Apache2 and PHP5

From SaruWiki
Revision as of 12:34, 17 May 2009 by Saruman! (apache installation outlined)

Apache2

Installation of Apache2

Installation of Apache2 is quite simple:

apt-get install apache2

This brings in a slew of packages, among others apache2-mpm-worker, apache2-utils, libapr1 et cetera. When you want a different MPM worker (e.g. prefork), use aptitude to select that worker instead.

Configuration of Apache2

Once Apache2 is in place, you might want to enable SSL for it.

Installation of PHP5

Contribution needed.

Adding WebDAV to your Apache2

Thoughts about WebDAV and your configuration

Out of the box, your Debian Apache2 is prepared to start using WebDAV. All you need is to enable two modules: one for WebDAV itself, one for the authentication that you want to use. Since our server mainly uses LDAP, we'll describe WebDAV+LDAP here.

Furthermore, because WebDAV allows editing files on your server, security is paramount (well, it always is, of course. What we mean is that it's even more important now). The Apache project recommends:
The use of HTTP Basic Authentication is not recommended. You should use at least HTTP Digest Authentication, which is provided by the mod_auth_digest module. Nearly all WebDAV clients support this authentication method. An alternative is Basic Authentication over an SSL enabled connection.
Thus you should not use Basic Authentication (which is pretty simple to set up) unless you run it over SSL - so we do that as well. We choose the Virtual Host that defines our SSL site, and extend it with WebDAV functionality. If this is not what you want, consider stepping your authentication up to Digest Authentication.

Configuring WebDAV and LDAP for your SSL-enabled Virtual Host

First, enable the WebDAV and authnz_ldap modules:

a2enmod dav
a2enmod dav_fs
a2enmod authnz_ldap

Do not restart Apache2 just yet, because we haven't configured either the WebDAV site or its authentication!

Furthermore, a location for the DAV lock database must be specified in the global section of your Apache2 configuration file using the DavLockDB directive. To this end, create a file under /etc/apache2/conf.d named webdav containing this single line:

DavLockDB /var/run/apache2/DavLock

This will act as the (global) lock database for WebDAV; we don't need to specify it in any other configuration file (like the Virtual Host configuration files). Of course, your server should have a directory /var/run/apache2, and it must be writable for the user www-data under which Apache2 runs.

Next, adapt the virtual host that may employ WebDAV and LDAP authentication. The virtual host file needs a section that enables WebDAV (using the directive Dav On), and some directives on how to authorize users within this section. Suppose we want to enable WebDAV only for subdirectory webdav within virtual host http://www.saruman.biz/. Then in the corresponding Virtual Host file (something like /etc/apache2/sites-available/000-saruman.biz) we need to include the following section:

<Location /webdav>
   Order Allow,Deny
   Allow from all
   Dav On

These lines turn on WebDAV for the location /webdav. This of course means that there should be a directory in your server's filesystem named webdav and located under the root of this virtual host, e.g. /var/www/saruman.biz/webdav.

   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative On

This section sets up the authentication as HTTP Basic, with LDAP as the provider, and NOT allowing the authorization phase to fall back to other providers if LDAP cannot provide the required answer. If you want to use "require" statements from some other authorization provider, then you must set AuthzLDAPAuthoritative to "off".

   AuthName "Enter your Saruman.biz login"
   AuthLDAPURL "ldap://myserver.saruman.biz/ou=people,dc=saruman,dc=biz?mail" NONE
   AuthLDAPBindDN "cn=admin,dc=saruman,dc=biz"
   AuthLDAPBindPassword "mypassword"

The AuthName directive "sets the name of the authorization realm". The string provided for the AuthName is what will appear in the password dialog provided by most browsers.
The AuthLDAPURL should point to your server, and the word behind the question mark should be the LDAP field that you want to use as login. We use mail so that we can log in with our mail address.
The AuthLDAPBindDN should be of a user with the right to view the passwords of the users that will be using the WebDAV server, and the AuthLDAPBindPassword should be that user's password.

   require valid-user
</Location>

This last directive means that any user who has authenticated is granted access. Since only LDAP users can authenticate, this is just fine.

Next up, you need to create folder webdav under the root of your Virtual Host. Do not forget to make that folder owned by www-data:www-data and readable/writable only by that user:

cd /data/wwwroot/yoursite
mkdir webdav
chown www-data:www-data webdav
chmod 700 webdav    # a directory needs the execute bit to be entered; mode 660 would lock www-data out of its own folder

Now you can restart Apache2, see if it restarts ok, and then test your new WebDAV folder.
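Before that restart, an offline sanity check of the files written above helps catch the two mistakes the Apache advice warns about (Basic auth without SSL, and a missing DavLockDB) plus one more: the vhost file now holds the LDAP bind password in clear text, so it must not be world-readable. This script is an added example and not part of the SaruWiki page; the function check_dav_config, its three rules, and the constructed sample config files are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from SaruWiki: offline sanity checks for the WebDAV
# vhost described above. Rules:
#  1. a vhost that has "Dav On" and "AuthType Basic" must also have
#     "SSLEngine on" (Basic auth only over SSL, as the Apache project advises)
#  2. the global config must carry a DavLockDB directive
#  3. a file that holds AuthLDAPBindPassword must not be world-readable
check_dav_config() {
    vhost="$1"; global="$2"; rc=0
    if grep -Eqi '^[[:space:]]*Dav[[:space:]]+On' "$vhost" &&
       grep -Eqi '^[[:space:]]*AuthType[[:space:]]+Basic' "$vhost" &&
       ! grep -Eqi '^[[:space:]]*SSLEngine[[:space:]]+on' "$vhost"; then
        echo "FAIL: Basic auth for WebDAV without SSLEngine on in $vhost"; rc=1
    fi
    if ! grep -Eqi '^[[:space:]]*DavLockDB[[:space:]]+' "$global"; then
        echo "FAIL: no DavLockDB directive in $global"; rc=1
    fi
    if grep -Eqi '^[[:space:]]*AuthLDAPBindPassword' "$vhost" &&
       [ -n "$(find "$vhost" -perm -004)" ]; then
        echo "FAIL: $vhost holds the LDAP bind password but is world-readable"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real configuration files) for a demo run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/global" <<'EOF'
DavLockDB /var/run/apache2/DavLock
EOF
cat > "$demo_dir/ssl-vhost" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    <Location /webdav>
        Dav On
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPBindPassword "mypassword"
        require valid-user
    </Location>
</VirtualHost>
EOF
chmod 600 "$demo_dir/ssl-vhost"   # keep the bind password private
# Same Location block, but in a plain-HTTP vhost and world-readable.
sed 's/SSLEngine on/# no SSL here/' "$demo_dir/ssl-vhost" > "$demo_dir/http-vhost"
chmod 644 "$demo_dir/http-vhost"
check_dav_config "$demo_dir/ssl-vhost" "$demo_dir/global" && echo "ssl-vhost: OK"
check_dav_config "$demo_dir/http-vhost" "$demo_dir/global" || echo "http-vhost: rejected"
```

Run it against your real files as check_dav_config /etc/apache2/sites-available/000-saruman.biz /etc/apache2/conf.d/webdav; the SSLEngine rule is a per-file heuristic and assumes the vhost and its SSL settings live in the same file.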