O'Reilly Book Excerpts: Apache: The Definitive Guide, 2nd Edition
Setting Up a Win32 Server
An excerpt from Chapter 2, "Our First Web Site," of Apache: The Definitive Guide, 2nd Edition. Starting, stopping, and basic configuration of Apache under Win32.
There is no point trying to run Apache unless TCP/IP is set up and running on your machine. In our experience, if it isn't, Apache will crash Windows 95. A quick test is to ping some IP--and if you can't think of a real one, ping yourself:
If TCP/IP is working, you should see some collaborative message like:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=32
If you don't see something along these lines, defer further operations until TCP/IP is working.
It is important to remember that internally, Windows Apache is essentially the same as the Unix version and that it uses Unix-style forward slashes ("/") rather than MS-DOS- and Windows-style backslashes ("\") in its file and directory names as specified in various files.
There are several ways of running Apache under Win32. Under NT, you can run it as a service, operating in the background. First you have to install it as a service by running the "Install Apache as a Service" option from the Start menu. Alternatively, click on the MS-DOS prompt to get a DOS session window. Go to the /Program Files/Apache directory (or wherever else you installed Apache) with:
>cd "\Program Files\apache"
Apache can be installed as an NT service with:
and uninstalled with:
Once this is done, you can open the Services window in the Control Panel, select Apache, and click on Start. Apache then runs in the background until you click on Stop. Alternatively, you can open a console window and type:
>net start apache
>net stop apache
To run Apache from a console window, select the Apache server option from the Start menu.
Alternatively--and under Win95, this is all you can do--click on the MS-DOS prompt to get a DOS session window. Go to the /Program Files/Apache directory with:
>cd "\Program Files\apache"
The Apache executable, apache.exe, is sitting here, and we can start it running, to see what happens, with:
You might want to automate your Apache startup by putting the necessary line into a file called go.bat. You then only need to type:
Since this is the same as for the Unix version, we will simply say "type go" throughout the book when Apache is to be started, and thus save lengthy explanations.
When we ran Apache, we received the following lines:
Syntax error on line 44 of /apache/conf/httpd.conf
ServerRoot must be a valid directory
To deal with the first complaint, we looked at the file \Program Files\apache\conf\httpd.conf. This turned out to be a formidable document that, in effect, compresses all the information we try to convey in the rest of this book into a few pages. We could edit it down to something more lucid, but a sounder and more educational approach is to start from nothing and see what Apache asks for. The trouble with simply editing the configuration files as they are distributed is that the process obscures a lot of default settings. If and when someone new has to wrestle with it, he or she may make fearful blunders because it isn't clear what has been changed from the defaults. Rename this file if you want to look at it:
>ren httpd.conf *.cnk
Otherwise, delete it, and delete srm.conf and access.conf:
When you run Apache now, you see:
fopen: No such file or directory
httpd: could not open document config file apache/conf/httpd.conf
And we can hardly blame it. Open edit:
and insert the line:
# new config file
The "#" makes this a comment without effect, but it gives the editor something to save. Run Apache again. We now see something sensible:
httpd: cannot determine local host name
use ServerName to set it manually
What Apache means is that you should put a line in the httpd.conf file:
Now when you run Apache you see:
The "_" here is meant to represent a blinking cursor, showing that Apache is happily running. Unlike other programs in an MS-DOS window, Apache keeps on going even after the screen saver has kicked in.
You will notice that throughout this book, the Config files always have the following lines:
These are necessary for Unix security and, happily, are ignored by the Win32 version of Apache, so we have avoided tedious explanations by leaving them in throughout. Win32 users can include them or not as they please.
You can now get out of the MS-DOS window and go back to the desktop, fire up your favorite browser, and access http://yourmachinename/. You should see a cheerful screen entitled "It Worked!," which is actually \apache\htdocs\index.html.
When you have had enough, hit CTRL-C in the Apache window.
apache -k shutdown
This does a graceful shutdown, in which Apache allows any transactions currently in process to continue to completion before it exits. In addition, using:
apache -k restart
performs a graceful restart, in which Apache rereads the configuration files while allowing transactions in progress to complete.
Security Under Win32
Although NT has an extensive and complex security infrastructure, it is poorly documented and understood. Consequently, there is currently little code in the Windows version of Apache to interface with it. Besides, NT seems to suffer from a variety of more mundane problems: the README file that comes with Apache v1.3.1 says, in part:
Versions of Apache on Win32 prior to version 1.3.1 are vulnerable to a number of security holes common to several Win32 servers. The problems that impact Apache include:
- trailing "."s are ignored by the file system. This allowed certain types of access restrictions to be bypassed.
- directory names of three or more dots (eg. "...") are considered to be valid similar to "..". This allowed people to gain access to files outside of the configured document trees.
There have been at least four other similar instances of the same basic problem: on Win32, there is more than one name for a file. Some of these names are poorly documented or undocumented, and even Microsoft's own IIS has been vulnerable to many of these problems. This behavior of the Win32 file system and API makes it very difficult to ensure future security; problems of this type have been known about for years, however each specific instance has been discovered individually. It is unknown if there are other, yet unpublicized, filename variants. As a result, we recommend that you use extreme caution when dealing with access restrictions on all Win32 web servers.
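The two filename variants the README lists can be refused before a request path is ever compared against an access restriction. The following is an added example, not code from Apache or from the book; the function names, the DENIED set, and the sample paths are constructed for illustration.

```python
import posixpath

# Constructed sample: paths (relative to the document root) that must not be served.
DENIED = {"private/report.html"}


def win32_alias_reason(url_path):
    """Return why a path has an ambiguous Win32 name, or None if it does not."""
    for seg in url_path.split("/"):
        if seg in ("", "."):
            continue  # empty and "." segments are collapsed later by normpath
        if set(seg) == {"."}:
            # Covers ".." and the "..." (three or more dots) names from the README.
            return "dot-only segment"
        if seg.endswith("."):
            # The file system ignores the trailing dot, so "a.html." opens "a.html".
            return "trailing dot"
    return None


def naive_is_denied(url_path):
    """String comparison only: the kind of check a trailing dot slips past."""
    return url_path.lstrip("/") in DENIED


def strict_is_allowed(url_path):
    """Refuse ambiguous names first, then compare the normalized path."""
    if win32_alias_reason(url_path) is not None:
        return False
    normalized = posixpath.normpath("/" + url_path.lstrip("/")).lstrip("/")
    return normalized not in DENIED


if __name__ == "__main__":
    # Constructed request paths, one per case discussed in the README excerpt.
    for path in ["/docs/index.html", "/private/report.html",
                 "/private/report.html.", "/.../other/file.txt"]:
        print(f"{path!r}: naive_denied={naive_is_denied(path)} "
              f"strict_allowed={strict_is_allowed(path)} "
              f"reason={win32_alias_reason(path)}")
```

The check rejects rather than rewrites ambiguous names, which follows from the README's warning that other, unpublicized variants may exist: a name that is not in its plainest form is not served at all.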
1. Paradoxically, you have to use what looks like an MS-DOS line editor, edit, which you might think limited to the old MS-DOS 8.3 filename format, to generate a file with the four-letter extension .conf. The Windows editors, such as Notepad and WordPad, insist on adding .txt at the end of the filename.