Initial configuration required from installation of Apache on CentOS to startup

Publication date:December 8, 2020

INFOMARTION > Initial configuration required from installation of Apache on CentOS to startup


This section describes the initial setup procedure required from the installation of Apache on CentOS to the startup of Apache.

The versions are as follows

CentOS Version7.6 (1810)
Apache Version2.4.6

Table of Contents

  1. install
  2. basic setting
  3. summary

1. install

This section describes the setup of Apache from installation to startup.

1-1. Apache Installation

Perform the Apache installation using the yum command.

[username@hostname ~]$ su -
[root@hostname ~]# yum -y install httpd

1-2. Startup confirmation (http access)

We will simply check if we can access it. apachectl command can be used after installing Apache (httpd) with yum command. Try to start Apache using this one.

[root@hostname ~]# apachectl start
[root@hostname ~]# apachectl status
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-12-06 17:08:12 JST; 1s ago
     Docs: man:httpd(8)
 Main PID: 1303 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           |-1303 /usr/sbin/httpd -DFOREGROUND
           |-1304 /usr/sbin/httpd -DFOREGROUND
           |-1305 /usr/sbin/httpd -DFOREGROUND
           |-1306 /usr/sbin/httpd -DFOREGROUND
           |-1307 /usr/sbin/httpd -DFOREGROUND
           `-1308 /usr/sbin/httpd -DFOREGROUND

Dec 06 17:08:11 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Dec 06 17:08:12 localhost.localdomain httpd[1303]: AH00558: httpd: Could not reliably
Dec 06 17:08:12 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.

If the "apachectl status" command returns "Active: active (running)", the system has started successfully.

Next, access Apache from a browser and set the http permission since the default value of CentOS7 firewall (iptables for CentOS6 and earlier) only allows ssh access. I would like to add https permission settings as well. Also add a "permanent" option to make the settings permanent.

[root@hostname ~]# firewall-cmd --permanent --add-service=http
[root@hostname ~]# firewall-cmd --permanent --add-service=https
[root@hostname ~]# firewall-cmd --reload
[root@hostname ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: dhcpv6-client http https ssh
  masquerade: no
  rich rules:

If "http" and "https" are added to "services", it is OK. Access the site from a browser. In my case, the IP address of the server is, so I access "". It is OK if the following page is displayed.

Once the system is successfully started, stop it.

[root@hostname ~]# apachectl stop

2. basic setting

2-1. Create log file output folder

To manage logs under /var/log/, create a httpd directory under /var/log/ as a folder for Apache logs.

The permissions should be set to 755, so that Apache can write, but other users can only read. If other users can write, the logs can be tampered with.

mkdir /var/log/httpd" is unnecessary if a directory with the same name has already been created.

[root@hostname ~]# mkdir /var/log/httpd
[root@hostname ~]# chmod 755 /var/log/httpd

The latter step is to change the Apache log output destination setting.

This procedure is only for creating a folder for the logs to be stored.

2-2. Domain Settings

Modify the domain settings listed in httpd.conf. Apache settings are basically consolidated in httpd.conf, so if you want to change the settings, modify httpd.conf. Domain settings are not required for local environments (not open to the public on the Internet).

[root@hostname ~]# vi /etc/httpd/conf/httpd.conf

Uncomment out and enable the ServerName setting. Set the domain name to match your environment.

httpd.conf【Before change】


httpd.conf【After change】

ServerName domainname:80

2-3. Activate SSL modules and configuration files

Enable SSL to allow access over https; SSL settings are related to SEO, and http is not good for security in the first place, so unless you have to use http, go with https.

Install the ssl module with yum.

[root@hostname ~]# yum -y install mod_ssl

When you install with yum, the ssl module is automatically enabled, so you only need to install it. A configuration file is also automatically created. (/etc/httpd/conf.d/ssl.conf is automatically created.)

2-4. Change log output path

Change the destination of the Apache log output to the log file output folder you just created; only the ssl configuration file will be changed, as it will be configured in a subsequent step to be accessed only via ssl (https).

[root@hostname ~]# vi /etc/httpd/conf.d/ssl.conf

ssl.conf【Before change】

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log


CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ssl.conf【After change】

ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log


CustomLog /var/log/httpd/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

The above modification changes the log output destination to the "/var/log/httpd" directory.

The "%t, %h," etc., are the log format settings. The following is a list of formats that may be used frequently for reference.


・%T:Time taken to process request (seconds)

・%h:Client hostname or IP address, attempting to resolve hostname only if HostnameLookups is set to On

・%r:First line of the request

・%b:The number of bytes in the response (excluding HTTP headers), in CLF format, i.e. - if none of the bytes were sent

・%D:Time taken to process request (microseconds)

・%>s:HTTP Status

2-5. SSL Certificate Creation

This is the procedure for creating a certificate. Self-certification is fine for private use. For public servers, do not use a self certificate.

There is no difference in security between regular certificates and self-certificates. It is the difference between a certificate that a third party can judge to be reliable or not. (With a self-certified certificate, the bar in the URL will be red.) So, for servers that are to be made public (servers that are viewed by third parties), issue a regular certificate.

The default certificate settings for Apache are "/etc/pki/tls/certs/localhost.crt" and "/etc/pki/tls/private/localhost.key".

SSLCertificateFile" and "SSLCertificateKeyFile" in "/etc/httpd/conf.d/ssl.conf" will show the settings.

【For self-certification】

To create a self-certificate, execute the following command, which must be executed as the root user.

When you run "openssl req -new -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.crt" you will be asked for several responses, all of which are fine with Enter. The information will be who is issuing the certificate (what country they live in, what is their email address, etc.). If you want to issue a regular certificate, enter the correct information and set it up.

[root@hostname ~]# openssl genrsa > /etc/pki/tls/private/localhost.key
[root@hostname ~]# openssl req -new -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.csr
[root@hostname ~]# openssl x509 -req -signkey /etc/pki/tls/private/localhost.key < /etc/pki/tls/certs/localhost.csr > /etc/pki/tls/certs/localhost.crt

【For regular certificates】

To create a regular certificate, execute the following command, which should be executed as the root user.

[root@hostname ~]# openssl genrsa -out /etc/pki/tls/private/localhost.key 2048
[root@hostname ~]# openssl req -new -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.csr

In the case of a normal certificate, this is not all that is required to complete the process. The created "server.csr" must be handed to a certification authority to have a server certificate issued, and then the server certificate issued must be installed.

2-6. always-on SSL

It is not good for security if the site is accessed via http, so add a setting to redirect to https when access comes in via http.

Although it is possible to prohibit access via http, it is recommended to set up a redirect for usability reasons.

[root@hostname ~]# vi /etc/httpd/conf/httpd.conf

Please add the following at the end


<IfModule rewrite_module>
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

This setting can be changed so that accesses that come in at http are handled at https.

I have stated that this setting does not work if you come over https (RewriteCond %{HTTPS} off).

Please remember to include this setting because without it, https accesses will be redirected as well, resulting in an endless loop.

2-7. Startup confirmation (https access)

Now that the various settings are complete, check to see if the site can be accessed via https. First, start the system.

[root@hostname ~]# apachectl start

Access the site from a browser, the same as for http access, but in my case, the IP address of the server is, so I access "".

The URL is changed from "" to "" because the http redirect setting is included.

Now that it has been successfully started, Apache is stopped.

[root@hostname ~]# apachectl stop

2-8. Automatic startup setting

Lastly, although it is not required, it is a pain to have to start Apache every time the server is restarted, so we will configure the systemctl command to automatically start Apache when the server is started. If you are not using CentOS7, you will need to use the service command.

Create the "apache.service" file and describe the necessary settings.

[root@hostname ~]# touch /etc/systemd/system/apache.service
[root@hostname ~]# vi /etc/systemd/system/apache.service

The following information is provided

#Control before and after execution

#User and group designation
#Once activated, set the status to Activated.
#Start, stop, reload
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl restart

#runlevel3 equivalent setting

After the description is finished, register it with the systemctl command.

[root@hostname ~]# systemctl enable apache
[root@hostname ~]# systemctl is-enabled apache
[root@hostname ~]# systemctl list-unit-files --type=service | grep apache
apache.service                                enabled
[root@hostname ~]# systemctl daemon-reload

3. summary

We have described the initial configuration required when Apache is installed.

Basically, Apache works to some extent with the default settings, but if you actually customize it, please refer to the log output destination settings and SSL settings, which you should change when you operate the system.

Thank you for taking the time to read this to the end.


Please click here to go to the top page of INFORMATION.


Please click here to view the profile.

■For inquiries, please contact

For inquiries about the article, please contact us here.