httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leif W" <>
Subject Re: [users@httpd] Need a Virtual Host Refresher Course
Date Thu, 10 Feb 2005 15:15:02 GMT
> "David Blomstrom" <>; 2005-02-09@16:56 GMT-5
> OK, this is making more sense, but I'm still missing
> something. I asked some questions about XAMPP on
> ApacheFriend's forum, too, and someone suggested I try
> the following:
> NameVirtualHost *:80

Well, as I said, * means "listen to any ip", but I have noticed a few 
subtle problems, so I use instead of *.  But anyways this also 
makes Apache listen (and thus respond to) requests on the outside world, 
opening up the security hole I mentioned. is the special 
address that means "this box in front of me to which this keyboard, 
video, and possibly mouse are directly connected", in other words, 

> <VirtualHost *:80>
> ServerName localhost
> DocumentRoot /apachefriends/xampp/htdocs
> </VirtualHost>
> <VirtualHost *:80>
> ServerName sites
> ServerAlias sites *.sites
> DocumentRoot c:\sites
> </VirtualHost>
> <VirtualHost *:80>
> ServerName geobop
> ServerAlias geobop *.geobop
> DocumentRoot c:\sites\geobop
> </VirtualHost>

But with this config, where are the logs sent?  Type in a browser: 
http://sites/geobop/logs/error-log.  The whole idea is fundamentally 
unsound.  I would ask the reasoning for the "sites" site.  Just to get 
an autogenerated list of what sites are available?  You could perhaps 
just write a script to do that and run it from within another site 
without giving away too much.  Anyways, if you go ahead with this 
config, at the very least change the * to or don't say I 
didn't warn you.  Posting a site to the net by using * when you're 
learning PHP and Apache can be a bad combination.  Not only are you more 
likely to write insecure PHP code, but you're also less likely to notice 
someone exploting it.  Well we all have to learn the hard way sometimes. 

> So I changed alll my sites to this format, and it
> works perfectly. I can preview every site at
> http://mysite/ AND I can access XAMPP's home page at
> http://localhost/
> Then I did an experiment. I changed two websites to
> this format:
> <VirtualHost>
>    ServerAdmin webmaster@geoworld
>    ServerName geoworld:80
>    ServerAlias *.geoworld
>    CustomLog
> "C:/sites/geoworld/logs/geoworld-access.log" vcombined
>    ErrorLog
> "C:/sites/geoworld/logs/geoworld-error.log"
>    DocumentRoot "c:/sites/geoworld"
>    <Directory "c:/sites/geoworld">

These two are missing the public_html.

    DocumentRoot "c:/sites/geoworld/public_html"
    <Directory "c:/sites/geoworld/public_html">

>        Options None
>    </Directory>
>    ScriptAlias /cgi-bin/ "c:/sites/geoworld/cgi-bin/"
>    <Directory "C:/sites/geoworld/cgi-bin">
>        Options +ExecCGI
>    </Directory>

This specific ScriptAlias is needed only if your site uses programs 
located in /cgi-bin/.  I gave it as an example, but it might help to 
comment out for now to simplify the situation.  Just get the idea of the 
DocumentRoot first.

> </VirtualHost>
> I also put one of these websites inside a folder named
> public_html...
> C:/sites/public_html/geozoo/
> After I restarted my computer, I couldn't access
> either website, nor could I access XAMPP at
> http://localhost/

Check the main server's error_log and it would tell you what's wrong. 
Probably in C:/ApacheFriends/XAMPP/Apache/logs/error_log.  For the 
specific location, consult the main server config, start at the top of 
the file and search for the first uncommended ErrorLog not inside a 
VirtualHost.  Try running Apache from the command line to check the 
syntax and to start.  If you change httpd.conf, do NOT reboot the 
machine!  There is no need to waste your time.  Just "restart" the 
Apache server, not "restart" the Windows OS.  The restart terminology in 
Unix means to reread a config file, or in some cases actually stop 
(kill) a program and start a new instance, in effect rereading the 
config file.  It doesn't mean the "restart" in the Windows/Shutdown 
context.  The only time you might need to "stop" Apache and then 
"restart" Apache is if you make changes to SSL stuff, maybe other times. 
In this case, you explicitly issue a "stop" and "start" command.

Command Prompt

C:\ -> apache -t
Syntax OK

C:\ -> apacke -k start

C:\ -> apache -k restart

C:\ -> apache -k stop

If you get "is not recognized..." then specify the full path to Apache. 
You can hit the TAB key for completion in WinXP.  Example below may not 
reflect your actual folder names or locations.  Use "dir" in that case. 
When you get tired of typing the full path, then add the path to your 
PATH environment variable.  Add it for only the current Command Prompt 
with the "path" command.  Add it permanently to the registry required 
Administrator access in HKLM\System\CurrentControlSet\Control\Session 

C:\ApacheFriends\XAMPP\Apache\bin\apache -t

path %PATH%;C:\ApacheFriends\XAMPP\Apache\bin\

> I couldn't access GeoZoo (the site inside public_html)
> at http://geozoo or http://public_html/geozoo/

Apache won't mysteriously add "public_html" to a path name if it's 
missing.  DocumentRoot "C:/sites/geozoo" won't look into 
C:/sites/geozoo/public_html.  It relies upon what it's told to do, and 
if it fails, it leaves helpful messages in your error log (saying it 
could not find a file, permission error, and so on).  You MUST read the 
error log.  If you do not know where the error log is, find it as I 
described above.  If there's a specific error which you don't 
understand, then post it here and someone can help.  If you can't find 
any timestamps which match the time that you tried something, maybe you 
got the wrong error log, or you aren't even logging errors, which is 
what you should do first, log the errors and find them.

> One or both of the websites I modified asked for a
> password when I tried to preview them on a browser.
> Maybe that's a clue as to what I'm doing wrong. Any
> tips?

That's totally different... I have no idea.  You probably have "Allow 
All" in you main server config, allowing AuthOverride, and the default 
name is an .htaccess file placed in a folder.  Or else some application 
you hit sends an auth.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message