
Chapter 12. Web Servers

12.1. Apache HTTP Server
12.1.1. New Features
12.1.2. Notable Changes
12.1.3. Updating the Configuration
12.1.4. Running the httpd Service
12.1.5. Editing the Configuration Files
12.1.6. Working with Modules
12.1.7. Setting Up Virtual Hosts
12.1.8. Setting Up an SSL Server
12.1.9. Additional Resources
The HTTP (Hypertext Transfer Protocol) server, or web server, is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well.

12.1. Apache HTTP Server

This section focuses on the Apache HTTP Server 2.2, a robust, full-featured open source web server developed by the Apache Software Foundation, that is included in Fedora 16. It describes the basic configuration of the httpd service, and covers advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.
There are important differences between the Apache HTTP Server 2.2 and version 2.0, and if you are upgrading from a previous release of Fedora, you will need to update the httpd service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.

12.1.1. New Features

Apache HTTP Server version 2.2 introduces the following enhancements over version 2.0:
  • Improved caching modules, mod_cache and mod_disk_cache.
  • Support for proxy load balancing by means of the mod_proxy_balancer module.
  • Support for large files on 32-bit architectures, allowing the web server to handle files greater than 2GB.
  • A new structure for authentication and authorization support, replacing the authentication modules provided in previous versions.

12.1.2. Notable Changes

Since version 2.0, a few changes have been made to the default httpd service configuration:
  • The following modules are no longer loaded by default: mod_cern_meta and mod_asis.
  • The following module is newly loaded by default: mod_ext_filter.

12.1.3. Updating the Configuration

To update the configuration files from the Apache HTTP Server version 2.0, take the following steps:
  1. Make sure all module names are correct, since they may have changed. Adjust the LoadModule directive for each module that has been renamed.
  2. Recompile all third party modules before attempting to load them. This typically means authentication and authorization modules.
  3. If you use the mod_userdir module, make sure the UserDir directive indicating a directory name (typically public_html) is provided.
  4. If you use the Apache HTTP Secure Server, edit the /etc/httpd/conf.d/ssl.conf to enable the Secure Sockets Layer (SSL) protocol.
Note that you can check the configuration for possible errors by using the following command (apachectl configtest, or httpd -t, is equivalent):
service httpd configtest
For more information on upgrading the Apache HTTP Server configuration from version 2.0 to 2.2, refer to http://httpd.apache.org/docs/2.2/upgrading.html.
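Step 1 in practice, as an added example that is not part of this guide or of the Fedora httpd package: the access-control and authentication modules were split and renamed between version 2.0 and 2.2, so the old LoadModule lines must be rewritten rather than carried over. The module paths assume the Fedora layout, where modules/ is relative to the ServerRoot /etc/httpd/.

```apache
# Apache HTTP Server 2.0 directives that no longer load on 2.2,
# because each of these modules was renamed or split:
#LoadModule access_module modules/mod_access.so
#LoadModule auth_module   modules/mod_auth.so
#LoadModule imap_module   modules/mod_imap.so

# Equivalent 2.2 directives. Comments must stay on their own lines:
# httpd does not accept a trailing comment after a directive.

# Order, Allow and Deny (was mod_access)
LoadModule authz_host_module modules/mod_authz_host.so
# AuthType Basic front end (was part of mod_auth)
LoadModule auth_basic_module modules/mod_auth_basic.so
# AuthUserFile lookups (was part of mod_auth)
LoadModule authn_file_module modules/mod_authn_file.so
# Require user / Require valid-user (was part of mod_auth)
LoadModule authz_user_module modules/mod_authz_user.so
# AuthGroupFile and Require group (was part of mod_auth)
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# Server-side image maps (was mod_imap)
LoadModule imagemap_module modules/mod_imagemap.so
```

After editing, httpd -t reports syntax errors and httpd -M lists the modules that actually load, which is the quickest way to spot a LoadModule line that still refers to a 2.0 module file.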

12.1.4. Running the httpd Service

This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the httpd service, make sure you have the httpd installed. You can do so by using the following command as root:
yum install httpd
For more information on the concept of runlevels and how to manage system services in Fedora in general, refer to Chapter 7, Services and Daemons.

12.1.4.1. Starting the Service

To run the httpd service, type the following at a shell prompt as root:
systemctl start httpd.service
If you want the service to start automatically at the boot time, use the following command:
systemctl enable httpd.service
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

Using the secure server

If running the Apache HTTP Server as a secure server, a password may be required after the machine boots if using an encrypted private SSL key.

12.1.4.2. Stopping the Service

To stop the running httpd service, type the following at a shell prompt as root:
systemctl stop httpd.service
To prevent the service from starting automatically at the boot time, type:
systemctl disable httpd.service
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

12.1.4.3. Restarting the Service

There are three different ways to restart the running httpd service:
  1. To restart the service completely, type the following at a shell prompt as root:
    systemctl restart httpd.service
    This will stop the running httpd service, and then start it again. Use this command after installing or removing a dynamically loaded module such as PHP.
  2. To only reload the configuration, as root, type:
    systemctl reload httpd.service
    This will cause the running httpd service to reload the configuration file. Note that any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
  3. To reload the configuration without affecting active requests, run the following command as root:
    service httpd graceful
    This will cause the running httpd service to reload the configuration file gracefully: new child processes pick up the new configuration, while any requests being currently processed are completed under the old one. The same result can be obtained with apachectl graceful.
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

12.1.4.4. Checking the Service Status

To check whether the service is running, type the following at a shell prompt:
systemctl is-active httpd.service
Refer to Chapter 7, Services and Daemons for more information on how to configure services in Fedora.

12.1.5. Editing the Configuration Files

When the httpd service is started, by default, it reads the configuration from locations that are listed in Table 12.1, "httpd service configuration files".
Table 12.1. httpd service configuration files
Path Description
/etc/httpd/conf/httpd.conf The main configuration file.
/etc/httpd/conf.d/ An auxiliary directory for configuration files that are included in the main configuration file.

Although the default configuration should be suitable for most situations, it is a good idea to become at least familiar with some of the more important configuration options. Note that for any changes to take effect, the web server has to be restarted first. Refer to 「サービスの再開」 for more information on how to restart the httpd service.
To check the configuration for possible errors, type the following at a shell prompt (apachectl configtest, or httpd -t, is equivalent):
service httpd configtest
To make the recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.

12.1.5.1. Common httpd.conf Directives

The following directives are commonly used in the /etc/httpd/conf/httpd.conf configuration file:
<Directory>
The <Directory> directive allows you to apply certain directives to a particular directory only. It takes the following form:
<Directory directory>
  directive
  …
</Directory>
The directory can be either a full path to an existing directory in the local file system, or a wildcard expression.
This directive can be used to configure additional cgi-bin directories for server-side scripts located outside the directory that is specified by ScriptAlias. In this case, the ExecCGI and AddHandler directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755).
Example 12.1. Using the <Directory> directive
<Directory /var/www/html>
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
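An added example (not from the original guide) of the extra CGI directory that the paragraph above describes, written the way a security engineer would want it: compared with Example 12.1, directory listings and symbolic-link following are switched off, and no .htaccess file can change the settings. The directory /srv/www/app-cgi and the URL path /app-cgi/ are assumed names.

```apache
# URL prefix that maps onto the extra CGI directory. A plain Alias is
# used because the handler is set explicitly in the <Directory> below.
Alias /app-cgi/ /srv/www/app-cgi/

# /srv/www/app-cgi is an assumed path; it must exist, be mode 0755 and
# be owned by root, so the apache user can execute but not modify scripts.
<Directory /srv/www/app-cgi>
    # An absolute Options list: exactly ExecCGI, so Indexes and
    # FollowSymLinks from a parent <Directory> are not inherited.
    Options ExecCGI
    # Nothing in this tree can be overridden from a .htaccess file.
    AllowOverride None
    # Only files ending in .cgi are executed; anything else in the
    # directory would be served as a plain file, so keep only scripts here.
    AddHandler cgi-script .cgi
    Order allow,deny
    Allow from all
</Directory>
```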

<IfDefine>
The <IfDefine> directive allows you to use certain directives only when a particular parameter is supplied on the command line. It takes the following form:
<IfDefine [!]parameter>
  directive
  …
</IfDefine>
The parameter can be supplied at a shell prompt using the -Dparameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the parameter is not specified.
Example 12.2. Using the <IfDefine> directive
<IfDefine EnableHome>
  UserDir public_html
</IfDefine>

<IfModule>
The <IfModule> directive allows you to use certain directives only when a particular module is loaded. It takes the following form:
<IfModule [!]module>
  directive
  …
</IfModule>
The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the module is not loaded.
Example 12.3. Using the <IfModule> directive
<IfModule mod_disk_cache.c>
  CacheEnable disk /
  CacheRoot /var/cache/mod_proxy
</IfModule>

<Location>
The <Location> directive allows you to apply certain directives to a particular URL only. It takes the following form:
<Location url>
  directive
  …
</Location>
The url can be either a path relative to the directory specified by the DocumentRoot directive (for example, /server-info), or an external URL such as http://example.com/server-info.
Example 12.4. Using the <Location> directive
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
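The same restriction applied to both information-disclosure handlers, as an added example that is not part of the original guide. Allowing by hostname, as in Example 12.4, forces a reverse DNS lookup for every client and trusts its result, so this version allows by address only; 192.0.2.0/24 stands in for an administrative network and is an assumption. ExtendedStatus is the directive described later in this section.

```apache
# server-info dumps the effective configuration and server-status shows
# live requests, so both are denied by default and opened only to the
# loopback addresses and an assumed administrative network.
<IfModule mod_info.c>
    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from 192.0.2.0/24
    </Location>
</IfModule>

<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
        Allow from 192.0.2.0/24
    </Location>
    # Per-request detail (client address, requested URL) is only safe to
    # enable once the handler above is restricted as shown.
    ExtendedStatus On
</IfModule>
```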

<Proxy>
The <Proxy> directive allows you to apply certain directives to the proxy server only. It takes the following form:
<Proxy pattern>
  directive
  …
</Proxy>
The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*).
Example 12.5. Using the <Proxy> directive
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from .example.com
</Proxy>
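An added example (not from the original guide) of what usually surrounds a <Proxy> block: ProxyRequests defaults to Off, and keeping it that way is what prevents a permissive <Proxy *> from turning the server into an open forward proxy. The back end backend.example.com, the /app/ prefix and the 192.0.2.0/24 client network are assumptions.

```apache
# Forward proxying stays off: httpd will not relay requests for
# arbitrary Internet hosts. With ProxyRequests On, an "Allow from all"
# inside <Proxy *> makes the host an open proxy for anyone who finds it.
ProxyRequests Off

# Reverse proxying (ProxyPass) still works with ProxyRequests Off.
# Restrict which clients may reach the proxied resources at all.
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Proxy>

# Only this one prefix is forwarded, and only to the assumed back end;
# ProxyPassReverse rewrites Location headers coming back from it.
ProxyPass        /app/ http://backend.example.com/app/
ProxyPassReverse /app/ http://backend.example.com/app/
```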

<VirtualHost>
The <VirtualHost> directive allows you to apply certain directives to particular virtual hosts only. It takes the following form:
<VirtualHost address[:port]…>
  directive
  …
</VirtualHost>
The address can be an IP address, a fully qualified domain name, or a special form as described in Table 12.2, "Available <VirtualHost> options".
Table 12.2. Available <VirtualHost> options
Option Description
* Represents all IP addresses.
_default_ Represents unmatched IP addresses.

Example 12.6. Using the <VirtualHost> directive
<VirtualHost *:80>
  ServerAdmin webmaster@penguin.example.com
  DocumentRoot /www/docs/penguin.example.com
  ServerName penguin.example.com
  ErrorLog logs/penguin.example.com-error_log
  CustomLog logs/penguin.example.com-access_log common
</VirtualHost>
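A name-based setup with a deliberate catch-all, as an added example that is not part of the original guide. For name-based hosts the first <VirtualHost> for an address answers any request whose Host header matches no ServerName or ServerAlias, so that slot is given to an empty host that returns 404 rather than to the first real site. NameVirtualHost, described next in this section, is required for name-based hosts on version 2.2. The directory /var/www/empty (which must exist) and the name default.invalid are assumptions.

```apache
NameVirtualHost *:80

# First host for *:80, therefore the default for any Host header that
# matches nothing below (raw IP address, stale DNS, probing scanners).
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    # Answer everything with 404 instead of exposing another site's content.
    Redirect 404 /
    ErrorLog logs/default-error_log
    CustomLog logs/default-access_log combined
</VirtualHost>

# The real site, reached only when the Host header names it.
<VirtualHost *:80>
    ServerName penguin.example.com
    ServerAlias www.penguin.example.com
    ServerAdmin webmaster@penguin.example.com
    DocumentRoot /www/docs/penguin.example.com
    ErrorLog logs/penguin.example.com-error_log
    CustomLog logs/penguin.example.com-access_log combined
</VirtualHost>
```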

AccessFileName
The AccessFileName directive allows you to specify the file to be used to customize access control information for each directory. It takes the following form:
AccessFileName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess.
For security reasons, the directive is typically followed by the Files tag to prevent the files beginning with .ht from being accessed by web clients. This includes the .htaccess and .htpasswd files.
Example 12.7. Using the AccessFileName directive
AccessFileName .htaccess

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

Action
The Action directive allows you to specify a CGI script to be executed when a certain media type is requested. It takes the following form:
Action content-type path
The content-type has to be a valid MIME type such as text/html, image/png, or application/pdf. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/process-image.cgi).
Example 12.8. Using the Action directive
Action image/png /cgi-bin/process-image.cgi

AddDescription
The AddDescription directive allows you to specify a short description to be displayed in server-generated directory listings for a given file. It takes the following form:
AddDescription "description" filename
The description should be a short text enclosed in double quotes (that is, "). The filename can be a full file name, a file extension, or a wildcard expression.
Example 12.9. Using the AddDescription directive
AddDescription "GZIP compressed tar archive" .tgz

AddEncoding
The AddEncoding directive allows you to specify an encoding type for a particular file extension. It takes the following form:
AddEncoding encoding extension
The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc. The extension is matched case-insensitively, and is conventionally written with a leading dot (for example, .gz).
This directive is typically used to instruct web browsers to decompress certain file types as they are downloaded.
Example 12.10. Using the AddEncoding directive
AddEncoding x-gzip .gz .tgz

AddHandler
The AddHandler directive allows you to map certain file extensions to a selected handler. It takes the following form:
AddHandler handler extension
The handler has to be a name of a previously defined handler. The extension is matched case-insensitively, and is conventionally written with a leading dot (for example, .cgi).
This directive is typically used to treat files with the .cgi extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.
Example 12.11. Using the AddHandler directive
AddHandler cgi-script .cgi

AddIcon
The AddIcon directive allows you to specify an icon to be displayed for a particular file in server-generated directory listings. It takes the following form:
AddIcon path pattern
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/folder.png). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:
Table 12.3. Available AddIcon options
Option Description
^^DIRECTORY^^ Represents a directory.
^^BLANKICON^^ Represents a blank line (to format the list correctly).

Example 12.12. Using the AddIcon directive
AddIcon /icons/text.png .txt README

AddIconByEncoding
The AddIconByEncoding directive allows you to specify an icon to be displayed for a particular encoding type in server-generated directory listings. It takes the following form:
AddIconByEncoding path encoding
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/compressed.png). The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc.
Example 12.13. Using the AddIconByEncoding directive
AddIconByEncoding /icons/compressed.png x-compress x-gzip

AddIconByType
The AddIconByType directive allows you to specify an icon to be displayed for a particular media type in server-generated directory listings. It takes the following form:
AddIconByType path content-type
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/text.png). The content-type has to be either a valid MIME type (for example, text/html or image/png), or a wildcard expression such as text/*, image/*, etc.
Example 12.14. Using the AddIconByType directive
AddIconByType /icons/video.png video/*

AddLanguage
The AddLanguage directive allows you to associate a file extension with a specific language. It takes the following form:
AddLanguage language extension
The language has to be a valid MIME language such as cs, en, or fr. The extension is matched case-insensitively, and is conventionally written with a leading dot (for example, .cs).
This directive is especially useful for web servers that serve content in multiple languages based on the client's language settings.
Example 12.15. Using the AddLanguage directive
AddLanguage cs .cs .cz

AddType
The AddType directive allows you to define or override the media type for a particular file extension. It takes the following form:
AddType content-type extension
The content-type has to be a valid MIME type such as text/html, image/png, etc. The extension is matched case-insensitively, and is conventionally written with a leading dot (for example, .cs).
Example 12.16. Using the AddType directive
AddType application/x-gzip .gz .tgz

Alias
The Alias directive allows you to refer to files and directories outside the default directory specified by the DocumentRoot directive. It takes the following form:
Alias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /images/). The real-path is a full path to a file or directory in the local file system.
This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /icons/ alias is created so that the icons from /var/www/icons/ are displayed in server-generated directory listings.
Example 12.17. Using the Alias directive
Alias /icons/ /var/www/icons/

<Directory "/var/www/icons">
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>

Allow
The Allow directive allows you to specify which clients have permission to access a given directory. It takes the following form:
Allow from client
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.
Example 12.18. Using the Allow directive
Allow from 192.168.1.0/255.255.255.0

AllowOverride
The AllowOverride directive allows you to specify which directives in a .htaccess file can override the default configuration. It takes the following form:
AllowOverride type
The type has to be one of the available grouping options as described in Table 12.4, "Available AllowOverride options".
Table 12.4. Available AllowOverride options
Option Description
All All directives in .htaccess are allowed to override earlier configuration settings.
None No directive in .htaccess is allowed to override earlier configuration settings.
AuthConfig Allows the use of authorization directives such as AuthName, AuthType, or Require.
FileInfo Allows the use of file type, metadata, and mod_rewrite directives such as DefaultType, RequestHeader, or RewriteEngine, as well as the Action directive.
Indexes Allows the use of directory indexing directives such as AddDescription, AddIcon, or FancyIndexing.
Limit Allows the use of host access directives, that is, Allow, Deny, and Order.
Options[=option,…] Allows the use of the Options directive. Additionally, you can provide a comma-separated list of options to customize which options can be set using this directive.

Example 12.19. Using the AllowOverride directive
AllowOverride FileInfo AuthConfig Limit
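An added example (not from the original guide) of scoping AllowOverride: .htaccess processing is disabled for the whole document root and granted in one subtree only, and only for the AuthConfig group, which is all that is needed to require a login there. The path /var/www/html/private, the password file /etc/httpd/conf/private.htpasswd and the realm name are assumptions.

```apache
# Default for the whole document root: .htaccess files are ignored, so
# a writable web directory cannot be used to change server behaviour.
<Directory /var/www/html>
    AllowOverride None
</Directory>

# One subtree (assumed path) where content owners may require a login.
# Only the AuthConfig group is delegated; Options, FileInfo and Limit
# remain under central control in httpd.conf.
<Directory /var/www/html/private>
    AllowOverride AuthConfig
</Directory>

# Contents of /var/www/html/private/.htaccess, shown here as a comment
# because it is a separate file. The password file lives outside
# DocumentRoot so it can never be served as a document; create it with
#   htpasswd -c /etc/httpd/conf/private.htpasswd alice
#
#   AuthType Basic
#   AuthName "Private area"
#   AuthUserFile /etc/httpd/conf/private.htpasswd
#   Require valid-user
```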

BrowserMatch
The BrowserMatch directive allows you to modify the server behavior based on the client's web browser type. It takes the following form:
BrowserMatch pattern variable
The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.
By default, this directive is used to deny connections to specific browsers with known issues, and to disable keepalives and HTTP header flushes for browsers that are known to have problems with these actions.
Example 12.20. Using the BrowserMatch directive
BrowserMatch "Mozilla/2" nokeepalive

CacheDefaultExpire
The CacheDefaultExpire option allows you to set how long to cache a document that does not have any expiration date or the date of its last modification specified. It takes the following form:
CacheDefaultExpire time
The time is specified in seconds. The default option is 3600 (that is, one hour).
Example 12.21. Using the CacheDefaultExpire directive
CacheDefaultExpire 3600

CacheDisable
The CacheDisable directive allows you to disable caching of certain URLs. It takes the following form:
CacheDisable path
The path must be relative to the directory specified by the DocumentRoot directive (for example, /files/).
Example 12.22. Using the CacheDisable directive
CacheDisable /temporary

CacheEnable
The CacheEnable directive allows you to specify a cache type to be used for certain URLs. It takes the following form:
CacheEnable type url
The type has to be a valid cache type as described in Table 12.5, "Available cache types". The url can be a path relative to the directory specified by the DocumentRoot directive (for example, /images/), a protocol (for example, ftp://), or an external URL such as http://example.com/.
Table 12.5. Available cache types
Type Description
mem The memory-based storage manager.
disk The disk-based storage manager.
fd The file descriptor cache.

Example 12.23. Using the CacheEnable directive
CacheEnable disk /

CacheLastModifiedFactor
The CacheLastModifiedFactor directive allows you to customize how long to cache a document that does not have any expiration date specified, but that provides information about the date of its last modification. It takes the following form:
CacheLastModifiedFactor number
The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1 (that is, one tenth).
Example 12.24. Using the CacheLastModifiedFactor directive
CacheLastModifiedFactor 0.1

CacheMaxExpire
The CacheMaxExpire directive allows you to specify the maximum amount of time to cache a document. It takes the following form:
CacheMaxExpire time
The time is specified in seconds. The default option is 86400 (that is, one day).
Example 12.25. Using the CacheMaxExpire directive
CacheMaxExpire 86400

CacheNegotiatedDocs
The CacheNegotiatedDocs directive allows you to enable caching of the documents that were negotiated on the basis of content. It takes the following form:
CacheNegotiatedDocs option
The option has to be a valid keyword as described in Table 12.6, "Available CacheNegotiatedDocs options". Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off.
Table 12.6. Available CacheNegotiatedDocs options
Option Description
On Enables caching the content-negotiated documents.
Off Disables caching the content-negotiated documents.

Example 12.26. Using the CacheNegotiatedDocs directive
CacheNegotiatedDocs On

CacheRoot
The CacheRoot directive allows you to specify the directory to store cache files in. It takes the following form:
CacheRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/.
Example 12.27. Using the CacheRoot directive
CacheRoot /var/cache/mod_proxy

CustomLog
The CustomLog directive allows you to specify the log file name and the log file format. It takes the following form:
CustomLog path format
The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat directive.
Example 12.28. Using the CustomLog directive
CustomLog logs/access_log combined

DefaultIcon
The DefaultIcon directive allows you to specify an icon to be displayed for a file in server-generated directory listings when no other icon is associated with it. It takes the following form:
DefaultIcon path
The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/unknown.png).
Example 12.29. Using the DefaultIcon directive
DefaultIcon /icons/unknown.png

DefaultType
The DefaultType directive allows you to specify a media type to be used in case the proper MIME type cannot be determined by the server. It takes the following form:
DefaultType content-type
The content-type has to be a valid MIME type such as text/html, image/png, application/pdf, etc.
Example 12.30. Using the DefaultType directive
DefaultType text/plain

Deny
The Deny directive allows you to specify which clients are denied access to a given directory. It takes the following form:
Deny from client
The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.
Example 12.31. Using the Deny directive
Deny from 192.168.1.1

DirectoryIndex
The DirectoryIndex directive allows you to specify a document to be served to a client when a directory is requested (that is, when the URL ends with the / character). It takes the following form:
DirectoryIndex filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html, and index.html.var.
Example 12.32. Using the DirectoryIndex directive
DirectoryIndex index.html index.html.var

DocumentRoot
The DocumentRoot directive allows you to specify the main directory from which the content is served. It takes the following form:
DocumentRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/.
Example 12.33. Using the DocumentRoot directive
DocumentRoot /var/www/html

ErrorDocument
The ErrorDocument directive allows you to specify a document or a message to be displayed as a response to a particular error. It takes the following form:
ErrorDocument error-code action
The error-code has to be a valid code such as 403 (Forbidden), 404 (Not Found), or 500 (Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, ").
Example 12.34. Using the ErrorDocument directive
ErrorDocument 403 "Access Denied"
ErrorDocument 404 /404-not_found.html

ErrorLog
The ErrorLog directive allows you to specify a file to which the server errors are logged. It takes the following form:
ErrorLog path
The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is logs/error_log.
Example 12.35. Using the ErrorLog directive
ErrorLog logs/error_log

ExtendedStatus
The ExtendedStatus directive allows you to enable detailed server status information. It takes the following form:
ExtendedStatus option
The option has to be a valid keyword as described in Table 12.7, "Available ExtendedStatus options". The default option is Off.
Table 12.7. Available ExtendedStatus options
Option Description
On Enables generating the detailed server status.
Off Disables generating the detailed server status.

Example 12.36. Using the ExtendedStatus directive
ExtendedStatus On

Group
The Group directive allows you to specify the group under which the httpd service will run. It takes the following form:
Group group
The group has to be an existing UNIX group. The default option is apache.
Note that Group is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.
Example 12.37. Using the Group directive
Group apache

HeaderName
The HeaderName directive allows you to specify a file to be prepended to the beginning of the server-generated directory listing. It takes the following form:
HeaderName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html.
Example 12.38. Using the HeaderName directive
HeaderName HEADER.html

HostnameLookups
The HostnameLookups directive allows you to enable automatic resolving of IP addresses. It takes the following form:
HostnameLookups option
The option has to be a valid keyword as described in Table 12.8, "Available HostnameLookups options". To conserve resources on the server, the default option is Off.
Table 12.8. Available HostnameLookups options
Option Description
On Enables resolving the IP address for each connection so that the hostname can be logged. However, this also adds a significant processing overhead.
Double Enables performing the double-reverse DNS lookup. In comparison to the above option, this adds even more processing overhead.
Off Disables resolving the IP address for each connection.

Note that when the presence of hostnames is required in server log files, it is often possible to use one of the many log analyzer tools that perform the DNS lookups more efficiently.
Example 12.39. Using the HostnameLookups directive
HostnameLookups Off

Include
The Include directive allows you to include other configuration files. It takes the following form:
Include filename
The filename can be an absolute path, a path relative to the directory specified by the ServerRoot directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/ directory are loaded by default.
Example 12.40. Using the Include directive
Include conf.d/*.conf

IndexIgnore
The IndexIgnore directive allows you to specify a list of file names to be omitted from the server-generated directory listings. It takes the following form:
IndexIgnore filename
The filename option can be either a full file name, or a wildcard expression.
Example 12.41. Using the IndexIgnore directive
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

IndexOptions
The IndexOptions directive allows you to customize the behavior of server-generated directory listings. It takes the following form:
IndexOptions option
The option has to be a valid keyword as described in Table 12.9, "Available directory listing options". The default options are Charset=UTF-8, FancyIndexing, HTMLTable, NameWidth=*, and VersionSort.
Table 12.9. Available directory listing options
Option Description
Charset=encoding Specifies the character set of a generated web page. The encoding has to be a valid character set such as UTF-8 or ISO-8859-2.
Type=content-type Specifies the media type of a generated web page. The content-type has to be a valid MIME type such as text/html or text/plain.
DescriptionWidth=value Specifies the width of the description column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically.
FancyIndexing Enables advanced features such as different icons for certain files or possibility to re-sort a directory listing by clicking on a column header.
FolderFirst Enables listing directories first, always placing them above files.
HTMLTable Enables the use of HTML tables for directory listings.
IconsAreLinks Enables using the icons as links.
IconHeight=value Specifies an icon height. The value is a number of pixels.
IconWidth=value Specifies an icon width. The value is a number of pixels.
IgnoreCase Enables sorting files and directories in a case-insensitive manner.
IgnoreClient Disables accepting query variables from a client.
NameWidth=value Specifies the width of the file name column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically.
ScanHTMLTitles Enables parsing the file for a description (that is, the title element) in case it is not provided by the AddDescription directive.
ShowForbidden Enables listing the files with otherwise restricted access.
SuppressColumnSorting Disables re-sorting a directory listing by clicking on a column header.
SuppressDescription Disables reserving a space for file descriptions.
SuppressHTMLPreamble Disables the use of standard HTML preamble when a file specified by the HeaderName directive is present.
SuppressIcon Disables the use of icons in directory listings.
SuppressLastModified Disables displaying the date of the last modification field in directory listings.
SuppressRules Disables the use of horizontal lines in directory listings.
SuppressSize Disables displaying the file size in directory listings.
TrackModified Enables returning the Last-Modified and ETag values in the HTTP header.
VersionSort Enables sorting files that contain a version number in the expected manner.
XHTML Enables the use of XHTML 1.0 instead of the default HTML 3.2.

Example 12.42. Using the IndexOptions directive
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8

KeepAlive
The KeepAlive directive allows you to enable persistent connections. It takes the following form:
KeepAlive option
The option has to be a valid keyword as described in Table 12.10, "Available KeepAlive options". The default option in the Fedora httpd.conf is Off.
Table 12.10. Available KeepAlive options
Option Description
On Enables the persistent connections. In this case, the server will accept more than one request per connection.
Off Disables the keep-alive connections.

Note that when persistent connections are enabled, on a busy server the number of child processes can increase rapidly and eventually reach the maximum limit, slowing down the server significantly. To reduce the risk, it is recommended that you set KeepAliveTimeout to a low number, and monitor the /var/log/httpd/error_log log file carefully.
Example 12.43. Using the KeepAlive directive
KeepAlive Off

KeepAliveTimeout
The KeepAliveTimeout directive allows you to specify the amount of time to wait for another request before closing the connection. It takes the following form:
KeepAliveTimeout time
The time is specified in seconds. The default option is 15.
Example 12.44. Using the KeepAliveTimeout directive
KeepAliveTimeout 15

LanguagePriority
The LanguagePriority directive allows you to customize the precedence of languages. It takes the following form:
LanguagePriority language
The language has to be a valid MIME language such as cs, en, or fr.
This directive is especially useful for web servers that serve content in multiple languages based on the client's language settings.
Example 12.45. Using the LanguagePriority directive
LanguagePriority sk cs en

Listen
The Listen directive allows you to specify IP addresses or ports to listen to. It takes the following form:
Listen [ip-address:]port [protocol]
The ip-address is optional and unless supplied, the server will accept incoming requests on a given port from all IP addresses. Since the protocol is determined automatically from the port number, it can usually be omitted. The default option is to listen to port 80.
Note that if the server is configured to listen to a port under 1024, only the superuser will be able to start the httpd service.
Example 12.46. Using the Listen directive
Listen 80

LoadModule
The LoadModule directive allows you to load a Dynamic Shared Object (DSO) module. It takes the following form:
LoadModule name path
The name has to be a valid identifier of the required module. The path refers to an existing module file, and is either absolute or relative to the directory specified by the ServerRoot directive (that is, /etc/httpd/ by default); on Fedora, /etc/httpd/modules/ is a symbolic link to the directory in which the modules are placed (/usr/lib/httpd/modules/ on 32-bit and /usr/lib64/httpd/modules/ on 64-bit systems).
Refer to "Working with Modules" for more information on the Apache HTTP Server's DSO support.
Example 12.47. Using the LoadModule directive
LoadModule php5_module modules/libphp5.so

LogFormat
The LogFormat directive allows you to specify a log file format. It takes the following form:
LogFormat format name
The format is a string consisting of options as described in Table 12.11, "Common LogFormat options". The name can be used instead of the format string in the CustomLog directive.
Table 12.11. Common LogFormat options
Option Description
%b Represents the size of the response in bytes.
%h Represents the IP address or hostname of a remote client.
%l Represents the remote log name if supplied. If not, a hyphen (that is, -) is used instead.
%r Represents the first line of the request string as it came from the browser or client.
%s Represents the status code.
%t Represents the date and time of the request.
%u If the authentication is required, it represents the remote user. If not, a hyphen (that is, -) is used instead.
%{field} Represents the content of the HTTP header field. The common options include %{Referer} (the URL of the web page that referred the client to the server) and %{User-Agent} (the type of the web browser making the request).

Example 12.48 Using the LogFormat directive
LogFormat "%h %l %u %t \"%r\" %>s %b" common
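Parsing the common format above, as an added example that is not part of the original chapter: this Python script matches each field of the "%h %l %u %t \"%r\" %>s %b" format, converts the values to typed data, and tallies 4xx responses per remote host over a constructed sample log, the kind of first pass a defender makes over an access log. The sample log lines and the function names are assumptions of this example, not taken from the page.

```python
import re
from collections import Counter
from datetime import datetime

# One line written with the "common" format from Example 12.48:
#   LogFormat "%h %l %u %t \"%r\" %>s %b" common
COMMON_LOG_RE = re.compile(
    r'^(?P<host>\S+) '         # %h   remote IP address or hostname
    r'(?P<ident>\S+) '         # %l   remote logname, "-" when not supplied
    r'(?P<user>\S+) '          # %u   authenticated user, "-" when not required
    r'\[(?P<time>[^\]]+)\] '   # %t   e.g. [10/Oct/2011:13:55:36 -0700]
    r'"(?P<request>[^"]*)" '   # %r   first line of the request
    r'(?P<status>\d{3}) '      # %>s  final status code
    r'(?P<size>\d+|-)$'        # %b   response size in bytes, "-" when none
)

# Constructed sample access log (not taken from a real server); the last
# line is deliberately malformed to exercise the error path.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2011:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
192.0.2.10 - - [10/Oct/2011:13:55:37 -0700] "GET /images/logo.png HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2011:13:56:01 -0700] "GET /admin/ HTTP/1.1" 404 -
198.51.100.7 - - [10/Oct/2011:13:56:02 -0700] "GET /backup/ HTTP/1.1" 404 -
198.51.100.7 - joe [10/Oct/2011:13:56:05 -0700] "POST /cgi-bin/form.cgi HTTP/1.1" 403 278
this line is not in the common format
"""


def parse_common_log_line(line):
    """Return the typed fields of one common-format access log line.

    Raises ValueError for a line that does not follow the format, so the
    caller can count malformed entries rather than silently drop them.
    """
    m = COMMON_LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a common-format log line: %r" % line)
    f = m.groupdict()
    # %r is "METHOD PATH PROTOCOL"; a malformed request may have fewer parts,
    # so pad the split result before unpacking.
    method, path, protocol = (f["request"].split(" ") + ["", "", ""])[:3]
    return {
        "host": f["host"],
        "ident": None if f["ident"] == "-" else f["ident"],
        "user": None if f["user"] == "-" else f["user"],
        "time": datetime.strptime(f["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "protocol": protocol,
        "status": int(f["status"]),
        "size": 0 if f["size"] == "-" else int(f["size"]),
    }


def client_error_counts(lines):
    """Count 4xx responses per remote host across an iterable of log lines.

    Returns (host, count) pairs, highest count first. Lines that cannot be
    parsed are counted under the key "<malformed>" so that they stay visible.
    """
    errors = Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = parse_common_log_line(line)
        except ValueError:
            errors["<malformed>"] += 1
            continue
        if 400 <= entry["status"] < 500:
            errors[entry["host"]] += 1
    return errors.most_common()


if __name__ == "__main__":
    for host, count in client_error_counts(SAMPLE_LOG.splitlines()):
        print("%-16s %d client errors" % (host, count))
```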

LogLevel
The LogLevel directive allows you to customize the verbosity level of the error log. It takes the following form:
LogLevel option
The option has to be a valid keyword as described in Table 12.12, "Available LogLevel options". The default option is warn.
Table 12.12 Available LogLevel options
Option Description
emerg Only the emergency situations when the server cannot perform its work are logged.
alert All situations when an immediate action is required are logged.
crit All critical conditions are logged.
error All error messages are logged.
warn All warning messages are logged.
notice Even normal, but still significant situations are logged.
info Various informational messages are logged.
debug Various debugging messages are logged.

Example 12.49 Using the LogLevel directive
LogLevel warn

MaxKeepAliveRequests
The MaxKeepAliveRequests directive allows you to specify the maximum number of requests for a persistent connection. It takes the following form:
MaxKeepAliveRequests number
A high number can improve the performance of the server. Note that using 0 allows an unlimited number of requests. The default option is 100.
Example 12.50 Using the MaxKeepAliveRequests option
MaxKeepAliveRequests 100

NameVirtualHost
The NameVirtualHost directive allows you to specify the IP address and port number for a name-based virtual host. It takes the following form:
NameVirtualHost ip-address[:port]
The ip-address can be either a full IP address, or an asterisk (that is, *) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [ and ]). The port is optional.
Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.

Using secure HTTP connections

Name-based virtual hosting only works with non-secure HTTP connections. If you are using virtual hosts on a secure server, use IP address-based virtual hosts instead.
Example 12.51 Using the NameVirtualHost directive
NameVirtualHost *:80

Options
The Options directive allows you to specify which server features are available in a particular directory. It takes the following form:
Options option
The option has to be a valid keyword as described in Table 12.13, "Available server features".
Table 12.13 Available server features
Option Description
ExecCGI Enables the execution of CGI scripts.
FollowSymLinks Enables following symbolic links in the directory.
Includes Enables server-side includes (SSI).
IncludesNOEXEC Enables server-side includes (SSI) but does not allow the execution of commands.
Indexes Enables server-generated directory listings.
MultiViews Enables content-negotiated MultiViews.
SymLinksIfOwnerMatch Enables following symbolic links in the directory when both the link and the target file have the same owner.
All Enables all of the features above with the exception of MultiViews.
None Disables all of the features above.

Example 12.52 Using the Options directive
Options Indexes FollowSymLinks

Order
The Order directive allows you to specify the order in which the Allow and Deny directives are evaluated. It takes the following form:
Order option
The option has to be a valid keyword as described in Table 12.14, "Available Order options". The default option is allow,deny.
Table 12.14 Available Order options
Option Description
allow,deny Allow directives are evaluated first.
deny,allow Deny directives are evaluated first.

Example 12.53 Using the Order directive
Order allow,deny
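The interaction between Order and the Allow and Deny directives is a frequent source of misconfiguration, so the following Python script, added here and not part of the original chapter, evaluates both Order options for a client address and reads the rules out of a <Directory> block like the one in Example 12.58. The block texts, IP addresses and function names are constructed for illustration; hostname arguments to Allow and Deny are not implemented.

```python
import ipaddress


def rule_matches(rule, client_ip):
    """True when one argument of 'Allow from' / 'Deny from' matches client_ip.

    Supported argument forms: all, a full IP address, a CIDR network, a
    network/netmask pair, and a partial IPv4 address such as 10.1 (leading
    whole octets). Hostname and domain arguments are not implemented here.
    """
    rule = rule.lower()
    if rule == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in rule:
        # ip_network accepts both 10.1.0.0/16 and 10.1.0.0/255.255.0.0
        return addr in ipaddress.ip_network(rule, strict=False)
    try:
        return addr == ipaddress.ip_address(rule)
    except ValueError:
        pass  # not a complete address; fall through to the partial form
    if addr.version == 4 and all(p.isdigit() for p in rule.split(".")):
        prefix = rule.split(".")
        return str(addr).split(".")[: len(prefix)] == prefix
    return False


def access_allowed(order, allow_rules, deny_rules, client_ip):
    """Evaluate the Order semantics of Table 12.14 for one client address.

    order       -- "allow,deny" or "deny,allow"
    allow_rules -- arguments collected from Allow from ... directives
    deny_rules  -- arguments collected from Deny from ... directives
    """
    allowed = any(rule_matches(r, client_ip) for r in allow_rules)
    denied = any(rule_matches(r, client_ip) for r in deny_rules)
    order = order.lower().replace(" ", "")
    if order == "allow,deny":
        # Allow is evaluated first and must match; any matching Deny then
        # overrides it. A client matching neither directive is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first; a matching Allow overrides it. A client
        # matching neither directive is allowed.
        return allowed or not denied
    raise ValueError("unsupported Order option: %r" % order)


def parse_access_rules(block):
    """Collect Order, 'Allow from' and 'Deny from' arguments from the text of
    one <Directory> block. Returns (order, allow, deny); the order defaults
    to allow,deny when the block does not set it."""
    order, allow, deny = "allow,deny", [], []
    for raw in block.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) == 2:
            order = words[1]
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny


def block_allows(block, client_ip):
    """Decide whether client_ip may access the directory described by block."""
    order, allow, deny = parse_access_rules(block)
    return access_allowed(order, allow, deny, client_ip)


# Constructed blocks for illustration. The second one is a common mistake:
# with Order allow,deny, "Deny from all" is evaluated last and overrides the
# Allow, so nobody can reach the directory.
RESTRICT_TO_LAN = """
<Directory "/var/www/cgi-bin">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>
"""

BROKEN_RESTRICT = """
<Directory "/var/www/cgi-bin">
    Order allow,deny
    Deny from all
    Allow from 192.0.2.0/24
</Directory>
"""

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.1"):
        print(ip, "restricted:", block_allows(RESTRICT_TO_LAN, ip),
              "broken:", block_allows(BROKEN_RESTRICT, ip))
```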

PidFile
The PidFile directive allows you to specify a file to which the process ID (PID) of the server is stored. It takes the following form:
PidFile path
The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is run/httpd.pid.
Example 12.54 Using the PidFile directive
PidFile run/httpd.pid

ProxyRequests
The ProxyRequests directive allows you to enable forward proxy requests. It takes the following form:
ProxyRequests option
The option has to be a valid keyword as described in Table 12.15, "Available ProxyRequests options". The default option is Off.
Table 12.15 Available ProxyRequests options
Option Description
On Enables forward proxy requests.
Off Disables forward proxy requests.

Example 12.55 Using the ProxyRequests directive
ProxyRequests On

ReadmeName
The ReadmeName directive allows you to specify a file to be appended to the end of the server-generated directory listing. It takes the following form:
ReadmeName filename
The filename is a name of the file to look for in the requested directory. By default, the server looks for README.html.
Example 12.56 Using the ReadmeName directive
ReadmeName README.html

Redirect
The Redirect directive allows you to redirect a client to another URL. It takes the following form:
Redirect [status] path url
The status is optional, and if provided, it has to be a valid keyword as described in Table 12.16, "Available status options". The path refers to the old location, and must be relative to the directory specified by the DocumentRoot directive (for example, /docs). The url refers to the current location of the content (for example, http://docs.example.com).
Table 12.16 Available status options
Status Description
permanent Indicates that the requested resource has been moved permanently. The 301 (Moved Permanently) status code is returned to a client.
temp Indicates that the requested resource has been moved only temporarily. The 302 (Found) status code is returned to a client.
seeother Indicates that the requested resource has been replaced. The 303 (See Other) status code is returned to a client.
gone Indicates that the requested resource has been removed permanently. The 410 (Gone) status is returned to a client.

Note that for more advanced redirection techniques, you can use the mod_rewrite module that is part of the Apache HTTP Server installation.
Example 12.57 Using the Redirect directive
Redirect permanent /docs http://docs.example.com

ScriptAlias
The ScriptAlias directive allows you to specify the location of CGI scripts. It takes the following form:
ScriptAlias url-path real-path
The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/). The real-path is a full path to a file or directory in the local file system.
This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /cgi-bin/ alias is created so that the scripts located in /var/www/cgi-bin/ are accessible.
The ScriptAlias directive is used for security reasons to prevent CGI scripts from being viewed as ordinary text documents.
Example 12.58 Using the ScriptAlias directive
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

<Directory "/var/www/cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
</Directory>

ServerAdmin
The ServerAdmin directive allows you to specify the email address of the server administrator to be displayed in server-generated web pages. It takes the following form:
ServerAdmin email
The default option is root@localhost.
This directive is commonly set to webmaster@hostname, where hostname is the address of the server. Once set, alias webmaster to the person responsible for the web server in /etc/aliases, and as superuser, run the newaliases command.
Example 12.59 Using the ServerAdmin directive
ServerAdmin webmaster@penguin.example.com

ServerName
The ServerName directive allows you to specify the hostname and the port number of a web server. It takes the following form:
ServerName hostname[:port]
The hostname has to be a fully qualified domain name (FQDN) of the server. The port is optional, but when supplied, it has to match the number specified by the Listen directive.
When using this directive, make sure that the IP address and server name pair are included in the /etc/hosts file.
Example 12.60 Using the ServerName directive
ServerName penguin.example.com:80

ServerRoot
The ServerRoot directive allows you to specify the directory in which the server operates. It takes the following form:
ServerRoot directory
The directory must be a full path to an existing directory in the local file system. The default option is /etc/httpd/.
Example 12.61 Using the ServerRoot directive
ServerRoot /etc/httpd

ServerSignature
The ServerSignature directive allows you to enable displaying information about the server on server-generated documents. It takes the following form:
ServerSignature option
The option has to be a valid keyword as described in Table 12.17, "Available ServerSignature options". The default option is On.
Table 12.17 Available ServerSignature options
Option Description
On Enables appending the server name and version to server-generated pages.
Off Disables appending the server name and version to server-generated pages.
EMail Enables appending the server name, version, and the email address of the system administrator as specified by the ServerAdmin directive to server-generated pages.

Example 12.62 Using the ServerSignature directive
ServerSignature On

ServerTokens
The ServerTokens directive allows you to customize what information is included in the Server response header. It takes the following form:
ServerTokens option
The option has to be a valid keyword as described in Table 12.18, "Available ServerTokens options". The default option is OS.
Table 12.18 Available ServerTokens options
Option Description
Prod Includes the product name only (that is, Apache).
Major Includes the product name and the major version of the server (for example, 2).
Minor Includes the product name and the minor version of the server (for example, 2.2).
Min Includes the product name and the minimal version of the server (for example, 2.2.15).
OS Includes the product name, the minimal version of the server, and the type of the operating system it is running on (for example, Red Hat).
Full Includes all the information above along with the list of loaded modules.

Note that for security reasons, it is recommended to reveal as little information about the server as possible.
Example 12.63 Using the ServerTokens directive
ServerTokens Prod

SuexecUserGroup
The SuexecUserGroup directive allows you to specify the user and group under which the CGI scripts will be run. It takes the following form:
SuexecUserGroup user group
The user has to be an existing user, and the group must be a valid UNIX group.
For security reasons, the CGI scripts should not be run with root privileges. Note that in <VirtualHost>, SuexecUserGroup replaces the User and Group directives.
Example 12.64 Using the SuexecUserGroup directive
SuexecUserGroup apache apache

Timeout
The Timeout directive allows you to specify the amount of time to wait for an event before closing a connection. It takes the following form:
Timeout time
The time is specified in seconds. The default option is 60.
Example 12.65 Using the Timeout directive
Timeout 60

TypesConfig
The TypesConfig directive allows you to specify the location of the MIME types configuration file. It takes the following form:
TypesConfig path
The path refers to an existing MIME types configuration file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is /etc/mime.types.
Note that instead of editing /etc/mime.types, the recommended way to add MIME type mapping to the Apache HTTP Server is to use the AddType directive.
Example 12.66 Using the TypesConfig directive
TypesConfig /etc/mime.types

UseCanonicalName
The UseCanonicalName directive allows you to specify the way the server refers to itself. It takes the following form:
UseCanonicalName option
The option has to be a valid keyword as described in Table 12.19, "Available UseCanonicalName options". The default option is Off.
Table 12.19 Available UseCanonicalName options
Option Description
On Enables the use of the name that is specified by the ServerName directive.
Off Disables the use of the name that is specified by the ServerName directive. The hostname and port number provided by the requesting client are used instead.
DNS Disables the use of the name that is specified by the ServerName directive. The hostname determined by a reverse DNS lookup is used instead.

Example 12.67 Using the UseCanonicalName directive
UseCanonicalName Off

User
The User directive allows you to specify the user under which the httpd service will run. It takes the following form:
User user
The user has to be an existing UNIX user. The default option is apache.
For security reasons, the httpd service should not be run with root privileges. Note that User is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.
Example 12.68 Using the User directive
User apache

UserDir
The UserDir directive allows you to enable serving content from users' home directories. It takes the following form:
UserDir option
The option can be either a name of the directory to look for in the user's home directory (typically public_html), or a valid keyword as described in Table 12.20, "Available UserDir options". The default option is disabled.
Table 12.20 Available UserDir options
Option Description
enabled user Enables serving content from home directories of given users.
disabled [user] Disables serving content from home directories, either for all users, or, if a space separated list of users is supplied, for given users only.

Set the correct permissions

In order for the web server to access the content, the permissions on relevant directories and files must be set correctly. Make sure that all users are able to access the home directories, and that they can access and read the content of the directory specified by the UserDir directive. For example, to allow access to public_html/ in the home directory of user joe, type the following at a shell prompt as root:
~]# chmod a+x /home/joe/
~]# chmod a+rx /home/joe/public_html/
All files in this directory must be set accordingly.
Example 12.69 Using the UserDir directive
UserDir public_html

12.1.5.2. Common ssl.conf Directives

The Secure Sockets Layer (SSL) directives allow you to customize the behavior of the Apache HTTP Secure Server, and in most cases, they are configured appropriately during the installation. Be careful when changing these settings, as incorrect configuration can lead to security vulnerabilities.
The following directive is commonly used in /etc/httpd/conf.d/ssl.conf:
SetEnvIf
The SetEnvIf directive allows you to set environment variables based on the headers of incoming connections. It takes the following form:
SetEnvIf option pattern [!]variable[=value]…
The option can be either an HTTP header field, a previously defined environment variable name, or a valid keyword as described in Table 12.21, "Available SetEnvIf options". The pattern is a regular expression. The variable is an environment variable that is set when the option matches the pattern. If the optional exclamation mark (that is, !) is present, the variable is removed instead of being set.
Table 12.21 Available SetEnvIf options
Option Description
Remote_Host Refers to the client's hostname.
Remote_Addr Refers to the client's IP address.
Server_Addr Refers to the server's IP address.
Request_Method Refers to the request method (for example, GET).
Request_Protocol Refers to the protocol name and version (for example, HTTP/1.1).
Request_URI Refers to the requested resource.

The SetEnvIf directive is used to disable HTTP keepalives, and to allow SSL to close the connection without a closing notification from the client browser. This is necessary for certain web browsers that do not reliably shut down the SSL connection.
Example 12.70 Using the SetEnvIf directive
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

Note that for the /etc/httpd/conf.d/ssl.conf file to exist, mod_ssl must be installed. Refer to "Setting Up an SSL Server" for more information on how to install and configure an SSL server.

12.1.5.3. Common Multi-Processing Module Directives

The Multi-Processing Module (MPM) directives allow you to customize the behavior of a particular MPM specific server-pool. Since its characteristics differ depending on which MPM is used, the directives are embedded in IfModule. By default, the server-pool is defined for both the prefork and worker MPMs.
The following MPM directives are commonly used in /etc/httpd/conf/httpd.conf:
MaxClients
The MaxClients directive allows you to specify the maximum number of simultaneously connected clients to process at one time. It takes the following form:
MaxClients number
A high number can improve the performance of the server, although it is not recommended to exceed 256 when using the prefork MPM.
Example 12.71 Using the MaxClients directive
MaxClients 256

MaxRequestsPerChild
The MaxRequestsPerChild directive allows you to specify the maximum number of requests a child process can serve before it dies. It takes the following form:
MaxRequestsPerChild number
Setting the number to 0 allows an unlimited number of requests.
The MaxRequestsPerChild directive is used to prevent long-lived processes from causing memory leaks.
Example 12.72 Using the MaxRequestsPerChild directive
MaxRequestsPerChild 4000

MaxSpareServers
The MaxSpareServers directive allows you to specify the maximum number of spare child processes. It takes the following form:
MaxSpareServers number
This directive is used by the prefork MPM only.
Example 12.73 Using the MaxSpareServers directive
MaxSpareServers 20

MaxSpareThreads
The MaxSpareThreads directive allows you to specify the maximum number of spare server threads. It takes the following form:
MaxSpareThreads number
The number must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. This directive is used by the worker MPM only.
Example 12.74 Using the MaxSpareThreads directive
MaxSpareThreads 75

MinSpareServers
The MinSpareServers directive allows you to specify the minimum number of spare child processes. It takes the following form:
MinSpareServers number
Note that a high number can create a heavy processing load on the server. This directive is used by the prefork MPM only.
Example 12.75 Using the MinSpareServers directive
MinSpareServers 5

MinSpareThreads
The MinSpareThreads directive allows you to specify the minimum number of spare server threads. It takes the following form:
MinSpareThreads number
This directive is used by the worker MPM only.
Example 12.76 Using the MinSpareThreads directive
MinSpareThreads 75

StartServers
The StartServers directive allows you to specify the number of child processes to create when the service is started. It takes the following form:
StartServers number
Since the child processes are dynamically created and terminated according to the current traffic load, it is usually not necessary to change this value.
Example 12.77 Using the StartServers directive
StartServers 8

ThreadsPerChild
The ThreadsPerChild directive allows you to specify the number of threads a child process can create. It takes the following form:
ThreadsPerChild number
This directive is used by the worker MPM only.
Example 12.78 Using the ThreadsPerChild directive
ThreadsPerChild 25

12.1.6. Working with Modules

Being a modular application, the httpd service is distributed along with a number of Dynamic Shared Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. By default, these modules are located in /usr/lib/httpd/modules/ on 32-bit and in /usr/lib64/httpd/modules/ on 64-bit systems.

12.1.6.1. Loading a Module

To load a particular DSO module, use the LoadModule directive as described in "Common httpd.conf Directives". Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.d/ directory.
Example 12.79 Loading the mod_ssl DSO
LoadModule ssl_module modules/mod_ssl.so

Once you are finished, restart the web server to reload the configuration. Refer to "Restarting the Service" for more information on how to restart the httpd service.

12.1.6.2. Writing a Module

If you intend to create a new DSO module, make sure you have the httpd-devel package installed. To do so, type the following at a shell prompt as root:
yum install httpd-devel
This package contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.
Once written, you can build the module with the following command:
apxs -i -a -c module_name.c
If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.

12.1.7. Setting Up Virtual Hosts

The Apache HTTP Server's built-in virtual hosting allows the server to provide different information based on which IP address, hostname, or port is being requested.
To create a name-based virtual host, find the virtual host container provided in /etc/httpd/conf/httpd.conf as an example, remove the hash sign (that is, #) from the beginning of each line, and customize the options according to your requirements as shown in Example 12.80, "Sample virtual host configuration".
Example 12.80 Sample virtual host configuration
NameVirtualHost penguin.example.com:80

<VirtualHost penguin.example.com:80>
    ServerAdmin webmaster@penguin.example.com
    DocumentRoot /www/docs/penguin.example.com
    ServerName penguin.example.com:80
    ErrorLog logs/penguin.example.com-error_log
    CustomLog logs/penguin.example.com-access_log common
</VirtualHost>

Note that ServerName must be a valid DNS name assigned to the machine. The <VirtualHost> container is highly customizable, and accepts most of the directives available within the main server configuration. Directives that are not supported within this container include User and Group, which were replaced by SuexecUserGroup.

Changing the port number

If you configure a virtual host to listen on a non-default port, make sure you update the Listen directive in the global settings section of the /etc/httpd/conf/httpd.conf file accordingly.
To activate a newly created virtual host, the web server has to be restarted first. Refer to "Restarting the Service" for more information on how to restart the httpd service.

12.1.8. Setting Up an SSL Server

Secure Sockets Layer (SSL) is a cryptographic protocol that allows a server and a client to communicate securely. Along with its extended and improved version called Transport Layer Security (TLS), it ensures both privacy and data integrity. The Apache HTTP Server in combination with mod_ssl, a module that uses the OpenSSL toolkit to provide the SSL/TLS support, is commonly referred to as the SSL server.
Unlike a regular HTTP connection that can be read and possibly modified by anybody who is able to intercept it, the use of mod_ssl prevents any inspection or modification of the transmitted content. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.

12.1.8.1. An Overview of Certificates and Security

Secure communication is based on the use of keys. In conventional or symmetric cryptography, both ends of the transaction have the same key they can use to decode each other's transmissions. On the other hand, in public or asymmetric cryptography, two keys co-exist: a private key that is kept a secret, and a public key that is usually shared with the public. While the data encoded with the public key can only be decoded with the private key, data encoded with the private key can in turn only be decoded with the public key.
To provide secure communications using SSL, an SSL server must use a digital certificate signed by a Certificate Authority (CA). The certificate lists various attributes of the server (that is, the server hostname, the name of the company, its location, etc.), and the signature produced using the CA's private key. This signature ensures that a particular certificate authority has issued the certificate, and that the certificate has not been modified in any way.
When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the hostname listed in the certificate does not match the hostname used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.
By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection, otherwise they will be presented with an error message, and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible. For more information on this, see Table 12.22, "CA lists for most common web browsers".
Table 12.22 CA lists for most common web browsers
Web browser Link
Mozilla Firefox Mozilla root CA list
Opera The Opera Rootstore
Internet Explorer Windows root certificate program members

When setting up an SSL server, you need to generate a certificate request and a private key, and then send the certificate request, proof of the company's identity, and payment to a certificate authority. Once the CA verifies the certificate request and your identity, it will send you a signed certificate you can use with your server. Alternatively, you can create a self-signed certificate that does not contain a CA signature, and thus should be used for testing purposes only.

12.1.8.2. Enabling the mod_ssl Module

If you intend to set up an SSL server, make sure you have the mod_ssl (the mod_ssl module) and openssl (the OpenSSL toolkit) packages installed. To do so, type the following at a shell prompt as root:
yum install mod_ssl openssl
This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in "Restarting the Service".

12.1.8.3. Using an Existing Key and Certificate

If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are only two situations where this is not possible:
  1. You are changing the IP address or domain name.
    Certificates are issued for a particular IP address and domain name pair. If one of these values changes, the certificate becomes invalid.
  2. You have a certificate from VeriSign, and you are changing the server software.
    VeriSign, a widely used certificate authority, issues certificates for a particular software product, IP address, and domain name. Changing the software product renders the certificate invalid.
In either of the above cases, you will need to obtain a new certificate. For more information on this topic, refer to "Generating a New Key and Certificate".
If you wish to use an existing key and certificate, move the relevant files to the /etc/pki/tls/private/ and /etc/pki/tls/certs/ directories respectively. You can do so by running the following commands as root:
mv key_file.key /etc/pki/tls/private/hostname.key
mv certificate.crt /etc/pki/tls/certs/hostname.crt
Then add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
To load the updated configuration, restart the httpd service as described in "Restarting the Service".
Example 12.81 Using a key and certificate from the Red Hat Secure Web Server
~]# mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key
~]# mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt

12.1.8.4. Generating a New Key and Certificate

In order to generate a new key and certificate pair, you must have the crypto-utils package installed on your system. As root, you can install it by typing the following at a shell prompt:
yum install crypto-utils
This package provides a set of tools to generate and manage SSL certificates and private keys, and includes genkey, the Red Hat Keypair Generation utility that will guide you through the key generation process.

Replacing an existing certificate

If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers are notified of this change, update to this new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, as root, use the following command instead of genkey:
openssl req -x509 -new -set_serial number -key hostname.key -out hostname.crt

Remove a previously created key

If there already is a key file for a particular hostname in your system, genkey will refuse to start. In this case, remove the existing file using the following command as root:
rm /etc/pki/tls/private/hostname.key
To run the utility, as root, run the genkey command followed by the appropriate hostname (for example, penguin.example.com):
genkey hostname
To complete the key and certificate creation, take the following steps:
  1. Review the target locations in which the key and certificate will be stored.
    Figure 12.1 Running the genkey utility

    Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
  2. Using the Up and Down arrow keys, select a suitable key size. Note that while a larger key increases security, it also increases the response time of your server. Because of this, the recommended option is 1024 bits.
    Figure 12.2 Selecting the key size

    Once finished, use the Tab key to select the Next button, and press Enter to initiate the random bits generation process. Depending on the selected key size, this may take some time.
  3. Decide whether you wish to send a certificate request to a certificate authority.
    Figure 12.3 Generating a certificate request

    Use the Tab key to select Yes to compose a certificate request, or No to generate a self-signed certificate. Then press Enter to confirm your choice.
  4. Using the Spacebar key, enable ([*]) or disable ([ ]) the encryption of the private key.
    Figure 12.4 Encrypting the private key

    Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
  5. If you have enabled the private key encryption, enter an adequate passphrase. Note that for security reasons, it is not displayed as you type, and it must be at least five characters long.
    Figure 12.5 Entering a passphrase

    Use the Tab key to select the Next button, and press Enter to proceed to the next screen.

    Do not forget the passphrase

    Entering the correct passphrase is required in order for the server to start. If you lose it, you will need to generate a new key and certificate.
  6. Customize the certificate details.
    Figure 12.6 Specifying certificate information

    Use the Tab key to select the Next button, and press Enter to finish the key generation.
  7. If you have previously enabled the certificate request generation, you will be prompted to send it to a certificate authority.
    Figure 12.7 Instructions on how to send a certificate request

    Press Enter to return to a shell prompt.
Once generated, add the key and certificate locations to the /etc/httpd/conf.d/ssl.conf configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
Finally, restart the httpd service as described in "Restarting the Service", so that the updated configuration is loaded.

12.1.9. Additional Resources

To learn more about the Apache HTTP Server, refer to the following resources.

12.1.9.1. Installed Documentation

http://localhost/manual/
The official documentation for the Apache HTTP Server with the full description of its directives and available modules. Note that in order to access this documentation, you must have the httpd-manual package installed, and the web server must be running.
man httpd
The manual page for the httpd service containing the complete list of its command line options.
man genkey
The manual page for genkey containing the full documentation on its usage.

12.1.9.2. Useful Websites

http://httpd.apache.org/
The official website for the Apache HTTP Server with documentation on all the directives and default modules.
http://www.modssl.org/
The official website for the mod_ssl module.
http://www.openssl.org/
The OpenSSL home page containing further documentation, frequently asked questions, links to the mailing lists, and other useful resources.