Apache - Httqm's Docs

Use SSLProtocol.

Because simple things often get uselessly complex (SysVinit + init scripts / Upstart + service / systemd + systemctl), and because commands vary depending on distros, here's a little ~~cheatsheet~~ reminder :

Red Hatoids :
- RHEL 6.x : apachectl restart (source)
Debianoids :

While configuring SSLSessionCache, you may be interested in detailed information to make sure everything is going extremely well. To do so, mod_status can display a report about the SSL/TLS cache :

either via a web browser
or in a machine-readable format, which is convenient to query via CLI

I don't know whether this is a bug / limitation / feature / PEBKAC, but I've not been able to get the SSL/TLS Session Cache Status: report when querying with curl : everything else looks fine, this section is just missing ().

Command

Here's my quick-n-dirty solution that parses HTML with Bash :

one-shot :
curl http://$(hostname -i)/server-status | awk 'BEGIN {found=0} /Session Cache Status/ {found=1} {if (found==1) {print}}' | sed -r 's/<br>/\n/g; s/<[^>]+>//g'
re-run command every 10 seconds :
watch -n 10 -d "curl http://$(hostname -i)/server-status | awk 'BEGIN {found=0} /Session Cache Status/ {found=1} {if (found==1) {print}}' | sed -r 's/<br>/\n/g; s/<[^>]+>//g'"

Output

with an empty cache

SSL/TLS Session Cache Status:

cache type: SHMCB, shared memory: 512000 bytes, current entries: 0
subcaches: 32, indexes per subcache: 88
index usage: 0%, cache usage: 0%
total entries stored since starting: 0
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss

with some cached data

SSL/TLS Session Cache Status:

cache type: SHMCB, shared memory: 512000 bytes, current entries: 2
subcaches: 32, indexes per subcache: 88
time left on oldest entries' objects: avg: 237 seconds, (range: 217...257)
index usage: 0%, cache usage: 0%
total entries stored since starting: 2
total entries replaced since starting: 0
total entries expired since starting: 0
total (pre-expiry) entries scrolled out of the cache: 0
total retrieves since starting: 0 hit, 1 miss
total removes since starting: 0 hit, 0 miss

You have edited the configuration and now want to apply it without actually doing a stop + start of Apache, which would interrupt user sessions.

What we want to perform here is a graceful restart.
Many answers suggest commands relying on init scripts (/etc/init.d/*, service or systemctl). This is not right or wrong per se, but these commands rely on wrappers that send the actual signals to daemons. Depending on the signal sent by these wrapper scripts, you'll perform a graceful restart or a stop+start.

Let's find out :

systemctl status httpd

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since lun. 2020-11-16 09:43:06 CET; 3 months 10 days ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 31746 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 1275 (httpd)

cat /usr/lib/systemd/system/httpd.service

[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/httpd
ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful		reload will perform a graceful restart
ExecStop=/bin/kill -WINCH ${MAINPID}

Now it's up to you :

systemctl reload httpd
httpd -k graceful

on Red Hatoids :
- httpd -t
on Debianoids :
- apache2ctl -t

This is for Apache2.x.

on Red Hatoids :
- httpd -M
on Debianoids :
- ll /etc/apache2/mods-enabled/
- apache2ctl -t -D DUMP_MODULES
- apache2ctl -M

On the web server :

make available the new website :
1. cp /etc/apache2/sites-available/default /etc/apache2/sites-available/myNewWebSite
2. edit /etc/apache2/sites-available/myNewWebSite and set values :
  - ServerName myNewWebsite (3rd line)
  - DocumentRoot /path/to/myNewWebsite/files
  - <Directory /path/to/myNewWebsite/files>
enable the new website :
1. cd /etc/apache2/sites-enabled
2. ln -s ../sites-available/myNewWebSite
3. apache2ctl restart

On the client :

add a new entry to /etc/hosts such as : 12.34.56.78 myNewWebSite
check /etc/hosts permissions
open your web browser at : http://myNewWebSite

With mod_expires :

	<IfModule mod_expires.c>
		ExpiresActive On
		ExpiresDefault "access plus 1 month"

		ExpiresByType text/html "access plus 5 minutes"
		ExpiresByType text/css "access plus 10 minutes"
		ExpiresByType image/* "access plus 3 minutes"
	</IfModule>

With mod_headers :

Looks like using <IfModule headers_module> or <IfModule mod_headers.c> makes no difference.

	<IfModule headers_module>
		Header set Cache-Control "max-age=123456, public"
	</IfModule>

It is possible to mimic the ExpiresByType behavior by setting headers based on the file extension. file extension != content-type :

	<IfModule mod_headers.c>
		(other settings)

		<FilesMatch "\.(jpg|jpeg|png|gif)$">
			Header set Cache-Control "max-age=42, public"
		</FilesMatch>
		<FilesMatch "\.(js|css)$">
			Header set Cache-Control "max-age=96, public"
		</FilesMatch>
	</IfModule>

Generic situation :

In the Virtual Host definition or in the directory to restrict, create a .htaccess file and fill in the directives (source) :
```
AuthType Basic
AuthName "[your prompt here]"
AuthUserFile /path/to/.htpasswd
Require valid-user
```
Create the /path/to/.htpasswd file and populate it as shown below.

For Free.fr :

In the directory to restrict, create a .htaccess file such as :

PerlSetVar AuthFile /path/to/.htpasswd
AuthName "Explicit Grant Required"
AuthType Basic
Require valid-user

Then, create a .htpasswd file like :
```
user1:password1
user2:password2
```
To do so :
1. create a new .htpasswd file : htpasswd -c /path/to/.htpasswd userName. This will prompt for a password.
2. add a new user to an existing .htpasswd file : htpasswd /path/to/.htpasswd userName
There is some special stuff for Free.fr servers (sources : 1, 2) :
- about the .htpasswd path : use the PerlSetVar AuthFile directive instead of AuthUserFile. Give it a path relative to the root of the virtualhost.
- Don't crypt passwords

Apache - How to ... ?

How to disable the deprecated SSL / TLS protocols ?

How to restart Apache ?

How to get the SSL/TLS Session Cache Status: report from mod_status via CLI ?

Situation

Details

Solution

Command

Output

with an empty cache

with some cached data

How to reload the configuration without restarting Apache ?

Situation

Details

Solution

How to check Apache configuration ?

How to list the loaded modules ?

How to create a new web site on a virtual host ?