This document is meant to be used by new debian and ubuntu users. It describes the various differences between upstream sources and the modifications made by the debian maintainers.
Please note that this is a work in progress, as Debian's configs are a moving target. Any comments are most welcome.
A more comprehensive list of changes can be found in /usr/share/doc/apache2.2-common/README.Debian.gz
Like many articles here, the main purpose of this one is to ease the difficulties arising from supporting new users in #httpd. One of the main causes of headaches there is people who are new to both Apache HTTPd and their Debian Linux system.
This guide describes how to make efficient use of the Debian configuration files, while preserving the various automation they provide. Please note that we will be working with the latest stable release.
Debian calls its main configuration file apache2.conf, which is the first source of confusion, because there is also an httpd.conf file in the configuration directory:
jmcg@panic:/etc/apache2$ ls -ltr
-rw-r--r-- 1 root root 59 2008-01-17 22:26 ports.conf
-rw-r--r-- 1 root root 378 2008-01-17 22:26 envvars
-rw-r--r-- 1 root root 0 2008-01-23 08:12 httpd.conf
drwxr-xr-x 2 root root 4096 2008-03-31 13:37 sites-enabled
-rw-r--r-- 1 root root 10826 2008-05-14 01:35 apache2.conf
drwxr-xr-x 2 root root 4096 2008-06-11 14:35 sites-available
drwxr-xr-x 2 root root 4096 2008-06-11 14:35 conf.d
drwxr-xr-x 2 root root 4096 2008-06-11 14:35 mods-enabled
drwxr-xr-x 2 root root 12288 2008-06-11 14:35 mods-available
But a quick apache2 -V reveals, among other useful things, what the configuration file is:
jmcg@panic:/etc/apache2$ sudo apache2 -V
Server version: Apache/2.2.8 (Debian)
Server built: May 13 2008 23:39:43
Server's Module Magic Number: 20051115:11
Server loaded: APR 1.2.12, APR-Util 1.2.12
Compiled using: APR 1.2.12, APR-Util 1.2.12
Server MPM: Prefork
forked: yes (variable process count)
Server compiled with....
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
The main problem with the apache2.conf file is not its name, but the lack of sane defaults, which we will now rectify:
# Change the default of 15 seconds to a more conservative value:
# Leave this as is, as it makes sense (see below)
# maybe change the name of the file..
# Define an access log for VirtualHosts that don't define their own logfiles
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined
# For reasons of paranoia, set this to Prod, instead of Debian's default 'Full'
# Same here; no one needs to know our version number:
# This is what will be returned by the above:
# Only disable this if you really want to ;)
# This is for usability:
# Debian puts this in their overly verbose Default VHost, but that's unnecessary. A single instance before all the virtual hosts is sufficient
Deny from all
# Assuming /var/www/ is the root of all of your vhosts, set sane defaults for it:
# The user may add +Indexes if he wishes to display a formatted list of the directory contents in the absence of index files as specified with the ''DirectoryIndex'' directive.
Allow from All
And that's it. These additions/changes in apache2.conf set sane defaults.
There's one marvelous attribute of Debian's configuration: the introduction of a default virtual host, and scripts to automate the addition/removal of sites.
The default sites file, called /etc/apache2/sites-available/default/000-default, contains this:
Options Indexes FollowSymLinks MultiViews
allow from all
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Allow from all
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
This configuration is overly verbose, complex, and unnecessary. Instead of pointing out every configuration error in it, I will rewrite it from scratch:
In apache2.conf change:
# Include all the user configurations:
# BUT not before declaring that we will be using Name-based vhosts!
Also Note that in newer versions of Ubuntu/Debian NameVirtualHost *:80 has been moved to ports.conf .
We removed the CustomLog directive as the one defined in apache2.conf will propagate to every virtual host - effectively reducing the number of open file handles.
We got rid of all the superfluous <Directory /var/www> and <Directory /> blocks - especially with its awkward Options directives. Again, with the sane settings in the apache2.conf file.
We defused the danger of ambiguity, by changing and moving the NameVirtualHost *:80 directive above the Include line for the virtual hosts, thus enabling new administrators to simply copy, paste, and edit this file.
a2enmod and a2dismod can be used to link configuration sinplets from mods-available to mods-enabled which then get's included into apache2.conf. This is supposed to ease administration. Yet special caution has to be taken with certain modules when enabled in Debian. A wiki page has already been devoted to PHP.
Another module worth mentioning is mod_proxy. It's default configuration is that of a Reverse-Proxy, and this is emphasized in Debian's default config:
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.
Deny from all
#Allow from .example.com
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
Now the problem here is the directive
Deny from all, which effectively denies access to the proxy, leading to
403 Errors ClientDeniedByServerConfiguration errors in the ErrorLog.