How do I find out what file Apache is serving when a port is hit?

linux centos apache-httpd tcp

21,777

You can see where httpd is configured to look for it's configuration files using the -V switch:

$ httpd -V
Server version: Apache/2.2.15 (Unix)
Server built:   Feb 13 2012 22:31:42
Server's Module Magic Number: 20051115:24
Server loaded:  APR 1.3.9, APR-Util 1.3.9
Compiled using: APR 1.3.9, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

You can also use the command lsof to see what files a Unix process is accessing. My version of httpd is using the stock port 80 so change the 80 to 8443 in your case!

$ netstat -tapn|grep ::80
tcp        0      0 :::80                       :::*                        LISTEN      5338/httpd

You can now run lsof to find out where the log files are getting written to:

$ lsof -p 5338|grep log
httpd   5338 root  mem    REG  253,0    10440   3141 /usr/lib64/httpd/modules/mod_logio.so
httpd   5338 root  mem    REG  253,0    27200   3139 /usr/lib64/httpd/modules/mod_log_config.so
httpd   5338 root    2w   REG  253,0     2014 395029 /var/log/httpd/error_log
httpd   5338 root    7w   REG  253,0     4140 394789 /var/log/httpd/access_log

You should be able to determine the location of the access_log as well as the configuration files and look through them to determine the "Directory" and "Location" directives. These specify what local directories to use when telling Apache what files to serve.

Now what?

I would then look through the access_log to make sure that there are entries in there that correspond to accesses against the server. What I mean by this is if I browse the server at http://www.somedom.com/somefile I should see this access recorded in the access_log file like this:

192.168.1.110 - - [17/Jul/2013:14:39:50 -0400] "GET /somefile HTTP/1.1" 200 4303 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5
37.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

Where are the files?

You can take the above knowledge that we've acquired and start to apply it like so:

These bits from httpd -V tells us Apache's root:

-D HTTPD_ROOT="/etc/httpd"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

So we know the main config file is here: /etc/httpd/conf/httpd.conf. So look through that file for these lines:

$ grep -E "DocumentRoot|Directory \"|^Include" /etc/httpd/conf/httpd.conf |grep -v "^#"
Include conf.d/*.conf
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
<Directory "/var/www/icons">
<Directory "/var/www/cgi-bin">
    <Directory "/var/www/error">

So I now know that these directories are potential sources for the file we saw in the access_log. The DocumentRoot and Directories I'd look through for the file, somefile. If it isn't in any of these locations then I'd next focus on the Include directory mentioned above in the grep output, /etc/httpd/conf.d/*.conf.

These files are additional configurations that Apache uses so you'd need to repeat the steps using the grep to look through these files as well.

21,777

Aust

<3 JavaScript is my favorite language. 2 millennia ago, Jesus Christ founded His church - but with the persecution of the apostles and the saints, that church (and the pure doctrine of Christ) crumbled. Around 200 years ago, Jesus Christ restored His church (along with His pure doctrine) through the Prophet Joseph Smith, and He wants you to come and participate in the blessings. Learn more at comeuntochrist.org. Why am I here? | Where do I go when I die?

Updated on September 18, 2022

Comments

Aust over 1 year
I'm working on a server someone else set up. The server is CentOS 4.6 running Apache/2.0.59 (httpd). They have an update service setup on port 8443. I know it is working but I need to find out what files Apache is serving when someone hits that port.

I looked in the httpd.conf file to see if there was anything in there but there was nothing there. I tried using nmap too but that only showed me which ports are currently open. The output of nmap was:
```
8443/tcp open https-alt
```
So how can I find out what files are served when someone connects to that port?
- Admin almost 11 years
  
  Can you find it in the log file?
Aust almost 11 years

Yeah this is way close! This log shows me what users are requesting from the URL but I want to find which file that corresponds to on the server. How can I do that?
slm almost 11 years

@Aust - See updates.
Aust almost 11 years

You make me so happy! Thanks! The files were not in those original directories so I ran grep -E "DocumentRoot|Directory \"|^Include" /etc/httpd/conf.d/*.conf |grep -v "^#" and started searching through those directories and found it. =D
slm almost 11 years

@Aust - glad it worked out for you!