastcgi module loaded into your server. Fetch the latest version from ftp.csoft.net/distfiles and unpack it to some temporary location. In the mod_fastcgi source directory, issue:

  $ cp Makefile.AP2 Makefile
  $ make top_dir=$HOME/apache
  $ make top_dir=$HOME/apache install

Then, make sure the necessary directives exist in your httpd.conf:

 LoadModule fastcgi_module modules/mod_fastcgi.so
 
 <IfModule fastcgi_module>
  AddHandler fastcgi-script .fcgi

  FastCgiConfig -maxClassProcesses 10 -maxProcesses 20 -restart
      -singleThreshold 100 -killInterval 120 -idle-timeout 60
      -restart-delay 1 -pass-header HTTP_AUTHORIZATION
  FastCgiIpcDir "/home/myself/tmp/fastcgi"
 </Ifmodule>

See the mod_fastcgi documentation for details.

Optional: mod_wsgi
Optional: Subversion support with mod_dav_svn
If you want to serve Subversion repositories using HTTP or HTTPS, see: Configuring subversion access over HTTP/DAV.
Optional: Output compression filter

Sites with a lot of HTML content will benefit from compression. This is especially true for visitors with slow links. Apache can be configured to automatically compress output for browsers which support it. Add the following to your httpd.conf to enable compression:

 <Location />
  SetOutputFilter DEFLATE
  # Browser quirks
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0678 no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  # Don't compress images
  SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
 </Location>

This requires Apache to have been compiled with --enable-deflate.

Optional: Other modules

You are free to use the Apache modules of your choice. We also provide official technical support for every module mentioned in your hosting plan description.

Launching the web server

You can now start the daemon and test it remotely. If the server is unreachable, consult the ErrorLog file.

  $ ~/apache/bin/apachectl start
  $ lynx http://domain.ext:8080

If you have enabled SSL:

  $ lynx http://domain.ext:8443

It is critical to add a @reboot directive to your crontab so that your server will be started automatically whenever the machines hosting your account are rebooted. Use crontab -e to bring up your crontab in the default text editor and add the line:

  @reboot $HOME/apache/bin/apachectl start

You may want to use the standard Apache utilities without having to provide the full ~/apache/bin path:

  $ mkdir ~/bin
  $ ln -s ~/apache/bin/apachectl ~/bin
  $ ln -s ~/apache/bin/apxs ~/bin
Requesting the redirection
When you are ready for your Apache server to handle requests for your domains, send us a request via the contact form. We will set up a packet-level "rewriting rule" such that the standard, privileged ports 80 and 443 (for SSL) can be used by your Apache server.

We will also perform the few additional steps needed for redundancy, such that a backup server will automatically start up your server if the master server fails.

Csoft.net
© 2024 CubeSoft Communications
All Rights Reserved.