Apache and PHP Tidbits

Here are some hints for issues with the Apache 2.0 server and the setup of PHP.

Redirecting HTTP requests to an encrypted connection

You might have set up an HTTPS server on a virtual host in addition to the "main" HTTP server, using Apache 2.0.xx, OpenSSL and mod_ssl (Matt Raible offers a very nice document for this setup, The Apache + SSL HOWTO).

For data and / or services in certain directories or aliases, you want to make sure that users are not allowed to use plain HTTP connections. But you do not want to break existing links from unencrypted URIs and / or send your users a "403 forbidden" page if they type http://server/onlysecure instead of https://server/onlysecure.
So you need a redirection from HTTP URLs to HTTPS URLs: when a user requests http://server/onlysecure/anything, the user should be redirected to https://server/onlysecure/anything.

There are lots of HOWTOs for this task on the net, but most of them did not work for me:

I did this on Windows, with Apache 2.0.49 and OpenSSL 0.9.7d (nope, not on sinnfrei.org).

Note: do not try this as long as you are not sure that everything else (especially the SSL setup) works fine. And as soon as it works, watch out for possible security flaws.

mod_rewrite

Make sure that mod_rewrite is available and is enabled (without comment marker) in your httpd.conf:

LoadModule rewrite_module modules/mod_rewrite.so

This module allows for the redirection.

If you have a server-info handler set up, you can see the mod_rewrite directives in the server's info page after a server restart.

You might also want a rewrite log temporarily for testing. Add these lines to your httpd.conf:

# Debug: mod_rewrite logging
RewriteLog logs/rewrite.log
RewriteLogLevel 9

Setting up the redirection and adding limits

Here is an example for the httpd.conf-directives where you have an alias /onlysecure pointing to C:/server/onlysecure and want to redirect any HTTP-request for this alias to encrypted HTTPS connections.

In addition,

As always with the Apache configuration, pay special attention to the presence / absence of slashes and their orientation.

# Add the alias and directory only if SSL is available.
<IfModule mod_ssl.c>

# The onlysecure alias, pointing to its own directory on the server
Alias /onlysecure "C:/server/onlysecure"

# In case a non-encrypted connection comes in to /onlysecure redirect
# the user to a secure connection.
# This does not require FollowSymLinks to be allowed in the directory
# below as the rewrite is done first.

# Gentlemen, start your engines.
RewriteEngine On
# Only condition: not a HTTPS connection, regardless of the port used.
RewriteCond %{HTTPS} !=on
# If the condition fired, use variables to determine the redirection
# target and rewrite (user gets a 302 redirect). The rule applies only
# to the alias.
RewriteRule ^/onlysecure(.*) https://%{SERVER_NAME}/onlysecure$1 [R,L]

<Directory "C:/server/onlysecure">

# Apache 2 only, for the case of removal of the IfModule-directive or
# ignorance of the 302 redirect status code.
# This is the hard way to make sure we have an encrypted connection.
# SSL only. This means that plain HTTP is forbidden and Apache will
# pump out a 403 status if HTTPS is not given, regardless of the port
# used for the request.
SSLRequireSSL

# Restrict options, allow for content negotiation
Options MultiViews
AllowOverride None
Order allow,deny
Allow from all

</Directory>

</IfModule>

Now restart your server, send an HTTP request to the alias, see if the redirection works (for the alias only :-) and check the logs.

Notice-Entries in the error log

Using Apache 2, you might notice an error log filled with entries which have only a [notice] level, like

[Sat Jul 03 14:24:16 2004] [notice] Parent: Created child process 3500

Those entries show up even if you have set a lower log level using

LogLevel warn

or lower (error, crit) in your httpd.conf.

When a regular file is used for the error log, messages at the notice level cannot be suppressed. Instead, use the syslog or pipe the output to an additional filter.
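
One way to build the additional filter mentioned above, as an added example that is not part of the original page: a small Python script that Apache feeds through a piped ErrorLog and that drops entries below a chosen level. The script name, the paths in the comment and the `warn` default are assumptions.

```python
"""Piped ErrorLog filter: drop Apache 2.0 error-log lines below a minimum level."""
import re
import sys

# Apache log levels, most severe first (the LogLevel directive's ordering).
LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# Apache 2.0 error-log line: "[timestamp] [level] message"
LINE_RE = re.compile(r"^\[[^\]]+\] \[(\w+)\] ")

# First line is the entry quoted above; the other two are constructed samples.
SAMPLE = [
    "[Sat Jul 03 14:24:16 2004] [notice] Parent: Created child process 3500\n",
    "[Sat Jul 03 14:25:01 2004] [error] [client 127.0.0.1] File does not exist: C:/server/htdocs/x\n",
    "output written to stderr by a script, without a level tag\n",
]


def keep_line(line, min_level="warn"):
    """Return True if the line is at least as severe as min_level."""
    m = LINE_RE.match(line)
    if m is None or m.group(1) not in LEVELS:
        # Lines without a recognisable level tag are kept: the filter must
        # not silently discard anything it cannot classify.
        return True
    return LEVELS.index(m.group(1)) <= LEVELS.index(min_level)


def filter_lines(lines, min_level="warn"):
    """Yield only the lines that keep_line() accepts."""
    if min_level not in LEVELS:
        raise ValueError("unknown log level: %r" % min_level)
    for line in lines:
        if keep_line(line, min_level):
            yield line


if __name__ == "__main__":
    # Hypothetical httpd.conf entry (script name and paths are assumptions):
    #   ErrorLog "|python C:/server/bin/errorlog_filter.py C:/server/logs/error.log"
    level = sys.argv[2] if len(sys.argv) > 2 else "warn"
    with open(sys.argv[1], "a") as out:
        for kept in filter_lines(sys.stdin, level):
            out.write(kept)
            out.flush()  # write through so entries survive a server crash
```

Lines without a level tag pass through unchanged, so script output and other untagged messages still reach the log file.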

PHP 4 Setup

How to make the PHP 4.3 series work as a module for Apache 2.0 for Windows. Some docs in the binary PHP distributions seem to be a bit out of date.

Note: as of today (date below) and according to the PHP documentation, the Apache 2.0 module for Windows is still considered "non-production".

Here is what to do:

LoadModule php4_module c:/[path_to_php]/sapi/php4apache2.dll
AddType application/x-httpd-php .php

DirectoryIndex index.php index.shtml index.html index.htm

Older stuff

There is also an outdated document covering the setup of Apache 1.3 and PHP 4 as CGI (German):