
Web Servers

A _web server_ is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well. Web servers are also known as HTTP servers, as they use the _hypertext transport protocol_ (*HTTP*).

The Apache HTTP Server

The web server available in Fedora is the Apache HTTP server daemon, httpd, an open source web server developed by the Apache Software Foundation. This section describes the basic configuration of the httpd service, and covers some advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.

Running the httpd Service

This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the httpd service, make sure you have the httpd package installed. You can do so by using the following command:

# dnf install httpd

For more information on the concept of targets and how to manage system services in Fedora in general, see Services and Daemons.

Starting the Service

To run the `httpd` service, type the following at a shell prompt as `root`:

# systemctl start httpd.service

If you want the service to start automatically at boot time, use the following command:

# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Using the secure server

If running the Apache HTTP Server as a secure server, a password may be required after the machine boots if you are using an encrypted private SSL key.

Stopping the Service

To stop the running httpd service, type the following at a shell prompt as `root`:

# systemctl stop httpd.service

To prevent the service from starting automatically at boot time, type:

# systemctl disable httpd.service
rm '/etc/systemd/system/multi-user.target.wants/httpd.service'

Restarting the Service

There are three different ways to restart a running httpd service:

  1. To restart the service completely, enter the following command as `root`:

# systemctl restart httpd.service

This stops the running httpd service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.

  2. To only reload the configuration, without interrupting active requests, enter the following command as `root`:

# systemctl reload httpd.service

This causes the running httpd service to reload its configuration file. Any requests currently being processed will not be interrupted, so configuration changes will only take effect for new client connections.

  3. To reload the configuration and immediately terminate any active connections, enter the following command as root:

# systemctl kill --kill-who=main --signal=HUP httpd

Verifying the Service Status

To verify that the httpd service is running, type the following at a shell prompt:

# systemctl is-active httpd.service
active

Editing the Configuration Files

When the httpd service is started, by default, it reads the configuration from locations that are listed in The httpd service configuration files.

Table 1. The httpd service configuration files

Path | Description
/etc/httpd/conf/httpd.conf | The main configuration file.
/etc/httpd/conf.d/ | An auxiliary directory for configuration files that are included in the main configuration file.

Although the default configuration should be suitable for most situations, it is a good idea to become at least familiar with some of the more important configuration options. Note that for any changes to take effect, the web server has to be restarted or reloaded first. See Restarting the Service for more information on how to restart the httpd service. To check the configuration for possible errors before doing so, type the following at a shell prompt:

# apachectl configtest
Syntax OK

To make the recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.
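An added example, not from the Fedora guide: a small Python wrapper that ties the syntax check above to the reload procedure from Restarting the Service, so that a broken configuration is never reloaded into a running server. The command lists CONFIGTEST and RELOAD and the function name are the author's own; the commands are parameters so the function can be exercised with stand-in commands on a host without httpd.

```python
import subprocess

# Added example, not part of the Fedora guide: gate "systemctl reload" on a
# passing "apachectl configtest" so that a syntax error in httpd.conf or in
# /etc/httpd/conf.d/ cannot leave the server stopped. The two commands are
# parameters (assumed names) so the function can be exercised without httpd.
CONFIGTEST = ["apachectl", "configtest"]
RELOAD = ["systemctl", "reload", "httpd.service"]


def reload_if_valid(configtest=CONFIGTEST, reload=RELOAD):
    """Run the syntax check; reload only if it passes.

    Returns (ok, message). apachectl prints "Syntax OK" or the first error
    ("Syntax error on line N of ...") to stderr, so that is what is reported.
    """
    check = subprocess.run(configtest, capture_output=True, text=True)
    if check.returncode != 0:
        return False, (check.stderr or check.stdout).strip()
    result = subprocess.run(reload, capture_output=True, text=True)
    if result.returncode != 0:
        return False, result.stderr.strip() or "reload failed"
    return True, "configuration check passed, httpd reloaded"


if __name__ == "__main__":
    import sys

    ok, message = reload_if_valid()
    print(message)
    sys.exit(0 if ok else 1)
```

Run it as root after editing the configuration; the exit status is non-zero whenever the check or the reload fails, so it can be used directly from a deployment script.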

Common httpd.conf Directives

The following directives are commonly used in the /etc/httpd/conf/httpd.conf configuration file:

<Directory>

The <Directory> directive allows you to apply certain directives to a particular directory only. It takes the following form:

<Directory directory>
  directive
  …
</Directory>

The _directory_ can be either a full path to an existing directory in the local file system, or a wildcard expression.

This directive can be used to configure additional cgi-bin directories for server-side scripts located outside the directory that is specified by ScriptAlias. In this case, the ExecCGI and AddHandler directives must be supplied, and the permissions on the target directory must be set correctly (that is, 0755).

Example 1. Using the <Directory> directive
<Directory /var/www/html>
  Options Indexes FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
<IfDefine>

The IfDefine directive allows you to use certain directives only when a particular parameter is supplied on the command line. It takes the following form:

<IfDefine !parameter>
  directive
  …
</IfDefine>

The parameter can be supplied at a shell prompt using the -Dparameter command line option (for example, httpd -DEnableHome). If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the parameter is not specified.

Example 2. Using the <IfDefine> directive
<IfDefine EnableHome>
  UserDir public_html
</IfDefine>
<IfModule>

The <IfModule> directive allows you to use certain directive only when a particular module is loaded. It takes the following form:

<IfModule !module>
  directive
  …
</IfModule>

The module can be identified either by its name, or by the file name. If the optional exclamation mark (that is, !) is present, the enclosed directives are used only when the module is not loaded. Be aware that a block whose module is not loaded is skipped silently, with no error at startup; for instance, the disk cache module was renamed from mod_disk_cache to mod_cache_disk in httpd 2.4, so an <IfModule mod_disk_cache.c> block has no effect on that release.

Example 3. Using the <IfModule> directive
<IfModule mod_disk_cache.c>
  CacheEnable disk /
  CacheRoot /var/cache/mod_proxy
</IfModule>
<Location>

The <Location> directive allows you to apply certain directives to a particular URL only. It takes the following form:

<Location url>
  directive
  …
</Location>

The url can be either a URL path (for example, /server-info) or, when the server acts as a proxy, an external URL such as http://example.com/server-info. Note that it matches the request URL, not a location in the local file system.

Example 4. Using the <Location> directive
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
<Proxy>

The <Proxy> directive allows you to apply certain directives to the proxy server only. It takes the following form:

<Proxy pattern>
  directive
  …
</Proxy>

The pattern can be an external URL, or a wildcard expression (for example, http://example.com/*).

Example 5. Using the <Proxy> directive
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from .example.com
</Proxy>
<VirtualHost>

The <VirtualHost> directive allows you apply certain directives to particular virtual hosts only. It takes the following form:

<VirtualHost address:port…>
  directive
  …
</VirtualHost>

The _address_ can be an IP address, a fully qualified domain name, or a special form as described in Available <VirtualHost> options.

Table 2. Available <VirtualHost> options

Option | Description
* | Represents all IP addresses.
_default_ | Represents unmatched IP addresses.

Example 6. Using the <VirtualHost> directive
<VirtualHost *:80>
  ServerAdmin webmaster@penguin.example.com
  DocumentRoot /www/docs/penguin.example.com
  ServerName penguin.example.com
  ErrorLog logs/penguin.example.com-error_log
  CustomLog logs/penguin.example.com-access_log common
</VirtualHost>
AccessFileName

The AccessFileName directive allows you to specify the file to be used to customize access control information for each directory. It takes the following form:

AccessFileName filename

The filename is a name of the file to look for in the requested directory. By default, the server looks for .htaccess. For security reasons, the directive is typically followed by the Files tag to prevent the files beginning with .ht from being accessed by web clients. This includes the .htaccess and .htpasswd files. In httpd 2.4, the equivalent block uses Require all denied instead of the Order and Deny directives shown below.

Example 7. Using the AccessFileName directive
AccessFileName .htaccess

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>
Action

The Action directive allows you to specify a CGI script to be executed when a certain media type is requested. It takes the following form:

Action content-type path

The content-type has to be a valid MIME type such as text/html, image/png, or application/pdf. The path refers to an existing CGI script, and must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/process-image.cgi).

Example 8. Using the Action directive
Action image/png /cgi-bin/process-image.cgi
AddDescription

The AddDescription directive allows you to specify a short description to be displayed in server-generated directory listings for a given file. It takes the following form:

AddDescription "description" filename

The description should be a short text enclosed in double quotes (that is, "). The filename can be a full file name, a file extension, or a wildcard expression.

Example 9. Using the AddDescription directive
AddDescription "GZIP compressed tar archive" .tgz
AddEncoding

The AddEncoding directive allows you to specify an encoding type for a particular file extension. It takes the following form:

AddEncoding encoding extension

The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .gz).

This directive is typically used to instruct web browsers to decompress certain file types as they are downloaded.

Example 10. Using the AddEncoding directive
AddEncoding x-gzip .gz .tgz
AddHandler

The AddHandler directive allows you to map certain file extensions to a selected handler. It takes the following form:

AddHandler handler extension

The handler has to be a name of previously defined handler. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cgi).

This directive is typically used to treat files with the .cgi extension as CGI scripts regardless of the directory they are in. Additionally, it is also commonly used to process server-parsed HTML and image-map files.

Example 11. Using the AddHandler directive
AddHandler cgi-script .cgi
AddIcon

The AddIcon directive allows you to specify an icon to be displayed for a particular file in server-generated directory listings. It takes the following form:

AddIcon path pattern

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/folder.png). The pattern can be a file name, a file extension, a wildcard expression, or a special form as described in the following table:

Table 3. Available AddIcon options

Option | Description
^^DIRECTORY^^ | Represents a directory.
^^BLANKICON^^ | Represents a blank line.

Example 12. Using the AddIcon directive
AddIcon /icons/text.png .txt README
AddIconByEncoding

The AddIconByEncoding directive allows you to specify an icon to be displayed for a particular encoding type in server-generated directory listings. It takes the following form:

AddIconByEncoding path encoding

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/compressed.png). The encoding has to be a valid MIME encoding such as x-compress, x-gzip, etc.

Example 13. Using the AddIconByEncoding directive
AddIconByEncoding /icons/compressed.png x-compress x-gzip
AddIconByType

The AddIconByType directive allows you to specify an icon to be displayed for a particular media type in server-generated directory listings. It takes the following form:

AddIconByType path content-type

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/text.png). The content-type has to be either a valid MIME type (for example, text/html or image/png), or a wildcard expression such as text/*, image/*, etc.

Example 14. Using the AddIconByType directive
AddIconByType /icons/video.png video/*
AddLanguage

The AddLanguage directive allows you to associate a file extension with a specific language. It takes the following form:

AddLanguage language extension

The language has to be a valid MIME language such as cs, en, or fr. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.

Example 15. Using the AddLanguage directive
AddLanguage cs .cs .cz
AddType

The AddType directive allows you to define or override the media type for a particular file extension. It takes the following form:

AddType content-type extension

The content-type has to be a valid MIME type such as text/html, image/png, etc. The extension is a case sensitive file extension, and is conventionally written with a leading dot (for example, .cs).

Example 16. Using the AddType directive
AddType application/x-gzip .gz .tgz
Alias

The Alias directive allows you to refer to files and directories outside the default directory specified by the DocumentRoot directive. It takes the following form:

Alias url-path real-path

The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /images/). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by the Directory tag with additional permissions to access the target directory. By default, the /icons/ alias is created so that the icons from /var/www/icons/ are displayed in server-generated directory listings.

Example 17. Using the Alias directive
Alias /icons/ /var/www/icons/

<Directory "/var/www/icons">
  Options Indexes MultiViews FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
Allow

The Allow directive allows you to specify which clients have permission to access a given directory. It takes the following form:

Allow from client

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients. Note that in httpd 2.4 the Allow, Deny, and Order directives are provided by mod_access_compat for backwards compatibility only; new configurations should use the Require directive instead (for example, Require ip 192.168.1.0/24 or Require all granted).

Example 18. Using the Allow directive
Allow from 192.168.1.0/255.255.255.0
AllowOverride

The AllowOverride directive allows you to specify which directives in a .htaccess file can override the default configuration. It takes the following form:

AllowOverride type

The type has to be one of the available grouping options as described in Available AllowOverride options.

Table 4. Available AllowOverride options

Option | Description
All | All directives in .htaccess are allowed to override earlier configuration settings.
None | No directive in .htaccess is allowed to override earlier configuration settings.
AuthConfig | Allows the use of authorization directives such as AuthName, AuthType, or Require.
FileInfo | Allows the use of file type, metadata, and mod_rewrite directives such as DefaultType, RequestHeader, or RewriteEngine, as well as the Action directive.
Indexes | Allows the use of directory indexing directives such as AddDescription, AddIcon, or FancyIndexing.
Limit | Allows the use of host access directives, that is, Allow, Deny, and Order.
Options=option,… | Allows the use of the Options directive. Additionally, you can provide a comma-separated list of options to customize which options can be set using this directive.

Example 19. Using the AllowOverride directive
AllowOverride FileInfo AuthConfig Limit
BrowserMatch

The BrowserMatch directive allows you to modify the server behavior based on the client’s web browser type. It takes the following form:

BrowserMatch pattern variable

The pattern is a regular expression to match the User-Agent HTTP header field. The variable is an environment variable that is set when the header field matches the pattern.

By default, this directive is used to deny connections to specific browsers with known issues, and to disable keepalives and HTTP header flushes for browsers that are known to have problems with these actions.

Example 20. Using the BrowserMatch directive
BrowserMatch "Mozilla/2" nokeepalive
CacheDefaultExpire

The CacheDefaultExpire directive allows you to set how long to cache a document that does not have any expiration date or the date of its last modification specified. It takes the following form:

CacheDefaultExpire time

The _time_ is specified in seconds. The default option is `3600` (that is, one hour).

Example 21. Using the CacheDefaultExpire directive
CacheDefaultExpire 3600
CacheDisable

The CacheDisable directive allows you to disable caching of certain URLs. It takes the following form:

CacheDisable path

The path must be relative to the directory specified by the DocumentRoot directive (for example, /files/).

Example 22. Using the CacheDisable directive
CacheDisable /temporary
CacheEnable

The CacheEnable directive allows you to specify a cache type to be used for certain URLs. It takes the following form:

CacheEnable type url

The type has to be a valid cache type as described in Available cache types. The url can be a path relative to the directory specified by the DocumentRoot directive (for example, /images/), a protocol (for example, ftp://), or an external URL such as http://example.com/.

Table 5. Available cache types

Type | Description
mem | The memory-based storage manager.
disk | The disk-based storage manager.
fd | The file descriptor cache.

Note that the mem and fd storage managers were provided by mod_mem_cache, which was removed in httpd 2.4; current releases provide the disk type (mod_cache_disk) and the socache type (mod_cache_socache).

Example 23. Using the CacheEnable directive
CacheEnable disk /
CacheLastModifiedFactor

The CacheLastModifiedFactor directive allows you to customize how long to cache a document that does not have any expiration date specified, but that provides information about the date of its last modification. It takes the following form:

CacheLastModifiedFactor number

The number is a coefficient to be used to multiply the time that passed since the last modification of the document. The default option is 0.1 (that is, one tenth).

Example 24. Using the CacheLastModifiedFactor directive
CacheLastModifiedFactor 0.1
CacheMaxExpire

The CacheMaxExpire directive allows you to specify the maximum amount of time to cache a document. It takes the following form:

CacheMaxExpire time

The _time_ is specified in seconds. The default option is `86400` (that is, one day).

Example 25. Using the CacheMaxExpire directive
CacheMaxExpire 86400
CacheNegotiatedDocs

The CacheNegotiatedDocs directive allows you to enable caching of the documents that were negotiated on the basis of content. It takes the following form:

CacheNegotiatedDocs option

The option has to be a valid keyword as described in Available CacheNegotiatedDocs options. Since the content-negotiated documents may change over time or because of the input from the requester, the default option is Off.

Table 6. Available CacheNegotiatedDocs options

Option | Description
On | Enables caching the content-negotiated documents.
Off | Disables caching the content-negotiated documents.

Example 26. Using the CacheNegotiatedDocs directive
CacheNegotiatedDocs On
CacheRoot

The CacheRoot directive allows you to specify the directory to store cache files in. It takes the following form:

CacheRoot directory

The directory must be a full path to an existing directory in the local file system. The default option is /var/cache/mod_proxy/.

Example 27. Using the CacheRoot directive
CacheRoot /var/cache/mod_proxy
CustomLog

The CustomLog directive allows you to specify the log file name and the log file format. It takes the following form:

CustomLog path format

The path refers to a log file, and must be relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The format has to be either an explicit format string, or a format name that was previously defined using the LogFormat directive.

Example 28. Using the CustomLog directive
CustomLog logs/access_log combined
DefaultIcon

The DefaultIcon directive allows you to specify an icon to be displayed for a file in server-generated directory listings when no other icon is associated with it. It takes the following form:

DefaultIcon path

The path refers to an existing icon file, and must be relative to the directory specified by the DocumentRoot directive (for example, /icons/unknown.png).

Example 29. Using the DefaultIcon directive
DefaultIcon /icons/unknown.png
DefaultType

The DefaultType directive allows you to specify a media type to be used in case the proper MIME type cannot be determined by the server. It takes the following form:

DefaultType content-type

The content-type has to be a valid MIME type such as text/html, image/png, application/pdf, etc.

Example 30. Using the DefaultType directive
DefaultType text/plain
Deny

The Deny directive allows you to specify which clients are denied access to a given directory. It takes the following form:

Deny from client

The client can be a domain name, an IP address (both full and partial), a network/netmask pair, or all for all clients.

Example 31. Using the Deny directive
Deny from 192.168.1.1
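The following Python script is an added example (it is not part of the Fedora guide or of httpd) that models how the Allow, Deny, and Order directives combine, as used in Example 4, Example 5, Example 18, and Example 31 above. The matcher, the evaluate function, and the sample blocks are the author's own construction: in particular, a domain-name specification is matched against a host name passed in explicitly, whereas httpd performs a double-reverse DNS lookup itself. It also shows the classic mistake of pairing Order deny,allow with Deny from one address and Allow from all, which permits the very address that was meant to be blocked.

```python
import ipaddress

# Added example, not from the Fedora guide or httpd: a model of how Allow,
# Deny and Order (mod_authz_host in httpd 2.2, mod_access_compat in 2.4)
# decide access. The host name for domain specifications is an explicit
# argument here (assumption); httpd resolves it with a double-reverse lookup.


def match_client(spec, ip, hostname=None):
    """Return True if one Allow/Deny client specification matches the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:
        # network/netmask pair, either CIDR (10.0.0.0/8) or dotted
        # (192.168.1.0/255.255.255.0); ipaddress accepts both forms
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec[0].isdigit():
        # full IPv4 address, or a partial one such as 10.1 matching 10.1.*.*
        return ip == spec or ip.startswith(spec.rstrip(".") + ".")
    # domain name: matches the host itself and any host under it
    if hostname is None:
        return False
    hostname = hostname.lower()
    domain = spec.lstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def evaluate(order, allows, denies, ip, hostname=None):
    """Apply the Order semantics to lists of Allow and Deny specifications."""
    allowed = any(match_client(s, ip, hostname) for s in allows)
    denied = any(match_client(s, ip, hostname) for s in denies)
    if order in ("allow,deny", "mutual-failure"):
        # default is to reject: at least one Allow must match and no Deny may
        return allowed and not denied
    if order == "deny,allow":
        # default is to permit: a matching Deny rejects unless an Allow matches
        return allowed or not denied
    raise ValueError("unknown Order: %s" % order)


def parse_access_block(text):
    """Extract Order/Allow/Deny from a <Directory>, <Location> or <Proxy> block.

    Other directives are ignored. httpd's default when Order is absent is
    deny,allow (everything permitted unless denied).
    """
    order, allows, denies = "deny,allow", [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def client_allowed(block, ip, hostname=None):
    order, allows, denies = parse_access_block(block)
    return evaluate(order, allows, denies, ip, hostname)


# Constructed blocks: the first is the guide's Example 4; the other two try to
# block one address, but only the allow,deny version actually does so.
SERVER_INFO_BLOCK = """
<Location /server-info>
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from .example.com
</Location>
"""

BLOCKLIST_WRONG = """
<Directory /var/www/html>
  Order deny,allow
  Deny from 192.168.1.1
  Allow from all
</Directory>
"""

BLOCKLIST_RIGHT = """
<Directory /var/www/html>
  Order allow,deny
  Allow from all
  Deny from 192.168.1.1
</Directory>
"""
```

With Order deny,allow the Allow from all line wins over the Deny, so BLOCKLIST_WRONG lets 192.168.1.1 through; with Order allow,deny the Deny is applied after the Allow and the address is rejected. On httpd 2.4 the same intent is expressed unambiguously with Require all granted inside a RequireAll block together with Require not ip 192.168.1.1.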
DirectoryIndex

The DirectoryIndex directive allows you to specify a document to be served to a client when a directory is requested (that is, when the URL ends with the / character). It takes the following form:

DirectoryIndex filename

The filename is a name of the file to look for in the requested directory. By default, the server looks for index.html, and index.html.var.

Example 32. Using the DirectoryIndex directive
DirectoryIndex index.html index.html.var
DocumentRoot

The DocumentRoot directive allows you to specify the main directory from which the content is served. It takes the following form:

DocumentRoot directory

The directory must be a full path to an existing directory in the local file system. The default option is /var/www/html/.

Example 33. Using the DocumentRoot directive
DocumentRoot /var/www/html
ErrorDocument

The ErrorDocument directive allows you to specify a document or a message to be displayed as a response to a particular error. It takes the following form:

ErrorDocument error-code action

The error-code has to be a valid code such as 403 (Forbidden), 404 (Not Found), or 500 (Internal Server Error). The action can be either a URL (both local and external), or a message string enclosed in double quotes (that is, ").

Example 34. Using the ErrorDocument directive
ErrorDocument 403 "Access Denied"
ErrorDocument 404 /404-not_found.html
ErrorLog

The ErrorLog directive allows you to specify a file to which the server errors are logged. It takes the following form:

ErrorLog path

The path refers to a log file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is logs/error_log.

Example 35. Using the ErrorLog directive
ErrorLog logs/error_log
ExtendedStatus

The ExtendedStatus directive allows you to enable detailed server status information. It takes the following form:

ExtendedStatus option

The option has to be a valid keyword as described in Available ExtendedStatus options. The default option is Off.

Table 7. Available ExtendedStatus options

Option | Description
On | Enables generating the detailed server status.
Off | Disables generating the detailed server status.

Example 36. Using the ExtendedStatus directive
ExtendedStatus On
Group

The Group directive allows you to specify the group under which the httpd service will run. It takes the following form:

Group group

The group has to be an existing UNIX group. The default option is apache.

Note that Group is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.

Example 37. Using the Group directive
Group apache
HeaderName

The HeaderName directive allows you to specify a file to be prepended to the beginning of the server-generated directory listing. It takes the following form:

HeaderName filename

The filename is a name of the file to look for in the requested directory. By default, the server looks for HEADER.html.

Example 38. Using the HeaderName directive
HeaderName HEADER.html
HostnameLookups

The HostnameLookups directive allows you to enable automatic resolving of IP addresses. It takes the following form:

HostnameLookups option

The option has to be a valid keyword as described in Available HostnameLookups options. To conserve resources on the server, the default option is Off.

Table 8. Available HostnameLookups options

Option | Description
On | Enables resolving the IP address for each connection so that the hostname can be logged. However, this also adds a significant processing overhead.
Double | Enables performing the double-reverse DNS lookup. In comparison to the above option, this adds even more processing overhead.
Off | Disables resolving the IP address for each connection.

Note that when the presence of hostnames is required in server log files, it is often possible to use one of the many log analyzer tools that perform the DNS lookups more efficiently.

Example 39. Using the HostnameLookups directive
HostnameLookups Off
Include

The Include directive allows you to include other configuration files. It takes the following form:

Include filename

The filename can be an absolute path, a path relative to the directory specified by the ServerRoot directive, or a wildcard expression. All configuration files from the /etc/httpd/conf.d/ directory are loaded by default.

Example 40. Using the Include directive
Include conf.d/*.conf
IndexIgnore

The IndexIgnore directive allows you to specify a list of file names to be omitted from the server-generated directory listings. It takes the following form:

IndexIgnore filename

The filename option can be either a full file name, or a wildcard expression.

Example 41. Using the IndexIgnore directive
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
IndexOptions

The IndexOptions directive allows you to customize the behavior of server-generated directory listings. It takes the following form:

IndexOptions option

The option has to be a valid keyword as described in Available directory listing options. The default options are Charset=UTF-8, FancyIndexing, HTMLTable, NameWidth=*, and VersionSort.

Table 9. Available directory listing options

Option | Description
Charset=encoding | Specifies the character set of a generated web page. The encoding has to be a valid character set such as UTF-8 or ISO-8859-2.
Type=content-type | Specifies the media type of a generated web page. The content-type has to be a valid MIME type such as text/html or text/plain.
DescriptionWidth=value | Specifies the width of the description column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically.
FancyIndexing | Enables advanced features such as different icons for certain files or the possibility to re-sort a directory listing by clicking on a column header.
FolderFirst | Enables listing directories first, always placing them above files.
HTMLTable | Enables the use of HTML tables for directory listings.
IconsAreLinks | Enables using the icons as links.
IconHeight=value | Specifies an icon height. The value is a number of pixels.
IconWidth=value | Specifies an icon width. The value is a number of pixels.
IgnoreCase | Enables sorting files and directories in a case-insensitive manner.
IgnoreClient | Disables accepting query variables from a client.
NameWidth=value | Specifies the width of the file name column. The value can be either a number of characters, or an asterisk (that is, *) to adjust the width automatically.
ScanHTMLTitles | Enables parsing the file for a description (that is, the title element) in case it is not provided by the AddDescription directive.
ShowForbidden | Enables listing the files with otherwise restricted access.
SuppressColumnSorting | Disables re-sorting a directory listing by clicking on a column header.
SuppressDescription | Disables reserving a space for file descriptions.
SuppressHTMLPreamble | Disables the use of the standard HTML preamble when a file specified by the HeaderName directive is present.
SuppressIcon | Disables the use of icons in directory listings.
SuppressLastModified | Disables displaying the date of the last modification field in directory listings.
SuppressRules | Disables the use of horizontal lines in directory listings.
SuppressSize | Disables displaying the file size field in directory listings.
TrackModified | Enables returning the Last-Modified and ETag values in the HTTP header.
VersionSort | Enables sorting files that contain a version number in the expected manner.
XHTML | Enables the use of XHTML 1.0 instead of the default HTML 3.2.

Example 42. Using the IndexOptions directive
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8
KeepAlive

The KeepAlive directive allows you to enable persistent connections. It takes the following form:

KeepAlive option

The option has to be a valid keyword as described in Available KeepAlive options. The default option is Off.

Table 10. Available KeepAlive options

Option | Description
On | Enables the persistent connections. In this case, the server will accept more than one request per connection.
Off | Disables the keep-alive connections.

Note that when the persistent connections are enabled, on a busy server, the number of child processes can increase rapidly and eventually reach the maximum limit, slowing down the server significantly. To reduce the risk, it is recommended that you set KeepAliveTimeout to a low number, and monitor the /var/log/httpd/error_log log file carefully.

Example 43. Using the KeepAlive directive
KeepAlive Off
KeepAliveTimeout

The KeepAliveTimeout directive allows you to specify the amount of time to wait for another request before closing the connection. It takes the following form:

KeepAliveTimeout time

The _time_ is specified in seconds. The default option is `15`.

Example 44. Using the KeepAliveTimeout directive
KeepAliveTimeout 15
LanguagePriority

The LanguagePriority directive allows you to customize the precedence of languages. It takes the following form:

LanguagePriority language

The language has to be a valid MIME language such as cs, en, or fr.

This directive is especially useful for web servers that serve content in multiple languages based on the client’s language settings.

Example 45. Using the LanguagePriority directive
LanguagePriority sk cs en
Listen

The Listen directive allows you to specify IP addresses or ports to listen to. It takes the following form:

Listen ip-address:port protocol

The ip-address is optional and unless supplied, the server will accept incoming requests on a given port from all IP addresses. Since the protocol is determined automatically from the port number, it can be usually omitted. The default option is to listen to port 80.

Note that if the server is configured to listen on a port below 1024, only the superuser (or a process holding the CAP_NET_BIND_SERVICE capability) will be able to start the httpd service.

Example 46. Using the Listen directive
Listen 80
LoadModule

The LoadModule directive allows you to load a Dynamic Shared Object (DSO) module. It takes the following form:

LoadModule name path

The name has to be a valid identifier of the required module. The path refers to an existing module file, and must be relative to the directory in which the libraries are placed (that is, /usr/lib/httpd/ on 32-bit and /usr/lib64/httpd/ on 64-bit systems by default).

For more information on DSO support in the Apache HTTP Server, see Working with Modules.

Example 47. Using the LoadModule directive
LoadModule php5_module modules/libphp5.so
LogFormat

The LogFormat directive allows you to specify a log file format. It takes the following form:

LogFormat format name

The format is a string consisting of options as described in Common LogFormat options. The name can be used instead of the format string in the CustomLog directive.

Table 11. Common LogFormat options

Option | Description
%b | Represents the size of the response in bytes.
%h | Represents the IP address or hostname of a remote client.
%l | Represents the remote log name if supplied. If not, a hyphen (that is, -) is used instead.
%r | Represents the first line of the request string as it came from the browser or client.
%s | Represents the status code.
%t | Represents the date and time of the request.
%u | If the authentication is required, it represents the remote user. If not, a hyphen (that is, -) is used instead.
%{field} | Represents the content of the HTTP header field. The common options include %{Referer} (the URL of the web page that referred the client to the server) and %{User-Agent} (the type of the web browser making the request).

Example 48. Using the LogFormat directive
LogFormat "%h %l %u %t \"%r\" %>s %b" common
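As an added example (not part of the Fedora guide), the Python script below parses lines written in the common format from Example 48, and in the combined format that appends the Referer and User-Agent fields, and runs two checks a security operator typically wants over an access log: clients producing many 4xx responses, and requests for .ht* files or containing .. path segments. The log lines, addresses, and paths are constructed for the example; the function names are the author's own.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Added example, not from the Fedora guide: parse access-log lines in the
# "common" format of Example 48 and in the "combined" format that appends
# "%{Referer}i" "%{User-Agent}i", then run two simple checks over them.
# The sample lines are constructed; the addresses are documentation ranges.

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /.htpasswd HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:55:38 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "curl/8.0"
198.51.100.7 - alice [10/Oct/2023:13:56:01 +0000] "POST /cgi-bin/process-image.cgi HTTP/1.1" 200 512
192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/%2e%2e/.htaccess HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %r is "METHOD PATH PROTOCOL"; malformed requests may have fewer fields
    fields = entry["request"].split(" ")
    entry["method"] = fields[0] if fields else ""
    entry["path"] = fields[1] if len(fields) > 1 else ""
    return entry


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def clients_with_errors(entries, threshold):
    """Clients that produced at least `threshold` 4xx responses."""
    counts = Counter(e["host"] for e in entries if 400 <= e["status"] < 500)
    return {host: n for host, n in counts.items() if n >= threshold}


def flag_sensitive(entries):
    """Requests for .ht* files or with '..' segments (also percent-encoded).

    The <Files> block protecting .ht* files and the server's own path
    normalisation should reject these; seeing them at all indicates probing.
    """
    hits = []
    for e in entries:
        segments = unquote(e["path"]).split("/")
        if ".." in segments or any(s.startswith(".ht") for s in segments):
            hits.append(e)
    return hits
```

Feed real data by reading /var/log/httpd/access_log into parse_log; the returned dicts carry the parsed timestamp, method, and path, so further rules (for example, a 200 response to /server-status from a non-local address) are a one-line filter away.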
LogLevel

The LogLevel directive allows you to customize the verbosity level of the error log. It takes the following form:

LogLevel option

The option has to be a valid keyword as described in Available LogLevel options. The default option is warn.

Table 12. Available LogLevel options

Option | Description
emerg | Only the emergency situations when the server cannot perform its work are logged.
alert | All situations when an immediate action is required are logged.
crit | All critical conditions are logged.
error | All error messages are logged.
warn | All warning messages are logged.
notice | Even normal, but still significant situations are logged.
info | Various informational messages are logged.
debug | Various debugging messages are logged.

Example 49. Using the LogLevel directive
LogLevel warn
MaxKeepAliveRequests

The MaxKeepAliveRequests directive allows you to specify the maximum number of requests for a persistent connection. It takes the following form:

MaxKeepAliveRequests number

A high number can improve the performance of the server. Note that 0 allows an unlimited number of requests per connection. The default option is 100.

Example 50. Using the MaxKeepAliveRequests directive
MaxKeepAliveRequests 100
NameVirtualHost

The NameVirtualHost directive allows you to specify the IP address and port number for a name-based virtual host. It takes the following form:

NameVirtualHost ip-address:port

The ip-address can be either a full IP address, or an asterisk (that is, *) representing all interfaces. Note that IPv6 addresses have to be enclosed in square brackets (that is, [ and ]). The port is optional.

Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses. In httpd 2.4, which Fedora ships, the directive is obsolete: any address and port that appears in more than one <VirtualHost> container is treated as name-based automatically, and a NameVirtualHost line only produces a warning at startup.

Using secure HTTP connections

Name-based virtual hosts over HTTPS depend on Server Name Indication (SNI), the TLS extension with which the client sends the requested hostname before the server chooses a certificate. mod_ssl supports SNI and all current browsers send it. A client that does not send SNI is served the certificate of the first <VirtualHost> defined for that address and port, so that default host should carry a certificate you are willing to present to anyone; if you must support such clients, use IP address-based virtual hosts for them instead.

Example 51. Using the NameVirtualHost directive
NameVirtualHost *:80
Options

The Options directive allows you to specify which server features are available in a particular directory. It takes the following form:

Options option

The option has to be a valid keyword as described in Available server features; several keywords can be given on one line. Enable only what a directory actually needs: Indexes exposes directory listings, ExecCGI and Includes turn a content directory into a code-execution path, and FollowSymLinks lets a symbolic link created by a compromised account point the server at files outside the document tree.

Table 13. Available server features
Option Description

ExecCGI

Enables the execution of CGI scripts.

FollowSymLinks

Enables following symbolic links in the directory.

Includes

Enables server-side includes.

IncludesNOEXEC

Enables server-side includes, but does not allow the execution of commands.

Indexes

Enables server-generated directory listings.

MultiViews

Enables content-negotiated "MultiViews".

SymLinksIfOwnerMatch

Enables following symbolic links in the directory when both the link and the target file have the same owner.

All

Enables all of the features above with the exception of MultiViews.

None

Disables all of the features above.

Example 52. Using the Options directive
Options Indexes FollowSymLinks
Order

The Order directive allows you to specify the order in which the Allow and Deny directives are evaluated and, with it, what happens to a client that matches neither. It takes the following form:

Order option

The option has to be a valid keyword as described in Available Order options. The default option is deny,allow. In httpd 2.4, Order, Allow and Deny are provided by the compatibility module mod_access_compat; the native replacement is the Require directive (for example, Require all granted or Require ip followed by an address range).

Table 14. Available Order options
Option Description

allow,deny

Allow directives are evaluated first, then Deny. A client is admitted only if it matches an Allow directive and no Deny directive; a client that matches neither is denied.

deny,allow

Deny directives are evaluated first, then Allow. A client is refused only if it matches a Deny directive and no Allow directive; a client that matches neither is allowed.

Example 53. Using the Order directive
Order allow,deny
PidFile

The PidFile directive allows you to specify a file to which the process ID (PID) of the server is stored. It takes the following form:

PidFile path

The path refers to a pid file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is run/httpd.pid.

Example 54. Using the PidFile directive
PidFile run/httpd.pid
ProxyRequests

The ProxyRequests directive allows you to enable forward proxy requests, that is, to let clients ask this server to fetch arbitrary URLs on their behalf. It takes the following form:

ProxyRequests option

The option has to be a valid keyword as described in Available ProxyRequests options. The default option is Off. Do not turn it On without restricting who may use the proxy, using a <Proxy> container with Require (or Allow and Deny rules under mod_access_compat): an unrestricted forward proxy is an open proxy that attackers will use to reach hosts on your internal network and to launder traffic through your address. Reverse proxying with ProxyPass does not require ProxyRequests On.

Table 15. Available ProxyRequests options
Option Description

On

Enables forward proxy requests.

Off

Disables forward proxy requests.

Example 55. Using the ProxyRequests directive
ProxyRequests On
ReadmeName

The ReadmeName directive allows you to specify a file to be appended to the end of the server-generated directory listing. It takes the following form:

ReadmeName filename

The filename is a name of the file to look for in the requested directory. By default, the server looks for README.html.

Example 56. Using the ReadmeName directive
ReadmeName README.html
Redirect

The Redirect directive allows you to redirect a client to another URL. It takes the following form:

Redirect status path url

The status is optional, and if provided, it has to be a valid keyword as described in Available status options. The path refers to the old location, and must be relative to the directory specified by the DocumentRoot directive (for example, /docs). The url refers to the current location of the content (for example, http://docs.example.com).

Table 16. Available status options
Status Description

permanent

Indicates that the requested resource has been moved permanently. The 301 (Moved Permanently) status code is returned to a client.

temp

Indicates that the requested resource has been moved only temporarily. The 302 (Found) status code is returned to a client.

seeother

Indicates that the requested resource has been replaced. The 303 (See Other) status code is returned to a client.

gone

Indicates that the requested resource has been removed permanently. The 410 (Gone) status is returned to a client.

For more advanced redirection techniques, you can use the mod_rewrite module that is part of the Apache HTTP Server installation.

Example 57. Using the Redirect directive
Redirect permanent /docs http://docs.example.com
ScriptAlias

The ScriptAlias directive allows you to specify the location of CGI scripts. It takes the following form:

ScriptAlias url-path real-path

The url-path must be relative to the directory specified by the DocumentRoot directive (for example, /cgi-bin/). The real-path is a full path to a file or directory in the local file system. This directive is typically followed by a Directory container with additional permissions to access the target directory. By default, the /cgi-bin/ alias is created so that the scripts located in /var/www/cgi-bin/ are accessible.

The ScriptAlias directive is used for security reasons: it marks the target as a script directory, so that the scripts are executed rather than served as ordinary text documents, and it keeps executable code outside the DocumentRoot, where an upload or misconfiguration could otherwise expose it. The Order and Allow lines in the example below are httpd 2.2 syntax that 2.4 only accepts with mod_access_compat loaded; the native 2.4 equivalent is Require all granted.

Example 58. Using the ScriptAlias directive
ScriptAlias /cgi-bin/ /var/www/cgi-bin/

<Directory "/var/www/cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
</Directory>
ServerAdmin

The ServerAdmin directive allows you to specify the email address of the server administrator to be displayed in server-generated web pages. It takes the following form:

ServerAdmin email

The default option is root@localhost.

This directive is commonly set to webmaster@hostname, where hostname is the address of the server. Once set, alias webmaster to the person responsible for the web server in /etc/aliases, and as superuser, run the newaliases command.

Example 59. Using the ServerAdmin directive
ServerAdmin webmaster@penguin.example.com
ServerName

The ServerName directive allows you to specify the hostname and the port number of a web server. It takes the following form:

ServerName hostname:port

The hostname has to be a fully qualified domain name (FQDN) of the server. The port is optional, but when supplied, it has to match the number specified by the Listen directive.

When using this directive, make sure that the IP address and server name pair are included in the /etc/hosts file.

Example 60. Using the ServerName directive
ServerName penguin.example.com:80
ServerRoot

The ServerRoot directive allows you to specify the directory in which the server operates. It takes the following form:

ServerRoot directory

The directory must be a full path to an existing directory in the local file system. The default option is /etc/httpd/.

Example 61. Using the ServerRoot directive
ServerRoot /etc/httpd
ServerSignature

The ServerSignature directive allows you to enable displaying information about the server on server-generated documents. It takes the following form:

ServerSignature option

The option has to be a valid keyword as described in Available ServerSignature options. The default option is On. On servers exposed to untrusted clients, set it to Off: the footer on error pages and directory listings otherwise advertises the server version to anyone who triggers a 404.

Table 17. Available ServerSignature options
Option Description

On

Enables appending the server name and version to server-generated pages.

Off

Disables appending the server name and version to server-generated pages.

EMail

Enables appending the server name, version, and the email address of the system administrator as specified by the ServerAdmin directive to server-generated pages.

Example 62. Using the ServerSignature directive
ServerSignature On
ServerTokens

The ServerTokens directive allows you to customize what information are included in the Server response header. It takes the following form:

ServerTokens option

The option has to be a valid keyword as described in Available ServerTokens options. The default option is OS.

Table 18. Available ServerTokens options
Option Description

Prod

Includes the product name only (that is, Apache).

Major

Includes the product name and the major version of the server (for example, 2).

Minor

Includes the product name and the minor version of the server (for example, 2.2).

Min

Includes the product name and the minimal version of the server (for example, 2.2.15).

OS

Includes the product name, the minimal version of the server, and the type of the operating system it is running on (for example, Red Hat).

Full

Includes all the information above along with the list of loaded modules.

For security reasons, reveal as little information about the server as possible: use Prod. This also caps what ServerSignature can append, because ServerSignature never shows more detail than ServerTokens allows. Hiding the version does not make the server itself any harder to exploit; it only removes an easy fingerprint for automated scanners, so treat it as one layer, not as a substitute for patching.

Example 63. Using the ServerTokens directive
ServerTokens Prod
SuexecUserGroup

The SuexecUserGroup directive allows you to specify the user and group under which the CGI scripts will be run. It takes the following form:

SuexecUserGroup user group

The user has to be an existing user, and the group must be a valid UNIX group.

For security reasons, the CGI scripts should not be run with root privileges. The suexec helper enforces this: it refuses to run as root or as any account below its compiled-in minimum UID and GID (500 and 100 in the Fedora build; check with suexec -V), and records refusals in /var/log/httpd/suexec.log. Use a dedicated unprivileged account per site rather than a shared one, so that a compromised script cannot read or alter another site's files. Note that in <VirtualHost>, SuexecUserGroup replaces the User and Group directives.

Example 64. Using the SuexecUserGroup directive
SuexecUserGroup apache apache
Timeout

The Timeout directive allows you to specify the amount of time to wait for an event before closing a connection. It takes the following form:

Timeout time

The time is specified in seconds. The default option is 60.

Example 65. Using the Timeout directive
Timeout 60
TypesConfig

The TypesConfig allows you to specify the location of the MIME types configuration file. It takes the following form:

TypesConfig path

The path refers to an existing MIME types configuration file, and can be either absolute, or relative to the directory that is specified by the ServerRoot directive (that is, /etc/httpd/ by default). The default option is /etc/mime.types.

Note that instead of editing /etc/mime.types, the recommended way to add MIME type mapping to the Apache HTTP Server is to use the AddType directive.

Example 66. Using the TypesConfig directive
TypesConfig /etc/mime.types
UseCanonicalName

The UseCanonicalName allows you to specify the way the server refers to itself. It takes the following form:

UseCanonicalName option

The option has to be a valid keyword as described in Available UseCanonicalName options. The default option is Off.

Table 19. Available UseCanonicalName options
Option Description

On

Enables the use of the name that is specified by the ServerName directive.

Off

Disables the use of the name that is specified by the ServerName directive. The hostname and port number provided by the requesting client (the Host header) are used instead. Because that value is attacker-controlled, any self-referential URL the server builds from it, for example in a redirect, can be made to point at a host of the attacker's choosing; use On together with an accurate ServerName wherever the server generates such URLs.

DNS

Disables the use of the name that is specified by the ServerName directive. The hostname determined by a reverse DNS lookup of the server's IP address is used instead. This mode exists for IP-based virtual hosting with very old clients and costs a DNS lookup per request.

Example 67. Using the UseCanonicalName directive
UseCanonicalName Off
User

The User directive allows you to specify the user under which the httpd service will run. It takes the following form:

User user

The user has to be an existing UNIX user. The default option is apache.

For security reasons, the httpd service should not be run with root privileges. Note that User is no longer supported inside <VirtualHost>, and has been replaced by the SuexecUserGroup directive.

Example 68. Using the User directive
User apache
UserDir

The UserDir directive allows you to enable serving content from users' home directories. It takes the following form:

UserDir option

The option can be either a name of the directory to look for in user’s home directory (typically public_html), or a valid keyword as described in Available UserDir options. The default option is disabled.

Table 20. Available UserDir options
Option Description

enabled user

Enables serving content from home directories of given users.

disabled user

Disables serving content from home directories, either for all users, or, if a space separated list of users is supplied, for given users only.

Setting the correct permissions

In order for the web server to access the content, the permissions on the relevant directories and files must be set correctly. The httpd process (user apache) needs execute (search) permission on the home directory and read plus execute permission on the directory named by UserDir. The commands below grant this to every user on the system, which is the simplest but broadest way to do it. For example, to allow access to public_html/ in the home directory of user joe, type the following at a shell prompt as root:

# chmod a+x /home/joe/
# chmod a+rx /home/joe/public_html/

All files in this directory must be set accordingly, that is, readable by the apache user. On Fedora, SELinux additionally blocks httpd from reading home directories until the httpd_enable_homedirs boolean is turned on. Keep UserDir disabled for root so that /root is never served.

Example 69. Using the UserDir directive
UserDir public_html

Common ssl.conf Directives

The Secure Sockets Layer (SSL) directives allow you to customize the behavior of the Apache HTTP Secure Server, and in most cases, they are configured appropriately during the installation. Be careful when changing these settings, as incorrect configuration can lead to security vulnerabilities. The following directive is commonly used in /etc/httpd/conf.d/ssl.conf:

SetEnvIf

The SetEnvIf directive allows you to set environment variables based on the headers of incoming connections. It takes the following form:

SetEnvIf option pattern !variable=value

The option can be either a HTTP header field, a previously defined environment variable name, or a valid keyword as described in Available SetEnvIf options. The pattern is a regular expression. The variable is an environment variable that is set when the option matches the pattern. If the optional exclamation mark (that is, !) is present, the variable is removed instead of being set.

Table 21. Available SetEnvIf options
Option Description

Remote_Host

Refers to the client’s hostname.

Remote_Addr

Refers to the client’s IP address.

Server_Addr

Refers to the server’s IP address.

Request_Method

Refers to the request method (for example, GET).

Request_Protocol

Refers to the protocol name and version (for example, HTTP/1.1).

Request_URI

Refers to the requested resource.

In the stock ssl.conf, the SetEnvIf directive is used to disable HTTP keepalives and to allow SSL to close the connection without a closing notification from the client browser. This was necessary for old versions of Internet Explorer that did not reliably shut down the SSL connection. The workaround is obsolete for current browsers; if you keep it, be aware that the downgrade-1.0 and force-response-1.0 variables force HTTP/1.0 handling for every client whose User-Agent header contains MSIE.

Example 70. Using the SetEnvIf directive
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

Note that for the /etc/httpd/conf.d/ssl.conf file to be present, the mod_ssl needs to be installed. See Setting Up an SSL Server for more information on how to install and configure an SSL server.

Common Multi-Processing Module Directives

The Multi-Processing Module (MPM) directives allow you to customize the behavior of a particular MPM-specific server pool. Since its characteristics differ depending on which MPM is used, the directives are embedded in IfModule. By default, the server pool is defined for both the prefork and worker MPMs. On current Fedora the MPM is selected in /etc/httpd/conf.modules.d/00-mpm.conf, where event is loaded by default; event accepts the same directives as worker. The following MPM directives are commonly used in /etc/httpd/conf/httpd.conf:

MaxClients

The MaxClients directive allows you to specify the maximum number of simultaneously connected clients to process at one time. In httpd 2.4 it was renamed MaxRequestWorkers; the old name is still accepted. It takes the following form:

MaxClients number

A high number can improve the performance of the server, although it is not recommended to exceed 256 when using the prefork MPM, and going above 256 with prefork also requires raising ServerLimit. Size the value against available memory: each prefork child is a full process, so a limit the machine cannot back with RAM turns a traffic spike into swapping, which is a self-inflicted denial of service.

Example 71. Using the MaxClients directive
MaxClients 256
MaxRequestsPerChild

The MaxRequestsPerChild directive allows you to specify the maximum number of requests a child process can serve before it is terminated. In httpd 2.4 it was renamed MaxConnectionsPerChild (it now counts connections rather than requests); the old name is still accepted. It takes the following form:

MaxRequestsPerChild number

Setting the number to 0 allows an unlimited number of requests.

The MaxRequestsPerChild directive is used to limit the damage done by memory leaks in long-lived processes, including leaks in third-party modules.

Example 72. Using the MaxRequestsPerChild directive
MaxRequestsPerChild 4000
MaxSpareServers

The MaxSpareServers directive allows you to specify the maximum number of spare child processes. It takes the following form:

MaxSpareServers number

This directive is used by the prefork MPM only.

Example 73. Using the MaxSpareServers directive
MaxSpareServers 20
MaxSpareThreads

The MaxSpareThreads directive allows you to specify the maximum number of spare server threads. It takes the following form:

MaxSpareThreads number

The number must be greater than or equal to the sum of MinSpareThreads and ThreadsPerChild. This directive is used by the worker MPM only.

Example 74. Using the MaxSpareThreads directive
MaxSpareThreads 75
MinSpareServers

The MinSpareServers directive allows you to specify the minimum number of spare child processes. It takes the following form:

MinSpareServers number

Note that a high number can create a heavy processing load on the server. This directive is used by the prefork MPM only.

Example 75. Using the MinSpareServers directive
MinSpareServers 5
MinSpareThreads

The MinSpareThreads directive allows you to specify the minimum number of spare server threads. It takes the following form:

MinSpareThreads number

This directive is used by the worker MPM only.

Example 76. Using the MinSpareThreads directive
MinSpareThreads 75
StartServers

The StartServers directive allows you to specify the number of child processes to create when the service is started. It takes the following form:

StartServers number

Since the child processes are dynamically created and terminated according to the current traffic load, it is usually not necessary to change this value.

Example 77. Using the StartServers directive
StartServers 8
ThreadsPerChild

The ThreadsPerChild directive allows you to specify the number of threads a child process can create. It takes the following form:

ThreadsPerChild number

This directive is used by the worker MPM only.

Example 78. Using the ThreadsPerChild directive
ThreadsPerChild 25

Working with Modules

Being a modular application, the httpd service is distributed along with a number of Dynamic Shared Objects (DSOs), which can be dynamically loaded or unloaded at runtime as necessary. By default, these modules are located in /usr/lib/httpd/modules/ on 32-bit and in /usr/lib64/httpd/modules/ on 64-bit systems.

Loading a Module

To load a particular DSO module, use the LoadModule directive as described in Common httpd.conf Directives. Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.d/ directory.

Example 79. Loading the mod_ssl DSO
LoadModule ssl_module modules/mod_ssl.so

Once you are finished, restart the web server to reload the configuration. See Restarting the Service for more information on how to restart the httpd service.

Writing a Module

If you intend to create a new DSO module, make sure you have the httpd-devel package installed. To do so, enter the following command as root:

# dnf install httpd-devel

This package contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.

Once written, you can build the module with the following command:

# apxs -i -a -c module_name.c

If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.

Setting Up Virtual Hosts

The Apache HTTP Server’s built in virtual hosting allows the server to provide different information based on which IP address, host name, or port is being requested.

To create a name-based virtual host, copy the example configuration file /usr/share/doc/httpd-VERSION/httpd-vhosts.conf into the /etc/httpd/conf.d/ directory, and replace the @@Port@@ and @@ServerRoot@@ placeholder values. Customize the options according to your requirements as shown in Example virtual host configuration.

Example 80. Example virtual host configuration
<VirtualHost *:80>
    ServerAdmin webmaster@penguin.example.com
    DocumentRoot "/www/docs/penguin.example.com"
    ServerName penguin.example.com
    ServerAlias www.penguin.example.com
    ErrorLog "/var/log/httpd/dummy-host.example.com-error_log"
    CustomLog "/var/log/httpd/dummy-host.example.com-access_log" common
</VirtualHost>

Note that ServerName must be a valid DNS name assigned to the machine. The <VirtualHost> container is highly customizable, and accepts most of the directives available within the main server configuration. Directives that are not supported within this container include User and Group, which were replaced by SuexecUserGroup.

Changing the port number

If you configure a virtual host to listen on a non-default port, make sure you update the Listen directive in the global settings section of the /etc/httpd/conf/httpd.conf file accordingly.

To activate a newly created virtual host, the web server has to be restarted first. See Restarting the Service for more information on how to restart the httpd service.

Setting Up an SSL Server

Secure Sockets Layer (SSL) is a cryptographic protocol that allows a server and a client to communicate securely. Along with its extended and improved version called Transport Layer Security (TLS), it ensures both privacy and data integrity. The Apache HTTP Server in combination with mod_ssl, a module that uses the OpenSSL toolkit to provide the SSL/TLS support, is commonly referred to as the SSL server.

Unlike a regular HTTP connection, which can be read and possibly modified by anybody who is able to intercept it, a TLS connection set up by mod_ssl protects the transmitted content against eavesdropping and tampering in transit, provided that the client validates the server's certificate. This section provides basic information on how to enable this module in the Apache HTTP Server configuration, and guides you through the process of generating private keys and self-signed certificates.

An Overview of Certificates and Security

Secure communication is based on the use of keys. In conventional or symmetric cryptography, both ends of the transaction share the same secret key and use it to encrypt and decrypt each other's transmissions. In public-key or asymmetric cryptography, two keys co-exist: a private key that is kept secret, and a public key that is shared freely. Data encrypted with the public key can only be decrypted with the private key, and a signature produced with the private key can be verified by anyone holding the public key. To provide secure communications using SSL/TLS, a server must use a digital certificate signed by a Certificate Authority (CA). The certificate lists various attributes of the server (the server host names, the name of the organization, its location, and so on) together with the server's public key, and carries a signature produced with the CA's private key. This signature proves that the particular certificate authority issued the certificate, and that the certificate has not been modified in any way.

When a web browser establishes a new SSL connection, it checks the certificate provided by the web server. If the certificate does not have a signature from a trusted CA, or if the host name listed in the certificate does not match the host name used to establish the connection, it refuses to communicate with the server and usually presents a user with an appropriate error message.

By default, most web browsers are configured to trust a set of widely used certificate authorities. Because of this, an appropriate CA should be chosen when setting up a secure server, so that target users can trust the connection, otherwise they will be presented with an error message, and will have to accept the certificate manually. Since encouraging users to override certificate errors can allow an attacker to intercept the connection, you should use a trusted CA whenever possible. For more information on this, see Information about CA lists used by common web browsers.

Table 22. Information about CA lists used by common web browsers
Web browser Link

Mozilla Firefox

Mozilla root CA list.

Opera

Information on root certificates used by Opera.

Internet Explorer

Information on root certificates used by Microsoft Windows.

Chromium

Information on root certificates used by the Chromium project.

When setting up an SSL server, you need to generate a certificate request and a private key, and then send the certificate request, proof of the company’s identity, and payment to a certificate authority. Once the CA verifies the certificate request and your identity, it will send you a signed certificate you can use with your server. Alternatively, you can create a self-signed certificate that does not contain a CA signature, and thus should be used for testing purposes only.

Enabling the mod_ssl Module

If you intend to set up an SSL server, make sure you have the mod_ssl (the mod_ssl module) and openssl (the OpenSSL toolkit) packages installed. To do so, enter the following command as root:

# dnf install mod_ssl openssl

This will create the mod_ssl configuration file at /etc/httpd/conf.d/ssl.conf, which is included in the main Apache HTTP Server configuration file by default. For the module to be loaded, restart the httpd service as described in Restarting the Service.

Because of the SSL 3.0 protocol vulnerability CVE-2014-3566, described in SSL 3.0 Protocol Vulnerability and POODLE Attack, SSLv2 and SSLv3 must be disabled. TLS 1.0 and TLS 1.1 have since been deprecated as well (RFC 8996), so a current server should permit only TLS 1.2 and TLS 1.3; the TLSv1.0 fallback that older versions of this page suggested for backwards compatibility should no longer be used. Many products have the ability to use the SSLv2 or SSLv3 protocols, or enable them by default; make sure they are off. On current Fedora, the shipped ssl.conf defers protocol and cipher selection to the system-wide crypto policy (see update-crypto-policies(8)), which already excludes SSLv3 and, in the DEFAULT policy of recent releases, TLS 1.0 and 1.1; an explicit SSLProtocol line overrides that policy, so audit any such line as described below.

Enabling and Disabling SSL and TLS in mod_ssl

To disable and enable specific versions of the SSL and TLS protocols, either do it globally by adding the SSLProtocol directive in the "## SSL Global Context" section of the configuration file and removing it everywhere else, or edit the default entry under "# SSL Protocol support" in all VirtualHost sections. If you do not specify it in a per-domain VirtualHost section, that host inherits the settings from the global section. To make sure that a protocol version is really disabled, either specify SSLProtocol only in the "SSL Global Context" section, or specify it in every per-domain VirtualHost section: a VirtualHost with its own SSLProtocol line silently overrides the global one.

Disabling SSLv2 and SSLv3

To disable SSL version 2 and SSL version 3, which implies enabling everything except SSL version 2 and SSL version 3, in all VirtualHost sections, proceed as follows:

  1. As root, open the /etc/httpd/conf.d/ssl.conf file and search for all instances of the SSLProtocol directive. By default, the configuration file contains one section that looks as follows:

# vi /etc/httpd/conf.d/ssl.conf
#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

This section is inside the VirtualHost section.

  2. Edit the SSLProtocol line as follows:

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol All -SSLv2 -SSLv3

Repeat this action for all VirtualHost sections.

  3. Verify that all occurrences of the SSLProtocol directive have been changed as follows:

# grep SSLProtocol /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2 -SSLv3

This step is particularly important if you have more than the one default VirtualHost section. The grep also shows commented-out lines, so check that every active occurrence carries -SSLv3.

  4. Restart the Apache service as follows:

# systemctl restart httpd

Note that any active connections will be interrupted. A reload (systemctl reload httpd) applies the new configuration gracefully instead, letting in-flight requests finish before the child processes are replaced.
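As an added example that is not part of the Fedora documentation, the POSIX shell script below audits an httpd configuration tree for the settings this page warns about: SSLProtocol lines that still permit SSLv3 (the grep from step 3 above, run over every file and ignoring commented-out lines), ServerTokens values other than Prod, ServerSignature left on, ProxyRequests On, and Options Indexes. The two configuration files it writes are constructed for the demonstration; on a real system, run audit_httpd_conf over /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf.

```shell
#!/bin/sh
# Added example, not from the Fedora documentation: a read-only audit of httpd
# configuration files for weak settings. Prints one finding per line as
# "<file>:<line>: <message>".

# audit_httpd_conf FILE...: scan the given configuration files.
audit_httpd_conf() {
    awk '
        { sub(/#.*/, "") }          # drop comments so commented examples are not flagged
        NF == 0 { next }
        {
            d = tolower($1)
            if (d == "sslprotocol") {
                # "all" without "-SSLv3", or an explicit SSLv3/+SSLv3, leaves SSLv3 on
                all = 0; minus3 = 0; plus3 = 0
                for (i = 2; i <= NF; i++) {
                    t = tolower($i)
                    if (t == "all") all = 1
                    if (t == "-sslv3") minus3 = 1
                    if (t == "sslv3" || t == "+sslv3") plus3 = 1
                }
                if ((all && !minus3) || plus3)
                    print FILENAME ":" FNR ": SSLv3 still enabled: " $0
            } else if (d == "servertokens" && tolower($2) != "prod") {
                print FILENAME ":" FNR ": ServerTokens " $2 " leaks version information, use Prod"
            } else if (d == "serversignature" && tolower($2) != "off") {
                print FILENAME ":" FNR ": ServerSignature " $2 " appends server details to error pages"
            } else if (d == "proxyrequests" && tolower($2) == "on") {
                print FILENAME ":" FNR ": ProxyRequests On: forward proxy enabled, restrict it with a <Proxy> block"
            } else if (d == "options") {
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == "indexes" || tolower($i) == "+indexes")
                        print FILENAME ":" FNR ": Options Indexes exposes directory listings"
            }
        }' "$@"
}

# make_sample_conf: write a constructed configuration tree (not a real system)
# into a temporary directory and print its path.
make_sample_conf() {
    dir=$(mktemp -d)
    mkdir -p "$dir/conf" "$dir/conf.d"
    cat > "$dir/conf/httpd.conf" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# ProxyRequests On   (commented out, must not be flagged)
EOF
    cat > "$dir/conf.d/ssl.conf" <<'EOF'
#   SSL Protocol support:
SSLProtocol all -SSLv2
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
EOF
    echo "$dir"
}

# Usage:
#   dir=$(make_sample_conf)
#   audit_httpd_conf "$dir"/conf/httpd.conf "$dir"/conf.d/*.conf
# Real system: audit_httpd_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf
```

The sample ssl.conf reproduces the situation step 3 guards against: the global SSLProtocol line was never updated while the VirtualHost one was, and only the per-file, per-line report makes that visible.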

Using an Existing Key and Certificate

If you have a previously created key and certificate, you can configure the SSL server to use these files instead of generating new ones. There are two situations where this is not possible:

  1. You are changing the domain name.

Certificates are issued for the host names listed in their Common Name and subjectAltName fields. If the server's name changes, or you add a name the certificate does not list, browsers reject it. A change of IP address by itself does not invalidate a certificate unless the certificate names that IP address.

  2. Your certificate's license is tied to the server software, and you are changing the server software.

Historically, VeriSign (whose CA business later passed to Symantec and then to DigiCert) licensed certificates for a particular software product, IP address, and domain name. The restriction is contractual rather than technical, but such a certificate has to be reissued for the new product.

In either of the above cases, you will need to obtain a new certificate. For more information on this topic, see Generating a New Certificate Using OpenSSL.

If you want to use an existing key and certificate, move the relevant files to the /etc/pki/tls/private/ and /etc/pki/tls/certs/ directories respectively. The key must end up owned by root with mode 0600: httpd reads it while still running as root, before it drops privileges to the apache user, so no other account needs access to it. You can do so by issuing the following commands as root:

# mv key_file.key /etc/pki/tls/private/hostname.key
# mv certificate.crt /etc/pki/tls/certs/hostname.crt

Then add the following lines to the /etc/httpd/conf.d/ssl.conf configuration file:

SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

To load the updated configuration, restart the httpd service as described in Restarting the Service.

Example 81. Using a key and certificate from the Red Hat Secure Web Server
# mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/penguin.example.com.key
# mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/penguin.example.com.crt

Generating a New Certificate Using OpenSSL

First, generate a private key. This example uses a 2048-bit RSA key. Run the command with a restrictive umask, or fix the mode afterwards, so that the key is never world-readable:

# openssl genrsa -out myhost.com.key 2048

Create a Certificate Signing Request (CSR). The Common Name field must be your server's hostname, and the request should also list that hostname in a subjectAltName extension: current browsers ignore the Common Name and reject a certificate whose hostname is not present in subjectAltName, and a public CA will only issue for names it can validate:

# openssl req -new -key myhost.com.key -out myhost.com.csr -sha512

The digest given with -sha512 (or -sha256) is used to sign the request itself; the CA independently chooses the digest it uses for the certificate. Either SHA-2 variant is fine; SHA-1 and MD5 must not be used.

Now give your CSR to your Certificate Authority (CA) so they can sign it and return a certificate. For testing only, you can instead self-sign the request with your own key, as in the following command; browsers will warn users about such a certificate, and it provides no assurance of identity to anyone who has not obtained it out of band:

# openssl x509 -req -days 365 -in myhost.com.csr -signkey myhost.com.key -out myhost.com.crt -sha512

Once your CA has signed the request (or you have self-signed it), you have the certificate (.crt file). Now move the private key and the certificate to their respective directories:

# cp myhost.com.crt /etc/pki/tls/certs/
# cp myhost.com.key /etc/pki/tls/private/myhost.com.key

The key under /etc/pki/tls/private/ must be owned by root with mode 0600; httpd reads it while still running as root, before dropping privileges, so nothing else needs access to it.

The Certificate Signing Request (CSR) can be deleted, as it becomes useless once you have obtained your certificate, unless you expect to request a renewal with the same key. Alternatively you can store it alongside your private key:

# cp myhost.com.csr /etc/pki/tls/private/myhost.com.csr

Set the correct SELinux context on these files:

# restorecon -RvF /etc/pki

The last step is to configure the web server for TLS using the key and certificate files you have just created: point the SSLCertificateFile and SSLCertificateKeyFile directives in /etc/httpd/conf.d/ssl.conf at them, as shown in Using an Existing Key and Certificate.
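As an added example that is not part of the Fedora documentation, the shell script below carries out the key, CSR and test-only self-signed certificate steps described above with two changes a practitioner wants: the key is created under a restrictive umask so it is never world-readable, and the request carries a subjectAltName, because current browsers ignore the Common Name and reject a certificate that does not list the hostname there. Note that openssl x509 -req discards the CSR's extensions unless they are supplied again with -extfile, which is why the self-signing step passes the same configuration file. The hostname www.example.test and the output directory are assumptions for the demonstration; the script requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the Fedora documentation: create a private key, a CSR
# with subjectAltName, and (for testing only) a self-signed certificate, then
# verify that the certificate and key belong together. The hostname and the
# output directory are parameters; nothing here touches /etc/pki.

# make_server_cert FQDN OUTDIR: writes OUTDIR/FQDN.key, .csr and .crt (365 days).
make_server_cert() {
    fqdn=$1
    outdir=$2
    umask 077                                  # key and CSR are created mode 0600
    cnf="$outdir/$fqdn.cnf"
    # Request configuration: CN plus the subjectAltName browsers actually check.
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 2048-bit RSA, as in the text above.
    openssl genrsa -out "$outdir/$fqdn.key" 2048 >/dev/null 2>&1 || return 1
    # CSR signed with SHA-256; the CA picks the digest for the certificate itself.
    openssl req -new -sha256 -key "$outdir/$fqdn.key" -config "$cnf" \
        -out "$outdir/$fqdn.csr" || return 1
    # Self-sign for testing. Extensions from the CSR are dropped by "x509 -req"
    # unless re-supplied, so -extfile/-extensions carry the SAN into the cert.
    openssl x509 -req -days 365 -sha256 -in "$outdir/$fqdn.csr" \
        -signkey "$outdir/$fqdn.key" -extfile "$cnf" -extensions v3_req \
        -out "$outdir/$fqdn.crt" 2>/dev/null || return 1
}

# cert_matches_key CERT KEY: print "match" when the certificate's public key is
# the public half of KEY (compares SHA-256 of the two SPKI encodings).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] && echo match
}

# cert_san_names CERT: print the DNS names from subjectAltName, one per line.
cert_san_names() {
    openssl x509 -noout -text -in "$1" |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Usage:
#   dir=$(mktemp -d)
#   make_server_cert www.example.test "$dir"
#   cert_matches_key "$dir/www.example.test.crt" "$dir/www.example.test.key"
#   cert_san_names "$dir/www.example.test.crt"
```

The matching check is worth keeping around beyond this script: a mismatched SSLCertificateFile and SSLCertificateKeyFile pair is the most common reason httpd refuses to start after a certificate rotation, and comparing the two public keys finds it before the restart does.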

Additional Resources

To learn more about the Apache HTTP Server, see the following resources.

Installed Documentation
  • httpd(8) — The manual page for the httpd service containing the complete list of its command-line options.

  • apachectl(8) — The manual page for the Apache HTTP Server Control Interface.

Installable Documentation
  • http://localhost/manual/ — The official documentation for the Apache HTTP Server with the full description of its directives and available modules. Note that in order to access this documentation, you must have the httpd-manual package installed, and the web server must be running.

Before accessing the documentation, issue the following commands as root:

# dnf install httpd-manual
# apachectl graceful
Online Documentation
  • https://httpd.apache.org/ — The official website for the Apache HTTP Server with documentation on all the directives and default modules.

  • http://www.modssl.org/ — The official website for the mod_ssl module.

  • OpenSSL — The OpenSSL home page, with further documentation, a FAQ, links to the mailing lists, and other useful resources.