[AWS EC2] apache logの見方

ssh ec2-user@${public ip} -i ~/.ssh/***.pem
cat /etc/httpd/conf.d/custom.conf

# アクセスログ
<IfModule log_config_module>
    CustomLog "/var/www/log/access_log" combined

$ cd /var/www/log/
$ ls
access_log error_log

$ sudo less /var/log/httpd/error_log
$ sudo less /var/log/httpd/access_log

### アクセスログの見方
$ cat /etc/httpd/conf/httpd.conf
LogFormat “%h %l %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\” %I %O” combinedio

%h リモートホストのIPアドレス
%l 接続元のユーザー名
%u リモートユーザ
%t アクセスされた日時
\”%r\” アクセスされたファイル
%>s ステータスコード
%b リソースに対する転送量
\”%{Referer}i\” アクセス元のURL
\”%{User-Agent}i\” なんのOSでどのブラウザからアクセスしてきたか


[aws ec2]Apache2を入れるが、Internal Server Error

### apache2 インストール
$ sudo apt update
$ sudo apt install apache2
$ sudo ufw app list
$ sudo ufw allow ‘Apache Full’
$ sudo ufw status
$ sudo systemctl status apache2
$ hostname -I

### mod_wsgi
$ apt-get install apache2-dev
$ pip3 install mod_wsgi

### settings.py


$ mod_wsgi-express module-config
LoadModule wsgi_module “/home/ubuntu/.local/lib/python3.8/site-packages/mod_wsgi/server/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so”
WSGIPythonHome “/usr”

### migrate
$ python3 manage.py makemigrations sales
$ python3 manage.py migrate

### apache設定
sudo vi /etc/apache2/sites-available/000-default.conf

LoadModule wsgi_module "/usr/lib/apache2/modules/mod_wsgi-py38.cpython-38-x86_64-linux-gnu.so"
WSGIScriptAlias / /var/www/hanbai/hanbai/wsgi.py
WSGIPythonHome "/usr"
WSGIPythonPath "/var/www/hanbai"

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        # DocumentRoot /var/www/hanbai

        # WSGIScriptAlias / /var/www/hanbai/hanbai/wsgi.py
        # WSGIPythonPath /var/www/hanbai/        
        <Directory /var/www/hanbai/hanbai/>
            <Files wsgi.py>
                Order deny,allow
                AllowOverride None
                require all granted

$ sudo /etc/init.d/apache2 restart

$ /var/log/apache2/error.log
[client] from django.core.wsgi import get_wsgi_application
[Wed Oct 28 23:46:17.546723 2020] [wsgi:error] [pid 10444:tid 139970643724032] [client] ModuleNotFoundError: No module named ‘django’

$ pip3 freeze | grep wsgi

WSGIPythonPath /var/www/hanbai:/home/ubuntu/.local/lib/python3.8/site-packages


php build-in serverでhttpsサーバーを起動



### sslモジュールインストール(centOSの場合はmod_ssl)
$ sudo yum install mod24_ssl
$ httpd -M | grep ssl

### 秘密鍵作成
$ openssl genrsa > server.key

### CSR作成
$ openssl req -new -key server.key > server.csr

### サーバー証明書作成
$ openssl x509 -req -signkey server.key < server.csr > server.crt
$ rm server.csr

### 秘密鍵&サーバー証明書配置
$ sudo mkdir /etc/httpd/conf/ssl.key
$ sudo mkdir /etc/httpd/conf/ssl.crt
$ sudo mv server.key /etc/httpd/conf/ssl.key/
$ sudo mv server.crt /etc/httpd/conf/ssl.crt/

### ssl.conf編集
sudo vi /etc/httpd/conf.d/ssl.conf

# SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

### apache再起動
$ sudo service httpd restart

### composerでhttps用のphp buildin-server libraryインストール
$ curl -sS https://getcomposer.org/installer | php
$ php composer.phar require –dev mpyw/php-hyper-builtin-server:^2.0

### httpsサーバー起動
$ vendor/bin/hyper-run -s


apache 2.4.39 ~apacheのバージョンって何が違うの?

[vagrant@localhost ~]$ httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13
[vagrant@localhost ~]$ apachectl -v
Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13

The Apache HTTP Server Project has released “Apache HTTP Server 2.4.39” that addresses six vulnerabilities. This update fixes six vulnerabilities, including CVE-2019-0211, which may allow code execution with higher privileges.

In addition to “CVE-2019-0211”, “CVE-2019-0217” may be authenticated by another user in Digest authentication, and “CVE-2019-2015” may bypass access control by the client certificate. As for “,” the vulnerability is rated as “Important”, which is the second of four in the rating.

In addition, the three vulnerabilities with the lowest “Low” severity of vulnerability listed as “Low” fix “CVE-2019-0196”, “CVE-2019-0197”, “CVE-2019-0220” did.


apache execute user

To change the user running Apache, you need to change the user specification in httpd.conf. If nothing is specified, the daemon user is specified.

[vagrant@localhost ~]$ ps aux | grep http
root 2040 0.0 2.4 384472 12512 ? Ss 11:44 0: 02 /usr/sbin/httpd
jenkins 2083 0.5 56.8 2273640 285232 ? Ssl 11:45 2: 54 /etc/alternatives/java -Dcom.sun.akuma.Daemon=daemonized -D java.awt.headless=true -DJENKINS_HOME=/var/lib/jenkins -jar /u sr/lib/jenkins/jenkins.war –logfile=/var/log/jenkins/jenkins. log –webroot=/var/cache/jenkins/war –daemon –httpPort=8080 –debug=5 –handlerCountMax=100 –handlerCountMaxIdle=20
apache 2488 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2489 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2490 0.0 2.0 386112 10300 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2491 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2492 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2493 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2494 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
apache 2495 0.0 2.0 386112 10280 ? S 12:23 0: 00 /usr/sbin/httpd
vagrant 4449 0.0 0.1 103320 872 pts/0 D+ 20:52 0: 00 grep http

[vagrant@localhost ~]$ id apache
uid=48(apache) gid=48(apache) 所属グループ=48(apache)


It is possible to specify up to 8 levels in the error log up to which level errors should be recorded. set to “LogLevel” to specify.

LogLevel to record.
The level that can be set are as follows.

Level Meaning
A serious error that the emerg server can not run.

-Errors: More serious than alert crit
-Crit; Serious error
-Error: Error
-Warn: Warning
-Notice: Notification message
-Info: Server information, information for debug debugging.

apache restart/reloadの必要性




service httpd restart

check the status of Apache
[vagrant@localhost ~]$ /etc/init.d/httpd status
httpd status unknown due to insufficient privileges.

restart apache
[vagrant@localhost ~]$ sudo service httpd restart
httpd を停止中: [ OK ]
httpd を起動中: httpd: Could not reliably determine the server’s fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]


Web server configuration file for each directory that can be used in an environment where software such as Apache is used.
When this is installed in a specific directory, the contents described in “.htaccess” are applied to the directory in the installed directory and directory under it.

How to make .htaccess file
1. create and save a file named “.htaccess” with text editor.
2. describe what you want to control and configure with apache and save.
3. uploaded to the server and renamed to “.htaccess”

1. Basic authentication
It is a mechanism for forcing ID and password input with authentication in the directory etc.
If you want to play the site before publishing with users and Google bot.
If you want to publish it only to those who know the ipass.

AuthUserfile /fullpath/.htpasswd
AuthGroupfile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user

2. 301 Redirect
It is the transfer method most used in SEO, which can inherit evaluation from old page to new page. It is called permanent relocation, and it is used for URL change and domain transfer.

RewriteEngine on
RewriteRule ^old.html$ http://sample.com/new.php [R=301,L]

3. URL normalization
It refers to unifying the URL to one. For example, in the following cases, Google recognizes each as a different URL, but generally the same page is displayed.

RewriteEngine on
RewirteCond %{THE_REQUEST} ^.*/index.html
RewirteRule ^(.*)index.html$ http://sample.com/$1 [R=301,L]

RewriteEngine on
RewirteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule ^(.*)$ http://sample.com/$1 [R=301,L]

RewriteEngine on
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule ^(.*)$ http://www.sample.com/$1 [R=301,L]

4. Abort of file list display
It is used to eliminate the security concern that the directory structure is exposed to the outside.
When there is an access ending with “/” like http://www.example.com, “index.html” that directory will be called instead.
However, if the index.html file can not be found, the file list in the directory shown.
Publishing the directory in this way will expose the structure of the website and there is certain risk from the security point of view. Therefore, by canceling the file list display in the directory, it is possible to prevent publication of the directory structure.

Options -Indexes

5. Access restriction from specific IP address and domain
You can restrict / deny access from a specific IP address or domain.
Alternatively, you can only allow access from a specific IP address or domain.

order allow,deny
allow from all
deny from sample.com
deny from

order deny,allo
deny from all
allow from sample.com
allow from

<files test-file.html>
	order deny,allow
	deny from all
	allow from sample.com
	allow from


以下のように、LogLevel warnでは、”warn”以上のエラーレベルはすべてエラーログに記録するようになり、逆にnotice以下のエラーレベルに関してはログに記載されなくなる。

# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn